Complacency and Information Security Don't Mix: Interview with Wyatt Starnes

LINDA MCGLASSON: Hi, I’m Linda McGlasson with Information Security Media Group, and today, we’re speaking with one of the leaders of innovation and a pioneer in information security. Wyatt Starnes is a household name for those of us who have been down in the information security trenches. He’s the founder of Tripwire, that tool that we all love for host-based intrusion detection. Wyatt has spent nearly 30 years in high technology with eight different start-ups. He is currently the Chairman and Chief Executive Officer of SignaCert, Inc., a newly-established company focusing on commercial work in the trusted computing area. In addition, he is co-founder of RAINS, the Regional Alliance for Infrastructure and Network Security, a nonprofit public/private alliance formed to accelerate development, deployment and adoption of innovative technology for homeland security.


Prior to joining SignaCert, he was the Founder, President and CEO of Tripwire, the world's leading provider of change auditing software. Wyatt has also held executive and director positions for Infinite Pictures, Eclipse Technologies, Trisys, Megatest, Data General Corporation, Monolithic Memories and Maruman Integrated Circuits.

He is a member of the National Institute of Standards and Technology (NIST) Visiting Committee on Advanced Technologies (VCAT), on the Advisory Board for the Portland State University Maseeh College of Engineering and Computer Science, and a member of the Oregon Executive Council of the American Electronics Association. He also sits on three Boards, including Swan Island Networks; Comprehensive Intelligence Technology Training Corporation; and the Symbian Software Company of Ottawa, Ontario. Hi, Wyatt.

WYATT STARNES: Hello, Linda.

LINDA MCGLASSON: Are we in information security becoming too complacent? I mean, we have a lot of zero-day threats, hundred-thousand-node botnets sending us virus threats and all things like that, and those of us in information security, you know, look at the situation and think that this is normal operating procedure. Are we too complacent?

WYATT STARNES: I think we are too complacent, and I actually think we’ve been overly, sort of, complacent and self-secure, self-assured for actually quite some time. When you kind of zoom back and look at some of the physical threats in our world, specifically, the tragic events of September 11th, 2001, where we found we were dramatically exposed to physical harm within our own boundaries, I think in the cyber-security world, we haven’t really seen our September 11th, 2001 yet. We are exposed. We continue to be exposed, and information technology is prospectively an important new attack vector for us in our industry and in our economy, and frankly, in our political system as well.

LINDA MCGLASSON: On that same line, you mentioned the 9/11 for the cyber/internet community. What would you consider some scenario of that?

WYATT STARNES: Well, I think we’ve already witnessed some -- I would consider somewhat modest scenarios that have to do with denial of service attacks against, you know, various, both government and commercial entities that have certainly interrupted the ability of those, those entities, those businesses to actually conduct business. I think that we’re still exposed to those types of things. We’re also seeing an increased sophistication in the type and level of attack that the industry, you know, has been witnessing for years. I think you’re seeing more professional level, if you will, or more organized attacks that are in the form of phishing and various other identity-based attacks that all exploit a lot of the technology that we built over the last several decades – that connectivity that we have -- the distribution of the computer systems. And they essentially exploit in many ways sort of the notion that we’re connected and therefore, we’re trusted and -- and can be trusted, which is an assumption that is very, very dangerous.

LINDA MCGLASSON: In a similar line, we’re talking about trusted networks. You’re one of the leaders and founders of RAINS and I know that you’ve been a proponent of shared information between the private and public sectors.

How are we doing in terms of the information sharing, especially in regards to a government and the financial services industry?

WYATT STARNES: Well, in that particular example, government to financial services industry, you know, that is actually one of the areas where we have advanced fairly well. I think government has certainly realized the potential risks and dangers of being highly polarized or sectored in terms of information sharing between financial services and government activities – our economy obviously depends very strongly on the trust and stability of our financial services institutions. So, actually, the cooperation there under things like the financial services ISAC and other institutions has come on quite well. Also in the telecommunications area, frankly, our government’s played a very important role in that – in the traditional analog sense. In other words, the traditional telephone system of – I can pick up a phone and call across the country on an analog line and connect with somebody and there’s redundancy built into that and, and there is no law or government oversight in the standards and mechanisms and procedures.

I think the challenge we face in, in the telecommunications industry and, to a certain extent, the financial services is we’re switching from analog now to internet protocol communication, which has a whole different set of challenges. So I think we’re lagging behind in our ability to really cross-communicate some of those challenges between industry and government, set new standards that are IP or internet protocol-based standards and understand where the new risks and exposures are as we move from the traditional analog infrastructure to the digital infrastructures. So we have work to do there.

RAINS was formed to help both articulate some of those issues and problems; we’re really clashing two vectors there. There are social issues that impact the desire and method of information exchange and there are technical issues. Both of those are very, very important challenges and both of them require new thinking and new ways of looking at the problem – I think both in the physical world and now the cyber world we realize that the risks associated with not addressing these and getting some of these sector boundaries communicating, communicating well against these major problems, the risk is very, very significant. We’re potentially missing major information exchanges where one sector is seeing something that could dramatically impact another sector, whether it’s government to private or private to private, we’ve got to get better at sharing that information and making it useful and actionable on a faster basis.

LINDA MCGLASSON: Especially in regards to some of the different types of emerging threats that different industries are seeing within their industry that will eventually move into others, correct?

WYATT STARNES: Absolutely, absolutely. If you really were to look at the surface area of our attack vectors, where we potentially are exposed, again just now speaking from the cyber side, it’s massive and, and there are some Achilles heel elements of that. In other words, there are some significant target vectors that if, if somebody really wanted to come at us hard, you know, finding those target vectors where we’re highly exposed would frankly not be that difficult. So, we need to work better as an industry and as a, an overall society – government and private – to understand the common risks associated with that exposure.

LINDA MCGLASSON: You’re a member of NIST and, can you maybe explain to our audience some of the things that you’ve been involved with and how long you have been on NIST?

WYATT STARNES: As probably most of your listeners know, NIST is the acronym, as you said in the intro, for the National Institute of Standards and Technology. It is one of the oldest federally backed, federally funded research and development and standards organizations that traces back into the late 1800s, early 1900s and is an amazing organization, frankly. It is involved – really, if anyone were to look around whatever room they happen to be sitting in today, there’s almost nowhere that you could look in the room where you wouldn’t see something that has been impacted by the National Institute of Standards and Technology. It’s things like, certainly weights and measurements, you know, what is a pound? You know what is a foot or what is a meter? What is a bolt? You know, how do you precisely measure that? You know, compositions of materials, you know, they’re heavily involved – NIST itself is heavily involved in, in the grain movement, making sure that the things that we’re building are safe not only for consumption but increasingly safe for our environment. So, it’s a very interesting organization; really an amazing organization.

WYATT STARNES: I’m involved in the Visiting Committee on Advanced Technology, acronym VCAT. That’s an appointment-only committee. There are currently, I believe, 14 of us. The legislation that created the VCAT process calls for a maximum of 15 members. We’re almost at that maximum now. It is a very esteemed group of colleagues that I’m involved with that cover a number of different areas from biosciences to physics, to other types of weights and measurements areas. We’re all out of the private sector, for the most part; there are a couple of academia folks involved as well. I’m extremely pleased to be involved. I’ve been involved – we serve three-year terms where there’s an opportunity, at the government’s discretion, to serve another three years. NIST is a reporting agency up through the Department of Commerce. That may be news to some of your listeners given that they are a very large and influential organization. A lot of people don’t know that they were created and really are managed by the Department of Commerce.

The primary mission of NIST is fundamentally to use standards and technology to minimize or reduce the friction related to economic transactions, whether they’re financial or medical or transportation or even information technology. You know, so it’s all about what can we do, what can the government do to help industry work better together and standards have proven to be an incredibly important part of making commerce work well – the interchangeability of items across compatibility of items is incredibly important.

My appointment again was about two years ago. My activities have been – given that I come out of the information technology space and have spent the bulk of the last 30 years of my career in information technology and high technology in general, my focus has been around the measurability science relating to information technology. NIST traditionally has viewed the world, and industry in general has viewed the world, as measurement is something that you have to be able to, you know, physically see or weigh or, or somehow, you know, create a mechanism to actually quantify it. So the question really is, is information technology “measurable” and if it is measurable, then what is government’s role in creating standards around that measurability, where the goal again is consistent with the overall NIST goal, which is improving commerce, improving the social trust involved with electronic transactions. So, that’s a range of transactions from banking to things like electronic voting. How do we actually create the social and technical trust that will compel people to feel comfortable in entering their votes on an electronic voting kiosk that is network connected and all rolls back up to some compute system in Washington to -- our grandchildren will likely be even entering their votes on their, on their personal compute devices, whether they’re PDAs or laptop computers. Now that may sound very simple, but in practice, the social and technical issues related to that are huge. So those are the types of projects that we’re involved with.

LINDA MCGLASSON: Coming back to the threats – what would you say is one of the largest or biggest information security threats facing the internet community this year?

WYATT STARNES: Well, the biggest threat facing the internet community this year is the same one that was facing the internet community last year and the year before last and five years past. If you look at the way the information technology industry has evolved, it’s really fascinating. It’s a relatively young industry by other standards, you know. If you look at the aircraft industry or the financial services industry in terms of banking and insurance, IT as an industry is really pretty young, but it’s moved, you know, at a hugely rapid pace -- largely driven by technology-centric people, people that are really coming from the technical point of view. So our ability to actually innovate technology has actually in many ways outstripped our ability to manage the technology we’re creating. That’s actually not unusual, Linda. That’s occurred in other industries before. It has occurred in the transportation industry where we were able to fly planes, get them into the sky and then we realized that, you know, they could crash fairly easily if we didn’t have best practices and procedures in place and in trains and telecommunications and in a lot of other industries.

So, what we’re seeing in information technology is really, in a highly time-compressed form, the same sort of technological and social evolution that we’ve seen in other industries before, where we’ve gotten ahead of ourselves. So the biggest sort of exposures we have today are that we have built systems that actually have inherent and innate imperfections and instabilities and security issues, and then we’ve created after-market industries in the form of anti-virus vendors and intrusion protection software technologies and some of my prior companies, Tripwire, that essentially become add-on safety mechanisms to, to the hardware and software systems that we’ve built.

And we’ve made a lot of assumptions about the way we build those systems. We assume a perimeter and therefore we assume that if we protect ourselves at the perimeter, we can increase the reliability, safety and security of these devices. Well, if you think about it, the perimeter is becoming highly diffused. Where is the perimeter anymore? It used to be at the physical walls of our building. Well now we have our employees taking their computers home and we have, you know, millions of people operating compute devices off of wireless remote terminals in the form of Blackberries or Palms or whatever the device that they might happen to be using. So we’ve made a whole bunch of assumptions relating to how we can secure this, this new technology, and many of those assumptions really don’t hold anymore. And so, we need a better way. We need a different way of thinking about the problem. And I think that’s really the exciting thing that’s going on in information technology these days. We cannot, we can no longer assume that the old methods of solving the problem are going to work in the future. We need a different and new way of looking at the problem-symptom relationship.

LINDA MCGLASSON: You mentioned your – Tripwire experience. Going back to your days at Tripwire, did you envision that that company would become such a big name? I was looking at the site yesterday. They still say that they have 250,000 active copies in use. So Tripwire is really up there in terms of usage. And I’m sure, actually, many in our audience are using it now. What direction would you see change audit taking in terms of when we’re talking about the expanded perimeter in a lot of the companies that are operating it?

WYATT STARNES: Well, great, great question, Linda. Yeah, we’re very proud actually. I’m very proud personally of what Tripwire has accomplished. I believe the number they’re referring to is in excess of a quarter million commercial copies, and that’s on top of what is probably still a pretty robust open source or academic source release community. So, it is likely one of the, the most highly deployed change management, change detection, intrusion assessment mechanisms in the marketplace. No – I really attribute the success of that to, for one, a really good team and a good core technology approach that dates back to the early 90s where Professor Gene Spafford at Purdue University worked on some of the original technology concepts with Gene Kim, who’s still the chief technology officer over at Tripwire. But, I think what really makes it valuable is that it is a very new approach to the problem. I mean, it’s not new in the marketplace anymore, but it takes a different approach than the traditional anti-virus approach. And let me expound on that a little bit. Traditionally, information security is about keeping the bad stuff out of the environment, right? Trying to create these tall, deep walls so that, so we can protect what we assume to be good systems within the walls by keeping the bad stuff on the other side. And this is the sort of perimeter-centric view that I talked about. Given that the perimeter is not defined like that anymore, the net effect is you need to move detection and prevention much closer to the compute device itself, which is what Tripwire does.

Tripwire really is a mechanism that runs on the particular device itself – the laptop, the server, the routing device – that actually understands what the device should look like when it’s in a presumed trusted state, and then resamples it on some periodic basis and looks for changes from that expected or desired trusted state. We use – Tripwire uses cryptographic hashing mechanisms to do that, which is, you know, fancy terminology for essentially, you know, short-hand checksum kinds of mechanisms that allow you to identify complex data structures in a very short-hand way. So it’s a very powerful mechanism of understanding the initial trusted state of the machine and then revalidating it and looking for changes. But it’s coming much more from an inside-out point of view as opposed to the traditional outside-in protective mechanisms that most of the security companies provided.

LINDA MCGLASSON: Your most recent company, SignaCert, is involved in the trusted computing movement. Could you maybe take a few minutes and explain to those who don’t know what the trusted computing movement is all about and what are some of the directions it’s taking as of late?

WYATT STARNES: The trusted computing movement, if you will, the groups that have been involved with this – and there are many – the best known is probably The Trusted Computing Group, which is a consortium or alliance of companies that include Intel and Microsoft and Sun and many others. The whole notion was formed around this idea of we as platform providers and we as software providers, vendors essentially, to the induced community, need to do a better job ourselves of making sure that our machines can be managed more effectively, that they have more innate trust and security mechanisms built in. So, to create an analogy – I mentioned that there are parallels between the IT industry and other industries.

In the early days of the automobile industry, many of us remember when seatbelts were optional, and then when airbags were optional. And now, you know, if you look at today’s marketplace, you know, our children, thankfully and fortunately, are very used to getting into the car and fastening their safety belt and they are very used to the notion that the airbag is there. So, safety has become -- and security of the devices, has become a competitive factor. It has become, you know, much more implicit in the design of the device and much more expected by the users – the automobile users. You know, safety is not considered an option anymore; it’s a requirement. In much the same way, information technology is following that same route. In other words, the supply side, the vendor side is saying, we can no longer push the cost and the exposure of some of these inherent risk parameters that are somewhat by design in our IT systems. We can no longer push that cost in that after-market requirement out to our customers. We need to take more responsibility for it ourselves. Now in order to do that, one of the social aspects or cultural aspects of that is that you’ve gotta get companies that are normally competing with one another to actually cooperate to create common standards and common framework to allow these safety-best practices to be designed into the platforms, because from a customer standpoint, they don’t want to think about a different form of security or safety from XYZ platform vendor which is different than the other platform vendor. So, standards become a really critical element of building more highly-trusted system environment – more secure system environment.

So we’ve been heavily involved in that process with many of the other companies that I’ve mentioned for several years. We’ve contributed a lot of technology in terms of best practices and specifications, especially, as it relates to Tripwire-like mechanisms, integrity management mechanisms, software measurement mechanisms. How do you measure software and how do you create collections of the measurement of software so that a system can actually validate that it is a trusted system and make that more implicit in the system design and not an after-market add-on or a customer responsibility. So, the Trusted Computing Group is really, I think, doing a very good job in a very complex environment of creating both technology and social bridges that allow more inherently trusted systems to come to market.

LINDA MCGLASSON: This is going to be the other question to follow-up. The trusted computing movement is and has been somewhat controversial in certain camps. How do you answer the critics of trusted computing as to the loss of individual user’s privacy?

WYATT STARNES: That’s also a great question and being as heavily involved in the working group processes and the organizational structure for many years, I can tell you that those of us that are working on these technologies and methods spend some percentage of every day thinking about that concern. How do you create more secure and inherently trusted machines without losing the privacy that – that consumers not only expect but demand, right? And there are some very good ways to do that. Number one is customers themselves, the users of the machines, can decide what level of trust they want to employ on their individual systems. The suppliers of the machines do not force customers to divulge private information off their machines. They do not force customers to take the individual machine identifiers and link that with the software and the activity that’s happening on that machine and provide that to vendors. So, we’ve built a lot of flexibility into the architectural method to protect privacy, but the fact of the matter is there is a very hard trade-off that one has to make between convenience and ultimately security.

Back to the physical world, none of us like going through the metal detection machines and all of the TSA practices that came in after September 11th. You know, our kids will never remember the day where you just got your ticket out, walked directly in and got on the plane. But we had to give up a certain degree of flexibility in order to protect ourselves. And we’re following the same premise in the trusted computing space. You don’t have to give up 100% of your privacy at all. In fact, your privacy is very well protected in the methods that are developed, but we’re providing a much higher degree of safety and security and reliability of systems. So, I think you can find a balance there. I think customers at the end of the day will help evoke where the right balance point is.

The Trusted Computing Group effort is not dictating, you know, that you have to give up certain privacy rights in order to make this work. We’re building highly flexible mechanisms that will allow, certainly enterprises that have a lot at stake, to manage to a much better set of implicit trust and inherent security in their systems. So, we see it much more as a shift of responsibility than anything. You know, where we as an industry have pushed those costs and that responsibility largely out to our end customers, we are now beginning to assume a lot of that responsibility ourselves.

LINDA MCGLASSON: Obviously, the trusted computing movement will help improve information security at financial institutions and for their customers. In closing, Wyatt, do you have any parting advice for the information security professionals out there in financial institutions?

WYATT STARNES: Yes. I would strongly encourage the managers and system administrators in the whole IT management infrastructure to begin to look at the problem of information security with a new set of paradigms, rather than just looking at how we defend our systems, which is certainly a security issue and a privacy issue, as we’ve discussed. It’s also an economic issue. When you look at the cost of managing complex information technology, the number of people we have assigned for the number of computers that we’re managing, our efficiency levels are exceptionally low when you compare them with other industries. So, we need to find new methods. So I would strongly encourage your listeners to set aside the privacy concern on the trusted computing side for just a moment. Don’t let it go, but set it aside and then look at some of these new and evolving implicit, built-into-the-machine trust methods that are coming along, because not only will they improve your security and your system reliability, they will begin to dramatically improve your operating efficiencies and your business agility. And in the financial services, banking community, business agility without giving up security and privacy and some of the compliance requirements is becoming a competitive factor. So, new methods are required, new methods are coming, we’re going to have to let the old methods go or substantially reduce our dependence on the old methods and embrace some of these new methods as they come to market.

LINDA MCGLASSON: Wyatt, thank you so much for joining us here today on our podcast series and we’ll look for more great news coming from you in the future.

WYATT STARNES: Well, thank you, Linda. I appreciate the opportunity to speak with you.


About the Author

Linda McGlasson, Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.