AT&T Security Manager (092008)

AT&T security guru talks DoS attacks, tomorrow’s hackers
Botnets, protection of personal information pose biggest challenges, CSO Edward Amoroso says

Edward Amoroso is the chief security officer at AT&T in Florham Park, N.J., as well as a professor who has written several textbooks on information security. Amoroso spoke with Network World’s Jon Brodkin this week in Boston, where he delivered a keynote about network security during Forrester’s Security Forum.

What are your biggest security challenges at AT&T?
The biggest challenge right now is sensitive personal information being all over the place, Social Security numbers, credit card numbers. It’s an IT problem. I’m not even convinced it’s appropriate to call it a security problem, it’s just IT infrastructure has developed in a way where that stuff is all over the place. We’re encrypting the whole company. That’s a pretty heavy-handed approach to solving the problem, but that’s really the only option.

Have you lost any sensitive data?
We’ve had some laptops that have been lost just like anybody else. So we report those and move on. That’s been the extent of it, it could be worse.
You also spoke about network security and defending against botnets and denial-of-service attacks in your keynote.
That’s our second-biggest challenge. Keep in mind, we’re a service provider, so the availability threat is way more important than if we were selling software. If Microsoft.com is down for an hour, it wouldn’t be good but it’s not a stock-price-affecting problem. If our network services are down for an hour, that is a very big problem.

Will AT&T be able to successfully defend against these botnets?
We do it now. These things we see, a lot of them are aimed at us all the time. Any carrier that says ‘we’re not under attack’ is lying to you.
Last December, we saw some pretty significant increases in traffic aimed at our host. We think that somebody was aiming big denial of service attacks at our hosting DNS services. We just filter the traffic, we survive it. It’s just the normal course of business for that stuff to be lobbed at you, and you block it.

You’re an adjunct professor of computer science at the Stevens Institute of Technology. What can we expect from the next generation of computer scientists?
They’re good hackers, that’s for sure. They come in and they’ve been reading hacking magazines since they were little kids. There’s a lot of foolishness in youth so a lot of young people do design attack tools. They’re better [than previous generations]. But they’re also better as computer scientists. I would say there’s a general uplift in capability, good and bad. It keeps me sharp. They let me have it if I don’t know the answer to something.

If this new generation of computer scientists is smarter, what kind of impact will they have when they enter the workforce?
I’m in my 40s. When I was growing up technology wasn’t generally available. Young people today are growing up with technology and they speak it fluently the way you speak French in Paris.
My kids, I buy them these complex gaming systems. My son, he’ll go online and buy these hacking devices, and expanded memory and a way of bridging Wi-Fi to our video, and to his camera. There’s no manual, there’s no anything, he’s just sort of natively doing it, and it just works.
When he gets into the workforce, I don’t know if he’s going to be an engineer, a lawyer, a doctor or whatever. But whatever he’s doing he brings that capability to bear. If he goes bad and decides he wants to be a hacker then we’ve got a problem because that’s a kid who knows what he’s doing.