Two months ago, Debora Plunkett, director of the Information Assurance Directorate (IAD) at the U.S. National Security Agency (NSA), made headlines when she told attendees at a cyber security forum that there is “no such thing as ‘secure’ anymore.”
What Plunkett meant, according to Dickie George, technical director of the NSA’s IAD, is that there has been a paradigm shift in network and computer security: rather than focusing all efforts on keeping intruders out, the reality of today’s world forces security teams to assume that adversaries can and do access their networks.
While keeping intruders out is still the primary objective, George said during the annual Cryptographers’ Panel at the RSA Conference 2011 in San Francisco, monitoring today’s networks requires keeping a vigilant eye on the inside for uncharacteristic or “inappropriate” behavior.
“If you assume they haven’t been [inside your network], you are setting yourself up for a shock,” George said.
George and fellow panelists, including Ronald Rivest, the Viterbi professor of electrical engineering and computer science at MIT, said cryptography remains the best tool available for ensuring network security. But they noted that cryptography has its limitations.