Edward Amoroso is the chief security officer at AT&T in the US, as well as a professor who has written several textbooks on information security. Amoroso spoke with Jon Brodkin last week in Boston, where he delivered a keynote about network security during Forrester's Security Forum.
What are your biggest security challenges at AT&T?
The biggest challenge right now is sensitive personal information being all over the place, Social Security numbers, credit card numbers. It's an IT problem. I'm not even convinced it's appropriate to call it a security problem, it's just IT infrastructure has developed in a way where that stuff is all over the place. We're encrypting the whole company. That's a pretty heavy-handed approach to solving the problem, but that's really the only option.
Have you lost any sensitive data?
We've had some laptops that have been lost just like anybody else. So we report those and move on. That's been the extent of it, it could be worse.
You also spoke about network security and defending against botnets and denial-of-service attacks in your keynote.
That's our second-biggest challenge. Keep in mind, we're a service provider, so the availability threat is way more important than if we were selling software. If Microsoft.com is down for an hour, it wouldn't be good but it's not a stock-price-affecting problem. If our network services are down for an hour, that is a very big problem.
Will AT&T be able to successfully defend against these botnets?
We do it now. These things we see, a lot of them are aimed at us all the time. Any carrier that says 'we're not under attack' is lying to you.
Last December, we saw some pretty significant increases in traffic aimed at our host. We think that somebody was aiming big denial of service attacks at our hosting DNS services. We just filter the traffic, we survive it. It's just the normal course of business for that stuff to be lobbed at you, and you block it.
You're an adjunct professor of computer science at the Stevens Institute of Technology. What can we expect from the next generation of computer scientists?
They're good hackers, that's for sure. They come in and they've been reading hacking magazines since they were little kids. There's a lot of foolishness in youth so a lot of young people do design attack tools. They're better [than previous generations]. But they're also better as computer scientists. I would say there's a general uplift in capability, good and bad. It keeps me sharp. They let me have it if I don't know the answer to something.