Despite all the costly technology deployed to stave off a computer virus attack, the probability of an infection at any company anywhere is still depressingly high. Last year at least one of the top ten companies in the Fortune 500 experienced a serious virus intrusion.
The Nimda virus ("admin" spelled backward, for those who may miss the hacker sarcasm) spread rapidly in September, infecting giants such as General Electric, Yahoo, and Microsoft. The virus is reported to have knocked GE out of action for three days.
Such breaches in the walls of company systems have caused experts to wonder whether the current philosophy of protection is wrong-headed. Now it turns out that a high priest of computer security — a former developer of the ubiquitous Norton antivirus desktop computer software — is questioning the tech approach.
"Technology is not the answer," says Peter Tippett, founder and chief technologist of managed security services provider TruSecure. Instead, he argues, technology is only one line of defense in a technique that combines a checklist of actions to improve company awareness of risk and ensure vigilance.
Tippett's approach smacks of commendable common sense. Not to be outdone by the geeks, however, he points out that it conforms to a standard theory of probability called Bayesian inference. Bayes, an 18th century theologian, developed a way to understand the likelihood of an event once new conditions could be applied to a given situation.
Its applicability to security is that system hacking and computer incursions often involve not one, but a link-up of many failures to detect risk. Defining the probability of each risk separately adds nothing to an overall conception of the woes a company faces.
In this way, risk can be thought of as a moving target. With Bayes's model, Tippett attempts to build the best possible net as a snare.
If one control or solution is 80 percent effective, then it fails one out of five times, Tippett points out. Two controls, each 80 percent effective, together will fail one out of 25 times. Three 80 percent effective controls, operating together, will fail one out of 125 times. That's a 0.8 percent likelihood of failure, or a 99.2 percent probability of success.
The more effective controls a company applies to the risk of a computer break-in, in other words, the less likely it is to occur. It's even better if the controls form a coherent, interlocking discipline.
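As an added illustration (not code from the article or from TruSecure), here is the arithmetic behind Tippett's 1-in-5, 1-in-25, 1-in-125 progression, generalized to controls of differing effectiveness and to the question of how many layers are needed to reach a target residual risk. It assumes each control fails independently of the others, which is what the multiplication requires; the function names and sample values are constructed for this example.

```python
"""Residual risk of stacked security controls (added example).

Assumption: controls fail independently. If two layers share a common
cause of failure (same signature engine, same admin account, same
outage), their failures are correlated and the product below
overstates the protection actually achieved.
"""
from math import prod


def combined_failure(effectiveness):
    """Probability that every control in the stack fails on one attempt.

    effectiveness: per-control success rates in [0, 1], e.g. [0.8, 0.8, 0.8].
    Each control's failure rate is (1 - e); independent failures multiply.
    """
    rates = list(effectiveness)
    for e in rates:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"effectiveness must be in [0, 1], got {e}")
    return prod(1.0 - e for e in rates)


def combined_success(effectiveness):
    """Probability that at least one control in the stack holds."""
    return 1.0 - combined_failure(effectiveness)


def controls_needed(effectiveness, target_failure):
    """Smallest number of identical, independent controls whose stacked
    failure probability is at or below target_failure.

    Uses repeated multiplication rather than logarithms so that the
    boundary cases are not distorted by floating-point rounding.
    """
    if not 0.0 < effectiveness < 1.0:
        raise ValueError("need 0 < effectiveness < 1")
    if not 0.0 < target_failure < 1.0:
        raise ValueError("need 0 < target_failure < 1")
    layers, residual = 0, 1.0
    while residual > target_failure:
        residual *= 1.0 - effectiveness
        layers += 1
    return layers


if __name__ == "__main__":
    # Reproduces the article's figures: 1/5, 1/25, 1/125 (0.8% failure, 99.2% success).
    for n in (1, 2, 3):
        stack = [0.8] * n
        print(n, "controls:", f"fail {combined_failure(stack):.3%}",
              f"succeed {combined_success(stack):.3%}")
    # A mixed stack: a 90% control behind a 50% one still fails 1 in 20 times.
    print("mixed [0.9, 0.5]:", f"fail {combined_failure([0.9, 0.5]):.1%}")
    print("80% layers to reach 1% residual risk:", controls_needed(0.8, 0.01))
```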
Sleeping Better at Night
The method gibes neatly with IT professionals' experience of their companies' vulnerability.
Jayne Radbone, manager of Nortel Networks' business solutions desk in Australia, says that the best way to address corporate security is to have an internal policy that defines the environment and sets guidelines for enforcement and support, combined with the appropriate technology. "Strategic security in a company is about the integration of policy, process, culture and technology for a comprehensive holistic security," says Radbone.
Liang Tie Hang, vice president and chief manager for operations management at NET263, a Beijing-based Internet services provider, has formalized this approach. Ideally, he says, security must exist on five levels: network, access, server, applications, and management policy.
But he asserts that managers don't appreciate the subtleties of countering threats against each. "A firewall, for example, offers protection only against one level, and that is access," he explains. "Yet there remains a misconception that it will protect against all viruses."
NET263 has in place Nokia Internet Centre security software plus a 24-hour, seven-day-a-week, in-house team of IT specialists ready to pounce on an incursion the instant it occurs. "It's no good putting faith in a firewall alone," says Liang. "We must also watch network operations and make sure someone is there to put into place the right measures in case of a security breach." He adds: "The 24-hour watch concept is a crucial aspect of that network security."
Of course, Nokia and TruSecure are not the industry's sole practitioners of the 24/7 style of computer security. Vendors such as Symantec, Nortel Networks, and McAfee also offer guidance on installing intrusion detection systems, firewalls or other specific deliverables, plus the physical hardware and software products.
But TruSecure sells an enterprise risk management program. The one-year risk-assessment consultation and action plan costs upward from $50,000. In comparison, Symantec's Gateway Security, an all-in-one corporate software application that sits on a Linux platform, starts at $20,000 and rises to roughly $50,000 per implementation, depending on company size and the complexity of implementation.
The Holistic Approach
Peter Tippett's eclectic background has proved a good staging ground for the multi-disciplinary approach. Tippett earned a Ph.D. in biochemistry and M.D. in internal medicine at Case Western Reserve University. He also studied for 18 months at Rockefeller University with R.B. Merrifield and Stanford Moore, Nobel laureates in chemistry.
TruSecure's operatives start by analyzing a company's vulnerabilities. They then apply a risk matrix to estimate the likelihood and cost severity of a breach. After that, they adapt their approach to a company's security priorities.