Print this article | Return to Article | Return to CFO.com
A top cop of IT security is urging companies to look beyond technology to help safeguard their systems.
Karen Winton, CFO Asia
September 1, 2002
Despite all the costly technology deployed to stave off a computer virus attack, the probability of an infection at any company anywhere is still depressingly high. Last year at least one of the top ten companies in the Fortune 500 experienced a serious virus intrusion.
The Nimda virus ("admin" spelled backward, for those who may miss the hacker sarcasm) spread rapidly in September, infecting giants such as General Electric, Yahoo, and Microsoft. The virus is reported to have knocked GE out of action for three days.
Such breaches in the walls of company systems have caused experts to wonder whether the current philosophy of protection is wrong-headed. Now it turns out that a high priest of computer security — a former developer of the ubiquitous Norton antivirus desktop computer software — is questioning the tech approach.
"Technology is not the answer," says Peter Tippett, founder and chief technologist of managed security services provider TruSecure. Instead, he argues, technology is only one line of defense in a technique that combines a checklist of actions to improve company awareness of risk and ensure vigilance.
Tippett's approach smacks of commendable common sense. Not to be outdone by the geeks, however, he points out that it conforms to a standard theory of probability called Bayesian inference. Bayes, an 18th century theologian, developed a way to understand the likelihood of an event once new conditions could be applied to a given situation.
Its applicability to security is that system hacking and computer incursions often involve not one, but a link-up of many failures to detect risk. Defining the probability of each risk separately adds nothing to an overall conception of the woes a company faces.
In this way, risk can be thought of as a moving target. With Bayes's model, Tippett attempts to build the best possible net as a snare.
If one control or solution is 80 percent effective, then it fails one out of five times, Tippett points out. Two controls, each 80 percent effective, together will fail one out of 25 times. Three 80 percent effective controls, operating together, will fail one out of 125 times. That's a 0.8 percent likelihood of failure, or a 99.2 percent probability of success.
The greater effective controls a company applies to the risk of a computer break-in, in other words, the less likely it is to occur. It's even better if the controls represent a coherent, interlocking discipline.
Sleeping Better at Night
The method gibes neatly with IT professionals' experience of their companies' vulnerability.
Jayne Radbone, manager of Nortel Networks' business solutions desk in Australia, says that the best way to address corporate security is to have an internal policy that dictates the environment, sets guidelines for enforcement and support, along with the appropriate technology. "Strategic security in a company is about the integration of policy, process, culture and technology for a comprehensive holistic security," says Radbone.
Liang Tie Hang, vice president and chief manager for operations management at NET263, a Beijing-based Internet services provider, has formalized this approach. Ideally, he says, security must exist on five levels: network, access, server, applications, and management policy.
But he asserts that managers don't appreciate the subtleties of countering threats against each. "A firewall, for example, offers protection only against one level, and that is access," he explains. "Yet there remains a misconception that it will protect against all viruses."
NET263 has in place Nokia Internet Centre security software plus a 24-hour, seven-day-a-week , in-house team of IT specialists ready to pounce on an incursion the instant it occurs. "It's no good putting faith in a firewall alone," says Liang. "We must also watch network operations and make sure someone is there to put into place the right measures in case of a security breach. He adds: "The 24-hour watch concept is a crucial aspect of that network security."
Of course, Nokia and TruSecure are not the industry's sole practitioners of the 24/7 style of computer security. Vendors such as Symantec, Nortel Networks, and McAfee also offer guidance on installing intrusion detection systems, firewalls or other specific deliverables, plus the physical hardware and software products.
But TruSecure sells an enterprise risk management program. The one-year risk-assessment consultation and action plan costs upward from $50,000. In comparison, Symantec's Gateway Security, an all-in-one corporate software application that sits on a Linux platform, starts at $20,000, and rises to roughly $50,000 per implementation, depending on company size and the complexity of implementation
The Holistic Approach
Peter Tippett's eclectic background has proved a good staging ground for the multi-disciplinary approach. Tippett earned a Ph.D. in biochemistry and M.D. in internal medicine at Case Western Reserve University. He also studied for 18 months at Rockefeller University with R.B. Merrifield and Stanford Moore, Nobel laureates in chemistry.
TruSecure's operatives start by analyzing a company's vulnerabilities. They then apply a risk matrix to estimate the likelihood and cost severity of a breach. After that, they adapt their approach to a company's security priorities.
Keeping those priorities in mind, they oversee the implementation of 20 recommended virus controls at the desktop level, plus appropriate controls for E-mail applications, network file and print servers, E-mail gateways, and firewalls.
TruSecure claims that setting in place controls at the desktop level takes from one to several days to configure, test, and propagate, depending on a company's size and the complexity of its systems. But the full monty, so to speak, which involves changes in adjustments in procedure and changes in employee behavior, can take more than six months.
At Bank Central Asia's (BCA) Jakarta, Indonesia headquarters, TruSecure's entire risk management program is under implementation in the bank's 795 branches. The deployment follows an initial rollout over seven months, which focused on the bank's Internet banking business. Darius Wanardi, general manager for IT, says that it wasn't easy to implement the program from scratch.
To meet the practices that TruSecure required before bestowing certification took a long time. TruSecure is a stringent guardian of its certification, which carries with it a money-back guarantee if its methods fail to prevent a hacker break-in. "We had to create new security procedures and policies because we were a new player in the Internet and had no expertise in that area," says Wanardi.
But the upside is that BCA has experienced no Internet security breaches since it signed on with TruSecure in December 2000. Wanardi also says that intercompany awareness of security has become much better, as has knowledge of security issues that affect the bank. "We now have a set of standard procedures and information security policies in place," says Wanardi. "We have to maintain them to keep our TruSecure certification valid."
He adds, "And, of course, our management now sleeps well at night."
Sidebar: Bottomless Pit
CFOs might well regard the enormous and growing cost of network security as an indictment that current methods don't work.
Organizations worldwide spent $8 billion on information security services last year, an increase of more than 19 percent over 2000. Technology consultants at IDC expect this expenditure to reach $24 billion by 2006.
Antivirus products represent a chunk of the expenditure. In the United States last year, 70 percent of desktop computers, 91 percent of servers, 45 percent of proxy devices and firewalls, and 80 percent of email gateways appeared to be protected by full-time antivirus products. Analysts at IT consultants Butler Group in London say that the situation is being made worse by operations issues. They estimate that supporting and managing a company's security setup can account for as much as 80 percent of the company's total investment. The remaining 20 percent is the cost of the software.
What impact did all this investment have on viruses? Almost zero, according to the ICSA Labs Virus Prevalence Survey 2001 published by TruSecure. The survey says that the likelihood of a worm or virus breaching a company firewall has grown at a 15 percent annual clip since 1999.