Information Security News mailing list archives

Security myths costing firms


From: InfoSec News <isn () c4i org>
Date: Tue, 7 May 2002 03:53:00 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://australianit.news.com.au/articles/0,7204,4265774%5E15306%5E%5Enbv%5E,00.html

Karen Dearne
MAY 07, 2002  
 
SECURITY guru Peter Tippett loves to shock people.
 
He invites IT professionals to seminars on network security and then
says you don't need more network security - at least, you don't need
as much as vendors want to sell to you. Spend up on anti-virus
software if you want to, he said.

But most businesses already had quite adequate security systems in
place and personnel trained to deal with incidents, said Dr Tippett,
who helped invent Norton security products and is now chief technology
officer of TruSecure.

He said no security system was ever going to be 100 per cent
effective.

The costs involved in reacting to every alert or vulnerability would
be prohibitive, in any case, he said.

A better approach was to quantify security risks, and take steps to
realistically address them - bearing in mind the costs of doing so.

Dr Tippett said companies were spending more money on security every
year, but the problems of web defacements, intrusions, viruses and
denial of service attacks still became worse. It was a mindset
problem, he said. Companies were focusing on the wrong things and
failing to get the basics right.

"The problem is that people assume each security measure has 'binary
effectiveness' - it either works all of the time or not at all," he
said. "And while we pay lip service to the idea that no security is
perfect, we still believe good security controls will be 99 per cent
effective. Yet trying to achieve even 90 per cent effectiveness is
incredibly costly, time-consuming and even counterproductive."

A better approach was to employ "synergistic security", which hinged
on the concept of redundancy in security controls, Dr Tippett said.

A keen pilot, he likens the internet to the early days of commercial
aviation, when there was little effort to control safety and planes
frequently crashed.

Now airline safety has improved 1000-fold, largely due to improved
safety practices. If safety hadn't improved and planes crashed at the
same rate they did 60 years ago, more than 500 people would die in air
disasters each day, Dr Tippett said.

Better technologies only accounted for a tenfold improvement in
safety; better education and better practices had multiplied this a
hundredfold.

Dr Tippett said the internet needed something similar to the aviation
industry - traffic controllers and government-backed agencies that
provided immediate warnings in emergencies, and ensured the skies were
safe and planes and pilots met stringent standards.

"In internet security, there's no-one that can tell you what things
you must do to protect your systems," he said.

"There's no formal mechanism for distributing information about
problems and what must be done to fix them."

TruSecure is positioning itself in that space, as an information
repository and advisory service. Dr Tippett said the company monitored
the activities of some 800 hacker groups and collected 200 gigabytes
of net traffic a day, to keep ahead of the problems.

Most companies could improve their security by complementing the
primary controls - firewalls, anti-virus scanners, encryption,
intrusion detectors - with simple synergistic controls.

"These controls need to be cheap, easy and non-infringing [on business
operations] and effective enough against an important category of
risk," he said. "For example, to protect an IIS server from external
hacks, you could implement multiple complementary controls at
different levels.

"At the perimeter, configure border routers and firewalls to
default-deny traffic. On the IIS box itself you could delete sample
files, move or rename the command shell .exe and delete the scripts
directory.

"On the policies and practices level, you could specify only local
management of the server and insist on a quarterly tune-up. And so
on."

At a bare minimum, companies should have either two primary controls
(with greater than 90 per cent effectiveness), or a primary and at
least three synergistic controls for each category of risk. "Failure
of any one control in a scenario like this would still leave better
than 99 per cent effectiveness," Dr Tippett said.
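The arithmetic behind the redundancy argument above is easy to make explicit. The following is an added illustration, not code from the article or from TruSecure: it treats each control as stopping a fraction of the attacks in one risk category, assumes the controls fail independently (so an attack succeeds only if it gets past every layer), and computes the combined effectiveness before and after any single control stops working. The article only gives a figure for primary controls (better than 90 per cent); the 70 per cent figures for the synergistic IIS hardening steps are constructed for the example, and the result after a failure depends on them and on the independence assumption, which is the caveat a practitioner should keep in view when reusing this reasoning.

```python
"""Combined effectiveness of layered ("synergistic") security controls.

Added example, not from the article or TruSecure. Assumes controls fail
independently: an attack in a given risk category succeeds only if every
layer misses it. Effectiveness figures for the synergistic controls are
constructed for illustration; the article gives numbers only for primary
controls (better than 90 per cent).
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # fraction of attacks in the category it stops, 0..1
    primary: bool = False

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be in [0, 1]")


def combined_effectiveness(controls):
    """Probability that at least one layer stops the attack.

    With independent layers the attack succeeds only if every control
    misses it, so P(miss all) is the product of (1 - e_i); the combined
    effectiveness is the complement of that product.
    """
    p_miss_all = 1.0
    for c in controls:
        p_miss_all *= 1.0 - c.effectiveness
    return 1.0 - p_miss_all


def worst_case_after_failures(controls, max_failed=1):
    """Lowest combined effectiveness when up to `max_failed` controls fail outright.

    A failed control contributes nothing (its effectiveness becomes 0),
    which is the 'binary effectiveness' situation the article warns about.
    Returns (effectiveness, names of the controls whose loss hurts most).
    """
    worst = (combined_effectiveness(controls), ())
    for k in range(1, max_failed + 1):
        for failed in combinations(controls, k):
            remaining = [c for c in controls if c not in failed]
            eff = combined_effectiveness(remaining)
            if eff < worst[0]:
                worst = (eff, tuple(c.name for c in failed))
    return worst


def meets_minimum(controls):
    """The article's floor: two primaries, or one primary plus three synergistic."""
    primaries = sum(1 for c in controls if c.primary)
    synergistic = len(controls) - primaries
    return primaries >= 2 or (primaries >= 1 and synergistic >= 3)


# Constructed scenarios for the article's IIS server example.
TWO_PRIMARIES = [
    Control("border firewall, default-deny", 0.90, primary=True),
    Control("network intrusion detector", 0.90, primary=True),
]

PRIMARY_PLUS_SYNERGISTIC = [
    Control("border firewall, default-deny", 0.90, primary=True),
    Control("sample files deleted", 0.70),        # assumed figure
    Control("command shell moved/renamed", 0.70),  # assumed figure
    Control("scripts directory deleted", 0.70),   # assumed figure
]

if __name__ == "__main__":
    scenarios = [("two primaries", TWO_PRIMARIES),
                 ("primary + 3 synergistic", PRIMARY_PLUS_SYNERGISTIC)]
    for label, controls in scenarios:
        eff = combined_effectiveness(controls)
        worst, lost = worst_case_after_failures(controls)
        print(f"{label}: meets minimum={meets_minimum(controls)}, "
              f"combined={eff:.4f}, worst after one failure={worst:.4f} "
              f"(lost: {', '.join(lost) or 'none'})")
```

With the assumed figures, two independent 90 per cent primaries combine to 99 per cent, and one primary plus three 70 per cent synergistic controls to 99.73 per cent; losing the primary in the second set leaves 97.3 per cent, losing one synergistic control 99.1 per cent. The numbers change with the assumed effectiveness of each layer, and they overstate the benefit when controls share a failure mode (the same misconfiguration, the same administrator), so the independence assumption is what to examine first when applying this to a real environment.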


----------------------------------------------------------------------


Tippett's Top Net Security Myths

'Encryption over the internet is important.'

But Dr Tippett said the increasing speed and complexity of networks
meant it was almost impossible to inspect traffic for a single
message.


'More obscure end-user passwords are advisable.'

There was no measurable benefit, he said.


'Daily anti-virus updates are required.'

Dr Tippett said daily updates were only 1 or 2 per cent better than
weekly updates.


'Most vulnerabilities should be patched.'

Vulnerabilities have to be quantified in terms of the probability of a
threat succeeding. In many cases, a threat would not be worth worrying
about.


'Most businesses should focus more attention on firewall maintenance
and management.'

Just get firewalls up to 90 per cent effectiveness and ensure default
router rules are not overridden, Dr Tippett advises.

"It's about concentrating on essential practices, rather than best
practice," Dr Tippett said.

 
 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org
