Exposing the myths of security

24 Sep 2003

“When people say they’ve never had a security breach and that their systems are secure it usually means that their security is so bad they don’t realise they have a problem.” This was one of the view-from-the-trenches type of insights into computer security that keynote speaker Ira Winkler brought to the IDC IT Security Conference in Dublin yesterday.

A bestselling author and former intelligence expert within the US government’s National Security Agency, Winkler is now chief security strategist with computer maker Hewlett-Packard. His often swashbuckling approach to computer security involves performing penetration tests, where he ‘breaks into’ some of the largest businesses in the world to investigate crimes against them.

This modern-day James Bond, as he is often called, had titled his presentation ‘Zen and the Art of Cybersecurity’, but if his audience was expecting revelations about the dark and murky world of hacking and virtual espionage, it would have been disappointed. In fact, Winkler made a point of peeling away the layers of mystique that surround computer security and focusing on the real issues.

His first target was the way computer hackers have been elevated to a sort of demi-god status by the media and even certain elements of the business community who have a grudging admiration for the way these teenage script kiddies can breach corporate networks. “When you don’t understand your enemy they seem like geniuses,” Winkler observed, adding: “It’s really easy to break into a computer. I could train a monkey to break into one in four hours. Hackers are nuisance vandals not geniuses.”

He wryly noted that it often suits IT managers to build up hackers into a “great enemy” to cover their own failure to secure their networks and to allow them to portray themselves as brave knights looking to slay the fearsome dragon trying to destroy the corporate edifice.

Another target was cyber terrorism and the way the US Government and media in particular had become obsessed with this type of threat. In Winkler’s view, cyber terrorism – terror groups using the internet to seek out intelligence or to orchestrate a global assault on the computer systems of big business – is not a problem that most ordinary businesses need to worry about. “Cyber terror is not effective,” he claimed. “Terrorists want highly ‘visual’ attacks such as Pan Am 103 or the World Trade Centre; they don’t want to just create damage.” A greater threat, he argued, is represented by viruses such as Nimda and Code Red, which have caused billions of dollars worth of losses to business but were not acts of terror per se.

Security professionals and consultants did not escape a tongue-lashing from Winkler either, especially those who are unwilling to accept the limitations of their own knowledge and who assure clients that they can provide ‘bullet-proof’ security solutions. There is no such thing as 100pc security, Winkler warned: “There are only two people who sell perfect security: liars and fools.”

The exaggerated claims of the security industry were picked up by other speakers at the conference, including Lionel Lamy, research manager for European infrastructure management services at IDC. In an interview beforehand, Lamy described bullet-proof security as simply unattainable. “Security is a journey; it’s not a state. You can’t say you’re 100pc secure or say that you’ve spent a million dollars, have ticked that box and now you’re secure. It doesn’t work that way.”

Companies looking to build a strong security infrastructure needed to understand first of all that security is not a one-size-fits-all phenomenon. “It’s all about business needs,” said Lamy. “There’s no single technology answer to security threats. It’s all about knowing what’s good for your business, what your business requires and how you can adapt your security policy and investments to suit your business.”

He added that there is inevitably a trade-off between cost and risk and between risk and the openness of a company’s business systems. “Ideally, to counter any security threats, emails would only be internal and you would stop your staff accessing the internet but you can’t do business that way; you need to open up, but in doing so you expose yourself to attack.”

While preventing external attacks is often the main priority, businesses should not overlook the disgruntled employee factor either, advised Andy O’Kelly, technical director of LAN Communications. “The majority of incidents are internal. It’s usually not the teenager in the top bedroom in the Megadeth T-shirt.”

Noting that rigorously applied policies and procedures are the key to preventing both internal and external attacks, he said that many elements of IT security can be outsourced, but security policies should not be one of them. “Policy is almost a cliché, but it’s the first thing you’ve got to do.”

While technologies such as firewalls, anti-virus software and intrusion detection systems are an integral part of many companies’ defences, unless ‘softer’ issues such as policy and training are also in place, companies will leave themselves wide open to attack, argued Winkler, concluding his presentation. “You buy a car and the importance of safety is emphasised from day one,” he noted. “But nobody tells people when they get a computer in the office or at home how to use it safely.”

By Brian Skelly

Pictured: Ira Winkler, chief security strategist at HP, speaking at IDC’s IT Security Conference 2003 in Dublin this week