The long view of security strategies for your network.
Weekend Edition Saturday is a two-hour news show from National Public Radio that covers a wide range of topics with intelligence and flair. On June 21, host Scott Simon reported on the Mississippi River flooding of recent weeks. I was particularly interested in his interview with Timothy Kusky, director of the Center for Environmental Sciences at St. Louis University, who explained that the improvements to levees all along the river have resulted in an inevitable rise in the flood crests all along the great river. In earlier times, upstream flood waters would be dispersed into flood plains, protecting downstream locations from some of the rising water; with tighter control over the flooding, that water now reaches downstream in much higher volumes and at much higher flood levels.
The story got me thinking about an issue that should concern organizations which have fallen behind industry standards of improved security in recent times.
Readers may have heard the old story about the hikers walking in the back country of British Columbia who round a corner and suddenly confront a 1,000-pound grizzly bear standing 8 feet tall in front of them. The hikers drop their packs and take off back down the trail running for their lives. One of the hikers says, “[pant, pant] This is crazy! [pant, pant] We can’t outrun a grizzly bear! [pant, pant] They can run 25 miles per hour and they can climb trees!” The other hiker responds, “[pant, pant] I don’t have to outrun the grizzly bear. [pant, pant] I just have to outrun [pant, pant] YOU.”
Security instructors have been using the story for years to emphasize that part of the task of securing systems is making the protected system a less appealing target for the opportunistic attacker than a less-secured system. The same principle applies to, say, steering-wheel locking bars. A determined car thief can easily disable such a device in less than a minute, but if there are many more equally valuable cars on the street that don’t have the locking bar, why bother? It’s less risky and less trouble just to steal some other car with lower security.
So what happens when almost all the cars have steering-wheel locking bars? The risk for unprotected cars rises.
Even the federal government’s information-security management has improved: a report issued in May 2008 by the House Oversight and Government Reform Committee comparing 2007 results to 2006 evaluations raised the overall grade from C- to C. When counseling students in similar situations, I always smile, adopt an encouraging tone and say things like, “This is a good beginning! Now let’s look at where you can make some more gains. First, let’s consider your study habits, and then we can look at this procrastination problem we’ve been struggling with….”
You can bring up the issue of falling behind the next time your boss argues that your organization hasn’t been hit by hackers / industrial spies / angry employees / identity thieves / competitors yet, so there’s no point in spending money on improving security. As poorly protected organizations fall further behind the rising standards of security, they will become more interesting targets for criminals of all kinds who are looking for an easy mark.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.