
IT vs. the mischief makers

Dec 22, 2003

As cyberpunks crank up their games, network executives fight back by building security-aware corporate cultures.

The summer of 2003 will go down in the history books as a rough one for network security executives. According to Computer Economics, an IT research and consulting firm, hackers unleashed at least 50 viruses during August alone. These include the Blaster worm, which Symantec estimated infiltrated 330,000 systems within its first four days, and SoBig.F, to which e-mail security tools vendor MessageLabs awarded the dubious honor of being the fastest-spreading virus ever. The company intercepted 12.8 million SoBig.F-laced e-mails for more than 65,000 business customers within 13 days of its release.

Computer Economics estimates that the financial effects of worms and viruses unleashed in August could reach $2 billion. A toll like that leaves network executives struggling to answer two big questions: Will business always live in fear of virus writers? And what will it take to turn the tide against the bad guys?

Action plan

Security experts say network executives can triumph over the ne’er-do-wells. What’s needed, they say, are pervasive security-aware corporate cultures.

To get there, network executives must begin by insisting on CEO leadership. The CEO must decide on the risk level the company is willing to take and instill in the workforce the importance of being security-savvy and of using security technologies to protect against attacks.

In a security culture, regularly changing passwords, not opening suspicious e-mail attachments and other basic precautions are second nature. One way to engender such a culture is to include security compliance in performance reviews, suggests Mike Rasmussen, a security analyst at Forrester Research and vice president of standards and public policy at the Information Systems Security Association (ISSA).

Getting tough on non-compliers is another option. David Cullinane, ISSA president, explains how one company avoided succumbing to this year’s MS-SQL Slammer worm by giving users 48 hours to apply patches and then severing network connections for those who did not comply by the deadline.

For their part, network security professionals must accept the CEO’s risk assessment and strive to better understand the delicate balance of remaining open for business while staying protected, security experts say. “Some security people seem to think that they can issue edicts and that things will happen. But businesses take risks all the time – that’s how they make money,” says Cullinane, who also is chief information security officer at a Fortune 500 financial services company he declined to name.

Practice what you preach

To be sure, IT departments are not excused from the cultural change necessary to combat all the script kiddies, malicious hackers and serious cybercriminals out there.

Blaming Microsoft for selling software with vulnerabilities is easy, but in-house developers should be building better security into their code. And as Microsoft works to streamline its much-maligned patch-management architecture, user organizations should standardize on one version of an operating system. “You can’t afford to deal with systems that can’t be patched because they are too old,” Cullinane says.

And user organizations must put in place adequate programs for tracking how a system was built, recording its maintenance and life cycle, and knowing which group is accountable for its security, says Joe Duffy, security practice global leader for PricewaterhouseCoopers’ Global Risk Management Solutions. “Who has accountability and why? The security guys don’t have authority to do anything about how assets are configured and deployed,” he says. “The good guys will never get the upper hand if they don’t know where their computer assets are.”

IT operations and security teams often work against each other to the detriment of overall security, says Jose Granado, a partner in Ernst & Young’s Security & Technology Practice. “The IT guys try to get things running and operational and the security guys are regarded as the ones who say ‘no,’ so sometimes IT tries to circumvent things.”

The issue: According to the 2003 Computer Security Institute/FBI Computer Crime and Security Survey, 75% of 530 respondents suffered financial losses as a result of computer crimes. Theft of proprietary information and denial-of-service attacks led to the highest losses, at $70.2 billion and $65.6 billion, respectively; losses from virus attacks reached $27.4 billion. The reported number of newly discovered vulnerabilities doubles each year, according to CERT.
Outlook: Good can triumph if user organizations create security-conscious cultures. Companies must decide the level of risk their organizations are willing to take, and IT and security teams must create security frameworks and awareness programs that ensure employees become security-savvy.
Enterprise impact: Employees should consider security measures, such as regularly changing passwords and not opening suspicious e-mail attachments, as a matter of course. Application developers should build security into code, and business managers should present security as a competitive advantage.

User organizations must embrace security as an enabler rather than as some bad-tasting medicine, ISSA’s Rasmussen says. By managing risk and putting in adequate controls, security could help extend a business. For example, banks enable online transactions by using passwords that should contain a certain number of characters or symbols. Asking for a higher level of authentication, such as password plus token, would turn security into a disabler.

Patience in the playing

Rasmussen says he expects the security playing field to become more balanced over the next five years. “Organizations will pull ahead because of the cultural change, and software vendors will build tighter security,” he says.

And nothing is more powerful than a security-savvy workforce, Cullinane adds. “If you have 60,000 employees you will have 60,000 pairs of eyes watching for strange things happening on the network,” he says.