[ISN] Security myths costing firms

From: InfoSec News (isnat_private)
Date: Tue May 07 2002 - 01:53:00 PDT


    Forwarded from: William Knowles <wkat_private>

    Karen Dearne
    MAY 07, 2002

    SECURITY guru Peter Tippett loves to shock people.

    He invites IT professionals to seminars on network security and then
    says you don't need more network security - at least, you don't need
    as much as vendors want to sell to you.  Spend up on anti-virus
    software if you want to, he said.

    But most businesses already had quite adequate security systems in
    place and personnel trained to deal with incidents, said Dr Tippett,
    who helped invent Norton security products and is now chief technology
    officer of TruSecure.

    He said no security system was ever going to be 100 per cent

    The costs involved in reacting to every alert or vulnerability would
    be prohibitive, in any case, he said.

    A better approach was to quantify security risks, and take steps to
    realistically address them - bearing in mind the costs of doing so.

    Dr Tippett said companies were spending more money on security every
    year, but the problems of web defacements, intrusions, viruses and
    denial of service attacks still became worse. It was a mindset
    problem, he said. Companies were focusing on the wrong things and
    failing to get the basics right.

    "The problem is that people assume each security measure has 'binary
    effectiveness' - it either works all of the time or not at all," he
    said. "And while we pay lip service to the idea that no security is
    perfect, we still believe good security controls will be 99 per cent
    effective. Yet trying to achieve even 90 per cent effectiveness is
    incredibly costly, time-consuming and even counterproductive."

    A better approach was to employ "synergistic security", which hinged
    on the concept of redundancy in security controls, Dr Tippett said.

    A keen pilot, he likens the internet to the early days of commercial
    aviation, when there was little effort to control safety and planes
    frequently crashed.

    Now airline safety has improved 1000-fold, largely due to improved
    safety practices. If safety hadn't improved and planes crashed at the
    same rate they did 60 years ago, more than 500 people would die in air
    disasters each day, Dr Tippett said.

    Better technologies only accounted for a tenfold improvement in
    safety; better education and better practices had multiplied this a

    Dr Tippett said the internet needed something similar to the aviation
    industry - traffic controllers and government-backed agencies that
    provided immediate warnings in emergencies, and ensured the skies were
    safe and planes and pilots met stringent standards.

    "In internet security, there's no-one that can tell you what things
    you must do to protect your systems," he said.

    "There's no formal mechanism for distributing information about
    problems and what must be done to fix them."

    TruSecure is positioning itself in that space, as an information
    repository and advisory service. Dr Tippett said the company monitored
    the activities of some 800 hacker groups and collected 200 gigabytes
    of net traffic a day, to keep ahead of the problems.

    Most companies could improve their security by complementing the
    primary controls - firewalls, anti-virus scanners, encryption,
    intrusion detectors - with simple synergistic controls.

    "These controls need to be cheap, easy and non-infringing [on business
    operations] and effective enough against an important category of
    risk," he said. "For example, to protect an IIS server from external
    hacks, you could implement multiple complementary controls at
    different levels.

    "At the perimeter, configure border routers and firewalls to
    default-deny traffic. On the IIS box itself you could delete sample
    files, move or rename the command shell .exe and delete the scripts

    "On the policies and practices level, you could specify only local
    management of the server and insist on a quarterly tune-up. And so

    At a bare minimum, companies should have either two primary controls
    (with greater than 90 per cent effectiveness), or a primary and at
    least three synergistic controls for each category of risks. "Failure
    of any one control in a scenario like this would still leave better
    than 99 per cent effectiveness," Dr Tippett said.

    Tippett's Top Net Security Myths

    'Encryption over the internet is important.'
    But Dr Tippett said the increasing speed and complexity of networks
    meant it was almost impossible to inspect traffic for a single

    'More obscure end-user passwords are advisable.'
    There was no measurable benefit, he said.

    'Daily anti-virus updates are required.'
    Dr Tippett said daily updates were only 1 or 2 per cent better than
    weekly updates.

    'Most vulnerabilities should be patched.'
    Vulnerabilities have to be quantified in terms of the probability of a
    threat succeeding. In many cases, a threat would not be worth worrying

    'Most businesses should focus more attention on firewall maintenance
    and management.'
    Just get firewalls up to 90 per cent effectiveness and ensure default
    router rules are not overridden, Dr Tippett advises.

    "It's about concentrating on essential practices, rather than best
    practice," Dr Tippett said.

    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
