Forwarded from: William Knowles

http://australianit.news.com.au/articles/0,7204,4265774%5E15306%5E%5Enbv%5E,00.html

Karen Dearne
MAY 07, 2002

SECURITY guru Peter Tippett loves to shock people. He invites IT professionals to seminars on network security and then says you don't need more network security - at least, you don't need as much as vendors want to sell to you.

Spend up on anti-virus software if you want to, he said. But most businesses already had quite adequate security systems in place and personnel trained to deal with incidents, said Dr Tippett, who helped invent Norton security products and is now chief technology officer of TruSecure.

He said no security system was ever going to be 100 per cent effective. The costs involved in reacting to every alert or vulnerability would be prohibitive, in any case, he said. A better approach was to quantify security risks, and take steps to realistically address them - bearing in mind the costs of doing so.

Dr Tippett said companies were spending more money on security every year, but the problems of web defacements, intrusions, viruses and denial of service attacks still became worse. It was a mindset problem, he said. Companies were focusing on the wrong things and failing to get the basics right.

"The problem is that people assume each security measure has 'binary effectiveness' - it either works all of the time or not at all," he said. "And while we pay lip service to the idea that no security is perfect, we still believe good security controls will be 99 per cent effective. Yet trying to achieve even 90 per cent effectiveness is incredibly costly, time-consuming and even counterproductive."

A better approach was to employ "synergistic security", which hinged on the concept of redundancy in security controls, Dr Tippett said.

A keen pilot, he likens the internet to the early days of commercial aviation, when there was little effort to control safety and planes frequently crashed.
Now airline safety has improved 1000-fold, largely due to improved safety practices. If safety hadn't improved and planes crashed at the same rate they did 60 years ago, more than 500 people would die in air disasters each day, Dr Tippett said. Better technologies only accounted for a tenfold improvement in safety; better education and better practices had multiplied this a hundredfold.

Dr Tippett said the internet needed something similar to the aviation industry - traffic controllers and government-backed agencies that provided immediate warnings in emergencies, and ensured the skies were safe and planes and pilots met stringent standards.

"In internet security, there's no one that can tell you what things you must do to protect your systems," he said. "There's no formal mechanism for distributing information about problems and what must be done to fix them."

TruSecure is positioning itself in that space, as an information repository and advisory service. Dr Tippett said the company monitored the activities of some 800 hacker groups and collected 200 gigabytes of net traffic a day, to keep ahead of the problems.

Most companies could improve their security by complementing the primary controls - firewalls, anti-virus scanners, encryption, intrusion detectors - with simple synergistic controls.

"These controls need to be cheap, easy and non-infringing [on business operations] and effective enough against an important category of risk," he said. "For example, to protect an IIS server from external hacks, you could implement multiple complementary controls at different levels.

"At the perimeter, configure border routers and firewalls to default-deny traffic. On the IIS box itself you could delete sample files, move or rename the command shell .exe and delete the scripts directory.

"On the policies and practices level, you could specify only local management of the server and insist on a quarterly tune-up. And so on."
At a bare minimum, companies should have either two primary controls (with greater than 90 per cent effectiveness), or a primary and at least three synergistic controls for each category of risk.

"Failure of any one control in a scenario like this would still leave better than 99 per cent effectiveness," Dr Tippett said.

----------------------------------------------------------------------

Tippett's Top Net Security Myths

'Encryption over the internet is important.'
But Dr Tippett said the increasing speed and complexity of networks meant it was almost impossible to inspect traffic for a single message.

'More obscure end-user passwords are advisable.'
There was no measurable benefit, he said.

'Daily anti-virus updates are required.'
Dr Tippett said daily updates were only 1 or 2 per cent better than weekly updates.

'Most vulnerabilities should be patched.'
Vulnerabilities have to be quantified in terms of the probability of a threat succeeding. In many cases, a threat would not be worth worrying about.

'Most businesses should focus more attention on firewall maintenance and management.'
Just get firewalls up to 90 per cent effectiveness and ensure default router rules are not overridden, Dr Tippett advises.

"It's about concentrating on essential practices, rather than best practice," Dr Tippett said.
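A worked model of the layered IIS controls and the bare-minimum rule from the article, added here as an illustration rather than anything from TruSecure or the article itself. It assumes the layers fail independently (so residual risk is the product of each layer's miss rate), and the per-control effectiveness values are constructed assumptions, not measurements.

```python
PRIMARY_THRESHOLD = 0.90  # article: a primary control is one above 90% effective

# Constructed example values for one risk category (external compromise of an
# IIS server), following the layers the article lists. Only the firewall is
# assumed to clear the primary threshold; the rest are cheap synergistic controls.
IIS_CONTROLS = {
    "firewall default-deny (primary)": 0.92,
    "sample files deleted": 0.50,
    "command shell renamed": 0.60,
    "scripts directory deleted": 0.50,
    "local-only management": 0.40,
}


def combined_effectiveness(effs):
    """Effectiveness of independent layers: an attack gets through only if
    every layer misses it, so residual risk is the product of the miss rates."""
    residual = 1.0
    for e in effs:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"effectiveness out of range: {e}")
        residual *= 1.0 - e
    return 1.0 - residual


def worst_single_failure(controls):
    """Drop each control in turn (the 'failure of any one control' scenario)
    and return the control whose loss hurts most with the resulting effectiveness."""
    worst = None
    for name in controls:
        remaining = [v for k, v in controls.items() if k != name]
        eff = combined_effectiveness(remaining)
        if worst is None or eff < worst[1]:
            worst = (name, eff)
    return worst


def meets_bare_minimum(effs):
    """Article's rule of thumb: two primary controls (>90%), or one primary
    plus at least three synergistic controls, per category of risk."""
    effs = list(effs)
    primaries = sum(1 for e in effs if e > PRIMARY_THRESHOLD)
    synergistic = len(effs) - primaries
    return primaries >= 2 or (primaries >= 1 and synergistic >= 3)


if __name__ == "__main__":
    print(f"all layers: {combined_effectiveness(IIS_CONTROLS.values()):.2%}")
    name, eff = worst_single_failure(IIS_CONTROLS)
    print(f"worst single failure ({name}): {eff:.2%}")
    print("meets bare minimum:", meets_bare_minimum(IIS_CONTROLS.values()))
```

With these assumed numbers the stack is about 99.5% effective, and losing any one synergistic control keeps it near 99%, but losing the primary control drops it to 94%, which is the point of checking the single-failure case rather than only the combined figure.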
This archive was generated by hypermail 2b30 : Tue May 07 2002 - 04:51:43 PDT