[ISN] Year After 9/11, Cyberspace Door Is Still Ajar

From: InfoSec News (isnat_private)
Date: Tue Sep 10 2002 - 00:15:17 PDT

    Forwarded from: "eric wolbrom, CISSP" <ericat_private>
    September 9, 2002

    Sounding the alarm is not the same as paying for a deadbolt on the
    door. Which may explain why, despite the heightened fears of
    cyberterrorism and online security that followed last September's
    attacks in New York and Washington, few American businesses or
    organizations have responded with new measures to safeguard their
    computing systems from intruders.

    Harris Miller had hoped it would be otherwise. He recalls that warning
    Americans about cyberterrorism and online security before Sept. 11 had
    been an exercise in futility.

    "I felt like Sisyphus," said Mr. Miller, president of the
    Information Technology Association of America, a trade group, adding
    that his pleas for greater awareness and quicker action were
    consistently ignored. "Just rolling the stone up the mountain, and it
    kept rolling right back down again." For government, corporations and
    individuals alike, Mr. Miller said, computer security was always "the
    11th item on a 10-item list."

    Then came the attacks -- and with them, a growing sense that terrorism
    could happen anywhere. And anywhere included the nation's computer
    networks and all the critical systems that were tied to them.

    "It really was a wake-up call," said Mario Correa, director of
    Internet and network security policy for the Business Software
    Alliance, an industry lobbying group in Washington.

    Security experts predicted that their calls would finally be heeded
    and that corporations and governments would shore up their
    cyberdefenses. Some even spoke of a "security dividend" for the
    industry arising from the attacks. The International Data Group, a
    publisher of trade magazines, even announced a new magazine, CSO,
    aimed at the hoped-for legions of deep-pocketed corporate chief
    security officers.

    So what has changed in the year since the attacks?

    Not so much, actually.

    The fretting, certainly, has been vocal. Companies say in survey after
    survey that they believe they, and the government, are still
    vulnerable to cyberattack. Indeed, a poll published this summer by the
    Business Software Alliance found that 60 percent of those who are
    directly responsible for their companies' network security believe
    that United States businesses are at risk for a major cyberattack in
    the next 12 months.

    And a government team led by Richard A. Clarke, the White House
    cyberspace security adviser, has been busy on a computer security
    framework that is to be announced next week and is expected to spell
    out actions that should be taken by government, industry and even
    individuals to safeguard the Internet.

    The fretting and frameworking, however, has not escalated into
    spending. Money spent on security has been flat the last year, with no
    turnaround imminent, said Steve Hunt, a vice president of the Giga
    Information Group, a high-technology analysis company.

    "The security market is not going to benefit in 2002," he said. A
    survey of the customers of Sanctum Inc., a security company in Santa
    Clara, Calif., which said it had extensively interviewed 10 customers
    on the topic, showed that only three had made new Internet security
    moves because of the Sept. 11 attacks.

    Other areas of security, like the disaster preparedness of information
    technology systems, have also come under increased scrutiny since
    Sept. 11. But, as with cybersecurity, little money has been spent. In
    a survey conducted for AT&T, 73 percent of those questioned said their
    companies had reviewed their disaster recovery planning after Sept.
    11, but only one in 10 said business disaster planning had become a
    top priority after the attacks.

    That is not particularly surprising in tight economic times, when most
    information technology spending has focused on incremental
    improvements to current systems, said Art Coviello, the chief
    executive of RSA Data Security, a computer network security company in
    Bedford, Mass. At a conference of chief information officers early
    this year, Mr. Coviello recalled, executives listed the top three
    priorities in 2002 as "cut costs, cut costs and cut costs."

    "The next priority was to make more out of what they had," he said.
    "The next priority after that was security."

    Part of the reason for the lack of action is a growing sense of
    frustration with the task of making computer systems secure, said
    Peter S. Tippett, the chief technology officer of Trusecure, a
    computer security management firm in Herndon, Va. Trying to keep up
    with each individual software patch and vulnerability and apply each
    one to every computer and network has become an all but impossible
    task for many organizations.

    The Computer Emergency Response Team, a federally financed monitoring
    group and information clearinghouse at Carnegie Mellon University,
    identified 2,437 software vulnerabilities in 2001, but fewer than 1
    percent were used in actual attacks. "Why don't we figure out what the
    essential security is?" Mr. Tippett said.

    He suggested that another reason companies had not acted decisively
    could be a growing sense among industry experts that the threat of
    cyberterrorism had been overstated. He noted that although the world's
    computer networks are increasingly tied to critical systems like power
    grids and telecommunications networks, a cyberterrorism episode is
    unlikely to stand alone, or to be devastating in itself. Instead, he
    said, such an attack would probably come in conjunction with physical
    attacks and be meant mainly to sow confusion. He compared such a
    disruption to "a snowstorm on top of an otherwise bad day."

    Still, Mr. Tippett and other security experts agree that the nation's
    computer networks need more effective and extensive shoring up.

    Meanwhile, Bush administration officials argue that despite the lack
    of progress cited by others, great strides have actually been made
    since last September.

    Mr. Clarke, chairman of the president's Critical Infrastructure
    Protection Board, said the real alarm was sounded not on Sept. 11 but
    on Sept. 18. That is when a piece of rogue computer software named
    Nimda spread through Internet-connected computers around the world and
    caused damage that was estimated in the billions of dollars. The
    creator of Nimda, which attacked computers and installed "back doors"
    for subsequent hacker attacks, has never been identified.

    "Sept. 11 made everybody in corporate America think about security,"
    Mr. Clarke said. "Sept. 18 made them think about cybersecurity."

    Since then, he said, software companies have grown far more serious
    about plugging the kinds of vulnerabilities that Nimda exploited.
    Microsoft, for example, shut down its software development efforts for
    nearly two months in a $100 million effort to analyze Windows software
    for bugs and to train its engineers in "trustworthy computing."

    Other major software makers have announced similar efforts to make
    security "not an add-on, but a central thought" in software design,
    Mr. Clarke said. Industries that did not pay much heed to
    cybersecurity before -- Mr. Clarke cited power companies as an example
    -- have "really begun taking security seriously," with widespread use
    of encryption to shield data from prying eyes and authentication
    systems to ensure that only authorized people have access to critical
    system controls.

    And government is "beginning to walk its talk" by shoring up its own
    systems, Mr. Clarke said. The administration's proposed budget for the
    2003 fiscal year calls for $4.2 billion for securing federal networks,
    a 56 percent increase over the current fiscal year. And next week,
    on Sept. 18, Mr. Clarke's team plans to release its action plan for
    safeguarding the Internet.

    But government can only do so much, since most of the networks and
    systems that need to be protected are in private hands, Mr. Clarke
    observed. "The government is not going to secure hospitals and banks
    and railroads -- they have to do it for themselves," he said.

    Mr. Correa's industry group has spent much of the last year trying to
    ensure that the government's responses to the Sept. 11 attacks do not
    do more harm than good. "You're seeing Congress look for what appear
    to be quick fixes and really are not," he said.

    The group opposed, for example, well-intentioned early efforts by
    lawmakers that would have required federal agencies to upgrade
    computer security using very specific technologies obtained through
    strict government procurement guidelines.

    Under early drafts of legislation, for example, the National Institute
    of Standards and Technology was to specify the kinds of antivirus and
    firewall software and hardware that would be used in government
    systems. Mr. Correa's group feared that the specifications would
    quickly become outdated, because antivirus software, for instance,
    must evolve continually to keep pace with new kinds of threats.

    So Mr. Correa's group and others requested -- successfully -- that the
    bills specify only performance goals, like a requirement that any
    firewall software be able to block a certain number of intrusions a
    second, without defining how the software accomplishes that task.

    "You've got to make those security standards performance-based, not
    technology-based," Mr. Correa said, or "they will be outmoded in a

    Mr. Correa's group is also fighting an administration plan to put a
    unit of the Commerce Department that helps set computer security
    standards, the Computer Security Division, into the new Department of
    Homeland Security -- a move that they argue would make that group less
    effective by blurring purely technical issues with military and
    law-enforcement agendas that could end up with worse, not better,

    His group has also tried to pave the way for greater cooperation among
    industries and the government on security issues. Those efforts have
    included legislative proposals for making sure that companies are
    willing to share information with the government by carving out
    exemptions in the Freedom of Information Act for such exchanges, so
    that information given voluntarily to the government about intrusions
    is not made public.

    Mr. Hunt, the Giga Information analyst, sees reasons for optimism. "No
    security vendors are getting richer, and there are a lot of security
    problems yet to be solved," he said.

    But, he added, companies have begun to shift toward viewing security
    as an integrated business function and not merely the province of a
    "little cult in the corner of the I.T. department." In surveys
    conducted more than a year ago, only 30 percent of all companies said
    they had a person responsible for connecting security efforts with the
    actual risks of the business, he said. Now, nearly 90 percent do.

    "This is not a 200 percent improvement in spending," Mr. Hunt said.
    "It is an improvement in quality, meaning the haphazard approach to
    security management of the past -- an approach that left many holes --
    is steadily being replaced by robust processes of detection and

    Even Harris Miller says he is feeling less Sisyphean lately. "While
    there's been much more attention in the private sector, there's a long
    way to go," Mr. Miller said. "But I don't feel the exercise is as
    futile as it was a year ago. Now the need is to get the money spent."

    eric wolbrom, CISSP                     Safe Harbor Technologies
    President & CIO                         190 Goldens Bridge Ct.
    Voice 914.767.9090 ext. 6000            Katonah, NY 10536
    Fax   914.767.3911                              http://www.shtech.net