Speaker: Choose security battles wisely
ORLANDO–Enterprise IT security professionals should use a rifle-shot rather than a shotgun approach to preventing network attacks, because the hacker community is populated with “too many smart people,” who are becoming more clever and sophisticated in their tactics. So said Eric Winsborrow, vice president of product marketing for network security solutions vendor McAfee, today at the Homeland Security for Networked Industries conference here.
“They can’t possibly deal with everything,” Winsborrow said. “But what they can do is better manage the risk.”
He added that companies often spend too much money on their security efforts, creating systems so unwieldy that they are difficult to manage and siphoning resources from other important areas.
“If you keep buying solutions, you end up with a lot of stuff that doesn’t work together, and you quickly come to a point of diminishing returns.”
W. Hord Tipton, chief information officer for the Department of the Interior, who also spoke at the conference, agreed. “The only technology issues that we have are in keeping up with the technology,” he said. “There are almost too many tools. The challenge is to figure out which ones fit best.”
Instead of focusing on tools, Winsborrow suggested that IT security managers pinpoint assets and then prioritize them based on value and vulnerability.
“Risk is a mathematical equation that centers on vulnerabilities, assets and threats,” Winsborrow said. “True risk occurs when all three are at a high level. At some point, they have to do triage on their assets and spend their money on the ones with the greatest risk.”
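The triage Winsborrow describes can be made concrete as a small risk register. The following is an added example written for this page, not code from McAfee or any of the speakers. It assumes a constructed 1-to-5 ordinal scale for each of the three factors (value, vulnerability, threat), a multiplicative risk score so that a low factor anywhere pulls the product down, a “true risk” flag that fires only when all three factors are high, and a constructed per-asset remediation cost so that a fixed budget can be spent on the highest-risk assets first. The inventory is invented sample data.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed scale (assumption: the talk gave no numeric scale). 4 and 5 count as "high".
SCALE_MIN, SCALE_MAX, HIGH = 1, 5, 4


@dataclass(frozen=True)
class Asset:
    name: str
    value: int             # business value of the asset, 1 (low) .. 5 (critical)
    vulnerability: int     # how exposed or weak it is, 1 .. 5
    threat: int            # how actively it is targeted, 1 .. 5
    remediation_cost: int  # constructed: cost to reduce its risk, in arbitrary units


def risk_score(asset: Asset) -> int:
    """Multiplicative risk: value x vulnerability x threat.

    A low score on any single factor keeps the product small, matching the
    point that risk is only 'true' when all three factors are high together.
    """
    for factor in (asset.value, asset.vulnerability, asset.threat):
        if not SCALE_MIN <= factor <= SCALE_MAX:
            raise ValueError(f"{asset.name}: factor {factor} outside {SCALE_MIN}..{SCALE_MAX}")
    return asset.value * asset.vulnerability * asset.threat


def is_true_risk(asset: Asset, high: int = HIGH) -> bool:
    """True only when value, vulnerability AND threat are all at a high level."""
    return min(asset.value, asset.vulnerability, asset.threat) >= high


def triage(assets: List[Asset]) -> List[Asset]:
    """Order assets by descending risk score; ties broken by name for stable output."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


def fund_within_budget(assets: List[Asset], budget: int) -> Tuple[List[str], int]:
    """Greedy spend: walk the triaged list and fund remediation in risk order.

    An asset whose cost exceeds what is left is skipped, and cheaper lower-risk
    assets further down the list may still be funded. Returns the funded names
    and the unspent remainder.
    """
    funded: List[str] = []
    remaining = budget
    for asset in triage(assets):
        if asset.remediation_cost <= remaining:
            funded.append(asset.name)
            remaining -= asset.remediation_cost
    return funded, remaining


# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("customer-db", value=5, vulnerability=4, threat=5, remediation_cost=40),
    Asset("hr-portal", value=4, vulnerability=5, threat=2, remediation_cost=15),
    Asset("dev-wiki", value=2, vulnerability=5, threat=5, remediation_cost=5),
    Asset("payment-gw", value=5, vulnerability=3, threat=4, remediation_cost=30),
    Asset("lobby-kiosk", value=1, vulnerability=5, threat=5, remediation_cost=3),
]


if __name__ == "__main__":
    for asset in triage(INVENTORY):
        flag = "TRUE RISK" if is_true_risk(asset) else ""
        print(f"{asset.name:<12} score={risk_score(asset):>3} cost={asset.remediation_cost:>3} {flag}")
    funded, left = fund_within_budget(INVENTORY, budget=60)
    print("funded:", funded, "unspent:", left)
```

Note that the hr-portal (very vulnerable, valuable, but rarely targeted) and the lobby kiosk (wide open and targeted, but worthless) both score well below the customer database, which is the only asset where all three factors are high. That is the rifle-shot outcome the talk argues for: the budget goes to the one asset that is valuable, exposed and actively targeted before it goes anywhere else.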
A tool that AT&T uses to conduct such assessments for its internal systems will be made available to external customers later this year, according to speaker Roberta Bienfait, AT&T’s vice president of operations. Likening it to Wall Street’s Dow Jones Index, the solution provides analysis of potential cyber security problems, letting the carrier’s IT security managers pick and choose the ones worth addressing. When it comes to cyber security, more information always is better, according to Bienfait.
“It’s all about being proactive, predictive and preventive,” she said. “You can’t be reactive today. You have to have people running ‘what if’ scenarios all the time.”
Hord further suggested that enterprises could improve their cyber security efforts simply by consolidating their systems. Hord has overseen an effort by the DOI—which consists of eight agencies and 70,000 employees that manage facilities over 504 million acres (20% of the U.S. land mass) and control a $16.2 billion annual budget—that has reduced 13 wide area networks to one and 33 internal points of presence to five.
“It’s been a laborious effort,” Hord said. But he quickly added that the effort already is paying dividends. “We’re saving $2 million a year just in operating costs,” he said.
However, Hord added that despite the DOI’s best efforts, the department’s Web sites “are still proliferating.” At one point, DOI agencies maintained 50,000 sites. “It’s impossible to coordinate … in that scenario,” he said.
One type of attack that is increasingly popping up on the radar screens of cyber security professionals is created by software robots—or “botnets”—that are placed on unsuspecting computers and allow hackers, through the use of worms or Trojan horses, to gain control of the device without the user suspecting anything. Botnets currently are used primarily to steal data from enterprises that is then sold to the highest bidder, or to create a network of computers whose capacity is then leased to outside entities. But fear is growing that hackers eventually would use botnets to take down entire systems, said Donald (Andy) Purdy, acting director of the Department of Homeland Security’s National Cyber Security Division, also speaking at the conference.
“They’re getting into systems, and people aren’t noticing,” he said. “There is a false sense of security. You have to assume that they’re stealing your data every day.”
Purdy added that enterprises must become cognizant of the fact that hackers “can do harm when and where they want to.”
The key to mitigating such attacks, or at least lessening their severity, is preparedness. But cost-conscious executives often don’t provide cyber security professionals with enough resources to fight the battle, Purdy said. Consequently, he suggested that lawmakers hold CEOs accountable for sensitive data pirated from their company’s information systems, just as they did in 2002 when they passed the Sarbanes-Oxley Act, which allows criminal and civil penalties for inaccurate financial disclosure statements, in the wake of the WorldCom and Enron scandals.
“If they’re held responsible, it might create a new dimension to get more resources in the right places,” Purdy said.