In light of recent high-profile attacks from viruses such as MyDoom, TruSecure’s chief technologist, Peter Tippett, has some refreshing advice to IT managers charged with securing the enterprise: focus more on general risks not specific vulnerabilities. IDG senior analyst, Wayne Rash, spoke to Tippett about the security maze and challenges facing IT today.
What would you say is the single most difficult security problem facing the enterprise today?
Peter Tippett (PT): I would say not chasing vulnerabilities, to put it in the negative. Probably the single most important thing that computer security people mess up on is following the pack, and the thing that’s the hardest thing to do proactively is thinking in risk terms instead of vulnerability terms. Acting in risk terms would mean finding the easiest, cheapest, simplest things to do in your company — whether they’re physical things or network things or policy things or configuration or whatever — that will stop the top 10 problems from happening in your company. And then after the top 10 problems are solved, you can go ahead and worry about the next 10. Instead, we tend to focus on the next vulnerability that comes along; last year we had 4000 new ones to focus on and the year before we had 4000, and the year before that we had 2000, and so on.
You’re talking about not focusing on specific vulnerabilities, but rather on general risks. How would you place the recent, more sophisticated worms in that scenario?
PT: The technologies and processes to make it so that your company wouldn’t get Blaster and Slammer and SoBig and MyDoom were all discovered and could have been implemented years ago. We’ve got a guide called The TruSecure Antivirus Policy Guide that works to reduce risk for all of those by an average of more than 30-fold, and you didn’t need to have your antivirus up to date to be protected against those things. Good antivirus is important, but blocking executables is more important, and configuring your desktop to not respond in certain ways is important, and having policies is important. It is far more powerful to have a dozen things, each of which work poorly against the problem, than to try and have one or two things that work well against the problem. We are very focused on having a better firewall or a better antivirus or a better IPS or a better something, and it’s much stronger in a company to have three or five or 12 layers — each of which is only 50, 60, or 80 per cent effective — and have them work together so the collective effectiveness against any given problem is 99 or 99.9 (per cent) or whatever it needs to be.
What is the first thing that a CTO or IT manager ought to be looking at doing for an existing enterprise network?
PT: There are several things that are very powerful that very few people do. The one in the past two or three years that is most powerful for hacking and (malicious) code is to put default-deny rules on routers. That’s a technology thing that just doesn’t happen. When we did a study in the summer, only 8 per cent of border routers had default-deny as a strategy rule set inbound. And less than 2 per cent had default-deny as a rule set outbound. Doing those is incredibly effective. It’s between a three- and a five-fold incremental reduction of risk for mal code and hacking, independent of what you’re doing on your firewall or policies or other sort of protective layers. The most generic thing that people need to do is take a risk-based approach. We ought to ask, what are the real problems that we’re having? What are the real problems that other people are having? And what are the fewest possible things we can do with the people and products we’ve got to reduce them significantly?
How important are management, training, and so forth to the overall security solution?
PT: The interesting thing about doing good security at the corporate level is that managing and policies and practices and technology are all roughly equally important. We can say, “Geez, I have a policy that people shouldn’t double-click on attachments that they didn’t expect, and 10 or 20 per cent of them are going to do it anyway; therefore, it’s useless.” Well, the fact that 80 or 90 per cent follow your policy makes it 80 or 90 per cent useful. And if you get other things to work 80 or 90 percent, they work together synergistically. You know, two 80s get you a 96 (per cent effective) in combination. Three 80s get you a 99. Technologists are not particularly comfortable with management-style controls because they’re not perfect. They’re not perceived as something that’s very, very effective and therefore they’re (seen as) useless. We need to get over that. They are, in fact, quite useful. Reducing risk by five-fold is very useful. If you have a single control that reduces risk by five-fold, you’ve got an excellent control.
What are the risks that IT manager’s are most likely to encounter?
PT: External attacks are both more frequent and more costly in aggregate than internal attacks for the past two years. So mal code and hacking and defacement and things of that ilk are slightly more likely than internal employee abuse and whatnot. But employee abuse and insider attacks and (former) employees’ attacks are still worth 30 or 40 per cent of all attacks, in terms of dollars lost per year for an average organisation. Therefore, they’re still incredibly important.
I’ve heard from other sources that disgruntled employees, crooked employees, and so forth, actually create more damage per incident than hackers.
PT: Yes, that’s right. Mal code attacks tend to be $US100,000-$200,000 per significant event per thousand-employee company. Hacking attacks are maybe slightly more than that, $US200,000-$300,000 against Web servers. If they’re against other kinds of devices, they approach a million dollars. Employee attacks tend to be well over a million dollars in losses, if you average them (per) company. But they happen less often. The successful internal employee attacks are more expensive but less frequent than mal code and hacking attacks.
Is this because the employees know where to look and what to find?
PT: It’s because they’ve got insider information. It’s because they’ve got many more places to go. It’s because they know what levers will hurt the companies the most. Employee attacks are the ones that can bring down the whole company, whereas outsider attacks are not as likely to do that. (Outsider attacks) cost real money and real damages, but they’re not as likely to bring down the whole company.
Where would a company start in trying to protect itself against employees who would do damage?
PT: The same way you start for all the rest of the risks that you need to worry about. You identify the significant issues and I would suggest, being a company that helps companies do this, that you have an outsider help you figure those out. The top 10 likely problems for almost any company are the same — #9 might swap for #11. Fixing the top 10 problems that are likely to be an issue for any company is a great place to start. And using a company like TruSecure to help you can reduce your cost and your effort in getting it right.
What you’re telling us, really, is that there is no single, perfect technology that’s going to overcome these security problems?
PT: For inside attacks, what we call physical and human factors attacks, we can routinely get between five- and seven-fold reduction of risk in companies. TruSecure has about 600-700 corporations that use our risk management program and we routinely measure between five- and seven-fold reduction in companies that use that program for inside and human and physical attacks compared to people who don’t use the program. For electronic and mal code attacks, such as hacking and viruses and worms and things, we routinely get between 20- and 60-fold reductions of risk for companies. The more electronic the attacks, the more reduction percentages that we can get; the tools to achieve risk reduction against employees (attacks) aren’t as crisp. If they’re there, cameras and policies and practices and procedures and locks on doors and some training and things like that all reduce insider attacks by a significant margin.
If you had to give one piece of advice to the people out there who are trying to protect their enterprise, what would that one piece of advice be?
PT: Don’t use the word “vulnerability” for the next year and still get your job done.