In The Battle To Protect Computer Systems, Our Shields Are Failing Badly

How much security is enough security, and how much is sheer overreaction?

In this security-sensitive, post-September 11 era, one would think that businesses everywhere couldnt spend enough on protecting their critical computer systems from attack, but actual purchases of security products do not seem to bear this out.

According to Information Security magazine, the September 11 attacks didnt result in an increase in business for security product vendors. In fact, selling cycles for security vendors seem to have lengthened, with potential customers looking more closely at each purchase.

Yet the case for protecting computers and data has never been stronger. Last October, Information Security published results of a survey of 2,545 information security professionals in which an incredible 90% of reporting organizations said they had been infected by viruses, worms, Trojans and other malicious code. This was despite the fact that 88% of those companies had some sort of virus protection in place.

About 12% of the respondents were in banking/financial services, while 3% were in legal/insurance/real estate.

Lets put these results in a different context–say, the bridge of the Starship Enterprise:

Sulu: Captain, Klingon bird of prey de-cloaking off the port bow!

Captain Kirk: Red Alert! Battle Stations! Mr. Chekov, raise shields!

Sulu: The Klingons are powering up their weapons.

Chekov: Shields at 5%.

Kirk: 5%! Push those shields to full strength!

Chekov: Aye, aye kyepten. Shields at 10%.

Sulu: Klingon weapons are locked onto us.

Kirk: 10%! I said full strength!

Chekov: Dat is full strength, sir.

Kirk: Scotty, we need more power to the shields!

Scotty: Sorry capnour dilithium crystals are low. Were waitin for new ones, but theyre hung up wi those lads in Purchasing at Star Fleet.

Sulu: Klingons firing weapons, sir!

Kirk: Scotty, do something! I need more power, now!

Scotty: I canna change the laws of physics!

Kirk: Anyone know how to say “Cant we all just get along?” in Klingonese?

(The ENTERPRISE explodes in a massive thermonuclear fireball.)

This is the situation we find ourselves in with regard to systems protection in an age of massive hacking and cyber-crime. Enemies are lining up to make war on our systems, but our defenses are hardly adequate to rebuff even the weakest attacks.

Certainly, the current economic climate has caused many businesses to be more cautious in their spending. The fact remains, however, that being penny-wise and pound-foolish with regard to systems security could indeed bring about the collapse of businesses–particularly those with a strong Internet presence.

Why would insurance companies, financial services companies, agents and others in this industry bury their figurative heads in the sand when it comes to security? Two thoughts come to mind.

First, theres the traditional reluctance of the insurance industry in particular to embrace technology of any kind. While many in this industry resent that characterization, few would dispute it. In fact, when I first came from the technology sector to start reporting on the insurance industry and told a group of agents that insurance was two years behind the curve on technology, I was interrupted by an audience member who insisted: “No, were five years behind!” I rest my case.

Second, theres a definite feeling among non-IT folks that cyber-crime “cant happen to us.” Indeed, the high-profile hacking incidents have not, for the most part, been in the insurance and financial services industries.

Privately, however, insurers have admitted being the targets of such attacks. They may not be talking about it, but they are hardly immune from the dangers of hacking and cyber-espionage.

And the attacks that affect us need not be aimed directly at our own systems. There was a report last year that a group had hacked into the World Economic Forums Web site and stolen the credit card numbers of Bill Clinton, Bill Gates and Yasser Arafat, among others. As systems become increasingly interconnected across industries, the dangers grow exponentially.

So, apart from the obvious solution of spending more on security initiatives and products, what can we do to raise our shields against attack?

Virus protection, while sometimes effective, is obviously far from adequate when it comes to protecting systems. Such software requires frequent updating, and even then, it is a nearly hopeless task to keep up with the hundreds of new viruses being created every year.

We still recommend the diligent use of virus protection applications, but dont stop there. Firewalls and intrusion detection systems also offer an effective line of defense, with such applications improving in effectiveness over time.

The key, however, lies not with technology, but with better human resources practices. The majority of systems attacks still come from within companies, rather than from external hackers. Disgruntled employees, in particular, represent a significant threat, especially if those employees have access to your system passwords.

Human resources professionals need to be much more careful in checking references and employment histories. Businesses also need to take advantage of software solutions that enable them to track the activities of all authorized users.

Finally, businesses would be well advised to establish solid Internet usage guidelines that, among other things, restrict personal use of functions such as e-mail and instant messaging. Many of the viruses that enter computer systems gain entry via online communications.

Is this kind of attention to security an overreaction? No more so than Star Fleet getting those crystals quickly delivered to the Enterprise.

Theres nothing quite as reassuring as hearing: “Shields at 100%.”


Reproduced from National Underwriter Life & Health/Financial Services Edition, April 15, 2002. Copyright 2002 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.