Las Vegas

While insurers work on adopting data security measures mandated by federal legislation, the threat of security breaches is increasing at an alarming rate, according to a panel of experts.

“Just how bad is it? It’s pretty bad,” stated Andrew L. Briney, editor in chief of Information Security magazine, and moderator of the panel discussion, which was held here at the Comdex Fall 2002 technology exposition.

Briney cited figures showing that security vulnerabilities have risen by 124% over the past two years. Actual virus infections increased by 15% from 2000 to 2001, while some 200 new viruses are seen each month, he added.

He pointed out that in four days, the Melissa Virus caused some $400 million in corporate losses worldwide, and in just five hours, the Love Letter Virus racked up losses between $8 billion and $15 billion. The Code Red Virus, meanwhile, brought down some 520,000 servers and caused $2.6 billion in losses, he said.

According to Gene Hodges, president of Network Associates Inc., based in Santa Clara, Calif., three things one can be sure of are “death, taxes and escalating attack rates.” He also noted that there has been a strong trend toward targeted cyber-attacks that demand a higher skill level.

One problem the panelists pointed to in defending against outside attacks is the high number of security “patches” that software manufacturers send to their customers. According to Bruce Schneier, founder and chief technology officer of Counterpane Systems, based in Minneapolis, there are “20 to 30 security patches per major product per week.”

Panelists pointed out that most companies don’t have the time and resources to keep up with installing the patches and that some patches require system shutdowns. “The notion that we can find stuff and fix it has failed,” said Schneier.

“We need to move to the philosophy that we will never make our networks safe,” he continued. “As a scientist, I can tell you that we have no clue how to write secure code.” He added that all software bugs that become security vulnerabilities are “mistakes.”

“The reason software isn’t secure is because the companies producing it don’t care,” Schneier asserted, eliciting spirited applause from the audience. Microsoft and other software producers, he explained, are judged by the speed of product releases. “If Firestone produces a tire with a systematic flaw, they get sued,” he said. “When Microsoft [produces a flawed product], they don’t.”

“Every software vendor here could do a better job of protection,” Hodges agreed.

According to John Weinschenk, vice president, Enterprise Services Group, for VeriSign Inc., Mountain View, Calif., “The challenge is that the attacks are more and more sophisticated. The best you can do is try to minimize your risk.” He also recommended that companies formulate specific plans to deal with the possible consequences of cyber-attacks.

Briney also pointed out that security concerns are “the number one barrier to the deployment of wireless [technologies].”

“The threat is serious,” agreed Dan MacDonald, vice president, Internet Communications, of Nokia, Tokyo, Japan. Corporations, he said, need to be aware that wireless networks “could be dangerous to their corporations.” The solution, he noted, is strong authentication (making sure a user is who he or she claims to be) and encryption (encoding data so that only authorized persons can read it). “That is best practice these days,” he observed.

Schneier characterized wireless communications as being “robustly insecure,” adding that “the people who designed the [wireless] protocol did a horrible job on security.”

The panel pointed to a widespread trend of individuals bringing their own wireless devices to work and linking into their corporate networks. Among such “rogue” wireless users (those whose links are not set up by the company’s IT department), most are vulnerable to attack, the panelists agreed.

Briney also noted that, in his research, 48% of European companies have said security worries keep them from adopting Web services. Schneier, however, disagreed that such worries will slow Web services growth.

“The key to Web services is making a profit,” Schneier explained. “Web services will be deployed with not-good security, with half-assed security. If you can make more money than you lose, you’ll do it.

“Security is a nice thing to have,” he continued, “but when you’re making money, get that thing out of the way.”

When it comes to spending on security, Weinschenk said that regulated markets (such as insurance and financial services) are spending money on it, “because they have to.”

Briney noted that IT spending devoted to security is showing a 21% compound annual growth rate among all companies, but Schneier argued that “the average company spends more on coffee than on security.”


Reproduced from National Underwriter Life & Health/Financial Services Edition, December 16, 2002. Copyright 2002 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.