While insurers work on adopting data security measures mandated by federal legislation, the threat of security breaches is increasing at an alarming rate, according to a panel of experts.
“Just how bad is it? It’s pretty bad,” stated Andrew L. Briney, editor in chief of Information Security magazine, and moderator of the panel discussion, which was held here at the Comdex Fall 2002 technology exposition.
Briney cited figures showing that security vulnerabilities have risen by 124% over the past two years. Actual virus infections increased by 15% from 2000 to 2001, while some 200 new viruses are seen each month, he added.
He pointed out that in four days, the Melissa Virus caused some $400 million in corporate losses worldwide, and in just five hours, the Love Letter Virus racked up losses between $8 billion and $15 billion. The Code Red Virus, meanwhile, brought down some 520,000 servers and caused $2.6 billion in losses, he said.
According to Gene Hodges, president of Network Associates Inc., based in Santa Clara, Calif., three things one can be sure of are “death, taxes and escalating attack rates.” He also noted that there has been a strong trend toward targeted cyber-attacks that demand a higher skill level.
One problem the panelists pointed to in defending against outside attacks is the high number of security “patches” that software manufacturers send to their customers. According to Bruce Schneier, founder and chief technology officer of Counterpane Systems, based in Minneapolis, there are “20 to 30 security patches per major product per week.”
Panelists pointed out that most companies don’t have the time and resources to keep up with installing the patches and that some patches require system shutdowns. “The notion that we can find stuff and fix it has failed,” said Schneier.
“We need to move to the philosophy that we will never make our networks safe,” he continued. “As a scientist, I can tell you that we have no clue how to write secure code.” He added that all software bugs that become security vulnerabilities are “mistakes.”
“The reason software isn’t secure is because the companies producing it don’t care,” Schneier asserted, eliciting spirited applause from the audience. Microsoft and other software producers, he explained, are judged by the speed of product releases. “If Firestone produces a tire with a systematic flaw, they get sued,” he said. “When Microsoft [produces a flawed product], they don’t.”
“Every software vendor here could do a better job of protection,” Hodges agreed.