Las Vegas

While more and more companies are conscious of the need to secure their data and computer systems from attack, many still remain out of touch with the dangers such attacks present, according to experts on a security panel held here during the recent Comdex 2003 Global Technology Marketplace.

According to Christian Byrnes, vice president and service director for the Stamford, Conn.-based META Group, 5 years ago, only 20% of his companys client base was “well secured.” Today, he said, that figure is 40%, with another 20% investing and growing their security programs.

The remaining 40% of META clients, however, “have not woken up yet” to the need for security, Byrnes said.

He asserted that “30% of security is technology,” such as monitoring software but that the remainder rests on human factors and accurate risk assessment. As a result, companies need to focus on establishing security policies, creating processes to protect the most valuable assets and acquiring the technology necessary to protect critical assets.

“Sixty to 70% of organizations worldwide are doing the wrong things security-wise,” he stated. He noted that companies are looking to automate security processes but not paying enough attention to human factors and attitudes. “Your worst enemy is a CIO who doesnt understand that security is a necessary investment,” he said.

However, according to Ben Golub, senior vice president, security, payments and managed security services for Mountain View, Calif.-based VeriSign, attacks on computer systems nearly doubled last year despite $12.6 billion being spent on security. VeriSign is a provider of digital commerce and communication products and services.

Golub recommended that companies manage their security programs the same as they would financial risk, based on risk vs. return. He also advocated bringing in an outside consultant to get an objective view of a companys security capabilities and vulnerabilities.

While some of the high profile virus problems that have surfaced recently have been linked to vulnerabilities in Microsoft software and the Windows operating system, Carl Elison, senior security architect for Redmond, Wash.-based Microsoft, said, “This is not just a Microsoft problem.”

He conceded that Microsoft is “good at producing cool stuff” but noted that “security isnt cool.” He pointed to the commitment (only a day earlier) of Bill Gates, Microsofts chairman and chief software architect, to make security the No. 1 priority at Microsoft. He also noted that Microsoft is developing schedules that will allow software users to keep their patches up to date. The patches would be sent in large “bundles,” thereby requiring less frequent updates, which has less impact on the company.

Elison also noted that many worms are produced after the patch is released by hackers who study the patch then make the worm. A worm is a virus that replicates itself by sending itself out to other computers, using the computer systems of its victims.

Golub pointed out, however, that even when such a patch is applied, “there is a level of risk that it may not work well with your systems. He also noted that even with todays firewall technology, companies “cant stop everything” when it comes to attacks. He cited users who take company laptops home and connect to the Internet there as one common security risk. The solution, he suggested, lies in authenticating the identity of users both inside and outside the company.

Bruce Schneier, CTO and founder of Counterpane Internet Security, Cupertino, Calif., said that the more software is “examined” by software engineers or others, the more secure it is. One way this can happen is via “open source,” that is, making source code of a program freely available to the development community.

Elison noted, however, that open source carries its own security risks, in that the software code also can be examined by potential attackers.


Reproduced from National Underwriter Life & Health/Financial Services Edition, January 2, 2004. Copyright 2004 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.