A special advertising site produced by the Advertising Department of washingtonpost.com
Welcome to Viewpoint, a live discussion forum on washingtonpost.com. This forum offers washingtonpost.com sponsors a platform to discuss issues, new products, company information and other topics.

Calculating Your Security Risk
Wednesday, December 4, 2002

In today's e-world it's critical to assess the impact of cyber attacks on the corporate bottom line. TruSecure's Dr. Peter Tippett was online to offer advice on ways to calculate the impact and mitigate the risk of cyber attacks. Dr. Tippett talked about how to define and identify the three basic components of information security risk, how to measure them, and quantify the impact they have on your organization; how to discover the sphere of threat within which your organization operates and the impact it has on your cyber security; how to uncover often overlooked "synergistic controls" to reduce vulnerability, and more.

Peter Tippett, M.D., Ph.D., an early innovator in creating Internet security products, is credited with developing one of the first commercial anti-virus products on the market today. As chief technologist for TruSecure Corporation, he is a computer industry leader who specializes in computer security, computer viruses, enterprise computer management, and risk management. Notable achievements in Dr. Tippett's career include authoring one of the most widely accepted theories on the worldwide growth of microcomputer viruses, and serving as one of the world's leading experts on the "I LOVE YOU" virus that broke in May 2000. Through his research, Dr. Tippett also provided key information to the Department of Justice about David Smith, the author of the "Melissa" virus, and advised the Joint Chiefs on cyber warfare during Desert Storm.


Moderator: Welcome to Viewpoint with our guest, Dr. Peter Tippett. Dr. Tippett, we're glad to have you with us. Please get us started with an overview of TruSecure Corporation and the products it provides.

Dr. Peter Tippett: Since 1989, TruSecure Corporation has set the standard for risk mitigation in increasingly complex and interconnected business environments. A global leader in managed security services, TruSecure helps organizations ensure the security of critical business information assets.
Once TruSecure essential practices are successfully implemented and maintained, the customer receives industry-recognized certification, providing them confidence, assurance and guarantee that their mission-critical e-business systems, networks, applications and physical environments are fully protected against “cyberthreats.”

Moderator: What do you consider more important for a company, detailed Internet security policies or a good firewall?

Dr. Peter Tippett: What a company really needs is a program to assure that at least the essential security practices, policies, architectures, configurations, testing, etc., are all in place and working. Focusing on any one or two things is a recipe for disaster. The single most common reason for security breaches is not the lack of focus or the lack of a strong-enough firewall, but the lack of breadth in addressing all aspects of security, including physical, human factors, operational, network, device-technical, policy, etc.

Washington, D.C.: I'm curious to know given your extensive experience to what extent you feel, in general, cyber security threats are from within as opposed to being external.

Dr. Peter Tippett: If you are taking the test (anybody's test) the "right" answer is "Inside risk is bigger than outside risk." This was absolutely true when companies only had an "Inside" (just a mainframe, or not much connectivity ...). The fact is that the "outside" risk (viruses, worms, external hacking, spoofing, etc.) has been growing at about two times per year for the seven years TruSecure has been measuring it while "inside" risk has been growing at only 15 to 20 percent per year over the same period. In terms of dollars of security losses per year, we believe that outside has passed (is larger than) inside for the past year or two. For example, the number of Web sites successfully attacked each day, world-wide, has grown just in 2002 from about 300 per day in January to almost 1,000 per average day as of November.

Moderator: Do you publish a list of best practices on your Web site?

Dr. Peter Tippett: The most sought-after "best practice" document that we publish is called the "TruSecure Anti-virus policy guide" which is available at http://www.TruSecure.com/knowledge/whitepapers/.

It shows that updating anti-virus products more often than monthly (desktop) and weekly (server) doesn't provide much incremental benefit and that real benefit comes from configuring the email gateway to block most attachment types (especially .EXE and .PIF, etc.) and configuring the desktop IE and Outlook (to point to the restricted sites zone, for example). The details are in the document.

Baltimore, Md.: Dr. Tippett: What in your view is the greatest potential threat to a company's information security? What should we be most concerned about?

Dr. Peter Tippett: The biggest threat is, no question about it, the lack of broad, holistic, practical approach to applying security across all aspects of an organization. Most folks focus in on better firewalling, encryption, passwords, etc., and miss out on many of the relatively easy things that can get the majority of real risks covered. We are too focused on security perfection at a given step instead of accepting "good enough" security broadly applied. I have written an article http://www.infosecuritymag.com/2002/feb/columns_executive.shtml that shows how to use relatively simple controls and get them to work together to wind up with great corporate-wide security with the people and products you already have.

Greatest attack? We will have another big worm in the next nine months (like Nimda).

Alexandria, Va.: I run my own site and have a database with thousands of records of personal information. I am concerned about security liability and want to make it as secure as I can afford. How secure do I need to make it to keep people out and to keep from getting sued if it does get hacked? Thanks.

Dr. Peter Tippett: Don't do any of the "absolute don'ts" like:
Don't ever keep the database on the same box as the Web server.
Do make sure you are doing all the essential do's like:
Make sure the Web and the database operating system and applications are up-to-date and configured securely.
Make sure other (not used) services are disabled / uninstalled.
Make sure both your router and firewall are configured for default-deny ...
To deal with liability questions, have someone like TruSecure work with you to both provide rapid, simplified controls, to keep you up-to-date with current issues, and to certify your site. TruSecure Certification is widely accepted as a de facto standard, reducing insurance costs, providing liability mitigation, and improving marketability of your site.

Silver Spring, Md.: I'm reading Kevin Mitnick's new book on the threats of "social engineering." How do I reduce this risk without making my organization less efficient and distrusting of its employees?

Dr. Peter Tippett: Kevin Mitnick has no right to be making money on security issues. He is a master at "social engineering" which means at lying, cheating, manipulating, conniving ... others on a personal level. The way to reduce the risk is to put some synergistic (working together) controls in place that you know will only be 60 to 80 percent effective each, but collectively will bring very good protection. Cameras, user awareness to never, never tell anyone (not even the president) your password or other sensitive information, making sure everyone knows who to call when they suspect a person, certain logging, etc., all can work together effectively.

Leesburg, Va.: Have you seen, or do you expect to see, a significant increase in cyberattacks related to a potential war with Iraq? Or are you even able to identify who is really responsible for particular attacks?

Dr. Peter Tippett: The rate of cyberattacks is already so high (over 1,000 successful external hacks daily, about 80 successful virus encounters per day per 1,000 person company, about 260 new trojans planted daily ...) and is growing so fast that the incremental attacks launched by a few zealots are unlikely to be noticed. The terrorists or Iraqis, or their sympathizers, have access to exactly the same tools (not stronger ones) and exactly the same software, platforms, systems and network connectivity as anyone else. So I wouldn't expect "more severe" or "stronger" or "bolder" attacks than we are already seeing. When the US/China "cyber war" happened last May, only 12 percent of the total attack traffic could be attributed to people claiming to be on one side or another, and of that 12 percent, more than 80 percent were well-known people doing the hacking with the new banner (kind of mercenary but without the bucks): hacktivism by those who would be hacking anyway ...

Washington, D.C.: Doctor, thanks for doing this. Do you find that businesses have paid more attention to their IT security since Sept. 11? Should they be?

Dr. Peter Tippett: September 11 did not increase IT security spending much, but Nimda, three weeks later, did. Boards of directors used 9/11 to ask the question, but the question was mostly directed at physical/evacuation/hotsite/emergency response/etc., not so much cybersecurity. To the extent the question was directed at cybersecurity, most CISOs I spoke with suggested that the appropriate response was to continue to do "good" security ... that is, no change at all for those who thought they were doing a good job anyway.

The economy went down faster than any lift in security spending created by 9/11, leaving the total market either flat or down a bit. (Many start-up and smaller security companies are quite out of business.)

Arlington, Va.: How come a company like Ford Motor Credit doesn't have some type of "checks and balances" in place to detect something like the identity theft ring that was just discovered, and had been going on for three years? What can these large organizations do to stop these types of internal attacks, or at the very least ensure that they're detected much earlier?

Dr. Peter Tippett: There are about a dozen "essential practices" that apply here. People with administrative access to highly confidential or private data need background checks and good reference checks before being hired -- those who steal often did so before, by another means, or have very poor credit or work records ... good monitoring like cameras, logging, big-deal door-locks, etc., along with very visible and frequent discussion/reminders to employees that their actions are being watched/monitored, along with good education to others to watch out for suspicious activity by not only non-employees, but by employees ... and more all add up to a strong set of synergistic controls. It is almost always true that someone "suspected that guy" years before he was discovered. That someone needs to be encouraged to talk. Records can be watermarked, watermarking can be changed depending upon who retrieved the data, bogus records for tracking can be planted in the database ... there are many technical controls, too.

Vienna, Va.: What's the best way for me to determine how much I should budget for my company's security? Thanks for answering.

Dr. Peter Tippett: You should budget enough to do the basics across the board. Typically you can get all the "Essential security practices, policies, architectures, configurations ..." going with the people and products you already have. If you do it right (think TruSecure services), you can probably both improve your security AND reduce your total security spending.

Typical companies spend 3 to 6 percent of their total IT budget on security people, products and processes.

Tysons Corner, Va.: What determines being sufficiently vs. insufficiently secure?

Dr. Peter Tippett: Sufficient security is enough to take care of the 98th percentile of the risk in each category of risk. If you achieve it, you will reduce your likelihood of a security breach by 50-fold. We need to decide to be very happy with a 20 times or 50 times reduction in risk.

We as a society spend far too much time worrying about vulnerabilities and vulnerability testing, and not nearly enough time fixing the easy things that will address the real risks that occur every day. Of the 2,437 new vulnerabilities published in 2001, only about 20 were actually used in any attack against any company anywhere. Likewise, of the 50 or so "critical" patches released by Microsoft in the past year, only 20 or so are worth applying in any company (because the vulnerabilities fixed by the other 30 will never be attacked even in poorly run companies). If you follow a set of essential practices like those produced by TruSecure, you wind up with only two or three of these "critical patches" actually being needed because the essential practices, configurations, architectures ... take care of any potential attacks by other means.

Singapore: In the Asia Pacific region the BS7799 standard is increasingly being adopted, both by individual organizations and as a governmental model. Do you think this standard is an effective one, and do you see it gaining acceptance in North America? Thanks.

Dr. Peter Tippett: Hello, sleepless in Singapore:
BS7799 is a widely recognized security standard that is most adopted in Asia, then Europe, and almost not at all in the U.S. It is highly organized (as are virtually all security standards) around a relatively static view of computer/organizational security. It is relatively good stuff, but is a ton of work compared to the Essential/Synergistic methods we, at TruSecure, promote. Our strategy fills in the gaps by providing continuous, recurrent testing to assure the essential practices are working, by providing alerts and advisories and predictive modelling that deals with emerging risk. In the end, either method will get you to a more secure place as a company. The TruSecure method maps well (and we provide the mapping to all TruSecure customers, to not only BS7799, but also HIPAA, GLB, etc.), but the work of achieving certification under the TruSecure method is typically easier, cheaper, and more pragmatic, and the risk reduction under the TruSecure method is typically larger and more measurable.

Dr. Peter Tippett: Well, we are just about out of time. Thanks for joining us today. As a recap, TruSecure provides a comprehensive suite of services focused on helping organizations continuously and pragmatically manage risk. If you have questions about how we can help you with your company's Internet security, you can email me at the following address: events@trusecure.com. Also, please feel free to browse our Web site at http://www.trusecure.com to keep up-to-date on today’s information security threats. Thank you again.

Moderator: Our thanks to Dr. Peter Tippett, TruSecure Corporation and all who participated.
