Winning the battle for computer security
USA Today (Society for the Advancement of Education), Nov, 1997 by David Muckley
The numbers are staggering. In 1996, American corporations spent almost $6,000,000,000 on computer network security, only to lose an estimated $10,000,000,000 from attacks on their systems. Moreover, the latter figure undoubtedly is low as many of the surveyed organizations, although reporting losses, elected to keep their magnitude to themselves.
Even more alarming figures from the 1996 Computer Security Institute/FBI Computer Crime and Security Survey show that 42% of the 428 U.S. companies and institutions participating had experienced unauthorized use of their computer systems within the previous year. Contrary to conventional thought, these "attacks" were not mounted by hackers or by disgruntled or dishonest employees. More than half of the reported incidents were projected to come from American corporate and foreign competitors and foreign government intelligence services.
Changes in the way organizations use technology have increased exposure to misuse, damage, and loss of computer data dramatically. The rapid movement to distributed systems and client/server architecture has complicated greatly the task of securing systems. The mandate to connect to the Internet in order to remain competitive, as well as the need to offer broad access for Internet applications, has caused security issues to expand exponentially, much faster than threat awareness and security solutions are growing.
While many organizations simply are ignorant about the seriousness and variety of computer security issues, others seem impotent to resist. They are overwhelmed by the challenges posed by the myriad combinations of threats to, and the vulnerabilities of, their large, complex networks. Their tendency to resist change is reinforced further by the limited number of well-qualified consulting services and the increasingly large number of inexperienced "experts" rushing into the marketplace to fill the security gap. It takes time to educate security engineers and provide enough field experience to make them effective. After all, an attacker is looking for only a single entry point while the security engineer is trying to find and protect them all.
There also is a great deal of uncertainty about the effectiveness of available safeguards. Competing providers of security services and products add to the confusion. Depending on who offers the definition, "security assessment" might measure compliance with a formal security policy, vulnerabilities of a network operating system, effectiveness of a firewall, or any number of other scenarios.
Five years ago, worldwide telecomputing standards and technology-based companies still were emerging. They were not tested on a broad scale, or even understood by some of the companies now at the forefront of the technology industry. Today, there is a better understanding of Internet usage and security threats, so network security solutions can be pursued aggressively and with confidence.
To understand computer security, it is important to be cognizant of the sources of attack. Two of the four categories of threat reside inside an organization and are called "internal hostile" and "internal non-hostile." A disgruntled employee who has high-level access to critical systems and data represents a hostile threat. Conversely, a satisfied employee with similar high-level access who leaves the workspace for lunch or a meeting without logging out poses a non-hostile threat. Simply, the non-hostile threat is one that is neither intended nor calculated. The other threat categories--"external hostile" and "external non-hostile"--typically are more spectacular. Accordingly, they receive the most media scrutiny and, usually, the most management attention. Outsiders involved in corporate espionage generally are considered hostile, while hackers, intent on gaining publicity just by showing they got in, might be considered non-hostile.
Individuals with desktop computers have more autonomy and computing power than ever before. All of this power is in the hands of users whose experience ranges from novice to super-geek. Users face a vast array of temptations and time wasters. Most have the opportunity to breach security, and some have the motivation to do so. The situation is comparable to the newly licensed teenage driver who has access to the family car; doesn't have to pay for gas, insurance, or car payments; and is faced with the choices of obeying traffic signs and speed limits and whether to drink and drive.
Continuing this automobile analogy, the ratios demonstrated in the following examples may vary slightly from situation to situation, but one thing is certain: Common sense and experience tell us that preventing a loss costs less (often substantially so) than containing or recovering from one. The psychological costs of the loss--insecurity, anxiety, lost productivity--though difficult to quantify, add to the cost.
Prevention ($10). Locking your car and parking it in an attended lot are just two of many inexpensive ways you can try to prevent someone from breaking into the vehicle. It might cost about $10 for parking.


