CIO

Running on Luck

The evolution of security attacks such as malicious codes and viruses has seen CIOs reassess and change the way they protect their systems.

It's time to make serious strides towards protecting employees, assets, access and the corporate brand.

Use of the internet for core business activities keeps surging - at a time of global unrest, rising computer crime and network independence. Everywhere we look, new technologies are emerging to feed our seemingly relentless appetite for the new; yet every new technology brings with it new security vulnerabilities.

Small wonder a growing number of analysts and computer security experts are urging us to consider whether we might not, one day soon, finally run out of luck.

It is not as if the warning signs have not been there. The distributed denial of service (DDOS) attacks that crippled Internet leaders over recent years cost giants like Yahoo!, eBay and E*Trade millions of dollars in lost revenues, and even brought down one of the UK's largest Internet service providers (ISPs). And each year the situation worsens, with business's growing dependence on Internet security seemingly an irresistible temptation for those with malicious intent. Disruptive Internet agents such as viruses, spyware, hacker attacks, denial-of-service attacks, attacks on e-mail and Web systems as well as company data and applications have continued to grow.

Yet business's growing dependence on the Internet means every point on every value chain now demands 24x7 applications and data at the ready, as the Internet increases demands of seamless information availability and up-to-the-minute data accuracy. When customers cannot obtain service and transact sales because the information cannot be accessed, systems are down and networks are not available, it is not just online sales that suffer. The brand name is diminished, goodwill goes out the window - and if customer data has also been lost, customers will likely never trust that firm again.

So industry observers and pundits like Aberdeen and Gartner are sounding the alarm bell on the tendency for business to remain far too complacent about the very real risks ahead.

Aberdeen Group reveals Internet-based core business disruptions set off by worms and viruses are costing companies an average of nearly $US2 million in lost revenue per incident, compared to an average cost of just $US74,000 per incident to recover systems and networks to resume normal business operations. Such Internet business disruptions do not just hit e-commerce, but retail, wholesale, manufacturing, government, utility, financial, health-care and other industry sectors equally. Aberdeen puts the median annual revenue loss rate between $US6700 for a $US10 million company to $US20.1 million for a Global 5000 company with $US30 billion revenue.

Customer sales and service functions are just the start of it, with the research showing marked increases in the use of the Internet for other core business functions, including procurement, sourcing, distribution and fulfilment. "Increasing usage of the Internet for these core business functions means that business disruptions from Internet security can seriously impact a company's revenue," Aberdeen analyst Jim Hurley says.

Aberdeen reports most businesses are worried that their operations are exposed to Internet-based threats. For instance, 80 percent of survey respondents indicated that they are worried about network outages, 86 percent are worried about Internet security threats, 84 percent are worried about compromised IT systems, 85 percent are worried about compromises to data integrity, and 71 percent are worried about human errors that may lead to Internet business disruptions.

Page Break

Gartner defines a security vulnerability as a weakness in process, administration or technology that can be exploited to compromise IT security, which can exist in any layer of the application stack and be caused by weaknesses in just about every IT administration, process or design function.

"Increasing Internet activity, along with the use of Web services, wireless connections and other new technologies, will lead to more vulnerable configurations. And these vulnerabilities will cause increased downtime for organizations that don't push security concerns into their processes for software development and procurement," warns John Pescatore, Gartner vice president and research fellow.

"Basic changes to the operating systems and hardware platforms used by servers and PCs will make dramatic leaps forward possible in some areas of software security," says Pescatore. "That said, through 2008, IT leaders will need to implement stopgap approaches to deal with new vulnerabilities associated with unsafe customer, employee and business partner platforms."

However, at least at this stage, such fears do not seem to be translating into effective counteraction.

At a time when the pace of technological change is increasing at a double-exponential rate, according to Raymond Kurzweil's essay on the confluence of exponential trends known as the Law of Accelerating Returns, Gartner research director Steve Bittinger says businesses are woefully unprepared for the implications of this dramatic development. Kurzweil's analysis of the history of technology shows that technological change is exponential, contrary to the commonsense "intuitive linear" view.

"So we won't experience 100 years of progress in the 21st century - it will be more like 20,000 years of progress (at today's rate)," he writes. "The 'returns', such as chip speed and cost-effectiveness, also increase exponentially. There's even exponential growth in the rate of exponential growth. Within a few decades, machine intelligence will surpass human intelligence, leading to a milestone known as The Singularity: technological change so rapid and profound it represents a rupture in the fabric of human history."

To Bittinger, the rate of technological advance should be setting alarms ringing across every business in the land. He maintains that many companies have underestimated or poorly understood the problems that are associated with security, particularly since every new technology brings with it a new security vulnerability.

"We have a technologically-based society and technology is zooming ahead faster and faster, and you can turn that around and say: 'Well, what does that say about vulnerability?'," Bittinger says. "We're getting all these new technologies . . . and every one of them brings with it new security vulnerabilities.

"Knowing that that's the state of the world, we can't be reactive. We have to get very serious about understanding what the architecture is that is going to provide us with a greater level of security. We have to actually be proactive in terms of consciously building in security from the beginning," Bittinger says.

The evolution of security attacks such as malicious codes and viruses has seen CIOs reassess and change the way they protect their systems. As the Internet has been such a critical component of many companies' successes, CIOs are starting to realize that to avoid Internet business disruptions, companies need to implement a security system that alerts, protects, responds and manages.

As one observer says: "The role of CIOs has changed from: 'I'm just looking after the gates around the house and making sure no one gets in' to: 'I need to know about neighbourhood robberies, what they are taking and how they are getting in'. This intelligence type of role is becoming more important as attacks become more aggressive and "zero day" attacks start to appear on the horizon. These attacks are defined as a vulnerability that is discovered and exploited so fast that a patch cannot be developed in time.

But while the CIO is a key player - and, for some organizations may be at the nexus of security efforts - it would be a mistake to view IT security as the responsibility of information technology group. "Nothing could be further from the truth," writes M Eric Johnson in the CIO (US) article "Information Security in the Age of the Extended Enterprise".

Johnson, who is professor and director, Centre of Digital Strategies at the Tuck School of Business explains: "During the quality revolution, the firms that found quality breakthroughs were the ones that realized that quality could not be delivered by the quality control department. It had to be part of the organization's culture. Security, like quality, is everyone's responsibility.

"Business managers cannot be passive, waiting for protection from the information security police. Rather information chiefs must articulate the risks, like any risk faced by the business, and as a team, executives must balance the risks. Brad Boston, Cisco's CIO, described how his organization moved from a traffic cop that simply said yes or no to business manager requests to one that helped them make good decisions. 'Our job is to identify the risk. The threat of that risk actually occurring, the probability, and tell what the options are to remediate it. Then a business decision is made about what risks are acceptable and which risks are not.'

"This responsibility resides at every level in the organizations - including the board," Johnson continues. "One CIO complained to me that when he presents updates to his board on new applications their eyes light up. But when he talks about security, he sees them glaze over. Having board members who understand the risks and can help other members see those risks is key to effective information technology governance and to building a culture of security."

Page Break

The Right Type of Profiling

Aberdeen Group recommends organizations determine their Internet profile for customer sales and service, procurement and sourcing, and distribution and fulfilment. Then conduct a revenue loss assessment based on historical data, and identify customers and value chain partners, and the likelihood that their systems and people may cause downtime to their own business operations. It also says organizations should

  • conduct a needs assessment based on business strategy, enablers and available technologies
  • determine best practices from references and available information, and
  • clearly identify a primary strategy for overcoming Internet business disruptions as well as determining and agreeing upon the performance metrics to be used for measuring "improvements" from current practices.

And the research company says all organizations should consider using complementary technology controls to reduce and eliminate revenue loss from Internet business disruptions.

Gartner is urging companies to put pressure on vendors to build more secure software as well as to drive their own IT teams to ensure less vulnerability in in-house software. It says companies should also follow base software architecture on security standards and try to incorporate mechanisms to limit the "attack surface" of applications directly exposed to the Web.

These findings are a part of Gartner's recent strategic planning report: "Building a Sound Security Infrastructure: New Defences for a New World of Threats". The report provides a comprehensive guidance on implementation plans and best practices for developing successful information security strategies.

Bittinger says the real message for organizations is to understand what architecture will provide the greatest level of security. And he reiterates his concerns that security is built in from the beginning. "If you take for instance the basic principle of total quality management, it basically says you get the perfect result because you've created the perfect process. You don't have a bunch of inspectors standing at the end of the line looking to see if there are any flaws in the cars; you try to create the perfect process so you know the perfect car or the perfect product or service is rolling off the end of the production line.

"So we have to focus more upstream, rather than sort of bolting security on at the back end. It has to be absolutely one of the foundation stones of the architecture of business services or products that we're creating." There are positive signs of just that, Bittinger adds. Microsoft is starting to work with Intel very closely on their "Son of Palladium" Trusted Computing Initiative, which is trying to build security in at the deepest levels of the operating system kernel, and the deepest levels of the microprocessors. Many similar initiatives are also on the way.

Bittinger says Gartner has noticed that over the past couple of years it has gained much more serious traction in the IT industry in asking the question: What does a fundamental security architecture look like? Solutions like SAML (the Security Assertion Mark-up Language, an XML-based framework for exchanging security information under development by the OASIS XML-Based Security Services Technical Committee), federated identities, and identity and access management, are the foundations of such a security architecture, he says.

Back Up and Then Back Up Again

Organizations facing damage from Internet business disruptions must also back up their server. Carter Burden, CEO of Logicworks, a New York City-based managed hosting firm, says that companies managing their servers in-house should back up all data on a second site, which may be outsourced to a hosting provider. While not a particularly surprising sentiment given the services his company provides, Burden does go on to say that if an organization uses hosted servers, it is important that any hosting provider trusted with that organization's servers, and consequently all of their data, have backup facilities of their own.

Further, businesses must realize that even backup facilities can fail. For this reason, companies should have a set plan in case even their alternative strategy fails. For instance, Burden says many backup hosting facilities can run on a battery for a half hour or so, or on a diesel generator that can run for days without interruption.

"The biggest lesson that companies must learn is to be diversified in their backup and disaster recovery (DR) strategies," Burden says. "If you have your hosting outsourced, check out that company's DR plan. Choose a provider with independent locations, as city-wide power outages are not uncommon. Never rely entirely on one system - have multiple contingency plans. Even Logicworks, which hosts the servers and data of many large companies, does not rely solely on one strategy. All backups are performed to a separate external location, from where they are then copied to tape and rotated off-site once more by an off-site data protection provider. Consider hot backups, near-line and off-line solutions, and choose the one that is right for you."

Even after all of this preparation, businesses must realize that there still exists a possibility that all of their backup strategies will fail and that they will have to deal with an Internet disruption. The key here is first to get the server and the data available as soon as possible and then deal with the problem that led to the failure in the first place.

The bottom line? Servers will fail and important data can be lost. Be prepared with diverse backup strategies and a disaster recovery plan if even that fails.

Page Break

SIDEBAR: Spreading the Word

Never forget that ever so vital communication strategy

David Hua, producer of the ABC Shop Online ABC Enterprises, says online sales through the shop grew by 41 percent last financial year and are set to grow at an even greater annual rate in future. But it is not just a potential loss of sales during the time the Web site is inaccessible that causes Hua to worry so much about disruptions; it is also "a loss of goodwill and the loss of the brand and the seed loss if the strength of the brand is diminished".

Hua says for the ABC Shop Web site to go down is the equivalent of the ABC's Queen Victoria Building being closed due to vandalism - the ABC simply cannot afford to have someone deface the shop site with the cyber equivalent of spray paint, so it must have the equivalent of cyber security guards front and back with everything locked down. It is not enough to build security into the system behind the scenes, he says, one also must make sure customers know how secure the site is. And when disruptions do occur, Hua believes it is vital to communicate effectively with customers about the reasons why.

"We do all of the regular things, which is to use the most secure encryption system possible and so on, and to reassure our users of that. We're also very aware that a lot of our customers are first time Internet customers who are doing their first online transaction on our site, so we're very clear and upfront about the way in which their information is used. It's not just the fact that we do have all these security systems behind the scenes - we also have to communicate effectively that it is a secure system that they're engaging with."

Hua says perceived security is every bit as important as actual security, and communicating with users about even the briefest disruption is vital.

"Obviously as with any Web site we do regular upgrades. When we upgrade we put up a 'Sorry Page' to say that we're enhancing the Web site and please be patient with us, we'll be back in an hour with something flashier and something nicer for you," Hua says. "If you approach it that way most people are understanding in the same way they are in a bricks and mortar shop if the shop manager has to step out for five minutes and puts out the sign 'Back in five minutes'.

"When we do have issues - and we've only had very minor issues - we're just very upfront about it. If the Web site is a bit slow, then we might put up a message on the front page to say you might be experiencing some slowness at the minute, it's being worked on, or we might mail to our subscribers and say thank you very much for your help and your patience and we'll be back very soon."

SIDSEBAR: The People Paradigm

Bruce Schneier, security technologist and CTO of Counterpane Internet Security, answers questions about computer network defences and sloppy end users

Q: Now that we've moved beyond the "security perimeter" paradigm for security, we seem to be stuck with impossible-to-manage solutions. What is your outlook for relief?

A: I think that the "death of the perimeter" is premature. Perimeter security defences are still valuable, and always will be. It's just that they used to be enough, and now they're not.

The firewall model of network security is based on the castle paradigm. The good guys are on the inside, and you build walls to keep the bad guys out. That worked pretty well when networks were largely self-contained and people worked inside them. Today, things are more complicated. The good guys are regularly on the outside, and the bad guys are inside. Even worse, you want the bad guys on the inside - just not doing bad things. So we have all sorts of solutions: intrusion detection systems, authentication services, VPNs and so on.

Instead of dumping the notion of a perimeter, we need a new paradigm. I think network security is like city security. In a city there are all sorts of perimeters: fences, buildings, rooms. People move in and out of those perimeters, depending on who they are. If you're a shopkeeper, you want everyone to be able to enter the store but only during business hours. And you want only employees to be able to open the door to the stockroom. I think the usability of products is the most critical Internet security problem right now, and I don't see much relief.

Q: Do you think "umbrella" security services - for example, directory services, identity management and user provisioning, single sign-on, transitive trust models - are ready for prime time?

A: Your question points to an interesting paradox in the computer world: Products are never ready for prime time until after they're widely deployed. In other words, it takes a healthy marketplace for a given technology before the problems shake out. Until they're deployed, we don't know what the problems are. We can't fix the technology until we start using it.

So no, I don't think that these services are ready for prime time. But I think we have to deploy them anyway. We need to break them in. We need to watch the bad guys attack them. And slowly, over time, they'll become more robust.

Q: While hardware and software security solutions abound, it seems like users are still the biggest security problem. How do organizations ensure that their people don't violate security?

A: Honestly, they can't. Computers and networks might be difficult to secure, but the biggest security vulnerability is still that link between keyboard and chair. People are sloppy with security; they choose lousy passwords, don't properly delete critical files, and they bypass security policies. They're susceptible to social engineering, and they fall victim to phishing attacks. They misconfigure security hardware and software. They accidentally bring worms and Trojan horses into the network. In short, they're a huge security problem.

Education is part of the solution, but I'm not optimistic about radically changing people's behaviours. I would rather see technology that takes sloppy users into account. For example, there are e-mail encryption programs that automatically secure e-mail: The user doesn't have to remember to do it, and doesn't even have to understand what's going on. Managed security monitoring provides network security even in the face of sloppy users. These types of solutions assume that insecurity - especially user insecurity - is inevitable; they try to maintain security anyway. I don't think there's any other reasonable alternative.

Q: With the advances in technology such as intrusion prevention systems (IPSs), are people becoming obsolete in network security?

A: People are the biggest security problem, and they're also a critical security resource. Even though security products are getting better all the time, attackers are getting more sophisticated. IPS is not any different than intrusion detection systems, or firewalls. They simply don't work without people.

SIDEBAR: Customers Curb Net Enthusiasm

by Jon Surmacz

The Los Angeles Times recently reported that many computer users have begun to curb their use of the Internet because of myriad threats that it presents: identity theft, spam, spyware, viruses and so on. In one extreme case, the Times reports, an avowed technology enthusiast named Stephen Seemayer decided enough was enough. His inbox had become so wrought with spam and his system so choked with spyware that the best solution, in his opinion, was to pull the plug. He's been untethered since September. And he's OK with that.

Although use of the Internet continues to grow across the globe, there are some numbers to suggest that users are increasingly wary of potential threats - especially when it comes to e-commerce. According to Forrester Research, 26 percent of consumers of online financial products say they would rather apply for or purchase products through snail mail or telephone than through the Internet because of phishing concerns. A smaller group (20 percent) says it won't open e-mails that claim they are from a financial provider for the same reason, and 19 percent say they will not enrol in online banking or bill payment because they don't trust the Internet. Furthermore, Harris Interactive reports that growth in e-commerce users has ground to a halt: 27 percent of Internet users conducted a transaction in 2004, up just one percentage point over 2003. (That group grew 20 percent from 2002 to 2003.)

So much for consumer confidence in the Internet.