Impenetrable defenses are a costly, illusory objective, so securing your enterprise should strike a balance between protecting corporate assets and breaking the bank.

A martial arts teacher tells students, “You’re going to get hit.” They learn that although being hit isn’t much fun, the fear of being hit is far more crippling. Once a beginner student excitedly threw an elbow and caught the instructor under the jaw — a perfect strike. The teacher unashamedly relates that episode, dissecting what he did wrong and what the novice did right to put him on his backside. Despite being shown by an expert precisely how it was done, no student has ever duplicated that success.

IT leaders should approach security with similar acceptance and openness. But the 2002 InfoWorld IT Security Survey of almost 600 IT leaders reveals that the IT community overly worries about a broad spectrum of attacks, even though the odds of suffering damage by most of them are slim. Also, too many companies overspend on security; their yearly expenditures outpace potential damages by an astonishing margin. The average cost-to-risk ratio reported in the survey is 18-to-1.

There is too much spending and there are too many successful attacks because a large contingent of the IT community — 38 percent of survey respondents — refuses to share its hard-won security knowledge. The necessary technology — security hardware, software, and services — exists and is constantly improving, so what IT needs is a better-considered, more realistic application of these tools based on collective wisdom. If IT leaders banded together, they could develop a consensus on which attacks are worth preventing and which countermeasures work best. As it stands, what should be a sturdy defensive wall is missing every third brick, and those holes can’t be spackled with money.

The endless onslaught of urgent security alerts can leave you numb, making it difficult to discern the realistic threats from hackers’ harmless experiments.
Or it could send you into a frenzied search to match every fresh exploit with a specific countermeasure, expense be damned. We expected the IT Security Survey to tell us that IT leaders are in denial about their level of exposure. Instead, we found symptoms of panic and overreaction. Out of 18 listed types of attacks, only two — viruses and worms — penetrate respondents’ networks with significant frequency. But 12 varieties of attacks provoke serious concern among at least 45 percent of respondents. Most attacks, such as DDoS (distributed denial of service) and transaction theft, inflict measurable damage so rarely that it’s folly to deploy specific defenses for them.

Not every attack can be prevented, yet IT staffs try. On average, respondents’ companies plan to spend $3.6 million on security products and services during the next year, whereas the average cost of security breaches in the past 12 months was $193,000. Some companies are paying many times more for insurance than they’re likely to suffer in losses. It’s cheaper and less stressful to design a resilient network that blocks everything it reasonably can and quickly contains and recovers from successful attacks.

New technologies expose fresh vulnerabilities, and those risks should be weighed against the technologies’ benefits. To paraphrase an oft-quoted line from the war on terror, if you let security fears slow your efforts to modernize IT operations, the bad guys win. In some shops, they are winning. According to the survey, 24 percent of IT leaders are delaying the deployment of Web services because of security concerns, and 18 percent are holding back on wireless networks for security reasons. Most new services can be adequately protected by adjusting your current security infrastructure. Fear-mongering pundits sneer at the impotence of existing security measures. But hackers haven’t driven commerce off the Internet yet, so these measures, though uninspiring, are working well enough.
The firewall, router, VPN, and anti-virus products made by vendors such as Symantec, Cisco, McAfee, and Check Point Software top respondents’ list of favored solutions: 85 percent of respondents are using firewalls, IP VPNs, or both; 65 percent of firewall/VPN users are getting these capabilities from their routers. And just one respondent out of 597 reported not using an anti-virus solution. These tried-and-true technologies don’t engender much excitement, but they’re affordable and stop the vast majority of attempted attacks; 57 percent of respondents are planning to buy new firewalls, IP VPNs, or both in the next year.

If you’ve taken all the common-sense steps but feel they’re not enough, consider these new approaches. According to the survey, two emerging solutions have joined the old favorites: the IDS (intrusion detection system) and security services.

The IDS, already deployed by 48 percent of respondents and in the planning phase of 26 percent, is like a hyperactive firewall. It examines the details of network connection attempts, looking for patterns associated with attacks. The IDS is a worthwhile step up from firewalls, but it’s not perfect yet. For example, a misconfigured router at a partner’s site can scare your IDS into shutting down a critical connection. IDSes will get more discerning, but sharing attack details with the vendor and with other users of your IDS solution is essential.

Security services are rising in popularity, mostly in niches. The majority of IT leaders outsource discrete elements of their security plan, such as VPNs (55 percent of respondents) or PKI (34 percent). Also, 37 percent use outside consulting and training to augment their security knowledge.

To keep up with security technology, buy smart, not often. Invest in expandable, multipurpose platforms that can handle a combination of routing, firewall, VPN, IDS, and content filtering. Your network will get hit sometimes.
But the low average damage costs and limited variety of successful attacks show that serious harm is rare. Counsel management that security costs and risks must be balanced with larger IT objectives. Security
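The IDS failure mode described above, where a partner's misconfigured router trips an automated shutdown of a critical link, is best guarded against at the response stage rather than by loosening detection. This added Python example, which is not from the article or any product it names, flags sources that touch many distinct ports within a short window and then keeps the block decision separate from the alert for allowlisted partners; the connection records and the partner allowlist are constructed for illustration.

```python
from collections import defaultdict

# Constructed connection-attempt records: (timestamp_seconds, src_ip, dst_port).
# 10.0.0.5 plays a partner router that retries across many ports after a
# misconfiguration; 203.0.113.9 shows the same pattern from an unknown source.
SAMPLE_EVENTS = [
    (0, "10.0.0.5", 22), (1, "10.0.0.5", 23), (2, "10.0.0.5", 25), (3, "10.0.0.5", 80),
    (4, "10.0.0.5", 110), (5, "10.0.0.5", 143), (6, "10.0.0.5", 443), (7, "10.0.0.5", 3389),
    (0, "203.0.113.9", 22), (1, "203.0.113.9", 23), (2, "203.0.113.9", 25), (3, "203.0.113.9", 80),
    (4, "203.0.113.9", 110), (5, "203.0.113.9", 143), (6, "203.0.113.9", 443), (7, "203.0.113.9", 3389),
    (0, "198.51.100.4", 443), (30, "198.51.100.4", 443),  # ordinary repeat visitor
]

# Hypothetical allowlist of partner addresses whose links must never be cut automatically.
CRITICAL_PARTNERS = {"10.0.0.5"}


def detect_probes(events, window_s=10, port_threshold=6):
    """Flag sources that reach at least port_threshold distinct ports inside a
    sliding window of window_s seconds. Returns {src_ip: peak_distinct_ports}."""
    recent = defaultdict(list)   # src_ip -> [(ts, port), ...] still inside the window
    flagged = {}
    for ts, src, port in sorted(events):
        # Expire entries older than the window before counting.
        recent[src] = [(t, p) for t, p in recent[src] if ts - t <= window_s]
        recent[src].append((ts, port))
        distinct_ports = {p for _, p in recent[src]}
        if len(distinct_ports) >= port_threshold:
            flagged[src] = max(flagged.get(src, 0), len(distinct_ports))
    return flagged


def decide_responses(flagged, critical=CRITICAL_PARTNERS):
    """Separate detection from response: unknown sources are blocked, but a
    flagged critical partner only raises an alert for a human to review."""
    return {src: ("alert-only" if src in critical else "block") for src in flagged}


if __name__ == "__main__":
    hits = detect_probes(SAMPLE_EVENTS)
    for src, action in decide_responses(hits).items():
        print(f"{src}: {hits[src]} distinct ports in window -> {action}")
```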