Cyber security hogwash
I attended a fascinating presentation last month in San Francisco in which Peter Tippett, Chief Technology Officer for Cybertrust, debunked several myths about information technology security, especially as it relates to the Internet. Peter was part of the team that developed the product that eventually became Norton Utilities and anti-virus software, now marketed by Symantec.
Aside from being an engineer, Dr Tippett is also a medical doctor. His presentation was both enlightening and entertaining, and took a largely contrarian view of computer security. Here are a couple of his observations:
ANALOG VS DIGITAL
Most IT professionals are linear thinkers who favor concrete, technology-based security solutions. In reality, the bad guys trying to hack into your systems are humans, and therefore analog. It is much more effective to combat analog attacks with analog solutions. As an example, most IT experts require at least a 6-8 character password that is changed often, which theoretically reduces the chances of a hacker "cracking" into a system. However, with today's criminal tools, cracking a longer password takes only a few added seconds; additionally, crooks usually look first for password master files, which makes the exercise useless. To make matters worse, legitimate users constantly lose track of longer and frequently changed passwords, which costs significant amounts of help-desk time and adds to the security risk through excessive use of crib notes and reissued passwords.
100% SOLUTIONS
As with the analog vs digital argument, IT professionals tend to look for 100% solutions. Aside from the fact that 100% protection is impossible to achieve, these solutions tend to be expensive and take too long to implement. Tippett suggests instead the adoption of a series of 40, 60 and 80% solutions that together will offer nearly 100% protection. These smaller solutions are much easier and simpler to implement. For instance, putting safeguards in place to prevent downloading of ZIP, EXE and similar file types will eliminate more than 80% of likely attacks. However, since left-brain-thinking IT professionals see this as a less than 100% solution, it is often ignored.
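The file-type safeguard mentioned above, sketched as an added example (not from Tippett's talk or the original article): a check that rejects a download by extension and by its leading content bytes, so a renamed file is still caught. The function name `check_download`, the sample files and the extensions beyond ZIP and EXE are assumptions.

```python
# Added example: not from the talk or the original article.
import os

# ".zip" and ".exe" come from the article; the other extensions are an
# assumed reading of "similar file types" and should be tuned per site.
BLOCKED_EXTENSIONS = {".zip", ".exe", ".scr", ".com", ".bat"}

# Leading bytes ("magic numbers") that identify content regardless of name.
MAGIC_SIGNATURES = {
    b"MZ": "Windows executable (MZ header)",
    b"PK\x03\x04": "ZIP archive",
    b"PK\x05\x06": "ZIP archive (empty)",
}


def check_download(filename, head):
    """Return (allowed, reason) for a download given its name and first bytes."""
    # Windows ignores trailing dots and spaces, so "setup.exe. " still runs.
    name = filename.strip().rstrip(". ").lower()
    ext = os.path.splitext(name)[1]
    if ext in BLOCKED_EXTENSIONS:
        return False, f"blocked extension {ext}"
    # A renamed file keeps its header, so inspect content as well as the name.
    for magic, label in MAGIC_SIGNATURES.items():
        if head.startswith(magic):
            return False, f"content is {label} despite name"
    return True, "no blocked type detected"


# Constructed sample downloads: (filename, first bytes of the body).
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n"),
    ("Invoice.PDF.exe", b"MZ\x90\x00"),
    ("holiday.jpg", b"MZ\x90\x00"),          # executable renamed to .jpg
    ("notes.txt", b"PK\x03\x04\x14\x00"),    # archive renamed to .txt
    ("setup.exe. ", b"MZ\x90\x00"),          # trailing dot and space
]

if __name__ == "__main__":
    for fname, head in SAMPLES:
        print(fname, check_download(fname, head))
```

Matching on the ZIP signature also catches Office Open XML documents and JAR files, which are ZIP containers, so a real policy needs an explicit decision on those.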
It was clear from the presentation that the threats and risks are real. The number of attacks on company and personal computers is steadily growing and users should take precautions to prevent intrusion. The trick is to take a few reasonable security measures instead of looking for the most expensive, technology-based solutions.
Since Cybertrust's clients consist of Fortune 500 companies, government and the military, I took the advice seriously.
Chris Crawford
www.justiceserved.com