TECHNOLOGY | July / August 2002
SECURITY COUNSEL
Computer Risk: A top cop of IT systems security is urging companies to look beyond technology. Karen Winton weighs the evidence
By Karen Winton
Despite all the costly technology deployed
to stave off a computer virus attack, the probability of an
infection at any company anywhere is still depressingly high.
Last year at least one of the top ten companies in the Fortune
500 experienced a serious virus intrusion. The Nimda virus
- 'admin' spelled backwards for those non-geeks who may miss
the hacker sarcasm - spread rapidly in September, infecting
giants such as General Electric, Yahoo and Microsoft. General
Electric is believed to have been out of action for three
days.
Such breaches in the walls of company
systems have caused experts to wonder whether the current
philosophy of protection is wrong-headed. Now it turns out
that a high priest of computer security - a former developer
of the ubiquitous Norton anti-virus desktop computer software
- is questioning the tech approach.
"Technology is not the answer," says Peter
Tippett, founder and chief technologist of US-based managed
security services provider TruSecure. Instead, he argues,
technology is only one line of defense in a technique that
combines a checklist of actions to improve company awareness
of risk and ensure vigilance. Tippett's approach smacks of
commendable common sense. Not to be outdone by the geeks,
however, he points out that it conforms to a standard theory
of probability called Bayesian inference. Bayes, an 18th century
theologian, developed a way to understand the likelihood of
an event once new conditions could be applied to a given situation.
Its applicability to security is that system hacking and computer
incursions often involve not one, but a link-up of many failures
to detect risk. Defining the probability of each risk separately
adds nothing to an overall conception of the woes a company
faces.
In this way, risk can be thought of as
a moving target, and with Bayes's model, Tippett attempts
to build the best-possible net as a snare. If one control
or solution is 80 percent effective, then it fails one out
of five times, Tippett points out. Two controls, each 80 percent
effective, together will fail one out of 25 times. Three 80
percent effective controls, operating together, will fail
one out of 125 times. That's a 0.8 percent likelihood of failure,
or a 99.2 percent probability of success. The more effective
controls a company applies to the risk of a computer break-in,
in other words, the less likely it is to occur. It's even
better if the controls represent a coherent, interlocking
discipline.
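The arithmetic Tippett describes assumes each control fails independently, so an attack gets through only when every layer misses it. The following added example (not code from the article or from TruSecure) generalizes that model to controls of differing effectiveness and adds an assumed common-mode term: a share of attacks that no layer in the stack stops at all, such as a worm no signature-based control has seen yet. The `common_mode` parameter and the sample effectiveness values are assumptions for illustration.

```python
"""Layered-control failure model (added example, not from the article).

Each control is assumed to fail independently with probability
(1 - effectiveness), so an attack succeeds only when every layer fails.
The common_mode term is an added assumption: a fraction of attacks bypass
every control at once, which the independence model cannot capture.
"""
from typing import Sequence


def stack_failure_probability(effectiveness: Sequence[float],
                              common_mode: float = 0.0) -> float:
    """Probability that an attack gets past every control in the stack.

    effectiveness: per-control stop rates in [0, 1], e.g. [0.8, 0.8, 0.8].
    common_mode: assumed probability that an attack defeats all controls
                 together; 0.0 reproduces the article's independent model.
    """
    if not 0.0 <= common_mode <= 1.0:
        raise ValueError("common_mode must be in [0, 1]")
    independent = 1.0
    for e in effectiveness:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"effectiveness {e} outside [0, 1]")
        independent *= (1.0 - e)  # this layer misses the attack
    # Mixture: either the attack is a common-mode bypass, or each layer
    # gets an independent chance to stop it.
    return common_mode + (1.0 - common_mode) * independent


def one_in_n(p: float) -> float:
    """Express a failure probability as 'one out of N' attempts."""
    return float("inf") if p == 0 else 1.0 / p


if __name__ == "__main__":
    # Reproduce the article's 80-percent-per-control figures.
    for n in (1, 2, 3):
        p = stack_failure_probability([0.8] * n)
        print(f"{n} control(s) at 80%: fails 1 in {one_in_n(p):.0f}, "
              f"success {100 * (1 - p):.1f}%")
    # Constructed heterogeneous stack: gateway filter, desktop AV, patching.
    p = stack_failure_probability([0.9, 0.8, 0.5])
    print(f"mixed stack: failure {p:.3%}")
    # Same stack, but 2% of attacks are assumed to slip past everything.
    p_cm = stack_failure_probability([0.9, 0.8, 0.5], common_mode=0.02)
    print(f"with 2% common-mode bypass: failure {p_cm:.3%}")
```

The common-mode run shows why the article's closing point matters: three independent layers take the failure rate from 20 percent to under one percent, but if even two percent of attacks defeat all layers together, that shared weakness dominates the result no matter how many controls are stacked.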
Sleeping Better at Night
The method jibes neatly with IT professionals'
experience of their companies' vulnerability. Jayne Radbone,
manager of Nortel Networks' business solutions desk in Australia,
says that the best way to address corporate security is to
have an internal policy that dictates the environment, sets
guidelines for enforcement and support, along with the appropriate
technology. "Strategic security in a company is about the
integration of policy, process, culture and technology for
a comprehensive holistic security," says Radbone.
Liang Tie Hang, vice-president/chief manager,
operations management at NET263, a Beijing-based Internet
services provider, has formalized this approach. Ideally,
he says, security must exist on five levels - network, access,
server, applications and management policy - but managers
don't appreciate the subtleties of countering threats against
each. "A firewall, for example, offers protection only against
one level, and that is access," he explains. "Yet there remains
a misconception that it will protect against all viruses."
NET263 has in place Nokia Internet Centre
security software plus a 24-hour, seven-day-a-week in-house
team of IT specialists ready to pounce on an incursion the
instant it occurs. "It's no good putting faith in a firewall
alone," says Liang. "We must also watch network operations
and make sure someone is there to put into place the right
measures in case of a security breach." He adds: "The 24-hour
watch concept is a crucial aspect of that network security."
Of course, Nokia and TruSecure are not
the industry's sole practitioners of the 24/7 style of computer
security. Vendors such as Symantec, Nortel Networks and McAfee
also offer guidance on installing intrusion detection systems,
firewalls or other specific deliverables plus the physical
hard- and software products. But only TruSecure sells an enterprise
risk management program. The one-year risk assessment consultation
and action plan costs upwards from US$50,000. In comparison,
Symantec's Gateway Security, an all-in-one corporate software
application that sits on a Linux platform, starts at US$20,000
and rises to roughly US$50,000 per implementation, depending
on organizational size and complexity.
The Holistic Approach
Peter Tippett's eclectic background has
proved a good staging ground for the multi-disciplinary approach.
Tippett earned a PhD in Biochemistry and MD in Internal Medicine
at Case Western Reserve University in the US, and studied
for 18 months at Rockefeller University with RB Merrifield
and Stanford Moore, Nobel laureates in chemistry.
TruSecure's operatives start by analyzing
a company's vulnerabilities. They then apply a risk matrix
to estimate the likelihood and cost severity of a breach.
Then they adapt their approach to a company's security priorities.
Keeping these priorities in mind, they oversee the implementation
of 20 recommended virus controls at the desktop level, plus
appropriate controls for email applications, network file
and print servers, email gateways and firewalls. So far, the
biggest takers of the system seem to be the region's banks.
Maybank Singapore, Bank Negara Malaysia and Chinatrust Commercial
Bank of Taiwan have all converted to Tippett's provisos. Banks
in the region are more open to any new effective means of
computer security following years of restructuring and the
rollout of the updated Basle Accords, which focus on many
types of risk.
TruSecure makes the claim that setting
in place controls at the desktop level takes from one to several
days to configure, test and propagate, depending on a company's
size and the complexity of its systems. But the full monty,
so to speak, which involves adjustments in procedure
and changes in employee behavior, can take more than six months.
Real World Rollout
At Bank Central Asia's (BCA) Jakarta,
Indonesia headquarters, TruSecure's entire risk management
program is under implementation in the bank's 795 branches,
following an initial rollout over seven months, which focused
on the bank's Internet banking business. Darius Wanardi, general
manager, IT, says that it wasn't easy to implement the program
from scratch.
To meet the practices that TruSecure required
before bestowing certification took a long time. TruSecure
is a stringent guardian of its certification, which carries
with it a money-back guarantee if its methods fail to prevent
a hacker break-in. "We had to create new security procedures
and policies because we were a new player in the Internet
and had no expertise in that area," says Wanardi.
But the upside is that BCA has experienced
no Internet security breaches since it signed on with TruSecure
in December 2000. Wanardi also says that inter-company awareness
of security has become much better, as has knowledge of security
issues that affect the bank. "We now have a set of standard
procedures and information security policies in place," says
Wanardi. "We have to maintain them to keep our TruSecure certification
valid." He adds: "And, of course, our management now sleeps
well at night."
Karen Winton is a senior writer at
CFO Asia in Hong Kong and executive editor of eCFO.