What do you think of when you hear the words "hacker" and "virus"? If you're thinking of cold and flu season, perhaps it's time to brush up on your information security measures. And there's a lot to learn. In his new book, Digital Defense: What You Should Know About Protecting Your Company's Assets, Thomas J. Parenty introduces new principles for developing and implementing corporate security strategies.
Parenty, an expert on information security issues, recently participated in this e-mail Q&A with HBS Working Knowledge's Wendy Guild Swearingen.
Wendy Guild Swearingen: The recent Sobig and Blaster Worm viruses have been a real information security wake-up call, and we can be fairly certain that we have not seen the last of these sorts of viruses. What is your advice to business managers who want to keep from being compromised by these intruders?
Thomas J. Parenty: A lack of information, not a lack of security technology, is the reason viruses and worms have caused as much damage as they have. Anti-virus software and security updates are prudent and effective measures that both enterprises and individuals can use to greatly reduce their vulnerability to these attacks. I'll briefly explain how viruses attack and then discuss how these security technologies fight back.
Viruses, worms, and other hacker techniques such as SQL Poisoning exploit programming mistakes that leave computer programs open to attack. The most common mistake programmers make is not verifying that the data a user or another program enters "looks" correct. For example, they don't check if a person's last name is 5,000 characters long or includes characters such as "$," "*," or "/." By using well-crafted and unexpected input, viruses can fool computer programs into running the virus's malicious instructions and cause the damage that so many people experience.
When a new virus is detected on the Internet, anti-virus companies around the world analyze it and develop signatures or definitions of the virus that their products can then use to detect and disable the new virus. Relatively speaking this takes a short period of time.
However, a company or individual that needs to be protected from the new virus has to get the new virus definition. To do this easily, they should configure their anti-virus software to check at least daily for new virus definitions and automatically download them when they are available. For companies with enterprise anti-virus products, new virus definitions can then be pushed to all of their company computers. In addition, companies should configure their anti-virus software to protect all e-mail accounts employees use, not just the official ones; and to protect against viruses that may inadvertently be downloaded from Websites.
Equally important, but more difficult in real life, is that companies should apply the security updates that fix the programming errors that allow viruses to attack in the first place. Most big virus attacks happen after a software vendor releases the security update that prevents the attack. This is because security updates have traditionally included details on how to exploit the vulnerability; and this information makes the virus writer's task much easier. The security update to prevent Blaster, for example, was available months before Blaster hit the Internet.
There are two primary reasons why keeping up with security updates is difficult for companies. The first is that there are just too many of them. The second is that making any changes to production software, including security updates, runs the risk of damaging business-critical applications. To address the first difficulty, companies can do some up-front work to make sure their software vendors notify them when security updates are available; and they can subscribe to third-party mailing lists, such as Bugtraq, that cover vulnerabilities in a wide variety of programs. These information-gathering tasks can be outsourced to a variety of security service providers, as well. With this information, a company is in a position to prioritize the security updates it will install.
To reduce the risk that comes from making any changes to its applications, companies should follow the same testing procedures they use when installing any new software, such as the latest version of a database management system (DBMS). Of course, companies need to make the decision to spend the time and money to do this testing.
The long-term solution for preventing viruses and worms is for software vendors and their programmers to be more careful in the first place and to adopt an attitude of "expect the unexpected." As much as I might hope that anti-virus companies will have to find new businesses to go into, I'm not holding my breath. Good programming practices that could, among other things, prevent virus attacks were well known before I got into the field twenty years ago.
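The programming mistake described in the answer above, not checking that input "looks" correct before a program acts on it, can be shown in a few lines. The following is an added example, not code from the interview or from the book: a validator for a last-name field that enforces a length limit and a character allow-list, beside a naive query that pastes the value into SQL text and a safe one that validates and then binds it as a parameter. The table, the limits and the sample names are constructed assumptions.

```python
"""Added example (not from the interview or the book): validating a
'last name' field and querying a database with a bound parameter, so that
unexpected input is rejected or treated as data rather than as code.
The table layout, limits and sample names are constructed for illustration."""
import re
import sqlite3

# Assumed policy: 1..64 characters, letters plus space, apostrophe and hyphen.
MAX_NAME_LEN = 64
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z' -]*$")


def validate_last_name(value):
    """Return (ok, reason). Reject input that does not 'look' like a name."""
    if not isinstance(value, str):
        return False, "not a string"
    if not (1 <= len(value) <= MAX_NAME_LEN):
        return False, "length %d outside 1..%d" % (len(value), MAX_NAME_LEN)
    if not NAME_PATTERN.match(value):
        return False, "contains characters outside the name allow-list"
    return True, "ok"


def build_customer_db():
    """Constructed in-memory table standing in for a real customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, last_name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [(1, "Parenty"), (2, "O'Brien"), (3, "Smith")])
    return conn


def find_customers_naive(conn, last_name):
    """The mistake: the value is pasted into the query text, so a character
    such as the apostrophe in a legitimate name is read as SQL syntax."""
    sql = "SELECT id FROM customers WHERE last_name = '%s'" % last_name
    return [row[0] for row in conn.execute(sql)]


def find_customers_safe(conn, last_name):
    """Validate first, then bind the value so the database treats it as data."""
    ok, reason = validate_last_name(last_name)
    if not ok:
        raise ValueError("rejected last name: " + reason)
    rows = conn.execute("SELECT id FROM customers WHERE last_name = ?",
                        (last_name,))
    return [row[0] for row in rows]


def demo():
    """Run both lookups on the same inputs and report what each one did."""
    conn = build_customer_db()
    try:
        find_customers_naive(conn, "O'Brien")
        naive_fails = False
    except sqlite3.Error:          # the apostrophe breaks the naive query
        naive_fails = True
    return {
        "naive_fails_on_apostrophe": naive_fails,
        "safe_finds_obrien": find_customers_safe(conn, "O'Brien"),
        "long_name_rejected": not validate_last_name("x" * 5000)[0],
        "symbols_rejected": not validate_last_name("Smith$")[0],
    }


if __name__ == "__main__":
    print(demo())
```

Note that the naive version fails on an ordinary customer named O'Brien, not only on hostile input: the same mistake that makes a program attackable also makes it unreliable, which is why the fix (reject what does not fit, and pass what remains as a parameter) is a correctness measure as much as a security one.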
Q: You make an interesting point in your book that once a company defines its information assets, it should turn its attention to who can access the information versus who should be able to access it. Can you talk a little about the first steps and required perspectives for determining access?
A: The rule companies should follow is simple: "Only give people access to the information they need to do their jobs." Of course, figuring out how to follow this rule is where the difficulty comes in.
There are a few reasons for this difficulty and the first one is that most organizations don't have a clear idea of what information their employees need to perform their respective tasks. Since the task of identifying the individual files and commands each employee needs to perform his tasks can be daunting, I suggest an approach that looks at existing collections of information. Customer relationship management (CRM) and DBMS applications are two examples of existing information collections. All of the files on a particular computer or within a particular directory folder on a computer are two other examples.
Companies should review who has access to each of these information collections, what specific information they can get to, and remove access permissions, as appropriate. This is not nearly as daunting a task as it might at first seem because this review process should be distributed across the entire organization. The business unit(s) responsible for each information collection understand the value of their information and who needs to use it, and so are in the best position to make these access policy decisions.
Enterprises that use or are planning on using content management systems (CMS) can get an unexpected security benefit. The pre-CMS deployment analysis of the information that users and user populations need helps provide a clear answer to the question of who should access what.
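The review described in the answer above, comparing who can reach each information collection with who needs to, can be automated once the owning business unit has written down which roles need which collection. The following is an added example, not code from the interview or from the book: the collections, roles, users and current grants are constructed sample data, and the dictionary layout is an assumption about how such a review might be recorded, not a description of any real system.

```python
"""Added example (not from the interview or the book): an access review that
compares who *can* reach each information collection with who *should*, and
produces a per-business-unit list of permissions to remove. Collections,
roles, users and grants are constructed sample data."""
from collections import defaultdict

# Constructed: for each collection, the owning unit and the roles it has
# approved under "only the information they need to do their jobs".
NEED_TO_KNOW = {
    "crm_db":        {"owner": "sales",   "roles": {"sales_rep", "sales_mgr"}},
    "payroll_share": {"owner": "finance", "roles": {"payroll_clerk", "finance_mgr"}},
    "hr_records":    {"owner": "hr",      "roles": {"hr_partner"}},
}

# Constructed: the roles each employee currently holds.
USER_ROLES = {
    "alice": {"sales_rep"},
    "bob":   {"payroll_clerk"},
    "carol": {"hr_partner", "sales_mgr"},
    "dave":  set(),                      # left the sales team; roles revoked
}

# Constructed: grants as pulled from the systems today (collection -> users).
CURRENT_GRANTS = {
    "crm_db":        {"alice", "carol", "dave", "bob"},
    "payroll_share": {"bob", "carol"},
    "hr_records":    {"carol", "alice"},
}


def allowed_users(collection):
    """Users holding at least one role the collection's owner approved."""
    roles = NEED_TO_KNOW[collection]["roles"]
    return {u for u, r in USER_ROLES.items() if r & roles}


def review_access(grants=CURRENT_GRANTS):
    """Return, per collection, the current grants that exceed need-to-know."""
    findings = {}
    for collection, users in grants.items():
        excess = users - allowed_users(collection)
        if excess:
            findings[collection] = {
                "owner": NEED_TO_KNOW[collection]["owner"],
                "remove": sorted(excess),
            }
    return findings


def worklist_by_owner(findings):
    """Group removals by owning unit, so each unit decides about its own data."""
    by_owner = defaultdict(dict)
    for collection, f in findings.items():
        by_owner[f["owner"]][collection] = f["remove"]
    return dict(by_owner)


if __name__ == "__main__":
    for owner, items in worklist_by_owner(review_access()).items():
        print(owner, items)
```

The output is grouped by owner on purpose: the answer's point is that the review scales because each business unit judges its own collection, so the script hands each unit only the excess grants it is responsible for deciding on.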
Q: The topic of identity theft has been all over the news lately. How easy is it, really, for a person to "steal" someone else's identity? And how can businesspeople know if the person with whom they are conducting business is legitimate?
A: When thinking about identity theft, it's useful to keep in mind that it's only necessary to steal part of someone's identity to do damage. For example, an identity thief doesn't need to get a passport in a victim's name in order to make purchases with a credit card he acquired using the victim's name. The effort to steal part of someone's identity can be quite easy and businesses are often unwittingly helping the thieves by the very security measures they use to authenticate their customers.
Businesses, such as banks, credit card companies, and department stores, need some way of assuring themselves that their customers are really who they say they are in order to conduct various types of transactions. This is true whether a customer is physically present, calling on the telephone, or communicating through the Internet. A common approach to solving this problem, especially in the telephone and Internet situations, is to identify users by their account numbers and then have users provide some secret information to prove or authenticate that they are the real owners of their accounts. In general, this is a good approach.
Unfortunately, many companies have customers authenticate themselves with information, such as a social security number or mother's maiden name, that is not secret. Many credit card companies use the last four digits of a social security number to authenticate their customers. However, many health insurance companies use social security numbers to identify their customers. In the U.S., birth certificates include the mother's maiden name and are public records anyone can get. Information that is public in one context should not be used to authenticate a person in a different context. And you can't change your mother's maiden name, regardless of how many people know it.
The attitude that security is someone else's problem, or is something to be addressed after the real work gets done, is pervasive in the business world.
In the larger issue of knowing who is really who on the Internet, most attention is focused on the strength of evidence, such as passwords, PINs, smart cards, and biometrics that people use to authenticate their digital identities, such as login names and e-mail addresses. Although this is an important issue to address, it misses the point that even if all of this works perfectly you still don't know who's who. In order to get the full answer, you need to understand what went into verifying a person's real world identity before they got their digital one. In many cases, such as free e-mail accounts, it wasn't much. Both businesses and individuals should ask themselves why they should believe the name on their screen belongs to the person in question in addition to asking why they think that person is the one currently using that name.
Q: What projects are you working on now?
A: Since finishing up work on Digital Defense earlier this year, I've been working on a variety of projects both in the U.S. and Hong Kong, where I recently opened an office. In one project, I've been helping a large organization develop a system to manage large amounts of personal information in over 100 countries. The policies governing who can access different types of information are quite sophisticated and will continue to change in ways that are not completely predictable throughout the lifetime of the system. One interesting security concern is the prevention, and if that fails, detection and remediation of deliberate attacks to corrupt the information.
In another project, I've been advising a police department on the security of its internal IT infrastructure, as well as on additional security measures it will need to take as it starts to conduct more cross-border investigations. For a change of pace, I'm developing a two-day information security workshop based on my book that I'll offer for the first time this December at a university in Hong Kong.
Book Excerpt: Digital Defense
by Thomas J. Parenty
One way of discovering how information security technology can promote innovation is to start by looking in the opposite direction, at how the security technologies companies use actually impose constraints on business activities.
Automated teller machines (ATMs) illustrate how the evidence used to meet trust objectives can either impose or eliminate constraints on transactions such as withdrawing cash. Because ATMs were introduced in the 1970s, you might think the technology is too old and the story too familiar to be relevant today. However, that's exactly the point. ATMs continue to be an innovative business device even today because of the way information security is used in their deployment. Their very familiarity makes it easy for us to forget the role security plays in each and every transaction.
A bank's trust objectives for routine banking include knowing who its customers are, making sure customers are able to access only their own funds, maintaining the confidentiality of financial information, and keeping transaction records to address fraud and reporting regulations. In a typical branch bank, meeting these objectives is labor-intensive. A teller verifies a customer's identity by validating authentication evidence such as a photo ID, signature, or passbook. Because tellers are the ones who hand over cash to customers, they enforce the restriction that customers can access only their own funds. Tellers are also the ones who enter transaction records into a bank's auditing system. In addition to teller discretion, the bank building, vault, and locked file cabinets help ensure the confidentiality of the bank's and customers' financial records.
What limitations does the trust evidence for banking with a teller impose, and what are the business consequences? The limitations are that simple banking transactions can take place only when a teller is present to authenticate customers, dispense cash, and enter transaction records, and these transactions can take place only within a physical bank. The consequences of these limitations include, among other things, long customer lines, the need to employ enough tellers, and the need for sufficient bank space to accommodate them all.
Next think of how the situation changed with the introduction of ATMs. Customers can withdraw money when and where it's convenient for them and banks can reduce operating expenses for staff and capital expenses for buildings, while at the same time expanding the number of customers they can service.
In order to accomplish this, banks need new trust evidence to satisfy their requirements for customer authentication, transaction confidentiality, and so on, evidence that doesn't impose the same limitations as in-person banking. This new trust evidence includes inserting ATM cards and entering PINs instead of presenting a driver's license to a teller, and using encryption to replace the privacy inherent in teller/customer exchanges. Even technologies that are not considered security-related are part of the trust evidence. Within an ATM, for instance, there is a small camera that photographs each bill and a sensor that checks the thickness of each bill before it dispenses cash. In addition to audit records of customer transactions, this evidence can be used in the event of a dispute over the cash an ATM dispensed. Non-security technologies, such as leased telephone lines and printers, are necessary for ATMs to work, but it is well-chosen security technologies that make ATMs a viable innovation for banks.
This example illustrates how the security mechanisms a company uses to protect itself can limit its business activities in terms of time (banking hours), location (a bank), and scale (number of customers and tellers), and how the use of security technologies can remove these limitations. It's important to note that existing security mechanisms do not necessarily make a business weaker or more vulnerable, but they do limit its ability to function optimally. The lesson for businesspeople is this: If you want to find opportunities in which information security can promote innovation at your company, focus on removing limitations of time, location, and scale.