
Article Information

  • Title: Security: Vulnerability Is Inevitable
  • Author: Christopher Null
  • Journal: Ziff Davis Smart Business
  • Print ISSN: 1535-9891
  • Year of publication: 2001
  • Volume: December 2001
  • Publisher: Ziff Davis Media Inc.

Security: Vulnerability Is Inevitable

Christopher Null

No Such Thing As Safe

From badge checks to biometrics, security measures are on the rise. But are we any more protected?

And then there was panic. In a matter of hours after the September 11 attacks on the World Trade Center and the Pentagon, businesses around the world began a mad scramble to beef up security—online and off. At parking garages, trunk checks became mandatory. Downtown office buildings hired extra security guards and constructed makeshift barricades to funnel foot traffic through a single entrance. And it is now against the rules to take toenail clippers on an airplane.

And of course, companies in all sectors are tightening electronic security as well. For network security firms, business is booming. Security company Whale Communications says sales inquiries are up 30 percent in the aftermath, and Viisage, which built the facial-recognition tool used to scope out ruffians at this year's Super Bowl, saw its stock price quadruple in the two weeks following the attacks. Government action is aiding in the push, as antiterrorism legislation to expand wiretapping authority and monitor Internet communications without a warrant has been rushed through Congress (see Legal Redux).

Security consultant John W. Kennish says that's exactly what the attackers wanted. "It's one of the objectives of terrorism," he says, "to complicate, restrict, and inconvenience. A lot of what we're seeing is knee-jerk. Every building is simply not a target."

For the vast majority of companies, Kennish says that the appropriate security response should simply be "a matter of prudence." By comparing the likelihood of an attack with the cost of providing any enhanced security, he says, few additional security measures make sense in the long run.

Most experts instead point to beefing up electronic security through the diligent use of security patches, antivirus software, and firewalls. After all, if terrorists strike again, they probably won't try walking through the front door.

The Watchman

On guarding your business in troubled times: cryptographer Bruce Schneier.

Will the promises of technology help or hinder us when the next September 11 rolls around? If anyone knows, we figured it would be world-renowned cryptographer and security technologist Bruce Schneier. Founder and chief technical officer of Counterpane Internet Security, a managed-security service, Schneier is also the author of six books, including Secrets & Lies: Digital Security in a Networked World (Wiley, 2000). He also writes a monthly e-newsletter called Crypto-Gram, which addressed terrorism in its September 30 issue.

Since September 11, security has become priority No. 1. What measures are the most effective?

The most important thing you can do is to start paying attention. You need to monitor your security all the time—that is better than any preventive measure. I can prevent yesterday's attacks, but it's tomorrow's attacks that worry me. Those are the hard ones.

And yet there's no shortage of companies selling solutions.

I'm very frustrated by the companies that have been saying, "If you'd just used my product then the World Trade Center incident wouldn't have happened." That's absolute nonsense. That assumes the attackers weren't able to modify their attack. They went out and they tested, they practiced, they saw how security was. If security was different, the attack would have looked different. There is no magic thing I can give you to make you secure, but if you pay attention you're more likely to find what's going on.

In your most recent Crypto-Gram, you wrote: "It's easy and fast, but less effective, to increase security by taking away liberty. However, the best ways to increase security are not at the expense of privacy and liberty." That recalls a recent editorial cartoon depicting someone sitting at a computer screen that displayed two buttons, "Freedom" and "Security," with the caption "Pick One."

Right, but that's not it. That bothers me a lot that people believe that.

Polls suggest that most Americans are willing to give up civil liberties for security.

And they're willing to give it up in this cargo-cult mentality—"If I sacrifice my freedom and go through the motions, I will magically be safe again"—without any thinking about "Am I actually getting safety?" Some of the best security measures don't sacrifice freedoms. Only the sloppy, hasty, and ill-thought-out ones do. Interning the Japanese worked, to some degree it worked, but it's not something we do.

After the attacks, several biometrics companies saw their stocks surge. Can biometrics enhance security?

Putting a biometric scanner on the front door of your building might be a good thing, but using it to find terrorists in a crowd is just plain stupid.

Suppose this magically effective face-recognition software is 99.99 percent accurate. That is, if someone is a terrorist, there is a 99.99 percent chance that the software indicates "terrorist," and if someone is not a terrorist, there is a 99.99 percent chance that the software indicates "nonterrorist." Assume that one in 10 million fliers, on average, is a terrorist. Is the software any good?

No. The software will generate 1,000 false alarms for every one real terrorist. And every false alarm still means that all the security people go through all of their security procedures. The false alarms in this kind of system render it mostly useless. It's the boy who cried wolf increased one-thousandfold.

The question is, of all the things we can do, what are we going to do with limited money, limited resources, etc.? Everything has some use. Grounding all aircraft forever has some use, right? It's actually a pretty good security measure. We have to decide: Do we want to do that? Terrorists use lots of things. They used aircraft, skyscrapers, credit cards, telephones, computers. They didn't use cryptography, it seems. We could ban any one of those things. We could ban box cutters. You just have to decide what's worth banning.

—THOMAS CLABURN
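The arithmetic behind the face-recognition passage in the interview above, as an added example that is not part of the original article: it takes the interview's figures (99.99 percent accuracy in both directions, one terrorist per 10 million fliers) and computes the expected true and false alarms, which reproduces the "1,000 false alarms for every one real terrorist" claim. Going beyond the specific case in the text, it also tabulates how the fraction of alarms that are real changes with the base rate, which is what separates a scanner verifying one claimed identity at a door from one searching a crowd. The function names, the dataclass and the comparison base rates are this example's own assumptions.

```python
"""Base-rate arithmetic for a screening system (added illustration).

The sensitivity/specificity/prevalence figures below come from the
interview; everything else (names, comparison base rates) is assumed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningResult:
    expected_true_positives: float    # real targets correctly flagged
    expected_false_positives: float   # innocents wrongly flagged
    expected_false_negatives: float   # real targets the system misses
    positive_predictive_value: float  # P(real target | system says "alarm")


def screen(sensitivity: float, specificity: float,
           prevalence: float, population: int) -> ScreeningResult:
    """Expected outcomes when `population` people pass through the system.

    sensitivity: P(alarm | target), specificity: P(no alarm | non-target),
    prevalence: fraction of the population that are real targets.
    """
    targets = population * prevalence
    non_targets = population - targets
    tp = targets * sensitivity
    fn = targets - tp
    fp = non_targets * (1.0 - specificity)
    flagged = tp + fp
    ppv = tp / flagged if flagged else 0.0
    return ScreeningResult(tp, fp, fn, ppv)


def false_alarms_per_catch(result: ScreeningResult) -> float:
    """How many innocents are flagged for each real target caught."""
    return result.expected_false_positives / result.expected_true_positives


def ppv_for_prevalence(sensitivity: float, specificity: float,
                       prevalence: float) -> float:
    """Same quantity in closed (Bayes) form; population cancels out:
    PPV = sens*p / (sens*p + (1-spec)*(1-p))."""
    hits = sensitivity * prevalence
    false_alarms = (1.0 - specificity) * (1.0 - prevalence)
    return hits / (hits + false_alarms)


# Figures from the interview: 99.99% accurate both ways, 1 in 10 million.
INTERVIEW_SENSITIVITY = 0.9999
INTERVIEW_SPECIFICITY = 0.9999
INTERVIEW_PREVALENCE = 1e-7
INTERVIEW_POPULATION = 10_000_000

# Assumed comparison base rates: crowd search at one end, a door scanner
# where most people presenting a badge are who they claim at the other.
COMPARISON_PREVALENCES = (1e-7, 1e-5, 1e-3, 1e-1, 0.5)


def interview_case() -> ScreeningResult:
    return screen(INTERVIEW_SENSITIVITY, INTERVIEW_SPECIFICITY,
                  INTERVIEW_PREVALENCE, INTERVIEW_POPULATION)


def ppv_table(sensitivity: float = INTERVIEW_SENSITIVITY,
              specificity: float = INTERVIEW_SPECIFICITY) -> dict:
    return {p: ppv_for_prevalence(sensitivity, specificity, p)
            for p in COMPARISON_PREVALENCES}


if __name__ == "__main__":
    r = interview_case()
    print(f"expected real terrorists caught: {r.expected_true_positives:.4f}")
    print(f"expected false alarms:           {r.expected_false_positives:.1f}")
    print(f"false alarms per real catch:     {false_alarms_per_catch(r):.0f}")
    print(f"P(real | alarm):                 {r.positive_predictive_value:.4%}")
    print("\nbase rate -> fraction of alarms that are real")
    for p, ppv in ppv_table().items():
        print(f"{p:>8.0e} -> {ppv:.4%}")
```

The same 99.99 percent accuracy gives a useful alarm about one time in a thousand when the base rate is one in ten million, and a useful alarm almost every time when the base rate is a coin flip; the detector did not change, only the population it was pointed at.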

The Enemy in the Next Boardroom

As you read this, the competition is busy stealing your secrets.

While terrorism gets all the headlines, a threat from overseas is probably not your biggest security worry. Rather, the increasingly dangerous plague of computer viruses, worms, and other bits of malicious code is about to turn into an epidemic. While simple worms like Code Red, Nimda, and SirCam inflict random acts of mischief, from erasing your hard drive to mailing documents from your PC to everyone in your address book, the world is headed into an era where a virus can actually go looking for specific documents. Welcome to the harrowing near-reality of corporate hacking and espionage.

Imagine, for example, that Company A wants to spy on Company B. So, A quietly infects B with a tool that will e-mail all documents with the words "merger," "acquisition," "sales," "loss," or "profit" to a hijacked server where the e-mail can be pored over without being traced.

Is it possible? Robert Clyde, chief technology officer of the giant computer security firm Symantec, thinks so. "In fact," says Clyde, "that was the original concept of the worm in William Gibson's Neuromancer. You create a program and it goes out and finds information. The really scary thing is that if it's done right, you won't even know it happened."

Network security breaches are up 100 percent this year. According to the Computer Security Institute's 2001 survey, the average respondent reported more than $2 million in annual loss due to computer crime—suggesting to Clyde that such targeted attacks are inevitable.

There are others still who think that the boom in corporate espionage will not come from highly specialized worms or viruses, but from time-honored techniques borrowed from the real-life spy-vs.-spy world.

"Sure, it's conceivable that viruses like that could be created," says Dennis Treece, a former U.S. Army colonel charged with securing the Army's computer network in Europe, and now the director of special operations at Atlanta-based managed security firm Internet Security Systems. "But it's more likely that we will see a rise in traditional espionage techniques—it's just a new arena." Treece is talking about simply paying off a network system administrator in exchange for unfettered access to a company's networks.

But is this compu-espionage threat real? "Well," says Treece, pausing to consider his words carefully, "you can't ignore it."

—JOHN GALVIN

Copyright © 2004 Ziff Davis Media Inc. All Rights Reserved. Originally appearing in Ziff Davis Smart Business.
