Despite all the costly technology deployed to stave off a computer virus attack, the probability of an infection at any company anywhere is still depressingly high. Last year at least one of the top ten companies in the Fortune 500 experienced a serious virus intrusion.
The Nimda virus (“admin” spelled backward, for those who may miss the hacker sarcasm) spread rapidly in September, infecting giants such as General Electric, Yahoo, and Microsoft. The virus is reported to have knocked GE out of action for three days.
Such breaches in the walls of company systems have caused experts to wonder whether the current philosophy of protection is wrong-headed. Now it turns out that a high priest of computer security — a former developer of the ubiquitous Norton antivirus desktop computer software — is questioning the tech approach.
“Technology is not the answer,” says Peter Tippett, founder and chief technologist of managed security services provider TruSecure. Instead, he argues, technology is only one line of defense in an approach that combines a checklist of actions to improve a company’s awareness of risk and to ensure vigilance.
Tippett’s approach smacks of commendable common sense. Not to be outdone by the geeks, however, he points out that it conforms to a standard theory of probability called Bayesian inference. Bayes, an 18th century theologian, developed a way to understand the likelihood of an event once new conditions could be applied to a given situation.
Its applicability to security is that system hacking and computer incursions often involve not one, but a link-up of many failures to detect risk. Defining the probability of each risk separately adds nothing to an overall conception of the woes a company faces.
In this way, risk can be thought of as a moving target. With Bayes’s model, Tippett attempts to build the best possible net as a snare.
If one control or solution is 80 percent effective, then it fails one out of five times, Tippett points out. Two controls, each 80 percent effective, together will fail one out of 25 times. Three 80 percent effective controls, operating together, will fail one out of 125 times. That’s a 0.8 percent likelihood of failure, or a 99.2 percent probability of success.
The more effective controls a company applies to the risk of a computer break-in, in other words, the less likely a break-in is to occur. It’s even better if the controls represent a coherent, interlocking discipline.
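The arithmetic behind the one-in-5, one-in-25 and one-in-125 figures, as an added example that is not from the article or from Tippett: it multiplies the failure rates of independent controls, and adds a `common_mode` parameter (my assumption, not part of his description) to show that the stacking only pays off while the controls actually fail independently.

```python
from math import prod


def combined_failure(effectiveness, common_mode=0.0):
    """Probability that a break-in gets past every control in `effectiveness`.

    `effectiveness` lists each control's chance of stopping the attack
    (0.8 means it fails one time in five).  With common_mode=0 the controls
    are assumed independent, so their failure rates simply multiply, which
    is the arithmetic in the article.  `common_mode` (an assumption added
    here, not part of Tippett's description) is the chance of a shared
    failure, such as one misconfiguration or one compromised admin account,
    that bypasses every control at once; any such correlation puts a floor
    under the failure rate no matter how many controls are stacked.
    """
    if not all(0.0 <= e <= 1.0 for e in effectiveness):
        raise ValueError("effectiveness values must be in [0, 1]")
    if not 0.0 <= common_mode <= 1.0:
        raise ValueError("common_mode must be in [0, 1]")
    independent = prod(1.0 - e for e in effectiveness)
    return common_mode + (1.0 - common_mode) * independent


def failures_per(effectiveness, common_mode=0.0):
    """Express the failure rate as 'one in N' attempts, as the article does."""
    p = combined_failure(effectiveness, common_mode)
    return float("inf") if p == 0 else 1.0 / p


if __name__ == "__main__":
    for n in (1, 2, 3):
        controls = [0.8] * n  # constructed: n controls, each 80% effective
        print(f"{n} x 80% controls, independent: fails one in "
              f"{failures_per(controls):.0f}")
    # The same three controls when 1% of attacks share a failure mode:
    print(f"3 x 80% controls, 1% common-mode: "
          f"{combined_failure([0.8] * 3, common_mode=0.01):.4f} failure rate")
```

With independent controls the failure rate keeps shrinking by a factor of five per control; with even a 1 percent common-mode failure it never drops below 1 percent, which is why the interlocking discipline the article mentions matters as much as the count of controls.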
Sleeping Better at Night
The method jibes neatly with IT professionals’ experience of their companies’ vulnerability.
Jayne Radbone, manager of Nortel Networks’ business solutions desk in Australia, says that the best way to address corporate security is to have an internal policy that dictates the environment, sets guidelines for enforcement and support, along with the appropriate technology. “Strategic security in a company is about the integration of policy, process, culture and technology for a comprehensive holistic security,” says Radbone.
Liang Tie Hang, vice president and chief manager for operations management at NET263, a Beijing-based Internet services provider, has formalized this approach. Ideally, he says, security must exist on five levels: network, access, server, applications, and management policy.