2003.06.myth.of.secure.computing.pdf

Harvard Business Review Online | The Myth of Secure Computing

Click here to visit:

>| http://www.hbsp.org

The Myth of Secure Computing

When it comes to digital security, there’s no such thing as an

impenetrable defense. But you can mitigate risks by following

sound operating practices.

by Robert D. Austin and Christopher A.R. Darby

Robert D. Austin is an assistant professor of technology and operations management at Harvard Business School

in Boston. Christopher A.R. Darby is the chairman of @stake, a digital security consultancy headquartered in

Cambridge, Massachusetts.

For two weeks in the summer of 2001, a tiny computer program known as the Code Red worm

burrowed through a security hole in Microsoft’s server software to infect hundreds of thousands

of computers around the world. As far as computer viruses go, Code Red was fairly benign – it

defaced Web sites but didn’t directly corrupt or destroy files – yet it nevertheless did a great

deal of damage. Many companies lost the use of their networks; some had to take their Web

sites off-line. The total bill for cleaning up the mess has been estimated at a whopping $2.6

billion.

If you’re like most senior executives, you probably have only a vague memory of the Code Red

worm, or of any of the other viruses or hacker attacks that have plagued corporate networks in

recent years. Indeed, you probably don’t pay a whole lot of attention to digital security in

general. You know it’s a problem – a potentially enormous one – but you avoid getting directly

involved in dealing with it. For one thing, digital security is extraordinarily complicated, requiring

all sorts of specialized technical knowledge. What busy executive has the time to learn the ins

and outs of “buffer overflow” attacks, for instance? For another thing, the majority of security

breaches actually originate with insiders – with careless or vindictive employees. Prevention

requires a lot of nagging, something most executives don’t like to do. Lastly, digital security is

invisible; you know you’ve succeeded only when nothing happens. So there’s little personal

payoff for a job well done. Investors and directors are unlikely to pat you on the back and say,

“Good for you! No serious security breaches for the past three years.” If anything, they’ll scowl

and say, “Wasting money again, like you did on Y2K? Why not let that money drop to the

bottom line?”

It’s therefore no surprise that senior managers routinely hand off responsibility for digital

security to their technical people or to consultants hired to “make the organization

impermeable.” But an arm’s-length approach is extremely unwise given the high stakes

involved. According to industry estimates, security breaches affect 90% of all businesses every

year and cost some $17 billion. Protective measures are expensive; the average company can

easily spend 5% to 10% of its IT budget on security. Even more important, security breaches

can have far-reaching business implications. They can disrupt operations, alienate customers,

and tarnish reputations. Business managers, not just technical managers, are the ones who will

have to deal with the consequences of a security breach, which is why they’re the ones who

should spearhead preventive measures, and fast. The sobering fact is, threats to security – be it

http://harvardbusinessonline.hbsp.harvard.edu/b02/en/hbr/hbrsa/current/0306/article/R0306JPrint.jhtml (1 of 8) [04-Jun-03 21:36:18]

Harvard Business Review Online | The Myth of Secure Computing

from disgruntled employees or from cyberterrorists – are escalating in number.

The good news is that general managers don’t have to learn about the more arcane aspects of

their company’s IT systems to establish crucial preventive measures. Unlike IT managers who

may be directly involved in the cat-and-mouse games played with potential intruders, business

managers should focus on the familiar task of managing risk. Their role should be to assess the

business value of their information assets, determine the likelihood that they’ll be compromised,

and then tailor a set of risk-abatement processes to particular vulnerabilities. That approach,

which views computer security as an operational rather than a technical challenge, is akin to a

classic quality assurance program in that it attempts to avoid rather than fix problems and it

involves all employees, not just IT staffers. The goal isn’t to make computer systems completely

secure – that’s impossible – but to reduce the business risk to an acceptable level.

The Threats

Threats to digital security come in many shapes and sizes, but they essentially fall into three

categories.

Network attacks are waged over the Internet. They can slow network performance, degrade e-

mail and other on-line services, and cause millions of dollars in damages – all without breaching

the internal workings of an IT system. Denial of service (DoS) attacks, for instance, disable

computers by flooding them with an overwhelming number of messages. As the computers try

to respond to each of the thousands of messages, their resources are consumed and they often

crash. In February 2000, DoS attacks against such high-profile targets as Yahoo, eBay, CNN,

and the FBI caused damages estimated in excess of $100 million.

DoS attacks are easy to mount and difficult to defend against. The average individual can

download an attack program from the Internet in less than ten minutes. And even more

sophisticated attacks – such as a distributed denial of service (DDoS) attack, which hijacks

computers and uses them to launch further DoS attacks – can be started by people with only

modest technical skills. Fortunately, new enterprise software tools can thwart most network

attacks, and even if your systems are knocked out, the damage is rarely permanent.

Intrusions differ from network attacks because they actually penetrate an organization’s internal

IT systems. How do intruders do it? It’s easier than you might think. User names are generally

predictable: John Smith’s user name is often jsmith, for example. As for passwords, people

frequently use birthdays, children’s names, or even “password.” And as unbelievable as it may

sound, many tape their passwords to their monitors so they don’t forget them. (It’s worth noting

that the majority of intrusions are committed by insiders.) Even people who create hard-to-

guess passwords will often give them up to an official-sounding caller pretending to be a

company network engineer. Sometimes, intruders don’t even need to steal passwords; they can

get in through flaws in software code.

Once inside a network, intruders enjoy the same rights of access and control over systems and

resources as legitimate users do. They can steal information, erase or alter data, deface Web

sites, or pose as company representatives. In one instance, an intruder posted a press release

about an earnings shortfall, causing a company’s stock price to plummet. And intruders can use

what’s called sniffer software to eavesdrop on network conversations and acquire more

passwords. Because traffic flows among companies, a sniffer can find passwords on other

networks, too.

In February 2000, DoS attacks against such

high-profile targets as Yahoo, eBay, CNN, and

the FBI caused damages estimated in excess of

$100 million.

http://harvardbusinessonline.hbsp.harvard.edu/b02/en/hbr/hbrsa/current/0306/article/R0306JPrint.jhtml (2 of 8) [04-Jun-03 21:36:18]

Harvard Business Review Online | The Myth of Secure Computing

One of the most difficult problems arising from intrusion is figuring out what, precisely, was

done. Hackers take great pains to cover their tracks. They may make subtle changes in a

system, open obscure “doors” that allow other hackers secret access in the future, or slightly

alter data in ways that are difficult to detect. They can also deposit time bombs, seemingly

innocuous bits of code that are scheduled to explode at a future date. And many intruders leave

behind programs (with names like “Devil” and “Executer”) that allow them to use the company’s

computers to launch other attacks.

While it can be costly for companies to uncover what, if any, changes were made, it’s absolutely

crucial. There’s a very high public relations penalty for not knowing something consequential

about your computer systems or, worse, for making false assurances about the security of your

systems.

The final type of threat, malicious code, consists of viruses and worms. Although experts

disagree about the precise definitions, a good rule of thumb is that viruses need help replicating

and propagating (they rely on naive users to open an e-mail attachment, for instance) whereas

worms do it automatically. Both types of malicious code move much faster than human hackers

do. What’s more, their targets can be random, making it impossible to predict where they’ll hit

next. The SQL Slammer, which struck in January 2003, attacked indiscriminately and took down

the Finnish telephone service as well as more than 13,000 Bank of America ATMs. And because

worms and viruses are often used to launch other strikes, their potential for destruction is

enormous. The Code Red worm, for example, not only invaded vulnerable systems but also

deposited a program to launch DoS attacks against other computers.

Clearly, digital attacks – especially when used in combination – can bring a company to its

knees. Consider the damage done by one disgruntled bank employee. During a holiday

weekend, he launched a DoS attack against an internal network that connected important

banking systems to the company’s databanks. Knowing the IT staff would have its hands full

restoring communication between systems and storage devices, he moved the battle to a

second front. He knew which Web server software the company was running, and he knew (or

suspected) that its security patches were not up-to-date. He researched the software’s

vulnerabilities and then downloaded programs created by the hacker community to exploit those

flaws. He altered the bank’s Web site so that visitors were diverted to a pornographic site.

Having created another diversion, the attacker started doing more serious damage. He knew

which bank databases contained customer information, and he suspected that database

applications had not been “hardened” – in other words, adjusted so that only required services

were left running. The attacker used a service that was running unnecessarily to corrupt the

databases and destroy client data.

By Tuesday morning, the bank was in chaos. Because the integrity of its systems couldn’t be

trusted, the bank was reduced to a pencil-and-paper operation. Although it recovered from most

of the technical disruption in four business days, it was still working to restore client confidence

six months later.

The Operational Approach

Companies need to have smart technicians who stay abreast of emerging digital threats and

defenses, of course, but the technicians shouldn’t be calling the shots. General managers need

to take the lead in building processes that will lessen the likelihood of a successful attack and

mitigate damage. Most organizations already have at least some of these processes in place, but

they rarely develop and manage them in a coherent, consistent way. Here are eight that your

company should be working on.

Identify your company’s digital assets, and decide how much protection each

deserves. You don’t hire armed guards to prevent the occasional nonbusiness use of copy

machines, nor do you keep your company’s cash in a filing cabinet. You protect each corporate

resource in proportion to its value. The same principle applies to digital security.

http://harvardbusinessonline.hbsp.harvard.edu/b02/en/hbr/hbrsa/current/0306/article/R0306JPrint.jhtml (3 of 8) [04-Jun-03 21:36:18]

Harvard Business Review Online | The Myth of Secure Computing

To begin, you first have to figure out what your digital assets are (they’re not always obvious). A

team of senior managers from across the company should take an inventory of data and

systems, assess how valuable each is to the company, and decide how much risk the company

can absorb for each asset. That will tell you the level of protection each warrants. A bank, for

instance, might assign the greatest amount of protection to the database that stores its

customers’ financial information. For a pharmaceutical company, it might be the research

servers that hold data on promising drug compounds. Internal Web servers that contain general

information about benefit programs probably warrant less protection.

The next step is to review the people, processes, and technologies that support those assets,

including external suppliers and partners. When you’re done with that, you’ll have a blueprint

that identifies precisely what your digital assets are, how much protection each merits, and

who’s responsible for protecting them.

Earnings Versus Security

Sidebar R0306J_A ( Located at the end of this

article)

Define the appropriate use of IT resources. All companies have policies explaining the

appropriate use of resources. For example, employees know what kinds of things can be

charged to expense accounts. But use of company computer systems is often left unclear.

Managers need to ask, “Who should have remote access to the corporate network? What

safeguards must be in place before employees can connect to the corporate network from a

remote location?” These aren’t technical questions; they’re people and process questions that

will help you identify the normal behaviors for particular jobs and what employees should and

shouldn’t be doing on their systems (such as sharing passwords).

Because even the best security policy will be ineffective if users and business partners ignore it,

it’s important for companies to explain their rationale for the limitations they place on computer

usage.

Securing the Small to Midsize Enterprise

Sidebar R0306J_B ( Located at the end of this

article)

Control access to your systems. You don’t allow just anyone off the street to wander in and

use your company’s fax machines or sit in on a strategy session. In a related vein, you need a

way to bar some people from your computer systems while letting others in. You need systems

that determine who gets access to specific information. And you need a way to ensure critical

communications aren’t overheard.

Certain technologies – firewalls, authentication and authorization systems, and encryption – are

used to meet these requirements, but they’re only as good as the information that feeds them.

They should be configured to reflect the choices you made when you defined your most critical

assets and decided who had access to them. Of course, nontechnical managers won’t be doing

the actual configuration work, but they will inform the process by asking questions like “How do

we keep suppliers from accessing the payroll data?”

Just as companies keep an eye on their equipment and supplies by conducting scheduled audits

and random spot checks, so should they monitor the use of their IT systems. Monitoring and

intrusion-detection tools routinely log computer activity on company networks and highlight

patterns of suspicious activity, changes in software, or patterns of communication and access.

Some companies turn off activity-monitoring functions because they can slow network

http://harvardbusinessonline.hbsp.harvard.edu/b02/en/hbr/hbrsa/current/0306/article/R0306JPrint.jhtml (4 of 8) [04-Jun-03 21:36:18]

Harvard Business Review Online | The Myth of Secure Computing

performance, but that’s exceedingly shortsighted; the cost of not knowing enough about a

security breach is much, much greater.

Insist on secure software. All well-run operations tell their materials suppliers exactly what

specifications to meet. Similarly, companies should demand reasonable levels of security from

software vendors. Look at the wording of this contract between General Electric and software

company GMI:

Code Integrity Warranty 1

GMI warrants and represents that the GMI software, other than the key software, does not and

will not contain any program routine, device, code or instructions (including any code or

instructions provided by third parties) or other undisclosed feature, including, without limitation,

a time bomb, virus, software lock, drop-dead device, malicious logic, worm, Trojan horse, bug,

error, defect or trap door (including year 2000), that is capable of accessing, modifying,

deleting, damaging, disabling, deactivating, interfering with or otherwise harming the GMI

software, any computers, networks, data or other electronically stored information, or computer

programs or systems (collectively, “disabling procedures”).…If GMI incorporates into the GMI

software programs or routines supplied by other vendors, licensors or contractors (other than

the key software), GMI shall obtain comparable warranties from such providers.…GMI agrees to

notify GE immediately upon discovery of any disabling procedures that are or may be included in

the GMI software, and, if disabling procedures are discovered or reasonably suspected to be

present in the GMI software, GMI, as its entire liability and GE’s sole and exclusive remedy for

the breach of the warranty in this section 7.3, agrees to take action immediately, at its own

expense, to identify and eradicate (or to equip GE to identify and eradicate) such disabling

procedures and carry out any recovery necessary to remedy any impact of such disabling

procedures.

When airtight clauses like these become common in software contracts, exploitable flaws will

become rare.

Managers need to sort through which risks are

most likely to materialize and which could

cause the most damage to the business, then

spend their money where it will be most

useful.

If your company develops software, make sure your developers are following secure coding and

testing practices. Those who aren’t may be costing your company large sums of money. One

multinational database supplier estimates that releasing a major patch (a fix for a problem in

already deployed code) costs the company $1 million, and it releases as many as 12 a month.

But 80% of these patches would be unnecessary if the company eliminated only one common

type of coding error known as “buffer overflows.”

Know exactly what software is running. It’s shocking how many companies don’t follow this

very obvious rule. Keeping track of what versions and fixes have been applied is as fundamental

to digital security management as keeping an accurate inventory of physical assets is to plant

management.

We’re not saying that this is easy – software configurations change all the time. Maybe a

program isn’t running correctly, or an important customer demands a change, or a software

vendor releases a new patch – the list can go on and on. But no matter the reasons, it’s crucial

to document every modification. That way, if your computers are breached, you’ll have current

records to determine when and where the hacker struck. And if you prosecute the intruder,

you’ll have digital forensics to establish a chain of evidence.

http://harvardbusinessonline.hbsp.harvard.edu/b02/en/hbr/hbrsa/current/0306/article/R0306JPrint.jhtml (5 of 8) [04-Jun-03 21:36:18]

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika: