The $43 billion spent on information security worldwide over the last three decades has been spent on systems with flaws so drastic that they can't be fixed with technology, says Winn Schwartau, an information security expert who has testified before the US Congress and consulted as an expert witness in US courts. Schwartau believes that the policies that handle how long it takes to detect and respond to a security breach are far more crucial than the plethora of preventative technologies available.
Schwartau's time-based security model addresses the fact that no one knows how to secure a computer with complete certainty. Consequently, IT security vendors never guarantee their products 100%, which makes measuring the success of security systems problematic to say the least. When building network infrastructures that are homogenous and easy to use, companies are effectively building in security weaknesses by limiting the number of possible attack targets. Microsoft, for instance, has had to endure a lot of negative publicity about the security of its software because it owns 93% of the desktop operating system market.
Most of the current IT security models were developed for standalone computer systems, rather than those connected to the Internet. Since the advent of the Web, IT security has become a hodge-podge of technologies that address small parts of the whole problem - transferring from a security model where everyone is shut out to one where a company allows customers and partners selective access to its internal systems. The industry is crying out for a replicable methodology that shows the value of IT security relative to the level of investment required.
Schwartau's pitch is that security should be based around an automated reaction path that reduces as far as possible the amount of time that the computer systems are available to attack. This is expressed by the equation, E=D+R. The exposure time (E) of the system equals the detection time (D) needed to see the problem plus the reaction time (R) needed to do something about it. Because nobody can guarantee the protection of a computer system, a company always has to assume the possibility of its systems being exposed for some time when an attack occurs.
Indeed, some intrusion detection systems on the market still work by printing reports on what has already occurred in the traffic over a network, which means response times are dependent on someone reading those reports. Even the most up-to-date systems are often fractured affairs that don't make it easy to make a coordinated response to an attack. The more time an attacker, whether from inside or out, has with the system exposed, the more damage he or she can do.
Schwartau's approach boils down to building a reaction plan to various known problems and scenarios. By classifying data, evaluating assets and choosing the appropriate responses, a company can come up with a policy on how to respond to threats in the shortest possible time. Such a policy, if its procedures are followed, would outweigh any technology put in place - at least until the effectiveness of protective devices can be measured, which isn't yet the case.
The issue is really one of control. The old hierarchical top-to-bottom decision-making processes are being replaced by situations in which business leaders are effectively handing control of their organizations' Internet trading environments over to employees that understand much more about technology than they do.
Schwartau also advocates systems administrators undergoing military-style psychological testing to make sure they will be loyal to the companies they work for. A common-sense streamlining of security policies is one thing, but just how much control can a company have over a huge peer-to-peer network like the Internet? What's likely to arise out of this uncertainty is a way for companies to insure themselves against risk from IT security breaches. But first there has to be a way to evaluate the effectiveness of IT security technologies - which is exactly the problem Schwartau is highlighting with his time-based security theory.
the451 (www.the451.com) is an analyst firm that provides timely, detailed and independent analysis of news in technology, communications and media. To evaluate the service click here.