Medicine man: Risk assessment


Ben Sapiro at The Dominion of Canada General Insurance Co. believes that taking an epidemiological approach to security can help drive risk to zero. Dan Kaplan reports.

When news broke over the Memorial Day weekend that one of the most complex pieces of malware ever seen had surfaced, an espionage toolkit known as Flame, arguably the most surprising element was just how long the virus stayed in the wild before it was detected. Estimates ranged from two to seven years. And, while Flame's target base was relatively small – roughly 1,000 computers, mainly in Iran, were believed compromised – the sheer time it took to flag the malicious code caused many security researchers to wonder aloud just how many other Flames are still out there.

For Ben Sapiro, manager of security and contingency at The Dominion of Canada General Insurance Co., headquartered in Toronto, the belated discovery served as a reminder of a much bigger problem facing many organizations today: They are going about evaluating and understanding risk in largely the wrong way, while spending too much of their energy and resources on meeting compliance demands, which is leading to a vast underinvestment in security. And often, instead of fixing the problem that caused a particular incident, they remediate only a subset of that problem – like patching a single SQL injection vulnerability instead of delving into a study of one's entire code base.

“The worrying part to me is that what this signals to the world is it can be done,” Sapiro says. “All of the techniques used by Flame can be eventually learned [and] replicated by others, and eventually that knowledge will make it down to college kids. We clearly need a different approach to security to defend ourselves against this type of problem.” 

Sapiro isn't just talking about viruses and trojans, though with most security companies receiving, on average, 1.5 million new variant submissions each month, and with oldies-but-goodies like Zeus still finding ways to spread undetected while costing businesses hundreds of millions of dollars, it's no wonder he sees data-stealing malware as a prime concern.

“You are starting to hear stories of people taking existing malware and repackaging it slightly, and it bypasses all the anti-virus scanners,” Sapiro says. “It's a continuous accumulation of things happening every day. We really need to do something different.”

But, the struggle to combat the latest threats runs much deeper than a skillfully built piece of malware. “They will never have a perfect virus detector,” he says. “It is computationally impossible.” Instead, what's necessary is an effective way to understand and assess risk. Yet, Sapiro, who spent many years as a consultant, advising clients such as Motorola, says most organizations accept risks because they don't understand them. That's because businesses, even ones running proficient networks, generally operate under a false sense of security. They assume their defenses are adequate and that the traditional castle-and-moat approach will protect them – both myopic suppositions. “The tools we use don't have all the visibility we need them to, and the perimeter doesn't exist,” he says.

According to Accenture's “2011 Global Risk Management Study,” which polled executives at some 400 companies covering 10 industries across the globe, more senior leaders are recognizing the need to align risk with business strategy, especially in light of reputational concerns, compliance worries and increased reliance on the supply chain for the purchase of IT equipment, software and services. (The U.S. Government Accountability Office, in fact, warned earlier this year that federal agencies face five threats when it comes to the supply chain: malware, bogus hardware or software, buggy hardware or software, service disruptions, and malicious or untrained personnel.)

Copyright © 2014 Haymarket Media, Inc. All Rights Reserved