Send your comments, praise or criticisms to firstname.lastname@example.org. We reserve the right to edit letters.
Keeping pace not enough
Microsoft says it is "keeping pace" with increasingly efficient attackers, especially as threats are increasingly financially motivated and perpetrated by serious con artists.
The fact is, security software is all, by and large, reactive to evolving threats. For the most part, security companies are doing a fine job of keeping up. To optimize your security posture, however, all systems would have to be patched in near real-time, and users would need to be ever vigilant and knowledgeable about security issues and policies. Is that realistic? Hardly.
The key to thwarting attackers is a strong and proactive first layer of defense. Our workers, their PCs and nearly all our company data are mobile. They move on and off managed corporate networks, with the result that perimeter security alone simply no longer protects the workers or the information. Companies need distributed protection of endpoint PCs through centrally-managed client-side defense software that automates security and policy enforcement. That is by far the most effective way to combat future threats.
Mike Hall, CEO, Senforce Technologies Inc.
The value of insurance
Katrina is yet another reminder of why the physical world trumps that of cyberspace.
Does your organizational risk tolerance and corresponding allocation of resources to manage risk align with the realities on the ground? With any perceived risk, you have three choices of what to do about it – accept, mitigate or assign.
Every dollar spent on security is one that could have been spent on business continuity planning (BCP) or disaster recovery (DR) capability, or even business interruption insurance (if assigning risk is preferable to mitigating it directly).
Since the boom of the internet as a business tool, security as a discipline and functional capability has grown in prominence, budget and perceived value. During that time, the BCP/DR process has largely struggled to adapt to the shift from centralized mainframes to the distributed computing of today.
Even major firms were caught with their collective DR pants down with the East Coast power outage of August 14, 2003, and that was after they had all "learned the lessons of 9/11."
To be fair, given the initial response to Katrina, the lessons of DR management appear not to be have learned by our government either.
If your responsibility embraces managing risk, might I suggest that you review the coverage and terms of your business interruption insurance? With the difficulty of evaluating risk so that it can be accepted, and the tendency of those championing mitigation steps to over-estimate their effectiveness, you might find that assigning the risk to an insurance company is your best option.
Lloyd Gauntlett Hession, CSO, BT Radianz
Threat remains the same
David Emm's article "Virus writers and hackers change tactics" (SC newsletter, August 22) was a little presumptuous.
When assessing security posture you should look at three areas – threat, vulnerability and impact. Is the reduction in global attacks in one, two, or all of these areas? Emm seems to think only the threat is changing.
I believe we have no evidence of threat reduction, but we do have evidence of threat reduction, but we do have evidence of reductions in vulnerability and impact.
Reduced vulnerability from improved firewalls, patch management, network isolation and awareness, and reduced impact from better business continuity and response procedures.
Probably the only reason the Bozori worm event hit the news is because it hit CNN. There have been other widespread viruses that didn't make the news and for which labs did not release interim updates. It's squeaky wheel syndrome.
The author says "attacks are becoming more localized." This sounds suspiciously to me like the threat is the same, just that vulnerability and impact management vary considerably.
Michael D. Black, by email