Medicine man: Risk assessment

Ben Sapiro at The Dominion of Canada General Insurance Co. believes that taking an epidemiological approach to security can help drive risk to zero. Dan Kaplan reports.

When news broke over the Memorial Day weekend that one of the most complex pieces of malware ever seen had surfaced, an espionage toolkit known as Flame, arguably the most surprising element was just how long the malware stayed in the wild before it was detected. Estimates ranged from two to seven years. And, while Flame's target base was relatively small – roughly 1,000 computers, mainly in Iran, were believed compromised – the sheer time it took to flag the malicious code caused many security researchers to wonder aloud just how many other Flames are still out there.

For Ben Sapiro, manager of security and contingency at The Dominion of Canada General Insurance Co., headquartered in Toronto, the belated discovery served as a reminder of a much bigger problem facing many organizations today: They are evaluating and understanding risk in the wrong way, spending too much of their energy and resources on meeting compliance demands, which leads to a vast underinvestment in security. And often, instead of fixing the problem that caused a particular incident, they remediate only the one instance that was reported – patching a single SQL injection vulnerability, say, instead of examining the entire code base for the same flaw.
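To make the "one instance versus the whole class" point concrete, here is an added example that is not from the article and not code from The Dominion or from Sapiro. It embeds a constructed three-file Python "code base" as strings: one file where the reported SQL injection was already fixed with a parameterized query, and two others that still build query text from untrusted input. The scanner walks each file's syntax tree and flags any `execute()`/`executemany()` call whose first argument is assembled at runtime by concatenation, `%`-formatting, `.format()` or an f-string, which is exactly the flaw the single patch left behind elsewhere. The file names, function names and snippets are all hypothetical.

```python
"""
Added example (not from the article): scanning a whole code base for the
SQL-injection pattern instead of patching the one reported instance.

The "code base" is a dict of constructed source snippets. scan_code_base()
parses each with the standard-library ast module and reports every
cursor.execute()/executemany() call whose query text is built dynamically
from other values, i.e. the pattern that lets attacker data into the query.
"""
import ast

# Constructed sample "code base" (hypothetical file names and functions):
# users.py is the already-patched finding; orders.py and reports.py carry
# the same flaw in other forms.
SAMPLE_CODE_BASE = {
    "users.py": '''
def get_user(cur, name):
    # the single finding that got fixed: parameterized query
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
''',
    "orders.py": '''
def get_orders(cur, user_id):
    # same flaw, different file: f-string builds the query text
    cur.execute(f"SELECT * FROM orders WHERE user_id = {user_id}")
''',
    "reports.py": '''
def search(cur, term):
    # and again via string concatenation and %-formatting
    cur.execute("SELECT * FROM reports WHERE title LIKE '%" + term + "%'")
    cur.executemany("INSERT INTO log VALUES ('%s')" % term, [])
''',
}

# Method names treated as SQL sinks (DB-API 2.0 cursor methods).
SINK_METHODS = {"execute", "executemany"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the expression builds a string at runtime from other values."""
    if isinstance(node, ast.JoinedStr):                      # f"...{x}..."
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "a" + x, "a %s" % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                    # "a {}".format(x)
    return False                                             # literal or parameter


def scan_source(filename: str, source: str) -> list:
    """Return (filename, line, method) for every dynamic-SQL sink in one file."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in SINK_METHODS and node.args and _is_dynamic_string(node.args[0]):
            findings.append((filename, node.lineno, node.func.attr))
    return findings


def scan_code_base(code_base: dict) -> list:
    """Scan every file: the target is the whole class, not the one reported instance."""
    findings = []
    for filename, source in code_base.items():
        findings.extend(scan_source(filename, source))
    return sorted(findings)


if __name__ == "__main__":
    for finding in scan_code_base(SAMPLE_CODE_BASE):
        print("%s:%d dynamic SQL passed to %s()" % finding)
```

Run against the sample, the scanner reports nothing for the patched `users.py` but three sinks in the two files nobody looked at, which is the gap between closing a ticket and fixing the problem. A real scan would point this at the actual source tree and extend `SINK_METHODS` and `_is_dynamic_string` to whatever database layer and string-building idioms the code base uses.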

“The worrying part to me is that what this signals to the world is it can be done,” Sapiro says. “All of the techniques used by Flame can be eventually learned [and] replicated by others, and eventually that knowledge will make it down to college kids. We clearly need a different approach to security to defend ourselves against this type of problem.” 

Sapiro isn't just talking about viruses and trojans, though with most security companies receiving, on average, 1.5 million new variant submissions each month, and with oldies-but-goodies like Zeus still finding ways to spread undetected while costing businesses hundreds of millions of dollars, it's no wonder he sees data-stealing malware as a prime concern.


“You are starting to hear stories of people taking existing malware and repackaging it slightly, and it bypasses all the anti-virus scanners,” Sapiro says. “It's a continuous accumulation of things happening every day. We really need to do something different.”

But, the struggle to combat the latest threats runs much deeper than a skillfully built piece of malware. “They will never have a perfect virus detector,” he says. “It is computationally impossible.” Instead, what's necessary is an effective way to understand and assess risk. Yet, Sapiro, who spent many years as a consultant, advising clients such as Motorola, says most organizations accept risks because they don't understand them. That's because businesses, even ones running proficient networks, generally operate under a false sense of security. They assume their defenses are adequate and that the traditional castle-and-moat approach will protect them – both myopic suppositions. “The tools we use don't have all the visibility we need them to, and the perimeter doesn't exist,” he says.

According to Accenture's “2011 Global Risk Management Study,” which polled executives at some 400 companies covering 10 industries across the globe, more senior leaders are recognizing the need to align risk with business strategy, especially in light of reputational concerns, compliance worries and increased reliance on the supply chain for the purchase of IT equipment, software and services. (The U.S. Government Accountability Office, in fact, warned earlier this year that federal agencies face five threats when it comes to the supply chain: malware, bogus hardware or software, buggy hardware or software, service disruptions, and malicious or untrained personnel.)