Applying the Patch Post September 11

There is a growing collection of companies touting their product as the 'ultimate post Sept. 11' security solution. Bleary-eyed administrators are asking, "How has my security changed since September 11?"

Answering that question are the tech-evangelists, excited to share their message to deliver you from infrastructure doom.

Increasingly, companies feel the pressure to strengthen their infrastructure to avoid inevitable security breaches. A legion of over-worked IT administrators rush to patch each vulnerability with crossed fingers and duct tape.

How can we pin the need for e-diligence on Sept. 11 itself? The players in the world of e-security exist because security has always been critical. A country's national defense, corporate technical infrastructure, financial transactions - all of this and more has warranted strong protection. It is true that Sept. 11 was a wake-up call to our general state of complacency. It's wrong, though, to market it as the ultimate need to assess corporate security. I wanted to hear from an expert with experiences in both the proactive and reactive security approaches. Fred Rica, who is head of Threat and Vulnerability Assessment for PricewaterhouseCoopers, shared his thoughts with me on reactionary panic and the industry itself.

"With the events of Sept. 11, the 'threat-scape' really changed. While cyberterrorism had always existed, the likelihood of it occurring was fairly low. The cost of defending against it could have been relatively high, and it may not have made sense to expend those resources," Rica notes. "I think what Sept. 11 changed for us is that it made the likelihood more imminent. Now, defending against it, regardless of how high that cost may be, is worth expending the resources on."

We hear a lot about biometrics, especially since Sept. 11. It's almost Orwellian in its approach to identification. It watches us but its eyes are clouded. Because the technology is riddled with known and fundamental flaws, I asked Fred about the reality of implementing this type of solution.

"I just don't believe that we, as a nation, have the infrastructure in place to support the technology. Any technology is reliant upon the infrastructure and installed base to support it and we don't have either at this time. I'm not sure that it will really exist for biometrics. Is the financial implication of building the infrastructure worth the data that the technology is trying to protect? At this time I don't think so."

Companies who carved their niche out of being huge and visible are now brand names. Having just read an article about Check Point, I use them as my brand example. In the article, they were proclaimed as having the 'number one firewall' on the market. I had to ask, are they really the best firewall vendor in the whole world?

"The strength of the firewall is in direct correlation to its implementation. It's really hard to say that one firewall is any better than any other," says Rica. "How do you measure that accurately? It's a question of how it's utilized and monitored, and the variables surrounding that. It's dependent on what type of functionality and implementation you need, and the controls you design around that. All of this determines whether or not a firewall is 'strong.'"

Trying to gauge the future of security is impossible. I have to wonder if there is any product we can invent that solves the problem better than just good implementation. Rica believes that encryption may solve one component of the security problem, but it can't address all the issues.

"Some of the advanced technology we hear about may be applicable in certain instances, but there will never be just one product that solves it all. It's not just a technology problem, a lot of times it's a people problem," he adds. "You can have the best of everything, but if the user's password is 'cat' then someone's going to figure that out. There will never be just one solution or silver bullet. Not because the products are bad, or that they don't do what they say they're going to do, it's just that security is so complex. It's unique to each individual organization and it just seems impossible to me, to come up with one single be-all product."

Since absolutely nothing is 100 percent impenetrable, I wanted to get Fred's definition of what "security" meant to him.

"I'm all about 'acceptable levels of risk.' Everyone's house has probably got a deadbolt, but then a person might say, 'Well, I've got a rare ceramic gnome and a deadbolt's not enough, so I'll install an alarm system and put bars on the windows.' So deciding that I have something valuable to protect, I can add something more than just my front door. The guy down the street might say, 'I have an incredibly rare ceramic gnome, so I'll buy a safe and put the gnome in it, in addition to my alarm, bars and deadbolt on my door.' It's about understanding how valuable your resources are and how much you spend to protect them. Nothing is absolute," he maintains. "If someone really wants your rare ceramic gnome, they'll figure out a way to get it. Security is the same way, you're making a risk assessment, and then you're making a judgment call on what your tolerance for risk is. Spending too much on unnecessary security is just as bad as not spending enough."

To close the interview, I asked Fred to give us all some words of wisdom to take with us on our quest to protect our gnomes.

"When a vulnerability has been exposed, there's a patch. Right now the game is one of constant monitoring. If I were going to tell a security administrator, CIO, or any client one thing they should be doing, I'd say that you have to stay on top of the threats and you have to apply the patches as soon as you can," Rica explains. "We're at a point where being vigilant is all we can do. The metaphor 'Apply the patch,' is really about not letting your guard down. Common sense, user awareness, and constant vigilance and you've got 80 to 90 percent of it covered right there."

There you have it. In the superstore of the security industry, shoved in between the multi-million dollar brand names, stands the best security solution we have. In attempting to create an impenetrable infrastructure, we have to realize that no rock star name and no 'world's strongest firewall' will save us from our 'people problem.' We're left to plug that gaping hole by applying the patch quickly, using common sense, and of course, having a password that isn't 'cat.'

Melisa LaBancz is a security and compliance export analyst, living gnome-free in California.
