By Tim Wilson
February 6, 2008
WASHINGTON -- Computer Forensics Show 2008 -- Peter Tippett thinks it's
time for security professionals to wake up and stop wasting their
In a presentation here yesterday, Tippett -- who is vice president of
risk intelligence for Verizon Business, chief scientist at ICSA Labs,
and the inventor of the program that became Norton Antivirus -- said
that about one third of today's security practices are based on outmoded
or outdated concepts that don't apply to today's computing environments.
"A large part of what we [security pros] do for our companies is based
on a sort of flat-earth thinking," Tippett said. "We need to start
looking at the earth as round."
For example, today's security industry spends far too much time on
vulnerability research, testing, and patching, Tippett suggested. "Only
3 percent of the vulnerabilities that are discovered are ever
exploited," he said. "Yet there is a huge amount of attention given to
vulnerability disclosure, patch management, and so forth."
Tippett compared vulnerability research with automobile safety research.
"If I sat up in a window of a building, I might find that I could shoot
an arrow through the sunroof of a Ford and kill the driver," he said.
"It isn't very likely, but it's possible.
"If I disclose that vulnerability, shouldn't the automaker put in some
sort of arrow deflection device to patch the problem? And then other
researchers may find similar vulnerabilities in other makes and models,"
Tippett continued. "And because it's potentially fatal to the driver, I
rate it as 'critical.' There's a lot of attention and effort there, but
it isn't really helping auto safety very much."
Similarly, many security strategies are built around the concept of
defending a single computer, rather than a community of computers,
Tippett observed. "Long passwords are a classic example," he said. "If
you take a single computer and make the password longer and more
complex, it will be harder to guess, and that makes that computer
But if a hacker breaks into the password files of a corporation with
10,000 machines, he only needs to guess one password to penetrate the
network, Tippett noted. "In that case, the long passwords might mean
that he can only crack 2,000 of the passwords instead of 5,000," he
said. "But what did you really gain by implementing them? He only needed
Tippett also suggested that many security pros waste time trying to buy
or invent defenses that are 100 percent secure. "If a product can be
cracked, it's sometimes thrown out and considered useless," he observed.
"But automobile seatbelts only prevent fatalities about 50 percent of
the time. Are they worthless? Security products don't have to be perfect
to be helpful in your defense."
This concept also applies to security processes, Tippett said. "There's
a notion out there that if I do certain processes flawlessly, such as
vulnerability patching or updating my antivirus software, that my
organization will be more secure. But studies have shown that there
isn't necessarily a direct correlation between doing these processes
well and the frequency or infrequency of security incidents.
"You can't always improve the security of something by doing it better,"
Tippett said. "If we made seatbelts out of titanium instead of nylon,
they'd be a lot stronger. But there's no evidence to suggest that they'd
really help improve passenger safety."
Security teams need to rethink the way they spend their time, focusing
on efforts that could potentially pay higher security dividends, Tippett
suggested. "For example, only 8 percent of companies have enabled their
routers to do 'default deny' on inbound traffic," he said. "Even fewer
do it on outbound traffic. That's an example of a simple effort that
could pay high dividends if more companies took the time to do it."
Security awareness programs also offer a high rate of return, Tippett
said. "Employee training sometimes gets a bad rap because it doesn't
alter the behavior of every employee who takes it," he said. "But if I
can reduce the number of security incidents by 30 percent through a
$10,000 security awareness program, doesn't that make more sense than
spending $1 million on an antivirus upgrade that only reduces incidents
by 2 percent?"