Managing Network Security

The Limits of Awareness

by Fred Cohen



Series Introduction

Computing operates in an almost universally networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


Duck!

In the last month, we had the Melissa virus - followed closely by the Papa virus and other variations on the theme. While there are a lot of interesting things to be gleaned from the lessons of these viruses, few people have apparently noticed that this series of incidents demonstrates pretty clearly the limits of awareness in information security.

The Melissa virus was as well-publicized an incident as we are ever likely to see. It had saturation coverage on all available media - television, radio, the Internet, newspapers, and magazines all ran major stories on it over a period of days. Military awareness levels were high in much of the world because of the war in Europe and well-publicized information warfare attacks against military targets. Companies of all sizes were informed by email and by the computer security vendor community. Many large companies got the virus in a big way and responded with major internal communications efforts. I doubt you could do a better job of promoting awareness of computer viruses attached to emailed messages than this.

In the following weeks, a substantial number of copy-cat viruses were sent out into the world. Many of them used very similar distribution techniques and methods of spreading, had a similar structure, and in many cases shared portions of the code. The anti-virus vendors provided timely updates for many of these, and in some cases had detection and eradication code available for their customers before a working copy of the virus was released into the wild.

The Papa virus also gave us a unique opportunity to track the spread of a virus under these highly unusual circumstances, because every copy of the Papa virus includes code that, with a 1 in 6 probability, sends packets to a known Web site that I own and operate. I have been tracking those packets and they clearly indicate that, even with all of the awareness of these viruses and readily available technical safeguards, they still managed to spread quite well. To date, we have tracked about 200 sites that have emitted packets apparently caused by the Papa-B virus. Since each copy announces itself only one time in six, that implies roughly six times as many sites, some 1200, have been infected. These have included many military sites, government sites, and major corporate sites, some of which we know have licenses to the major virus scanners and the ability to freely and rapidly update.
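The estimate above is a small piece of telemetry analysis: count the distinct sites that beaconed, then scale by the beacon probability. The following is an added example of how one might do that from a web server's access log; it is not the author's code or data. The log lines are constructed, the beacon path "/papa" is an assumption (the article does not say what the virus requested), and collapsing hostnames to their registered domain or IPv4 addresses to a /24 is one crude, assumed way of counting "sites" rather than machines. The 1/p scaling treats each site as one independent draw, as the article's 200-to-1200 reasoning does.

```python
import math
import re
from collections import Counter

# Constructed sample of Common Log Format lines; made up for this example.
SAMPLE_LOG = """\
host1.example.mil - - [05/Apr/1999:10:12:01 -0700] "GET /papa HTTP/1.0" 200 12
host1.example.mil - - [05/Apr/1999:10:12:09 -0700] "GET /papa HTTP/1.0" 200 12
host2.example.mil - - [05/Apr/1999:10:15:44 -0700] "GET /papa HTTP/1.0" 200 12
pc7.bigcorp.com - - [05/Apr/1999:11:02:13 -0700] "GET /papa HTTP/1.0" 200 12
192.0.2.17 - - [05/Apr/1999:11:30:07 -0700] "GET /papa HTTP/1.0" 200 12
192.0.2.200 - - [05/Apr/1999:11:31:40 -0700] "GET /papa HTTP/1.0" 200 12
ws3.agency.gov - - [05/Apr/1999:11:40:58 -0700] "GET /papa HTTP/1.0" 200 12
crawler.search.net - - [05/Apr/1999:12:00:00 -0700] "GET /index.html HTTP/1.0" 200 4521
this line is not a log entry
"""

BEACON_PATH = "/papa"          # assumption: the path the virus requests
BEACON_PROBABILITY = 1.0 / 6   # from the article: each copy beacons with probability 1/6

# host ident authuser [timestamp] "method path protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def beacon_sources(log_text):
    """Count beacon requests per source host; malformed lines are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m and m.group("path") == BEACON_PATH:
            hits[m.group("host")] += 1
    return hits


def site_of(host):
    """Collapse a source to a 'site': the /24 for an IPv4 address, otherwise the
    registered domain (last two labels). This grouping is an assumption."""
    if IPV4_RE.match(host):
        return ".".join(host.split(".")[:3]) + ".0/24"
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def observed_sites(log_text):
    """The set of distinct sites that have emitted at least one beacon."""
    return {site_of(h) for h in beacon_sources(log_text)}


def estimate_infected(observed, p=BEACON_PROBABILITY, z=1.96):
    """Point estimate and approximate 95% interval for the number of infected
    units when each one beacons independently with probability p.
    With N infected, observed ~ Binomial(N, p), so N ~= observed / p and
    Var(observed / p) ~= observed * (1 - p) / p**2."""
    point = observed / p
    sd = math.sqrt(observed * (1 - p)) / p
    return point, max(0.0, point - z * sd), point + z * sd


if __name__ == "__main__":
    sites = observed_sites(SAMPLE_LOG)
    print("beaconing sites:", sorted(sites))
    print("estimate from sample:", estimate_infected(len(sites)))
    print("estimate for 200 observed sites:", estimate_infected(200))
```

Counting by site rather than by host matters: host1.example.mil beaconed twice and example.mil has two infected hosts, but the estimate should not count that site four times. The interval is wide because a one-in-six signal is a small sample of the underlying population; for 200 observed sites it spans roughly 1050 to 1350, which is why "some 1200" is the honest way to state it.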

It seems clear that awareness has its limits and that its limitations are quite substantial.


Choose!

If you keep walking out on a busy highway, eventually you will get hit by a truck. If you keep using risky software and business practices, eventually you will get hit by a serious cyber-incident. And after getting hit once or twice in a year, you would think that businesses would change their ways... but they don't.

Now this, to me, should be the height of awareness. You get hit, you know you were hit, you know what it cost you, you know that it could have been far worse, and you know that the cost of getting rid of the problem would be far less than getting hit again. So, what do you do? Nothing.

Yes, that's right. I know of several cases where all of these conditions were met, and yet, over a multi-year period, management did nothing to solve the problem. They just lost more and more each year. In one case, the company was eventually bought out and resold, and as far as I know it still has the same problems... but today's management is unaware of them because they simply ignore things that are in three-year-old reports. I'm working to get the report back in their view. In another case, an oversight process caused increased awareness, so they made fixes, but not fixes that were designed to mitigate the problem - so the problem recurred - several times - and keeps recurring. And they got the Melissa virus in a big way - and they will get more and more of them.


Is anybody in there?

Regardless of what these cases say about management, they certainly seem to say something about awareness. Now there are a lot of people who might come up with valid reasons that these companies don't solve these longstanding problems. Perhaps it's a matter of return on investment? Not even close - in each case the return was shown to be far greater than any normal investment the organization would make. Perhaps it's a matter of priorities? No - not in these cases. Other priorities were taken, but no other item that was followed up on was as financially important as the ones I listed above. Perhaps there were strong reasons not to make these fixes? It could be that the management was defrauding the companies, but in these cases I don't think so.

So what is the problem? I'll tell you what I think. I think that there are limits to what awareness can do, and that those limits are rather severe. Awareness of serious security problems is not useful unless the people who are aware are serious about security. It may be hard to understand, because if you are reading this article you are probably serious about security. But it's not that complicated really.

Suppose somebody came and told you that you could make a million dollars by investing fifty thousand dollars, that it was clear from the facts that it was an assured return on investment in 6 months, that you had the fifty thousand dollars, and that all you had to do was to invest in ant farms in South Africa.


Who wants to own an ant farm in South Africa?

I had you going there until that last part. Now it turns out that I don't know anything about ant farms in South Africa, and I don't think it would be wise to invest in them based on anything I have said here. But even if I were the world's leading expert on ant farms and I could show you that it was a sure thing, the chances are that you would not make the investment.

It's the same with computer security investments. No matter how certain it may look to anybody that knows about security, and no matter how much you try to make somebody understand what you are talking about, unless they are interested in ant farms or South Africa, it is going to be an awfully hard sale.


No good deed...

I forgot about one thing. One day, they will figure out that security is a great investment. And when they do, you may rest assured that your years of effort trying to teach them this will go unrewarded. It follows the old adage: "No good deed ever goes unpunished."

In case you don't believe me, I would like to tell you about a good friend and professional associate of mine who spent the last 5 years or more trying to convince his multi-billion dollar company to get a firewall. By the end of his crusade, he was told by top management in no uncertain terms that he was never to bring the subject of a network firewall up again, and he was removed from his mid-level management position and placed in a "side box" during his transition to a lower level position.

A month or so later, a real big-time incident happened. It ultimately left a major portion of the corporation unable to use its personal computers for a period of weeks while things were cleaned up. Within a few days of operations halting, the same executive who had told my friend never to bring up the subject again stood up in front of major corporate meetings proclaiming that they were going to put in a network firewall, describing how it would make them safe, and putting a group in charge of the effort. My friend was not only left out of the group doing the implementation; he wasn't contacted, mentioned, or otherwise given any credit for the years of effort he had put into trying to get the problem fixed.

Now wait... the story is not over yet. Because if we have learned anything here, it is that awareness has its limits. The firewall that was installed would not have prevented the incident. Yes, that's right. It was the wrong solution for the problem at hand, even if it was a good thing to do. The problem was actually fixed by other people doing other things unrelated to the firewall.


Conclusions

I hope that I have not offended too many managers by my comments here today. Indeed, I should mention that I know of lots of cases where management has used awareness in the right way and made rational decisions. I would not say that it is the rule, but it is also not that big of an exception.

What I think is clear from today's article is that awareness has limits and those limits are fairly severe. They seem to be related to the predisposition of those being made aware to have interest in the subject matter.

While we can make the awareness process less painful, and even fun and reasonably effective, we should not expect that the fact of awareness produces good decisions.


About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Managing Director of Fred Cohen and Associates in Livermore, California, an executive consulting and education group specializing in information protection. He can be reached by sending email to fred at all.net or visiting /