Professionals in both information protection and traditional security say the sudden rush to find solutions underscores a change in a long-held attitude--confirmed by an American Institute for Industrial Security study three years ago--that "it can't happen here."
That attitude led many corporations to put security spending on hold, leaving vast holes in network protection just as Internet attacks on companies doubled.
But the Sept. 11 terrorist attacks and the ensuing barrage of government and intelligence community warnings about vulnerabilities of critical systems have washed away much of that complacency. In its wake is a growing movement among corporations to assess their security risks in detail, overhaul security budgets and protect themselves using both heightened traditional and high-tech methods.
"The response has been huge--unbelievable," said Caroline Hamilton, president and founder of Maryland's RiskWatch, which does detailed risk assessments for large corporations and government agencies. "I've never seen demand like this in the 10-year history of our company. Companies who've told us they don't have security problems are calling with their credit cards in hand."
Terrorist attacks or no, the latest numbers from the Computer Emergency Response Team Coordination Center, a security response group, should be enough to make I-managers review their Internet security. CERT last week said it has counted nearly 35,000 attacks and probes into company computers in the first nine months of this year.
At that rate, CERT's tally should top 46,000 for the year, more than double the 22,000 incidents reported last year.
But the Internet security landscape is strewn with unanswered questions. Can technological innovations themselves thwart cyberattacks, especially those launched by armies of terrorist hackers, who, many fear, could cripple the nation's ability to deliver goods and services?
Are firewalls and virtual private networks enough to protect critical infrastructure and the privacy of data for customers and clients? Or do we face more draconian measures--like shutting off access to information systems for all but a company's most trusted employees?
And how do those responsible for information systems ensure that employees with access to sensitive systems--especially those that could affect public safety--are trustworthy?
In short, where are the holes that need to be filled, and what are the most important priorities?
The search for answers is taking place in corporate boardrooms, in e-mail musings between technology officers and engineers and on golf courses between information systems peers.
What is emerging, said Francis Juliano, chief technology officer of international business auction house DoveBid, is something less than consensus over how far corporations should go to protect themselves, their personnel and their clients.
"The Internet has become an appliance like the telephone, television and indoor plumbing," Juliano said. "We don't have to have it to live, but we have come to rely on it. To prevent attacks that can shut that system down relies on the collaborative efforts of everyone on the Internet to defend it.
"I talk to CIOs [chief information officers] and other CTOs of corporations, and there is a lot of concern. If the Internet goes down, there is no one person to fix it. And the issues are so far-reaching, so complex, where do you start?"
Information system security is indeed a management responsibility BUT it is also a responsibility of the vendors of the associated hardware, software and network systems themselves. AND this area was totally missing from the ZDNET analysis. You buy a car - you expect it to follow the appropriate Australian standards for car safety and quality. The problem today is that commodity systems, e.g. Windows 2000 / XP, which have not even achieved the lowest level of trust analysis (i.e. the old "C2" level of evaluation), are being used in mission critical servers/hosts/workstations. It is time the IT industry was held responsible itself - professionals need to work with trusted systems that have been assessed according to security standards - and we have one - an international one - ISO 15408 - for system trust. None of this gets any mention in your analysis. Strange! After all - there is no point blaming a driver for not stopping the car if it has no brakes! By today, for example, mandatory / role-based access control, segmented memory protection and the like should have been standard - they are not. There is the problem. Untrusted, commodity, consumer systems being used in government, business systems and networks for which they are ill suited. Even Steve Ballmer of Microsoft was reported in June in the UK as commenting that his company could have done a better job in the security area! Multiply that by a nation - and we have the potential for cyber disaster.
Bill Caelli
Information Security Research Centre
Queensland University of Technology