Speaking at NetWorld+Interop 2001, he sought to shatter assumptions e-businesses too often made about the nature of their own security measures, the people who made them, and the people who break them.
Any of these blunders ring a bell?
- Assume you're not a target. What are you, special? Invisible? Your site is no less appealing to hackers than anyone else's, says Glennan.
- Assume your firewall will keep the bad guys out. Bad guys love firewalls. They're a challenge and challenges are what make hackers tick.
- Assume your IT staff can handle security.
Sure, you have skilled, dedicated staff, but "the hacker community is probably more organised than your IT staff," says Glennan.
"If we had staff with the intensity (hackers) have, the economy would be booming."However, Glennan was quick to dispel the supposition that hackers are generally "intelligent but misguided". Most hackers were unintelligent, unemployed, and simply followed "recipes" found in a "cookbook", he said.
- Assume your network won't be broken into.
"People spend money on their 'front door' and completely forget about everything else," says Glennan. If you're realistic, he says, you'll assume you will be broken into. - Assume you don't have the budget.
Companies that install simplistic, cheap or minimal security solutions are living with a "false sense of security", says Glennan.Plus, what CIOs and CEOs don't realise is that they are now liable to be sued for failing to adequately protect company assets.
Of course, intellectual property is counted as an asset. If you have the budget for a burglar alarm, you have the budget for a regularly audited, thorough IT security system.
- Assume no one else is reading your email.
Glennan says reading other people's email is so easy it's trivial. Remember, email is "just data travelling through public networks". He cited an example of some Australian employees sent to a regional office who decided to read every single email their manager received, simply because they felt they were not being briefed as regularly as they would have liked. Which brings us to mistake number seven... - Assume you can trust your employees.
The above example in mind, Glennan warns that "disgruntled employees" constitute one of the largest categories of malicious attack on company systems. - Assume that security products are secure.
Market demands on software vendors outweigh their integrity, Glennan says. In many cases, if these vendors don't get their latest gizmo out the door five seconds ago, their competitor will. At least, that's the perception. And the priority.Besides, no matter how much integrity, security software vendors are "just as capable of stupid mistakes as anyone else", he says. And "they don't think outside the box like hackers."
- Assume that you would know if an incident occurred.
This may seem ludicrous, but Glennan admits it can often be hard to tell when someone's stolen something that isn't material."Sometimes it's just a matter of duplicating a set of electrons. Often you can't tell," he says.
In the infamous Microsoft attack of late 2000, the software giant admitted that the culprit - who was eventually caught - had been entering their systems for three months prior to detection. Of course, it's Microsoft which makes it funny, but you get the picture.
- Assume the problem can be "fixed".
One isolated security problem might be fixed today, but another one will appear tomorrow, says Glennan. "Every time we do something, they do something."He advises companies to employ objective outside parties to regularly "test the gates" on their IT systems.
Keith Glennan is the general manager for consulting services at e-Sec.
