Vmyths.com
Truth about computer security hysteria
You'd think a ''senior analyst'' would know this...

Rob Rosenberger, Vmyths co-founder
Thursday, 12 February 2004

JOHN OLTSIK WORKS as a senior analyst at Enterprise Strategy Group. In a recent "Perspectives" column on News.com, he talked about the recent MyDoom virus ... and he offered the same tired excuse for why the Internet nearly died:
The authors of various Internet protocols and software systems didn't design their stuff with security in mind. This wasn't a big deal when the Internet was the exclusive playground of academic and military types, but add a few 100 million users and the lack of systemic security became a real problem. In reaction, security "bolt on" technologies became a necessity. Today enterprise companies have a complex array of firewalls, Intrusion Detection Systems, gateway appliances and antivirus software for protection. Yet they keep getting hit with additional security problems. This model is clearly unsustainable and something has to change.
After delivering the same tired excuse, Oltsik went on to say:
IT must abandon the security box mentality, examine the fundamental security of mission-critical applications and business processes, and come up with a reasonable budget for protection.
Oltsik then regurgitated the same tired idea for fixing security:
Start with the most important and basic security analysis; namely what are the potential threats and what would the business impact be if this system were attacked? This will help prioritize where to start.
Oltsik's tired idea will NOT correctly prioritize where to start so they can solve their security woes. Why? Because Oltsik — like so many others — focuses on security symptoms rather than the underlying problem.
IN FRUSTRATION, I picked up an easy-to-read book from a local library. It's called "Step-By-Step Problem Solving." I quote from the very first paragraph on page 1:
Have you ever been in the position of tackling a problem only to stop and ask yourself or your team members, "Didn't we solve this problem last year? What are we doing working on the same problem again?" If this has happened to you, you know how frustrating it can be, putting time and effort into the same project over and over again.
It then goes on to identify six steps for problem-solving. On page 24, the authors nailed Oltsik's in-the-box thinking:
An easy trap to fall into is the one of assuming you know what is really causing a problem without taking the time and effort to dig deeper. This trap will hold you captive to analyzing symptoms, instead of freeing you to dig for the true root cause(s) of the problem.
Oltsik — like so many others — fails to use a structured approach to computer security problem-solving. He's too busy putting out fires to prevent them in the first place. So I spent three hours writing what Oltsik failed to learn (yet again) from the MyDoom virus/worm. Without further ado:
  1. Define the problem
    1. Develop a problem statement: "our firm suffers 17 major virus attacks per year on average ('major' in that critical services must be shut down until the attack can be contained)"
    2. Identify a "desired state" or goal: "our firm will suffer no more than one major virus attack per year"

  2. Analyze potential causes
    1. Identify potential cause(s)
      1. Our antivirus solution does not detect new viruses until it gets a security patch
      2. Our antivirus solution requires hundreds of security patches every year
        1. Firms spend hours creating each new security patch for their antivirus products
        2. It can take a day just to download a security patch from an antivirus firm
        3. It can take up to two days to install the antivirus patch on every computer
      3. Email servers do not employ an antivirus solution
      4. File servers do not regularly employ an antivirus solution
      5. Gateway SMTP (port 25) is not scanned for viruses
      6. Employees blindly open any attachment sent to them via email
      7. Employees sometimes turn off our antivirus solution on desktops & laptops
      8. Employees sometimes don't care to install every antivirus security patch
      9. Employees hook unprotected/infected personal equipment to our corporate network
      10. Contractors hook unprotected/infected business laptops to our corporate network
    2. Determine the most likely cause(s)
      1. Antivirus solution does not detect new viruses until it gets a security patch
        1. Antivirus firms need valuable time to produce each patch
        2. We can't start patching our antivirus solution until the patch is available
      2. System administrators don't trust an antivirus solution on the email servers
      3. System administrators disable antivirus software on file servers when installing a security patch and then they forget (or choose not) to re-enable it
      4. Gateway SMTP (port 25) is not scanned for viruses
      5. Employees sometimes disable the antivirus solution on their desktops & laptops
      6. Employees sometimes don't care to install every antivirus security patch
      7. Employees do not regularly install antivirus patches to stop new viruses
    3. Identify the true root cause(s)
      1. Our antivirus solution does not detect new viruses until it gets a security patch
        1. Because "scanning" technology, by design, fails to detect new viruses
        2. Because it takes hours for antivirus firms to develop each security patch for their products
        3. Because it can take two days for us to patch every computer's antivirus solution
        Honestly: did your computer security expert use a structured approach to solve your virus problem?
      2. Gateway SMTP (port 25) is not scanned for viruses
        1. Because we allow unrestricted in/out traffic on port 25
        2. Because we use an email application that does not rely on port 25
      3. Employees do not regularly install antivirus patches to stop new viruses
        1. Because they believe computer security is up to the computer security team
        2. Because non-stop antivirus updates take time out of their busy schedule
        3. Because they think it may require a reboot, which also takes time
        4. Because we have no standard procedure for installing the patches
        5. Because we keep ordering them to do it "immediately"
        6. Because they won't get punished if they refuse to do it
        7. Because they won't get punished even if their computer gets infected
        8. Because the computer security team will do it for them, sooner or later
        9. Because the computer security team doesn't have enforcement powers

  3. Identify possible solutions
    1. Generate a list of possible solutions
      1. Choose an antivirus solution that doesn't need so many security patches
        (antivirus firms don't get infected by new viruses, so what solution do they use that we don't use?)
      2. Install an antivirus solution on the email servers
      3. Pay an outside firm to scan incoming/outgoing email on port 25
        (lock down port 25 so only the email servers can use it)
      4. Give the computer security team enough power to enforce its security policies
      5. Punish employees who refuse to obey the computer security team
        1. Post their names on a "shame on you!" list in the break room
        2. But do NOT punish senior managers and/or officers of the firm (give them bonuses instead)
        Does your firm applaud computer security experts who repeatedly fail to solve your virus problem? If so, then you've got a larger problem...
      6. Punish employees if their computers get infected
        1. Dock one hour of pay
        2. "Three strikes and you're out" policy
        3. But do NOT punish senior managers and/or officers of the firm (give them bonuses instead)
      7. Punish the computer security team for every major virus attack
        1. Post their names on a "shame on you!" list in the break room
        2. But do NOT punish the Asst VP who manages the computer security team (give him/her a bonus instead)
      8. Establish a standard procedure for installing antivirus patches
        1. Establish a standard time of the day for installing antivirus patches
        2. Conduct the procedure in the last hour of the workday and give each employee the rest of the hour off when they complete the patch installation
      9. Outsource the computer security team and hold them responsible for our virus problems
      10. Increase the size of the computer security team so it can do what the employees expect them to do
      11. Teach employees not to blindly open email attachments
      12. Ban all types of email attachments that might carry viruses
        1. Or just ban all types of attachments, period

    2. Determine the best solutions
      1. From here on out, it's all academic...
  4. Select the best solution
  5. Develop an action plan
  6. Implement solution and evaluate progress
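The root cause in step 2.3.1 ("scanning technology, by design, fails to detect new viruses") is easy to state and easy to forget. The following is an added example, written for this page and not part of the original column or of any antivirus product: a toy signature scanner with a constructed signature database, run against three constructed byte strings standing in for email attachments. The names (`SignatureScanner`, `Worm.A`, the `DROPPER=` marker) and the 6/24/48-hour delays are hypothetical, chosen to mirror the vendor, download and rollout delays listed under step 2.3.1.

```python
"""Added example: why a signature scanner cannot see a virus it has no patch for.

Everything here is constructed for illustration. The "worm" bodies are harmless
byte strings; the signatures are substrings of those bodies; the delays are
the three steps the column lists (vendor, download, rollout), as made-up hours.
"""
from typing import Dict, Optional


class SignatureScanner:
    """Toy scanner: a file is reported infected only if it contains a byte
    pattern that is already in the signature database. Nothing else is
    examined, which is the design limit the column points at."""

    def __init__(self) -> None:
        self.signatures: Dict[str, bytes] = {}

    def add_signature(self, name: str, pattern: bytes) -> None:
        # Adding a signature is the "security patch" the column talks about.
        self.signatures[name] = pattern

    def scan(self, payload: bytes) -> Optional[str]:
        for name, pattern in self.signatures.items():
            if pattern in payload:
                return name
        return None  # unknown to the database means "clean"


# Constructed samples standing in for attachment bodies (hypothetical content).
WORM_A = (
    b"MAIL FROM:<spoofed@example.invalid>\r\n"
    + b"\x90" * 8
    + b"DROPPER=0xD00D"
)
# A "new virus": the same worm with one byte changed inside the signatured region.
WORM_A_VARIANT = WORM_A.replace(b"0xD00D", b"0xD00E")
CLEAN_REPORT = b"Q4 figures attached. See sheet 2 for the regional breakdown."


def build_initial_db() -> SignatureScanner:
    """Signature database as shipped before the variant exists."""
    scanner = SignatureScanner()
    scanner.add_signature("Worm.A", b"\x90" * 8 + b"DROPPER=0xD00D")
    return scanner


def scan_inbox(scanner: SignatureScanner,
               attachments: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Scan every attachment; value is the matched signature name or None."""
    return {name: scanner.scan(body) for name, body in attachments.items()}


def exposure_hours(vendor_hours: float, download_hours: float,
                   rollout_hours: float) -> float:
    """Hours during which the variant spreads unhindered at the last-patched
    desktop: the three delays under step 2.3.1, added up."""
    return vendor_hours + download_hours + rollout_hours


def demo() -> Dict[str, object]:
    scanner = build_initial_db()
    inbox = {
        "known_worm.exe": WORM_A,
        "new_variant.exe": WORM_A_VARIANT,
        "report.xls": CLEAN_REPORT,
    }
    before = scan_inbox(scanner, inbox)          # variant reported clean
    scanner.add_signature("Worm.A.variant", b"DROPPER=0xD00E")  # patch arrives
    after = scan_inbox(scanner, inbox)           # now it is caught
    return {
        "before_patch": before,
        "after_patch": after,
        "exposure_hours": exposure_hours(6, 24, 48),  # hypothetical delays
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The one-byte change is deliberate: the point is not that attackers are clever but that a pattern matcher answers only "is this pattern present?", so anything outside the database is reported clean no matter how closely it resembles a known sample. The `exposure_hours` figure is the cost of that limit, not the fix for it.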
Longtime Vmyths readers know I don't espouse everything in this list. For example, I see no reason to teach employees about evil email attachments. (If your antivirus software could identify them, then you wouldn't need to teach anyone how to identify them.) I also don't think we should ban certain email attachment types. (Again, if your antivirus software could identify the evil ones...) I included some annoying things in the list just so your "symptom solvers" can't brainstorm them. It's up to you to figure out what solves a symptom vs. what solves a problem.
OLTSIK'S FIRM — LIKE so many other firms out there — will continue to suffer from virus attacks so long as they focus on the symptoms rather than the underlying problem. It's literally that simple. Mind you, Oltsik is a "senior analyst" at Enterprise Strategy Group. His job title implies he should know this! (The same goes for Gartner Group's analysts, but let's not digress.) Print out a copy of this column and show it to your computer security expert. If he/she says "this is the wrong approach," then you need to ask an obvious question. "What is it about a structured problem-solving approach that you feel is wrong?"