Opinion: When security fails, who are you going to fire?

Two recent, unrelated news stories struck me as indicative of a fundamental problem with IT security: We seem to favor treating symptoms over finding the root cause of problems.

The first story was nearly comical for the effort that was expended to pin blame. Back in December, the Conficker worm infected 3,000 computers on the network of the Waikato District Health Board, which encompasses all of the hospitals in a district that accounts for 10% of New Zealand's population. Officials claimed that emergency operations were not affected, but the district hospitals requested that only true emergencies be referred to them. Certainly, it is critical that steps be taken to ensure that nothing like this ever happens again.

I just don't agree that an effective response would include a three-month investigation into the incident. The report came in this month, and, believe it or not, they say they found the source of the infection. According to the report, someone plugged an infected USB drive into a computer in a parking garage tollbooth, bringing multiple hospitals to a near standstill for three days.

Very impressive forensics (although of course I am very skeptical). But isn't the real question how the network could have been infected in the first place? Well, this was in a medical environment, and epidemiologists are very interested in vectors of contamination and in determining the identity of Patient Zero. But let's apply a medical analogy to assess the merits of the response. Say that a hospital system had to shut down because all of its doctors and nurses came down with H1N1 flu. An epidemiologist will want to know the source of the infection, but the glaringly obvious question would be, Why wasn't the entire staff inoculated against the H1N1 virus?

Which is why I ask, Why was the Waikato DHB network vulnerable to Conficker? A Windows computer carrying the MS08-067 patch, which Microsoft released in October 2008, more than a year before this outbreak, could not have been exploited by Conficker over the network, and disabling AutoRun would have closed the removable-drive route that started this particular infection. Just about any up-to-date antivirus product had carried signatures for Conficker for most of that year as well. Patching and current antivirus are two fundamental computing practices, and the network failed on both.

Now that the Waikato DHB has fingered the culprit, what will be its next move? Caution everyone who uses the network not to attach USB sticks to devices on the network? Fire the parking garage attendant as an example for everyone? Either action would be beside the point. To return to the H1N1 analogy for a moment, firing the parking garage attendant would be akin to firing a janitor who had been negligent about washing his hands and was determined to be the source of the flu infection. Wouldn't the truly culpable person be the hospital administrator who failed to ensure that the entire staff had been inoculated?

What the board should do is fire the CIO for failing to make basic computer practices standard on all systems. Then the board should make sure that the new CIO is serious about ensuring that regular patching is implemented and that up-to-date antivirus software is running throughout the system. While they're at it, they might ask the new CIO to put the parking garage computer on a network segment that is isolated from critical hospital systems, so that a tollbooth PC cannot reach the machines clinicians depend on.

While I certainly think that no competent CIO would countenance running systems without up-to-date antivirus software in place, the second news story that caught my eye suggests why we need something better than that. Quite simply, signature-based malware protection is inadequate as the sole line of endpoint defense.

According to that second story, NSS Labs conducted a study and found that only one common antivirus product was able to detect variants of the exploit used in the Google/Aurora incidents. While I don't think this study was perfect, it does point up the limitations of signature-based anti-malware software. Why, despite those limitations, is it the gold standard in the security industry?

Behavior-based malware detection can hardly be considered a new concept. I worked on a research project for the U.S. Navy as far back as 1995 for behavior-based intrusion detection. Some behavior-based anti-malware products have made it to the market. But for some reason, the large endpoint security companies have not incorporated behavior-based technologies into their products. Why not?
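To make the distinction between the two approaches concrete, here is an added illustration that is not from the original column, from NSS Labs, or from any vendor's product. It assumes a constructed binary sample, a trivially repacked variant of it, and a constructed process-event log; the behavioral rules are modelled loosely on generic worm tradecraft (dropping an autorun.inf on a removable drive, stopping security services, blocking update domains via the hosts file) and are illustrative, not any real engine's logic. The point it demonstrates is the one made above: an exact signature matches only bytes already seen, so a one-byte change defeats it, while the variant's behavior on the host is unchanged and remains detectable.

```python
"""Signature vs. behavior-based detection over a constructed sample set and event log.

Added example for illustration only; samples, events and rules are all constructed.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# --- Signature-based detection ------------------------------------------------
# Constructed stand-ins for a "known" sample and a repacked variant; not real malware.
KNOWN_SAMPLE = b"MZ\x90\x00constructed-worm-body-v1"
VARIANT_SAMPLE = KNOWN_SAMPLE + b"\x00"   # one appended byte: new hash, same behavior

# A signature database that knows only the original sample's hash.
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(sample: bytes) -> bool:
    """Exact-hash signature: matches only bytes the vendor has already seen."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB


# --- Behavior-based detection -------------------------------------------------
@dataclass(frozen=True)
class Event:
    pid: int
    kind: str      # "file_write" | "service_stop" | "hosts_modify" | "task_create"
    target: str    # path, service name, or file touched


# Assumed: services a worm tends to stop, and drive letters of removable media
# in the constructed log. Both sets are illustrative choices, not product rules.
SECURITY_SERVICES = {"wuauserv", "BITS", "WinDefend", "wscsvc"}
REMOVABLE_DRIVES = {"E:", "F:"}


def behavior_rule(ev: Event) -> Optional[str]:
    """Map one event to the illustrative rule it trips, or None."""
    drive = ev.target[:2]
    if ev.kind == "file_write" and drive in REMOVABLE_DRIVES \
            and ev.target.lower().endswith("autorun.inf"):
        return "autorun_to_removable"
    if ev.kind == "service_stop" and ev.target in SECURITY_SERVICES:
        return "security_service_stopped"
    if ev.kind == "hosts_modify":
        return "update_domains_blocked"
    if ev.kind == "task_create" and drive in REMOVABLE_DRIVES:
        return "task_runs_from_removable"
    return None


def behavior_detect(events: Iterable[Event], threshold: int = 2) -> Dict[int, Set[str]]:
    """Flag any process that trips at least `threshold` distinct rules.

    Requiring more than one rule keeps a single benign action (a backup tool
    writing to a USB drive, an admin stopping one service) from raising an alert.
    """
    hits: Dict[int, Set[str]] = defaultdict(set)
    for ev in events:
        rule = behavior_rule(ev)
        if rule is not None:
            hits[ev.pid].add(rule)
    return {pid: rules for pid, rules in hits.items() if len(rules) >= threshold}


# Constructed event log: pid 4242 acts like a worm, pid 1001 is a backup utility.
SAMPLE_EVENTS = [
    Event(1001, "file_write", "E:\\backup\\2010-03-01.zip"),
    Event(4242, "file_write", "E:\\autorun.inf"),
    Event(4242, "file_write", "E:\\RECYCLER\\x.dll"),
    Event(4242, "service_stop", "wuauserv"),
    Event(4242, "service_stop", "WinDefend"),
    Event(4242, "hosts_modify", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
    Event(1001, "service_stop", "Spooler"),
]


def compare() -> dict:
    """Run both detectors: the signature misses the variant, the behavior rules do not."""
    return {
        "sig_known": signature_match(KNOWN_SAMPLE),
        "sig_variant": signature_match(VARIANT_SAMPLE),
        "behavior": behavior_detect(SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    print(compare())
```

Running the block shows the signature check returning True for the known sample and False for the variant, while the behavioral detector flags process 4242 on three distinct rules and leaves the backup utility alone. Real engines weigh far more signals and contend with false positives, but the asymmetry is the same: changing bytes is cheap for an attacker, changing what the code has to do on the host is not.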

Part of the reason is that customers of anti-malware products haven't demanded the technology. CISOs and other security executives have to start asking the right questions of anti-malware vendors. If they create the demand, the antivirus vendors are likely to respond.

Would that finally solve all of our security problems? No, of course not. We're fighting too many variables to be able to prevail with a single tool. But behavior-based anti-malware products would be a significant improvement over signature-based tools.

In the end, being a CIO or CISO is about asking the right questions. If you never ask the right questions, then security failings are your fault. If you then begin to ask the wrong questions, you should be fired. Is anyone listening in New Zealand?

Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, irawinkler.com.


Copyright © 2010 IDG Communications, Inc.
