IT systems security requires vigilance at all levels

The average hacker used to be a cyberspace vandal whose prime motivation was mischief and developing a reputation as an IT wizard. Over the past year, however, hackers have increasingly used their skills to break into inadequately guarded systems to steal money and valuable data. And companies are now exposed on more fronts than ever. Firms that take IT governance seriously are 20 percent more profitable, according to Rob Clyde, chief technology officer of computer security vendor Symantec Corp. The CTO should be in on every top-level decision, he advised, and IT security should be the responsibility of every unit in the organization.
Elevate information technology security to an enterprise-wide, top priority or risk losing your shirt in just 10 minutes. That's the time it takes for the quickest viruses to race through 90 percent of unprotected servers, says Rob Clyde, an authority on detecting computer system intrusion. "New threats spread too fast to respond," says Clyde, chief technical officer of Symantec Corp. "We can't keep up. There's no way to write and distribute a fix in 10 minutes."
Best known for its flagship product, Norton anti-virus software, the Cupertino, Calif., company is a heavyweight among computer-security vendors. Clyde's scary rap is aimed right at a tender target: IT managers at firms ranging from banks to dog-food manufacturers, a market segment that makes up 38 percent of Symantec's revenue. The message seems to be working -- Symantec's profits grew 69 percent, to $198.6 million, for the quarter ending July 1.
As Clyde reminds the in-house IT gurus, computers and the Internet play an increasingly crucial role in everything from public relations to distribution. The consumer ordering online, the marketing director e-mailing her troops, the doctor prescribing a medication electronically: each one's transaction depends on computer operations that are rapid, accurate and hacker-proof.
Unfortunately, as this dependence deepens, the number of malicious computer-system break-ins is growing. "Nearly 50 new vulnerabilities have surfaced every week for the last three years, for a total of almost 2,600 a year," warns Clyde. Spyware and adware attacks grew 25 percent during the last six months of 2004, versus the first six months of the year, he adds. Industry monitors reported 4.7 million new spam e-mails daily during the last six months of 2004, which carry an assortment of Trojan horses or viruses, or engage in phishing -- a common con using fake Web sites and fraudulent e-mail alerts to fool people into providing account numbers, passwords and the like. The results are staggering.
For instance, 2.4 million online consumers lost $929 million in 2004 due to phishing. And the cyber weapons aren't just increasing, they're becoming more efficient, Clyde notes. Example: In 2001, the Code Red virus doubled its infection rate in 37 minutes. Slammer, debuting in 2003, doubled its infection rate in 8.5 seconds.
Other factors are at play, too. Even a company with full-strength firewalls and fierce anti-virus protection may be looted via its electronic links to less hacker-savvy business partners, subcontractors and outsourcers. And in the race to stomp a worm that's targeting customers, software vendors sometimes "patch and pray," issuing a patch that's not yet fully tested. It's risky, but sometimes a better bet than the "wait and hope" approach, in which the vendor takes time to test the patch, all the while hoping customer systems stay safe. "Patches usually take 30 days to develop and test. Hackers can break in, say, in seven days," Clyde notes.
As Hurricane Katrina proved in the Gulf states recently, hackers don't present the only threat to business computer systems -- along with floods, tornados, earthquakes and fire, there are the more mundane programming glitches, user mistakes (like not upgrading anti-virus software) and system maintenance that interrupt service. Software vendors can make only limited inroads against these threats, though.
They're more successful against the malicious intruders, a group that has evolved considerably since 1985, Clyde says. Most computer break-ins "used to be inside jobs by employees, mostly for financial gain, but also for the purpose of showing off," he explains.
"By 1994, the Internet made it possible to attack a massive number of systems," continues Clyde. "Find a tool kit online, launch it and prove that you can do it. These attacks came from outsiders, who considered the whole endeavor a game." Starting last year, though, he's seen a shift.
While outsiders still dominate, they're busting open corporate systems to steal money rather than boost their cyber-world reputation. For around $200, it's possible to hire a hacker to attack a foreign company's network, Clyde says, although it costs more to invade domestic companies. "Our concept of security may have to be expanded" to cope with this ugly reality, he adds.
Governments in more than 40 countries, mostly in recognition of these growing threats, have passed a slew of e-commerce laws such as ISO 17799, FISMA, HIPAA, GLBA, Patriot, Basel II, NERC, Sarbanes-Oxley and EU Data Protection and Privacy, seeking to mitigate IT risk. Complying with the expanding regulations is mandatory, but the smartest business leaders are taking their own companies' security a step further, Clyde notes. Why? The usual reason: money. "Companies with IT governance programs are 20 percent more profitable," he claims. "Going beyond minimum compliance provides measurable competitive advantage … it's no longer a technical issue, but an essential component of an effective overall business strategy." Otherwise, he insists, the computer dependency woven through the fabric of today's marketplace "leaves us operating without a net."
These days the bad guys are shifting their focus to Web applications, because they collect and store financially useful information -- like a credit-card database, Clyde says. Web apps are handy targets, with standard interfaces that make for easier exploitation, he adds.
At the same time, new technologies are fueling the fire. Example: the growth of wireless devices makes it simpler for hackers to intrude without having physical access to a system. As mobile phones and PDAs evolve into ever-more sophisticated tools with more network connectivity, the door to hackers swings open wider. The growth of broadband is another risk-booster, because "more broadband means there are more poorly secured systems that are always turned on," he adds.
Then there is the issue of product fragmentation in the software industry itself. Addressing more than a hundred corporate IT directors at the third annual Security Symposium in Tempe, Ariz., Clyde described a bank that uses 127 security vendors. Vendors can boost customer safety by producing more integrated products, he says.
Another direction worth pursuing is "proactive behavioral blocking," in which whole classes of viruses are generically blocked without needing a specific signature. "Or you can intercept data streams at the gateway and on hosts, only forwarding data that meets accepted Internet standards," Clyde says. A non-cyber example is the metal boxes at airport security checkpoints that your carry-on bag must fit through. Generic exploit blocking is another high-tech weapon to defend your data. Clyde explains it this way: "just as properly shaped keys can open a lock, only properly shaped worms can exploit a vulnerability … characterize the vulnerability, then use the shape as a signature, scan network traffic and block anything that matches it."
As cyber-security becomes key to the bottom line, the role of the chief technology officer is changing. In the most farsighted companies, the IT honcho reports directly to the CEO, attends board meetings and is regularly consulted on all major decisions. But everyone, not just the CTO, has to be involved in guarding IT security, Clyde warns. "Information security goes to the heart of business. It needs to be built into applications and the overall business design. No one person should be responsible for security. It should be in sales, in your legal department, in finance, too."
The Security Symposium was sponsored by Arizona State University's Center for Advancing Business through Information Technology, in collaboration with the Arizona Technology Council and the Government Information Technology Agency.
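An added illustration of the "generic exploit blocking" idea described above, not code from the article or from Symantec: a filter keyed to the shape of a vulnerability is compared with a signature lifted from one captured sample. The toy protocol, the 16-byte buffer, the function names and all sample datagrams are constructed assumptions.

```python
# Added illustration; the protocol, sizes and payloads below are constructed.
# Hypothetical service: 1-byte opcode, then a NUL-terminated name. Opcode 0x04
# copies the name into a fixed 16-byte buffer without checking its length.
OP_LOOKUP = 0x04
NAME_BUF = 16  # bytes, including the terminating NUL

def name_field(datagram: bytes) -> bytes:
    """Return the name bytes up to (not including) the first NUL."""
    body = datagram[1:]
    end = body.find(b"\x00")
    return body if end < 0 else body[:end]

def matches_exploit_signature(datagram: bytes, known_bytes: bytes) -> bool:
    """Classic signature: look for bytes copied from one captured sample."""
    return known_bytes in datagram

def matches_vulnerability_shape(datagram: bytes) -> bool:
    """Generic signature: any input able to overflow the buffer, whatever it carries."""
    if not datagram or datagram[0] != OP_LOOKUP:
        return False
    return len(name_field(datagram)) >= NAME_BUF  # no room left for the NUL

def filter_traffic(datagrams, known_bytes):
    """Return (index, hit_by_exploit_signature, hit_by_shape) per datagram."""
    return [(i, matches_exploit_signature(d, known_bytes),
             matches_vulnerability_shape(d))
            for i, d in enumerate(datagrams)]

# Constructed samples: filler bytes only, no working payloads.
SAMPLE_A = bytes([OP_LOOKUP]) + b"A" * 40 + b"\x00"  # the "captured" worm
SAMPLE_B = bytes([OP_LOOKUP]) + b"Z" * 64            # later variant, no NUL at all
BENIGN = bytes([OP_LOOKUP]) + b"payroll-db\x00"      # ordinary request
OTHER_OP = bytes([0x02]) + b"B" * 40 + b"\x00"       # long, but a different opcode
KNOWN = b"A" * 8                                     # bytes lifted from SAMPLE_A

if __name__ == "__main__":
    for row in filter_traffic([SAMPLE_A, SAMPLE_B, BENIGN, OTHER_OP], KNOWN):
        print(row)
```

The variant evades the sample-derived signature but still has the "shape" the vulnerability requires, so only the shape check blocks both worms while passing the benign and unrelated datagrams.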
