The Statement

A new way to approach security

NOTE: Chaim Yudkowsky, CPA, CITP, is an MACPA member and president of Byte of Success Inc., a technology consulting company specializing in helping small and mid-size business grow using technology.

By Chaim Yudkowsky, CPA, CITP

"The worst the bad can do is make us doubt the good."
— Jacinto Benavente, Spanish dramatist

Since that tragic day on Sept. 11, 2001, much has changed about the way we think about security.

The most spectacular manifestation of this can be seen at the checkpoints of our airports. At all costs, we are being protected from even the most remote possibility of a hijacking (or worse) through a variety of strategies that include arming pilots, putting more air marshals in the air and even grounding planes with questionable passengers on the passenger list. Now, even the plans of grading passengers and their possible threat profiles have returned as a likely future in air travel.

The procedures at checkpoints have led to outrage. Frail and sometimes disabled seniors are frisked and handled with suspicion on their way through. Our common sense of decency, respect for our elders and pragmatism about the profile of a would-be terrorist are insulted by witnessing this humiliating process of preparing our seniors for transport. Some would have us believe that, for the sake of propriety, we should institutionalize less attentiveness to seniors. Would this undermine or strengthen our air security?

In IT, we are experiencing confusion and paranoia similar to that of homeland security. Hackers, denial-of-service attacks, viruses and industrial spies are lurking around every virtual corner, eager to pounce, damage our data or glean our confidential information. Thus, a security mindset and methodology that is stable and not subject to regular disruptions of process has become increasingly difficult to design and implement in the digital world.

Systematic vulnerabilities and boardroom paranoia have become strange bedfellows, demanding that IT invest untold dollars and resources responding to phantom threats. Management's insistence on return on investment (ROI) in every IT initiative goes out the window where data security is concerned. Our IT strategies now include plans to react immediately to the latest identified threats. Exacerbating this challenge, the list of vulnerabilities continues to grow: just when an organization has insulated itself from one, another becomes prominent.

There is another, more reasoned way to approach security, according to Peter Tippett, Ph.D., founder and CTO of TruSecure. His approach is one of risk management, not dissimilar to the risk management a company adopts for its other organizational risks. Based on experience and on empirical and statistical evidence, Tippett suggests the following points for defining an IT risk strategy.

  • Ban the use of the word "vulnerability." When we focus on reducing risk, looking for every vulnerability will undermine our efforts, because we associate "vulnerability" with eradicating a risk rather than with the more realistic goal of reducing it. To illustrate, Tippett points out that people wearing a seat belt are still vulnerable, since seat belts do not work 100 percent of the time. Still, the seat belt, as just one layer of risk mitigation, reduces the likelihood of death by 55 to 60 percent.
  • Create and use checklists. Checklists impose the discipline and organization to make sure steps are not missed or forgotten. Often, the worst problems surface because an update was made or new equipment was installed and processes were forgotten. Tippett, a pilot, says checklists alone have made air travel safer tenfold over the last 60 years.
  • Choose the 5 percent that you need to worry about, not 100 percent of the problem. To do this, you need risk intelligence. This helps us to not react to every advisory and warning Microsoft and virus / firewall vendors send us.
  • Address the responses that are cheap. Tippett gives a few examples. Renaming all of the CMD.exe files on Windows computers to something else reduces the likelihood of the dreaded buffer overflow attack by 80 percent. Default-deny most attachments; fewer than 0.5 percent of networks are set up this way. Set the border router to default-deny mode; only 8 percent of companies surveyed by TruSecure are set up this way. In each example, there is no new software or hardware cost for this one-time configuration change, but the cumulative risk reduction is significant.
  • Know why you want good IT security. Granted, the unexpected and unplanned-for is inconvenient for IT and might even interfere with the IT budget. But the real reason this is important is "to run our businesses faster." Why do NASCAR cars have great brakes? Why is new brake technology so important? The drivers want to drive faster. You cannot drive faster if you are afraid that you will not be able to stop on a dime.

What is the goal? It's to minimize the frequency of patching to once per year, especially for organizations with many computers and devices. As part of continuing risk research, TruSecure has defined a model for calculating IT risk that applies to 98 percent of instances. In an upcoming column, we will look at this model.

Jacinto Benavente's words have been updated by Dr. Tippett: "We wind up fixing things that we don't need to fix." Now we can be fast!

Contact this author: Chaim Yudkowsky, yudkowskyc@yahoo.com
