- The Washington Times - Monday, December 3, 2001

Inside a classroom at George Washington University's Virginia campus, professor Lance Hoffman stands before a group of curious souls, ignoring the clickity-clack of the two innocent-looking grad students typing on laptop computers to his left.
He expounds on the topic at hand: the security of the Internet. He has Power Point slides, splashy Web pages on display, with facts, figures and anecdotes. He throws out the classic buzz words: "Virus," "Worm," "Hacker."
But behind him on a screen, his fancy presentation is getting defaced. In big bold letters, the word "Hacked" spreads over one of his Web pages. The culprits? Those two "innocent" grad students to his left.
Indeed, while Mr. Hoffman spoke, those two hacked in quietly.
Fortunately, this was a staged event. But it proved a point that Mr. Hoffman was careful to make. Hacking into a Web site, defacing a presentation or wreaking other havoc on the Internet isn't hard. All you need is the basic equipment, knowledge and desire to do damage.
Mr. Hoffman has been teaching courses in computer security for 25 years, and is about to head up George Washington's graduate certificate program in Internet security. He contends, along with just about every Internet security professional, analyst and technician, that the world's computer networks are becoming increasingly vulnerable to these types of attacks every day.
"All networks, whether business or government, are vulnerable," says Matt Kovar, director of security solutions and consulting with the Yankee Group, a Boston technology analysis firm. "All networks are probed on a daily basis and some are probed on an hourly basis."
Security companies and other groups like the Computer Emergency Response Team (CERT) at Carnegie Mellon University have reported exponential increases in reported incidents in each of the last 10 years. This year, reported incidents have already far surpassed the number recorded last year. And the terrorist attacks of September 11 have caused many people to look at the issue of Internet security in a new light.

The effects of terrorism
The big question is whether those attacks have made the nation's computer systems more vulnerable to these type of cyber-attacks.
"With the unthinkable rapidly becoming yesterday's news, we know that cyber-crime may be quickly becoming the forerunner of cyber-terrorism," says Harris Miller, President of the Information Technology Association of America (ITAA), at an October conference dubbed "Strengthening Homeland Cyber Defense."
"Terrorists may soon be using our critical information infrastructure against us," Mr. Miller went on, "blocking computer networks, disrupting real-time operations, damaging businesses and consumers."
Mr. Miller's statements followed executive orders by President Bush that established a "Critical Infrastructure Protection Board," to aid coordination of information-security measures among government agencies, and the creation of an information security czar position. And they foreshadowed a hearing on Nov. 9, in which a House subcommittee gave the federal government an "F" grade for its efforts in protecting vital computer data.
"No responsible parent would stand for this type of performance," ITAA's Mr. Miller says in response to the failing grade, which followed a grade of "D-minus" issued last year.
But security analysts and professionals in the industry are less confident about drawing a direct link to the September 11 attacks and any further threat on computer networks.
"I really downplay that entirely," Mr. Kovar says. "The threats to the digital world have not changed to my knowledge."
In fact, since September 11 there have been just a handful of cyber-security breaches, only one of which made headlines. Bad Trans.B, a worm that appeared on Nov. 23, has been a small nuisance compared to other threats of the past year.
But Mr. Kovar and analysts like him stop short of saying the attention given to Internet security is undeserved.
"Have people gone into overkill mode? My guess is probably not," Mr. Kovar says.
But actual measures to improve the situation at the government level have been slow in coming. Last Tuesday, the House postponed discussion of a bill that would appoint the National Institute for Standards and Technology as the lead agency in all matters relating to computer security. The bill is similar to one originally proposed in 1999 that never got off the ground in the Senate.

More money, more brains
At the corporate level, security professionals say more needs to be done to protect computer assets. Frank Prince, a senior analyst with Forrester Research says that on average, companies spend about $250 for security measures out of every $1 million they spend on information technology. It's a figure that he says is "arguably not a big pile of money."
"By and large, corporations do need to spend more," says Tim Belcher, chief technology officer for Riptech, an Alexandria-based security firm. "The vast majority of corporations are what I would consider vulnerable."
But others in the Internet security field say money won't help, because many security breaches are the result of human carelessness and lax policies, not a lack of technology. They point to the SirCam virus, which affected thousands of computers simply by acting as a file attached to an e-mail. Security professionals say SirCam could have been squashed easily if all companies had policies prohibiting employees from accepting certain types of e-mail attachments. But only 12 percent of companies have implemented or enforce such policies, says Peter Tippett, vice chairman and chief technology officer at TruSecure, a Herndon Internet security firm.
Mr. Tippett says he has seen careless and faulty thinking on the part of many companies TruSecure works for. He's seen everything from vital computer equipment being left unwatched on loading docks to companies spending money on security issues that don't address the real risks.
"[Security expenditures] are often directed at things that are perceived as problems, but aren't," Mr. Tippett says.
And many security professionals and analysts agree that extra money spent on security often does nothing more than make people feel better.
Mr. Hoffman, the George Washington University professor, sums up the issue simply: "Don't throw money at the problem, throw brains at the problem."

Microsoft to blame?
Microsoft, the world's largest software manufacturer and maker of the operating systems installed in more than three-fourths of the world's computers, has dealt with its share of bad publicity relating to security threats. Many worms and viruses, including Code Red and Nimda, exploit vulnerabilities found in Microsoft software, and the company has been forced to respond by offering nearly 60 free software patches to fix the many vulnerabilities that have been found and exploited. So far, millions of patches have been downloaded off the company's Web site.
But while it's easy to blame Microsoft for security breaches, observers say it just happens to be the biggest culprit because of the widespread use of its software. There's nothing about Microsoft's products that make them any less secure than those made by other companies, security professionals and analysts say.
"Any large body of code has security problems associated with it. It can't be any other way," Mr. Prince says.

LOAD COMMENTS ()

 

Click to Read More

Click to Hide