How much security is enough?

Von Stefan Hammond

J Michael Gibbons, CISSP, is VP and GM of Federal Security Solutions for US-based Unisys. He talked to Computerworld Hong Kong?s Stefan Hammond about open-source security and the responsibility of law enforcement agencies in preventing cybercrime.

NOTE: Part 1 of this interview was published in Computerworld Hong Kong?s September issue. Part 2 follows below:

CWHK: Some countries in Asia, like China, are using open-source software (OSS) for sensitive projects. Is Linux security robust enough for these applications?

JMG: The challenge isn?t really whether the security is robust enough, it?s more a question of: whose "bellybutton" do you push when it isn?t? OSS isn?t tied to someone (who) stands behind it. It?s open-source, so caveat emptor--buyer beware. If (the end-user) wants to reach and grab someone by the throat or "push a bellybutton" to get something changed, it?s their burden. So, it may be the most secure stuff in the world, but if (an end-user) finds out it doesn?t meet their needs, that?s just tough luck.

I don?t want to sound like a shill for Microsoft, but at least I know I can reach out to Steve Ballmer and say "get this fixed" and he?ll yell at somebody and down the hall twenty people will scurry off and come back with a patch.

That said, our company likes open-source. We (have deployed) open-source on mainframe computers on large-scale servers and have found it to be very serviceable, very useable and very secure. But in that case, we?re pushing our own bellybutton...we?re standing behind it, we?re doing the integration, we?re on the hook for it.

CWHK: We?ve read of botnets, forcible encryption techniques and other serious cybersecurity problems. What action is being taken by law enforement agencies?

JMG: Well, (US) law enforcement doesn?t want to talk about ongoing investigations because anything they say can be used against them in court. Law enforcement typically has nothing to gain by going public, so it?s in their interest to not go public until someone?s been convicted, and then to announce why, the lessons learned, and all that.

However, there is the concept of the "greater public good." In cases where a technique can be used to exploit someone else and can be used (widely), law enforcement would get the word (about an exploit) out to the tool-manufacturers.

I?ve been in that particular loop, because when I was at the FBI I managed all of the computer investigations, and I was faced with this decision a number of times: "we know, (but) when do we tell?" Our decision was always governed by the greater public good principle, it (was never) a question of "do we keep this secret, or do we tell the press?" The challenge was: how do you get the right word to the right people? So we?d talk to a Microsoft or a Symantec or a Sun about these things when we discovered them and we share vulnerability information in a timely fashion.

It?s their software, so the vendor can do what they want--you can?t control them. You wouldn?t tell them your source of information in many cases.

CWHK: Is organized crime involved?

JMG: Organized crime is behind a lot of the online attacks, and has been for a number of years. However, if you are a public company, and someone is attempting extortion, you are required to report it as a violation of the law. If you?re a public company and you?re being extorted, if you pay off you?re actually doing something illegal. They should engage law enforcement and take action to resolve it, because otherwise they force the problem downstream onto other people.

This happened in the denial-of-service attacks on a few years ago. They were extorted by Russian hackers, they worked with Scotland Yard who arrested the hackers with the help of the Russian police. The company spent US$20 million on technology to scrub packets and screen their traffic and use mirror sites so no one can shut them down anymore. They mitigated the risk by buying more bandwidth than the hackers can come up with.

I think is a good example of someone who worked with law enforcement early on and got a positive result.

But the main question is: "how much security is enough?" What do I spend, and how do approach this decision? In the US, the NIS (National Institute of Standards) releases special publications defining high, medium and low sets of security standards. These are available publicly at search for Special Publication 800-37, which will give you the basics for how to look at your data, how to classify it, how to build a basic security program. All US government agencies must now follow these procedures, and it?s good practice.