"The typical computer network isn't like a house with windows, doors and locks. It's more like a gauze tent encircled by a band of drunk teenagers with lit matches"
- Robert David Steele, former CIA analyst and CEO of Open Source System
It must have taken vast amounts of self-discipline to avoid radiating smugness: When American Water was infected by the Sasser worm last year its exposure was limited to just 19 hosts out of a potential 10,000, thanks to early detection and active intervention. During the same period, a sister company suffered 4000 infected machines - virtually its entire infrastructure.
"The remediation alone, much less the business interruption quantification, was in excess of a half a million [US] dollars value to us," says American Water director, security, Bruce Larson.
In a world where the spectre of the so-called "zero day attack" (in which a security vulnerability is exploited "in the wild" before there is time to report it to the rest of the security community) looms ever larger, and when network linkages between entities are springing up like bacteria in a Petri dish, American Water sees network intrusion detection as one of its most valuable investments. "We have a full suite of defence in-depth architecture and now information security. Network intrusion detection forms the core of that," Larson says. So does around-the-clock coverage - the only approach that gives American Water the flexibility to respond to a zero day attack.
Larson says as the time line - from vulnerability to disclosure, to widespread malicious software distribution - decreases, the importance of being flexible with your apparatus continues to grow. And that's why he believes network intrusion detection is one of the "most valuable investments that we have in the estate".
New network linkages are proliferating as companies outsource operational aspects of their businesses - from design and manufacture to logistics and customer service - to partners along their value chains.
US IT research firm Aberdeen Group points out that every one of those partnership, outsourced business arrangements and reverse business functions places yet more strain on an enterprise's ability to verify and preserve the sanctity of the underlying networks and computing infrastructures employed to advance missions and business functions.
"The ability to maintain auditable control and security for these networks and systems is becoming more difficult and more important as external auditors expand the purview of their testing and are increasingly using automated test tools to root out problems," Aberdeen reports. "It's no small wonder that Aberdeen's research shows that best practices for security in an environment involving less direct control means firms are having to dramatically improve procedures to verify the sanctity of the interconnected networks, systems, applications and underlying data throughout their value chains to operate their missions and business functions."
As enterprises continue to automate processes and extend beyond traditional boundaries, they need to ensure that a strong security awareness program is in place. It is a challenge companies have known about for the past 25 years, which has been important for more than five years, and critical during the past three, notes Greg Wood, the man who was in charge of securing Microsoft's electronic environments for more than three years, and now CTO for biometric security software company BioPassword.
"The challenge is, how do you correct 25 years of history in a short period of time, and that's the challenge that people have today. So you have networks that are built based on little security measures that have been built over 25 years and all of a sudden you have eight months or nine months or a year to fix them. And that's why they pick the most important holes and fix them first to recognize that it will take many years and huge investment to catch up," Wood says.
"Security vulnerabilities are like the Florida fire ant - you can't kill them, all you can do is maintain your garden better than your neighbour so they choose to infest his yard instead of yours," says Dr James Whittaker, chief security strategist and founder with Security Innovation. "Companies without clear and effective security strategies will draw the hackers to themselves and away from the companies doing a better job."
Yet according to The Global State of Information Security 2005, a worldwide study by CIO magazine and PricewaterhouseCoopers (PwC), most organizations are just holding their ground, although the third annual edition of the survey reports incremental improvement in the tactical battle to react to and fight off security incidents.
CSO magazine (Australia) says the data shows a notable lack of focus on actions and strategies that could prevent these incidents in the first place, a "remarkable ambivalence" among respondents about compliance with government regulations, a clear lack of risk management discipline, and a continuing inability to create actionable security intelligence out of mountains of security data.
Just 37 percent of respondents reported that they had an information security strategy - and only 24 percent of the rest say that creating one is in the plans for next year. With increasingly serious, complex, targeted and damaging threats continuously emerging, that is not a good thing.
"When you spend all that time fighting fires, you don't even have time to come up with the new ways to build things so they don't burn down," says Mark Lobel, a security-focused partner with PwC. "Right now, there's hardly a fire code." Lobel compares the global state of information security to Chicago right before the great fire. "Some folks were well-protected and others weren't," he says, but when the ones that were not protected began to burn, the ones that were protected caught fire too.