Attempts to build secure computer systems are bound to fail, a former United States Defence Department security expert said on Thursday.
Speaking at the Infosecurity 99 conference in London, Bob Ayers, now a security consultant based in London, said that although the Defence Department's computer systems were built to "Orange Book" security standards, a vulnerability analysis of 18,000 computer systems conducted in the mid-nineties showed that 88 per cent of the systems could still be broken into, with "root" access gained, within four days.
"What's really disturbing is that we only attacked computers on the invitation of the system's owners, and we only used attack tools which were freely downloadable from the Internet," said Ayers. He added that 96 per cent of the successful attacks went undetected, and when detected the intrusions were almost never reported.
Ayers' conclusion is that a computer system can never be made completely secure. "Some sort of attack detection system and a rapid operational response is also critically important," he said. "We decided in the US that security is a dynamic process and not an achievable end state."
As between 80 per cent and 90 per cent of security attacks come from inside an organisation, any intrusion detection system must include detection of unauthorised activity from insiders, Ayers said. System configuration checking needs to be carried out on a continuous basis rather than once a month or less frequently, and some system for the detection, eradication and reporting of malicious code must also be implemented.
Since no system can ever be entirely secure, the amount of time that security measures "buy" before an attack is successful must be more than the time necessary for system administrators to detect and respond to an attack. Ayers said the cost effectiveness of alternative security measures can be evaluated by measuring the time benefit that implementation would bring during a malicious attack.
He said that reducing the response time once an attack has been detected is frequently a far more cost effective way of increasing security than increasing the protection level of a computer system.
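The comparison Ayers describes (a measure is worth the time it buys, and defenders win only when protection time exceeds detection plus response time) can be turned into a small ranking model. The code below is an added example, not material from the article or from Ayers; the baseline posture, the three candidate measures, their costs and their time effects are constructed figures chosen to mirror the article's four-day and once-a-month numbers, and the model assumes the measures' effects are independent and additive, which real controls are not.

```python
"""Rank security measures by the time margin they buy per unit of cost.

Added illustration of the "time-based" argument reported in the article.
All numbers are constructed; none come from Ayers' study.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    """Timings (hours) that describe how a system fares under attack."""
    protection: float  # time an attacker needs to gain root against current defences
    detection: float   # time from the start of the attack until it is noticed
    response: float    # time from detection until the intrusion is contained

    def margin(self) -> float:
        """Defenders win when this is positive: protection > detection + response."""
        return self.protection - (self.detection + self.response)


@dataclass(frozen=True)
class Measure:
    """A candidate control and its (assumed, constructed) effect on the timings."""
    name: str
    cost: float                  # relative cost units, constructed
    protection_gain: float = 0.0  # hours added to the attacker's required effort
    detection_cut: float = 0.0    # hours removed from time-to-detect
    response_cut: float = 0.0     # hours removed from time-to-respond

    def apply(self, p: Posture) -> Posture:
        # Detection and response times cannot drop below zero.
        return Posture(
            p.protection + self.protection_gain,
            max(0.0, p.detection - self.detection_cut),
            max(0.0, p.response - self.response_cut),
        )


def time_benefit(base: Posture, m: Measure) -> float:
    """Hours of margin a single measure buys over the baseline."""
    return m.apply(base).margin() - base.margin()


def rank_by_cost_effectiveness(base: Posture, measures: list[Measure]) -> list[tuple[str, float, float]]:
    """Return (name, hours gained, hours gained per cost unit), best value first."""
    scored = [(m.name, time_benefit(base, m), time_benefit(base, m) / m.cost) for m in measures]
    return sorted(scored, key=lambda row: row[2], reverse=True)


def apply_all(base: Posture, measures: list[Measure]) -> Posture:
    """Posture after adopting every measure (assumes effects are independent)."""
    p = base
    for m in measures:
        p = m.apply(p)
    return p


# Constructed baseline: root in about four days, intrusions noticed only at a
# monthly configuration check, two days to contain once noticed.
BASE = Posture(protection=96.0, detection=720.0, response=48.0)

# Constructed candidate measures (costs and effects are illustrative only).
MEASURES = [
    Measure("additional hardening", cost=100.0, protection_gain=48.0),
    Measure("continuous configuration checking", cost=40.0, detection_cut=700.0),
    Measure("24x7 response team", cost=20.0, response_cut=40.0),
]

if __name__ == "__main__":
    print(f"baseline margin: {BASE.margin():+.0f} h (attacker wins if negative)")
    for name, gained, per_cost in rank_by_cost_effectiveness(BASE, MEASURES):
        print(f"{name:35s} buys {gained:6.0f} h  ({per_cost:5.2f} h per cost unit)")
    print(f"all three adopted: {apply_all(BASE, MEASURES).margin():+.0f} h")
```

With these constructed inputs the baseline margin is negative by weeks, so the attacker wins as in the study; hardening alone buys 48 hours at the highest price, while the two measures that cut detection and response time buy more margin per cost unit, which is the point the article reports Ayers making. Only once all three are in place does the margin turn positive.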