Beyond passwords, patches and the perimeter

Update your antivirus software more often, use longer passwords and make sure you patch as many vulnerabilities as possible.

All good advice, most of us would think.

Not so, or rather not necessarily so, says Peter Tippett, chief technology officer at Cybertrust Inc., the security services company recently formed from the merger of Betrusted, TruSecure and Ubizen.

Tippett visited Australia earlier this month and, speaking at a Cybertrust press conference in Sydney, said that before downloading every patch and rushing to buy every product security vendors put on the market it's prudent to ask "Is this really the best way to increase security?"

Cybertrust makes its money from consulting and services in security and isn't a product vendor, so it's natural that its mantra is "your security spend should include services and monitoring as well as products."

However, it's hard to fault Tippett's logic when he says longer passwords with a capital letter and a number or two in them aren't necessarily more effective than shorter ones.

When Computerworld asked why, he replied that if someone launches a dictionary attack using a password list crack program, the program will still target the same patterns in longer passwords and may not crack as many of them as quickly as shorter passwords, but will still get some.

More effective security against password hackers can be taken by strengthening the repository where passwords are held, he says.

"Also, longer passwords increase helpdesk costs, as a lot of helpdesk work is password resets."

He gives as another example of why the buy-all-the-patches-and-antivirus approach to security is flawed by pointing out that no matter how often you update your antivirus software, some malware will always get through.

"Zero day viruses will get you even if you update daily."

Policies and precautions are as much a part of defeating viruses as software and patches, he says.

"For last [northern] summer's worms, patching was seventh on [TruSecure's] list in terms of effectiveness and number one was getting users to reboot their laptops [before logging in to the organisation's network]."

Making sure the inbound filtering capabilities of routers are activated is another inexpensive way to boost security, he says.

The whole way we look at security is flawed, he says. "It's about the absence of something, it's a negative."

Rather than seeing security in terms of single computers, best practices, proving the negative and focusing on the perimeter, users and organisations need to think in terms of risk, communities of computers and proving the positive.

As for the perimeter, it's history, he says.

Another fault of the present security mindset is that it sees security in terms of the binary nature of computing, "but while computers are binary, the people who attack them are analogue."

That means a more synergistic view of security is needed, he says.

Tippett is a licensed medical doctor in the U.S. and practiced up until a few years ago.

His former company, Certus, sold its Vaccine product to Symantec in 1991. Vaccine became Norton Antivirus.

Tippett then joined Symantec and worked there as director of security and enterprise products for the Norton product group while still doing emergency medicine part-time.

In 1995 he left Symantec and has since served on the U.S. President George W Bush's IT advisory committee as well as working for TruSecure and now CyberTrust.

(Watson travelled to Sydney courtesy of Cybertrust.)

Join the newsletter!

Error: Please check your email address.
Show Comments
[]