Bill Boni and Ira Winkler on Insider Threats and the Death by 1,000 Cuts
Security veterans Boni and Winkler talk about protecting intellectual property from insiders and snoops.
By Derek Slater
Let's talk more about standards and regulations. We recently surveyed readers about whether, since budget justification is so difficult, there should be more regulation. We got a very mixed response.
Winkler: You have to realize that a regulation, if nothing else, is going to [apply] a uniform standard across a large number of computers. It's never going to be perfect, but it can be reasonable. If you want good [proposed] regulations, here are three.
First is to configure systems according to an acceptable guideline from, say, the Center for Internet Security, from the National Security Agency or from the vendors—freely available [specifications] that have gone through industry peer review.
Second, manage [systems] correctly with a patch-management program. Fixing bugs within, generally, three months allows you to be relatively secure. If you graph the CERT Coordination Center data, most exploits begin to rise after about three months. The activity hits a peak and then comes back down around six months. So that means if you fix a vulnerability within one to three months, the likelihood of your being exploited is acceptable.
Third, network administrators should be reasonably well trained. When computers were first coming out, I [heard about] a company that took its secretary and said, "OK, you know Microsoft Word and Excel, so we're making you our Unix administrator." True story. That's the type of environment we were in. But today, just as you need well-trained mechanics to fix an airplane, you need well-trained administrators to maintain your systems. Some companies are going to say, "I can't afford to send my people to a class to learn how to do this well." But, to me, if you can't afford to do the basics right, you're not offering a secure service to your customers, and maybe you shouldn't be in business.
In raising the notion of "reasonable regulations," you talk about basing regulatory decisions on historical data such as the CERT diagrams. Another analogy that might be useful is the process of legally mandated auto inspections. You have to maintain a car to certain benchmark specs, and you ought to maintain your computer systems similarly.
Winkler: By installing your computers well, you can keep them up and running. Turning off unnecessary processes makes the systems more efficient. This is where security is increasing performance. People lose track of the fact that patches don't all have to do with security [vulnerabilities]. They sometimes have to do with functionality. Doing a security program makes your systems more functional, more stable.