When people evaluate security threats, one of the things that you advise them to think about is whether "the cure is worse than the disease". Care to elaborate?
We've got to think about security in terms of the value of what we are protecting. If you live in a $10m house and you have lots of valuable artwork, then obviously you have to put in a sophisticated security system.
But if you live in a one-bedroom apartment without much furniture, you're probably not going to be too worried about people breaking in. What companies have to do is find a balance between the value of the information they have and the cost of protecting it.
For instance, if I work in a bank, I'll be concerned about having multi-layered security environment, making sure that there are at least two firewalls — probably different kinds — and not allowing people to plug laptops into my corporate network.
If I run a small company that uses email, and I don't keep my customers' credit card numbers online, then I won't have a lot of intellectual property or confidential data to protect. I will probably only need to have antivirus and firewall on my desktop, and that's safe enough. Even if somebody breaks in, it's not going to cause my business to fail, or cause damage to my customers.
More often than not, IT managers need to instil fear, uncertainty and doubt to get their security proposals approved and adopted. How can they otherwise convince their bosses?
Bosses in the past thought that hacking only affected the likes of Yahoo and Amazon. They looked at the attacks and felt that nobody would bother to attack their companies because nobody knew who they were. That was the prevalent attitude seen over the last few years.
What's changed in the last 18 months is that hacking is more about making money. It's all automated, finding vulnerable machines, capturing passwords that can gain access to a company, or simply using those machines as part of a bot-net to launch massive spam and spyware attacks.
The IT administrator has good reason to go to the management with a business case and say, if we don't do anything about security, and something happens, then these are the potential costs. And these [attacks] are not predictable — it could happen once, or five times, a year.
But if we spend this much on security, the chances of running into such problems are much lower. It's not really a return on investment in the traditional sense, but what you are doing is spending a small amount of money for a predictable result, rather than having a large outstanding risk.
In today's environment, with the uncertainties in the economy, I don't think that any sensible business manager will want to expose himself to any big risks.
Software bugs can open doors to corporate networks. Proponents claim that open source software is more secure than proprietary ones, because there are more eyes looking at the source codes. Do you agree?
I agree with that. If the source codes are in public examination, people would spot security loopholes sooner, because there's always someone changing, modifying and probing the code.
The other thing that happens in open source software is that unlike a commercial enterprise, which will often try to hide security flaws for fear of being exposed to the fact that they are not good coders, there's no financial risk. Everybody will say 'we've made a mistake, let's fix it'. And it gets fixed very quickly. From that point of view, I do believe that open source is more secure ultimately than proprietary [software].
