Winning the battle for computer security.

Author: Muckley, David

The numbers are staggering. In 1996, American corporations spent almost $6,000,000,000 on computer network security, only to lose an estimated $10,000,000,000 from attacks on their systems. Moreover, the latter figure undoubtedly is low as many of the surveyed organizations, although reporting losses, elected to keep their magnitude to themselves.

Even more alarming figures from the 1996 Computer Security Institute/FBI Computer Crime and Security Survey show that 42% of the 428 U.S. companies and institutions participating had experienced unauthorized use of their computer systems within the previous year. Contrary to conventional thought, these "attacks" were not mounted by hackers or by disgruntled or dishonest employees. More than half of the reported incidents were projected to come from American corporate and foreign competitors and foreign government intelligence services.

Changes in the way organizations use technology have dramatically increased exposure to misuse, damage, and loss of computer data. The rapid movement to distributed systems and client/server architecture has greatly complicated the task of securing systems. The mandate to connect to the Internet in order to remain competitive, as well as the need to offer broad access for Internet applications, has caused security issues to expand exponentially, much faster than threat awareness and security solutions are growing.

While many organizations simply are ignorant about the seriousness and variety of computer security issues, others seem impotent to resist. They are overwhelmed by the challenges posed by the myriad combinations of threats to, and the vulnerabilities of, their large, complex networks. Their tendency to resist change is reinforced further by the limited number of well-qualified consulting services and the increasingly large number of inexperienced "experts" rushing into the marketplace to fill the security gap. It takes time to educate security engineers and provide enough field experience to make them effective. After all, an attacker is looking for only a single entry point while the security engineer is trying to find and protect them all.

There also is a great deal of uncertainty about the effectiveness of available safeguards. Competing providers of security services and products add to the confusion. Depending on who offers the definition, "security assessment" might measure compliance with a formal security policy, vulnerabilities of a network...
