BBC NEWS

Saturday, 23 February, 2002, 08:53 GMT
Tipping the balance on net security
[Image: Warning about the Nimda web worm. Credit: Cert]

Net security is going to get a lot worse before it gets better.

So says Peter Tippett, the computer security pioneer who now runs TruSecure, a company dedicated to spotting the next big security problem before the vandals and malicious hackers exploit it.

Although good technologies are emerging to help companies tackle problems such as web worms, denial of service attacks and website defacements, too little attention is paid to working out new threats and educating people in the basic steps they can take to protect themselves.

As a result, said Mr Tippett, many organisations were taking action that did little to help them tackle the real risks and security problems they faced.

Flight plan

Peter Tippett was co-author of Vaccine, one of the first anti-virus programs released in the days when viruses spread via floppy disks rather than race around the world in e-mail.

But although the net had grown up, the allied security industry had not, said Mr Tippett.

He likens the net now to the early days of aviation when there was little co-ordination of knowledge about the safest way to fly a plane, how to repair them or the basic standards of airworthiness to which aircraft should be built.

[Image: David Smith, author of the Melissa virus. Credit: AP]

Now, government-backed organisations co-ordinate air-traffic control to ensure the skies are safe, monitor the maintenance programmes of airlines, certify new aircraft as safe to fly, distribute information about improvements that should be made to aircraft and force airlines to make the changes to their fleets.

The net desperately needs something similar, believes Mr Tippett.

"In internet security there's no-one that can tell you what are the 20-30 things organisations should do that are essential for security," he said. "There's also no mechanism for distributing information about problems and what must be done to solve them."

Instead, said Mr Tippett, the net had a vast array of security experts, software companies and hacker groups pumping out information about security vulnerabilities that often overwhelmed the people inside companies trying to protect their networks.

Under attack

As a result, many companies do a poor job of addressing the real threats.

Most employees are told to change their passwords regularly and to ensure they contain a mixture of numbers and letters.

But, said Mr Tippett, few companies tackled the much bigger security problem caused when one employee used another unattended terminal to damage a company's network or commit a crime.

Now, said Mr Tippett, companies were spending more money than ever on security but the problem was only getting worse.

[Image: Peter Tippett: "Net security is in its infancy". Credit: TruSecure]

For instance, in May 1999, there were only 15 websites defaced every day. By May last year, the figure had leapt to 580. Virus outbreaks can also hit companies hard. TruSecure estimates that 68% of Western companies suffered from the attentions of the Nimda worm.

Many of TruSecure's clients avoided Nimda thanks to the early warning system set up by the company.

Mr Tippett said TruSecure monitors the activity of 800 hacker groups and collects 200 gigabytes of net traffic per day to try to work out what the next big threat was going to be.

It regularly issues guidance to its clients about what they can do to protect themselves from these future attacks. This monitoring system helped it spot that something like Code Red and Nimda would happen months before the virulent, malicious programs actually struck.

Often, said Mr Tippett, a few simple steps could vastly reduce the chance of a particular attack succeeding.

Now, TruSecure is working with many governmental groups to try to spread information about the basic things that companies can do to protect themselves, and to ensure that when significant threats emerge the right people are told about them quickly enough.
