Forget fortress mentality, the way to keep out hackers is to increase the speed of detection and reaction to system intrusion.
How many computer hackers can fit on the head of a pin?
Can bin Laden really squeeze his body down a fibre-optic cable?
These are the types of questions that perplex the security industry as we come to terms with the internet-speed world. Here is the problem. We do not really know how much hacking is going on, we do not know who is doing the hacking and most people cannot even agree as to what a hack is.
Are firewalls, the electronic bastions meant to protect computer networks from the evils of the internet, any good? Firewalls represent the ancient concept of "fortress mentality": build the walls of protection high enough and the bad guys will go away. Right? Well, in 5,000 years of military history, fortress mentality has not worked. If you throw enough men, horses or tanks against a static defensive wall, sooner or later you will crack it, and the same holds for networks: given enough attempts, the hackers will find a way through the best protection mechanisms that Microsoft has to offer.
The modern company cannot isolate itself behind either physical or virtual walls. The premise of the "network" and the internet is to encourage bi-directional data flow. So how can fortress mentality possibly work?
One last point: how do we measure information security? We can measure a wall's height and thickness and compare them with envy, but what about security itself? Can security be measured? Yes.
On a cold February afternoon in Warsaw, our Polish hosts were delayed for five hours while Bob and I decided to solve the problem on a ream of bar napkins: if fortress mentality cannot work, let us come up with an alternative. The answer to measuring network and computer security is surprisingly simple. The industry has a technology called Intrusion Detection which is designed to detect hacking, insiders intruding and the quantifiable anomalies of individual network behaviour. We can also measure the time it takes to detect the improper actions.
Once we have detected hacking, we need to do something about it. This is called reaction. We may choose to filter out the offending internet address from doing any more damage or we may choose to suck the hacker into a "honey pot" to monitor his activities and then trace his virtual and physical locations. The goal is to protect the network and its information resources. We then measure the time of a successful reaction.
With this information, we begin the maths of network defence with the key concept: time is the metric. The foundation formula says that for a given network to be considered secure, the amount of time offered by protection (P) must be greater than the amount of time it takes both to detect (D) and to react (R) to a network attack: P > D + R. To improve network security, the goal is to increase the speed of the detection and reaction stages, shrinking D and R, which means we rely less on protection, the one term we cannot measure.
We now know that the maximum risk to a network can be measured as exposure time: the amount of unfettered time an intruder might have to cause damage, which is however far detection plus reaction overruns protection (D + R - P, whenever that is positive). By applying the fundamentals of time-based security to network defence, we derive a number of useful techniques and approaches which do not require the typical inefficiencies and administrative overhead of fortress mentality.
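The foundation formula carried through as a short Python script. This is an added example, not part of the column; the protection value of ten minutes, the incident names and the timestamps are constructed assumptions chosen to show one incident that passes the P > D + R test and one that fails it.

```python
"""Time-based security as a measurement: P (protection), D (detection), R (reaction).

Added example, not code from the column. The rule applied is the column's own:
a network is secure only while P > D + R; otherwise the attacker gets
D + R - P seconds of unfettered time (the exposure time).
All incident timestamps below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Incident:
    name: str
    started: datetime    # intrusion begins (e.g. first hostile connection)
    detected: datetime   # intrusion detection raises the alert
    contained: datetime  # reaction complete: address filtered or honeypot engaged

    @property
    def D(self) -> float:
        """Detection time in seconds: intrusion start to alert."""
        return (self.detected - self.started).total_seconds()

    @property
    def R(self) -> float:
        """Reaction time in seconds: alert to containment."""
        return (self.contained - self.detected).total_seconds()


def is_secure(P: float, D: float, R: float) -> bool:
    """The column's foundation formula: secure only when P > D + R."""
    return P > D + R


def exposure_time(P: float, D: float, R: float) -> float:
    """Unfettered attacker time: how far detection plus reaction overruns protection."""
    return max(0.0, D + R - P)


def assess(P: float, incidents: list) -> dict:
    """Score every incident against a protection time P (seconds)."""
    report = {}
    for inc in incidents:
        report[inc.name] = {
            "D": inc.D,
            "R": inc.R,
            "secure": is_secure(P, inc.D, inc.R),
            "exposure": exposure_time(P, inc.D, inc.R),
        }
    return report


def max_exposure(P: float, incidents: list) -> float:
    """The maximum risk to the network: the worst exposure time observed."""
    return max(exposure_time(P, inc.D, inc.R) for inc in incidents)


# Constructed sample incidents (not real data). A fast-moving scan-and-login is
# caught and filtered within seven minutes; a quieter intrusion sits undetected
# for fifteen.
SAMPLE_INCIDENTS = [
    Incident("scan-then-login",
             datetime(2001, 2, 20, 14, 0, 0),
             datetime(2001, 2, 20, 14, 2, 0),
             datetime(2001, 2, 20, 14, 7, 0)),
    Incident("quiet-intrusion",
             datetime(2001, 2, 20, 14, 30, 0),
             datetime(2001, 2, 20, 14, 45, 0),
             datetime(2001, 2, 20, 14, 47, 0)),
]

# Assumed protection time: we credit the firewall and patch level with holding
# an attacker off for ten minutes. This is the hard number to justify.
ASSUMED_P = 600.0

if __name__ == "__main__":
    for name, row in assess(ASSUMED_P, SAMPLE_INCIDENTS).items():
        verdict = "secure" if row["secure"] else f"exposed for {row['exposure']:.0f}s"
        print(f"{name}: D={row['D']:.0f}s R={row['R']:.0f}s -> {verdict}")
    print(f"maximum exposure: {max_exposure(ASSUMED_P, SAMPLE_INCIDENTS):.0f}s")
```

The two timestamps that matter are the alert and the containment, both of which an intrusion detection system and a ticketing or firewall log can record, so D and R come out as hard measurements. P is the term you have to assume, which is exactly the column's argument for shrinking D and R rather than arguing about how high the wall is.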
We are seeking support for continued research into wider applicability models of time-based security, and using it as the basis for predicting network failure, network and communications collapses and criminal behaviour.
Winn Schwartau is the president of Interpact Inc and author of Information Warfare and Cybershock.