Be paranoid

By Leon Engelbrecht, ITWeb senior writer
Johannesburg, 08 May 2008

Business is still cavalier about security - even in the face of organised online and IT crime - and many companies believe they can outsource the responsibility, or fix the problem with technology.

Speaking after a presentation at ITWeb Security Summit 2008, in Midrand, this week, EC-Council president Sanjay Bavisi said his core message was that "you can outsource security, but you cannot outsource responsibility for security".

The International Council of E-Commerce Consultants (EC-Council), a member-based organisation, certifies individuals in various e-commerce and security skills and is the owner of the Certified Ethical Hacker (C|EH) course.

The New York-based security expert says it pays to be paranoid. Bavisi says that just because a company's security software cannot detect a vulnerability or attack does not mean there is none. This is an area where the absence of evidence is not evidence of absence.

"You cannot have complete security, otherwise you'd have no business. But you need to find a balance between the two - and core is the people, the fact that we shy away from training, from vetting, from addressing simple issues like social engineering. Everyone here knows what it is, but no one can dare to say all their employees know what it is, but they all use computers and that is where the big fright is."

He says many companies spend fortunes on physical security and technology, but little time and resources on configuring or managing this properly. Even when they vet staff, they seldom do the same when outsourcing code writing. Bavisi says this can be a critical vulnerability.

"It is very frightening. How do you know your code is secure? Maybe there is a backdoor, maybe there's a Trojan running in your software; there is really no way to know and no way to check a billion lines of code.

"Of course, there is secure coding software available, but the initiative and time to go through millions of lines of code to check for malware is a different thing altogether. So, I would not go so far as to say that just because we have not heard anything there is no problem.

"Just because I did not see a hack, I did not see a blue screen does not mean there is nothing wrong. There could well be a trigger. Don't assume life's perfect. You could be wide open with everyone looking at what you are doing. So, basically, welcome to the world of paranoia! Turn every stone out there."
