CyberCrime 2001 Kicks Off with General Security Addresses
Page 1 of 3
MASHANTUCKET, Conn. -- When the national CyberCrime 2001 symposium commenced Sunday afternoon with Microsoft Corp.'s Corporate Security Officer Howard A. Schmidt anchoring the keynote slot, it quickly became apparent that IT's consensus belief is that people with Internet businesses are ready for the basics of security -- and that's it.
Unlike say, a highly technical conference engaging audiences with the complex machinations of XML, Sunday's lead-off speakers seemed to have been given the missive of keeping the task of combating cybercrime simple.
And they did. From Schmidt to a Massachusetts police sergeant discussing online investigation tactics, to an impromptu enterprise security overview, the overall theme was that many people are not aware just how vulnerable their systems are to attacks by knowledgeable perpetrators. But that's what makes the conference, hosted by Connecticut-based Internet Crimes Inc., so useful: people seem to listen when they are told that their security system is dated and therefore susceptible to serious attacks. Call it a case of ignorance breeding concern, which begets paranoia. The result is that if you build a secure system, the people will come.
Schmidt: The Basics of Critical Infrastructure
Who better to ignite a conference than the person who has to contend with potential hacks on the largest software company in the world's 6,000 servers and 100,000 PCs in more than 400 different locations around the globe, which is the makeup of what Schmidt smartly calls Microsoft's "digital central nervous system?"
While Schmidt ran through his slide presentation like he was late for a flight, he kept it interesting with a number of cracks and interesting observations. A former police officer, Schmidt told a story about when he was working in that capacity in Arizona. He said that a new subdivision had just been put in his area of coverage, and immediately the burglary rate shot up.
"We couldn't figure it out," Schmidt said. "But after some investigation, we found two things: 1) The door locks were vulnerable; all a perpetrator had to do was pop them off with a twist -- it took two seconds and 2) The slider windows; a perp just had to put a little pressure on the window and it slid right out of its tracks."
Schmidt's point was that once a few criminals figured this out, it was all over the criminal contingent in that area of Arizona.
And how did this relate to computer security? Schmidt maintained the analogy is clear: You can have what seems to be a rich, robust application, but the minute someone finds weaknesses, they will be shamelessly exploited all over the hacker world. Schmidt's point is that technological security is constantly evolving and if companies do not evolve with it, they are asking for trouble.
While Schmidt delved into mostly general points about security (such as the idea that since the mid-'80s, computer engineers have realized that security "is not going to come from a guy with a 43-inch chest, but from a guy with technical know-how"), he also managed to plug his illustrious and infamous company, referencing Microsoft's Information Assurance Program and its 10-step checklist of security. But he abbreviated said credo by listing six basic points.
Schmidt said to consider these factors before you build or license something important to your business: engineer it securely, administer security, test its defenses, eliminate weaknesses, investigate threats, and finally, but perhaps most importantly -- educate the world.
Schmidt ended his discussion there, but he did so by driving home the important point that companies should report hack attacks, worms, and viruses, because if they don't they are just paving the way for more perps to challenge a network's defenses.
Police Sgt. John J. McLean: How a Police Department Takes A Bite Out of Cybercrime