Holistic approach is Rx for security
- By William Jackson
- Jan 22, 2003
Dr. Peter S. Tippett, the virus doctor
Dr. Peter S. Tippett, chief technology officer of TruSecure Corp. of Herndon, Va., began working with computers before he began studying medicine. For many years, he mixed the two fields until finally devoting himself full time to viruses of the computer rather than biological kind.
Tippett, who worked in computer security for more than 15 years, authored one of the first antivirus programs. Prior to joining TruSecure, he was director of security and enterprise products for the Peter Norton Group of Symantec Corp. He was president and founder of Certus International Corp., a publisher and developer of antivirus security and enterprise management software, before its merger with Symantec in 1992.
He advised the Joint Chiefs of Staff on cyberwarfare during Operation Desert Storm, serves on the Computer Ethics Institute Board of Directors and is chairman of the Alliance for Internet Security. He was the 1998 recipient of the Ernst & Young entrepreneur of the year award.
Tippett earned both his M.D. and Ph.D. from Case Western Reserve University and studied at Rockefeller University. He received a bachelor's degree in biology from Michigan's Kalamazoo College. GCN senior editor William Jackson interviewed Tippett by telephone.
GCN: How did a medical doctor get into information assurance and security?
TIPPETT: I was involved with computers before medicine. I was the only kid in high school in Dearborn, Mich., who was allowed to touch the computer, which was actually a 55-baud teletype machine connected to a computer somewhere. At Kalamazoo College I was involved in computer projects, even though my college didn't have a computer on the campus. That was in 1971.
Some of the things I did were related to medicine. I wrote a computer model at the University of Cincinnati about how cholesterol is metabolized. At Rockefeller University I built the first synthesized immunoglobulin, a protein that fights disease.
The fellow I worked with ended up winning the Nobel Prize, which was handy for my career. I got a scholarship for an M.D. and Ph.D. at Case Western Reserve University, and I did some computer products on the side. I made a computer that automated synthesis of proteins and peptides, and sold some of those. I had a hard time separating my scholastic self from my business self.
While I was doing my internship and residency, I started the Pacific Foundation for Science and Technology and wound up writing mass mailings. I wrote add-ons that made mass mailings work better with WordStar 2.0 and sold the software to other nonprofits. In the early 1980s, I loaded a self-branded PC with software that I either bundled or built.
Toward the end of my residency, computer viruses came along. I said, this is an easy thing to model using computers. I already had a team of people writing software, so I created a product called Vaccine, which is now regarded as the first commercial antivirus product. That company grew pretty quickly, and I sold it to Symantec Corp., where it became Norton AntiVirus.
I worked at medicine while I was with the Norton group, mostly as an emergency doctor and a flight physician in helicopters.
GCN: How did your medical training help in IT security?
TIPPETT: It was clear at the beginning of the virus problem that the mathematics of growth and replication are the same as for bacteria filling a Petri dish. The shape of the curves and the math that drives them are the same.
Something that plays out with TruSecure is the notion of community health. Companies often are treated as if they had a bunch of individual computers instead of a community of computers.
If you shift the way you approach this, you discover that the people and products you already have are more than adequate to get the job done. You can find ways to save time and energy and still wind up significantly more secure. We figure out how companies can combine relatively simple, cheap things synergistically and wind up with very strong security.
GCN: How does that work?
TIPPETT: Companies pay us a fee and get what amounts to an all-you-can-eat menu to fill in whatever gaps they've got. Our security assurance services are highly automated, recurring or continuous programs. We establish a set of essential practices and provide a policy framework - the architecture, management and measurement of which things are already working and which ones aren't.
GCN: Can managed services replace customer-owned security devices?
TIPPETT: Managed services take the people and products you've already got and make them work more efficiently. Most of the services we offer involve simplifying your policies and practices, and focusing your efforts on fixing the top 100 security problems that happen to everyone else in the world so they almost certainly will happen to you.
We don't think vulnerability testing makes a whole lot of sense. If I can make sure you have the right configurations with the right architectures and the right layers of protection, I don't need to do much vulnerability testing.
Viruses and hacking have changed dramatically in the last few years. There is a lot of hacking built into viruses, and we don't have a perimeter any more. We used to be able to pour all traffic through a single point - the firewall - before it got to the Internet, and feel comfortable that we had pretty good control.
Now we have virtual private networks and home users and partners and collaborators and point-to-point tunneling and encryption. These decrease our ability to do work at the perimeter.
GCN: What are the biggest risks now?
TIPPETT: Virus attacks have gone from a steadily growing stream to periodic events that are bad, such as Code Red. In between, we don't have as much virus activity.
In the hacking area, we went from 400 vulnerabilities per year to 2,400 in the last four years. We've gone from tracking 200 hacker groups to 800. So the activity is up pretty significantly. A year and a half ago, we had about 150 successful Web site attacks a day; now we have about 300. The automation of the attacks has increased.
It's common for hundreds or thousands of people to get the same tools within a matter of days. So there's more automation, more sophistication and more vulnerabilities to exploit.
And more home users are connected, so you don't have to get through the firewall to get at the crown jewels. You can get into a home computer and then through the VPN into the corporate network.
GCN: Is there one threat that stands out?
TIPPETT: Security people tend to focus on the threat du jour, and that is one of the reasons they wind up spending more money each year responding to security events despite having spent more money the year before on security. We're spending more and losing more, and this isn't the way it should be. It's a sign we're doing the wrong things.
The solution is making sure that a wide range of things - physical, network, policy, architecture, configuration - are all at an essential baseline level.
GCN: What risks are coming in the future?
TIPPETT: The events will look a lot like this year and last: sporadic but significant worm events. We expect that the pressure from automated tools to exploit Unix and Microsoft Windows is going to increase, and there will be plenty of high-profile attacks in government.
GCN: How do the risks and threats to the U.S. government differ from the rest of the world?
TIPPETT: On the surface I would say they don't. The essential things have to be present in each system. You might want to drive a Saab rather than a Yugo, but you'd prefer a Yugo over a Saab that didn't have brakes.
What we have in government is a wonderful car that is missing some of the essentials. Government and industry alike need to get the essentials right. It doesn't help to require something that isn't achievable. Ten or 20 things need to be done by everyone.
GCN: How would you assess government's cybersecurity status?
TIPPETT: I would say it is about the same as, or slightly worse than, general corporate America. The security and defense agencies are probably a notch better, and the rest are certainly a notch worse. In some places the walls are a few feet high, and in some places they're three miles high.
It makes more sense to make sure the walls are 10 feet high with barbed wire everywhere, and if you want to raise them, start from there.