Holistic approach is Rx for security

 


Dr. Peter S. Tippett, chief technology officer of TruSecure Corp. of Herndon, Va., began working with computers before he began studying medicine. For many years, he mixed the two fields until finally devoting himself full time to viruses of the computer rather than biological kind.

Tippett, who worked in computer security for more than 15 years, authored one of the first antivirus programs. Prior to joining TruSecure, he was director of security and enterprise products for the Peter Norton Group of Symantec Corp. He was president and founder of Certus International Corp., a publisher and developer of antivirus security and enterprise management software, before its merger with Symantec in 1992.

He advised the Joint Chiefs of Staff on cyberwarfare during Operation Desert Storm, serves on the Computer Ethics Institute Board of Directors and is chairman of the Alliance for Internet Security. He was the 1998 recipient of the Ernst & Young entrepreneur of the year award.

Tippett earned both his M.D. and Ph.D. from Case Western Reserve University and studied at Rockefeller University. He received a bachelor's degree in biology from Michigan's Kalamazoo College.

GCN senior editor William Jackson interviewed Tippett by telephone.

GCN: How did a medical doctor get into information assurance and security?

TIPPETT: I was involved with computers before medicine. I was the only kid in high school in Dearborn, Mich., who was allowed to touch the computer, which was actually a 55-baud teletype machine connected to a computer somewhere. At Kalamazoo College I was involved in computer projects, even though my college didn't have a computer on the campus. That was in 1971.

Some of the things I did were related to medicine. I wrote a computer model at the University of Cincinnati about how cholesterol is metabolized. At Rockefeller University I built the first synthesized immunoglobulin, a protein that fights disease.

The fellow I worked with ended up winning the Nobel Prize, which was handy for my career. I got a scholarship for an M.D. and Ph.D. at Case Western Reserve University, and I did some computer products on the side. I made a computer that automated synthesis of proteins and peptides, and sold some of those. I had a hard time separating my scholastic self from my business self.

While I was doing my internship and residency, I started the Pacific Foundation for Science and Technology and wound up writing mass mailings. I wrote add-ons that made mass mailings work better with WordStar 2.0 and sold the software to other nonprofits. In the early 1980s, I loaded a self-branded PC with software that I either bundled or built.

Toward the end of my residency, computer viruses came along. I said, this is an easy thing to model using computers. I already had a team of people writing software, so I created a product called Vaccine, which is now regarded as the first commercial antivirus product. That company grew pretty quickly, and I sold it to Symantec Corp., where it became Norton AntiVirus.

I worked at medicine while I was with the Norton group, mostly as an emergency doctor and a flight physician in helicopters.

GCN: How did your medical training help in IT security?

TIPPETT: It was clear at the beginning of the virus problem that the mathematics of growth and replication are the same as for bacteria filling a Petri dish. The shape of the curves and the math that drives them are the same.

Something that plays out with TruSecure is the notion of community health. Companies often are treated as if they had a bunch of individual computers instead of a community of computers.

If you shift the way you approach this, you discover that the people and products you already have are more than adequate to get the job done. You can find ways to save time and energy and still wind up significantly more secure. We figure out how companies can combine relatively simple, cheap things synergistically and wind up with very strong security.

GCN: How does that work?

TIPPETT: Companies pay us a fee and get what amounts to an all-you-can-eat menu to fill in whatever gaps they've got. Our security assurance services are highly automated, recurring or continuous programs. We establish a set of essential practices and provide a policy framework: the architecture, management and measurement of which things are already working and which ones aren't.

GCN: Can managed services replace customer-owned security devices?

TIPPETT: Managed services take the people and products you've already got and make them work more efficiently. Most of the services we offer involve simplifying your policies and practices, and focusing your efforts on fixing the top 100 security problems that happen to everyone else in the world so they almost certainly will happen to you.

We don't think vulnerability testing makes a whole lot of sense. If I can make sure you have the right configurations with the right architectures and the right layers of protection, I don't need to do much vulnerability testing.

Viruses and hacking have changed dramatically in the last few years. There is a lot of hacking built into viruses, and we don't have a perimeter any more. We used to be able to pour all traffic through a single point, the firewall, before it got to the Internet, and feel comfortable that we had pretty good control.

Now we have virtual private networks and home users and partners and collaborators and point-to-point tunneling and encryption. These decrease our ability to do work at the perimeter.

GCN: What are the biggest risks now?

TIPPETT: Virus attacks have gone from a steadily growing stream to periodic events that are bad, such as Code Red. In between, we don't have as much virus activity.

In the hacking area, we went from 400 vulnerabilities per year to 2,400 in the last four years. We've gone from tracking 200 hacker groups to 800. So the activity is up pretty significantly. A year and a half ago, we had about 150 successful Web site attacks a day; now we have about 300. The automation of the attacks has increased.

It's common for hundreds or thousands of people to get the same tools within a matter of days. So there's more automation, more sophistication and more vulnerabilities to exploit.

And more home users are connected, so you don't have to get through the firewall to get at the crown jewels. You can get into a home computer and then through the VPN into the corporate network.

GCN: Is there one threat that stands out?

TIPPETT: Security people tend to focus on the threat du jour, and that is one of the reasons they wind up spending more money each year responding to security events despite having spent more money the year before on security. We're spending more and losing more, and this isn't the way it should be. It's a sign we're doing the wrong things.

The solution is making sure that a wide range of things (physical, network, policy, architecture, configuration) are all at an essential baseline level.

GCN: What risks are coming in the future?

TIPPETT: The events will look a lot like this year and last: sporadic but significant worm events. We expect that the pressure from automated tools to exploit Unix and Microsoft Windows is going to increase, and there will be plenty of high-profile attacks in government.

GCN: How do the risks and threats to the U.S. government differ from the rest of the world?

TIPPETT: On the surface I would say they don't. The essential things have to be present in each system. You might want to drive a Saab rather than a Yugo, but you'd prefer a Yugo over a Saab that didn't have brakes.

What we have in government is a wonderful car that is missing some of the essentials. Government and industry alike need to get the essentials right. It doesn't help to require something that isn't achievable. Ten or 20 things need to be done by everyone.

GCN: How would you assess government's cybersecurity status?

TIPPETT: I would say it is about the same as, or slightly worse than, general corporate America. The security and defense agencies are probably a notch better, and the rest are certainly a notch worse. In some places the walls are a few feet high, and in some places they're three miles high.

It makes more sense to make sure the walls are 10 feet high with barbed wire everywhere, and if you want to raise them, start from there.

What's more

Age: 49

Last movie seen: 'Beauty and the Beast'

Leisure activities: 'Biking and flying my plane'

Worst job: 'Some jobs in the ER can get pretty gross.'

Best job: 'Blazing new trails in security with the best and brightest.'

Dream job: 'Blazing new trails and still getting home to spend time with the family.'

Dr. Peter S. Tippett, the virus doctor


