My
name is Chris Klaus and I am the Founder of Internet Security Systems, known as
ISS. ISS is the pioneer and leading provider of information
protection solutions. We are
headquartered in Atlanta with additional offices throughout the U.S. and
international operations in Sweden, Italy, Belgium, England, France, Germany,
Japan and Latin America. ISS is a
trusted advisor to most large U.S. commercial banks and several government
entities. Founded in 1994, ISS has
experienced phenomenal growth as we have addressed the critical need for
companies and governments to protect their information systems.
Every
day, Internet Security Systems stops criminal hackers and cyber-thieves by
researching computer vulnerabilities and threats and offering a unique,
proactive line of defense for an ever-changing spectrum of threats.
More and more individuals are using the Internet for business-to-business
warfare and corporate espionage, international cyber-terrorism, or to generally
cause havoc and mayhem in our technology infrastructure.
ISS dynamically protects online assets through development of the most
current protection products available and cost-efficient Managed Security
Services. We
also monitor networks and systems around the clock (24 x 7 x 365) from the US,
Japan, South America, and Europe in our six Security Operations Centers and our
Global Threat Operations Center in Atlanta.
We search for attacks and misuse, identify and prioritize security risks,
and generate reports and analysis explaining the security risks and what can be
done to fix them. At the heart of
our solution is our team of world-class security experts focused on uncovering
and protecting against the latest threats.
This team of global specialists, dubbed the X-Force, understands exactly
how to transform the complex technical challenges into an effective, practical,
and affordable strategy. Because of
all of these capabilities, companies and governments turn to us as their trusted
computer security advisor.
The
tragic events of September 11 have heightened awareness of the need for cyber
security. Protection is no longer a
backroom discussion, and security is no longer something businesses are willing
to consider after the fact.
The
threat of terrorist attacks against U.S. citizens and U.S. interests around the
world has become the nation’s most pressing national security issue.
Even more likely are cyber attacks aimed at further disrupting U.S.
interests and business, or sympathizers with general anti-U.S. and anti-allied
sentiments. During the past five
years, the world has witnessed a clear escalation in the number of politically
motivated cyber attacks often resulting in embroiling hackers from around the
world in regional disputes, this to the detriment of the corporations and
government networks, specifically targeted or innocently attacked.
Over
the course of the last three months, hackers have launched sophisticated
attacks, including Code Red II, Code Blue, and Nimda and the Nimda.E attacks.
A 2001 industry survey conducted by “Information Security,” released
on October 16, indicated that out of 2,100 respondents, an overwhelming 89%
experienced virus, worm, or trojan breaches in the last three months.
This is up from 80% a year ago, even though 87% of respondents had
deployed anti-virus software. This
indicates the importance of constantly managing the growing and changing threats
on the Internet and the growing complexity of corporate and government networks.
Moreover, the percentage of those reporting Web server attacks increased
over the past year from 24% to 28%. These
attacks cost the industry billions in lost productivity and system downtime.
The
writing is not only on the wall, it is on the front page of every newspaper in
the democratic world, as well as on the minds of corporate officers and
directors around the world. The
network is the gateway to our assets, and it is the lifeblood of corporations
and governments. Quite simply, it
must be protected.
The
tragic events of September 11 have highlighted the need for increased cyber
security. More attention is being
paid to detection needed to ward off cyber terrorism. We are seeing this at a policy level here in Washington and
in other governments that we serve around the world. The same trend is occurring in state and local governments.
We are also seeing it on a demand level in terms of the number of
inquiries that are coming into our business.
As a result, we are engaging in much broader and more strategic risk
management discussions, which include the network and the overall protection
strategy for the network.
Information
is currency in today’s global economy. Any organization with critical
information assets stored on a network is at risk. The lone hacker may grab headlines, but industrial espionage,
employee sabotage and simple disabling attacks actually constitute the vast
majority of attacks against information resources.
These
incidents rarely make the evening news, but they add up to additional billions
in business losses each year. We pay for these incidents through higher prices
for goods and services, lower stock price valuations, increased insurance
premiums for online business operations and consumer reluctance to adopt
efficient, innovative online business opportunities.
These
attacks against information resources are a significant threat to our economic
base and our national security. The unfortunate truth is that relatively few
organizations are prepared to understand, let alone confront, the threats to
information critical for normal business operations. Security specialists are in
short supply, and command premium salaries. The cost of this expertise is out of
the reach of many organizations. Meanwhile, the dollar losses continue to mount.
It’s
no mystery how this situation has come to pass. The Internet is designed for
rapid, simple communications. That’s what allowed it to grow from an academic
research network into the World Wide Web, and allowed everyone from individual
users to multinational corporations to invent new ways to reach out to each
other.
Since
security is not part of the Internet’s fundamental design, it must be added
after an application is written, a system is deployed and/or staff has been
trained. In spite of increasing legal, financial and regulatory incentives to
invest in security solutions, very few businesses focus on security as part of
their core competence. Security measures, therefore, do not receive the
attention that other, more profitable business operations demand. Tight budgets
and overworked IT staff create an almost irresistible temptation to skimp on
security until a crisis occurs.
No
one builds a house, then fits the doors for locks after a family moves in. No
one adds tail lights and a horn to a car two weeks after it leaves the
dealer’s lot. And yet, that is exactly how we graft security onto our computer
code. We need a more cost-effective means to protect the availability, integrity
and confidentiality of electronic information. We need to make security part of
the basic design of our information technology infrastructures.
In
responding to our customers' priority of protecting their information
infrastructure, ISS has developed a common system to manage threats and
vulnerabilities across the entire threat spectrum.
A
resounding request from our customers is to deliver systems that incorporate the
ability to monitor and protect a broad spectrum of threats across their
desktops, networks, and servers. This
simplification in the market is being driven by the customers' need to protect
the environment with an effective system while understanding that the total cost
of ownership is critical to enterprise deployment.
Security
is quickly evolving and consolidating into two key foundational elements:
inclusion and exclusion. Inclusion
represents the security products which allow users to access the resources of a
network or a system. These products
include authentication, authorization and the associated technologies which
enable these functions, such as directory management systems, PKI, Smart Cards,
tokens, authentication interfaces like biometrics and other forms of
authentication.
The
second element of security is exclusion, defined as how do I keep unwanted
elements off of my system? ISS
defines this as protection, and we are leading the way to incorporate a number
of innovative technologies into a single common agent to protect the system from
the vast array of threats, including threats from content, trojans, worms,
denial of service exploits and ultimately misuse by trusted or unauthorized
users.
What
is needed is better protection, less complexity, lower cost of ownership and 7 x
24 services to augment and assure the integrity of the network and the support
of the internal security operations. The
ideal solution is a single agent to protect a system from threats, as opposed to
several different products from several different vendors, which are not
integrated.
To
protect themselves from all threats and minimize their vulnerabilities,
companies need systems that will prevent and detect security risks at every
potential point of compromise on desktops, servers, networks, and gateways.
Earlier this year, ISS unveiled the industry’s first pervasive
protection platform strategy. Our
unique product, RealSecure™, converges intrusion detection, security
assessment, active blocking, and malicious content and code protection
capabilities to protect against the converging and broader threat spectrum.
Last month, we announced the next major component
of our protection platform known as SiteProtector™. As a result of this unified product, customers will be able
to control, monitor, and analyze their security protection systems from one
central site enabling them to dramatically simplify their security management,
reduce their total cost of ownership, and increase the scale of management
across a broader segment of the network.
America
has received a wake up call that cyber security is important and can no longer
be ignored.
ISS’
vast experience with security breaches has caused us to realize how crucial
a secure infrastructure is to the safety and security of our society.
Computer security products empower organizations to proactively monitor,
detect and respond to increasing network vulnerabilities and threats to
enterprise information. These
products provide the tools vital for protection in today’s world of global
connectivity. The public needs to
be aware of the breadth of possible security breaches. Government can help realize this goal by focusing more
attention and funds on computer security. This
includes educating and training the human resources necessary to implement the
necessary security measures. Our
extensive experience has shown that computer crimes are increasing and will
continue to do so. Web sites are an
important tool in helping government be more responsive and effective, but they
are often a target for computer crime. Web
sites should be set up in a secure manner and protected once they are set up.
Everyone must learn that protection of our National Infrastructure
requires everyone to properly update and protect their system, much like using a
seat belt before you leave the parking spot.
Government must be seen as a leader in protecting its systems and in
assisting corporate and private Americans to do the same.
Unless the U.S. invests the necessary resources in this area, America’s
critical infrastructure will be at risk.