Symantec GM aims for vigilant security

Symantec Corp. provides a range of content and network security solutions to individuals and enterprises. The company bills itself as a world leader in Internet security technology and a leading provider of virus protection, risk management, Internet content and e-mail filtering, remote management and mobile code detection technologies. In Canada, the firm enjoys 57 per cent of the market share for anti-virus software.

During 2000, the company unveiled its Symantec Enterprise Security offering aimed at medium- and large-sized businesses. It has also released a new carrier-class anti-virus solution targeted at Internet providers.

In December, it announced shareholder approval of the merger with enterprise security solutions developer AXENT Technologies, Inc., of Rockville, Md. Symantec’s Canadian operations are headquartered in Toronto with offices in Montreal, Ottawa, Calgary and Vancouver. IT World Canada editor Susan Maclean interviewed Michael Murphy, general manager for Canada, Symantec Corp., from his base in Toronto.

Maclean: What trend do you see in network security and virus protection?

Murphy: The biggest trend in viruses generically now is worms that use e-mail to propagate or replicate themselves versus viruses. We usually just call them all viruses. A better way to think of them is malicious code and then you can discern between viruses and worms, Trojan horses, Java applets, ActiveX applets and that kind of thing. ASPs and ISPs need to make sure they have some sort of virus protection at the gateway and firewall.

Maclean: What is the extent of the threat?

Murphy: When we do our virus signatures, we add anywhere between 50 and 70 a week of new variant strains and things we haven’t seen before. This problem of viruses will be with us for a long time simply because virus writers are able to write viruses. The nature of our computing today gives it a nice, easy, homogeneous platform for virus writers to target. The biggest threats are threats of social engineering where a hacker or physical criminal will exploit the trust and good nature of a person to purport whatever crime they’re trying to do.

A good example of this was Loveletter. It was not a sophisticated virus. But Loveletter was clearly an experiment in social engineering where curiosity of people receiving e-mails was far greater than their understanding of the risks and policies and procedures to follow when they get e-mail that may appear suspicious to security people.

Maclean: What trend do you see for ASPs, systems integrators and independent service vendors in this context?

Murphy: Their consumers are going to demand from them individually-tailored services, almost an a la carte menu of services (where) consumers will want to pick and choose what service offering their ASP/ISP can provide for them. There’s also the ability for them to provide privacy services…some type of PKI infrastructure or encryption.

Most consumers are saying “I’m already dealing with a high-speed provider, I would like to go to my ISP/ASP and ask them to provide this service for me so I don’t have to manage it, go out and buy the software and update the software.” Some ISPs and ASPs are going to this step to provide firewall services. Shaw and Telus in Canada already provide on their CDs for their service offering trial versions of our personal firewall product, Norton Internet Security. We’re working with a lot of the other cable and DSL service providers to provide the same access to our product to their customers.

The sole function of a group of Symantec (solution providers services division) is to scale the products we develop at the enterprise and consumer space to “carrier-class” infrastructure providers to allow them to provide an end-solution for their consumers. Yahoo scans all of their clients’ e-mail inbound and outbound with Norton anti-virus. We have also signed a deal with Toshiba. Their cable modems come with a copy of Norton Internet Security. Already the vendors providing the hardware or services are looking to the software vendors to provide a bundle or value-added ability to consumers.

Maclean: Does emerging peer-to-peer transfer technology pose a potential security threat? If so, is Symantec dealing with this?

Murphy: All of those technologies – cell phones, PDAs, Napster, even the MP3 format and Bluetooth technology – were designed without security in mind. It’s not that they didn’t originally have a security blueprint or specification built in, but unfortunately time to market on these devices will always win over good quality security. So now, after the fact, people rush to develop security to plug the vulnerabilities that are found to be in these devices. The technology is not yet there today, but the development of technology is “If I’m going to share information with you via my PDA or cell phone, we have to establish a trust relationship.” That could be by exchanging some kind of certificate of trust or some type of encryption key…so it is not an anonymous transfer.

When I check into a Westin hotel…and my content in that city for the day is beamed to my PDA,…who is scanning the content for malicious viruses, Trojans, etc.? Who is protecting the fact that these are my personal preferences? Who is safeguarding that information? The technology is viable and exists today but the security isn’t built in yet. My biggest concern with peer-to-peer technologies is the loss of private information and the exploitation of that private information…that they use my name and my information as their identity – and that identity (is) used to commit some other sort of crime. Personal firewalls protect inbound and outbound communication that you don’t want. If you do want Napster, you just open the appropriate port on your firewall to allow Napster services in. Or you possibly put Napster services on a separate machine so it is isolated. Maybe you put it on a different hard drive and you only share your music folder and provide appropriate security for that folder or, more practically, better security for the rest of the machine.

Maclean: At some point one has to decide how much is enough in terms of protection and money spent. Can one ever have enough?

Murphy: Security has a tendency to get in the way of productivity. You can protect your house with alarm systems, dogs, fences…you can put guards out front. But every night when you want to get into your house or out of your house, it becomes time-consuming and counter-productive for what you really want to do. The same holds true for computer security.

Depending on what type of computing you’re doing, depending on the value of the information, you need to take the appropriate balance of security and cost. Security costs money, time and productivity. You need to balance the value of your assets, the productivity decline that you’re going to get with the cost of implementing security. People need to constantly spend on security. They need to update their security. They need to revamp their policies, procedures, tools. We constantly spend money on insurance. Security and insurance are very similar.

The biggest vulnerability or weakness is really us – the lack of education and awareness. Nobody’s trained to understand computer security. Someone in finance is hired to do finance, accounting and numbers. Someone in human resources was hired to do HR work. The company’s challenge is to make people aware of the threats and vulnerabilities that exist, and at the same time make them routine and part of the day-to-day job. Security needs to be so commonplace and forefront in our minds that it becomes second nature. Then security will work for people.