Security Manager's Journal: Eyeing risks while cutting spending

Computerworld - We're still dealing with fallout from the weakening economy. Besides the massive layoff I wrote about last time, each department has been told to decrease spending by 15%.

My job as a security officer is to ensure the confidentiality, integrity and availability of our systems and intellectual property, and my budget was fairly limited already. So there wasn't much I could do to further cut expenses without putting the company at serious risk. Nonetheless, I did a risk assessment and came up with the following cutbacks.

First up is intrusion detection. Our 12 sensors are positioned to monitor the DMZs at corporate and remote offices as well as major data centers and some interoffice communications. We're using several offshore analysts to monitor those sensors; they attend to the alerts and, when necessary, escalate things to our analysts here in the U.S. for evaluation and action. But we're definitely monitoring more attack signatures than we need to. Our analysts spend a good part of their days chasing false positives.

When we had more resources, that didn't seem like a big deal, but now it's looking like an area of potential savings. I'm going to tune the rules so that we can decrease the offshore head count.

The next cuts are in the form of SecurID tokens. Until now, our company has issued the hard (key fob) tokens. There are currently more than 5,000 tokens deployed worldwide. These tokens have batteries that last only a few years, and then new tokens are needed.

With software tokens, we can eliminate the need for those hardware replacements and the cost of shipping fobs to our users around the world. They are easier to deploy, and there aren't any batteries.

The drawback is the threat of keystroke-capture programs. Since the physical tokens are separate from the computers, they're not susceptible to keystroke capture being used to obtain a user's PIN.

It's a risk we're going to have to take, and we may be able to get users to enter their PINs by pointing their mice to on-screen number pads, which would mitigate the keystroke-capture threat. An added benefit is that the software tokens can be used on mobile devices.

Long-Distance Audit

Other savings will come from altering my audit schedule from twice to once a year. This saves on travel expenses and the cost of an independent contractor. I'm also looking into having an engineer in India conduct the audits. That could be doable because my audit methodology is fairly streamlined and routine.

Finally, I'm going to stop paying maintenance on some of our commercial scanning tools. I'll keep IBM's ISS Scanner for servers and Hewlett-Packard's WebInspect for applications, but we can use open-source tools to fill in the gaps. Nessus has always served me well, and the open-source version can stand up nicely to the commercial equivalents. And there are plenty of Web-based application-scanning tools, such as Nikto or Google's Ratproxy. They may lack the bells and whistles of commercial equivalents, but they do the job.

I doubt I'll be able to get to that 15% figure without pulling out firewalls and VPN concentrators. But doing things like that is riskier than the other things I outlined above.

I'm never happy about having to make cuts in the security budget, of course, but I'm sure that this economic downturn will be short-lived and that I will eventually be able to ramp up our security program again, returning it to a more meaningful level.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

Join in. To join in the discussions about security, go to computerworld.com/blogs/security.

Read more about Security in Computerworld's Security Topic Center.