Pick Your Security Officer's Brain

Distributed denial-of-service attacks, self-replicating e-mail viruses, electronic security insurance, outsourcing: These are just a few of the myriad issues that landed on your information security manager's watch list last year, and even more are expected to arrive in 2001.

Your chief security officer faces so many new issues, in fact, that we polled 35 security vice presidents, officers and managers to determine the top 10 hot spots (see chart, below). We conducted our informal polling in October at the SANS Institute's Network Security 2000 conference in Monterey, Calif.

Your Security Officer's Top 10

• Standards

• Employee awareness

• Remote and wireless access

• Authorization and authentication

• Architecture

• Business-to-business

• Recruiting

• Privacy

• Application service providers

• Risk management

Source: Computerworld survey of 35 security vice presidents, officers and managers, October 2000

Your security officer's to-do list is loaded: Comply with new security and privacy regulations in health care and finance; develop stronger user-awareness policies; and address more security issues, thanks to the growth of wireless access, business-to-business exchanges and application service providers (ASP).

But there is a silver lining: Nearly all the security officers we spoke with agreed that this year's No. 1 issue - the adoption of international security standards - just might simplify some of these complexities.

Make Employees Aware

It took self-replicating viruses and distributed denial-of-service attacks to get users thinking about security during the past year, says Pete van de Gohm, director of information asset protection at Enron Energy Services Inc., a subsidiary of Enron Corp. in Houston.

But security managers still have a lot more work ahead of them: Threats from internal employees account for nearly 40% of all security breaches, according to a joint survey of 273 organizations that was released last March by the San Francisco-based Computer Security Institute and the FBI.

The problem is exacerbated by high employee turnover, adds Paul Raines, vice president of information asset protection at the Federal Reserve Bank of New York.

The key to surviving these increasingly complex attacks will be creating security awareness campaigns. These programs should cover three areas: access-control management, root (Unix) and administrative (Windows NT) access, and information handling by both permanent and temporary employees, Raines says.

Keep these policies simple, follow up with refreshers and use media coverage of security events to keep the issue on users' minds, adds Michele Guel, a security engineer at Cisco Systems Inc. in San Jose.

"We're getting there, in terms of teaching our user bases to protect confidentiality," van de Gohm says. "The test this year will be to raise awareness with more creative viruses and Trojan [horses] than Melissa and 'I Love You' to fuel [user-assisted breaches]."

Create a Mobile Policy

User policies must also cover remote access, especially considering the prediction of 55.4 million mobile workers by 2004 by Framingham, Mass.-based IDC.

"Mobile workers and wireless connectivity to your entire network open a giant security hole," says Ruth Lestina, regional practice lead for information security consulting at network infrastructure consulting firm Predictive Systems Inc. in New York.

Some 38% of 300 security professionals reported break-in attempts through remote systems last September alone, according to an October survey conducted by Cupertino, Calif.-based security vendor Symantec Corp. Yet only 15% of those companies use a desktop firewall for remote workers. For this reason, desktop firewall systems from vendors like Zone Labs Inc., Network Ice Corp., Network-1 Security Solutions Inc. and Symantec will be big sellers.

"You'd be surprised how many firewalls we're selling in the enterprise," says Avi Fogel, president and CEO of Waltham, Mass.-based Network-1.

Wireless devices are more problematic than any other type of mobile equipment. This past year, reports were published of one Trojan horse and two viruses targeting PalmPilots and cell phones, along with a virus found in a German cellular network, although none proved serious. In September, Symantec introduced antivirus software for the Palm operating system, but most wireless security software focuses only on access controls through elliptic-curve cryptography (ECC), a smaller, more portable form of data encryption.

Vendor products that use ECC encrypt data only as it travels from the wireless device to a Wireless Access Protocol (WAP) server, says Luther Martin, product manager at encryption vendor Cylink Corp. in Santa Clara, Calif. The second half of the transaction travels from the WAP server to the Web with Secure Sockets Layer browser encryption. But the WAP server processes all data and credentials in the clear, or unencrypted, which Palm has referred to as a "small air gap."

Martin says this gap is a lot bigger than vendors want it to appear: Hackers need only exploit known vulnerabilities in common operating systems to view the data and credentials.
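As an added illustration (not from the article or any vendor named in it), the following Python model shows the gateway hop described above: a toy HMAC-based stream cipher stands in for the device-to-WAP-server and WAP-server-to-Web encryption, and the end-to-end application-layer key is an assumed mitigation, not something the article describes.

```python
import hashlib
import hmac

# Added example, not from the article. The XOR stream cipher below is a toy
# built from an HMAC-SHA256 keystream; it only models WHO can read the bytes
# at each hop and is not a substitute for a real cipher.

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a deterministic keystream from (key, nonce) using HMAC-SHA256."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def hop_by_hop(payload: bytes, wtls_key: bytes, ssl_key: bytes, nonce: bytes):
    """Model the WAP server: decrypt the device hop, re-encrypt for the Web hop.
    Returns (what the gateway holds in memory, what the Web server decrypts)."""
    on_air = xor_crypt(wtls_key, nonce, payload)        # device -> WAP server (ECC/WTLS hop)
    at_gateway = xor_crypt(wtls_key, nonce, on_air)     # WAP server decrypts: plaintext here
    to_web = xor_crypt(ssl_key, nonce, at_gateway)      # WAP server re-encrypts (SSL hop)
    at_server = xor_crypt(ssl_key, nonce, to_web)       # Web server decrypts
    return at_gateway, at_server

def end_to_end(payload: bytes, app_key: bytes, wtls_key: bytes, ssl_key: bytes, nonce: bytes):
    """Assumed mitigation: the device first encrypts with a key shared only with the
    Web server, so the same gateway forwards ciphertext it cannot read."""
    inner = xor_crypt(app_key, nonce, payload)
    at_gateway, at_server_inner = hop_by_hop(inner, wtls_key, ssl_key, nonce)
    return at_gateway, xor_crypt(app_key, nonce, at_server_inner)

def gateway_exposes(credential: bytes, gateway_view: bytes) -> bool:
    """True if the credential appears verbatim in what the gateway held."""
    return credential in gateway_view

if __name__ == "__main__":
    # Constructed sample credential and keys, for illustration only.
    cred = b"user=alice&pin=1234"
    gw, _ = hop_by_hop(cred, b"wtls-key", b"ssl-key", b"nonce")
    gw2, _ = end_to_end(cred, b"app-key", b"wtls-key", b"ssl-key", b"nonce")
    print("hop-by-hop exposes credential at gateway:", gateway_exposes(cred, gw))
    print("end-to-end exposes credential at gateway:", gateway_exposes(cred, gw2))
```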

Pick an Authentication Method

As more access devices go mainstream, mechanisms for authentication (who you are) and authorization (what you're allowed to see) will continue to diversify. Smart cards and biometric access devices will lead the way.

Frost and Sullivan Inc., a consulting firm in Mountain View, Calif., predicts a $5 billion smart-card market by 2003. The biometric access device market will be much smaller - $594 million by 2003, according to International Biometric Group LLC in New York.

"Our organization is looking closely at mechanisms for two-factor authentication. Biometrics may play a role, but our focus now is smart cards, which are becoming a standard product as [smart-card] readers have become cost-effective," says Ken Perrin, a senior engineer for IT planning and business development at Pinnacle West Capital Corp. in Phoenix. He and others predict that interoperability will still be a problem this year and beyond.

Chief security officers will also want to choose an authentication management system. Such systems can link rules engines to directories that contain user attributes and privileges to restrict access to certain types of data. These systems are capable of managing a variety of access devices, including wireless, says John Pescatore, an analyst at Gartner Group Inc. in Stamford, Conn. [Technology, Sept. 11].

Bolster Your Architecture

Issues like these spur improvements in overall security infrastructures, which, for the most part, are woefully inadequate to support online businesses, says Leon A. Kappelman, information systems research director at the College of Business Administration at the University of North Texas in Denton.

A key driver for infrastructure work will be companies' attempts to overcome outdated networks and comply with the new Healthcare Information Portability and Accountability Act (HIPAA), which regulates security and customer privacy in the health care industry, says Lestina. She also predicts limited infrastructure reworking in the financial industry to comply with the Gramm-Leach-Bliley Act, a financial deregulation bill approved in 1999.

Kenneth Cole, MIS director at Sun Healthcare Group Inc. in Albuquerque, N.M., says it will take his organization two years to complete HIPAA compliance work. "At our corporate office, this will involve changes to our security policy, with a strong emphasis on employee education," he says. "At the subsidiary level, we will also have to ensure compliance at both the state and federal levels."

Bulletproof Your B2B Exchanges

Business-to-business exchanges will also force infrastructure work this year, according to Chuck Ryan, director of information security at Molex Inc. in Lisle, Ill., which manufactures parts for mobile computing devices.

"Security becomes very big when you look at the chain of events that need to occur relating to a transaction. Each link has to be secure, because everyone in the chain is a potential competitor," explains Glen Gow, president and CEO of Crimson Consulting Group Inc. His Los Altos, Calif.-based research firm predicts $3.9 trillion annually in global business-to-business transactions by 2003.

Varying international laws on privacy and encryption will further compound the task, says Ryan, who projects that most companies will ease into conducting business-to-business transactions during the next two years.

Recruit Top Talent

Your chief security officer will be on the hunt for streetwise security experts like Ryan next year. Lestina suggests that security officers will need to become more creative in their staffing efforts, finding most of their employees inside the organization and then mentoring and training them [Careers, Sept. 25].

Last year, the leading industry-recognized training and certification program was the Certified Information Systems Security Practitioner, offered by U.S.-based International Information Systems Security Certifications Consortium Inc. In the coming year, expect more diverse and specialized security training through organizations like the SANS Institute in Bethesda, Md., which is getting rave reviews from IT managers for its rigorous training and certification programs, including intrusion-detection, firewall and incident-analysis certifications.

Train Regulatory Experts

Chief security officers also face a shortage of privacy experts this year, as the medical and financial industries feel the squeeze of the HIPAA and the Gramm-Leach-Bliley Act, according to van de Gohm.

However, because these jobs are so regulatory-driven, privacy officers will most likely originate from legal and consumer affairs departments, says Alan Westin, professor of public law and government at New York's Columbia University and president of Privacy and American Business, a privacy research and professional services group in Hackensack, N.J.

Still, the security team will need to get up to speed on HIPAA and Gramm-Leach-Bliley requirements because it will be directly overseeing the technical and employee-awareness compliance initiatives.

Choose a Reliable ASP

Customer and commercial data processed at ASP sites will also complicate the job of the chief security officer. IDC predicts that the ASP market will grow at a compounded rate of 93% per year - from $74.4 million in 1999 to more than $2 billion in 2004.

Tony Parziale, chief technology officer at Maxxim Medical Inc. in Clearwater, Fla., says ASPs will face a number of security challenges this year, like working with second- and third-tier business partners and monitoring traffic.

In fact, advises Pescatore, you shouldn't even consider an ASP that can't address security at the network, platform, application, operations and end-services relationship levels.

[Photo: "The industry...still has a long way to go to enable true e-commerce," says Marriott's Jerry Dixon.]

Determine Your Risk Level

Your security officer will need to distinguish between risks and threats, says Peter Tippett, chief technologist at TruSecure Corp., a security services firm in Reston, Va. "IT managers need to learn how to behave in risk-based orientation instead of threat-based," he says.

Here's how: Start with a list of top vulnerabilities, like the one found at the SANS Institute's Web site. Next, look at critical applications and determine what level of risk your company can assume in order to see those processes through, says Ryan.

"The core of it is getting down to your own developers and your customers inside your business and prioritizing business and technical requirements," he says.

Get Involved in Standards

The underlying key to all of these issues is standards. "In order to advance e-commerce, you must have security standards," says Jerry Dixon, director of information security at Marriott International Inc. in Bethesda, Md. "The industry ... still has a long way to go to enable true e-commerce. A prime example is public-key encryption. We cannot validate a digital signature among competing products."

Dixon says he's heartened to see not only vendors but also the security community at large start to pass standards that will simplify some of the complexities faced by IT security leaders. For example, he points to the Common Vulnerabilities and Exposures (CVE), an indexing system for vulnerabilities and threats that was started last year by Bedford, Mass.-based Mitre Corp., a research and support agency for the U.S. Department of Defense.

"[The CVE] effectively created a national standard on communicating different types of vulnerabilities and exposures so that all agencies - commercial vendors, alert publications and newsgroups - are speaking the same language," Dixon says. "This now allows security teams to effectively communicate exploits or findings with one another."

The key with standards is to get involved. There are several working groups currently hashing out security standards. The SANS Institute is working with the Center for Internet Security in Bethesda, Md., and Visa U.S.A. Inc. in Foster City, Calif., to release security standards by mid-July. And last October, the International Standards Organization in Geneva published a first draft of fast-track security standard ISO 17799, an outgrowth of a British standard.
