Security Management Turns Into a Sales Job

Long meetings frustrate but eventually pay off

I remember how bored I got when I first started work as a graduate trainee. I worked for a big consulting firm as a security specialist, and I was too junior to send out on jobs on my own and too much of a specialist to be much help on other projects. So I spent a lot of time loafing around the office.

I really can't imagine going through that here. As an example, and despite the fact that I will do almost anything to avoid going to any meeting with more than three people in it, my day yesterday was back-to-back meetings, apart from a half-hour for lunch. My days seem to be taken up more and more with talking to people, convincing them of the need for security, and less and less with actually keeping an eye on the security of our systems.


THIS WEEK'S GLOSSARY

Certificate authority: This is the entity that issues, validates and revokes digital certificates that authenticate a vendor's Web site to the user. Microsoft includes software with Windows 2000 that allows its Internet Information Server to act as a certificate authority.

Data Encryption Standard (DES): An industry-standard cryptographic algorithm that has been widely used for decades. It's now being superseded by the Advanced Encryption Standard.

Triple-keyed DES: DES uses a short (56-bit) key and is therefore vulnerable to attack. One way of resolving this problem without rewriting all your software is to set DES to encrypt a message three times, with three different keys. This is sometimes referred to as 3DES.

Cipher-block chaining mode (CBC): A mode of operation of some algorithms that helps defend against a particular type of attack. You'll almost never need to know anything about CBC unless you are deeply involved in cryptography.

128-bit RC4: Another common cryptographic algorithm, written by Ron Rivest. Opinions are divided as to whether RC stands for the formal "Rivest Cipher" or the somewhat more prosaic "Ron's Code."

LINKS

This "Snake Oil FAQ" shows how to tell when you're dealing with a cryptocharlatan.

Mansfield, Conn.-based WinZip's Web site is the source for downloading the WinZip file-compression utility.


Because I have been concentrating on the "soft" side of the job - talking, meeting and greeting - the technical side of my job has suffered to the extent that I now find myself trying to squeeze product evaluations into 20-minute slots between meetings.

Help Wanted

However, my efforts paid off when management recognized the need to get some real resources behind the job. I've been given the authority to hire four new security engineers to take on all the technical security work. That's a blessing, because I've never been that technical myself, so I'll finally be able to get systems implemented and configured much more easily.

But it's turning out to be difficult to find the right people. Each of the security engineers is going to concentrate on one particular area - one for Windows NT, one for Unix, one for e-commerce, one for networks - and so each needs to be a specialist in that area. Above that, each engineer also needs to know a fair amount about security. As any engineering manager will tell you, it's hard enough just to find and afford a technically competent Windows engineer without demanding additional specialties such as security expertise.

Still, I'll keep looking. I have a feeling that it's going to take a few months to find the right people. In the meantime, there are two internal candidates who are both knowledgeable and professional - what more do you need? Neither has any current security qualifications, but it's much easier to train good staff than it is to find trained staff who are good.

One of the larger calls on my time this week has been something rather thought-provoking. I was asked by a group of venture capitalists to give them an overview of the security industry. The idea was to give them an insider's view of the industry, to help them tell the next big thing from the next big flop and to help them understand some of the underlying technology.

Writing the presentation has given me a whole new perspective on my industry. It's forced me to think about the economic forces shaping the industry, rather than the functionality available to me from vendors.

It's also thrown up a lot of questions that I'm not sure I can answer. For example, what will be the effect on public-key infrastructure vendors like VeriSign Inc., Entrust Technologies Inc. and Baltimore Technologies PLC now that Microsoft Corp. is giving away its certificate authority software with Windows 2000? How long can the current cutthroat business practices in the antivirus world last? Will biometrics ever really take off? But one thing didn't surprise me: One mention of cryptography and their faces started to glaze over. Although crypto is fundamental to many emerging e-commerce technologies - such as digital watermarks, digital currencies and secure electronic voting protocols - for some reason, it's exceptionally hard to explain.

This is partly because there are no easy analogies to use to explain the concepts. When I want to explain firewalls, I can compare them to a bouncer at the door of a nightclub. Content scanning? Think wartime censors. Intrusion-detection software? The information technology version of burglar alarms. But crypto? Crypto algorithms are based on abstract mathematical principles, and to really understand the implications of crypto technologies, you've got to have a basic understanding of how they work. However, as soon as people realize that they're dealing with mathematical processes, a lot of them just switch off.

This is why I had difficulties with PGP encryption software a couple of months ago - not because there's anything wrong with the software, but because users just don't understand the basic concepts of how it works. My problem back then was that an otherwise highly intelligent end user couldn't grasp the concept that if you encrypted a message for one person, then only that person could read it. He tried forwarding encrypted e-mail, expecting other people to be able to read the e-mail that had been encrypted for his eyes only.
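As an added illustration of the concept that tripped up that user (this is not code from the journal or from PGP): a toy textbook RSA in pure Python, with small keys and no padding, showing that a message encrypted for Alice's public key stays unreadable to Bob even when the ciphertext is forwarded to him. The names and functions are assumptions made for the demo.

```python
import random  # toy textbook RSA, not PGP's real message format; demo only

def is_probable_prime(n, rounds=16):  # Miller-Rabin, adequate for a demo
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def random_prime(bits):
    while True:  # force the top bit (size) and the low bit (odd), then test
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n
def keygen(bits=256):
    e = 65537  # returns ((n, e), (n, d)); toy key size, no padding scheme
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))
def encrypt_for(public_key, message):
    """Only the holder of the matching private key can undo this."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)
def decrypt_with(private_key, ciphertext):
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")
def forwarding_demo():  # the journal's scenario: mail for Alice, forwarded to Bob
    alice_pub, alice_priv = keygen()
    _, bob_priv = keygen()
    message = b"for Alice's eyes only"  # constructed sample text
    ct = encrypt_for(alice_pub, message)
    alice_reads = decrypt_with(alice_priv, ct) == message
    bob_reads = decrypt_with(bob_priv, ct) == message  # Bob has only his own key
    return alice_reads, bob_reads
```

Forwarding the ciphertext gives Bob nothing; the sender would have to encrypt a second copy for Bob's own public key.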

Keep it Simple

However, after that episode, I had an e-mail conversation with a nontechnical reader who suggested that I use WinZip Computing Inc.'s password protection as an alternative. Now password protection isn't anywhere near as strong as good crypto, but that's not the point. WinZip is file-compression software, and data compression is based on some abstract mathematical principles, just like crypto. But WinZip doesn't ever let you know that it's doing something mathematically complex. It just presents you with a simple, easy-to-use graphical user interface.

Crypto software, on the other hand, rams its technical nature down your throat. Look at a sales pitch for crypto software and you'll see phrases like "11 trillion years to crack," "128-bit RC4," "168-bit triple-keyed DES in cipher-block chaining mode." Now I know my math pretty well; I've studied and even taught cryptography, and I understand what those terms mean. I know from experience that nine out of 10 crypto salespeople don't really understand it, but that doesn't stop them from quoting meaningless numbers for you. I also know that none of this information has ever been the slightest bit of use to me as a security manager - except for the occasional bit of satisfaction at shooting down salespeople who let their mouths run ahead of their brains.

The next time anyone tries to browbeat you with obscure crypto terms, ignore them. Ask the crypto salespeople to explain what they mean in simple English. As soon as they start talking numbers, get them to start talking about people instead - the end users and how they'll understand and use the software.

When we have crypto software that's as easy to use as WinZip, we might actually get real people to use it. When we get real people to use crypto software, we'll dramatically improve data security.

• This journal is written by a real security manager, "Jude Thaddeus," whose name and employer have been disguised for obvious reasons. It's posted weekly at www.computerworld.com and at www.sans.org to help you and your security manager better solve security problems. Contact him at jude.t@lycos.com or head to the forums.

Copyright © 2000 IDG Communications, Inc.
