This article can also be found in the Premium Editorial Download "Information Security magazine: Exclusive: Security salary and careers guide."
Download it now to read this article plus other related content.
Robert Garigue may be less than six months into a new industry as Bell Canada's chief security executive, but that doesn't mean the security playbook that served him well as CISO for the Bank of Montreal has to be scrapped. Most threats and best practices are universal, and security philosophies can be carried from job to job.
In switching business sectors, which threats have carried over? Much of what's happening now is geared toward identity theft, and the threat [is a problem] for any business sector. Criminal focus has moved away from technology and toward the business model as the weakest link. Phishing and Trojans are used to capture passwords and access accounts; this attacks the trust mechanism of a business model as opposed to attacking the technology.
How has the security response changed as a result? Initially the [threat focus] was on the networks, and the response was about access control lists and firewalls. Then, operating systems became the focus, and the response was intrusion detection systems and patch management. Now the focus is on the applications, and the response is ID management.
What should security pros focus on when planning for the future? Organizations will control less and less of their infrastructure. When you don't control the infrastructure anymore, like in a mobile environment, you need to focus your efforts on how to protect content. It will all be about digital rights management.
Phishing is a popular weapon among identity thieves. Are security tactics changing to deal with this kind of threat? Financial institutions in Canada won't send marketing information with an active link in the page because that's what the phishers do. The word going out to customers is, "We won't link." If a customer sees a link in a message, they now know it's not really from the bank. At present, social engineering is a problem because people don't offer enough credentials for a transaction. There needs to be more "trust but verify." We can require people to answer a shared secret. There can be multiple questions that people have to answer.
Are there universal best practices a security pro can take from one job to the next? First, remember that education, awareness and executive support are vital to deal with these threats. Make sure you are locking down routers and hardening servers, and that the proper monitoring and response mechanisms are in place. Make sure your security processes address threats at the network, computing, application and content layers.w
Read the complete interview with Robert Garigue at searchsecurity.com/ismag.
This was first published in July 2006