When Nikk Gilbert was hired to run security at Alstom Transport, a massive manufacturer of trains and other large vehicles with operations in 60 countries, he wasn't quite sure where to start. Alstom had never had anyone dedicated to security before, so Gilbert, IT security and telecom director, started at the beginning, with a detailed security assessment of the entire network. What he found offers a number of important lessons for security pros everywhere.
How challenging was the situation when you got to Alstom?
Gilbert: There was no information security guy. I was the first one. So when I came in I wasn't sure what to expect coming into a company that didn't have any security at all before I got there. When I came in I knew I had a lot of work to do and the thing that was on my mind the most was to get a feel for the network. So I started playing around with a lot of tools I like to use. Solar Wind is one of my favorites. I got a quick snapshot of how big the network was. Nobody could give me the big picture.
Once you did that and you ran Core Impact, what did you find?
Gilbert: Once I was able to get to the heart of the network, I considered Core Impact because I'd seen it work before. I was really impressed and I knew I needed something. The biggest problem in security is running vulnerability scanners and then you get a 1000 page report that tells you this machine has 59 exploitable vulnerabilities and you have this document and there's nothing to it. With Core you don't get that and everything you get is an actual penetration. There's no false positives. I didn't have a staff yet. So I thought maybe I should get a consultant and run a scan that way. But I thought I'd run into the same problem.
What are the most common security mistakes you find?
Gilbert: There are several key things that people have to do. If you have a large enterprise network, you need to have some kind of local patch management. That's priority number one. You have to get the workstations up to the required security level. When I came on board, I gave people a month ot get patched. I just dropped it to two weeks. There were a couple of situations where we had to take it to the next level. Some of our computers are on manufacturing machines. There's a Windows 95 machine that controls a multi-million Euro machine that measures how many microns apart two pieces are on a train. You can't patch a Windows 95 machine. It's a wide open vulnerability. So what we did is put protection in front of it, intrusion prevention system (IPS), firewall. The second thing is antivirus. Every system on the network has to have antivirus. In a global enterprise, you have to have global distribution. Next thing would be IT security policy. If you don't have some way to make it happen with some teeth in it, you're going to run into a problem. Unless you're monitoring and controlling, it's just paper. I'm of two minds on this. I'm for customer service, because if I didn't have customers I wouldn't have a job. But I know security impairs some people's abilities to do a job. You have to have a good balance between security and customer service. When I roll out a new program, I try to find a way to make it attractive to the user. For example, single sign-on (SSO). If you take SSO, slap it on a smart card with PKI, the user isn't going to have to remember 20 passwords.
That's an interesting attitude, because I think a lot of IT folks tend to think of the users as a necessary evil sometimes.
Gilbert: Yeah, but that's not where all this is going. Maybe five years ago the scare tactics worked where the CSO goes into the CIO's office and says we have to lock everything down or we're going to lose billions of Euros. Now we know it's business that drives IT. People have to focus and say, I have to work on return on investment (ROI), I have to work on customer service, I have to make these programs attractive to the users. That's the IT security professional of the future, I believe.