Robert Garigue may be less than six months in a new industry as Bell Canada's chief security executive, but that doesn't mean that the security playbook that served him well as CISO for the Bank of Montreal has to be scrapped. Most threats and best practices are universal and security philosophies can be carried from job to job.
What's your advice for security pros who switch jobs?Garigue: In any business sector, you must ensure there are security and assurance processes at the network, computer, applications and content layers. You must ensure security processes lock down routers and harden servers, and that the proper monitoring and response mechanisms are in place. To deal with threats, education, awareness and business executive support is vital.
In switching business sectors, which threats have carried over?Garigue: Much of what's happening now is geared toward identity theft, and the threat [is a problem] for any business sector. Criminal focus has moved away from technology and toward the business model as the weakest link. Phishing and Trojans are used to capture passwords and access accounts; this attacks the trust mechanism of a business model as opposed to attacking the technology.
How has the security response changed as a result?Garigue: Initially the [threat focus] was on the networks and the response was about access control lists and firewalls. Then operating systems were the focus and the response was intrusion detection systems and patch management. Now the focus is on the applications and the response is ID management.
What should security pros focus on when planning for the future?Garigue: Organizations will control less and less of their infrastructure. When you don't control the infrastructure anymore, like in a mobile environment, you need to focus your efforts on how to protect content, and it will all be about digital rights management.
Phishing is a popular weapon among identity thieves. Are security tactics changing to deal with this kind of threat?Garigue: Financial institutions in Canada now won't send marketing information with an active link in the page because that's what the phishers do. The word going out to customers is that "We won't link." If a customer sees a link in a message, they now know it's not really from the bank. At present social engineering is a problem mostly because people don't offer enough credentials for a transaction. There needs to be more "trust but verify." We can require people to answer a shared secret. There can be multiple questions that people have to answer.
Are there some universal best practices a security pro can take from one job to the next?Garigue: First, remember that education, awareness and executive support is vital to deal with these threats. Make sure you are locking down routers and hardening servers, and that the proper monitoring and response mechanisms are in place. Make sure your security processes address threats at the network, computing, application and content layers.
Could you provide an example?Garigue: With the newer security solutions, customers can personalize accounts, and not just with an address and phone number. A picture may be included and someone has to answer questions about a picture. It could be a vacation picture. I can ask how many people are in the picture, where was it taken, and if there is snow on the mountain in the background.
About the author
Michael S. Mimoso is Senior Editor of Information Security magazine.