Information Security staff
Published: 01 Dec 2003
Best Benchmarking Effort: Center for Internet Security
Effective IT risk managers follow the 80/20 rule: They expend 20 percent of their resources addressing 80 percent of their risk.
That's also the M.O. behind the Center for Internet Security's configuration benchmarks, consisting of techniques and scoring tools for hardening default installations of Windows NT/2000, Solaris, Linux, HP-UX, Cisco routers and Oracle databases. When implemented, the benchmarks reduce the number of out-of-the-box vulnerabilities in these systems by more than 80 percent, says CIS president and CEO Clint Kreitner. "There's a ton of low-hanging fruit that organizations can address simply by using the recommendations," he says.
Best of all, the benchmarks -- developed through a global consensus process involving industry, government, academia and consultants -- are offered free to the Internet community at www.cisecurity.org.
"It's hard to know what 'best practice' is, and it's not always easy to configure per best practice once you know what it is," says Oracle CSO Mary Ann Davidson. "Getting a consensus on the best practice to secure 'X' and a tool to do this is a great social service.
"I salute the work CIS does," Davidson adds. "Anything that makes it easier for more people to be secure is a good thing."
Best Training Tactic: Sarasota Memorial Health Care Employee Training Program
Technology will get you only so far if you're trying to secure Florida's second largest community hospital. At the 850-bed Sarasota Memorial Health Care facility, few doctors are full-time employees, so you can't really fire them if they don't comply with security policies.
The path of least resistance, says former data security officer Albert Oriol, is twofold. First, security and HR personnel conduct one-on-one training with all physicians to ensure they know how to use their digital IDs to access medical records, and understand their duty to protect patient confidentiality and privacy. And second, they threaten to revoke a doctor's remote access rights if he or she doesn't toe the security line.
Without remote access privileges, doctors have to come to the hospital to review patient charts, says Oriol.
That prospect is usually enough to motivate compliance.
"Security is the right thing to do," says Oriol. "SMH training helps users practice safe computing from the get-go, because they have a better understanding of why it's important."
Best Security Legislation: Sarbanes-Oxley Act
Which government regulation has imposed the biggest change on corporate security? GLBA? HIPAA? Too narrow. California SB 1386? Too new. The PATRIOT Act? Too consumer-oriented.
The answer is Sarbanes-Oxley, which governs how public companies handle financial reporting. On the surface, the broad-sweeping law barely touches infosecurity-related issues--until you dig into section 404, which covers rules for documenting financial reporting controls and processes.
While SOX (as insiders call it) doesn't mandate specific controls such as strong authentication or the use of encryption, "If someone can easily get in your system because you have a four-character password, that's a no-brainer [sign of noncompliance]," says Gary Saidman, an attorney specializing in infosecurity at the law firm Kilpatrick Stockton.
In the long term, SOX will affect virtually every aspect of infosecurity.
"Some companies spend more on coffee than on security. I think [SOX] will do a lot to change that," says Saidman.
Best Internal Security: Microsoft
Snicker if you must, but this is for real. Microsoft has great internal security policies and controls.
Think about it. When was the last time you heard about a major breach of Microsoft's corporate network? The one you might recall is October 2000, when hackers breached its security and accessed source code for future versions of Windows.
"That was a wake-up call. It changed the way our executives and employees think about security," says Greg Wood, Microsoft's general manager of infosecurity.
Microsoft is one of the most targeted entities on the Internet, absorbing more than 2,200 unique attacks a day. When it developed its security policy, the security team sought simplicity for protecting the company's 300,000 hosts.
Microsoft threw out its thick, three-ring binder that held its barely touched security policy. Replacing it was a thin pamphlet containing 45 half-page doctrines based on elemental security principles: enforcement, business rationale and risk assessments.
The litmus test for any security policy is whether it's enforceable. Microsoft's security policies are easily understood and have teeth. There's no excuse for ignorance of the policy, and any breach is enforced through HR actions, Wood says.
Microsoft's security team applies business logic to its security policies. Wood says this helps earn the business units' cooperation. They know security won't arbitrarily inhibit operations. Where best practices will often ban certain functions and services, the Microsoft policy has flexibility to meet business necessities--within reason.
"Ultimately, our goal is to protect our highest value asset, which is the source code," Wood says. "Anything that would allow the theft of that source code is something we're not going to allow."
Microsoft doesn't claim to have the answer for enterprise security woes, or that it's doing anything unique. Rather, Wood says, the company learned the security practices lesson before most others.
"We're not the best, but we've lived through the fire before most other companies."
-LAWRENCE M. WALSH
Best HIPAA Leadership: Tenet Health Systems
Everyone knows "herding cats" is a euphemism for "next to impossible." It's commonly used when talking about implementing change in large organizations.
Call Connie Emery a master cat herder. She is a privacy and security officer for Tenet Health Systems, which employs 114,000 people in 16 states. She leads Tenet's efforts to comply with new privacy and security regulations introduced as part of HIPAA.
Tenet handled compliance in stages--Emery would examine the regulations and, with her team of six, write compliance policies. Then she'd send the policies to affected employees and ask if they'd work. Emery's team would take the feedback and revise the policies, then develop online modules for training thousands of employees.
Emery says getting people to focus on compliance wasn't any harder than getting hungry cats to eat dinner. They didn't want to be in violation, and she had no lack of volunteers -- her "HIPAA Heroes" -- to give feedback.
Combining privacy and security compliance in one function made it easier to craft policies, she says. "If you buy Christmas presents and you don't lock your car, they're not going to still be there."
Her other key: Starting early. Though the HIPAA deadline for security compliance isn't until 2005, most of Tenet's policy work is already completed.
Best Grassroots Standard: Network Reliability and Interoperability Council
The Slammer worm ruined last January for a lot of people. But not those who followed best practices outlined a month earlier by the Network Reliability and Interoperability Council (NRIC).
"We were green the entire time," says Bill Hancock, who serves both as CSO at Cable & Wireless and chair of the NRIC's cybersecurity best practices committee.
NRIC develops recommendations for the Federal Communications Commission and the telecommunications industry on a variety of factors affecting telephone and Internet services.
The council itself is a who's who of communications: Its 53 members include CEOs or presidents of more than a dozen major telephone companies, as well as top executives at suppliers, government agencies and Fortune 500 companies. Its guidelines carry a lot of weight; since NRIC was formed in 1992, some 92 percent of its recommendations have been adopted by members.
"These should help tighten things up," says Jon Spence, a certified information systems auditor at the Government Accounting Office. He says that even though NRIC's recommendations are meant for private industry, "It's really good stuff. Everybody needs to pay attention to it."
Hancock's cybersecurity group generated more than 150 best practices for preventing security breaches and for recovering from attacks.
Among these best practices was keeping UDP ports 1433 and 1434 closed -- the ports Slammer hit. Even if a company had installed the long-available Microsoft patches that prevented Slammer from doing damage, it still suffered network availability issues if those ports were open.
Hancock's committee is split into eight groups, which look at areas such as incidents, authentication, audits and accounting, and architecture. These groups used the best practices of member companies and other sources, such as the Internet Security Alliance (which Hancock also chairs).
The NRIC's best practices aren't universally applicable. The systems used by an organization, and its particular architecture, determine which practices are relevant. Hancock notes, too, that cybersecurity best practices need constant updating, and that some security problems don't have solutions yet. But NRIC's best practices were good enough to beat Slammer, and that's a good step forward.
Best Firewall Policy: Defense Information Systems Agency
The strongest fort is vulnerable if a gate is left open and unguarded. The same is true for firewalls, which cannot be defended if ports are unexpectedly -- or unwittingly -- left open.
The Defense Information Systems Agency (DISA) keeps all ports slammed shut. But like any operation today, it has applications that need to communicate across different networks. So the DISA's CIO grants policy waivers for specific circumstances. The problem: the CIO's office is in Virginia, which creates substantial delays for line unit security managers around the world.
Darrin Lau, a firewall admin with DISA's Pacific group at Wheeler Air Force Base in Hawaii, kept running into problems with ports being opened for the wrong reasons. An employee of government contractor Antineon, Lau believed DISA's CIO office wasn't getting all the information it needed to properly evaluate waiver requests.
To alleviate the Pacific group's bottleneck, Lau and Dewaine Christle, an infosecurity specialist with government contractor SAIC, devised a specific set of requirements for people who wanted a port opened. The requirements included specific elements, including network topology diagrams and the security issues the open port would create.
Lau would then draft a report and send it to the base's Information Assurance Manager for approval. From there, it would go to the CIO's office, which could effectively and expeditiously evaluate the request.
This bottom-up approval system meant firewall admins would have a stronger hand in approving requests for open ports, and also have all the research for effectively securing in-service ports.
Lau says the system has worked well, thanks in part to strong support from the Pacific group's chain of command.
"We had very good management support all the way up to the command level," Lau says. "If users didn't provide info by a certain date, their port was closed and application was cut off."
Because of excellent user compliance, Lau says he's yet to reject a request for a firewall policy exemption.
The Pacific group's firewall waiver policy made so much sense that the CIO adopted a modified version for all three DISA regions (the Pacific, the continental U.S. and Europe).
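As an added example (not code from the article, NRIC or DISA), a small Python auditor that ties the NRIC port guidance and the Pacific group's waiver policy together: it flags any firewall allow rule on UDP 1433 or 1434 that lacks a documented, unexpired waiver, where a waiver must carry the elements the article names (topology diagram, security issues) plus an assumed requester and expiry date. The rule and waiver records are constructed sample data.

```python
# Audit firewall rules against the two practices above: UDP 1433/1434 (the Slammer
# ports) stay closed unless a documented waiver exists, and each waiver carries the
# required elements. All data below is constructed sample data, not DISA's.
from dataclasses import dataclass
from datetime import date

SLAMMER_PORTS = {1433, 1434}  # UDP ports named in the article
REQUIRED_WAIVER_FIELDS = ("requester", "topology_diagram", "security_issues", "expires")

@dataclass
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "udp" or "tcp"
    port: int
    waiver_id: str = ""  # id of the waiver that justifies an allow, if any

def waiver_problems(waiver: dict, today: date) -> list:
    """Reasons a waiver record fails the requirements (empty list means it passes)."""
    problems = ["missing " + f for f in REQUIRED_WAIVER_FIELDS if not waiver.get(f)]
    expires = waiver.get("expires")
    if expires and expires < today:
        problems.append("expired")  # past the deadline: the port gets closed
    return problems

def audit(rules: list, waivers: dict, today: date) -> list:
    """One finding per allow rule on a Slammer port that lacks a valid waiver."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.proto != "udp" or r.port not in SLAMMER_PORTS:
            continue  # only UDP 1433/1434 allow rules are in scope
        waiver = waivers.get(r.waiver_id)
        if waiver is None:
            findings.append("udp/%d open with no waiver" % r.port)
            continue
        for p in waiver_problems(waiver, today):
            findings.append("udp/%d waiver %s: %s" % (r.port, r.waiver_id, p))
    return findings

SAMPLE_RULES = [  # constructed ruleset
    Rule("allow", "tcp", 443),
    Rule("allow", "udp", 1434),                   # opened with no waiver at all
    Rule("allow", "udp", 1433, waiver_id="W-1"),  # waiver lacks a topology diagram
    Rule("allow", "udp", 1433, waiver_id="W-2"),  # complete, current waiver
]
SAMPLE_WAIVERS = {  # constructed waiver register
    "W-1": {"requester": "lab", "security_issues": "SQL Server reachable", "expires": date(2004, 3, 1)},
    "W-2": {"requester": "billing", "topology_diagram": "billing-segment.vsd",
            "security_issues": "replication across segments", "expires": date(2004, 6, 30)},
}
def sample_findings() -> list:
    return audit(SAMPLE_RULES, SAMPLE_WAIVERS, date(2004, 1, 15))
```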