Information Security staff
Published: 01 Dec 2003
Best Collaboration Program: Automotive Network Exchange
Five years ago, electronic data interchange (EDI) ruled. Ideal? No, yet the automotive industry, among many others, relied upon it.
Developed more than 20 years ago, however, EDI was expensive and never scaled well. Trickle-down expense made it difficult to use; vagaries of VPNs made it onerous to secure.
The automotive industry responded with the Automotive Network Exchange (ANX), created in 1998 by such companies as Caterpillar, Chrysler, Ford, General Motors and TRW. Under the aegis of the Automotive Industry Action Group (AIAG) -- and now operated by Science Applications International Corp. (SAIC) as ANXeBusiness Corp. -- the service offers companies a single, secure, private data interchange network. Partners can share information. Applications can interface directly. And it was invented before Web services.
It was a much-needed change. Previously, GM designed its own EDI standard, then strong-armed suppliers into using it. While tier-1 suppliers might be able to foot the bill for the technology investment and connectivity charges, smaller companies lacked incentives.
A bevy of EDI boutiques opened to bridge the gap between the technology haves and have-nots, and to help navigate the 192 different EDI standards that had been developed or were in use.
Then the Internet boom increased overall connectivity. XML made it easy to translate orders between business partners in the supply chain. Instead of having to hardwire EDI formats into systems, companies could do a quick XML translation, then send it--write once, and translate for anyone.
However, security is a significant issue for Web services. ANX sidestepped the problem by keeping member traffic off the public Internet. Members pay a flat fee for dedicated DSL access to the ANX Network. Better yet, companies can still batch their EDI messages and send them via the network, use TCP/IP-based file transfers, send CAD drawings or e-mail--all done securely.
The upshot: increased logistics, planning and supply dispersal capability, securely, for less than the cost of EDI.
To be sure, there have been hiccups. Not all automakers have bought in. More recently, there have been concerns over IPSec VPNs--end users reported so much variance between VPN products' interpretation of standards that some equipment couldn't access the ANX network. ANX responded by offering a low-price hosted service called Tunnelz, managing a VPN appliance remotely at a customer's site to keep it connected with other members.
The upshot? The automotive industry now securely leverages XML, and has given itself a new way of doing business other industries can emulate.
Best Risk Model: Bank of Montreal
"Security requires a balanced approach," says Bank of Montreal's Robert Garigue. "Technical risk has to be incorporated in overall business risk."
With responsibility for protecting $250 billion in assets, Garigue is part of a new generation of security officers who foster an enterprise-wide security culture based on hard metrics. Under his leadership, BOM has developed a risk management model worth emulating.
"We have the instrumentation and the analytics to say where the high risk is for the level of effort, the bigger bang for the buck," Garigue declares.
BOM's homegrown tool, which Garigue calls "risk analysis mapping," uses a proprietary algorithm to match potential threats against the value of the bank's assets. But it's only a tool. The critical component is how the information is used: snapshots of the bank's current security posture for technical staff and business unit managers, as well as trending reports that show executives "how we're doing." It's raised awareness of overall enterprise architecture issues and "gotten everyone thinking at an enterprise level," he says.
The result is an overall improvement in hardening systems, and an ability to respond more nimbly to threats. "We're faster off the mark," Garigue says. That's important, because "the tempo has risen."
The Blaster and Sobig.F malware outbreaks were hectic for BOM, as they were for other organizations, but "two to three years ago, it would have been a crisis.
"The challenge is how fast we respond," Garigue says. "An organization is measured on its ability to be agile in light of threats."
Best Vulnerability Reduction Program: National Aeronautics & Space Administration
For an agency aiming toward a future of interstellar exploration, the National Aeronautics & Space Administration had a deplorable track record for computer breaches.
In 1999, a frustrated NASA information office studied the attacks and discovered hackers often entered through a relatively small number of common vulnerabilities. To combat this problem, David Nelson, then NASA's deputy CIO for IT security, initiated a program that would systematically remediate the top 50 vulnerabilities in each of NASA's 10 major sites. Once those 50 were completed, they would assess the remaining vulnerabilities and repeat the process.
The process isn't cheap, requiring at least two full-time staff members constantly scanning NASA's networks for holes. That costs upwards of $2 million a year, or $30 per node, according to published reports.
Despite the costs and effort, the system does work. By addressing the "low-hanging fruit," NASA decreased the number of breaches. The model was so successful, it served as the foundation for the SANS Institute/FBI top 20 vulnerabilities list, through which the two groups advocate enterprises emulate the NASA process.
Where keeping up with patches seems like a never-ending battle, the NASA program is a demonstration of the 80/20 rule--spending 20 percent of your time to address 80 percent of your problems.
-SANDRA KAY MILLER
Best Governance Program: American Electric Power
Michael Assante believes security starts at the top. Before he took the job as CISO of American Electric Power (AEP), he made sure top-level management was committed to making security an integral part of the Midwest utility's business culture.
"It's the single most important element for success," says Assante, who joined the Columbus, Ohio-based company in April 2002 and is now CSO. "Their (management's) participation is to advance security as a requirement for a critical infrastructure company."
To Assante, that means senior business unit leaders have to get involved in security. AEP established an executive security committee, chaired by the chief risk officer. Senior VPs from each business unit participate, along with key corporate functions such as legal, corporate communications and audit. The committee reviews overall corporate risk and security controls and approves security policy for implementation, based largely on the status reports and metrics Assante presents.
"I get to spotlight what I want to spotlight," Assante says. "I highlight the things I think senior business executives need to understand." That works both ways. Assante says he has a better grasp of the connection between security strategy and business strategy and understands the financial factors that help him plan security initiatives.
He provides a snapshot of AEP's security posture, where the company is vulnerable, based on a rating of "critical, important and moderate" risk. The risk "drives how we react with technology managers," he says.
The committee met monthly, but now meets quarterly, "because we've accomplished much of our projects, we're in planning mode," Assante says.
It wasn't always like that. When Assante arrived, there was no corporate security program. AEP, like many companies, had a stovepipe security structure. The facilities VP, for example, might bring up security issues to his peers, as they surfaced, but there were no formal processes.
Assante says that the 9/11 terrorist attacks were a "watershed," although there was an awareness of security before that. "CEOs stopped and asked, 'where are my vulnerabilities?' The federal government really started to move on security requirements from Homeland Security. That drove us."
"It's very important to keep focus on security linked to risk and business strategy," Assante says. Each industry, he says, is different in getting the message that senior management must be close to the security issue. Financial services has understood this for some time, and now energy companies are coming around.
With the corporate security culture firmly in place, Assante finds he doesn't have to "sell" the security message as often to the company's executives.
"They are really part of the governing process, and they take that responsibility very seriously."
Best Market Taxonomy: Gartner's Magic Quadrant
Whether you're an infosecurity vendor or an enterprise customer, a new Gartner Magic Quadrant analysis is bound to make you stop and take notice.
"The most important use for enterprises is to create a short list of vendors," says John Pescatore, Gartner's VP of security research. "They'll look for the three most highly rated, and send out their RFPs. Second, they'll look to see if one of their vendors is starting to drop down."
Vendors prize a position in the "leader" quadrant, or, if they are brand new, perhaps as a rising "visionary." Pescatore says vendors take this very seriously, and will object to less-than-stellar positioning.
The Magic Quadrant evolved about 15 years ago, when founder Gideon Gartner looked for a way to analyze the IT market along the lines of stock analysis and prediction.
"The Magic Quadrants have mirrored the overall growth in the security market," Pescatore says. "It used to be antivirus and firewalls were the only infosecurity markets. Now there's IDS, access management, wireless, personal firewalls, managed services, etc."
Gartner analysts also use the Magic Quadrant to define infosecurity markets as user needs change and technologies evolve. Gartner relies heavily on customer feedback and looks at how vendors are meeting--or not--their needs.
"Every vendor believes they are in their own market space," Pescatore says. "Enterprises don't think like vendors think, though. They focus on their needs."
Best Product Standard: Common Criteria
Common Criteria doesn't guarantee an application is bulletproof. Witness Windows 2000 SP4, which earned Common Criteria certification yet continues to be plagued by serious vulnerabilities. But the government-drafted standard, first introduced in 1996, is the only truly objective measure for evaluating software security.
"It can be anything from a basic, cursory review of documentation all the way through very in-depth review of design analysis," says Edward Roback, chief of the National Institute of Standards and Technology Computer Science Division. "It's not specific to operating systems or firewalls or VPNs. It's a very flexible tool."
Common Criteria was adopted as the foundation for the NIST/National Security Agency joint program, the National Information Assurance Partnership (NIAP). NIAP was devised to unite security testing, evaluation and assurance for IT vendors and customers in both the private and public sectors.
Common Criteria is recognized by 17 nations as providing a common language for functional security requirements in the use of IT products. National security agencies and critical infrastructure groups require Common Criteria certification for software vendors doing business with them. That alone is sufficient reason for many vendors--including IBM, Microsoft, Oracle and Red Hat--to have pursued certification for their products.
Common Criteria also carries a certain implied cachet in the commercial marketplace.
"It's getting to be embedded into contracts and the acquisition process and the whole security engineering lifecycle," says Debra Herrmann, author of the book Using the Common Criteria for IT Security Evaluation.
Despite its global acceptance, Common Criteria doesn't guarantee a product or system's security assurance.
"It's a very subtle thing, and some people get off track when they read the part about no guarantees--you are secure, you are not secure," explains Herrmann. It's more of a "continuum of security," a common evaluation methodology.
And Common Criteria remains a work in progress, as the NIAP and the standard's proponents continue to refine and develop it.
"The one key way to improve is to do more research so we can come up with better ways of doing security testing," Roback says. "We have to find ways to improve and streamline our ability to adapt technically."
-SANDRA KAY MILLER
Best Awareness Program: St. Jude Medical
After spending the first eight months on the job creating IT standards and policies for St. Jude Medical, David Stacy faced his next major challenge -- translating the essentials of 65 pages of complex legalese in seven languages and imparting them to 5,000 culturally and technically diverse employees.
"Intranet use in our company is pervasive," says Stacy, global IT security director for the $1.6 billion international medical equipment manufacturer. "It's the primary means in which we communicate."
Stacy developed an intranet-based security training program. Each employee is required to take the appropriate training courses and tests--for basic users, supervisors and IT staff, plus a separate test for Internet and e-mail policy.
The key was persuading management to support the program and make it mandatory. "Security affects every aspect of the business," says Stacy. "We don't have resources to watch every packet and deal with every threat scenario.
"It's like a neighborhood watch. There aren't enough cops to watch every street corner."
For others following St. Jude's example, Stacy recommends outsourcing the training. He's learned through experience that enterprises need experts who understand how to teach diverse groups of adults. "But you can't outsource the content," he declares. "I wrote the courses, and they edited it." He also put the materials through extensive user testing.
It made good business sense. The cost--including the addition of modules for St. Jude's new Japanese and Chinese employees--figures out to about $30-$35 per user.
"That's a small amount of money to ensure IT security policy and standards are well understood by users," Stacy says.
Best Government Response Program: Washington Computer Incident Response Center
In 2001, Washington's state government agencies were ill prepared to respond to attacks on their networks.
Now, under the aegis of the Washington Computer Incident Response Center (WACIRC), the state has a coordinated, battle-tested response mechanism. When the SQL Slammer worm struck last January, the attack was contained within eight hours. More recently, August's Blaster worm failed to bring down the state networks.
While each agency retains its own processes to mitigate and report attacks, the Department of Information Services (DIS) is the central point for communication. DIS analyzes threat reports and rapidly notifies WACIRC liaisons in each agency.
The keys to incident response are communication and formal processes, says Darlene Kosoff, CSO of the state's DIS.
"We built a plan and documented it, and we follow it to the letter," she says.