Security 7 Award winners tackle important information security issues
The 2008 Security 7 Award winners have their say on information sharing, perimeter security, relationships, convergence, strategy, history and progress.
Ready for a history lesson? How about some thoughts on convergence, information sharing, relationship management or developing a strategic plan?
secure collaboration
Safely leapfrogging the perimeter firewall can enhance innovation and provide the right balance of access and security.
In 2007, the Motorola information security team started a project to find better ways to protect key information assets while also enabling employees to be more innovative. First, we changed the way we looked at firewalls. The perimeter firewall has been a primary tool for protecting networks, enabling appropriate connections to the outside and controlling unauthorized traffic in and out of the enterprise. While providing protection, this also creates barriers to the kind of ad hoc, unstructured and unpredictable needs for communication that are imperative in the age of mobility. So we implemented a novel security concept called enablement zones (E-zones), a logical collection of users, software applications and systems that have similar need for connectivity and protection. They embrace the need for increased protection without suppressing innovation and mobility. E-zones facilitate sharing of information with mobile employees, business partners and customers, while improving the protection of critical data. For the more than 65,000 individuals in 50 countries, E-zones eliminate the traditional corporate firewall perimeter and historical friction that security compliance generated. A business unit, department or functional unit can support any number of E-zones, and there can be any number of systems per zone. E-zones can be short-term or permanent.
The E-zones architecture abolishes the status quo concept that physical location is a reliable measure for protecting organizations against risk of information leaks. E-zones empower business managers to select the right balance of network protection and connectivity for their applications and other digital assets. E-zones have been designed and built to feature:
E-zones are vital to the company's culture of innovation, increasing flexibility for interpersonal and interorganizational communications with substantially reduced friction to the creative processes essential for new products. The results prove we can have better protection with increased flexibility, a necessary combination in the hyper-competitive global marketplace.
building relationships
Making connections inside and outside the enterprise helps foster a healthy security organization and career.
He was right: The ability to build and leverage strong relationships is indeed a key element in the success of today's information security executives. To build a successful program, CISOs must align themselves with many departments within the organization, including internal audit, legal, HR and, sometimes the most difficult, their own IT department. If any of the leaders in these groups don't recognize and appreciate the role of the CISO, the CISO's effectiveness will be significantly weakened, because an opposing senior executive may create roadblocks or delay progress. Conversely, the ability to build relationships with others within one's organization creates opportunities to advance security initiatives.
Throughout my career, many of my work experiences have been created through business relationships I've developed with my peers and other security leaders. My first invitation to go into the boardroom came about because my company's external auditors suggested to the CFO and CIO that information security would be a relevant topic of discussion for the audit committee. Of course, the exposure to my company's senior executives through my board presentation proved invaluable in furthering many of the security initiatives we were working toward. Several jobs I've held were offered to me because of relationships I made with someone working at those organizations. Each job provided even more opportunities to build relationships with coworkers and vendors, which provided additional learning opportunities and career development. In each role, effectively collaborating among teams and implementing security technologies in innovative ways has been a key tool for building rapport and strengthening ties among IT staff. For example, when we rolled out a SIM at one company I worked for, we provided the remote IT teams with view-only access to the event console; this gave them additional visibility into their environments. More importantly, this gave them a sense of ownership of the initiative and the tool, helping ensure their ongoing support for our critical monitoring initiative, which otherwise risked being viewed as "big brother" spying on them. In another organization I worked for, a strong relationship with the legal department provided the support needed to get a critical compliance initiative funded. I am honored to win the Security 7 Award. There are many leaders within the security profession who are deserving of this recognition.
The interesting thing about being recognized by your profession is that you have to be nominated by someone who believes you worthy of recognition, which, like most other opportunities, stems from the development of strong working relationships. I guess that Junior Achievement guy was pretty sharp indeed.
security for the masses
Security cannot be a discipline unto itself; it must serve all entities in the enterprise.
Sensing that the particular moment wasn't right for a speech on security philosophy, I quipped, "You know, it wasn't a problem because the lasers didn't activate." This drew hearty laughs. This anecdote illustrates a commonly held belief that security is not a meta-discipline that serves all walks of enterprise life, but rather that "security is what security people do." Lay people, i.e., those who aren't full-time security pros, tend to think about security to the extent that security people bug them about it. Security is a bunch of paranoids creating ridiculous things with lasers and so forth, while the business moves along on its own.
A lot of this is the fault of security professionals. Far too many of us see security as an end unto itself. Many don't realize that simply finding a policy violation does not equal success. It's no wonder those outside of security often treat security as some weird realm to be entered at your peril. This attitude places an upper limit on meeting security requirements, because security activities are generally viewed somewhere between necessary evil and unnatural act. The security team walks into meetings with the de facto goal of serving as a random requirements generator lobbing overhead onto the project, rather than consciously moving the business forward by solving problems using a specialist's toolkit. Some people, when given a hammer, would rather hit someone with it instead of using it to build a house. In our corner of the enterprise world, the security team is composed of Security Conscious Problem Solvers (credit my enterprise security architects Bryan McDowell and Barbara Vibbert for this phrase). We're here to solve business problems, and recognize that when your eye is on the ball of customer satisfaction, revenue, scalability, connectivity, etc., you can miss out on the need to cover security requirements as well. Security work needs to promote business needs, not just implement some set of rules that looked good in the abstract when someone wrote them down. The intent of the rules needs to be understood. The rules need to be clear and repeatable as much as possible. The security team always needs to be open to the possibility that the rules are wrong and need to be changed. That's harder than saying "No" formulaically, but it's sustainable in the long run.
convergence and information sharing
Integrating operational risk and sharing vital information serve the greater good.
Security organizations need to enable, not inhibit, these opportunities, fortify the road they take and ultimately build confidence in the country's critical financial services infrastructure. Just as we insure our families to protect their future, we must also insure the financial services infrastructure in order to be strong and resilient in the face of growing threats for generations to come. We can realize this vision in two steps: integration with operational risk and information sharing. Through these two steps, we position our organizations to maximize performance and productivity, take calculated risks that are in the best interest of shareholders and customers, and more efficiently adapt and respond to our changing environment and the threat landscape.
Operational risk is naturally present in all business activities and incorporates a broad range of risks, including reputation, legal and regulatory risk; business disruption and system failures; information security and privacy; employment practices and workplace safety; processing errors; theft and fraud; and damage to physical assets. An organization's ability to drive an effective and practical operational risk management program with corporate-wide governance practices, values and integration sets the foundation for managing these risks effectively. This foundation can be further fortified if we are willing to advance opportunities to converge security and operational risk management disciplines and to share information--resulting in more efficient and effective business services. Break down internal silos among executive business leadership, risk management, facilities, physical security, business continuity management, fraud, information security, privacy, IT, human resources, compliance, etc., and work together to seek opportunities for operations excellence. Information sharing also means actively participating in external information sharing forums with peer companies. One such example is the Financial Services Information Sharing and Analysis Center (FS-ISAC), founded under presidential directives and embodying a public-private information sharing partnership. Forums like FS-ISAC create a virtual fusion center where ideas, threats and intelligence can be gathered, analyzed and communicated efficiently. By sharing, issues are identified early in order to contain and resolve risk, impact and exposure to participating organizations. More importantly, it provides a platform to team up against terrorism and other threats that impact our industry and day-to-day lives. By participating in initiatives like the FS-ISAC, we are not alone.
Ultimately, I believe that breaking down the barriers to convergence and information sharing is a broader responsibility we all share--and only by working together can we protect the future of this country's critical financial services infrastructure.
industry progress and attitudes
Uniform security among IT systems is nonsensical, yet that attitude still prevails in many instances.
Yet, despite the incredible transformations in hardware, operating systems, databases, languages and more, overall information security may be worse now than it was in the 1960s. We're still suffering from problems known for decades, and systems are still being built with intrinsic weaknesses, yet now we have more to lose with more systems coming online every week. Why have we failed to make appreciable progress? In part it is because we've been busy trying to advance on every front, and have every system perform all possible tasks. There is a general lack of awareness that security needs are different for different applications; instead, people seek uniformity of OS, hardware architecture, programming languages and beyond. Ostensibly, this uniformity is to reduce purchase, training and maintenance costs, but fails to take into account risks and operational needs. Such attitudes are clearly nonsensical, so it is perplexing they are still rampant in IT.
For instance, imagine buying a single model of commercial speedboat and assuming it will be adequate for bass fishing, auto ferries, arctic icebreakers, Coast Guard rescues, oil tankers and deep water naval interdiction--so long as we add on a few items. Fundamentally, we understand that this is untenable and that we need to architect a vessel from the keel upward to tailor it for specific needs, and to harden it against specific dangers. Why can't we see the same is true for computing? Why do we not understand that the commercial platform used at home to store Aunt Bee's pie recipes is not equally suitable for weapons control, health care records management, real-time utility management, storage of financial transactions and more? Supporting everything in one system results in unwieldy software on incredibly complex hardware chips, all requiring dozens of external packages to rein in problems introduced by the complexity. The situation is unlikely to improve until we start valuing good security and quality over the lifetime of our IT products. We need to design systems to enforce behavior within each specific configuration, not continually tinker with general systems to stop each new threat. Firewalls, IDS, antivirus, DLP and even virtual machines are used because the underlying systems aren't trustworthy. A better approach would be to determine exactly what we want supported in each environment, build systems to those more minimal specifications, and then ensure they are not used for anything beyond those limitations. To use some current terminology, that's whitelisting as opposed to blacklisting. It's also craftsmanship--using the right tools for each task at hand, as opposed to treating all problems the same because all we have is a hammer. As an academic, I see how knowledge of the past combined with future research can help us have more secure systems.
The challenge continues to be convincing enough IT professionals that "cheap" is not the same as "best," and that we can afford to do better. After all, we no longer need to pay $20 per transistor.
a personal history lesson
Systems and security have matured in parallel, but some still appreciate the good old days.
I remember the excitement I felt after seeing the banner and saying, "Awesome, I'm online! Now what?" I had some friends who warned me not to forget the floppy drive inside, because the Michelangelo virus was in circulation. Nobody knew much about what that meant, but we started buying antivirus software. There weren't many options back then, so I got my F-Prot package on a floppy that you installed and set up in about a minute. Also, now I had a reason to log in to my BBS [bulletin board system] to download the antivirus definitions once a week. Back then there was not too much worry about security in the corporate IT environment--not on Novell or on NT 3.5. My first manager once said to me, "This NT box runs non-stop for three months, and then it crashes itself. What is the reason to patch it? Or even install antivirus to slow it down?" Of course this all changed once viruses began hitting the boxes, and we were staying all weekend to rebuild them. Then our mindset shifted to paranoia, and we started the patching process.
I learned a lot about security and the patch management process during those days, patching NT servers at 3 a.m. and praying for the servers to come back online after the restart. Backups were done once a week if at all, and offsite tape storage was just a fantasy. Information services on the Web were just starting too. A few forums were available about security, and people were talking about how the Ping of Death can bring systems down if SP4 for NT hadn't been applied. At that point we all started deploying service packs, and our transition to full-time paranoia mode was complete. These days of course, you would not even consider connecting your box to a production network unless it had the latest service pack, patches, antispyware, antivirus, a firewall, and was properly maintained. Today we have more reliable OSes. We have patching solutions that scan and patch thousands of servers, compliance tools, auto-update antivirus, group policies that secure the servers, firewalls and IDS. We have rootkit detection, daily backups, off-site storage, books, forums, blogs and more. And still, you'll never have a 100 percent secure box, unless of course the network cable is disconnected. Security is a never-ending story. It changes and mutates, gets better, faster, more complicated and fun. Sometimes, though, I miss the old BBS days.
strategic planning
Ignore strategic planning at your own peril.
After some interesting discussions over the years, I've concluded that much of our strategic thinking efforts and subsequent strategic planning amounts to little more than brainstorming drills that happen to occur around a certain time each year. The result is typically more of a tactical plan than a real strategic vision for our security organization. Why? Here's an interesting thought--we're in a tough business where decisions can (and do) cost a CISO his or her job, so when it comes to dividing resources between the strategic-of-the-future and the tactical-of-the-now, perhaps it's simply a personal economic decision to keep a roof over one's head and bread on the table. Maslow said it first! Can you relate?
When the wolves are at the door--and they're at the door every day--it can be difficult to focus strategically on where we think the threat may be in three or five years and what our reaction should be. That, however, does not preclude the requirement for the CISO to set the strategic course. So once a year, we gather our team at an off-site meeting to create--drum roll, please--the Strategic Plan, which often ends up being more tactical than strategic. The result is that we end up without a true strategy because we haven't devoted the deep thought necessary to create a vision worthy of being called a Strategic Plan. I've done the annual strategic plan dance more times than I care to admit because creating a Strategic Plan takes real time and real effort, which is difficult to justify when you find yourself in more of a firefighter role than a CISO. Perhaps if we'd done a better job as an industry in our strategic planning and thinking, we wouldn't be overrun with the poorly coded applications we have today that just beg for a hacker's attention. In retrospect, my strategic thinking should have focused more on these kinds of big problems that have business implications, because as we all know, business is typically what suffers when you have a security incident. I knew legacy applications were vulnerable to the kind of command-execution and client-side attacks we are seeing today, and you probably did too. Have we just been too focused on Patch Tuesday vulnerabilities or the latest vulnerability assessment results? When did application security show up on your Top 5 list of things to worry about? Think about it--we've known about the problem of protecting personally identifiable information for years, but when did it become your No. 1 priority? I think times are changing in most business circles, and hopefully security is finally being appreciated as being business critical.
Perhaps not always happily, but recognized nonetheless, due to the growing regulatory environment, increasing requirement to protect intellectual property--and in the government sector, the need to guard our citizens' perception that we are protecting their personal information. So while it takes a degree of boldness to look into the future, I believe CISOs neglect true strategic planning at their peril because real success is impossible without the road map a strategic plan provides.
Q&A: Catching Up with...
A professor and information security pioneer, Dorothy Denning won the 2006 Security 7 Award in education. She continues to teach at the Naval Postgraduate School in Monterey, Calif., with a focus on cyberterrorism and cyberwarfare.

ON THIS SUMMER'S DDoS ATTACKS ON GEORGIAN GOVERNMENT WEBSITES: I haven't seen any good evidence it came from the Russian government, but who knows. Clearly a lot of hacker activists were involved in that, much the same as with Estonia. You could see Web forums where Russians were advocating conducting these attacks and telling people how to do them.

ON THE POTENTIAL FOR CYBERWARFARE AND CYBERTERRORISM: I don't know; I don't like to speculate too much. There are plenty of people who are happy to do that, and tell you either there's nothing to worry about or we really should be very worried because they'll go after the electric grid and all that kind of stuff. I don't know what will happen. The history of it is that it seems to be something mostly that people do on their own initiative, maybe in small groups. It looks more like hacker warfare to me. You have conflicts taking place on a state level, but now what you have are these citizen warriors who are joining in and doing their thing. It's kind of chaotic; I don't think the state has control over it. Maybe some governments inspire it, and maybe they sort of condone it by not doing anything about it.

ON HER CURRENT CLASSES: One is on Conflict in Cyberspace; we look at the cyberwarfare issues. We don't do too much in the way of security in that class, although in the class next week, we look at the broad homeland security issues. The other class I teach is called Trust Influence in Networks, but it's about social networks, so a lot of it is just on building trust, social influences and underground networks and how you might undermine terrorist networks. I do a lot on terrorist networks. It's more psychology and social science; it's nothing about information security.

ON HER RECOMMENDED READING: One of the best books I've read in the last year on security is Geekonomics by David Rice. He looks closely at all the problems that come from faulty software. You start thinking about should there be more liability put on the vendors, should there be more requirements put on the vendors to develop better software, how do we deal with that issue. It's a very thought-provoking book; I recommend it.