Published: 27 Sep 2005
Seven winners. Seven verticals. Countless achievements.
Welcome to our first annual Security 7 awards, where we profile seven security practitioners who have helped shape information security technologies, policies and practices.
Information Security magazine, our sister site SearchSecurity.com and Information Security Decisions, our annual conference, have created these awards to recognize the achievements of the world's top security professionals.
We solicited nominations from the security industry and then had an industry panel select the winners.
They represent seven different vertical industries--education, financial services, telecommunications, government, energy, manufacturing and healthcare--but have the same strong commitment to information security.
From San Francisco to Wolfsburg, Germany, from the researcher who identified DDoS source code to the manager who protects the fifth largest network in the world--our Security 7 recipients are visionaries, pioneers and innovators. Each is a giant in his field with huge responsibilities and little glory. It's time to put these unsung heroes in the spotlight.
Daily, these practitioners safeguard large networks, dodge threats, manage risk, meet regulatory requirements and, as a result, protect billions of dollars in vital information.
Each of our award winners will receive his award Oct. 19 in New York City during Information Security Decisions. The following profiles offer a wealth of perspective and insight into how to be successful in an ever-changing and challenging job.
Security by the Book
by Herman Mehling
Senior security engineer and researcher
University of Washington's Center for
Information Assurance and Cybersecurity
Stress Reliever: Enjoys photography, mountain biking, rock climbing and ski mountaineering on volcanoes.
Favorite geek site: www.techbargains.com, to check out toys.
As the first person to identify the source code for distributed denial of service (DDoS) attacks and raise awareness of them, Dave Dittrich has star billing in the world of computer security. And rightly so. Dittrich now works tirelessly to teach others how to fight DDoS intrusions on individual, host and network computers.
He identified and gave name to DDoS in 1999 when he was a Unix support engineer at the University of Washington. He recalls getting reports from outside organizations complaining that university computers were the source of traffic flooding their sites. Dittrich discovered that the Trinoo attack program had infected dozens of UW's Solaris systems and traced the program to European hackers using U.S. computers to target Internet Relay Chat (IRC) servers.
Nowadays, Dittrich is a senior security engineer and researcher for UW's Center for Information Assurance and Cybersecurity and its Information School. He is also a member of Seattle's influential Agora security group and the Honeynet Project, a nonprofit organization dedicated to improving the security of the Internet by providing cutting-edge research for free.
Dittrich is published widely, is recognized across the industry and is a much-sought-after speaker. Yet, in spite of his stellar reputation, he remains at heart a low-key guy who loves, as he says, "being an applied researcher." He talks modestly about his many accomplishments, giving the impression that discussing them is monotonous. Rather, he says, his "passion" is solving new security problems. "I need the challenge of solving something new, then I move on to the next one."
Passion is a quality Dittrich's friends and colleagues ascribe to the soft-spoken researcher.
"Dave has a tremendous zeal for protecting the whole Internet infrastructure," says Ivan Orton, Sr., deputy prosecuting attorney in the Fraud Division of King County, Wash. "He is a visionary type who sees things before most of us do. I pride myself on being a fairly technical guy who stays informed, but Dave always tells me stuff that I have never heard about."
Others call him an innovator. "Dave tends to know more about security than anyone else, but the cool thing about him is that he is very self-effacing," says friend Joshua Pennell, president and CEO of IOActive, a Seattle-based computer security services company.
Dittrich is also a fine communicator, says Orton. "He does a great job of conveying his visions to others less technical than him so we can develop practical solutions."
As a researcher, Dittrich is currently studying "active defense" issues under a grant from Cisco Systems and pursuing solutions to the growing sophistication of hackers who create attacks using IRC-DDoS bots.
"What the hackers do is use a small bot, or piece of code, to compromise an unprotected computer, which they can later infect with more sophisticated programs," Dittrich says. He explains that those programs can then transmit traffic in DDoS attacks that jump from IRC to IRC, making it difficult to track which computers are involved.
"I don't want to sound too pessimistic, but these botnets are a huge problem," he says. "They are the work of hackers scanning literally thousands of systems at a time, looking for holes." Bot networks aggregate computers that have been compromised by Trojans, allowing them to be remotely controlled by hackers. In the past year, he says, the proliferation of e-mail-borne viruses and auto-downloading Trojans has dramatically increased the number and size of botnets.
"These rogue networks now have economic value," he says. "Compromised zombie machines were recently found on the networks of the U.S. Defense Department and Senate."
Does Dittrich have a silver-bullet solution?
"No, but I am focusing on flow analysis of these networks so that I can find patterns to the hackers' behavior. The big challenge is keeping up with the bad guys, who focus on developing very advanced tools."
by Mark Baard
Stress Reliever: Races shifter karts and motorcycles; surfs, kayaks, and enjoys fine cigars and aged rums.
Favorite geek site: www.slashdot.org
Christofer Hoff grew up as a self-professed geek on a sheep farm in New Zealand. While other kids were playing games and tending flocks in the nearby hills, Hoff was in school, learning what he could from the only two computers in the building.
Today, Hoff cares for a different flock at WesCorp, a corporate credit union based in San Dimas, Calif. As the company's CISO, he keeps network predators at bay.
But, he's got good reason to be wary: WesCorp holds more than $25 billion in assets and a massive database of personally identifiable information belonging to thousands of consumers. WesCorp invests in plenty of bleeding-edge technology, including risk management and threat analytics, and has an annual IT budget of approximately $9.2 million.
WesCorp and Hoff are not alone. Security managers and IT administrators are becoming increasingly responsible for personal information as banks and their customers take advantage of new online services. Hoff and his five-person enterprise security services (ESS) team securely store more than 47 terabytes of check images, and ensure the secure handling of $1.7 trillion in wire and automated clearing-house transfers per year.
"[Hoff] has moved us into a far greater security [posture] with the knowledge and technology he's brought us," says Carmen Rangel, senior security administrator at WesCorp and a member of the ESS team. Hoff helped WesCorp implement a SQL monitoring tool "when not a lot of companies were doing it," adds Rangel. "We are relying a lot more on databases and database infrastructures, and we're learning the potential dangers presented by false or captured data."
Hoff worked in startups and large enterprises as a network engineer and administrator before embarking on major security projects for global companies. Eleven years ago, Hoff entered the security business and has amassed a string of certifications including CISSP, CISA, CISM and IAM, and is active in (ISC)2, ISACA, ISSA and other security associations. During his tenure at WesCorp, he has integrated ESS with the credit union's IT department and made security a part of network design.
"Chris developed what we consider to be the internal network security architecture of the future," says Throop Wilder, cofounder and vice president of marketing at Crossbeam Systems, a security services switch company based in Concord, Mass., that has retained Hoff as an advisor. Rather than thinking of networks separately from security, Hoff has integrated sophisticated risk analysis with network design, resulting in a safer, simpler and cheaper network, says Wilder. "We see many cases in which people have adopted compartmentalized thinking and therefore missed key synergies and efficiencies between and among security, networking and business requirements. Chris stands out in his ability to combine these elements into a practical architecture that yields true value for his company."
In the past, WesCorp's ESS team may have deployed firewalls and other tools without thinking of their broader impact. "But what [Hoff] will bring in is less intrusive and generates less traffic on the network," says Rangel. Before deploying a technology, Hoff first assesses its "RROI," which for some stands for "risk-based return on investment" and for others "risk reduction return on investment."
Security at WesCorp is now treated as something that can add value, rather than a strict policing function. "Not one piece of technology goes into [the network] without solving a business problem," says Hoff.
Answering the Call
by Michael S. Mimoso
Stress Reliever: Loves watching the New York Yankees.
Favorite geek site: www.mlb.com
There have been few more hallowed halls than one at a Bell Labs research facility in Murray Hill, N.J., during the late 1970s. Adjacent offices housed Unix pioneers Dennis Ritchie, Ken Thompson--both Turing Award winners--Brian Kernighan and Rob Pike. Nobel Prize winner Robert W. Wilson and Bob Morris, whose son would write one of the first Internet worms in 1988, were nearby.
Edward Amoroso quietly trod this hallway hoping not to attract attention, but to absorb any brainpower seeping through the doors. "Anytime I could find an excuse to walk down that hallway, I would," Amoroso says. "I was hoping some of that genius would waft out and hit me."
Almost obligated to succeed in such heady surroundings, Amoroso wanted to figure out how to secure Unix systems. Two decades later, he hasn't scaled down his dreaming or innovation and has put his inspiration to good use.
Now the CISO at AT&T--which split off in 1996 when Bell Labs became Lucent Technologies--Amoroso is responsible not only for keeping one of the largest Tier 1 telecommunication carriers in the world secure, but is trying to shift the security paradigm by having carriers provide security services from the Internet rather than inside the firewall.
"Most companies have decided they want to run a network, which leads to unbridled complexity," Amoroso says. "You have tangled networks connected by 50 different access technologies--topologies driven by nothing more than legacy issues. A network drifts from point A to point B; perimeters are almost impossible to define. This complexity leads to things being insecure."
Amoroso's first project at Bell Labs involved "pulling bugs out of Unix." Now, he's driving a sea change inside AT&T by building worldwide security teams. These teams focus on compliance and maintain consistency with audit requirements; write and maintain policies and best practices for each of AT&T's business units; build the security services used within the company and sold to customers; and defend AT&T's networks, keeping its cloud services functioning and managing its PKI, access control and authentication needs.
Amoroso's infatuation with Bell Labs began in 1978 at Christian Brothers Academy in Lincroft, N.J., at a lecture given by Wilson--who, with partner Arno Penzias, discovered cosmic microwave background radiation, which led to their formulation of the Big Bang Theory--all while working at Bell Labs. This obviously innovative environment lured the impressionable high school junior to enroll in the doctoral support program at Bell Labs and earn his Ph.D.--during which he wrote microprocessor assembly code for gyros used on the Space Shuttle and worked alongside Shuttle astronaut and 1984 Challenger crew member Terry Hart, who was the first to repair a satellite in orbit.
Amoroso eventually rose to the position of CISO, earning his chops and reputation as the co-author of one of the first firewall manifestoes, Intranet and Internet Firewall Strategies, which argued the need for network protection in the early days of e-commerce. Amoroso is eager for the day when the shift happens and carriers absorb security functions from the service provider level.
"Rather than just connect sites, carriers can help you separate them," Amoroso says. "As those services appear, the network topology will simplify; the perimeter will go away. You won't have to fight worms and viruses any more--telecoms will do it for you."
Security to the Letter
by Herman Mehling
Manager of secure infrastructure services
United States Postal Service
Stress Reliever: Plays ice hockey.
Favorite geek sites: www.techrepublic.com, www.sans.com and www.iss.net
Charles (Chuck) McGann has one of those job titles that simply doesn't do justice to the importance and scope of the work he performs. Describing McGann as the manager of secure infrastructure services for the United States Postal Service is on a par with describing the postal service as an organization that delivers mail.
McGann has an enormously challenging job--securing the world's fifth largest computer network, which consists of more than 500,000 IP addresses, 12,000 servers, 150,000 desktops and 225,000 users spread over 34,000 interconnected offices. Each month, this sprawling, complicated enterprise receives more than 300 million network attacks.
"My goal is to eliminate malicious traffic that could damage the postal service's brand image and potentially weaken the confidence of its customers," he says.
"Chuck is keenly aware of the range of security breaches and understands the damages they do," says Ovie Carroll, special agent in computer crimes from the Office of the Inspector General in Washington, D.C. "He knows it doesn't take much to undermine a network like ours. He has done an outstanding job of rallying all the players together, educating us and keeping us focused on protecting the network."
McGann has stellar qualifications and a unique background that make him a solid fit for the job. A CISSP and CISM, he also holds a certification for information assurance methodology from the National Security Agency. But he brings more than technical expertise to his job--he draws on considerable IT management experience from the private sector, plus a stint as acting postmaster and 18 years as a police officer.
"Chuck is very tenacious--a straight shooter who has helped me create and implement the new structure and policies of the postal service security environment," says Pete Myo Khin, CISO of the postal service. McGann injected business rationale into a security system that used to hold security as an absolute value, says Khin. "Chuck's credo is that business and security are joined at the hip. He works very hard to communicate this to our staff."
In 2004, McGann spearheaded a mammoth intrusion prevention deployment across all the desktops within the postal service. The solution was deployed on 90,000 desktops within three weeks and to the rest within a few months, thanks to a centralized deployment methodology developed by McGann and his team. As a result of this fast and smooth rollout, not a single USPS computer has been the victim of a successful attack. Yet McGann remains humble.
"I could not have achieved such success without an incredible team," he says. "I manage a group of security professionals who act cohesively to commingle their assets for the welfare of the postal service and our customers."
Recently, McGann took on more responsibility by becoming the postal service's lead liaison with the Department of Homeland Security (DHS). His role is to make certain both organizations maintain clear and constant communication about information security in order to develop, plan and execute successful security strategies. In addition to leading the postal service's interagency relationship with DHS, McGann is now driving security assessments to protect the online assets of local post offices across the country.
McGann directs a staff of about 100 who develop and enforce organization-wide security policies and procedures for postal service employees as well as for about 3,000 business partners. The postal service's number of business partners has grown ten-fold over the past five years, boosting the potential for security risks and making McGann's job more challenging.
"The more partners we add, the more vulnerable we are to some individual or group penetrating our security perimeter," he says. "So far, our security tools and procedures have been rock solid, but our challenge is not to become complacent."
by Michael S. Mimoso
Chief Information Protection Officer
Stress Reliever: Reads cloak-and-dagger mystery and detective novels.
Favorite geek site: www.wallstreetjournal.com
Engineering, plant management, sales management, marketing--Richard Jackson is fluent in all of them. In many ways, these proficiencies have served him better in his position as Chevron's chief information protection officer than a CISSP certification.
Jackson, a 25-year veteran of the company, moved to Chevron's information protection organization six years ago, and took charge of the group two years ago. Today, his peers believe Jackson is the model security officer of the future.
"Rich has become effective in his company; he's approached security not from a bits and bytes perspective, but from an influence perspective," says Larry Brock, CISO at DuPont and fellow member of the International Information Integrity Institute (I-4). "That's what it's going to take for CISOs."
Increasingly, security managers are morphing into conduits between IT and business units, and those who succeed will make risk assessment part of business processes.
Following the Texaco merger 3 1/2 years ago, the company's already substantial data assets have doubled. Jackson has had to contend with refineries daily generating a terabyte of process data, simulations on drill sites creating 10 terabytes of data, and 3-D seismic projects running simultaneously that account for 350 terabytes. All of it, along with data generated by enterprise systems like e-mail and accounting, has to be safely stored, kept available and archived to appease auditors.
In perhaps no other industry does risk assessment impact decision making more than in the oil business. Oil derricks stand for 30 years, and the data used to make location and depth decisions must be reliable and accessible. Jackson's primary focus has been on the people, policies, processes and technology involved in business decisions--in that order.
"Internally, my biggest impact on the company comes from the way I view security, which is different than folks with an IT background," Jackson says. "IT thinks of security as a technology, first and foremost. My perspective is different. We coined PPPT (people, policy, process, technology), and technology is last on purpose. It gives us a road map for everything we do."
Jackson's PPPT model is applied elsewhere inside Chevron, particularly with regulatory compliance projects. His group created a comprehensive set of policies and standards through a partnership with Chevron's audit organization, and created an internal consulting practice.
"I was brought in because my background was outside of IT," Jackson says. "Chevron wanted someone who could sell security to the organization. The big issue around cultural and behavioral changes is that we can't do it with technology alone, but through the hearts and minds of people. It won't happen until they figure out it's good for them to make a change."
Jackson's group has recently taken on additional responsibilities in the areas of privacy, record retention policies, export regulation compliance and intellectual property protection. Security is less a technology practice and more an overall risk management exercise.
"Rich is right on target. We share a common belief that our role is to enable and protect the business and not be the police force," Brock says.
"We have success when they seek us out rather than us chasing them down," he adds. "He's one of those new-generation CISOs who embody that new philosophy."
In the Driver's Seat
by Bill Brenner
CISO and corporate executive director, Information Technology Centre
Stress Reliever: Enjoys game hunting. Next stop: Tanzania in November.
Favorite geek site: No particular site; he focuses on GM's credit rating, sales and the price of oil.
You'd be amazed what Hans-Ottmar Beckmann sees when he sits behind the wheel. It's not the car's dashboard lighting up like an instrument panel, its six-speed transmission or its potential for blistering speeds. Rather, he sees an intersection of security and supply-chain management where every part, person and activity in the automobile industry are numbered and tracked--an electronic highway, where cars can be remotely diagnosed and fixed. It's a world fueled by passion, efficiency and identity management.
As CISO of Volkswagen AG, it's a road Beckmann will be traveling for some time, as he embarks on a project to adopt a standard approach to ID management across Volkswagen's network. "Standardization is no easy task inside a worldwide company, with local requirements and different management attitudes," says Dieter Schacher, Volkswagen's former CIO. "[Hans-Ottmar] has never given up and has found suitable approaches almost every time."
Beckmann's milestones are impressive and include implementing user administration, provisioning, password management and business process workflow controls to regulate and monitor access to critical systems and processes. Globally, Volkswagen has more than 250 companies, 300,000 employees, 80,000 suppliers, and 200,000 dealers and repair personnel.
Beckmann is a man of "big ideas and a clear vision," says Somesh Singh, vice president and general manager of Houston-based BMC Software's identity management business unit. "He thinks of the possibilities a technology offers instead of being confined by today's problem and today's solution." Beckmann's vision is for vehicles to be tracked with an ID number, and for the vehicle's history to be available online. Says Singh, "Extend this concept to Volkswagen's ability to remotely diagnose and fix those vehicles or allow the owner to upgrade software, and extend it to dealers and parts suppliers. The opportunity to change how vehicles are built, shipped and managed through their lifecycle is enormous."
When you consider all the computerized components of a car and the potential to fix problems remotely, extending ID management to cars is a no-brainer, Beckmann says. "ID management, based on authentication, authorization and audit, is not just about the user; it's the systems--the car," he says. "Our cars have about 50 computers inside with 100 megabytes of program code. It has its own network, so we have to make sure the right networks are in place, and you need authentication as part of that." There must be a concept to send encrypted data to the car so it can verify that the signature is actually coming from Volkswagen, he says. He hopes to have the system up and running in three years, but with seven brands that include the Audi, Lamborghini, Bentley and #, he expects a challenge akin to rebuilding an IT infrastructure.
The passion Beckmann puts into bettering ID management isn't limited to his role at Volkswagen. He has also helped to develop a federated identity management protocol for the European Automotive Society. "When it comes to ID management, it's very difficult to fix all the requirements under one umbrella," Beckmann says. "You have to design your security model, how you make things secure. You need a few bright people to talk to along the way. In every corner, you find a piece of security--software, hardware, etc.--and different people managing it. The challenge is to bring everything into one plan, find all the pieces and find what's missing."
It's a jigsaw puzzle where the technological part often falls into place more easily than the people part. "Technology is something you can predict," he says. "It's 20 percent technology and 80 percent people. The idea is to make them work in the same direction."
With more than 9,000 IT staffers and more than 2,000 applications (with 500 more under development), it's a mighty big jigsaw puzzle.
"It's a problem where we literally have to educate thousands of people and organize everything, but it's all fascinating," he says.
Rx for Success
by Susan Hildreth
Vice president of enterprise security
Stress Reliever: Enjoys biking and precision rifle shooting.
Favorite geek site: www.openbsd.org
Patrick Heim has a long list of daily issues--from project planning and budgeting to evaluating new technologies--but what keeps him awake at night? Worms. Given that health care giant McKesson Corp. is the 16th largest industrial company in the U.S., with more than $80 billion in annual revenues, he has good reason to worry.
"As worms get smarter, they have a higher probability of causing significant damage to the corporation with more than 20,000 computer users," says Heim.
And he should know. The 35-year-old vice president of enterprise security is known for his thoughtful analysis of security risks and his propensity for seeing new ones lurking on the horizon. It's an instinct honed by years spent in IT security at various companies, including eNetSecure and nCircle.
His career started as a security auditor for Ernst & Young, where he was engaged in ethical hacking. "You really gain a great degree of insight into the threats that are out there and the reality of these threats," he says. "It makes it less abstract once you've participated in ethical hacking, and helps you do a more realistic risk assessment in your work."
Of course, Heim wouldn't have been hired to ethically hack anything had he not already exhibited an expertise in that area. He had been tinkering with computers and modems since the age of 10, and had his first brush with the world of hacking when he and some friends found an unprotected area on a car dealership's system where, they discovered, they could submit orders for new cars. But, Heim is quick to add, they never actually submitted a bogus order.
Those hands-on experiences messing with code as a teenager and, later, hacking into systems for E&Y have helped him understand how fairly mundane security risks can bring down a corporate network.
"The biggest issue is the availability of systems. If we do a real analysis of what the domains of security are, you have confidentiality, integrity and availability. It's the availability of our environment that we need to really look out for more than anything else," he says.
His deep understanding of technology makes it easier for IT colleagues and subordinates at McKesson to hash out their technical concerns with him--which is something they cannot always count on being able to do with an executive.
As Gary Masters, manager of systems engineering at McKesson, explains, "He's a manager and leader, but he's also a very competent technician. He not only knows the direction we need to take, he also understands the ramifications of the technology."
Of course, as the top IT security executive at McKesson, Heim must also be able to speak the language of business and management. With a master's degree in finance, Heim appreciates the business aspect of IT investments and can explain IT security risks in terms of their impact on the McKesson bottom line.
Justin Dolly, chief security officer at Macromedia and a colleague and friend of Heim, describes him as someone who can bridge the gap between IT and business. "The difficult things about security are being able to identify and weigh risks--what those risks could mean and which ones you can and cannot live with--and then explain those risks to high-level management to get buy-in from the top," says Dolly. "There are a lot of security guys out there who understand the ones and zeros, but few who have that understanding and can interact with the business side well."