From the Editor

Secure State of Mind
Security does not bloom in closed spaces.

As chief information security officer or CISO, what is your primary role: that of a gatekeeper? If that is all you do, then who is making certain that there are windows (and I am not referring to the Microsoft variety) and other vents to ensure that your company does not become a prison? How does one guarantee that genuine users do not have to suffer because of some ‘umbrella’ approach to data security?

The reason why many security leaders are obsessed with controlling internal breaches is that the insider threat still looms large. As you will find in our annual Global State of Information Security Survey (Page 62), threats from employees and other partners continue to dog enterprises, accounting for a whopping 83 percent of total security breaches among Indian enterprises last year. Perhaps this explains why many security leaders are focused more on blocking access than on installing a mechanism that raises an alert whenever a breach takes place. “In fact, we realized during an audit that most users did not even know they were actually committing a security breach,” said a security professional.

Meanwhile, threats from external hackers and individuals are not making life any easier for security managers. So how do you balance the prevention of an internal or external security breach with an approach that does not irritate lawful users? An effective way to achieve this harmony could be to involve more users while drafting your security policies, and to follow an alert-based mechanism to detect a breach. So, if your marketing manager is attempting to copy the company’s customer data and e-mail it to his personal ID, your system should be able not only to stop him from doing so, but also to issue an alert to you.

Finally, while there is no perfect way to achieve a state of nirvana when it comes to information security, better communication and active participation from users can help your organization achieve a near harmony.
Do you think user involvement can mitigate security risks? Write in and let me know.
Pankaj Mishra Executive Editor pankaj_m@cio.in
August 1, 2008 | REAL CIO WORLD | Vol/3 | Issue/18
Contents

Features

32 | Trading-off a Bank
An insider allegedly exploiting weak access controls at Société Générale cost the bank about Rs 28,000 crore. The case should prompt you to reassess how you balance IT security with employee access to critical systems. By Peter Sayer and Thomas Wailgum

40 | All for One, Risk for All
Your information security may be great, but what about all the other players in your extended enterprise? By Kerry Bailey

42 | The Future of Anti-Virus
As signatures proliferate, anti-virus vendors must ramp up other techniques for spotting and squashing malware. By Michael Fitzgerald

46 | Data Loss Prevention Do’s and Don’ts
Data Loss Prevention software can be your answer to guarding data without hampering business. But with so many flavors, how do you know what to choose? Here’s what to look for. By Mary Brandel

52 | In Your Own Words
Communication skills are the number one requirement for leadership success. In security, step one in communication is understanding the language and priorities of the business. By William Brandel

Survey

62 | CIO-PwC Global State of Information Security Survey
Find out what over 500 Indian CIOs know and don’t know about security, and how they compare against their global peers.

Cover: Design by Anil V K; Imaging by Binesh Sreedharan
Departments

Trendlines | 11
CIO Role | Social Networking Logs In
Quick Take on | Strategic Security
Voices | Should Security Policy Be Moved Out of the IT Department?
Study | Open-Source Software a Security Risk
Anti-virus | Malware Hits The Roof
Opinion Poll | Risk Management
Research | Uncoding DNS Attack Code
Insider Threat | The Enemy Within
Internet | SMBs Unarmed and Unaware
Alternative Views | Who Should Own Security: IT or Business and IT?

Essential Technology | 73
Security | Guardian Inside a Box. Feature by Bill Snyder
Pundit | Disclosure: All or Nothing. Column by Bruce Schneier

From the Editor | 2
Secure State of Mind. By Pankaj Mishra

Now Online
For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

Security Theory | 20
Your DNA Versus Security. A Nobel-winning economic theory explains why you can’t persuade people to buy security, at least not separately. Column by Bruce Schneier

Security Policy | 26
Watch the Monitor. Monitoring your employees’ data and network activities is no longer a technical challenge. But there are critical ethical questions to answer first. Column by Simson Garfinkel
Editorial

Publisher Louis D’Mello
Associate Publisher Alok Anand
Editor-in-Chief Vijay Ramachandran
Executive Editor Pankaj Mishra
Resident Editor Rahul Neel Mani
Assistant Editors Balaji Narasimhan, Gunjan Trivedi, Kanika Goswami
Chief Copy Editor Sunil Shah
Copy Editors Deepti Balani, Shardha Subramanian
Trainee Journalists Sneha Jha, Saurabh Gupta

Design & Production

Creative Director Jayan K Narayanan
Lead Visualizer Binesh Sreedharan
Lead Designers Vikas Kapoor, Anil V K, Vinoj K N, Suresh Nair, Girish A V (Multimedia)
Senior Designers Jinan K Vijayan, Jithesh C C, Unnikrishnan A V, Sani Mani (Multimedia)
Designers M M Shanith, Anil T, Siju P, P C Anoop, Prasanth T R
Photography Srivatsa Shandilya
Production Manager T K Karunakaran
Dy. Production Manager T K Jayadeep

Marketing and Sales

VP Sales (Print) Naveen Chand Singh
VP Sales (Events) Sudhir Kamath
General Manager Nitin Walia
Assistant Manager Sukanya Saikia
Marketing Siddharth Singh, Priyanka Patrao, Disha Gaur
Bangalore Mahantesh Godi, Kumarjeet Bhattacharjee, B.N Raghavendra
Delhi Pranav Saran, Saurabh Jain, Rajesh Kandari, Gagandeep Kaiser
Mumbai Parul Singh, Hafeez Shaikh, Kaizad Patel
Japan Tomoko Fujikawa
USA Larry Arthur, Jo Ben-Atar

Events

VP Rupesh Sreedharan
Managers Ajay Adhikari, Chetan Acharya, Pooja Chhabra

Advisory Board

Abnash Singh, President, IT Operations & Center of Excellence, UCB Pharma
Alaganandan Balaraman
Alok Kumar, Global Head-Internal IT, Tata Consultancy Services
Anwer Bagdadi, Senior VP & CTO, CFC International India Services
Arun Gupta, Customer Care Associate & CTO, Shoppers Stop
Arvind Tawde, VP & CIO, Mahindra & Mahindra
Ashish K. Chauhan, President & CIO — IT Applications, Reliance Industries
C.N. Ram
Chinar S. Deshpande, CEO, Creative IT India
Dr. Jai Menon, Group CIO Bharti Enterprise & Director (Customer Service & IT), Bharti Airtel
Manish Choksi, Chief-Corporate Strategy & CIO, Asian Paints
M.D. Agrawal, Chief Manager (IT), BPCL
Rajeev Shirodkar, CIO, Future Generali India Life Insurance
Rajesh Uppal, Chief GM IT & Distribution, Maruti Udyog
Prof. R.T. Krishnan, Jamuna Raghavan Chair Professor of Entrepreneurship, IIM-Bangalore
S. Gopalakrishnan, CEO & Managing Director, Infosys Technologies
Prof. S. Sadagopan, Director, IIIT-Bangalore
S.R. Balasubramnian, Exec. VP (IT & Corp. Development), Godfrey Phillips
Satish Das, CSO, Cognizant Technology Solutions
Sivarama Krishnan, Executive Director, PricewaterhouseCoopers
Dr. Sridhar Mitta, MD & CTO, e4e
S.S. Mathur, GM–IT, Centre for Railway Information Systems
Sunil Mehta, Sr. VP & Area Systems Director (Central Asia), JWT
V.V.R. Babu, Group CIO, ITC

Advertiser Index

ADC Krone 15
AMD 1
APC 3
Avaya Global 5
Bharti Airtel 38 & 39
CA 27
Cyberoam 17
3i Infotech 34 & 35
Dell IBC
Emerson BC
Fortinet 47
HID 45
IBM 52, 53, 54 & 55
IBM IFC
Interface 21
Itanium 8 & 9
McAfee Btw 48 & 48
Nokia 7
RSA 51
SAS 13
Sigma Byte 19
Tata Communication 29

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by Louis D’Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027. Editor: Louis D’Mello. Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.
Trendlines: new * hot * unexpected
CIO Role: Social Networking Logs In

Social networking is no more just a leisure activity. Its uses in business processes are on the rise. Not only are HR professionals talking about the potential of social networking, but CIOs also seem to be impressed with its advantages. Sites like LinkedIn, which are built to serve professionals, are catching on and no one wants to be left behind.

Gurpreet Singh Kochar, IT Manager, Indigo Airlines says, “I was about to buy a product for my organization when I came to know of its shortcomings through interactions on a social networking site, which I would not have known otherwise. Equipped with this knowledge we could negotiate with the company and get a better deal.” Apart from that, he feels social networking is the best way to interact with colleagues across organizations to gain knowledge about business practices and policies, and he says it helps him keep in touch not only with peers in the industry but also across different levels.

CIO presence on Facebook, LinkedIn and Orkut is clearly visible. Pramod L.N.S., DGM-Technology, HCL Technologies, is an active user of LinkedIn. He uses the site to find answers to his questions and also to respond to queries from his peers. “This enables executives to come out with result-oriented ideas as people across the world interact to produce a solution. The product is much more fruitful than what it would have been with the effort of one person,” he says.

However, Vinod Gopinath, CTO, Novatium does not see CIOs using social networking actively for professional purposes and says it is mostly used in the open-source software field. “Since the views and opinions expressed on social networking sites may not be those of experts, it should be taken with a pinch of salt,” he says. He feels knowledge gained from social networking should not be taken as gospel truth but be used as pointers to enhance one’s experience of technology usage.

—By Saurabh Gupta
Quick Take: Rajendra Erande on Strategic Security

It is widely discussed in executive circles. It refuses to vacate the top spot in every CIO’s priority list. They call it strategic security. Rajendra Erande, Corporate Advisor — Information Technology, Thermax, spoke to Snigdha Karjatkar on the different pillars of security that organizations should build upon, and here is what he had to say:

Do you consider information security as a strategic or a tactical component in your enterprise?
Information security is both strategic and tactical. It is inherently strategic owing to its enterprise-wide impact on the fundamental asset of the organization: its information. It is also tactical, as the right tools at the right place can help organizations minimize their risks.

What is the top-most concern of a CIO when it comes to security?
I think the foremost concern of a CIO is to manage risks, counter unpredictable threats and proactively address the vulnerabilities. The second significant concern is to balance the tradeoff between security and availability of systems.

What should CIOs focus on while charting an effective enterprise-wide security policy?
While framing a security policy, I think, CIOs should harbor a proactive approach. The policy should also encourage smooth scalability to adequately address dynamic business requirements. CIOs should ensure that proper access controls are built in, to enable users to access relevant information to function efficiently.

What should be on a CIO’s priority list while executing a periodic review exercise?
Review exercises should be conducted in phases and should be rotational in nature. The systems should be tested rigorously for both internal and external threats. In addition to the review exercise, effective monitoring tools should be in place to keep a check on threats and spot vulnerabilities well in time.
Voices: Should Security Policy Be Moved Out of the IT Department?

While many advocate a separate department with a CSO to handle security, others feel that this would greatly undermine the position of the CIO. If security policy is moved out of the IT department, would you lose influence but still be held accountable? Saurabh Gupta spoke to your peers and here’s what they had to say:

“Security policy needs to be set not top down but bottom up. Bilateral decisions between the CIO and senior management would ensure an effective security policy.”
Prof. Anand Sivasubramaniam, VP & Head-IT, Tata Consultancy Services

“It is the responsibility of the CIO to implement the security policy irrespective of where it’s written. Loss of influence depends on the CIO’s position in the organization.”
Dheeraj Sinha, CIO, Apollo Tyres

“Yes, it should be moved out, because the best way to deal with security is to form a committee which includes CEOs and CFOs.”
Sunil Gupta, Chief Manager ICT and CIO, Ministry of Steel, Government of India

Lend your voice: write to editor@cio.in
Study: Open-Source Software a Security Risk

Open-source software is a significant security risk for corporations that use it because in many cases the open-source community fails to adhere to minimal security best practices, according to a study. The study, carried out by Fortify Software with help from consultant Larry Suto, evaluated 11 open-source software packages and each community’s response to security issues over the course of about three months. The goal was to find out if the community for each open-source software package was responsive to security questions or vulnerability findings, published security guidelines and maintained a secure development process, for example. The open-source application server Tomcat scored the best in the study, titled Open Source Study — How Are Open Source Development Communities Embracing Security Best Practices?

“You don’t want to report bugs to a general mailing list because it would go to the general public,” says Jacob West, manager of Fortify’s security research group. There needs to be a measure of confidentiality in reporting bugs so that the fix for them can be provided when the public is notified, so attackers don’t get early information they can exploit. But too often the open-source communities that offer their software for free don’t appear to be as mindful about security practices as their commercial counterparts, which charge for software and support, West says. Fortify identified a total of 22,826 cross-site scripting and 15,612 SQL injection issues associated with multiple versions of the 11 open-source software packages examined. The report itself notes, “Open-source packages often claim enterprise-class capabilities but are not adopting — or even considering — industry best practices. Only a few Open Source development teams are moving in the right direction.”

The reality is that while open-source software may appear more cost-effective and just as functional as commercial software in some instances, the question of maintenance must be examined very carefully. The bottom line is that corporations may find they have to undertake remediation of open-source packages on their own. Government agencies and corporations need to decide if they’re going to try to mitigate problems with open-source software themselves, through risk assessment and code review, and whether they plan to give that information back to the open-source community. This is a fundamental question about the life-cycle development of the software, West says, adding that the study indicated to Fortify that the open-source communities in these cases tended not to correct identified flaws in software versions over a period of time.

—By Ellen Messmer
Anti-Virus: Malware Hits The Roof

Malware has risen by a staggering 278 percent in the first half of 2008, thanks in part to the large number of Websites compromised last month, so says a new study by ScanSafe. And it warns that things are only going to get worse, especially after Dan Kaminsky goes public with details about the 20-year-old DNS vulnerability he discovered.

The report found that Web-based malware increased 278 percent during this period. This was in part due to large Websites such as Wal-Mart, Business Week, Ralph Lauren Home, and Race for Life being compromised in June by SQL injection attacks. Less than a year ago, Web surfers were more at risk from social engineering scams and rogue third-party advertisers, with the outright compromise of legitimate Websites being relatively rare; when compromises did happen, they were fairly obvious cases such as Website defacements. The target nowadays is the site visitor. ScanSafe says that unlike defacement, the signs of compromise are not readily apparent, as the attacks are deliberately crafted to avoid casual observation. “Today, compromises of legitimate Web sites are occurring en masse and in nearly all cases there are no readily visible signs of the attacks,” the security expert warns.

Large numbers of these SQL injection attacks were detected back in March this year. Then in April, attacks on legitimate Web domains, including some belonging to the United Nations, expanded dramatically. In June, ScanSafe found that SQL injection attacks accounted for 76 percent of all compromised sites. ScanSafe says the increasing numbers of these attacks on legitimate Web sites can be blamed on automated attack tools, which became freely available in the last months of 2007. “The mass compromise of Websites poses a particular challenge to corporate users,” said Mary Landesman, senior security researcher, ScanSafe.

The report also found that password stealers and backdoor Trojans are the most commonly blocked malware. This category of malware increased from 4 percent of malware in January to 27 percent in June. And according to Landesman, things could get a lot worse. “It is already bad,” she told Techworld, “but we have seen from a study we carried out in May 2007 and then again in May 2008, that the number of DNS exploits has increased since May 2007.” Landesman does not believe that the DNS vulnerability discovery is a publicity stunt. “Dan Kaminsky entrusted two others who criticized him to take a look at the vulnerability. They did and then they both posted retractions and said it was a very serious flaw.” Landesman feels that while there has been a huge increase in raw numbers of these attacks, they are still low, but after August this will change. “If you own someone’s DNS, you own everything they do online,” she warned. “After the DNS disclosure it may be a very dark time. The clock is ticking for IT administrators to secure their networks.” “We strongly encourage them to consider their Web security as a primary focus,” she said. “They should assess their Web security, and take steps to ensure that users, when browsing the Web, are not serving as a conveyor belt of malware exploits.”

—By Tom Jowitt
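The mass compromises described above are possible when a site builds its SQL queries from request input. As an added illustration, not code from the article or from ScanSafe, the following Python script uses the standard library’s sqlite3 module and a constructed in-memory database to run the same product search two ways: one that pastes the search term into the query text and one that binds it as a parameter. The table names, the rows, the hash value and the UNION payload are all invented for the demonstration.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory database; the tables, rows and hash are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price TEXT);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO products VALUES ('Router', '120'), ('Switch', '80');
        INSERT INTO users VALUES ('admin', 'e99a18c428cb38d5f260853678922e03');
    """)
    return conn


def search_vulnerable(conn, term):
    """The defect behind the compromised sites: the request parameter is pasted
    into the SQL text, so a quote in the input ends the string literal and the
    rest of the input is executed as SQL."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Same query with the term bound as a parameter: the engine receives the
    statement and the value separately, so input cannot change the statement."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Constructed payload: closes the string, appends a UNION that pulls rows from
# an unrelated table, and comments out the trailing %' that the code appends.
PAYLOAD = "' UNION SELECT username, password_hash FROM users --"


def run_demo():
    """Run the payload through both searches and return what each one leaks."""
    conn = make_demo_db()
    return {
        "vulnerable": search_vulnerable(conn, PAYLOAD),
        "safe": search_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for mode, rows in run_demo().items():
        print(mode, rows)
```

The vulnerable search returns the admin credential row alongside the product rows; the parameterized search treats the payload as a literal pattern and returns nothing. An attacker who can inject statements the same way can also rewrite stored content so that the site serves attacker-controlled script to its visitors, which is the pattern the article describes.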
Opinion Poll: At Your Own Risk
In the past 12 months, has your organization’s leadership placed more, less or the same value on risk management?
More value: 62%
No change: 32%
Less value: 6%
Source: State of the CSO 2008 Survey
Insider Threat: The Enemy Within

The 1979 film When a Stranger Calls portrayed the terror-filled night of a young woman fielding prank and increasingly threatening calls that climaxed when the police determined the calls were coming from inside the house. Today, IT security executives experience a similar chill down their spine when they realize the biggest threat they face comes from internal security attacks and data breaches.

A recent survey conducted by the Strategic Counsel and commissioned by management and security software vendor CA showed that a majority of CIOs, CSOs, CTOs and other senior IT security executives consider security threats from within an organization a bigger threat to business than external attacks. The results revealed that 44 percent of respondents identified internal breaches as a key security challenge over the past 12 months, compared with 42 percent in 2006 and 15 percent in 2003. More than 34 percent of organizations reported a loss of confidential information as a result of security attacks and breaches, an increase from 22 percent in the same survey conducted in 2006.

External attacks are decreasing in number. According to the report, virus attacks decreased from 68 percent to 59 percent in the past 12 months, network attacks went down from 50 percent to 40 percent and denial-of-service attacks declined from 40 percent to 26 percent. “The security breaches identified by IT security executives as most concerning are those coming from inside the company,” says Lina Liberti, vice president of CA Security Management. “The external threats still exist, but IT security executives feel more confident that they can be quickly addressed, stopped or controlled to some degree. They identified internal security breaches and attacks as those with the biggest severity of consequences.”

Internal breaches strike fear in the heart of IT security executives because of the company image blow and customer confidence issues that accompany an attack that could expose confidential customer data and require public disclosure. Business costs associated with an internal breach include loss of productivity for 61 percent of survey respondents (up from 52 percent in 2006).

—By Denise Dubie
Research: Uncoding DNS Attack Code

Just days after details of a critical bug in the domain name system (DNS) software went public, researchers released attack code that can silently redirect users to unintended sites. HD Moore, the creator of the Metasploit penetration testing framework, and a hacker who goes by the alias ‘I)ruid’, published the attack code in two parts to several security mailing lists and to the Computer Academic Underground Web site.

The two exploits do essentially the same thing, said Andrew Storms, director of security operations at nCircle Network Security; both poison a DNS server’s cache, and therefore can, at least temporarily, replace the legitimate addresses in that cache with bogus destinations. Users steering to what they believe are valid sites could, if they pull address information from a victimized DNS server, be sent instead to a fake site such as a phony banking site, where they could be easily duped into divulging confidential information. The first exploit lets an attacker poison a DNS server’s cache with a single malicious entry; the second allows a hacker to poison large quantities of domains in one swoop. “This second exploit has the potential for a much larger impact,” said Storms, “and could result in potentially thousands of fake addresses inserted into a DNS server’s cache.”

“Both [kinds of attacks] will be difficult to detect,” Storms said. “It will probably take an end user to raise the flag when they go to their banking site, for example, and then report, ‘Hey, this just doesn’t look quite right.’” Moore said that work on exploits able to hack Mac OS X and other operating systems would start soon, but the attack would not be tweaked for Windows. Because of the way the exploits are written, it “would never work on Windows.” That doesn’t mean Windows users are safe, however. “Most attacks will be against servers running Linux,” Moore predicted.

Storms didn’t dismiss the possibility of attacks now that exploit code is available, but downplayed the threat because of all the attention the bug has received. “I think the likelihood of a mass attack is limited,” said Storms. Users should patch now, said Storms, even if they’re not operating a DNS server. “It’s important that you look at the Microsoft patch now,” he said, referring to the fix Microsoft issued two weeks ago for every version of Windows except Vista. “Anytime you can change [entries on a] DNS server, you run into a lot of other issues, including drive-by Web attacks,” warned Moore.

—By Gregg Keizer
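The attacks above work because a caching resolver accepts the first reply whose transaction ID and UDP port match its outstanding query, and caches whatever records that reply carries for names inside the queried zone. As an added example, not the published exploit code and not from the article, the following Python simulation models that race with a toy resolver: each round the attacker makes the resolver look up a fresh random name under the target zone, floods it with spoofed replies that carry a bogus address for the zone’s name server, and wins as soon as one guess matches. The resolver model, the zone example.com, the address 198.51.100.7 and the per-round packet budget are assumptions made for the demonstration. The second configuration, with a randomized source port, is the standard mitigation the coordinated vendor patches of that month introduced; the article does not describe it, and it is included here for comparison.

```python
import random

TXID_SPACE = 1 << 16            # 16-bit DNS transaction ID
PORT_SPACE = (1 << 16) - 1024   # ephemeral UDP source ports 1024..65535


class ToyResolver:
    """Toy caching resolver (an assumption for the demo, not any real software).

    A reply is accepted only if its transaction ID and destination port match an
    outstanding query for that name, and only records for names inside the
    queried zone (the 'bailiwick') are written to the cache."""

    def __init__(self, randomize_port, rng=None):
        self.randomize_port = randomize_port
        self.rng = rng or random.Random()
        self.cache = {}      # name -> rdata
        self.pending = {}    # qname -> (txid, port) of the query in flight

    def send_query(self, qname):
        txid = self.rng.randrange(TXID_SPACE)
        port = 1024 + self.rng.randrange(PORT_SPACE) if self.randomize_port else 53
        self.pending[qname] = (txid, port)
        return txid, port

    def receive(self, qname, txid, port, records):
        """Process one reply; returns True if it was accepted."""
        if self.pending.get(qname) != (txid, port):
            return False                      # wrong guess: dropped silently
        zone = qname.split(".", 1)[1]
        for name, rdata in records:
            if name == zone or name.endswith("." + zone):
                self.cache[name] = rdata      # in-bailiwick record: cached
        del self.pending[qname]               # first matching reply wins the race
        return True


def kaminsky_attack(resolver, zone, evil_ip, rng, max_rounds, budget):
    """Race the authority for `zone`. Each round the attacker triggers a lookup of
    a fresh random name under `zone`, sends `budget` spoofed replies carrying a
    bogus address for the zone's name server, and loses the round when the
    genuine reply lands. Returns the winning round number, or None."""
    target = "ns." + zone
    for round_no in range(1, max_rounds + 1):
        qname = f"rnd{round_no}.{zone}"
        resolver.send_query(qname)
        for _ in range(budget):
            txid = rng.randrange(TXID_SPACE)
            port = 1024 + rng.randrange(PORT_SPACE) if resolver.randomize_port else 53
            if resolver.receive(qname, txid, port, [(target, evil_ip)]):
                return round_no
        # the genuine (negative) answer arrives; this name can no longer be poisoned
        real_txid, real_port = resolver.pending[qname]
        resolver.receive(qname, real_txid, real_port, [(qname, "NXDOMAIN")])
    return None


def run_demo(seed=1, budget=100):
    """Attack a fixed-port and a randomized-port resolver with the same budget.
    Returns {label: (winning round or None, cached address for ns.example.com)}."""
    rng = random.Random(seed)
    results = {}
    for label, randomize in (("fixed port 53", False), ("random port", True)):
        resolver = ToyResolver(randomize, rng)
        won = kaminsky_attack(resolver, "example.com", "198.51.100.7", rng,
                              max_rounds=500 if randomize else 20000, budget=budget)
        results[label] = (won, resolver.cache.get("ns.example.com"))
    return results


if __name__ == "__main__":
    for label, (won, cached) in run_demo().items():
        print(f"{label}: poisoned in round {won}, ns.example.com -> {cached}")
```

With a fixed source port the attacker needs to guess only the 16-bit transaction ID, so a few hundred rounds of 100 packets are enough to plant the bogus name-server address. With the port randomized as well the search space grows by a factor of about 64,000 and the same attacker never succeeds within the simulation’s limit. The bailiwick check is what stops a reply for one zone from planting records for another, which is why the attack queries names inside the zone it wants to hijack.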
Internet: SMBs Unarmed and Unaware

A surprisingly large number of small and midsize businesses appear to be either blissfully unaware of or uncaring about the online security threats they face, according to a survey conducted by security vendor McAfee. The report said that nearly 45 percent of the respondents didn’t see their businesses as being valuable targets for cyber criminals, while more than half felt their organizations simply weren’t well-known enough to attract the attention of attackers. About 35 percent admitted to not being concerned about cybercrime even though another 20 percent said their companies had been victimized by online crime, and almost one-third of the latter group said they had been attacked at least four times over the past three years.

Perhaps the most surprising finding was that nearly 20 percent of the surveyed companies said they had no security protections at all in place against online threats. Yet 90 percent said they relied heavily on the Internet for their business, noted Darrell Rodenbaugh, senior vice president of McAfee’s midmarket business unit. Many SMBs “think cybercrime is an issue for larger companies,” Rodenbaugh said. “They think larger companies make better targets because that’s where the money is.” But the reality is quite the opposite, he added. “Our information says that cybercriminals prefer smaller organizations because they are more easily attacked,” Rodenbaugh said. That’s because smaller companies often have far less manpower and financial resources to invest in IT security than their larger counterparts do. Many SMBs don’t have anyone dedicated to information security and they devote at most an hour per week to security efforts. And often, companies that think they have sufficient protections really don’t, Rodenbaugh said.

McAfee’s findings are an accurate reflection of attitudes toward IT security in the SMB market, said Adam Hils, an analyst at consulting firm Gartner. The situation is both the result of a lack of awareness and “a desire to not have to spend on security until you have to,” Hils said. As a percentage of their IT budgets, SMBs do tend to spend more on security than larger companies do: typically 5 percent to 10 percent, as opposed to between 3 percent and 6 percent at bigger businesses, he added.

—By Jaikumar Vijayan
Advertisement: Cyberoam, Identity-based Unified Threat Management

Get comprehensive network security for your enterprise. Are firewall and anti-virus enough for network security? Traditional security solutions like firewalls and anti-virus are no longer sufficient to protect you against blended network attacks. Besides external attacks, enterprises increasingly face serious threat from insiders. Thus, knowing who is doing what in your network becomes necessary for real-time protection. With a full set of security features (anti-virus/anti-spam, firewall/VPN, intrusion prevention system, content filtering, bandwidth management, multiple link management, comprehensive reporting), Cyberoam Unified Threat Management (UTM) gives you comprehensive network protection. It is the only security solution that helps you create policies by the user, giving you complete control over your employees’ network activities. Cyberoam’s intelligent reporting by username allows you to zero in on compromising activity and users instantly.

Cyberoam UTM benefits:
Identity-based security: identifies “who is doing what?”
Secures even in DHCP and Wi-Fi environments
Flexible, easy to deploy and easy to manage
Reduces capital and operational expenditures
No more multiple vendors, upgrades and patches

Secures SOHO, SME/SMB and enterprise. VPNC certified (Basic, AES, Interop). © Copyright 2008 Elitecore Technologies Limited. All Rights Reserved. www.cyberoam.com
alternative views BY Sneha Jha
Who should own security? IT Vs Business & IT
“IT should ensure that “Business driven security implementation supported by IT has a greater probability of success.” Shashi Kumar Ravulapaty Reliance Consumer Finance, VP & CTO
trendlines
Business is the owner of data and the corresponding information and hence the responsibility of data security should lie significantly with the business function. However, it is IT’s responsibility to establish a highly secure technology platform which safeguards the business interests. In this context, the most critical factor that business needs to address is to build a culture internal to the organization to judiciously exercise the option of accessing the digital data and monitoring its end use. It is interesting to observe that most of the research and investments made are towards technology innovation for strengthening information security, which blocks all external penetration. This curbs information leakage through internal sources. IT Security policies across organizations are more or less similar. The policy makers need to build them around the nature of business and look for specifics related to their organizational culture in handling data. The policies made, generally, are quite comprehensive and sometimes impractical. Implementation of such policies needs meticulous planning and investments. In the process, certain simple and convenient facilities for general and power users may get blocked. The implementers need to adopt the sequence of providing a stabilized alternative before withdrawing the existing facilities. Business driven security implementation supported by IT has a greater probability of success.
18
Trendlines.indd 18
a u g u s t 1 , 2 0 0 8 | REAL CIO WORLD
incidents of security threats are eliminated. Evaluating the potential for data loss and security breaches lies within their domain.” M. Bala Giridhar VP–IT
Evaluating the potential for data loss and security breaches lies within IT's domain, so they should guarantee that there are no threats to network security. There are two facets of security, one from the standpoint of access to IT resources and the other being threats from external world vulnerability. IT should ensure that incidents of security threats are eliminated. They should strive to attain complex security measures that can combat all kinds of security risks. IT should take charge of this paramount function. When it comes to information security, it is the responsibility of business to categorize this data as per the enterprise policy — confidential, strictly confidential, and what is for external circulation, and that part of the responsibility should be owned by the business. They are the people who generate information so they are better equipped to classify the information based on its sensitivity level. The other dimension of security is risk. If you have some risk that cannot be alleviated or it is too complex or expensive to assuage, then business departments need to take a call on acceptance levels. It is a mutual responsibility. Information security is a vital concern for both business and IT.
Vol/3 | ISSUE/18
Bruce Schneier
Security Theory
Your DNA Versus Security
A Nobel-winning economic theory explains why you can’t persuade people to buy security – at least not separately.

There are two basic ways to sell something. Either a product gives the buyer something he wants — satisfaction, comfort or money — or it prevents the buyer from getting something he doesn't want: assault, fraud, burglaries or terrorist attacks. It's a truism in sales that it's easier to sell something a buyer wants than something he doesn't. People are reluctant to buy insurance, or home security devices, or computer security anything. It's not that they won't buy, it's just a struggle. The reason is psychological. And it's the same dynamic when it's a security vendor trying to sell its products or services, a CIO trying to convince senior management to invest in security or a security officer trying to implement a security policy with his company's employees. It's also true that the better you understand your buyer, the better you can sell.

Why People Are Willing to Take Risks
Illustration by PC Anoop

First, a bit about ‘Prospect Theory’, the underlying theory behind the popular field of behavioral economics. Prospect Theory was developed by Daniel Kahneman and Amos Tversky in 1979 (Kahneman won a Nobel Prize for this and similar work) to explain how people make trade-offs that involve risk. Before this work, economists had a model of ‘economic man’, a rational being who makes trade-offs based on some logical calculation. Kahneman and Tversky showed that real people are far more subtle. Here's an experiment that illustrates Prospect Theory. Take a roomful of subjects and divide them into two groups. Ask one group to choose between these two alternatives: a sure gain of Rs 10,000 and a 50 percent chance of gaining Rs 20,000. Ask the other group to choose between these two alternatives: a sure loss of Rs 10,000 and a 50 percent chance of losing Rs 20,000. These two trade-offs are very similar, and traditional economics predicts that whether you're contemplating a gain or a loss doesn't make a difference: people make trade-offs based on a straightforward calculation of the relative outcome. Some people prefer sure things and others prefer to take chances. Whether the outcome is a gain or a loss doesn't affect the mathematics and therefore shouldn't affect the results. This is traditional economics, and it's called Utility Theory. But Kahneman's and Tversky's experiments contradicted Utility Theory. When faced with a gain, about 85 percent of people chose the sure smaller gain over the risky larger gain. But when faced with a loss, about 70 percent chose the risky larger loss over the sure smaller loss. This experiment, repeated again and again by many researchers, across ages, genders, cultures and even species, rocked economics by yielding the same result. Directly contradicting the traditional idea of ‘economic man’, Prospect Theory recognizes that people have subjective values for gains and losses. We have evolved a cognitive bias: a pair of heuristics. One, a sure gain is better than a chance at a greater gain, or ‘a bird in the hand is worth two in the bush’. And two, a sure loss is worse than a chance at a greater loss, or ‘run away and live to fight another day’. Of course, these are not rigid rules. Only a fool would take a sure Rs 100 over a 50 percent chance at Rs 1 lakh. But all things being equal, we tend to be risk-averse when it comes to gains and risk-seeking when it comes to losses. This cognitive bias is so powerful that it can lead to logically inconsistent results. Google the ‘Asian Disease Experiment’ for an almost surreal example.
Describing the same policy choice in different ways — either as ‘200 lives saved out of 600’ or ‘400 lives lost out of 600’ — yields wildly different risk reactions. Evolutionarily, the bias makes sense. It's a better survival strategy to accept small gains rather than risk them for larger ones, and to risk larger losses rather than accept smaller losses. Lions, for example, chase young or wounded wildebeests because the investment needed to kill them is lower. Mature and healthy prey is probably more nutritious, but there's a risk of missing lunch entirely if it gets away. And a small meal will tide the lion over until another day. Getting through today is more important than the possibility of having food tomorrow. Similarly, it is better to risk a larger loss than to accept a smaller loss. Because animals tend to live on the razor's edge between starvation and reproduction, any loss of food — small or large — can be equally bad. Because both can result in death, the best option is to risk everything for the chance at no loss at all.
Now You Do It
How does Prospect Theory explain the difficulty of selling the prevention of a security breach? It's a choice between a small sure loss — the cost of the security product — and a large risky loss: for example, the results of an attack. Of course there's a lot more to the sale. The buyer has to be convinced that the product works, and he has to understand the threats against him and the risk that something bad will happen. But all things being equal, buyers would rather take the chance that the attack won't happen than suffer the sure loss that comes from purchasing the security product. Security sellers know this, even if they don't understand why, and are continually trying to frame their products in positive results. That's why you see slogans with the basic message: ‘We take care of security so you can focus on your business’, or carefully crafted ROI models that demonstrate how profitable a security purchase can be. But these never seem to work. Security is fundamentally a negative sell. One solution is to stoke fear. Fear is a primal emotion, far older than our ability to calculate trade-offs. And when people are truly scared, they're willing to do almost anything to make that feeling go away; lots of other psychological research supports that. Any burglar alarm salesman will tell you that people buy only after they've been robbed, or after one of their neighbors has been robbed. And the fears stoked by 9/11, and the politics surrounding 9/11, have fueled an entire industry devoted to counterterrorism. When emotion takes over like that, people are much less likely to think rationally. Though effective, fear mongering is not ethical. The better solution is not to sell security directly, but to include it as part of a more general product or service. Your car comes with safety and security features built in; they're not sold separately. And it should be the same with computers and networks. Vendors need to build security into the products and services. CIOs should include security as an integral part of everything they budget for. Security shouldn't be a separate policy for employees to follow but part of overall IT policy. Security is inherently about avoiding a negative, so you can never ignore the cognitive bias embedded so deeply in the human brain. But if you understand it, you have a better chance of overcoming it.
Bruce Schneier is chief security technology officer with BT. Send feedback on this column to editor@cio.in
Simson Garfinkel
Security Policy
Watch the Monitor
Monitoring your employees' data and network activities is no longer a technical challenge. But there are critical ethical questions to answer first.
Illustration by Anil T

Most organizations have a straightforward policy when it comes to the electronic privacy of their employees: there isn't any. As a condition of employment, employees agree that their Internet traffic may be monitored, their computers may be searched and that their phone calls may be monitored or recorded. Many organizations even use video surveillance, biometric time clocks, even spies to scrutinize employee behavior and performance. But if you engage in monitoring, be sure that you have more than the law on your side. Unless you collect and use that private data ethically and appropriately, revelations about a poorly conceived or badly implemented monitoring program can damage both your employees' morale and your organization's reputation. Of course, you can try to keep the details of a monitoring program secret, but it is incredibly difficult, mainly because you will need to restrict how you use the resultant data — or risk people inferring the program's existence from its effects. And really secret surveillance programs rarely stay secret for long — look at the difficulty the CIA has keeping its surveillance programs hush-hush. If you engage in any kind of monitoring of your employees or customers, you should assume that the affected individuals will eventually learn the details of the program. Electronic communications systems create ample opportunities to collect data on employees, and the massive capacity of today's storage systems makes it possible to retain most of it. It's trivial to program today's network devices to record employee e-mail, Internet browsing records and chat sessions. Indeed, many systems retain log files, audit trails and backups by default: these systems need to be explicitly configured not to record information if that is your organization's wish.
There is one good reason why you might want to avoid recording detailed information about your employees: once collected, this information can be used against your organization in both civil and criminal investigations. You may have to suffer the indignity and expense of helping your legal opponents search through your own information for the most damaging tidbits. Nevertheless, many organizations are collecting more data every day. Although some of this is driven by best practices and legal requirements, other information is kept because of the nagging feeling that the data might be useful someday. According to a survey by the American Management Association, 76 percent of US employers monitor the websites their employees visit; 55 percent retain and review employee e-mail messages. An earlier survey by the Association shows clearly the jump in data collection. Where the first survey showed that 33 percent used video surveillance, the second saw the number move up to 51 percent. The number of companies taping their employees' telephone calls jumped from 9 percent to 19 percent. Unfortunately, this kind of survey data doesn't adequately distinguish between the various kinds of surveillance and intrusions that employees can experience. Few people would object to video surveillance in a bank or casino; in those environments, surveillance protects the company, the employees and the customers. But people are likely to feel quite differently about video surveillance inside changing rooms. MIT Professor Gary Marx has thought a lot about these issues. The author of numerous books on surveillance by governments and businesses, Marx published an article in 1998 titled An Ethics for the New Surveillance in which he argues that the ethical standing of a surveillance act depends on the means that is used, the context in which the data is collected and the purposes for which the information will ultimately be used. 
As the case of video surveillance so plainly demonstrates, the same surveillance technology that is appropriate in one context can be completely inappropriate in another.
Explain Your Actions
For surveillance to be ethical, argues Marx, the reason for the surveillance needs to be both legitimate and publicly announced. So, one type of surveillance — for example, drug testing — might be appropriate for school bus drivers, but inappropriate for high school students who play in the school band. The means should match the goal. There should be a reasonable chance that the surveillance will detect or deter objectionable behavior. And there must be protection in place so that information collected for one purpose isn't used for other purposes. With proper explanation, many employees may be willing to accept even significant intrusions into their privacy. But they will feel their trust has been violated if the resulting data is not adequately protected — or if the data is used for a purpose far removed from the original intent.
Equity is another issue, writes Marx. Does surveillance apply to all individuals, or just to those who are less powerful? Do the people under surveillance have the right to inspect the raw data to assure themselves of its accuracy? Do people review machine-generated reports before they are acted upon? Is there a right for people who would suffer negative consequences to appeal? Organizations that engage in monitoring need to have strong internal controls that cover both the storage and use of the surveillance data. Special attention needs to be paid to any proposed action that might make collected information available outside of the organization. This is because of the ‘barn door principle’: once information is out, it's often impossible to recall. For example, in August 2006, America Online distributed on the Internet 20 million search queries from roughly 650,000 users. It had released the data hoping to stimulate academic research into search, according to The New York Times. Although AOL's researchers replaced identifiers for the people engaging in the searches with numeric pseudonyms, that wasn't enough. Many people, it turns out, can be identified just by the terms they type into search engines. And once they are identified, it isn't hard to learn a lot about a person's interests, be they legal, moral, immoral or not-so-legal. Although AOL quickly realized what it had done, it was too late: numerous people downloaded the data and made private copies. Even though AOL took the data down, others quickly put up copies. The incident demonstrated what so many privacy activists have said in recent years: by virtue of monitoring what a person searches for, companies like AOL and Google collect an incredible amount of information about their users.
AOL's employees probably didn't think of this practice as putting their customers under surveillance. But this, in fact, is precisely what AOL and the other search engine companies are doing. And because this data is so incredibly sensitive, companies probably shouldn't keep it in their computers forever. So, if your organization is engaged in monitoring, make sure that there's someone watching the watchers. Make sure that uses of the data are appropriately logged. Avoid mission creep that might turn a practice that's marginally acceptable into one that's sure to be condemned. And keep your chief privacy officer informed about your organization's monitoring policy.
Simson Garfinkel, CISSP, is researching computation and human thought at Harvard. Send feedback on this column to editor@cio.in
Insider threat isn't a piece of 2008 epiphany — that employees, former employees and partners pose a greater security challenge than hackers is not new. But the problem is not going away. If anything it is getting worse. The good news? There are new tools to help. Read on.

Index
32 | Communication | In Your Own Words
40 | Risk Management | Trading Off a Bank
42 | Information Security | All for One, Risk for All
46 | Anti-Virus | The Future of Anti-Virus
52 | Applications | Dos and Don'ts of Data Loss Prevention
62 | Survey | CIO-PwC State of Information Security Survey
Risk Management
Illustration by Unnikrishnan AV
An insider who allegedly exploited weak access controls at Société Générale cost the bank Rs 28,000 crore. The case should prompt you to reassess how you balance IT security with employee access to critical systems.
By Peter Sayer and Thomas Wailgum

Reader ROI:
How inadequate IT security cost Société Générale $7.2 billion
The disconnect between IT and risk management
Questions that will help you manage risk

It's a lethal combination of process oversights and system failures that is the stuff of CIO nightmares: an investigation into rogue trader Jérôme Kerviel's allegedly fraudulent actions at Société Générale bank uncovered an apparent breakdown in financial and internal IT controls subverted by an employee with IT knowhow and authorized systems access.
The tale of Kerviel's exploits, which led to $7.2 billion (about Rs 28,800 crore) in losses for one of France's largest banks, continues to unfold as French police probe the 31-year-old trader's transactions. On April 18, Société Générale named its former CFO, Frédéric Oudea, as CEO, replacing Daniel Bouton, who remains the bank's chairman. The company is also rumored to be a takeover target. Meanwhile, IT experts say, the case should serve as a warning that businesses can do better to manage IT-related risk. "Much time is spent on protecting the external threat," says J.R. Reagan, managing director and global solution leader for risk, compliance and security at BearingPoint. "But the internal threat can be even larger in terms of risk to the company." In the case of Société Générale, not only were IT security controls insufficient, but the bank's staff did not fully investigate red flags that arose.

Recent research by the Ponemon Institute concludes that "insider threats represent one of the most significant information security risks." In a survey of 700 IT practitioners published by the group, 78 percent said they believe individuals have too much access to information that isn't pertinent to their jobs, while 59 percent said such access presents business risks. What's more, IT professionals see a disconnect with business leaders: 74 percent said senior management does not view governance of access to information as a strategic issue. Many business executives don't know what their risks are and, even if they do, they may have a tough time balancing potential losses against potential gains, says Scott Crawford, a security expert and research director at Enterprise Management Associates. "There's always this delicate balancing act between taking advantage of opportunities and doing an effective job of IT risk management," he notes. "This notion of business risk exposure in IT still is a challenge particularly for the CIO but for the business as a whole." The Société Générale case offers lessons for IT leaders in how to manage access-related risks.

78% of IT practitioners believe that some people have too much access to data — data that isn't pertinent to their jobs. Source: Ponemon Institute

Exploiting a Risky Business
One of Société Générale's primary business lines is derivatives: financial instruments that allow traders to make contracts on a wide range of assets (such as equities, bonds or commodities) and attempt to reduce (or hedge) the financial risk for one party in the deal. Trading derivatives, however, necessitates some aggressiveness and can be fraught with risk. (Think of the infamous story of Nick Leeson, a former derivatives trader whose unauthorized speculative trading led to the collapse of the United Kingdom's Barings Bank in 1995.) The French bank isn't the only company recently to suffer from risky behavior by employees. Bear Stearns, rocked by losses from its investments in subprime mortgages, was acquired by J.P. Morgan Chase for $2 (about Rs 80) a share in March when clients lost confidence that the firm could pay its debts. In February, Credit Suisse reported an unexpected write-down of $2.8 billion (about Rs 11,200 crore) that CEO Brady Dougan attributed to "mismarkings and pricing errors by a small number of traders in certain positions" in the company's structured credit business. Kareem Serageldin, Credit Suisse's recently appointed global head of collateralized debt obligations, was among employees suspended after an internal review uncovered the errors. Dougan told analysts looking for reassurance that even with the announcement, "we feel we have actually managed our risk fairly well," but that the company still needed to "continue to focus on improving its risk management practices and procedures."

BearingPoint's Reagan observes that in the case of Société Générale, "their activities deal with high volume, high velocity and quick tempo trading of stock," and it's likely business leaders "wouldn't put up with" security measures that would slow them down. For example, Société Générale employed single-factor authentication (using one method, such as passwords, to grant access to its systems) rather than stronger dual-factor authentication (requiring that individuals employ two methods of identifying themselves to gain access). "The security team needs to explain the risk exposure and the possibility of losing billions in fraudulent trades if security is not adequately addressed," Reagan says. "But most security guys aren't well enough in tune with the business to be able to articulate a business case like that." That disconnect can be enormously destructive, as the Société Générale incident shows. "The Société Générale case brings to the fore the fact that business risk can be directly exposed through IT," Crawford says. "Kerviel allegedly manipulated the IT controls on the business systems based on his mid-office experience and back-office [IT] knowledge and expertise."

Between January 18 and January 20, the bank discovered that Kerviel had established trading positions — bets that the price of securities and warrants would move in a particular direction — that were worth more than the bank itself. He bet wrongly, and unwinding those positions over the following three days cost the bank about Rs 28,800 crore as it sold the stocks into a falling market. As an arbitrage trader, Kerviel should have been making transactions in pairs, buying and selling similar assets to exploit the minute and fleeting differences in prices in markets. Arbitrage trading is considered less glamorous than the one-way bets he secretly made from time to time by faking one half of a pair of transactions. A preliminary internal investigation by Société Générale noted that Kerviel had previously worked in the bank's IT department, and so had in-depth knowledge of its systems and procedures. Staff mostly followed those procedures, the investigating committee found, but the procedures were not in themselves sufficient to identify the fraud before January 18, partly because of the effort Kerviel made to avoid detection, and partly because staff did not systematically conduct in-depth investigations when warning flags were raised. Among the tricks Kerviel used to hide his activities, the bank's investigation highlighted the use of fake e-mail messages to justify missing trades, and the borrowing of colleagues' log-ins to conduct trades in their name. Investigators found at least seven occasions when Kerviel faked messages between April 2007 and January 18, four of them referencing trades that never existed. The deception was uncovered when they could find no trace of Kerviel receiving the purported messages in the bank's e-mail archival system. Between July 2006 and September 2007, internal control systems raised 24 alerts when the value of Kerviel's trades exceeded authorized limits, the General Inspection department reported. At the time, the bank's risk monitoring unit put the anomalies down to recurrent problems with the way the trading software recorded operations, and asked Kerviel's superiors to make sure he didn't exceed limits again. The special committee made a number of recommendations, including the use of stronger, biometric authentication systems to prevent traders from accessing one another's accounts, and the improvement of alert procedures so warnings reach the appropriate managers. In addition, it suggests the tightening of trading controls, which do not cover cancelled or modified transactions — two of the tricks Kerviel used to conceal his bets. Auditors are still looking for suspect trades to make sure all have been uncovered, and investigators have yet to review Kerviel's use of an instant-messaging service for evidence of his activities, the special committee said. Meanwhile, on April 1, at a conference sponsored by Morgan Stanley, Oudea said the bank had tightened its IT security and access to its information systems, among other measures to improve its operational controls.
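As an added example, not from the article or from the bank's own systems, the toy control below shows in Python the two gaps the investigation described (trading controls that ignore cancelled or modified transactions, and limit alerts that never reach the right manager) beside a stronger check, together with the archive cross-check that exposed the fake confirmation e-mails; every trader ID, limit, threshold, address and trade is constructed.

```python
"""Toy position-limit control: weak version beside a hardened version.

The weak check looks only at live trades, so a bet that is booked and then
cancelled or modified before the check never shows up, and every alert lands
at a risk desk that can explain it away. The hardened check counts gross
activity across all trade states, flags churn of cancelled or modified
trades and escalates repeated alerts to a named manager. All values are
constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Trade:
    trade_id: str
    trader: str
    notional: float        # signed exposure in constructed units
    status: str = "live"   # "live", "cancelled" or "modified"


@dataclass
class Alert:
    trader: str
    reason: str
    route_to: str


LIMIT = 100.0  # authorised exposure per trader (constructed)
# Constructed routing table: which manager hears about repeated alerts.
MANAGER = {"t-001": "desk-head@example.test"}


def naive_exposure(trades):
    """Weak control: net exposure of live trades only."""
    exposure = defaultdict(float)
    for t in trades:
        if t.status == "live":
            exposure[t.trader] += t.notional
    return dict(exposure)


def naive_check(trades):
    """Weak control: alert only when the live net position breaches LIMIT,
    and always send the alert to the risk unit."""
    return [Alert(trader, f"live exposure {exp:.0f} > {LIMIT:.0f}", "risk-unit")
            for trader, exp in sorted(naive_exposure(trades).items())
            if abs(exp) > LIMIT]


def hardened_check(trades, history, churn_threshold=3, repeat_threshold=2):
    """Hardened control. `history` maps trader -> number of earlier rounds in
    which that trader tripped the control; it is updated in place."""
    gross = defaultdict(float)
    churn = defaultdict(int)
    for t in trades:
        # Gross activity counts every state: a cancelled or modified trade was
        # still a position the bank carried for a while.
        gross[t.trader] += abs(t.notional)
        if t.status in ("cancelled", "modified"):
            churn[t.trader] += 1

    alerts = []
    for trader in sorted(gross):
        reasons = []
        if gross[trader] > LIMIT:
            reasons.append(f"gross activity {gross[trader]:.0f} > {LIMIT:.0f}")
        if churn[trader] >= churn_threshold:
            reasons.append(f"{churn[trader]} cancelled/modified trades")
        if not reasons:
            continue
        history[trader] = history.get(trader, 0) + 1
        # A trader who keeps tripping the control is escalated to a manager
        # rather than being asked, again, not to exceed the limit.
        route = "risk-unit"
        if history[trader] >= repeat_threshold:
            route = MANAGER.get(trader, "risk-unit-escalation")
        alerts.extend(Alert(trader, r, route) for r in reasons)
    return alerts


def unverified_confirmations(claimed_ids, archive_ids):
    """Confirmation e-mails cited for a trade must exist in the mail archive;
    the ones the archive has no trace of are returned for investigation."""
    return sorted(set(claimed_ids) - set(archive_ids))


# Constructed ledger: t-001 books large bets and cancels or modifies most of
# them before the check, so the live net position looks harmless.
SAMPLE_TRADES = [
    Trade("T1", "t-001", 80.0),
    Trade("T2", "t-001", 90.0, "cancelled"),
    Trade("T3", "t-001", 70.0, "modified"),
    Trade("T4", "t-001", 60.0, "cancelled"),
    Trade("T5", "t-002", 40.0),
]


if __name__ == "__main__":
    print("naive:", naive_check(SAMPLE_TRADES))  # []  (nothing to see here)
    rounds = {}
    for day in (1, 2):
        for a in hardened_check(SAMPLE_TRADES, rounds):
            print(f"day {day}: {a.trader} -> {a.route_to}: {a.reason}")
    print(unverified_confirmations(["m-1", "m-2"], ["m-1"]))  # ['m-2']
```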
Lessons for IT
Perhaps some good may come out of Kerviel's apparent fraud and Société Générale's blindness to it: the incident may spur other companies' executives to talk about risk management and IT controls inside their businesses. Organizations tend to think of access as being binary in nature: you get access to it all, or you don't, says Ian Walden, professor of information and communications law at the University of London. In reality, there are many more levels of access. "In modern, complicated systems, the granularity has to be much more sophisticated." To make the best use of systems with advanced access controls, the IT department must have a thorough understanding of how the business works and where there is risk. But IT departments and business managers have yet to find a way to wrap security into business processes so it is not an impediment, Walden says. In the Ponemon Institute study, only 30 percent of respondents said their organizations make sure user access policies are validated and checked. Meanwhile, accountability for governing access to systems is diffuse. Twenty-nine percent of respondents said business units were most responsible, followed by application owners, corporate IT, human resources, information security and compliance organizations. EMA's Crawford says companies can begin to get a better handle on access risks by asking some basic questions. These include:
What kind of behavior anomalies would indicate you may have more risk exposure than you realized, and can you detect or recognize them?
Do high-level or high-risk employees have privileges that are so broad that checks and balances among individuals' duties become negated?
How effective are the controls assuring that such segregation of duties could be enforced?
Are your control systems or risk indicators subject to subversion?
Are there ways you can enforce more effective controls and still be able to capitalize on new business opportunities?
"Businesses are just now beginning to awaken to the controls within the IT environment," Crawford says. "If you're betting the farm and strategy on the IT controls, it behooves the organization to ensure that those controls are reasonably resistant to subversion."

With inputs from CSO staff writer Katherine Walsh and IDG News Service London. Send feedback on this feature to editor@cio.in

Five Ways to Manage IT Risks
Understand the risk. IT creates business risk, notes Scott Crawford, a security expert and research director with Enterprise Management Associates. Knowing what those risks are is the first step in managing them. The increasingly prevalent insider threat should be addressed through access control and identity management systems.
Treat IT risk management as a business investment. Aligning IT risks with business requirements will help you allocate the resources you need to manage those risks, Crawford says.
Reevaluate risks regularly. Periodic reevaluation of risks and controls should be part of any business's IT control strategy, not just when a problem occurs. Nevertheless, you should reevaluate your risk management strategies if your controls fail, as they apparently did at Société Générale.
Use the right controls, and make them secure. You can have all the controls in the world, but if they can be easily compromised they won't do you much good. Likewise, if you have the wrong controls, or not enough of them, you're equally ill-equipped to manage risk. Implement the proper controls and grant access to your systems to only the right people, Crawford advises. Then monitor and constantly reevaluate the controls.
Compliance isn't the same as security. Securing your systems and data may make you compliant, but being compliant doesn't necessarily make you secure. If your controls satisfy your regulatory requirements, but don't mitigate risk, then they are not adequate.
—Katherine Walsh
Information Security
Your information security may be great, but what about all the other players in your extended enterprise?
By Kerry Bailey

Reader ROI:
How extended enterprises open up security holes
The importance of assessing a partner's security
Why CIOs need to work with business to strengthen security

To say that the last few decades have introduced major changes to modern organizations, and the environment in which they operate, would be an understatement. One of the more notable trends is a shift away from isolated, ‘vertical’ enterprises to highly collaborative ‘horizontal’ networks of partners, suppliers, vendors and contractors that form what has come to be known as the extended enterprise. Fueling this transition is a need to remain competitive in an environment of rapid technological advancement, volatile markets and increasing global competition.
With today's organizations increasingly relying on the Internet for their internal and external business operations, any security decisions they make can have a serious impact on their partners. At stake is the overall security of the information infrastructure for the thousands of suppliers, collaborators and channel partners they interact with as part of the extended enterprise.

Although this business model brings numerous benefits to the organization, it comes at a price. The extended enterprise is reliant upon communication and accessibility among partners, which requires that higher levels of IT interconnectivity be maintained to facilitate these needs. By eliminating traditional layers of separation between organizations, IT-facilitated collaboration has simultaneously improved the ability to remain competitive while increasing exposure to an array of partner-related information security risks.

With each organization in the extended enterprise requiring access to critical business information such as product specifications, marketing plans and vast amounts of transactional data on product sales and movement within the supply chain, managing the security of this sensitive information flowing across the extended enterprise is a significant and under-researched topic.

Outsourcing and globalization are only adding to the complex security issue. In many industries, competition is quickly changing from firm against firm to extended enterprise against extended enterprise. Yet against this backdrop, companies are still making decisions about security with very limited information about the threats their systems face, the strength their systems offer to combat these threats and intrusions and the efficacy of additional security measures.

According to a recent survey by Cybertrust of more than 200 organizations worldwide, 75 percent of organizations felt that their business partners increased their levels of information security risk. It also found that some 13 percent of organizations terminated a business partnership because of information security concerns.

One participant in the Cybertrust survey summed it up with the following observation: "We get infected because partners are not keeping their machines up to date with anti-virus and OS patches. This is a real problem. Our IT department doesn't have control over what they do, yet we suffer the consequences of their poor practices."

The frustration apparent in this comment is not unique to a sole, disenchanted participant. Rather, it is the norm. The fact is, information security is no longer a predominantly intra-organizational problem; it is now very much an inter-organizational problem.

Surprisingly, while survey respondents overwhelmingly agreed with the need to monitor the security of their business partners, fewer than half actually assessed partner security. The study demonstrated, however, that organizations that did conduct business partner security assessments experienced a more than three-fold reduction in the likelihood of security incidents.

When asked if their organizations had suffered a security incident involving business partners within the previous year, 32 percent of respondents reported at least one type of incident, with an additional 12 percent unsure. Of those organizations reporting incidents, malicious code was the most prevalent, with 43 percent of respondents reporting infections. This was followed by unauthorized network access (27 percent), denial of service (9 percent), system abuse or misuse (8 percent), data theft (7 percent) and fraud (6 percent).

The survey also showed that while a good business partner is indeed a valuable asset, they are also unfortunately a rare find. According to 72 percent of respondents in the study, secure business partners are in short supply.

So while the 21st century connected organization stands to increase business productivity and competitiveness, it also increases the risk of security incidents. It is evident that they can no longer get by with inward-facing information security practices and policies alone, yet while there is recognition that they need to monitor and assess their partners' security practices, they are slow to implement the practices that will reduce their own security risks as they continue to engage with outside organizations.

However, some positive trends are also evident and they present a clear framework for organizations that need to take the first step towards a partner security program. First and foremost, partner assessments do in fact result in decreased security incidents: the Cybertrust study demonstrated that organizations conducting business partner security assessments experience a more than three-fold reduction in the likelihood of security incidents. That statistic alone makes the case for making partner security assessments part of an organization's own security practices.

Most importantly, information security needs to be truly a management-level decision, particularly as traditional strategic decisions, like choosing business partners, increasingly involve security ramifications. The survey revealed that when management sets a high priority on information security relating to business partnerships, security incidents are half as likely to occur. Making security and partner assessments a business decision rather than a technology decision only strengthens the effectiveness of an organization's overall security posture. CIO

75%: of organizations feel that their partners increase their security risk. Source: Cybertrust
13%: of organizations have terminated a partnership because of information security concerns. Source: Cybertrust

Kerry Bailey is senior vice president of global services for Cybertrust. Send feedback on this feature to editor@cio.in
Vol/3 | ISSUE/18 | REAL CIO WORLD | August 1, 2008
Anti-virus
As signatures proliferate, anti-virus vendors must ramp up other techniques for spotting and squashing malware.
By Michael Fitzgerald

Anti-virus software makes Greg Shipley so mad he has to laugh. "The relationship between signature-based anti-virus companies and the virus writers is almost comical. One releases something and then the other reacts, and they go back and forth. It's a silly little arms race that has no end." Shipley, CTO at Neohapsis, a security consultancy in Chicago, says the worst part is that the arms race isn't helpful either to him or his clients. "I want to get off signature-based anti-virus as rapidly as possible. I think it's a broken model and I think it's an incredible CPU hog."

Reader ROI:
Why enterprises should move past signature anti-virus
Why a single-technology approach is not enough
Why it is important to adopt new technologies to fight viruses
The question is, where should he go? Anti-virus as an industry has modeled itself on the human immune system, which slaps a label on things like viruses so it knows to attack them when it sees that same label, or signature, again. Signature-based anti-virus has moved well beyond that simple type of signature usage (though at the beginning, it did look for specific lines of code). In its current, more sophisticated form, it dominates the market for security software, despite some obvious limitations: you don't use it to stop data leakage, for instance, though many kinds of malware are designed to siphon data out of companies.

The number of malware signatures tracked by security software company F-Secure doubled in 2007, and while you might cynically expect such a company to say there's more malware out there, 2007's total doubled the number of signatures F-Secure had built up over the previous 20 years.

Even before 2007, there were plenty of people besides Shipley arguing that anti-virus was an industry in trouble. In fact, in 2006, Robin Bloor, an analyst at Hurwitz & Associates, penned a report titled ‘Anti-virus is dead.’ He argued that malware exists only because anti-virus software exists, and said that anti-virus software was doomed to be replaced by new forms of software, which he calls application control, or software authentication tools. Such tools whitelist the software we use and won't run anything else without the user's explicit permission.

Anti-virus firms think their death is greatly exaggerated, thank you very much, even those that aren't overly reliant on signatures, like BitDefender, which says that signature-based techniques account for only 20 percent of the malware it catches. "Signatures aren't dead and you need them," says Bogdan Dumitru, chief technology officer of the Romanian firm, which uses behavioral targeting techniques to stop the remainder of attacks. Its main research focus is to develop an ‘undo’ feature that will let users hit by malware reverse its effects. BitDefender hopes to release this feature in 2008.

Meanwhile, Bit9, the application whitelisting company highlighted in Bloor's report, uses anti-virus software to help build its database [...] kinds of anti-virus software, in fact. In November 2007, it announced a deal to give access to this database to security software maker Kaspersky Labs. Bit9 officials said that the database will help Kaspersky check new signatures to limit false positives. It's also true that anti-virus makers continue to sell billions of dollars worth of software, despite Bloor's proclamation.

Bloor, though, says, "The technique of protecting PCs using virus signatures is now on the wane," and rattles off a list of whitelisting companies offering software authentication tools, not just Bit9, but also companies such as Lumension (formerly SecureWave), Savant Protection, Computer Associates and AppSense. And he noted the Kaspersky deal and Apple's use of whitelisting to protect the iPhone.

Not Just Whitelisting

Anti-virus software has its uses. If a system is actually infected by malware, it "may be the least painful way of removing it," says David Harley, administrator of Avien, the anti-virus information exchange network, adding, "Whitelisting does seem to be advocated currently as the panacea du jour. I think this relentless search for the answer, discarding one partially successful solution set for something else in the hope that it will eliminate the problem, is actually unprofessional."

Harley makes that argument because he doubts that any single technology approach will be a 100 percent solution when it comes to security. He wrote that whitelisting thus is likely a supplemental technology for fighting malware, making it one of a host of newer technologies that have been adopted, including heuristics, sandboxing and behavior monitoring.

Corporate CISOs certainly don't expect to find one answer to their problems. "If you rely on signatures for security, you're pretty much dead in the water," says Ken Pfeil, head of information security for the Americas Region of WestLB, a German bank.

Pfeil thinks signatures are useful and his firm uses them. But when new malware appears, he often finds it faster to try to break it down himself to understand its potential effects, rather than to wait for his vendor to give him an update. His firm has also adopted tools that use heuristics techniques and anomaly testing, to add oomph to its anti-virus approach.

That kind of layered approach to software fits with where Natalie Lambert, an analyst at Forrester Research, thinks the market is going. She says that signature-based anti-virus is ‘table stakes’ for security software, and techniques like heuristic information processing systems, or HIPS, which looks for suspicious actions by software, like an application opening itself from the Temp folder. Lambert says McAfee is probably furthest along in using HIPS
among the big anti-virus makers, having had more time than its rivals to [...] new features added via corporate acquisitions. The downside to these technologies is that none are as simple and alluring as the old signature-based anti-virus, which she called a ‘set it and forget it’ technology. She notes that HIPS technologies are difficult to manage and will never be as simple as the old model, though she expects they will get easier over time.

Neohapsis's Shipley says none of these techniques are really new; he notes that it's been more than four years since McAfee purchased Entercept, for instance. But "what role does it play and what percentage of things does it stop? I have no visibility into that." Shipley says he plans to bring in Bit9 to look at whether it could really replace his current anti-virus software.

Anti-virus firms agree that they are becoming something different. Sophos, for instance, uses several additions to signature-based AV. Sophos examines program behavior: the modifications a program makes to things like system configuration and files as the program runs. The company has also built in a pre-execution algorithm, a kind of crystal ball to simulate what unfamiliar code looks likely to do. Richard Wang, manager of Sophos Labs in the US, says that while signatures are easy to create, things like pre-execution code are harder and thus take more time. But the payoff is that it can work against multiple strains of malicious software. He said that for the Storm worm, Sophos generated only one signature but has been able to recognize all the variants. Wang describes this type of technique as "almost like a broad-spectrum antibiotic."

Waging a war against malware

More than ever before, the threat of malware continued to hang over the heads of enterprise executives in 2007. Further proliferation is also a frightening possibility for 2008, according to some industry participants. Unlike problem-causing software bugs that are flaws in a computer program, malware is designed with the specific intent of causing detriment to the intended victims. As anti-malware tools became more effective, malware authors responded with more sophisticated attacks. ‘Self-defending malware’ first appeared last year in the form of Storm Botnet.

Global data security company F-Secure conducted a worldwide survey in the second half of last year to assess 2007's data security situation. The survey results were chilling. Some 250,000 different types of malware, including new ones and variants, were found in 2007, the same total from the previous 20 years. "The numbers were staggering because the bad guys were making money trading viruses," said Patrik Runald, F-Secure's senior security specialist. "Just like any other business, they want to improve and constantly evolve." Improved detection abilities of anti-malware software also account for the higher statistics, Runald said. "Malware authors are not necessarily releasing anything groundbreaking. It might simply be a new variant to avoid detection from signature-based anti-virus products. They can even release multiple malwares a day, depending on who they think they're fighting." Behavior-based technology proactively looks out for bad file behaviors such as unauthorized system modifications or website downloads. "Phishing that targets online banking services is another major threat, especially in Asia," Runald warned. But to fight malware, it takes two hands to clap. "Enterprises should enable employees to help by ensuring they are aware of the threats and feel as part of the solution, not just part of the problem," Runald said. —Jared Heng
Child's Play?

Interestingly, the OLPC XO (from the One Laptop Per Child Foundation) is another place to look at new AV techniques. The XO uses the Bitfrost specification, developed expressly for this simple computer. OLPC claims that the system is both drastically more secure and provides drastically more usable security than any mainstream system currently on the market. The OLPC XO ships in a default mode that is basically locked down but simple for the user to open up. The Bitfrost specification uses a series of built-in protections, including sandboxes or program jails for applications and system-level protections that prevent alterations from code that could do something harmful. Whether Bitfrost would work in a corporate environment or will be commercialized outside the OLPC project is unclear. But Avien's Harley, for one, thinks that there are psychological reasons why anti-virus software is unlikely to go away. "The idea of a solution that stops real threats and doesn't hamper non-malicious objects and processes is very attractive. People (at any rate, those who aren't security specialists) like the idea of threat-specific software as long it catches all incoming malware and doesn't generate any false positives, because then they can just install it and forget about it. Unfortunately, that's an unattainable ideal." Note to Greg Shipley: don't hold your breath on getting rid of your anti-virus software. CIO
Michael Fitzgerald is a freelance writer based outside of Boston. Send feedback on this feature to editor@cio.in
Data loss prevention software can be your answer to guarding data without hampering business. But with so many flavors, how do you know what to choose? Here's what to look for.

By Mary Brandel

Data loss prevention (DLP) tools — also known as data leakage prevention or content monitoring and filtering (CMF) tools — are intended to prevent inadvertent or intentional exposure of sensitive enterprise information. According to consultancy Gartner, they do this by identifying content, tracking activity and potentially blocking sensitive data from being moved. When Jack in accounting tries to e-mail customer records to his home PC — or perhaps copy the data to a USB drive — DLP software can warn Jack and/or stop the action.

Reader ROI:
What data loss prevention is
Why blocking data transfers is not the answer
What to consider when looking at DLP solutions
Applications
The tools can be classified in three groups: network-based tools, which sit at the edge of the network, monitoring data flowing through the network and in some cases filtering or blocking data movement. Host-based tools, which require an agent to be installed on individual PCs and servers to monitor static data on these systems and, in some cases, block or control actions that users can take. And systems that combine both of these capabilities.

Ultimately, Gartner says, tools will not only monitor but also block any channel on the network and hosts from which data can be stolen, including the network interface, within the operating system and between applications. This requires much deeper integration with servers and desktops. For instance, agents running on local hosts could stop someone from downloading sensitive data through a USB drive, printing it and walking out the door.

Gartner says its clients find host-based systems more difficult to manage and less sophisticated in detections. "If someone came onto the network with a laptop [that didn't have an agent installed on it], they could gain access to files, and you'd never have insight into that activity," says Rich Mogull, research VP at Gartner. He sees host-based capabilities as critical but believes a combo of both approaches is ideal. "You should have one management console for data discovery, data in motion, data in use and data on the endpoint system," he says.

Here are critical dos and don'ts for evaluating and using DLP tools, based on input from CSOs and analysts:

Do think about network requirements. Nearly every DLP product claims to support Gigabit Ethernet speeds without packet loss or significant latency, according to Gartner; however, the company says, few products can actually function at gigabit speeds in a production environment. Here's what Gartner says companies need in terms of relevant sustained bandwidth.
Large: 200M bps to 500M bps
Medium: 50M bps to 200M bps
Small: Less than 50M bps

When Scott Mackelprang, VP of security and compliance at Digital Insight, used a tool from Tablus, he worked closely with the network folks. "Tablus sends out agents across the network, so they were afraid we'd clobber it," he says. "I'd advise people to involve the network people so they can dissolve those concerns up front." He says Tablus controls the movement of agents in a way that protects the network.

Do figure out what you're trying to protect. Jon Oltsik, senior analyst at Enterprise Strategy Group, says, "It's important to start with some sort of requirement, some question you want answered." For instance, are you looking for access control violations, accidental data exposure issues or to reinforce policies? Are you mainly concerned with protecting private data, such as personally identifiable data, in order to comply with government regulations, or do you need to protect intellectual property that, if exposed, could damage your competitive advantage?

Do pilot DLP tools in your own environment. You need to do this before deciding which tools will work best for you, Oltsik says. "Everyone talks about how their detection is better than others, but there's no way to tell without running a few products side by side in your environment, on your data, with a couple of your rules." See which ones come up with the most alerts and which have the most false positives and negatives. "If you don't, you're really taking a risk, no matter how good the presentation is," Oltsik says.

Don’t buy a DLP product to guard against malicious activity such as data theft. According to Gartner, the tools are actually better at helping companies identify bad security practices and accidental data leakage. As the technology evolves toward combination host- and network-based products, it will deal more directly with the problem of malicious attacks, Gartner says. But current systems will stop only the most basic of criminal activities. For instance, network capabilities alone can't detect sensitive data that doesn't pass through one of the DLP network sensors, while host-based systems can't detect anything on a non-managed system, Gartner points out. "They'll stop the ill-informed, dumber bad guys, but not the ones who know the tools are in place," Mogull says.

Don’t get confused between USB blockers and DLP products that — through end point agents — enable you to prevent sensitive data from being copied onto USB devices. The original USB blockers lack content awareness, says Gartner; that is, they block copying altogether, not just the copying of particular data. On the other hand, some companies offer products that make content-based decisions. For instance, they'll prohibit copying of files from certain servers, certain file types or files containing Social Security numbers.

Don’t rush into blocking. More products are emerging that can block users from performing certain actions on sensitive data, such as copying, printing or e-mailing. However, users like Randy Barr, chief security officer at WebEx Communications, would prefer to be notified when users do something that's against security policy rather than stop them outright. That's because, when he deployed a network-based tool from Reconnex two years ago, he found that 80 percent of the violations occurred because employees were unaware of regulatory rules or company policy. For instance, some employees were e-mailing files with sensitive data over the Web to their home computers when they wanted to work from home. And in one case, a vacationing employee revealed his user ID and password to a co-worker over an instant messaging session so that the co-worker could get some needed information on his personal drive. "It helps us identify violations so we can go in and do some quick awareness training," Barr says.

Barr is also concerned that blocking would hinder some employees from performing essential job tasks. "I don't want to hinder them — I want to audit what they're doing," he says. "I wanted a tool that would provide awareness to employees and also log an alert to me." Besides, he says, blocking may actually encourage someone intent on criminal activity to find other means to transport data. "If they're really malicious, they may find other ways to take the data, like storing it on an iPhone, an iPod or a USB," he says. He has looked into tools that block copying data to external drives, but for now, he'd rather be alerted and have the tool tell the user it's against policy. "Understanding network activity is the first step to knowing what to do to improve your overall security program," he says. "Going in blind and installing prevention at the desktop won't give you the visibility you want."

Do inform your employees they're being monitored. Not only does this let employees know what you're capable of doing, but it also teaches them what they need to do to protect sensitive data. After deploying a tool from Vericept, Sharon Finney, information security administrator at DeKalb Medical Center, says the healthcare organization disclosed to employees that it fully monitors every piece of data that crosses the network, internally and externally, even requiring employees to sign a form saying they understand this.

Do make sure the tool has built-in capabilities to detect what is most important to you. When Finney went looking for a DLP tool four years ago, the main motivation was compliance with HIPAA, as well as monitoring employee Web use. "We allow some limited personal use of the Web, so we assumed a certain amount of risk in terms of what people posted to external Web sites or attached in their e-mail," she says. That's why Finney chose a tool that could monitor Web use and had built-in HIPAA rules.

Do consider data at rest. The main reason that Mackelprang decided to deploy Tablus was not to see sensitive data flowing over the network or outside the enterprise but what was sitting on people's desktops. "Such a large percent of data that gets exposed is on stolen laptops, when people didn't even know the data was on there," he says. "It's bad processes, not ill intent."

Do find a tool with lots of flexibility in terms of data handling. At DeKalb, Finney plans to start using the blocking capabilities of the Verdasys tool, but she also wants to use its self-compliance feature. When the tool flags sensitive data, it gives users options on actions they can take, like encrypting the data. "Some people think blocking is disruptive, but we allow users the ability to do what they think needs to be done with the information." Mackelprang is also happy with the fact that Tablus allows him to quarantine data, encrypt it, quarantine and encrypt it or just alert him of a breach. "If you're just starting out, you might want it to just alert you for a while until you educate users to change their process, and then later, after they're sensitized, if there's a clear violation, you can crack down," he says. "It allows the tool to grow with maturity." CIO

300%: The amount by which the market for data loss prevention has grown between 2006 and 2008. Source: Gartner

Gartner, which says this market tripled from $50 million (about Rs 200 crore) in 2006 to $150 million (about Rs 600 crore) in 2007, offers the following functions as basic requirements for DLP software:
Perform content-aware, deep packet inspection on network traffic, including e-mail and other protocols.
Track complete sessions — not individual packets — for analysis.
Use statistical and linguistic analysis techniques beyond simple keyword matching for detection (for example, advanced regular expressions, document fingerprinting or machine learning).
Detect, block or control the usage of (for example, saving, printing or forwarding) specific content based on established rules or policies.
Monitor network traffic for, at least, e-mail traffic and other channels/protocols (HTTP, IM, FTP) and analyze across multiple channels, in a single product and using a single management interface.
Block, at a minimum, policy violations over e-mail.

Gartner's suggestions to narrow down your list of DLP products.
Channels. How many protocols does the product cover, and is it capable of decoding the protocol? The market is rapidly moving toward multiple-protocol decoders, Gartner says.
Blocking. Not all products perform blocking, and some block only on certain channels.
E-mail. Most products block e-mail first and enable quarantining, re-routing, blocking, encryption and other more complex handling rules, Gartner says. Few products today monitor internal e-mail, but some provide Microsoft Exchange or Lotus Notes integration. Users should be cautious of products that monitor e-mail passively or block SMTP traffic.
Detection techniques. Options include rule-based detection, document fingerprinting, database matching and statistical analysis. Some products have more kinds of classifications than others, like financial data, credit card data or whether people have hacking scripts on their desktop.
Data-at-rest content discovery capabilities. Some products automate the discovery of where sensitive data resides. Understanding where your data is is an important [...]. —M.B.
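The detection techniques named in Gartner's requirements and suggestions above (a validated regular expression and document fingerprinting rather than plain keyword matching) and the alert-versus-block choice the CSOs describe can be seen together in a small content classifier. This is an added example written for this page, not Gartner's or any vendor's code; the protected document, the outbound message, the shingle size and the match threshold are all constructed.

```python
"""Toy content-aware DLP classifier (constructed example, not vendor code).

Two detection techniques from the Gartner list are combined: a validated
regular expression for US Social Security numbers (stricter than keyword
matching) and document fingerprinting with hashed word shingles, so a
partial copy of a protected document is still recognised. A policy then
maps each match to ALERT or BLOCK, which lets a deployment run in
alert-only mode first and switch blocking on later.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Stricter than a bare \d{3}-\d{2}-\d{4}: area 000, 666 and 900-999, group 00
# and serial 0000 are never issued, so they are rejected as false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

SHINGLE_SIZE = 5       # consecutive words per shingle (assumed value)
MATCH_THRESHOLD = 0.3  # share of a document's shingles that must reappear


def shingles(text: str) -> set:
    """Hash every run of SHINGLE_SIZE consecutive words, case-folded."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    out = set()
    for i in range(len(words) - SHINGLE_SIZE + 1):
        chunk = " ".join(words[i:i + SHINGLE_SIZE])
        out.add(hashlib.sha256(chunk.encode()).hexdigest()[:16])
    return out


@dataclass
class Fingerprint:
    name: str
    shingles: set = field(default_factory=set)


def fingerprint(name: str, text: str) -> Fingerprint:
    """Register a protected document; only hashes are kept, not its text."""
    return Fingerprint(name, shingles(text))


def overlap_ratio(message_shingles: set, fp: Fingerprint) -> float:
    """Fraction of the protected document's shingles present in the message."""
    if not fp.shingles:
        return 0.0
    return len(message_shingles & fp.shingles) / len(fp.shingles)


@dataclass
class Policy:
    # Alert-only by default, following the "don't rush into blocking" advice.
    block_ssn: bool = False
    block_fingerprint: bool = False


@dataclass
class Verdict:
    action: str     # "ALLOW", "ALERT" or "BLOCK"
    reasons: list


def inspect(message: str, fingerprints: list, policy: Policy) -> Verdict:
    """Classify one outbound message against the SSN rule and fingerprints."""
    reasons, block = [], False
    ssns = SSN_RE.findall(message)
    if ssns:
        reasons.append(f"{len(ssns)} SSN(s) found")
        block = block or policy.block_ssn
    msg_shingles = shingles(message)
    for fp in fingerprints:
        ratio = overlap_ratio(msg_shingles, fp)
        if ratio >= MATCH_THRESHOLD:
            reasons.append(f"{ratio:.0%} of '{fp.name}' fingerprint matched")
            block = block or policy.block_fingerprint
    if not reasons:
        return Verdict("ALLOW", reasons)
    return Verdict("BLOCK" if block else "ALERT", reasons)


# Constructed sample data: a protected document and an outbound e-mail body
# that pastes most of it (the "work from home" case the article describes).
PROTECTED_DOC = (
    "Q3 marketing plan: launch the new loyalty programme in October, target "
    "the top 500 accounts, and hold the price increase until the partner "
    "channel has been briefed."
)
LEAKED_MESSAGE = (
    "FYI, sending this home so I can work on it tonight: launch the new "
    "loyalty programme in October, target the top 500 accounts, and hold the "
    "price increase until the partner channel has been briefed."
)

if __name__ == "__main__":
    fps = [fingerprint("Q3 marketing plan", PROTECTED_DOC)]
    samples = (LEAKED_MESSAGE, "Employee record: 123-45-6789", "Lunch at noon?")
    for text in samples:
        for policy in (Policy(), Policy(block_ssn=True, block_fingerprint=True)):
            v = inspect(text, fps, policy)
            print(f"{v.action:5} {v.reasons} <- {text[:40]!r}")
```

Run in alert-only mode the leaked excerpt produces an ALERT with the matched share of the fingerprint; flipping the policy flags turns the same match into a BLOCK without changing the detection logic.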
Mary Brandel is a freelance writer. Send feedback on this feature to editor@cio.in
Communication
Communication skills are the number one requirement for leadership success in security. Step one in communication is understanding the language and priorities of the business.

By William Brandel
Illustration by PC Anoop

It never fails. Ask security executives to name the biggest boon or detriment to their careers, and they'll respond with the same answer: communication skills. This isn't news. But what does ‘communication skills’ really mean, particularly when seen in the context of a security leader's success? Perhaps the answer can best be gleaned from a close look at an actual communication breakdown. Before Russell Walker became the VP of information security at Starbucks in Seattle, he was a security consultant, a role that tends to provide an unvarnished view into corporate dysfunction.

Reader ROI:
Why communication skills are important
How to clearly convey a message to your audience
Why it is important to know how and when to communicate your ideas
While working with an East Coast financial firm, he witnessed the not-so-rare occasion where a CSO struggled mightily and repeatedly failed in his efforts to sell a new Internet security solution to management. "His message to management was, 'We're vulnerable.'" Walker says. "The audience was thinking, ‘What's vulnerability? What does this have to do with me?’” What they were saying, Walker says, was, "show me how to quantify my exposure and calculate the risk to my business." So, instead of trying to sell the project through yet another presentation, the CSO tried a different format: a live demonstration. "We demonstrated how easy it was to break into the site and get personal info on the executives in the room," Walker says. "We showed we could get their salary, their 401(k) contributions and where they lived. Suddenly, the issue of personal identification and vulnerability resonated with them. It became personal." This anecdote helps underscore the various components of communication for the security executive. It was based on a format that conveyed the message. The demonstration used just enough information to get attention but not so much that it embarrassed or put off anyone in the room. In short, it was sensitive to its audience. In other words, you can write, speak and present until you're blue in the face, but unless you know how to reach your audience, you lack the communication skills needed to help provide adequate security to your company and be part of its success. In other words, you're really not communicating until the other party — most notably, the holders of the budgetary purse strings — can actually understand you. Sensitivity to the audience and its context is a cornerstone of excellent communication. This is especially important for executives who function in widely distributed business operations. 
Just as the security strategy for an East Coast financial services concern will be far different from that for a West Coast entertainment company, so is the business culture that permeates these organizations. At the same time, what is an acceptable tone for one region within the US, or the world, may be offensive or unacceptable in another. One CSO cites an example where a simple, to-the-point message about compliance at a finance company out of the New York City headquarters was received as a reprimand on the West Coast. The result was that the company spent more time focusing on the insensitive tone of the message than on its contents.
Always Number One
Respondents to the State of the CSO 2008 peg communication as the most critical leadership skill.
What personal skills or attributes are most pivotal to your success as a security leader? (Multiple responses possible.)
Ability to communicate: 63%
Strategic thinking and planning: 50%
Understanding business processes and operations: 47%
Understanding strategy in your industry: 35%
Ability to lead and motivate staff: 30%
Technical knowledge/skills: 20%
The Art of Clarity The fine art of communication calls for one person to clearly convey a concept to another. This involves understanding what people need to know, what the substance of the message should be, and how and when it should be conveyed. To do this effectively, the communicator must be cognizant of the context of the necessary communication and be highly sensitive to the information needs and mode of reception of their audience. For a person focused on physical break-ins, phishing attacks and intellectual property theft, this basis for communication might seem a bit low on the priority list. However, for those who want their security initiatives to be understood, valued, approved and abided by, it is the key to their survival. "Companies are no longer willing to forgive a lack of excellent communication skills," says Jeff Snyder, president of SecurityRecruiter.com. Snyder says that unlike five to six years ago, when companies were scrambling to gain a new security footing, today they are no longer willing to compromise on effective communication skills or on a strong security background. "They want it all," Snyder says. "The cake, the ice cream and whipping cream on top."

You can write, speak and present until you're blue in the face, but unless you know how to reach your audience, you lack the communication skills needed to help provide adequate security to your company and be part of its success. You're really not communicating until the other party can actually understand you.

In short, when a company says it's looking for a security executive, it's seeking someone with the same business skills as any other departmental leader in the organization, who also just happens to know how to prevent, identify and thwart threats to that company and its employees.

The fact that expectations are being raised might put more pressure on security executives to be well-rounded in their skill set, but it's the price for having arrived, says Paul Argenti, professor of corporate communication at the Tuck School of Business at Dartmouth College, in Hanover. In the 1990s, the emphasis for security executives was a more technical one, he said. Then, after 9/11, companies placed more emphasis on physical security.

Argenti says that many security executives today are discovering that "the skills that once made you successful as a security professional may have had very little to do with communication." But that's no longer the case. Communication skills must be "embraced as an added value throughout the organization." The role of the security executive is following the natural progression of maturity that other disciplines, such as information technology and human resources, have followed, Argenti says. The real and perceived threats to a company's assets have raised the visibility of security in many companies. Senior management have responded by hiring security expertise and investing in security systems. After elevating security to a strategic function, most organizations have naturally attempted to integrate it into the wider organization. As a result, people who came from a law-enforcement or military background often have found themselves in the midst of corporate restructuring.

And it has been in this environment, where communication is perhaps the most critical tool for survival, where security professionals and their employers have discovered whether the right level of communication skills are in place.

59% of IT practitioners believe that they have spent more time on regulatory compliance than before. Source: State of the CSO 2008

While communication is a universal human experience, the language of security is not one that is universally shared or understood. This nomenclature and terminology may be immediately recognizable between two security professionals. However, it can be indistinguishable to downright frightening to people who speak the language of business, says Howard Schmidt, former White House cybersecurity adviser. Schmidt started his career in law enforcement and had benefited from doing public speaking in performing that role. However, even with that background, he found that as he made the transition into the business arena his communication skills still fell short. Schmidt was fortunate. A supervisor not only made him aware of this but helped mentor him early in his career. "He said, 'you need to develop a dialogue on the business of security, and not just security,'" Schmidt says.

Security people tend to focus on what could go wrong and how to avoid it. This is often not only off the radar for many businesspeople, but it is often demoralizing and can tend to get tuned out. "When you just talk about bad things, and bad things don't happen, you just lose your credibility."

The major struggle for many security executives is to demonstrate that they understand that they are part of the business equation, says Bob Hayes, managing director of the Security Executive Council, based in Washington, D.C. "If communication is cited as an issue, it is often because of the failure to demonstrate alignment with their company's strategic objectives," Hayes says. "Management today expects a strong security system as a given," Hayes says. "The question is, what is a reasonable amount of risk? Can you add value while you provide security?"

As for which skills a security executive should be proficient in, the answer is simply: all of them. Strong writing skills are needed to communicate in a global environment. Speaking skills — knowing not only what to say but how to say it — are critical as well. This is especially important when you're interacting with other executives, who don't have the luxury of time to figure out your message. Presentation skills are extremely important, to know how to make the point in front of a board or management team.

Like any skill set, security executives have to play to their strengths but work on their weaknesses. While business schools are now offering communication seminars, security executives should not hesitate to take Dale Carnegie courses or join groups like Toastmasters to help hone their public speaking skills, says recruitment manager Snyder.

Perhaps the single most important communication mission for the security leader is to effectively articulate the value proposition of the security discipline, and its inherent programs, to the audience it is intended to serve and protect. In this sense, security executives need to be more masterful in communication because they address a world filled with evolving threats and compliance requirements. But it must be done so in a way that encourages adoption of program practices and is seen as aligned with business objectives.

"It's our job to get everyone on the same page," says Starbucks' Walker. "We do that by building awareness. We do that by repeating the message over and over. We do that by using whatever tools we need to reach our audience." CIO

Send feedback on this feature to editor@cio.in.

August 1, 2008 | REAL CIO WORLD | Vol/3 | ISSUE/18
Survey

CIO-PwC's Global State of Information Security Survey (data applies to Indian CIOs only)

The charts on these pages survive only as scattered labels and percentages; a value is given below only where its pairing with a label is unambiguous.

22%: the percentage of Indian CIOs who reported 3 to 9 security incidents during the last year.

How many security incidents did you face? 1-2: 21%; 3-9: 22%; 10-49: 8%; 50-499: 3%.

Who was behind the breach? Employee 43%; Former employee 28%; Partner/Supplier 12%; Customer 11%; Hacker 33%. Threats from inside account for 83% of breaches.

How was your organization impacted? Categories: brand/reputation compromised; financial losses; intellectual property theft; loss of shareholder value; extortion; legal exposure/lawsuit (individual values not recoverable).

What type of security incident occurred? Like surveys from previous years, the percentage of Indian CIOs who don't know the type of security incident remains high. Categories: company home page altered/defaced; unknown; application exploited; fraud; network exploited; data exploited; human exploited (social engineering); device exploited (individual values not recoverable).

You conduct more risk assessments than your peers in the U.S.

A Colleague Told You So: 42% of the time, IT found out about a breach from a colleague. Who alerted you of a security event? (Respondents checked all that applied.) Analysis of server or firewall logs and files 46%; intrusion detection/prevention system 40%; managed service provider 19%; security event correlation software 9%; also listed: security monitoring software, IT staff, customer/supplier.

How serious is your company about I.S.? Frequency of enterprise risk assessment (India vs. US): twice a year (or more); once a year; less than once a year; don't conduct an enterprise risk assessment (values not recoverable).

Number of information security employees in your organization (India, US, China): 0; 1; 2; 3 to 5; 6 to 10; 11 plus (values not recoverable).

You employ more inside the security department...

How well are your company's security policies aligned with business objectives? Completely aligned 40%; somewhat aligned 50%; poorly aligned 6%; not aligned 4%.

In 2007, did your company review its I.S. policies and procedures? No: 36%; 8% don't know.

You are arming yourself: spend on information security in the last year (US, India, China), by bracket: less than $10,000; $10,000 to $49,999; $50,000 to $99,999; $100,000 to $499,999; $500,000 to $999,999; $1 million to $1.9 million; $2 million to $4.9 million; $5 million and above (values not recoverable).

You plan to spend more than some of your peers in the next 12 months: increase more than 30%; increase 11-30%; increase up to 10%; decrease 11-30%; decrease more than 30% (values not recoverable).

But are the right folks listening to you? Who do you engage in addressing information security concerns? Both business and IT decision makers 58%; IT decision makers only 30%; business decision makers only 6%; neither 6%.

Percentage of CIOs who say 75 to 99% of their users are compliant with I.S. policies (China, India, Australia, US, New Zealand, Singapore): values not recoverable.
Ensuring Security with Rightful Access Striking a balance between security and flexibility is the big question CIOs face today. CIO Magazine reached out to IT leaders in six Indian cities to evaluate the risks their systems are prone to and what they do to tackle them.

With the increase in threat to information, the concern over securing it has become an issue of paramount importance to organizations. Surveys show significant increase in the number of companies adopting systems that are compliant with security policies of international standards. However, the question that haunts the CIOs across organizations is that with the tightening of security, is agility being compromised? Is this making them lose on the performance front? Alternatively, if they ensure enough transparency and availability of information in the system, confidentiality is taken for a ride. It's the small percentage of bad guys in a system whose existence forces the need to create walls and convert the organization into a fortress. In this frantic effort to safeguard themselves against these threats, they usually forget to create enough windows and doors for the good guys who bring revenue to the business.

From left: Alaganandan Balaraman, VP, Britannia, Bala Giridhar, VP, Wipro Technologies, Charles Padmakumar, VP, Aricent, Shashi Ravulapaty, CTO, Reliance Consumer Finance

AUGUST 1, 2008 | CIO CUSTOM PUBLISHING
CIOs Perspective: Organizational Agility Vs. Higher Security A CIO is not only responsible for ensuring security of information on his network within the organization but also for enabling its eligible users to have access to required information. The greatest challenge for a CIO is to strike the right balance so that security, compliance and operability work hand in hand. Voicing the challenges that CIOs face on this front, Shreehari Padmanabhan, Lead Consultant Information Risk Management, Wipro, said that cost optimization is the biggest pressure with them. It's a major concern to bring in efficiency as well as operability. Still, security cannot be compromised. Ganapathy Subramaniam, Global Security Lead, DCN Infrastructure Support Unit, Accenture, says that security and usability are inversely proportional factors. If one is given more importance, it's quite obvious that the other would lag. To N.S.N. Pillai, Head Risk Management and Information Security, Ashok Leyland, availability takes the lead position. He says the importance of these factors varies from business to business. At this, Javed Ahmed, CIO, Sterlite Limited (Power Transmission Division), pointed out that all the data in an organization should be classified and then given role-based access. Classifying it at first may cause some inconvenience but it will make it easier to deal with it later. Burgess Cooper, Head IT Security, Vodaphone, agrees that both are equally important, but the business judgment of drawing a defined line between the two is important. According to him a CIO's role is to ensure security but ultimately accountability is with the business. He also
Col. A.J. Vijaykumar, Head Security Operations, Tata Communications, adds that in order to keep a check on the misuse of data, it should be made available on a need-to-know basis and not a nice-to-know basis. Charles Padmakumar, VP, Aricent, says, "People usually conceive security as an IT prerogative. Whereas, all the departments are responsible towards this as all have access to different kinds of information. If the business understands this responsibility then only will people take security guidelines and policies seriously." To Shashi Ravulapaty, CTO, Reliance Consumer Finance, balancing between the two is a continuous act. He adds, "The two factors are equally important as we are dealing with important data that drives the whole business. You need to have a stringent security policy in place as the data that resides in your servers may be sensitive to your customer. We also have a responsibility to build more doors so that this data reaches the right people."
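Ahmed's classify-then-grant-by-role approach and Vijaykumar's need-to-know rule can be expressed as a small policy check, and the same check is where the report's later point about tools that stop people copying sensitive data belongs. The block below is an added example written for this article, not code from any panelist's organization: the classification levels, roles, departments, assets, user logins and the `may_export` entitlement are all constructed for illustration. It evaluates clearance first, then need-to-know by owning department, then whether the caller is entitled to copy sensitive data out of the controlled system, and marks which decisions should alert the security team rather than merely be logged.

```python
"""Classification labels plus role-based, need-to-know access checks with alerting.

Added example, not from the event report or any vendor product. Roles, assets
and users are constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List


class Level(IntEnum):
    """Classification levels, ordered so '>' means 'more sensitive than'."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Asset:
    name: str
    level: Level
    owner_dept: str                 # department with the business need to know


@dataclass(frozen=True)
class Role:
    name: str
    clearance: Level                # highest level the role may read
    departments: FrozenSet[str]     # departments whose data the role needs to know
    may_export: bool = False        # entitled to copy data out of the controlled system


@dataclass(frozen=True)
class User:
    login: str
    role: Role


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    alert: bool = False             # True: notify the security team, not just log


# Hypothetical roles, assets and users (assumptions for this example).
ROLES = {
    "marketing_manager": Role("marketing_manager", Level.CONFIDENTIAL, frozenset({"marketing"})),
    "engineer": Role("engineer", Level.INTERNAL, frozenset({"engineering"})),
    "finance_analyst": Role("finance_analyst", Level.CONFIDENTIAL, frozenset({"finance"})),
    "data_protection_officer": Role("data_protection_officer", Level.RESTRICTED,
                                    frozenset({"marketing", "finance", "engineering"}),
                                    may_export=True),
}
ASSETS = {
    "customer_db": Asset("customer_db", Level.CONFIDENTIAL, "marketing"),
    "eng_wiki": Asset("eng_wiki", Level.INTERNAL, "engineering"),
    "press_release": Asset("press_release", Level.PUBLIC, "comms"),
    "payroll": Asset("payroll", Level.RESTRICTED, "finance"),
}
USERS = {
    "asha": User("asha", ROLES["marketing_manager"]),
    "raj": User("raj", ROLES["engineer"]),
    "meera": User("meera", ROLES["finance_analyst"]),
    "dpo": User("dpo", ROLES["data_protection_officer"]),
}


def check_access(user: User, asset: Asset, action: str) -> Decision:
    """Decide whether `user` may `read` or `export` `asset`.

    Order matters: clearance, then need-to-know, then the export entitlement.
    A denied attempt on CONFIDENTIAL-or-higher data alerts even though it was
    blocked; a permitted export of such data alerts too, so bulk copies are
    seen by the security team and not only the failures.
    """
    if action not in ("read", "export"):
        raise ValueError(f"unknown action {action!r}")
    sensitive = asset.level >= Level.CONFIDENTIAL
    role = user.role
    if asset.level > role.clearance:
        return Decision(False, f"{role.name} is cleared to {role.clearance.name}, "
                               f"{asset.name} is {asset.level.name}", alert=sensitive)
    # PUBLIC data needs no need-to-know; anything else is limited to the owning department.
    if asset.level > Level.PUBLIC and asset.owner_dept not in role.departments:
        return Decision(False, f"{role.name} has no need-to-know for {asset.owner_dept} data",
                        alert=sensitive)
    if action == "export" and sensitive:
        if not role.may_export:
            return Decision(False, f"export of {asset.level.name} data requires an export "
                                   f"entitlement", alert=True)
        return Decision(True, "export permitted; recorded for review", alert=True)
    return Decision(True, f"{action} within clearance and need-to-know")


def audit(user: User, asset: Asset, action: str, log: List[str]) -> Decision:
    """Evaluate and append one audit line; ALERT lines are what a SIEM rule keys on."""
    d = check_access(user, asset, action)
    tag = "ALERT" if d.alert else ("ALLOW" if d.allowed else "DENY")
    log.append(f"{tag} user={user.login} asset={asset.name} action={action} "
               f"allowed={d.allowed} reason={d.reason}")
    return d


if __name__ == "__main__":
    trail: List[str] = []
    audit(USERS["asha"], ASSETS["customer_db"], "read", trail)     # allowed, quiet
    audit(USERS["asha"], ASSETS["customer_db"], "export", trail)   # blocked and alerted
    audit(USERS["raj"], ASSETS["customer_db"], "read", trail)      # clearance too low
    audit(USERS["meera"], ASSETS["customer_db"], "read", trail)    # cleared, no need-to-know
    audit(USERS["raj"], ASSETS["press_release"], "read", trail)    # public: any department
    audit(USERS["dpo"], ASSETS["customer_db"], "export", trail)    # entitled, still alerted
    print("\n".join(trail))
```

The ordering is deliberate: a finance analyst cleared to CONFIDENTIAL is still refused marketing's customer database because need-to-know is checked independently of clearance, and a permitted export of confidential data is alerted anyway, since a legitimate bulk copy and a manager mailing a customer list to a personal address look the same until someone reviews the record.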
Opening Doors by Building Trust Some CIOs feel that fostering a sense of trust among employees can help.
From top: Sunil Mehta, Sr. VP & Area Systems Director (Central Asia), JWT, Sunil Rawlani, Head-IS & Tech, HDFC Standard Life, Sanjeev Kumar, CIO, Philips Electronics (Lighting Division), Sachin Jain, CIO, E-Valueserve, Rajeev Seoni, CTO, Ernst & Young
From left: Pramod LNS, Deputy General Manager IT, HCL BPO, Javed Ahmed, CIO, Sterlite, Rajendra Erande, Group Advisor IT, Thermax, Burgess Cooper, Head IT Security, Vodaphone
Sanjeev Kumar, CIO, Philips Electronics (Lighting Division), says, "Trust is very easy to break whereas it's very difficult to build. At Philips, we make everyone in the organization feel connected to IT and make everyone feel responsible for whatever they are doing. We must challenge existing compliance standards. It should move in a cycle — evaluate, challenge, educate and reinforce." Rajeev Seoni, CTO, Ernst & Young, points out that developing trust amongst employees cannot be achieved by the IT department alone. It largely depends on the culture and value system in the organization. Lots of organizations find pride in their value systems. What IT can do is to increase awareness in terms of various security policies by making them feel more responsible towards the data they handle. BLV Rao, VP, Networks and Systems and CISO, Infotech Enterprises, believes that one should try to avoid suspecting all employees. It's only a small percentage of employees that contribute to the bad guys in an organization, but the good guys that bring revenue to the company are there in a large proportion. D. Chandra Sekhar, AGM IT, Midhani, adds to this and says, "Trust comes voluntarily. It's good to trust your employees but it's also important to analyze the risk level and breach of compliance — password sharing is like breaking into your system. We have induction programs to ensure this but people still tend to experiment with security systems. To what degree can you make your system transparent to the people must be pre-planned."
Sunil Rawlani, Head — IS & Tech, HDFC Standard Life, says that it is vital for the company to make its people understand that they are dealing with the assets of the organization. He says, “Today we have an information-driven economy and the work force wants access to all the information, and they have mobile phones with access to the Net. We cannot take it away from them, so we need to create identities and put identity management systems in place. The focus earlier was data security, which shifted to network security later, but the coming system would be focused on user security. We need to create and manage that identity, if some system to ensure this is put in place then one can assure that the data is secure. Which is why identity theft has become dangerous today and the only way to combat this is to develop trust in organization.”
Monitoring Perception of Users towards Security Policies Compliance and security policies, being an integral part of security measures, are given high importance in an organization. Therefore, it becomes necessary to ensure that these policies are not seen as hurdles to be side-stepped. In this regard, Alaganandan Balaraman, VP, Britannia, opines, "When you make it easier for the people to comply then they tend to do it, and when you make it complicated then they don't. They think of this to be one hurdle. When we automate a lot of things in security, it becomes easier for people to stick to the policies. The moment you streamline the security process for users, you are actually opening a lot of windows and doors to them." Pramod Reddy, AVP, IT AppLabs, raises the need for educating people about security policies. He says, "We generate a lot of matrix on security; most organizations have a firewall security. Sometimes because of ignorance (like freshers do not know they can write a socket program but they do not know how to strengthen it) some employees unknowingly breach security. These threats can be minimized by creating awareness through induction programs and repeated awareness programs." Adding to this, Burgess says that educating people about the policies and the consequences of breaching would help to an extent. Sunil Mehta, Senior VP and Area Systems Director (Central Asia), JWT, says, "It is important to convince the management and employees when some compliance policies are being implemented to system. It always starts with education. At first when the entrance is blocked, the change is unwelcome and you may find some resistance. If you educate them in a different way, and not force compliance policies down their way, they might cooperate. You need to explain in what manner compliance is good. There is no need to communicate it as some tool. You need to use a positive technique using human psyche, so that they agree."

From left: Ganapathy Subramaniam, Global Security Lead, DCN Infrastructure Support Unit, Accenture, N.S.N. Pillai, Head Risk Management and IS, Ashok Leyland

From left: T. Jaganathan, Director IT, Ajooba Networks, Roop Chander, GM-IT, HCL Technologies, Shreehari Padmanabhan, Lead Consultant Information Risk Management, Wipro, D. Chandra Sekhar, AGM IT, Midhani

Placing Information Availability on the Security Roadmap T. Jaganathan, Director IT, Ajooba Networks, says, "I don't find them mutually exclusive, there's no race between operability and security. All the three have to have their own proportion." Whereas, according to Roop Chander, GM IT, HCL Technologies, when availability is in question in terms of security, compliance is a part that can't be compromised even at the cost of operability. Rajendra Erande, Group Advisor IT, Thermax, says, "We should not be restrictive towards accessibility of data. We should allow people to see data and there are few tools that can help in restricting them from copying sensitive data. We can concentrate on security at server level."

Do We Need to Change the Way We Think About Security? Talking about this, Bala Giridhar, VP, Wipro Technologies, says that when we look at the past five years of dealing with security policies, we know what not to do rather than what to do. Access based on a user's profile may help. "With new devices coming up in the market there's a need to extend the security walls. We need to offer secure networks." Pramod LNS, Deputy General Manager IT, HCL BPO, says that, "We always talk about the security from the technology perspective. It's time for us to change our way of looking at it. All the employees from top to bottom should view it as an organization-wide agenda and should feel responsible towards security." Bala also adds that he is looking forward to desktop virtualization as a promising and secure option of work environment. Sachin Jain, CIO, E-Valueserve, says, "Security is an evolving process and pertaining to changing business demands, it should keep on updating. Unless you have updated yourself, you cannot serve the customer proactively."
From left: B.L.V. Rao, VP, Networks & Systems and CISO, Infotech Enterprises, Pramod Reddy, AVP, IT AppLabs
Essential Technology

From Inception to Implementation — I.T. That Matters

Considering unified threat management (UTM) appliances that combine many security jobs? Here's some advice from CIOs who've tried these all-in-one wonders on for size.

Guardian Inside a Box By Bill Snyder

Protecting the secrets of a uranium enrichment plant should be enough to keep any CIO very busy. But when Sarbanes-Oxley mandated even tougher controls on databases containing key financial information, David Vordick, CIO of USEC, a $1.9 billion (about Rs 7,600 crore) public company that operates a gaseous diffusion plant in Paducah, Kentucky, knew he was going to get even busier. His security defenses are complex and multi-layered; and while simplicity is generally a good thing, it's not really Vordick's priority. "Our philosophy is defense in depth. That means looking at multiple (security) products from multiple vendors. We cannot be dependent on any one layer," he says. Not every CIO has the same worries as Vordick, of course. But as regulations like SOX and PCI standards place increasing demands on IT's security capabilities, more and more companies are choosing to simplify network defense by using a security appliance that combines hardware, software, and networking technologies into one convenient package. Companies in the United States spent $3.85 billion (about Rs 15,400 crore) on network security appliances in 2006, an expenditure expected to nearly double by 2011, according to market researcher IDC.
When USEC designed its security architecture, Vordick and his team had a wealth of options. They could have chosen to install one or more UTM (unified threat management) appliances — devices that handle multiple threats from a single chassis — or opted for a series of single-function, best-of-breed appliances. USEC chose a best-of-breed database security appliance from Guardium, plus point products from other vendors, largely because the defense-in-depth strategy meant that the convenience of deploying and managing a single device was outweighed by the fear of creating a single point of failure, Vordick says. Moreover, USEC sought a security appliance that would serve as a check on IT employees with privileged database access who might seek to view or change data without proper authorization, a function that is atypical for a UTM.

The choices regarding network security appliances are complex, but as a CIO, your decision won't just come down to a technology issue, says John South, senior security consultant for Plexent, a Dallas-based IT service management company. "The real question is how do we get our business done and still protect the corporation?" he asks. Here are some of the issues South suggests CIOs should consider regarding security appliances: how does security fit into my overall architecture, and where is the boundary of my network? How many people will it take to support my choice? Do I have the staff, or can I count on support from the vendor? If I choose a UTM, do I know that the services are well integrated and the device is ultra-reliable? If I choose a series of point products, will the overall solution be able to handle a blended threat, and do the separate devices work well together? Does the appliance, best of breed or UTM, offer adequate reporting capabilities? And if you're thinking of combining functions in a UTM, consider this: services such as firewalls, VPNs and intrusion detection are not particularly compute intensive, but are latency intolerant. Anti-virus, URL filters and the like are compute intensive, but much more tolerant of latency. Mixing the two classes of services on one device can slow down applications that are sensitive to latency, says South.

Case for UTM San Francisco-based DriveSavers had a different set of concerns when it decided to shore up its security strategy. Though the company has about 80 employees, its network handles an average of 12 terabytes to 14 terabytes of data every day that it opens its doors for business. Since the company handles critical data, including passwords, for its clients, the tolerance for security lapses is very small.

"We have the keys to (our client's) kingdom, so they want to be absolutely sure that their information cannot be compromised," says chief security officer Michael Hall, whose company retrieves data from damaged hard drives. "An easy way for [clients] to validate is to probe our ports. We like to say 'hit me with your best shot,'" he says. After taking the benign hit, techies at DriveSavers collect the log data and get the evidence to the client. That seemingly simple task, however, was becoming a problem. "We were compiling logs from a number of different (security) appliances and had to consolidate them. It was cumbersome, time consuming and from a business point of view, well, ineffective," says Hall.

By 2011, companies in the US are expected to spend nearly double the $3.9 billion they paid for network security appliances in 2006. Source: Aberdeen

Meanwhile, DriveSavers was growing rapidly, and it was a good time to look at the company's overall network architecture and see how security could be better integrated. It was a way to prepare for the future. Security goals included simple, 24-hour reporting capabilities, consolidated management, better use of space, ease of deployment and good network performance. Ultimately, Hall deployed Cisco's ASA Adaptive Security Appliance, which consolidated intrusion detection, firewall, anti-virus and data leakage protection, plus a Cisco MARS (monitoring analysis and response system) box, which consolidates reporting functions. What about concerns regarding a single point of failure? Forrester Research analyst Rob Whiteley says that vendors have done a good job building reliability and redundancy into their devices. "Reliability has become moot," he says. Hall agrees, but just in case, he's kept his old, single-function appliances installed and ready to use as a failover.
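The consolidation problem Hall describes, gathering the evidence of a client's port probe from several appliances that each log in their own format, is what a log normaliser solves. The block below is an added example and not DriveSavers' or Cisco's tooling: it parses three record shapes modelled on iptables kernel logs, Snort "fast" alerts and Cisco ASA 106023 deny messages into one event type, sorts them into a single timeline, extracts the records involving a given client address and keeps count of lines it did not recognise rather than dropping them. The sample lines are constructed for this example using RFC 5737 test addresses, and the year is an assumption because BSD-syslog timestamps carry none; a real deployment would also have to correct for clock skew between the boxes, which the example does not attempt.

```python
"""Consolidate heterogeneous security-appliance logs into one timeline.

Added example, not DriveSavers' or any vendor's tooling. Record shapes are
modelled on iptables kernel logs, Snort "fast" alerts and Cisco ASA 106023
deny messages; SAMPLE_LOGS is constructed, and ASSUMED_YEAR is an assumption
because BSD-syslog timestamps have no year field.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

ASSUMED_YEAR = 2008  # assumption: syslog stamps carry no year

# Constructed sample records (RFC 5737 addresses). The last line is a host log,
# not an appliance record, and must surface as unparsed rather than vanish.
SAMPLE_LOGS = [
    "Aug  2 11:37:01 fw1 kernel: [9120.113] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=60 TTL=52 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 SYN URGP=0",
    "08/02-11:37:00.123456  [**] [1:1000001:1] TEST probe SSH scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.5:44321 -> 192.0.2.10:22",
    'Aug  2 11:37:02 asa1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/44322 '
    'dst inside:192.0.2.10/445 by access-group "outside_in" [0x0, 0x0]',
    "Aug  2 11:40:15 fw1 kernel: [9314.771] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 "
    "LEN=60 PROTO=TCP SPT=50000 DPT=80 SYN",
    "Aug  2 11:41:00 fw1 sshd[2211]: Accepted publickey for ops from 192.0.2.44 port 51234 ssh2",
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # which appliance type produced the record
    proto: str
    src: str
    spt: int
    dst: str
    dpt: int
    detail: str   # appliance verdict or signature name


SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
PATTERNS = [
    ("iptables", re.compile(
        SYSLOG_TS + r" \S+ kernel: .*\bSRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
        r".*\bPROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")),
    ("snort", re.compile(
        r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\] "
        r".*\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)")),
    ("asa", re.compile(
        SYSLOG_TS + r" \S+ %ASA-\d-106023: (?P<action>\w+) (?P<proto>\w+) "
        r"src \w+:(?P<src>[\d.]+)/(?P<spt>\d+) dst \w+:(?P<dst>[\d.]+)/(?P<dpt>\d+)")),
]


def _timestamp(raw: str) -> datetime:
    """Snort stamps look like 08/02-11:37:00; syslog ones like 'Aug  2 11:37:01'."""
    if "/" in raw:
        return datetime.strptime(f"{ASSUMED_YEAR}/{raw}", "%Y/%m/%d-%H:%M:%S")
    return datetime.strptime(f"{ASSUMED_YEAR} {raw}", "%Y %b %d %H:%M:%S")


def parse_line(line: str) -> Optional[Event]:
    """Return a normalised Event, or None when no appliance pattern matches."""
    for source, pattern in PATTERNS:
        m = pattern.match(line)
        if not m:
            continue
        g = m.groupdict()
        detail = g.get("msg") or g.get("action") or "packet logged"
        return Event(_timestamp(g["ts"]), source, g["proto"].upper(),
                     g["src"], int(g["spt"]), g["dst"], int(g["dpt"]), detail)
    return None


def consolidate(lines: List[str]) -> Tuple[List[Event], List[str]]:
    """Parse every line; return events in one timeline plus the lines nobody understood."""
    events: List[Event] = []
    unparsed: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    events.sort(key=lambda e: e.ts)
    return events, unparsed


def evidence_for(events: List[Event], client_ip: str) -> List[Event]:
    """The records a client probing from client_ip would want to see."""
    return [e for e in events if client_ip in (e.src, e.dst)]


def report(events: List[Event]) -> List[str]:
    """One line per event, in timeline order, suitable for handing to the client."""
    return [f"{e.ts.isoformat()} {e.source:<8} {e.proto} {e.src}:{e.spt} -> {e.dst}:{e.dpt} {e.detail}"
            for e in events]


if __name__ == "__main__":
    all_events, leftovers = consolidate(SAMPLE_LOGS)
    print("\n".join(report(evidence_for(all_events, "203.0.113.5"))))
    print(f"{len(leftovers)} line(s) not recognised as appliance records")
```

Returning the unrecognised lines alongside the events is the check a practitioner wants: when an appliance is upgraded and its log format shifts, the evidence quietly thins out unless something counts what failed to parse.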
Compliance Tool Compliance requirements can be another key reason to choose a UTM appliance, as was the case for San Diego's Paradigm Investment Group, which holds 96 Hardee's burger franchises in seven states. The problem: Paradigm needs to collect sales data and manage Web traffic, including feeds from security cameras, at each restaurant. While that sounds
The system includes a firewall that segments traffic and sets up different security rules for each segment, an antivirus function and content filtering. The system includes even more functions, such as a VPN, that Paradigm could easily turn on if needed.
One Device Versus Best of Breed Security appliances are getting a lot of buzz and there's plenty of debate about the virtues of UTM versus a best of breed approach. But it's worth noting that
There's plenty of debate over the virtues of UTM vs. best of breed.But it's worth noting that any security appliance, whether multi-function or single function,comes with some caveats. fairly straightforward, the PCI Security Standards Council mandates that point of sale servers must not only encrypt data, but also ensure that data related to credit card billing is securely separated from other types of network traffic, while remaining capable of moving data and fetching anti-virus updates. It's regulation that has real teeth. Bogus credit card charges resulting from a hacker's efforts lead to a security audit. And the fines can go up to $500,000 (about Rs 2 crore, notes Paradigm CTO Greg May. Since Hardee's restaurants don't have an IT staffer behind the counter, the company looked for a solution that would include a central management console. They found it in UTMs from Fortinet, choosing the Fortimanager, FortiGate and FortiWiFi products. Why WiFi? The chain has WiFi hotspots that need to be locked out of X-rated sites, and in the future the company hopes to mine valuable marketing data from its public network, says May.
Vol/3 | ISSUE/18
Essentisl Tec.indd 75
any security appliance, whether multifunction or single function, comes with some caveats. "In general, appliances can not be virtualized," says Joel Pogar, director of security and network solutions with the Forsythe Solutions Group, a technology consulting and infrastructure solutions provider. And once an appliance is integrated into the network environment, it can be difficult to remove, he adds. Even so, Pogar says that appliances — whether you choose multi-function or best of breed — have a number of advantages over conventional solutions, including performance. That's because the hardware and the operating system are optimized for each other. And since applications are pre-installed on the appliance, configuration and deployment can be completed very quickly. If UTMs are easier to manage, and best of breed devices offer tailored functionality, is there a way to get both? There may be. Crossbeam Systems offers an appliance that allows customers to run
security services from any of Crossbeam's 20 or so best-of-breed partners. Richard Isenberg, director of security for CheckFree, a provider of financial e-commerce products and services recently purchased by Fiserv, says his company's growth spurt brought on an epidemic of what you might call box creep. "We were adding boxes in every function, with more hardware costs and more people to manage." Although that sounds like an argument for deployment of a conventional UTM, Isenberg says he didn't like the idea of getting all of his software from a single vendor. "Sure, the firewall might be great, but maybe the IDS isn't," he says. "Why should I settle?" Checkfree was able to consolidate 20 IDS devices, 20 switches and 26 firewalls onto seven of Crossbeam's X-series appliances. Cost savings? Nearly $200,000 (about Rs 80 lakh) per year, with ROI in about three years, he says. Isenberg disagrees with those who say UTMs create the risk of a single point of failure. In fact, he believes the opposite: "Every additional box creates more failure points." John South, the Plexent security consultant, says Crossbeam is one of the few companies taking a hybrid approach. "All of the major players are designing point devices for secure services or packaging services into various sizes of appliances scaled from small to medium businesses up to large enterprises." The debate over UTM versus best-ofbreed is really a debate that you must decide within your enterprise's walls. As Vordick puts it: "Risk tolerance and understanding the tradeoffs in the different platforms are decisions each company has to make." CIO
Bill Snyder is a California-based writer. Send feedback to this feature to editor@cio.in
REAL CIO WORLD | August 1, 2008
Pundit
essential technology
Disclosure: All or Nothing
Why full disclosure — or the threat of it — forces vendors to patch flaws and improves security.
By Bruce Schneier

Full disclosure — the making public of details of security vulnerabilities — is a very good idea. Public scrutiny is the only reliable way to improve security, while secrecy only makes us less secure.

Unfortunately, secrecy sounds like a good idea. Keeping software vulnerabilities secret, they say, keeps hackers at bay. The problem, according to this theory, is less about the vulnerability itself and more about the information about the vulnerability. But this assumes hackers can't find vulnerabilities on their own, and that software companies will invest in fixing vulnerabilities. Neither is true. Hackers have proven they can discover secret vulnerabilities, and full disclosure is the only reason vendors routinely patch their systems.

To understand why the second assumption is false, you need to understand the economics of a software company. To them, vulnerabilities are an externality: they affect users much more than the vendor. Vendors treat vulnerabilities more as a PR problem. So if users want vendors to fix vulnerabilities, we need to make the PR problem more acute. Full disclosure does this.

Before this was the norm, researchers discovered problems and sent details to software companies — who ignored them, trusting in the security of secrecy. Some went as far as threatening researchers with legal action if they disclosed a vulnerability. Later, researchers announced problems existed but did not publish details, and vendors labeled the vulnerability theoretical. They would still ignore the problem and maybe threaten researchers with legal action. Then, of course, some hacker would exploit the vulnerability — and the company would release a quick patch, apologize profusely and then go on to explain that the whole thing was entirely the fault of the evil, vile hackers.

It wasn't until researchers published complete details of the vulnerabilities that software companies started fixing them. The companies hated this. They received bad PR every time a vulnerability was made public, and the only way to get some good PR was to quickly release a patch. For a large company like Microsoft, this was very expensive.

So some vendors and security researchers got together and invented 'responsible disclosure'. The idea was that the threat of publishing the vulnerability is almost as good as actually publishing it. A responsible researcher would give the software vendor a head start on patching its software before releasing the vulnerability to the public. This was a good idea — and these days it's normal procedure — but one that was only possible because full disclosure was the norm. And it only remains a good idea as long as full disclosure is the threat.

The moral doesn't just apply to software; it's very general. Public scrutiny is how security improves, whether software or airport security or government counterterrorism measures. Yes, there are trade-offs. Full disclosure means that the bad guys learn about a vulnerability at the same time as the rest of us — unless, of course, they knew about it beforehand — but most of the time the benefits far outweigh the disadvantages. Secrecy prevents people from accurately assessing their own risk. Secrecy precludes public debate about security and inhibits the security education that leads to improvements. Secrecy doesn't improve security; it stifles it.

I'd rather have as much data as I can get to make an informed decision about security, whether it's a buying decision about a software product or an election decision. I don't want to live in a world where companies can sell me software they know is full of holes or where the government can implement security measures without accountability. I prefer a world where I have all the information I need to assess and protect my own security.

Bruce Schneier is a noted security expert and founder and CTO of BT Counterpane. Send feedback on this column to editor@cio.in

Vol/3 | Issue/18