Information Security Management Special Report: Under Fire [CIO Decisions, June 2007]

Security Management Special Report: Under Fire

Despite the same old budgets and resources, midsized companies have to contend with new and more complex security attacks. Here's how a few are rising to the challenge.

Editor's Note

To view our complete multimedia package, visit our Security Management Special Report.

Microsoft discovers a vulnerability in its domain name server but says it may take weeks to deliver a patch, and the W32/Delbot-AI worm promptly launches attacks using that flaw. Two research houses predict that pinpointed attacks on select companies will soon replace broadly targeted worms as the greatest threat to corporate computer security. At a Usenix conference, experts warn that botnets -- which use a collection of compromised computers to steal financial data or send spam -- are getting increasingly complex and more capable of taking over more computers and accessing important data.

Marrying the Digital
and the Physical

Tim Mathews wears two hats: electronic and physical security, including protection of company executives traveling the world. As director of risk management and corporate security at Princeton, N.J.-based Educational Testing Service, he's also responsible for ensuring the integrity of the nonprofit organization's core products: SATs, GREs and other educational tests.

It's a heavy load, and Mathews is constantly on the lookout for technologies that help keep paper and electronic copies of all testing materials under virtual lock and key. For instance, Mathews envisions keeping hard copies of near-final tests from leaving a building by hiding radio frequency identification chips in paper.

Mathews hopes to marry physical security with online access. "We can protect how people get on our network, but if someone can get through a door and into our buildings, then they can look over someone's shoulder and figure out a way of breaching the network," he says. "But if there's a login that shows up for a person [with] no corresponding entry to the building, then that should raise an alarm to security."

One answer rests in technology such as video analytics, where an image of a physical incident is an element of electronic security. Mathews says that if three people try to enter a door with only one security card recorded upon entry, the image from a security camera trained on the door can then alert guards if in fact intruders have entered the building.

Several vendors, including IBM and Cisco, have been working to marry video and electronic security tools, according to Scott Crawford, senior analyst at Enterprise Management Associates in Boulder, Colo.

Yet the concept of melding information security with physical security hasn't taken hold at many midmarket companies. Other chief information security officers say they have enough on their plate in dealing with viruses and hackers without adding the worries of building security, fire safety and guard dogs. -- J.C.

That was just some of the bad security news that came out in a single week this spring. While information security teams still struggle to plug new holes in technology and avoid broadly targeted viruses, they have to keep an eye on the threat of a carefully architected and targeted multi-vector attack.

Information security managers know that teams of hackers are working around the clock to craft multi-vector attacks, pairing the best and brightest of the bad guys. These attacks probe a company's network simultaneously in several ways -- leveraging spam, searching for gaps in firewall coverage -- thus giving hackers a better chance to find a hole in a company's security. Multi-vector attacks clearly raise new challenges for midmarket companies strapped with the same limited resources. Yet smart CIOs are turning the tables and adopting a multifaceted approach to defense that employs several security technologies as well as tools from outside the security realm.

Just how prevalent are multi-vector attacks? "The sense of people deliberately banding together to put some multi-vector threats together is relatively new," says Stephen Fried, vice president for information security and privacy at Milwaukee-based Metavante Corp. "When you take a look at the history of attacks that we've been seeing in the past few years, there has been a lot more talk about multi-vector than we've actually seen in the wild, but I think its day will come."

Multi-vector attacks can take many forms. For instance, an attacker who uses social engineering to gain personal information from users might join forces with someone who uses distributed attacks or distributed spam networks, says Scott Crawford, senior analyst at Enterprise Management Associates (EMA) in Boulder, Colo. "The ability to work together in order to achieve common goals is getting to be a much more serious concern, which raises the bar even further on the ability of IT to be able to cooperate with security and leverage integration across IT to achieve their own common goals."

Several factors set a multi-vector attack apart from the general release of, say, a virus or worm. First, a multi-vector attack targets a specific company, often with the intent to do harm or steal information. It also uses several avenues to gain entrance, with one or more of those attempts often acting as a decoy to divert the security team's attention from the real attack.

"Midmarket companies are exposed to the same types of threats as larger companies, although they probably are more at risk from multi-vector attacks," says Jerry Murphy, vice president and service director at Robert Frances Group. "It used to be that security threats were like high school kids coming by and toilet-papering a house. It was obvious that it happened, and it looked really nasty, but at the end of the day nothing was really damaged. Today, the threats are much more like spies watching from behind the bushes at all the entrances to your house to see where you hide the key so when you're gone they can sneak in and steal stuff."

SIMply Secure

Some CIOs draw on multiple security technologies to defend against multi-vector attacks. Security information management (SIM) systems, for instance, monitor and analyze huge volumes of data in the logs of firewalls, intrusion detection systems and other tools to spot attacks, thus taking the burden off human eyes.

"The challenge I have from the SMB perspective is having the staff and cost-effective tools to monitor all of our systems," says Mark Willford, manager of IT at DirecTV Castle Rock Broadcast Center in Castle Rock, Colo. "We don't have the luxury of having a dedicated security department. I have a staff of 19 people that is responsible for everything from toner replacement to managing a very large ATM backhaul network. So my staff wears a lot of hats, and part of our responsibility is making sure that our data is secure."

Willford wanted a system that could correlate log files from various servers, firewalls and other components and offer real-time alerts about suspicious activity. He also wanted to be able to audit those log files. After weighing the pros and cons of four vendors, he chose TriGeo Network Security Inc.'s SIM solution. "It was almost a live-by-lunch solution that required very minimal setup," he says. "It was priced very competitively and met all requirements that I had, including minimal management and total cost of ownership."

The SIM system correlates most of the security device log files and provides real-time alerting by tracking event data from multiple firewalls, switches, routers and intrusion detection systems. Willford notes that his company may be an exception in the midmarket; rather than looking back after a problem occurs, he proactively audits logs. "We're able to catch things a lot earlier in the process, especially with virus activity that isn't necessarily recognized by one device but is recognized when correlated between two devices," he says. Previously, virus activity or a denial-of-service attack may not have been spotted until users complained.

Another midsized organization turned to SIM because it was a cost-effective way to extend the reach of its alerting capabilities. For about a year, Stillwater National Bank in Stillwater, Okla., had outsourced key monitoring functions such as alerting. While the monitoring service worked fine, it covered only one-fifth of the bank's 100 servers. It also didn't provide crucial log monitoring and reporting functions, including those required by various regulations such as the Sarbanes-Oxley, Health Insurance Portability and Accountability and Gramm-Leach-Bliley acts, says Laura Briscoe, vice president for information security at the bank.

"We already had the need for this type of monitoring. Your auditors and the laws all require that you have this type of monitoring and reporting in place, that you know who's accessing what kind of data on which box," Briscoe says.

Rather than extend its commitment -- and annual payments -- to the service provider, the bank looked at in-house SIM technology. Like Willford, Briscoe chose TriGeo. She says it not only offers functionality that beats out competitors, such as desktop agents and USB lockdown, but it also focuses on the midmarket, so the price was right. The bank was paying about $120,000 a year for limited coverage of its systems; for a little less than that on a onetime payment, Briscoe gets added functionality and network-wide coverage.

But it's important to note that SIM technology is still evolving. One IT manager says SIM's data monitoring rules, which vendors often define, allow SIM to catch some kinds of attacks but not all. Murphy says SIM also presents a resource challenge for midsized companies, which are less likely to have a dedicated analyst who can make the most of such a system through heuristic analysis. "There are some tools starting to put this stuff together," Murphy says. "But usually some human being has to put the rules in there to say what all this information coming from different locations means."

Research labs are developing technology to help midmarket companies better utilize SIM, creating tools that use histographic analysis to spot anomalies in SIM reports. The histogram would help map the mean behavior for traffic associated with specific applications. So if there is an increase in traffic on part of the network -- a sign of a possible problem -- an administrator could investigate. There may be a legitimate business reason, such as a special promotion, that creates additional activity surrounding that specific application, or it may be caused by malware.


CISO: The Technology Sheriff

As a midmarket organization grows, the environment gets more complex. Regulators come into the picture. Hackers take dead aim. Perhaps it's time to hire a chief information security officer (CISO). But when does a midmarket company need one? What triggers the need to hire one? The standard answer, of course, is that each company is different. But CISOs and other experts offer some suggestions.

"Our rule of thumb," says John Pescatore, security analyst at Gartner Inc., "is as soon as you need a chief financial officer, you know you need a chief security officer. If your finances are complicated enough to have somebody in charge, then securing your systems and data is complicated enough that somebody has to be in charge."

The size of a company's IT department can also indicate the need for a full-time CISO. "If there are 1,000 employees, there usually is a minimum of a couple dozen IT people," Pescatore says. With that many IT people, "there usually is a complicated enough IT structure that a chief security officer is needed," he adds.

Stephen Fried, vice president for information security and privacy at Milwaukee-based Metavante Corp., says companies may need a CISO even earlier. "A lot of companies, even as they are starting up, are thinking of security as a specific discipline, which is something we didn't see 10 or even five years ago," he says. "It's almost considered a due diligence kind of best practice now to have a specific security person." Fried suggests that when company security advances beyond basics such as antivirus, firewalls and intrusion detection, it's time for a CISO.

A CISO position can also allay fears from business partners or regulators. Business partners may insist that a company have a CISO who can protect their investments. Publicly held companies and those in heavily regulated sectors will probably need CISOs sooner than private companies that lie outside the government's more direct view.

Of course, many midmarket companies learn too late that they need a CISO. Lee Kushner, CEO of recruiting firm L.J. Kushner and Associates LLC in Freehold, N.J., warns, "For a growing company, one bad story or one damaging blow to a reputation can be completely disastrous."

So what should companies look for in a CISO? Kushner prizes leadership above all else. For a smaller firm, he says, the most important thing is having someone who can "get the message across and actually execute and build a security function."

Joyce Brocaglia, CEO of executive search firm Alta Associates Inc. in Flemington, N.J., admits she's changed her CISO criteria. "When we started recruiting information security officers, we always looked for the most technical person in the room. Today we're replacing them with people who truly understand the business."

A CISO needs to be able to show business units the value of a security initiative in terms of savings and explain how security plays into operational risk, including factors such as uptime and recovery from a security breach. "They have to be able to align investments with potential benefits," says Brocaglia.

Communication is key for any CISO, says Mark Weatherford, chief security officer for the state of Colorado. "I never miss an opportunity to speak to any group of people -- whether it is one person or a hundred -- about what we are doing and why."

Nurturing relationships with business units is crucial in terms of finding advocates for security initiatives. Khalid Kark, senior analyst at Forrester Research Inc., notes that advocates don't even have to be top managers in a business unit. "Basically, it's getting security advocates within business units to point to specific things and say, 'Hey, this may need a security review.'" -- J.C.

Driving Security Innovation

Although handicapped by a shortage of resources and more dependent on proven technologies, midmarket companies may actually help drive innovative approaches to security, EMA's Crawford says. For instance, some midmarket companies are marrying security management and IT operations by leveraging a configuration management database to improve IT operations like patch management.

The midmarket is also helping drive the convergence of security and management technologies, particularly by demanding that tools in both sectors interoperate. "We're seeing major vendors adopt this story by bringing their core management technologies to bear on both security and IT ops," Crawford says. "You can expect to see a lot more visibility around that trend this year."

When it comes to server virtualization -- a popular development on the operations side of IT -- security and operations overlap. Crawford says that while the downside of server virtualization is that IT departments may have to authenticate servers, the upside is additional security by isolating a virtualized environment from security threats.

Another example of innovative thinking to defend against multi-vector attacks is when two elements of IT -- in this case, operations and development -- are united in a partnership to improve application security. Over the past two years, experts have emphasized the importance of having security "baked in" to new IT projects, whether they involve in-house development or packaged applications. Obviously it's much easier to deal with security issues throughout the development or acquisition process than on the eve of deployment.

Crawford notes the efforts of numerous vendors to deal with security during application development. Ounce Labs Inc., Security Innovation Inc., Fortify Software Inc., Watchfire Corp., SPI Dynamics and other software providers are working to help developers spot security flaws in code long before it reaches the deployment stage.

Inside Threats

Whether or not they are multi-vector, insider attacks are perhaps the most difficult threats to defend against. "People have been focused on preventing bad guys from getting into the network, but what a lot of people don't realize is that a lot of the data that is stolen from a company is actually an inside job," says Robert Frances Group's Murphy. He notes that while 80% of threats are external, most of these threats can be dealt with. The remaining 20% come from inside companies, such as from database admins who sell information.

"It doesn't even have to be malicious," Murphy says. For example, a salesperson might have customer data that is encrypted in a back-end database but then send the data to someone in an email without knowing that Sarbanes-Oxley requires the transmitted data to be encrypted.

To address internal threats, Murphy cites Fidelis Security Systems Inc.'s Fidelis XPS (an extrusion prevention system) as a product that looks at all data crossing a network, checking patterns associated with sensitive data such as Social Security numbers. Other products take different approaches, such as Vontu's line of products designed to target specific portions of the network, such as an email server, in a search of sensitive information.

Controlling user behavior can also lead to adoption of older technologies. Murphy says a technology that once carried high expectations -- public key infrastructure, or PKI -- may attract new attention in the next couple of years. PKI isn't as ubiquitous as was predicted, largely because of the complexity of managing keys. "Using the key is easy," says Murphy, "but if you lose your key or leave the company, that data is now encrypted. So how do you or your company get access?" he says. But as standards continue to develop, vendors such as VeriSign Inc. now offer services to help companies manage keys.

Midmarket companies are looking at powerful technology such as SIM and PKI, as well as ways to combine disciplines, in order to meet the challenge of today's complex, multi-vector attacks. "In general, [midmarket companies] don't have the resources that the larger enterprises have, and so they have to look at solutions that have had wider penetration, more broad market acceptance and tend to be more mature," Crawford says. "They have to get more bang out of the buck for security."


Making the Security Pitch

In a way, all the acronym-filled headlines may have made life easier for information security directors. CEOs have been fed a daily diet of compliance and security breach news rife with terms like SOX, HIPAA, TJX -- and now JAIL. Executives know that losing data goes well beyond upset customers and embarrassment; it can land them behind bars.

But, for IT execs, these dangers combine to make senior management more open to security initiatives. "The media has done a great job with the scare-tactic thing, violently displaying all the compromises to privacy and making sure that CEOs understand the consequences of not complying," says William L. Bell, director of security at CWIE Holding Co. in Tempe, Ariz., and Web hosting firm Cavecreek LLC.

"Nobody likes to have their name in the paper" when there's a security problem, adds Stephen Fried, vice president of information security and privacy at Metavante Corp., a banking and payments services company based in Milwaukee. "Then you add things like potential jail time for violation of certain regulations and laws, and that has the effect of getting management's attention on security issues."

While today's data breach spotlight has made senior executives more receptive to security initiatives, it doesn't mean freeing money for security projects is easy. Security remains a tough internal sell, and CIOs must reach out to business managers to ensure that security is a priority in every technology project.

The Midmarket Challenge

Security can be a particular challenge for a growing midmarket company with limited security resources. Smaller firms face increasing regulatory scrutiny as they transition to publicly held entities. And they may now have larger trading partners and customers with greater due diligence demands.

"There are a lot of regulatory things coming down the pike. The biggest problem for most midrange organizations is keeping up," says Tim Mathews, director of risk management and corporate security at the Educational Testing Service in Princeton, N.J. "The technical part of it is pretty much best practice. The biggest challenge is the myriad contractual obligations and regulatory requirements."

So how do CIOs get the message across to management? CIOs can play up the fear factor in a way that business execs understand. Fried says CIOs must stop proposing security purchases as simply a good thing to do and present initiatives as part of the company's overall product set. "You have to tie your proposal back to what is in the best interest of the organization, whether [it's] retaining customers to making or losing money to keeping folks out of trouble with the law," he says.

"Talk in terms of things they understand," says Scott Megill, enterprise architect and program manager at Philadelphia-based chemicals manufacturer Rohm and Haas Co. Megill implemented single sign-on and identity management programs that include the Passlogix module in Tivoli's security suite.

Megill first approached executives about the project by emphasizing data and access management and intellectual property protection. Their eyes glazed over. And so Megill turned the conversation to single sign-on. As soon as he said that the project could eliminate the need for executives to keep 15 usernames and passwords, "their ears perked up," he says. "Then we could start to roll in those other things."

Other CIOs use numbers to make the pitch. CIO Paul Valle of Papa Gino's Inc., a Dedham, Mass.-based chain of 400 pizza shops, saw a potential 3-to-1 return on investment in a security project. Employees were taking security into their own hands by encrypting files like spreadsheets. Problems arose when employees forgot passwords or left the company. Papa Gino's had to re-create some documents from scratch because IT couldn't break through the encryption.

Chris Cahalin, a network manager, learned that the Dell PCs at Papa Gino's, as well as PCs from other suppliers, are equipped with the Trusted Platform Module (TPM). The module can generate secure encryption keys and restrict user-generated keys. TPM could put the keys back in IT's hands.

And so Papa Gino's enabled TPM and brought in Wave Systems Corp.' s Embassy Trust Suite software to manage TPM for the company's 1,700 desktops and notebooks. So far the total cost is $6,900; the estimated savings is $22,000. "Take just the savings in support costs, things like resetting passwords," Cahalin says. "Those calls disappeared because people didn't have to call the help desk anymore."

These kinds of projects help IT build credibility. "Until recently, the CEO and CFO typically were the most difficult people to get support from," Valle says. "Now IT is becoming more of a partner in helping a company succeed."

Last year, Bell needed management buy-in for a project designed to limit users' ability to install applications and thus reduce help desk tickets by eliminating spyware and malware. To sell management on the idea, Bell established a test program in the call center. And he ensured support by talking with business people in their own language.

"You have to know the business value of certain assets," Bell says. "Let's say you have gone to the CFO and said, 'What data do you have that you would absolutely 100% hate to have someone else get?' Then you come back to them and say, 'Here's how I can improve protection of these assets.'" Bell's project got the green light, and CWIE deployed SecureWave on 320 systems at a cost of $25 to $50 a system. The payback: an 80% decrease in the number of PC replacements in the call center and a decrease in help desk tickets.

Business execs, says Barbara Anson, director of IT security at Baptist Memorial Health Care Corp. in Memphis, "don't need to know all the technical aspects" of a security initiative. "They need to know what the technology means and how it can affect their job either adversely or not." -- J.C.

James Connolly is a freelance writer in Norwood, Mass. He can be reached at editor@ciodecisions.com.

This was first published in June 2007

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top