Information Age: News, analysis & insight for IT & business leaders

 

Safe house?

10 February 2006  

Security technology can only go so far to ward off threats. The real challenges lie in changing user behaviour and enforcing policies.

Marcus Ranum, a senior scientist at security specialists TruSecure and a renowned developer of firewalls and other security products, believes that corporate IT security is not so much a technical problem as a social and business-process problem.

It is a social problem because staff have to be security conscious, and, despite the corporate guidelines and the plentiful scare stories, too many are not. As Ranum says, "You can't make people behave [in a secure fashion] simply by putting a firewall in place." It is a process problem because an organisation needs to define and establish robust processes in order to be protected from security threats, and those processes then have to be enforced.

Yet traditionally, those in charge of information security - whether specialist chief security officers (CSOs) or other IT managers - have occupied an awkward middle ground. There is no traditional reporting structure for the role.

 
 

Tackling security compliance challenges

"Successfully tackling security compliance involves understanding the purpose and requirements of regulations; applying it to the business environment; documenting your security/compliance architecture; and providing validation that your business adheres to the architecture," says Forrester Research analyst Steve Hunt.

He provides a straightforward checklist for security executives to consider when faced with compliance demands for any of the new pieces of corporate governance legislation:

  • Do not be put off by legal or compliance documents. Ask regulators and auditors what they will be measuring the organisation against. Focus on understanding the principles and objectives of the requirements.

  • Compliance is not an arcane black science; it is about providing reasonable security practices to protect information. In most cases, organisations do not need to deploy a host of new security technologies to meet compliance requirements. They need to understand their current security controls and identify any gaps between those controls and the regulatory requirements.

  • Document the security/compliance architecture. A well-defined information security architecture of policies and operational, procedural and technical controls, aligned to business and regulatory requirements, is the first thing regulators want to see.

  • Provide some proof that the business adheres to the architecture through internal and external auditing. Such validation will help assuage regulators' concerns. Where compliance gaps do emerge, identify remediation plans quickly and stick to them.

    Source: Forrester Research

     
Many report to the CIO or chief technology officer, but others answer to the chief financial officer, the human resources director, the head of physical security and, in rare cases, to the chief executive.

Each of these reporting lines carries its own set of advantages and disadvantages. When Jon Colombo, a consultant with Cap Gemini Ernst & Young, was chief security officer at a FTSE 100-listed company, he found himself reporting to the company secretary, who also happened to be the HR director.

"That was a very good position to work from because you could get things done that you couldn't do through the IT department," he says. "You could get the HR to put the right things in the contracts" - obligations never to disclose corporate passwords and not to download files for private use, for example.

Being in the HR department also meant that security issues could be tackled at the point when new recruits joined the company, and provided the opportunity to instigate training courses on security.

Colombo's observation might come as a surprise to those steeped in the technology of security. "Because security is such a cross-departmental function, sometimes it's better being handled outside [of the IT department]."

The corollary, however, was that dealing with the technical side was often made difficult by a lack of trust. "IT perceived me to be an outsider," he says.

Tech-heads

Regardless of where security managers sit in the reporting structure, they struggle constantly to change attitudes. A recent survey by Datamonitor found that 95% of staff do not consider that computer security has anything to do with them. Rather, they said, it is something for IT to be concerned about.

"That is just the kind of thing that CSOs are battling against," says Ian Schenkel, UK managing director of security management software vendor Sygate.

These user perceptions are not helped by the traditional technology focus of many heads of security. The problem they face, says Ray Stanton, director of the UK security practice at IT services company Unisys, is that they often have great difficulty making the transition from security expert to business manager. As a result, many struggle to put together strong enough business cases for security projects, and watch in despair - and sometimes horror - as the money is channelled into projects whose failure would have a much less significant impact.

Not that demonstrating a return on investment (ROI) on security projects is always easy, says Neil Chaney, CEO of user provisioning software maker OSM. "It causes security managers a lot of grief," he admits.

But not in all areas. Identity management is one exception. Here, the efficiencies that come from providing single sign-on to multiple applications, and the reduced cost of administering user access rights, can make the case compelling.

It is straightforward, says Chaney: "You are basically taking a business process - the registration of users across an enterprise - and automating that. Therefore, in simplistic terms, you can reduce the headcount required to perform the task."

And in many cases, the greatest pressures for automating such processes are not coming from inside the organisation.

At risk

The impact of the slew of new legislative initiatives in the US and Europe is putting the chief security officer at the centre of corporate compliance strategies - and helping to raise the bar for security standards.

For example, the Sarbanes-Oxley Act, which since its enactment in July 2002 has applied to any US or international company listed on a US exchange, requires that corporate officers can prove to regulators which individuals have had access to the consolidated financial data that makes up the company's quarterly and annual reports.

Sarbanes-Oxley also bears on many other aspects of IT security, but even tighter legislation may be just round the corner. "The European initiatives being considered at the moment are potentially more restrictive - and will have greater impact on security issues - than Sarbanes-Oxley," warns OSM's Chaney.

In the banking world, Basel II is forcing financial services organisations to look to their security officers to reduce their risk exposure as a matter of urgency. "It is particularly potent; it's all about risk management," believes Unisys's Stanton. The higher the operational risk, the more capital a financial institution has to set aside to cover its exposure. Therefore, the better the computer security a bank or insurance company can demonstrate, the less it will have to set aside to cover those risks.

At the same time, external auditors - many of whom feel their reputation is on the line after the run of financial scandals - have also started homing in on corporate security arrangements.

"Since Enron, Tyco and WorldCom, I think audit firms have become more careful. They are all accountable to partners for any potential lawsuit and they tend to be more diligent than they used to be," says Chaney.

But imposing higher standards of security first requires some robust business processes and a coherent security policy.

A good starting point, believes Ray Stanton at Unisys, is British Standard 7799 (BS7799), whose two parts have since been adopted internationally as ISO/IEC 17799 and ISO/IEC 27001. It provides a comprehensive management framework against which an organisation's security business processes can be built and evaluated.

BS7799 does not go into any technical detail on how to implement firewalls or virus protection. Rather, its managerial focus provides a checklist of objectives that every organisation should achieve in its security processes. "It's a very simple, flexible model for security management. It's easy for anybody at any level to pick up and understand," says Stanton.

As a result, while few organisations - little more than a hundred - have actually gone to the time and expense of certifying to the BS7799 standard, many security and IT executives have nevertheless used the guidelines as the foundation for their own company's security policy.

"There are companies of all shapes and sizes that are actually using it as a benchmark. They are applying the parts that they think are relevant to their businesses, but not necessarily going for the 'tick in the box' full certification," says Colin Gillingham, regional director of vulnerability software and consulting company @Stake.

Security police

Even companies with the best security policies, however, can struggle unless those policies are enforced. "A security policy is only as good as the police that enforce it," says Schenkel at Sygate. He argues that most organisations can already boast a comprehensive security policy, but that it is not adequately applied.

"Most organisations, for example, will establish a rule that antivirus software is installed on all their machines and that it is updated regularly. But what happens when a user independently decides to shut down that antivirus application?" he asks. Very often no one even knows, and the organisation as a whole is put at significant risk.

There are plenty of monitoring packages that can help enforce such elements of a security policy, and others that can, for example, carry out content filtering to stop staff accessing inappropriate web sites or using peer-to-peer file sharing applications. But for the bulk of potential security problems, there are few fully automated tools.

Intrusion detection systems, for instance, have proved to be no panacea. Many security experts complain that these tools generate many more false alarms than genuine intrusion alerts, making it impossible to respond to real emergencies immediately. "If a security alarm guesses wrong too often, you're going to stop listening to it," says Bruce Schneier, co-founder of security services company Counterpane Internet Security.

The main problem is that intrusion detection systems take many months of configuration and fine tuning before they are ready to be put on the business front line. "And too few security professionals, let alone ordinary IT staff, are prepared to put in the time and effort required," says Ray Stanton. "I've stood in front of audiences of security managers and asked how many had spent more than 100 hours tuning their intrusion detection systems. Sometimes only a single hand goes up."

"People aren't putting the effort into tuning, so are getting a load of crap coming through. No wonder they complain about the products," he adds.

One attempt to filter the serious threats from all the noise is the so-called 'security management console'. These analysis engines take feeds from firewalls, intrusion detection systems and antivirus software, as well as logs from PCs, servers and routers, and try to filter out the data that can safely be ignored so that security administrators can get a clear picture of potentially nefarious activity. The claim is that millions of events per day can be cut to a few thousand.

"Without such filtering, security experts are often forced to track data on separate monitors, engage in manual de-duplication and rely on paper-based reports. It's just impossible to achieve a state where they can take real-time action to prevent or react to problems," says Richard Lowe, senior vice president of Europe at network management software specialist Micromuse.
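To make that filtering concrete, here is an added example (not code from the article, nor from any vendor it names) of the reduction steps such a console performs: normalising several feeds into one record shape, collapsing exact duplicates, suppressing signatures that analysts have reviewed and classed as noise, and correlating what remains by source so that a host reported by two independent sensors, or a single high-severity event such as the disabled antivirus agent Schenkel describes above, is escalated. The three line formats, the suppression list, the severity mapping and the sample feed are all constructed assumptions for the example; none are real product output.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    sensor: str   # originating feed: "fw", "ids" or "av"
    src: str      # source address or host the sensor attributes the event to
    sig: str      # rule, signature or status name
    sev: int      # normalised severity, 1 (informational) to 5 (critical)


# Constructed feed: made-up line formats standing in for a firewall, a
# Snort-style IDS and an antivirus agent, plus one router line in a format
# the console has no parser for.
RAW_FEED = [
    "FW deny src=10.0.0.5 dst=10.0.1.20 proto=udp dport=137",
    "FW deny src=10.0.0.5 dst=10.0.1.20 proto=udp dport=137",
    "FW deny src=10.0.0.5 dst=10.0.1.21 proto=udp dport=137",
    "FW deny src=192.0.2.44 dst=10.0.1.10 proto=tcp dport=22",
    "FW deny src=192.0.2.44 dst=10.0.1.10 proto=tcp dport=22",
    "IDS [1:2002910] ICMP PING NMAP 10.0.0.7 -> 10.0.1.10 pri=3",
    "IDS [1:2010935] ET SCAN SSH BruteForce 192.0.2.44 -> 10.0.1.10 pri=2",
    "IDS [1:2010935] ET SCAN SSH BruteForce 192.0.2.44 -> 10.0.1.10 pri=2",
    "AV host=wks-0042 status=realtime_disabled",
    "AV host=wks-0042 status=realtime_disabled",
    "AV host=wks-0042 status=realtime_disabled",
    "AV host=wks-0017 status=signatures_updated",
    "ROUTER %SYS-5-CONFIG_I: Configured from console",
]

# (sensor, signature) pairs the analysts have reviewed and classed as noise
# (assumed list): NetBIOS name-service chatter, ping sweeps, routine updates.
SUPPRESS = {
    ("fw", "deny udp/137"),
    ("ids", "ICMP PING NMAP"),
    ("av", "signatures_updated"),
}

FW_RE = re.compile(r"^FW (\w+) src=(\S+) dst=\S+ proto=(\w+) dport=(\d+)$")
IDS_RE = re.compile(r"^IDS \[[\d:]+\] (.+?) (\S+) -> \S+ pri=(\d)$")
AV_RE = re.compile(r"^AV host=(\S+) status=(\w+)$")


def parse(line: str):
    """Normalise one raw line into an Event, or None if no parser matches."""
    m = FW_RE.match(line)
    if m:
        action, src, proto, port = m.groups()
        return Event("fw", src, f"{action} {proto}/{port}", 2)
    m = IDS_RE.match(line)
    if m:
        sig, src, pri = m.groups()
        # Snort priority 1 is the most serious; fold it onto the 1..5 scale.
        return Event("ids", src, sig, {1: 5, 2: 4, 3: 3}.get(int(pri), 2))
    m = AV_RE.match(line)
    if m:
        host, status = m.groups()
        # A real-time scanner switched off is the policy breach the article
        # describes, so it is rated high on its own.
        return Event("av", host, status, 4 if status == "realtime_disabled" else 1)
    return None


def reduce_feed(lines):
    """Collapse duplicates, drop suppressed noise, correlate by source."""
    parsed = [parse(line) for line in lines]
    unparsed = sum(1 for e in parsed if e is None)
    counts = Counter(e for e in parsed if e is not None)   # identical events collapse
    kept = {e: n for e, n in counts.items() if (e.sensor, e.sig) not in SUPPRESS}
    by_src = defaultdict(list)
    for e, n in kept.items():
        by_src[e.src].append((e, n))
    incidents = []
    for src, evs in by_src.items():
        sensors = {e.sensor for e, _ in evs}
        top = max(e.sev for e, _ in evs)
        # Escalate when independent sensors agree about a source, or when one
        # event is already severe enough to need a human.
        if len(sensors) >= 2 or top >= 4:
            incidents.append({
                "src": src,
                "sensors": sorted(sensors),
                "max_sev": top,
                "events": sum(n for _, n in evs),
            })
    incidents.sort(key=lambda i: (-i["max_sev"], i["src"]))
    return {
        "raw": len(lines),
        "unparsed": unparsed,   # reported, never silently dropped: a parser gap is a blind spot
        "unique": len(counts),
        "after_suppression": len(kept),
        "incidents": incidents,
    }


if __name__ == "__main__":
    report = reduce_feed(RAW_FEED)
    print(f"{report['raw']} raw -> {report['unique']} unique -> "
          f"{report['after_suppression']} after suppression "
          f"({report['unparsed']} unparsed)")
    for inc in report["incidents"]:
        print(f"  {inc['src']}: sensors={inc['sensors']} sev={inc['max_sev']} events={inc['events']}")
```

On the constructed feed, 13 lines reduce to two incidents: the host 192.0.2.44 seen by both the firewall and the IDS, and the workstation whose antivirus was switched off. The unparsed router line is counted rather than discarded, which matters in practice: a feed the console cannot read is exactly where Stanton's untuned-IDS problem reappears in another form.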

In organisations where security policies need to be rigorously enforced - and also within companies offering managed security services, such as Unisys and Counterpane - security management consoles have become a must, for cost reasons alone.

Unisys uses the ArcSight console to reduce costs, says Stanton, "because it can dramatically cut the time from when something happens to the actual closure of that incident."

Such tools are a help, but equal if not greater emphasis needs to be placed on improving the management of security. OSM's Chaney cites a conversation with a bank where the chief security officer declared that his organisation did not have too many problems. "He calmly revealed that while the bank had 3,000 employees in the UK, it had 3,250 Microsoft Exchange accounts. That's almost 10% of all accounts unaccounted for," says Chaney.
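The bank's 3,000-versus-3,250 gap is found by the same reconciliation that a provisioning system automates (Chaney's earlier point about the registration of users across an enterprise). As an added example that is not code from the article or from OSM, the following script joins a constructed HR export to a constructed mail-account list and reports leavers whose accounts still work, accounts nobody owns, unowned service accounts, dormant accounts and active staff with no account at all. The sample data, the field names and the 90-day dormancy threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_AFTER = timedelta(days=90)   # assumed policy: no login in 90 days is dormant
AS_OF = date(2006, 2, 10)            # reporting date for the constructed sample


@dataclass(frozen=True)
class Employee:
    emp_id: str
    email: str
    status: str              # "active" or "left", as exported from HR


@dataclass(frozen=True)
class Account:
    email: str
    owner_id: Optional[str]  # employee id recorded on the mailbox, if any
    last_login: Optional[date]
    kind: str = "user"       # "user" or "service"


# Constructed sample data: a five-person HR roster and seven mail accounts.
EMPLOYEES = [
    Employee("E001", "alice@example.test", "active"),
    Employee("E002", "bob@example.test", "active"),
    Employee("E003", "carol@example.test", "left"),
    Employee("E004", "dave@example.test", "active"),
    Employee("E005", "erin@example.test", "active"),
]
ACCOUNTS = [
    Account("alice@example.test", "E001", date(2006, 2, 1)),
    Account("bob@example.test", "E002", date(2005, 9, 15)),
    Account("carol@example.test", "E003", date(2006, 1, 20)),
    Account("dave@example.test", "E004", date(2006, 2, 9)),
    Account("contractor-temp@example.test", None, date(2005, 6, 1)),
    Account("old-intern@example.test", "E099", None),
    Account("backup-svc@example.test", None, date(2006, 2, 10), kind="service"),
]


def reconcile(employees, accounts, today):
    """Classify every account against the HR roster and report the gaps."""
    by_id = {e.emp_id: e for e in employees}
    by_email = {e.email: e for e in employees}
    active = {e.emp_id for e in employees if e.status == "active"}
    report = {k: [] for k in ("leaver_active", "orphan", "service_unowned", "dormant")}
    accounted = set()
    for a in accounts:
        # Prefer the recorded owner id; fall back to matching the address.
        owner = by_id.get(a.owner_id) or by_email.get(a.email)
        if owner is None:
            # Service accounts are legitimate but must still have a named owner.
            report["service_unowned" if a.kind == "service" else "orphan"].append(a.email)
        elif owner.status != "active":
            # Highest priority: the former employee still knows the password.
            report["leaver_active"].append(a.email)
        else:
            accounted.add(owner.emp_id)
            if a.last_login is None or today - a.last_login > DORMANT_AFTER:
                report["dormant"].append(a.email)
    # Provisioning gap in the other direction: staff with no account at all.
    report["missing_account"] = [by_id[i].email for i in active - accounted]
    for key in report:
        report[key].sort()
    # Chaney's headline number: accounts in excess of active headcount.
    report["excess_accounts"] = len(accounts) - len(active)
    return report


def run_sample():
    """Run the reconciliation over the constructed data as of AS_OF."""
    return reconcile(EMPLOYEES, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The headline excess (seven accounts against four active staff) is the least useful line of the report; the categories beneath it are what an auditor will ask about, and the leaver whose mailbox still accepts logins is the one to close the same day.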

As that underscores, the technology may be there to stop a hacker or a former employee exploiting a lapse. The best practices may even be written in stone. But unless the will is there to use them, the security headache will only get worse.

