Q&A: Security Breaches and Enterprise Culture
How an enterprise’s culture affects its IT security
Why is security given short shrift at some enterprises? Philip Lieberman, founder of Lieberman Software (a security management vendor), says a big reason is the enterprise’s culture, starting at the top. Without any direct consequences of security breaches, an enterprise is likely to continue to suffer. In our conversation, we explore mobile security, IT’s role in security, how security best practices are ignored, and what it will take to turn an enterprise’s security culture around.
Enterprise Systems: What are some of the best techniques to avoid some of the security breaches we’ve heard about lately?
Philip Lieberman: Whole disk encryption, such as Microsoft Vista’s BitLocker technology, goes a long way in preventing data loss when laptop systems are lost or stolen. With respect to mobile devices, companies that use Blackberry devices with their enterprise device management software allow the administrator to wipe a lost device in minutes. In the realm of Microsoft mobile devices, Microsoft Exchange has the ability to wipe data from a lost mobile device immediately. Both Blackberry Enterprise and Microsoft Mobile device management on Exchange provide remote wiping as a no-cost feature that simply needs to be enabled to secure remote devices.
We have found that tagging mobile devices with a prominent tag with a phone number offering a reward has returned all of our lost devices. Instituting an educational policy for employees as well as a clear operational and financial penalty for the loss of devices by neglect has also mitigated the problem. We do require employees to file a police report on all lost or stolen devices before we will provide a replacement unit. If the device was lost due to neglect, the employee is responsible for the cost of the replacement device.
If these solutions exist, why aren’t they being used more often?
The solutions exist, cost virtually nothing to implement, and exact a minimal burden on their use. Unfortunately, IT does not take data loss seriously because there is no direct line consequence (i.e., job loss) to IT for its failing to educate and manage security on user systems. Another problem is laziness of in-house development to secure sensitive information on laptops or remote access systems when using live data. Very few companies implement mandatory 2-factor authentication for sensitive data access (i.e., physical devices: SmartCards, tokens, fobs, OTP devices) because it is not mandatory.
With respect to two-factor authentication, this is again a combination of lack of budget, training, and expertise. Sophisticated financial institutions and government agencies have mandated these extra layers since their invention for good reason: they work and prevent even lazy users and poorly trained IT departments from shooting themselves in the foot.
Do mobile devices pose special problems? Do we have adequate technology to protect these devices?
The technology for protecting mobile devices such as Windows Mobile, Blackberry, and laptops exists. The trick is that companies must be using modern devices (which raises capital expenditure and carrier contract issues), they have to be enrolled and managed by the e-mail infrastructure (no SMTP, IMAP or POP3 e-mail usage is allowed), and the company generally has to be sophisticated enough to have a primitive public key infrastructure (PKI) to manage both client and server mutual authentication.
These issues are primarily matters of keeping client infrastructure up to date, as well as maintaining modern versions of e-mail servers (for mobile PDA devices). In the case of laptops, modern operating systems such as Vista and Windows 7 need to be widely deployed so that modern disk encryption systems can be employed. The company also needs to manage the public key systems used in both PDA and mobile PCs because most users are incapable of managing this technical level.
Unfortunately, most IT departments seem to be run as fire departments, running from one fire to another. It is rare that an IT department will proactively plan and implement improved security, improved secure infrastructure, and implement security training for their users. Most IT departments don’t have the training, experience, or budgets to implement, upgrade, and actively manage security and also help users with their day-to-day IT support needs.
There are also few (if any) consequences to employees that lose devices. There are no consequences to IT staff for failure to secure devices or data with adequate and appropriate security barriers.
It sounds to me like you’re describing a cultural problem within an enterprise, and particularly within IT.
Yes, there is a cultural problem in many IT organizations that fundamentally comes down to the management of IT not having a financial stake in the success or failure of the enterprise. It is a frequent refrain from IT managers that they don’t have a budget or access to money to secure their infrastructure, yet in the Wall Street Journal we read about that same company’s CEO taking home a pay of over $50 million per year.
We also see IT managers who are lazy when it comes to security implementation even with budgets in place. Sometimes there are no incentives or consequences for running a secure IT shop. In other cases, the IT management may be brilliant at IT but has little training or experience making a business case to management to implement improved technology to give the organization a competitive advantage by using well-implemented technology (both security and operational).
As a vendor of security solutions, we find ourselves frequently taking the role of educator and advisor to IT to help customers improve their operational capabilities and security. We take the role seriously and find that we need to educate many layers of executive management about the risks and opportunities that IT provides. In many cases our advice is highly valued and implemented, in others our advice is discarded and the “old ways” that don’t work are held to religiously even though they have been proved dangerous and possibly fatal to an organization (“not invented here” and “we want to write it ourselves” are big stumbling blocks in the adoption of new software and practices).
We see IT setting all the root/administrator passwords on the machines to the same credentials, leaving open shares open for years, failing to turn off accounts of departed employees, giving administrator-level access to all employees to everything, and the worst possible scenario: not patching their systems against known vulnerabilities, all because it is too much work to do things right.
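The four hygiene failures Lieberman lists above (the same administrator credential on every machine, shares left open for years, accounts of departed employees still enabled, and unpatched systems) are all things an IT department can detect from its own inventory. The following is an added example, not code from the interview or from Lieberman Software: a small Python audit run over a constructed host and account inventory. Field names such as `admin_hash`, `shares`, `missing_patches` and `left_on`, and the `KB-PLACEHOLDER-*` patch identifiers, are assumptions for this example; a real audit would populate them from the directory, a configuration database and the patch-management system. Credentials appear only as a fingerprint (a hash of the stored secret), never as plaintext, since identical fingerprints are enough to show the password is shared.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory for the example (not real hosts or users). Field names
# are assumptions; a real audit would fill them from AD, a CMDB and a patch
# system. Credentials are represented only by a hash fingerprint.
HOSTS = [
    {"name": "ws01", "admin_hash": "fp-aaaa", "missing_patches": [],
     "shares": [{"path": "\\\\ws01\\public", "everyone_write": True,
                 "created": date(2004, 3, 1)}]},
    {"name": "ws02", "admin_hash": "fp-aaaa",
     "missing_patches": ["KB-PLACEHOLDER-1"], "shares": []},
    {"name": "srv01", "admin_hash": "fp-bbbb",
     "missing_patches": ["KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"],
     "shares": [{"path": "\\\\srv01\\finance", "everyone_write": False,
                 "created": date(2005, 6, 1)}]},
]
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "left_on": date(2008, 1, 15)},
    {"user": "asmith", "enabled": True, "left_on": None},
    {"user": "bwong", "enabled": False, "left_on": date(2007, 9, 30)},
]
TODAY = date(2009, 6, 1)  # fixed "now" so the example is deterministic


def shared_admin_credentials(hosts):
    """Hosts whose local administrator credential fingerprint is reused.
    Returns {fingerprint: [host, ...]} for every fingerprint seen more than once."""
    by_hash = defaultdict(list)
    for h in hosts:
        by_hash[h["admin_hash"]].append(h["name"])
    return {fp: names for fp, names in by_hash.items() if len(names) > 1}


def stale_open_shares(hosts, today, max_age_days=365):
    """Shares writable by everyone that have existed longer than max_age_days.
    Returns a list of (host, share path, age in days)."""
    found = []
    for h in hosts:
        for s in h["shares"]:
            age = (today - s["created"]).days
            if s["everyone_write"] and age > max_age_days:
                found.append((h["name"], s["path"], age))
    return found


def departed_enabled_accounts(accounts, today):
    """Accounts still enabled on or after the user's recorded departure date."""
    return [a["user"] for a in accounts
            if a["enabled"] and a["left_on"] is not None and a["left_on"] <= today]


def unpatched_hosts(hosts):
    """Hosts with at least one missing patch, mapped to the missing list."""
    return {h["name"]: h["missing_patches"] for h in hosts if h["missing_patches"]}


def audit(hosts, accounts, today):
    """Run every check; an empty value for a check means it came back clean."""
    return {
        "shared_admin_credentials": shared_admin_credentials(hosts),
        "stale_open_shares": stale_open_shares(hosts, today),
        "departed_enabled_accounts": departed_enabled_accounts(accounts, today),
        "unpatched_hosts": unpatched_hosts(hosts),
    }


if __name__ == "__main__":
    for check, result in audit(HOSTS, ACCOUNTS, TODAY).items():
        print(f"{'OK' if not result else 'FINDING':8} {check}: {result}")
```

Each check returns data rather than printing it, so the same functions can feed a ticketing system or a scheduled report; running the audit on a schedule turns the "too much work to do things right" items into a short list that is visible to management, which is exactly the accountability the interview argues is missing.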
Another criticism of IT is that it doesn’t do a good job of building security into the in-house applications they write.
Microsoft has made a serious investment in the development of tools and methodologies to create secure applications. There are plenty of books. The compilers and tools check for security flaws, and there are plenty of third-party tools.
Unfortunately, all of these great development resources do not mean a thing to many organizations because there are ingrained defective mindsets about the security of in-house applications. There is a fundamental assumption that applications used in-house do not have to be secured against threats. This assumption is naïve given that the greatest security threats are from disgruntled employees and by the compromise of internal systems by careless users and unpatched systems. These poorly secured applications provide the “keys to the kingdom” to anyone with the will and capabilities to try.
There is also a fundamental mindset about the time and cost of verifying an internal product’s security. Very few development product specifications include time and budget allotments for security and penetration testing. In most cases, once the feature set has been completed and the major bugs are cleaned up, the product is considered suitable to internal use. Most organizations are more concerned about application response times and scalability, rather than the gigantic open pipe for the extraction of their most precious secrets that they may have created.
What will it take to increase attention to these security issues? Greater fines? Dismissal of employees involved in, or C-level executives responsible for, security breaches?
I believe the improvement of this situation begins with the education of C-level executives in the practices and patterns necessary to make IT a competitive advantage rather than a cost center. There needs to be financial and public accountability for the investment/lack thereof in securing their information. C-level executives should not be given a passing grade just because they signed off on a huge budget for their financial auditors (who may sideline as security auditors).
In the case of firms and professionals hired to provide security auditing for companies and fail, I believe their identities and faults should be publicly disclosed and their reputations tarnished or burnished based on how well they secure and educate their customers, rather than by how much they can bill their clients for their services. In the case of job site Monster.com, the name of the firm responsible for its security was never disclosed. Similarly, in the Heartland exploit, there was no disclosure of the firm responsible for auditing their security. In both of these cases, no CEOs lost their jobs and there has been no public consequence to the CSO or CIO involved. Clearly there is little consequence to C-level executives or their high-priced auditing firms for completely blowing their security management.
President Obama recently ordered his National Security and Homeland Security advisors to conduct an immediate review of the U.S. government's cyber-security plans, programs, and activities. Why was this review necessary?
The recent review of U.S. government cyber-security warfare was a long overdue review of an essentially dysfunctional system that has been crippled by lack of an appropriate and effective body of law that balances the rights of intellectual rights holders, ISPs, end users, privacy rights advocates with the fundamental and irrevocable fact that the Internet is under constant attack. As things stand now, any and all who attempt to improve the situation are caught in a Catch-22 that effectively punishes anyone who attempts to mitigate the problem.
The government must clearly define the rights and duties of law enforcement, the military, and intelligence community to protect the Internet and its users from attacks internally and externally. The previous few administrations were beholden to special interests that negated the rights of virtually all citizens and organizations that use the Internet.
My hope is that with this presidential administration being more “tech savvy,” they will put into place policies and laws that effectively protect the greater good by allowing our vast government resources to protect the Internet from foreign attack and by allowing users the right to protect themselves, as well as allow ISPs to protect their users/consumers without fear of being sued by the ACLU, RIAA, and MPAA.
Currently there is no coordinated policy for cyber-security, and anyone who attempts to do anything other than absorb or ignore attackers is subject to prosecution. The legal and policy changes needed are obvious; I only wonder if the administration has the enormous strength, courage, and wisdom to overcome a very vocal and powerful set of media and social interests so that the country can be protected and prosper without the fear of retribution from the IP and privacy professional litigators.
What products or services does Lieberman Software offer?
Lieberman Software Corporation (http://www.liebsoft.com) is a U.S.-based independent software vendor (ISV) that creates products used by government and commercial enterprises to report on and manage the security of their systems to comply with governance, risk, and compliance (GRC) regulations such as SOX, PCI, and HIPAA. Founded in 1978, our products focus on the mass management of the local security of workstations and servers. We also provide solutions for issues such as privileged account password management (section 404 of SOX), fire call account management, and service account management.