The Homeland Security Imperative
Impending pressure from the FBI or Congress may force companies to share evidence of break-ins, or to disclose to the SEC their level of information security preparedness. Is your company ready?
Security—homeland security—stormed into public consciousness last September, taking on new urgency in IT organizations throughout the U.S. The FBI and Secret Service would like to require companies to report any major security breaches to them. And if Senator Robert Bennett (R-Utah) has his way, the Securities and Exchange Commission may start requiring companies to disclose their information security preparedness to investors.
But protecting public and private IT resources is no easy feat, despite newfound resolutions. As Tom Ridge, head of the Office of Homeland Security, noted last October, locking down U.S. data is "a legal challenge, because this effort raises cutting-edge questions of both privacy and civil liberties … It's a political challenge, because the government must act in partnership with the private sector … which owns and operates the vast majority of America's critical infrastructure."
The government's political and legal hands may be tied when it comes to security mandates for private companies. And years could pass before private industry comes to a general security consensus. The picture's not much brighter in the public sector; experts warn that adequately securing government IT will be incredibly costly.
Where does that leave your IT organization? If your company is actively interested in improving security—whether to make an investment in homeland security, to safeguard assets, or just to look good to investors—you have several places to start.
Howard Schmidt, vice chairman of President Bush's Critical Infrastructure Board, recommends starting with the basics: Adopt a series of best practices, create the appropriate organizational structure, and get the backing of the CEO. You're probably already on that road, and working hard at phase two: Getting the right people, processes and technology, planning for redundancy and unknown vulnerabilities, and determining what your "normal" environment should be.
But while technology plays a role, it's by no means the biggest part. "Technology itself is not the panacea. It involves the people, processes and the technology all working together," says Schmidt. "Security is not a destination, it's a journey."
Accurately assessing a company's vulnerabilities is the prerequisite for knowing which risks to mitigate first. For instance, for manufacturers, the security of the supply chain is usually paramount.
But before locking all the doors and windows, it helps to know exactly where those doors are. "If you don't want people coming in [through] doors, limit the number of doors. Every user account is a door," says Joe Duffy, head of PricewaterhouseCoopers' security practice. Simply deactivating the accounts of users who've left the company is something many companies neglect, he says, but it can greatly boost security.
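Duffy's "every account is a door" point is a check you can run rather than just a slogan. The script below is an added illustration, not code from the article or from PricewaterhouseCoopers: it reconciles an export of enabled accounts against the HR roster of current staff and flags accounts whose owner has left, accounts that have gone dormant (which also catches leavers the HR feed missed), and service accounts that have no person behind them and need a named owner. The file formats, the 90-day dormancy cutoff and the `SVC-` owner prefix are assumptions made for the example; the sample records are constructed.

```python
"""Account-reconciliation check: find the 'doors' that should be closed.

Added illustration, not from the article. The export format, the roster
format, the SVC- owner prefix and the dormancy cutoff are assumptions.
"""
from datetime import date

# Constructed sample data: an export of enabled accounts from a directory,
# one record per line: username,owner_id,last_logon (ISO date or "never").
ACCOUNT_EXPORT = """\
jsmith,E1001,2002-03-14
rjones,E1002,2001-11-02
svc_backup,SVC-7,never
mlee,E1009,2002-03-18
tbrown,E1004,2002-01-05
"""

# Constructed sample data: employee IDs that HR still lists as active.
# rjones's owner E1002 is missing, i.e. that person has left.
HR_ACTIVE_ROSTER = {"E1001", "E1004", "E1009"}


def parse_accounts(export):
    """Turn the export into dicts; 'never' becomes last_logon=None."""
    accounts = []
    for line in export.splitlines():
        if not line.strip():
            continue
        user, owner, last = line.split(",")
        last_logon = None if last == "never" else date.fromisoformat(last)
        accounts.append({"user": user, "owner": owner, "last_logon": last_logon})
    return accounts


def reconcile(accounts, roster, today, dormant_days=90):
    """Return accounts that should be disabled or reviewed, grouped by reason.

    departed: owner is a person HR no longer lists as active
    dormant:  no logon within dormant_days (or never), whoever owns it
    service:  not tied to a person, so the HR check cannot vouch for it
    An account can appear under more than one reason.
    """
    findings = {"departed": [], "dormant": [], "service": []}
    for acct in accounts:
        if acct["owner"].startswith("SVC-"):       # assumed naming convention
            findings["service"].append(acct["user"])
        elif acct["owner"] not in roster:
            findings["departed"].append(acct["user"])
        never_used = acct["last_logon"] is None
        if never_used or (today - acct["last_logon"]).days > dormant_days:
            findings["dormant"].append(acct["user"])
    return findings


def run_check(today=date(2002, 4, 1)):
    return reconcile(parse_accounts(ACCOUNT_EXPORT), HR_ACTIVE_ROSTER, today)


if __name__ == "__main__":
    for reason, users in run_check().items():
        print(f"{reason}: {', '.join(users) or '-'}")
```

The dormancy check is deliberately independent of the HR roster: in practice the leaver feed is late or incomplete, and an account nobody has used in months is a door worth closing whatever HR says about its owner. Service accounts are reported separately because the same logic cannot judge them; they need an owner of record and a review of their own.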
And some industries are more at risk than others. Schmidt singles out telecom, banking and finance in particular—the money supply, and the communications backbone.
Although every industry shares this exposure, there has unfortunately been little cross-industry cooperation to date. Schmidt says that the lack of a unified front when it comes to securing networks increases the risk to the overall network. "Unfortunately, it's been a somewhat spotty approach. We haven't had an integrated way of increasing the level of security, so that makes us more vulnerable, because often times it only takes one ability to get inside a system, and then you can have your way with the other systems," says Schmidt.
Everyone faces some of the same challenges. Peggy Weigle, CEO of Sanctum Inc., an application-level security vendor in Santa Clara, Calif., notes that Web application security is woefully inadequate.
"Our experience with the 300 audits we've done is, we penetrated 97 percent of them, and on average we can do that in two to four hours," she says. When auditing a large financial services firm, Sanctum was able to exploit a flaw in the code to access the core back-end database, and return the financial firm CIO's username and password to him.
Weigle says passenger manifests in airline databases, and maintenance schedules for power grids, are similarly vulnerable. Those two things are especially troubling since the government is requiring that carriers forward to it the passenger manifests of all flights terminating domestically. What's to stop someone from breaking in and changing a name? Similarly, disrupting a power grid is easier when you know when parts of it are already scheduled to be offline.
The People Problem
Good security begins with people who practice good security. Dawn Meyerriecks, chief technology officer of the Defense Information Systems Agency (DISA), says they ask such questions as, "Do we have good, trained administrators? If we have a securable phone, do we turn the key? If we have sensitive communications, are they being sent encrypted?" All the protections in the world won't help if they aren't used.
Many security breaches, in fact, are simply the result of human error. "I think as technologists, we try too often to address the problem from a technological approach, when too much is human error," says Meyerriecks. For instance, she cites a 1999 finding by the Department of Defense (DOD) Joint Task Force on Computer Network Defense (JTF-CND) that the vast majority of known security breaches were related to already known vulnerabilities, or to people who knew the proper routine but failed to follow it.
The Process Problem
After people, having well-designed processes, including an organizational structure that supports those processes, is essential. In a nutshell, well-designed processes let companies prepare for the majority of attacks. Sometimes, technology is needed to get the processes in place—for instance, configuration management, to answer the question of what's loaded on all of the machines in the network.
When it comes to hypothesizing about threats, private industry can take a cue from the DOD. "One good thing about DOD is we're really good about contingency planning," notes Meyerriecks. Read: lots of bright people get together and ask big "What if" questions. "We actually came through 9/11 better than any other major enterprise that I know of," says Meyerriecks, who was in a command bunker at the time of the attacks. "They had a plan, and everybody knew what it was they needed to do."
For companies lacking the scale of the DOD or the benefit of large-scale contingency planning, consulting companies are a good way to make sure that the right questions, at least, are being asked.
Examples of those questions to ask include: "Do we have concept of operations? What do we do in certain attack scenarios? Do we make sure the front door is locked? So, all the way from physical to IT security," says Meyerriecks. Her last point is especially important—physical security is as important as any firewall or router. Computer criminals often take the easiest way in, whether it's a known vulnerability in a Web server or an unsecured door into the server farm room.
In fact, poor security often results from two simple things—failing to patch, and running configurations with known vulnerabilities (both of which point back to the people problem). "That's a huge percentage of what's left—we knew there was a patch available but we hadn't gotten around to applying it yet because we're [so busy]," says Meyerriecks. One process to put in place is simply a commitment from staff to maintain up-to-date patch levels, and to practice proper security.
Processes must also cover all aspects of a company—from Web applications to handheld devices and everything in between. Securing everything helps guard against insider attacks.
At this point, the Office of Homeland Security's effect on U.S. business is more question than answer. Will the new Office of Homeland Security created by the president be a boon to U.S. companies, or will the complexity of the security issue, not to mention legal and privacy concerns between private industry and the government, relegate the office to the role of administration window-dressing?
In effect, the new agency lets the government say it's tackling security issues, even if it's almost ridiculous to task one agency to unite many government agencies on the federal, state and local levels—not to mention private industry. In a word, security is complex.
So is the mission to make us secure, or to make us feel secure? Will the political mandate to better secure our nation's vital resources persist in the absence of further attacks?
Legislative maneuvers are coming that may require companies to report intrusions, and possibly open their servers and data—especially customers' information—to government investigators. That's a red-hot issue that already worries some corporate legal departments.
Fortunately, even proponents say that any moves in that direction are a long way off. There simply hasn't been enough money allocated to take on disclosure at that scale. "The additional $37 billion for homeland security is going into a lot of other things besides technology—physical security, procedures, bio-terrorism, border security," says security expert Warren Suss. In fact, "Less than 1 percent of the $37.7 billion is going for cyber security."
Those figures underscore how far there is to go. "Even for the federal government, it's too expensive to guarantee 100 percent security for all data and all communications," says Suss.
But private industry is worse. In a keynote at the RSA security conference in February 2002, federal cyber security head Richard Clarke chastised private industry for spending a mere 0.0025 percent of their budgets on information security. "If you spend more money on coffee than IT security, you will be hacked. And moreover, you deserve to be hacked," he scoffed.
The government is under pressure to secure itself. Last year, after an investigator proved that the Bureau of Indian Affairs Web site was incredibly easy to breach, a judge ordered it offline until it could be adequately secured. As of March 2002, only a little more than half of its systems were back online.
In the short term, Suss says, we probably won't see any comprehensive security approach issued by the government. Instead, he says, smaller concepts will be fast-tracked, such as fail-over sites. The success of fail-over sites in the 9/11 attacks, he says, will lead greater numbers of companies to invest in them. "There were agencies that were in the World Trade Center towers that had established advanced sites with mirrored databases and strong software that didn't miss a beat when their facilities were destroyed," he says. "Then there were other agencies that did not have that capability that are still recovering." For many government agencies and companies, he says, creating fail-over sites will be priority number one.
The Technology Problem
As the federal government's Schmidt noted, technology is only a small part of security, and technology alone won't save the day. According to the 2001 Computer Security Institute survey, 98 percent of companies that reported security incidents (to the tune of an average loss of $2 million per incident) had anti-virus software, and 95 percent had firewalls. Obviously, a higher-level perspective is needed.
Meyerriecks says her IT investments typically go toward "reliability, availability, single points of failure, reports and analysis" of whatever has been defined as mission-critical. In her case, command and control operations is one critical capability, and she's made significant investments to make sure that the failure of one data node won't compromise operations.
A side note regarding technology: Don't create systems that kick in only when there's an emergency. Not only will their costs be difficult to justify, but also they might not work. "If you have a network that is standing idle except in the event of an emergency—unless it's redundant—then not only does it increase your cost, but it leaves you vulnerable to failure, because if you only use it one percent of the time, it's likely that it won't work," says security expert Warren Suss.
The Unknown Vulnerability Issue
Solid people, processes and technology are great, but what about when the unforeseen happens? "Very often, we find that folks don't have backup plans or recovery plans—they haven't thought through what happens if that farmer finds my fiber with his backhoe," says Meyerriecks.
As part of the DOD, DISA writes policies and procedures for everything it thinks might be pertinent, including disaster recovery, then trains people accordingly. But, notes Meyerriecks, "It's probably the thing we haven't answered that will get us—that's the lesson of 9/11."
For the unforeseen, DISA has "short-fuse deployable teams that deal with the unforeseen or unpredicted catastrophe," says Meyerriecks. These "skunk works teams" are like the special forces to the regular branches of the military. "It's kind of like the Delta Force. You have the Army, Air Force, Navy, Marines, and then you have the special forces that we send out when—darn—there wasn't any playbook for that contingency," she says.
Teams get broad-based training and mentoring from more experienced staff. In a crisis, she says, IT people with established relationships with vendors are critical, since there's often little time for by-the-book contracts or vendor niceties. The approach, she says, is "you call this vendor, explain what you're doing, get approval to use this stuff—and then we'll clean up the license later."
A response team can literally save the day. "I happen to know a large distribution company that got hit with Nimda, and they were using their Y2K manuals—they were running their company off of manuals," says Duffy of PricewaterhouseCoopers. The company hadn't taken the appropriate steps to protect itself from a Nimda-like worm. Fortunately, it still had the policies, procedures and training in place for a potential Y2K-related failure, and those policies worked for this crisis too. In fact, none of the company's customers noticed a problem. Behind the scenes, things weren't pretty, but the company averted disaster.
The CEO Issue
Experts agree that a good security plan requires the backing of the CEO, but say that many CEOs just don't understand security—or they think it's purely a technology issue. "I think the big mistake is, users say, oh that's IT's problem," says Duffy. "Well, that's great, let's say you lose a building, you can't get access to a building. The systems are running, but IT can't help you." Security is about much more than technology—it's about securing everything needed to run the business. Hence, CEOs need to ensure that their most valued assets are protected.
CEOs can also overcome rampant security funding difficulties. Duffy says for a project to get funding today, it often has to have an ROI of one year or less. But it's notoriously difficult to define ROI for security—as a standalone event. "The big mistake people make is they evaluate security as a standalone event, but it has to be in the context of a business. It has to be, you want to deploy a collaborative supply chain? Then what's the cost [should] that supply chain go down?" asks Duffy.
Key Players in Homeland Defense
Richard Clarke, Special Advisor to the President for Cyber Security
Appointed as the first national coordinator for security, infrastructure protection and counter-terrorism in May of 1998.
Howard Schmidt, Vice Chairman of President Bush's Critical Infrastructure Board
Former chief security officer of Microsoft.
Finding Out What's "Normal"
Security technology is often a patchwork of different kinds of software and hardware. Intrusion detection systems (IDSes) analyze the traffic and logs from all of it to help determine when someone is attacking the network. But there's a catch: IDSes must be finely tuned, or else they trigger too many false alarms to be useful. To get that level of granularity, DISA collects petabytes of data from its network and data mines the results. "We spend a lot of time trying to map out what normal is, then looking for ways to gauge abnormal," says Meyerriecks.
That way, the agency knows whether it's under attack, or if a farmer simply dug where he wasn't supposed to. "Failures can look a lot like intrusions as well. But we'd like to know whether somebody is going after us, rather than, ‘Whoops—someone just cut our fiber by accident,'" says Meyerriecks.
The downside of gauging what's normal is that you're only as good as your data. "What that leaves us concerned about is the folks who are smarter than that," says Meyerriecks—what she characterizes as the low and slow attack. If someone probes a part of the network persistently, but never often enough to stand out against the baseline, security administrators could eventually just stop paying attention to those attacks. And that's when someone could really break in.
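The tuning problem Meyerriecks describes, and the "low and slow" attack that exploits it, can be shown with a few lines of arithmetic on hourly event counts. The script below is an added illustration, not DISA's code or anything from the article: it learns a baseline (mean and standard deviation) from a normal period, applies the usual per-hour threshold of mean plus three standard deviations, and then shows three things. A noisy burst is caught; a steady one-extra-event-per-hour attacker never crosses the hourly line; and the same attacker is caught when the whole day's total is compared against its expected total, because the expected spread of a sum of n independent hours grows only as the square root of n. The last case is the "only as good as your data" caveat: when the attacker's traffic was already present while the baseline was learned, it becomes part of normal and the window check sees nothing. The hourly counts are constructed and the three-sigma thresholds are assumptions chosen for the demonstration.

```python
"""Baseline-and-deviation detection, and why 'low and slow' slips past it.

Added illustration, not from the article or DISA. Per-hour event counts
are constructed; the k=3 sigma thresholds are assumptions for the demo.
"""
from math import sqrt
from statistics import mean, pstdev

# Constructed: 72 hours of "normal" per-hour counts of some event
# (say, failed logons seen by one sensor) used to learn the baseline.
NORMAL_PATTERN = [10, 11, 9, 12, 10, 11, 9, 12]
TRAINING = NORMAL_PATTERN * 9


def learn_baseline(counts):
    """Return (mean, population stdev) of the hourly counts."""
    return mean(counts), pstdev(counts)


def hourly_alerts(counts, baseline, k=3.0):
    """Indices of hours whose count exceeds mean + k*sigma: the classic tuned threshold."""
    mu, sigma = baseline
    limit = mu + k * sigma
    return [i for i, c in enumerate(counts) if c > limit]


def window_alert(counts, baseline, k=3.0):
    """Compare a whole window's total against its expected total.

    If hours are independent, the stdev of the sum of n hours is sigma*sqrt(n),
    so a steady +1/hour that hides under the hourly limit accumulates here.
    Returns True when the window total is anomalous.
    """
    mu, sigma = baseline
    n = len(counts)
    limit = n * mu + k * sigma * sqrt(n)
    return sum(counts) > limit


# Constructed 24-hour test windows.
QUIET_DAY = NORMAL_PATTERN * 3
NOISY_SCAN = QUIET_DAY[:]
NOISY_SCAN[5] += 20                          # one burst in hour 5
LOW_AND_SLOW = [c + 1 for c in QUIET_DAY]    # one extra attempt every hour, all day


def run_demo():
    baseline = learn_baseline(TRAINING)
    results = {
        "noisy_hourly": hourly_alerts(NOISY_SCAN, baseline),   # burst is caught
        "slow_hourly": hourly_alerts(LOW_AND_SLOW, baseline),  # nothing per hour
        "slow_window": window_alert(LOW_AND_SLOW, baseline),   # caught over the day
        "quiet_window": window_alert(QUIET_DAY, baseline),     # no false alarm
    }
    # "Only as good as your data": if the attacker's +1/hour was already present
    # while the baseline was learned, it is part of 'normal' and is not seen.
    poisoned = learn_baseline([c + 1 for c in TRAINING])
    results["poisoned_window"] = window_alert(LOW_AND_SLOW, poisoned)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The window check is not a substitute for the hourly one; it is a second, longer-horizon view of the same data, and an attacker who knows both horizons can slow down further still. The defence the article points to is the same in both cases: keep the baseline honest by learning it from data you trust, and keep looking at the slow trickle instead of learning to ignore it.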
The Redundancy/Single Point of Failure Problem
Companies need to make sure they have redundant infrastructure, unless they can afford to be offline for a day or two. Unfortunately, getting network redundancy is quite a bit more difficult than just signing up with two carriers, because both carriers might use the same physical infrastructure. And you can't just ask the carrier where their single points of failure are; they probably won't tell you!
Those that do know aren't allowed to talk about it. The big telcos, says Meyerriecks, "all file with us where their fiber runs and where it's strung out across the U.S. We're the third-party holders, the bank, and we sign agreements that say we won't share it." DISA needs the information to gauge military readiness. "We have a lot of interesting information, but most of it's classified," she says.
But some organizations, she notes, such as NASDAQ, have been able to get that information by stipulating in their SLAs that telcos must demonstrate that there aren't single points of failure on the network. Smaller companies, unfortunately, may have no leverage. But if it's any consolation, DISA actively works with telcos to reduce the single points of failure in the national infrastructure.
A Unified Front
These are starting points for better securing companies and hence the national infrastructure. As Schmidt points out, what's needed next is a unified front. But to date, there hasn't been one, not even across government agencies.
"One of the government's biggest vulnerabilities is the difficulty in establishing the contacts and processes—this involves people, not technology—across agencies so that databases/sources of information with pertinent and related knowledge can be accessed for the purpose of finding, tracking and apprehending terrorists before they do damage," says Miriam Browning, Director for Enterprise Integration, Office of the Army CIO/G6. The technology exists, she says, but establishing shared access rules and procedures requires not only cultural but political change.
Before private industry buys into any kind of broad-based security proposals from the government, they'll likely want to see the government put it to work themselves. And that isn't something that will happen this year, or even next year. In fact, the funds might not come through for another five years. Until then, it's up to companies to better secure themselves. But will they? In the absence of new legislation or pressure from Wall Street, probably not. Should they? Security is a journey—but no one's "there" yet.