[ISN] Securing the Nest

From: mea culpa (jerichot_private)
Date: Tue Oct 06 1998 - 14:25:54 PDT


    Forwarded From: Eric Budke <budket_private>
    
    [Just my two cents.  But if any tiger team left to try whatever it wants
     can't get into a Sun box, one should rethink the team.  Either the
     article stretches the truth a little, or the "tiger team" hasn't heard of
     an external SCSI drive and an install CD.
     (My experience is with Sun.  AIX I believe handles things similarly; HP I
     don't know.)  - Eric Budke]
    
    http://www.infoworld.com/cgi-bin/displayStat.pl?pageone/news/features/iw100/98iw100.oppenheimer.htm
    
    By Tom Young
    
    Hackers need to be lucky only once. You need to be lucky all the time. At
    least it can feel that way, especially if you are striving to manage close
    to $100 billion in mutual funds. For this reason OppenheimerFunds, a New
    York-based asset-management company, two years ago brought in security
    specialist Jim Patterson as vice president of security and
    telecommunications in an attempt to reduce the company's exposure to
    potential losses resulting from attacks on its data systems. 
    
    "Our losses are zero," Patterson says.
    
    Although Patterson carefully differentiates "losses" from "attacks," it's
    an impressive claim. OppenheimerFunds fosters a culture of secure
    computing, a legacy that Patterson happily inherited.  What he didn't
    inherit were strong, flexible systems for monitoring security-policy
    compliance on his midrange systems, detecting intrusions, and
    authenticating mobile workers. 
    
    The existing system used security auditors who periodically would come in
    and make recommendations based on their observations of security
    deficiencies, which the IT staff then would mitigate. 
    
    "When you finished, you'd sit back and say, `Gee, I'm in pretty good
    shape.' Then the next year, the audit team would come in and find more
    things [wrong]," Patterson says. 
    
    Day-to-day knowledge of the state of the system was critical given the
    company's explosive rate of growth. During the past two years,
    OppenheimerFunds has increased its portfolio from $54 billion to $95
    billion, and the number of employees has grown from about 1,500 to more
    than 2,000. 
    
    After considering a number of options, Patterson settled on Axent
    Technologies' OmniGuard, a suite of security tools that includes
    Enterprise Security Manager for compliance monitoring and Intruder Alert
    for intrusion detection. The company also uses Axent's Defender for
    token-based remote authentication. 
    
    Now Patterson and his team receive daily reports.
    
    "Many companies take a snapshot of their environment based on an audit,
    and they do that once a year," Patterson says.  "My snapshot is 365 days a
    year ... If there was a change that degraded my security posture, I'll
    know it within 24 hours of it happening, and then we can take action." 
    
    OppenheimerFunds runs about 40 servers that handle Internet services, Web
    servers, and client/server systems. The IT department embraces a diversity
    of operating environments, including Windows NT, Novell NetWare, and Unix
    variants from Hewlett-Packard, IBM, and Sun.  One of Patterson's main
    technical requirements for a monitoring system was that it had to live
    comfortably on all of his platforms. 
    
    Compliance monitoring involves comparing the configuration of a system to
    a company's security policies: for example, checking whether the system
    enforces a minimum password length or whether it forces users to change
    their passwords regularly.  The requirements to secure two servers can
    differ, even if they run the same version of an operating system. 
    
    "They're not always going to be exactly the same because of the
    sensitivity of the data, who's accessing it, and what the server is
    capable of doing," Patterson says. "I wanted a system that was tunable for
    my unique environment, so that every single instance, every single server,
    if I chose, could be measured differently from the others." 
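What a per-server, daily compliance check of the kind described above looks like in practice, as an added example for this page (it is not Axent ESM or OppenheimerFunds code). It parses a login.defs-style file and shadow-style records, holds two hosts of the same build to different policies, and diffs today's findings against yesterday's so a regression surfaces within one run. The host names, policies and sample files are all constructed.

```python
"""Per-host password-policy compliance check over login.defs / shadow style
input. Added illustration for this page, not Axent ESM or OppenheimerFunds
code; host names, policies and the sample files below are all constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int    # shortest password the host must accept
    max_age_days: int  # longest interval before the host forces a change


# Assumed per-host policies: same OS build, different requirements, because
# the data each server holds differs (the "tunable per server" point above).
POLICIES: Dict[str, PasswordPolicy] = {
    "fundaccounting": PasswordPolicy(min_length=10, max_age_days=30),
    "webproxy": PasswordPolicy(min_length=8, max_age_days=90),
}

# Constructed sample of a login.defs-style file and of shadow-style records
# (user:hash:lastchg:min:max:warn:inactive:expire:reserved).
LOGIN_DEFS_SAMPLE = """\
# constructed sample, not a real host
PASS_MAX_DAYS   90
PASS_MIN_LEN    8
PASS_WARN_AGE   7
"""

SHADOW_SAMPLE = """\
root:$6$c0nstructed$hash:10000:0:90:7:::
alice:$6$c0nstructed$hash:10000:0:30:7:::
backup::10000:0:99999:7:::
daemon:*:10000:0:99999:7:::
"""


def parse_login_defs(text: str) -> Dict[str, str]:
    """Return KEY -> VALUE for each non-comment line of a login.defs-style file."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_host(host: str, login_defs: str, shadow: str) -> List[str]:
    """Compare one host's effective settings with its own policy; return findings."""
    policy = POLICIES[host]
    findings: List[str] = []
    defs = parse_login_defs(login_defs)

    min_len = int(defs.get("PASS_MIN_LEN", "0"))
    if min_len < policy.min_length:
        findings.append(f"PASS_MIN_LEN is {min_len}, policy requires {policy.min_length}")

    max_days = int(defs.get("PASS_MAX_DAYS", "99999"))  # shadow default: never expire
    if max_days > policy.max_age_days:
        findings.append(f"PASS_MAX_DAYS is {max_days}, policy allows {policy.max_age_days}")

    # System-wide defaults only apply to new accounts; existing accounts carry
    # their own aging fields, so each record is checked individually.
    for record in shadow.splitlines():
        if not record.strip():
            continue
        fields = record.split(":")
        user, pw_hash = fields[0], fields[1]
        if pw_hash == "":
            findings.append(f"{user}: empty password field, login needs no password")
            continue
        if pw_hash.startswith(("!", "*")):
            continue  # locked or no-password account; aging is irrelevant
        acct_max = fields[4] if len(fields) > 4 else ""
        if acct_max == "" or int(acct_max) > policy.max_age_days:
            findings.append(
                f"{user}: password max age {acct_max or 'unset'} exceeds "
                f"{policy.max_age_days} days")
    return findings


def regressions(previous: List[str], current: List[str]) -> Set[str]:
    """Findings present today that were absent from the previous snapshot:
    the 'change that degraded my security posture' the article wants within 24h."""
    return set(current) - set(previous)


if __name__ == "__main__":
    for host in POLICIES:
        print(host)
        for finding in check_host(host, LOGIN_DEFS_SAMPLE, SHADOW_SAMPLE):
            print("  -", finding)
```

Run against the same sample files, the stricter host reports four findings and the lenient one reports only the empty password field; the point is that the input is identical and the verdict differs because the policy is per server.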
    
    OppenheimerFunds employs a "tiger team," a consulting company paid to
    crack its clients' systems and report any vulnerabilities. 
    
    "You give them a `get out of jail free card,' and you turn them loose," 
    Patterson says. 
    
    For example, OppenheimerFunds gave the tiger team physical access to the
    systems with a window of three weeks, during which time the team was to
    break in by any means possible. 
    
    "They weren't able to penetrate our systems at all, but ... as part of
    their nosing around, they did identify a couple of things that we could do
    internally [to improve our procedures]," Patterson says.
    
    OppenheimerFunds takes the recommendations seriously, and it has
    implemented controls for each one. But just as important, the security
    system was able to detect that the intruders were attempting to get in. 
    The system not only notifies security staff that the intrusion is
    happening, but also thwarts the attack while it's occurring. 
    
    "It's important to keep people out, but it's also important to detect and
    notify when someone is attempting to gain access inappropriately so that
    you can take action," Patterson says. 
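The detect-and-notify point above, as an added example that is not part of the original article or Axent Intruder Alert: a sliding-window rule over constructed sshd-style syslog lines that raises one alert when a source fails to authenticate five times within a minute, and a second, more urgent one if that same source then logs in successfully. The log format, host name, addresses and thresholds are assumptions.

```python
"""Failed-login burst detection over constructed sshd-style syslog lines.
Added illustration for this page, not Axent Intruder Alert code; the log
format, hosts, addresses and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Set, Tuple

# Assumed line shape (OpenSSH style); only the fields named here are used.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample: six failures then a success from 10.1.2.3 inside one
# minute, one stray failure and one ordinary login from elsewhere.
SAMPLE_LOG = """\
Oct  6 14:25:01 nest sshd[401]: Failed password for root from 10.1.2.3 port 40001 ssh2
Oct  6 14:25:02 nest sshd[402]: Failed password for invalid user oracle from 10.1.2.3 port 40002 ssh2
Oct  6 14:25:03 nest sshd[403]: Failed password for root from 10.1.2.3 port 40003 ssh2
Oct  6 14:25:04 nest sshd[404]: Failed password for admin from 10.1.2.3 port 40004 ssh2
Oct  6 14:25:05 nest sshd[405]: Failed password for root from 10.1.2.3 port 40005 ssh2
Oct  6 14:25:06 nest sshd[406]: Failed password for root from 10.1.2.3 port 40006 ssh2
Oct  6 14:25:09 nest sshd[407]: Failed password for alice from 10.9.9.9 port 51000 ssh2
Oct  6 14:25:10 nest sshd[408]: Accepted password for root from 10.1.2.3 port 40007 ssh2
Oct  6 14:26:30 nest sshd[409]: Accepted password for alice from 192.168.1.5 port 52000 ssh2
"""

Alert = Tuple[str, str, str]  # (kind, source ip, detail)


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Extract timestamp, result, user and source address; None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog carries no year; only differences between timestamps matter here
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(log: str, threshold: int = 5, window_seconds: int = 60) -> List[Alert]:
    """Raise one alert per source that fails `threshold` times within the window,
    and another if that source then authenticates successfully."""
    alerts: List[Alert] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Set[str] = set()
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that have aged out of the sliding window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, f"{len(q)} failures in {window_seconds}s"))
        elif ip in flagged:
            # the case that matters most: the guessing stopped because it worked
            alerts.append(("success_after_failures", ip, f"login as {user}"))
    return alerts


def block_list(alerts: List[Alert]) -> Set[str]:
    """Sources a responder would cut off while the attempt is still in progress."""
    return {ip for kind, ip, _ in alerts if kind == "brute_force"}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("block:", sorted(block_list(found)))
```

The second alert kind is the one worth paging on: a burst of failures is noise on any Internet-facing host, but a success from the same source inside the window means the guessing was not stopped in time, and the notification has to go out while the session is still live.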
    
    The last phase of installing the security system required implementing
    strong, two-part authentication for mobile workers.  Two-part, or
    two-factor, authentication requires a user to present something they
    possess, such as a token card, or something they are, such as a
    thumbprint, in addition to something they know, such as a user ID and
    password. 
    
    Much of Patterson's effort was directed at educating OppenheimerFunds
    employees. 
    
    "A lot of it is just that personal one-on-one, almost handholding --
    getting people to understand why it's important and getting them to buy
    into the concept. For the most part, I've been successful in getting
    people to dedicate the resources necessary, but it isn't something that's
    done overnight, nor was it done by mandate ...  Sometimes you have to have
    a heart-to-heart with people to get them to really appreciate that they
    have to dedicate time to it. It's a never-ending battle," Patterson says. 
    
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:06:33 PDT