[ISN] Security's Fighter Pilots

From: InfoSec News (isnat_private)
Date: Thu May 31 2001 - 03:11:32 PDT

  • Next message: Anshuman Sharma: "RE: [ISN] OpenPGP Alliance omits PGP Security"

    http://www.zdnet.com/intweek/stories/news/0,4164,2765371,00.html
    
    By Robert Bryce, Interactive Week
    May 28, 2001 5:51 AM ET 
    
    Rick Fleming vividly remembers the look on the executives' faces. The
    officials already knew that their credit union had some
    Internet-related security problems. But when Fleming, vice president
    of security operations at Digital Defense, showed them a slide of the
    computer screen used by the credit union's tellers - a screen that was
    obtained by Digital Defense's hackers over the Net - "their faces just
    went white," Fleming says with a chuckle.
    
    During another presentation to a different set of clients, Digital
    Defense flashed each manager's supposedly secure computer password on
    the wall of the conference room. The two demonstrations are among the
    company's most memorable events. Created just 18 months ago by a group
    of former Air Force information warfare veterans and a talented group
    of young hackers, Digital Defense, in San Antonio, is finding a ready
    market for its security services.
    
    Although dozens of security firms are already providing risk
    assessment, security monitoring and other security consulting
    services, Digital Defense is proving it can play with the big boys.
    Earlier this month, it signed a deal with Grupo Financiero
    Banamex-Accival, one of Mexico's largest banks, to do information
    security analyses on all 1,200 of the bank's branches. Banamex is the
    target of a $12.5 billion takeover by Citigroup.
    
    By targeting the financial sector, Digital Defense is aiming at the
    richest segment of the Internet security business. IDC recently
    estimated that spending on information security in the banking sector
    will rise from $1 billion this year to nearly $1.9 billion by 2004.
    Add another $1 billion or so that will be spent by the insurance,
    financial services and medical sectors, and it becomes apparent that
    information security is growing into a very big business.
    
    In the U.S., there are more than 20,000 banks and credit unions, all
    under increasing pressure to make sure their Internet-related
    operations are secure. Much of that pressure is coming from a federal
    law known as the Gramm-Leach-Bliley Financial Services Modernization
    Act. By July 1, all financial entities in the country are supposed to
    have policies and infrastructure in place to assure the privacy and
    security of consumer-related information. That law, combined with
    recent highly publicized hacker attacks on targets such as Microsoft
    and the White House, has meant a surge in demand for security
    services. And yet, Joe Cooper, Digital Defense's founder and
    president, says much of his time is spent educating clients.
    
    Companies "are just now waking up to risks they face," Cooper says.
    After doing security assessments on about 60 credit unions, Digital
    Defense claims it has had a 100 percent success rate in breaking into
    its clients' networks.
    
    Pentagon Offspring
    
    Founded in January 2000, digital defense is largely a product of the
    Pentagon. About a half-dozen of the company's senior people are
    retired Air Force computer security specialists. Marc Enger, the
    company's executive vice president of security operations, retired
    with the rank of colonel and was operations director at the Air
    Intelligence Agency, the Air Force's intelligence and computer
    security arm. Many of the company's other personnel worked at Computer
    Sciences Corp., which employs hundreds of people at the Air Force's
    Information Warfare Center in San Antonio. According to Cooper, only
    one of the people at the firm has not worked either inside the
    military or as a government contractor to the military.
    
    The company got its start after Cooper and Fleming were asked to
    assess the security at a small San Antonio credit union. After
    completing that job, they began looking at the broader credit union
    market and saw a potential niche. A few months later, armed with
    $700,000 in venture capital, Digital Defense opened its doors. Today,
    the company is nearing profitability. Cash flow is reportedly strong
    and Cooper sees a bright future. The private firm would not release
    revenue figures.
    
    Employing two dozen people, Digital Defense has done security work for
    dot-coms and insurance companies, as well as credit unions. It is also
    training examiners at the National Credit Union Administration to
    analyze the security systems used by various credit unions.
    
    "They are coming from an audit background," Cooper says. Auditors are
    accustomed to following checklists to examine compliance on matters
    such as accounting and operations. Security is much harder to assess.
    So Cooper is training the examiners to "go from a checklist
    environment" to knowing how to "determine if someone's firewall is
    working."
    
    A pivotal growth area for Digital Defense and other security firms is
    in managed security services, an area in which larger companies such
    as Counterpane Internet Security, Internet Security Systems and
    NetSolve already have a strong foothold. Digital Defense aims to
    increase its share of the market by providing less frequent monitoring
    at a lower price. "We are not trying to offer total security or
    intrusion detection services, just vulnerability analysis," Enger
    says. "When we find a problem, we tell our clients how to fix it."
    
    That approach appealed to Gil Roman, information systems director at
    Pacific Service Credit Union in Walnut Creek, Calif. Pacific Service
    offers Internet-facing services, including home banking and online
    auto loans. "We have to be very, very, concerned about security,"
    Roman says.
    
    After looking at a number of security firms, Roman decided to sign a
    three-year contract with Digital Defense at $1,650 per month. The deal
    requires Digital Defense to do annual security audits and remote
    penetration tests, as well as monthly external and internal
    vulnerability assessments. Digital Defense will also provide daily
    updates on new vulnerabilities and advise the credit union about the
    best way to configure new hardware and software. Roman says the key
    factor in his decision was that "their prices were good."
    
    As the market expands, Digital Defense faces the same problem that
    other small businesses face: hiring enough talented people to keep the
    business growing. To deal with the Banamex contract and other
    business, Digital Defense will likely have to double its work force by
    year's end. But it must be careful in hiring. Digital Defense's
    employees have access to financial records and information that could
    easily be misused. Enger believes some of the company's best recruits
    will come out of the military because they "are prequalified in terms
    of their security backgrounds."
    
    And if Digital Defense can't get the people it needs, Enger says,
    "it's going to be difficult to grow."
    
    
    
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    



    This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 02:58:34 PDT