[ISN] Not So Secure? It's a great time to be a security expert...

From: Kelley Walker (kwalker2at_private)
Date: Tue Jun 26 2001 - 09:51:57 PDT


:)  This caught my eye as I was scanning the infosec news:

Not So Secure?
June 11, 2001
By Maria Schafer

It's a great time to be a security expert. In the wake of widely publicized hacker attacks and the infamous Melissa and Love Bug viruses that wreaked serious damage on corporate networks worldwide, network-security groups are getting unprecedented attention and budgets from senior management.

The risk of an attack increases as companies add more remote workers, electronic-commerce projects and applications, such as e-learning. About 75 percent of U.S. organizations have experienced a significant information-security breach in the past year, according to Meta Group research. Now some big organizations have established a new high-level security position: the CISO (chief information security officer), who reports directly to the CIO and, in some cases, to the CEO.

Trouble is, while companies are building the technical infrastructure for creating secure systems and networks, many are doing so without instituting the processes, procedures and training for their IT and other employees on the front lines of security management. Even with enforcement centralized into a single group, the actual administration of security, such as the daily moves/adds/changes required for users to access systems, is typically the responsibility of the network administrator. The network administrator is most likely to be in charge of securing systems, including firewalls, VPNs, authentication servers, extranet directories and PKIs (public key infrastructures), for instance.

The bottom line is that the network administrator is not a security specialist. If a company wants to deploy its network administrator this way, it also needs to train him or her in security software, processes and procedures. It needs to develop security-management policies that are common across the organization and applied consistently for password updates and for adding or deleting user accounts, for example.

But because network security is relatively new and lacks experienced individuals, most groups are understaffed. So they off-load security administration to the network administrator. About half the network administrators surveyed recently by the Meta Group say they are responsible for security. Smaller organizations, not surprisingly, lean more heavily on their network administrators for security: nearly half of organizations with 1,000 to 5,000 employees use their network administrators as security staff, and more than one-third of organizations with more than 5,000 employees use their network administrators for this role, according to Meta Group research.

A better solution is to add a network security administrator to handle day-to-day security tasks and issues instead of overloading the network administrator. If the network administrator isn't trained to handle security breaches, the result can be devastating. Take one major Northeast insurance firm, which had procedures for password requests and access to its e-mail system. Disseminating information about potential viruses was a standard function of the insurance company's network administrator, and he regularly reviewed and updated virus definitions. But the day the Love Bug virus hit the company, he was out of the office. Although reports about the Love Bug virus had appeared in newspapers before the attack, the administrator was unaware of it, so management and the IT staff weren't notified of the risk. It was too late when the virus was finally discovered in the company's network. Other network staffers were too busy fighting fires -- down servers and other network problems caused by the virus -- to take control of the situation. The moral is that you need a thorough contingency plan for when the network administrator is out of the office and an emergency hits.

Recipe for Disaster

Often, companies run their security operation on two levels. The senior security manager, such as the CISO, is responsible for collecting and reviewing business requirements and "selling" upper management on the types of security systems and processes the company needs. This security professional also develops security policy, in cooperation with representatives from the business units.

The second level is the security staff -- which is often the network administrator, or security managers, who work with IT groups to embed security standards within the technical infrastructure. The network administrator handles day-to-day password changes and other user account tasks.

This split in the security policy and implementation can lead to disaster. The security manager, not the network administrator, should oversee things like regular password changes across all security services at the same time to reduce end-user confusion and forgotten passwords. He or she also should ensure that password standards are maintained across the organization and that user accounts are added or deleted from all system resources, not just some. The security manager and staff should handle security reporting, logging and audits (firewall scans, password checks) to ensure proper compliance. All too often, however, the network administrator handles these tasks -- without adequate preparation or training.

The key is for the network side of the house to incorporate security elements at the start of an upgrade or other projects. That means working closely with the security manager.

And effective security is not the sole responsibility of the security domain team or the CISO, either: Companies need to ensure that all employees are responsible for some aspects of security. The central security group should develop a general strategy based on conceptual and technical architecture principles and then apply it to the entire IT infrastructure. The job of end users is to create unique user IDs/passwords based on the company's password policy and standards. Even end users need some training; all the security technology in the world won't work if users act carelessly, e-mailing a proprietary document over the Internet without encryption or creating an easily guessed password.

When you define and implement security policies, some due diligence goes with them -- communicating them clearly through presentations, not cryptic memos, and publishing security policy on intranets, for instance. Security policy should be part of new employee orientation, too.

Close to Home

Global 2000 organizations traditionally haven't outsourced their security operations, because they mistrust service providers and are concerned about confidentiality and performance. Security's increasing clout in most IT organizations and the scarcity of security professionals who speak fluently in information security and business initiatives have prompted some organizations to pay CIO-level salaries to CISOs. Headhunters specializing in information security professionals have also started to

The high demand for these skills has created a significant market for information security training and certification, as organizations look to educate and develop security people from within. Programs from training organizations such as the SANS Institute, MIS Training Institute and the Information Systems Security Association are proliferating.

Most organizations should not outsource the responsibility for security. It's important to retain ownership of these functions in-house. The exceptions are vulnerability assessment and infrastructure design. There's plenty of pressure to hire outside talent because of a lack of personnel, but Meta Group discourages turnkey security outsourcing.

Meanwhile, there aren't enough people in the organization with the proper training and knowledge about security to defend against intrusions and problems. This will change, however, as the technology matures with more proactive tools, and security experts are "grown" within the organization. But for now, security administration still will be delegated to the network administrator, and the central security group -- in charge of policy -- needs to step up and ensure consistent administration across all systems.

Maria Schafer directs human capital management research at Meta Group, an information technology research and advisory services firm based in Stamford, Conn. Send your comments on this article to her at careersat_private

Kelley Walker
Organizational Researcher/Technical Writer
Interpact, Inc. Security Awareness
Interpact sponsors InfowarCon, 9/5-6, Washington, D.C.

ISN is hosted by SecurityFocus.com

This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 00:01:31 PDT