http://www.atnewyork.com/people/article/0,1471,8511_870981,00.html

By Erin Joyce
August 22, 2001

Even amid the tech and tech-spending slowdown, many information officers across the enterprise are still scratching their heads about which parts of their systems to throw open, externally and internally. At the same time, security experts lament that enterprise protection issues never get their due in the corporate budgeting process.

But with more and more employees being laid off, and plenty of disgruntled staff tempted to throw a monkey wrench into the works as a parting shot, some experts think network security may get a higher priority.

Look at any number of surveys on network security and most of the results cite end users' access to systems they don't need as one of the top issues facing network administrators. The other major security issue: user accounts left open after an employee has left the company.

Ben Rothke, a senior security analyst with network intelligence and security software firm Camelot, has seen the problem from both sides. As a network analyst with the three-year-old Camelot, his responsibilities include helping clients address network monitoring and management functions across enterprise systems. And as a 10-year veteran of network security, with expertise in PKI, access control, Windows NT, firewall configuration and cryptography, to name a few, he had to face a pink slip himself at Baltimore Technologies, where he worked before joining Camelot.

These days, when he's not working on security issues for Camelot's clients, Rothke also writes a column for Information Security magazine, a monthly security book review for Security Management magazine, and articles for other periodicals. AtNewYork.com chatted with him about what's hot in his world.

Q: What are the major issues in network security for enterprise customers?

Two things come to mind.
In the past 18 months or so, privacy issues (have been piling up) along with internal security issues. With so many consumers on the Internet, and so much information on the Internet, privacy is (getting lots more attention from corporations). There's also the legislative aspect, such as the Gramm-Leach-Bliley (financial modernization) Bill, which has resulted in many letters from banks (to customers explaining how customer information is used and whether customers can opt out). There's the Health Insurance Portability and Accountability Act (HIPAA) legislation in healthcare, which was meant to enable easier processing of claims; but once that information gets on the Internet, it causes huge reverberations.

And then there are internal security issues that need to be thought through a whole lot more. In days of old, users had dumb terminals to an IBM mainframe and you really couldn't do anything with that. Now, if I'm a pharmaceutical company, someone could FTP huge amounts of proprietary information and take off with a huge investment in trade secrets. It can happen both maliciously and accidentally. With Windows, it's very easy to move around files and delete them accidentally. One delete key could wipe out huge amounts of information.

Q: With so many people getting laid off (especially in the technology sector), what are some key issues regarding protecting the enterprise from disgruntled employees?

If a company doesn't have pre-existing policies in place, everything is reactive and that doesn't work that well. Many times, the (information technology or MIS) staff gets the list of laid-off employees days after human resources releases it. If communication isn't tighter, that's a problem. Part of the issue is that from the get-go, all these employees have huge amounts of information they have access to (on the network), be it via a VPN, dial-up, kiosks.
If you don't control that from the start, you probably don't have enough policies and procedures on shutting down these accounts. In any large organization there could be anywhere from five to 15 different entry points (to the network). There might be internal accounts for an NT server, UNIX server, a Web server, order systems, Customer Relationship Management systems, numerous Web-based services, time-keeping systems. Keeping track of all those accounts (and access to them) is critical from the start. There are so many platforms and environments (within an enterprise) that it can be difficult to control.

Q: Any advice for network administrators?

You need to develop policies and procedures that address who gets access and who monitors control. You need to make sure you're addressing a macro problem with a macro solution. Access control is huge. Storage is cheap, bandwidth is cheap, and terabytes are portable. It's mind-boggling how open the networks are. To the degree you throw open the network, that's how much you need to make sure your corporate jewels are protected.

The jeweler Cartier accounts for every jewel, every ring, every gem. They know what's in their inventory. If one earring is missing, they know about it. Unfortunately in corporate security, it's not like that. When a laptop is stolen, that could be 30 gigs of information to control. They need to create these controls from the onset (of issuing the laptop).

Q: What are examples of those policies?

When working with out-of-the-box (applications), before employees are given access, make sure their needs are defined, that there are methods for enforcement, open-ended reviews of data access points. One big problem in access control is the number of users and defining them in groups. You can start with an Excel spreadsheet and before long, you're out to column 250 with employees and resources to control. You have to treat data security in much the same way you treat physical security in the corporate world.
If I have an appointment at the World Trade Center, for example, I know I have to arrive about 25 minutes beforehand in order to get through certain checkpoints. Let's say you're a pharmaceutical company; you know the threat is not so much from some hacker overseas. It's the guy on the inside with the keys to the kingdom, with access to half a billion dollars worth of R&D, who could download it to a disk on his way to a meeting with some guy in the Grand Cayman Islands. That's no joke.

Q: Sounds like you're saying we need more of big brother?

I think it's an inappropriate term and completely misguided in its use now. In the book "1984", the term (big brother is watching) was about mind control and a totalitarian government. Citibank doesn't care what employees do in their off hours. Chase doesn't care if you're a member of the NRA or Amnesty International. It's about access inside their own corporate house. If you want to listen to Britney at 2:00 AM at 200 watts, and the corporate homeowner says you can't do that, that's not big brother.

So much of this client-server computing (and powerful desktop computing) is being rolled out all over, and it's being rolled out without any due diligence or controls. In the old days, you had to be an engineer to get the information. Now with Windows, you can install the most complex software package on NT, point, click and paste the entire corporate jewels. If a guy wants to download a gig of MP3 files, he can do it to his heart's content on his own time, but he can't expect to use my bandwidth and servers. That's not big brother, that's due diligence.

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
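Rothke's point about keeping track of accounts across five to 15 entry points, and about IT learning of terminations days after HR does, is the kind of thing a recurring check can catch. What follows is an added example, not code from the article, from Rothke or from Camelot: a Python reconciliation of an HR termination feed against per-system account inventories. Every employee id, account name, system name and date below is constructed for illustration. It flags two conditions the interview describes: accounts still enabled for people who have already left, and accounts that no HR record owns at all (the ones a spreadsheet at column 250 tends to lose).

```python
"""Reconcile an HR termination list against per-system account inventories.

Added example (not from the article, Rothke or Camelot). All data is
constructed: employee ids, account names, systems and dates are made up.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HR feed: employee id -> termination date (None = still employed).
HR_RECORDS = {
    "e1001": None,
    "e1002": date(2001, 8, 10),
    "e1003": date(2001, 8, 15),
    "e1004": None,
}

# Constructed account inventories, one list per entry point to the network.
# Each row is (owner employee id or None if unknown, account name, enabled?).
SYSTEM_ACCOUNTS = {
    "nt-domain": [("e1001", "jsmith", True), ("e1002", "rjones", True), ("e1004", "apatel", True)],
    "unix":      [("e1001", "jsmith", True), ("e1003", "mlee", True), (None, "oracle-ops", True)],
    "vpn":       [("e1002", "rjones", False), ("e1003", "mlee", True)],
    "crm":       [("e1004", "apatel", True), (None, "legacy-import", True)],
}


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    owner: Optional[str]   # None when no HR record maps to the account
    reason: str            # "terminated-still-enabled" or "no-owner"


def reconcile(hr, inventories, as_of):
    """Return every enabled account that is either unowned or owned by someone
    whose termination date is on or before `as_of`."""
    findings = []
    for system, rows in inventories.items():
        for owner, account, enabled in rows:
            if not enabled:
                continue  # already shut down; nothing to do
            if owner is None or owner not in hr:
                findings.append(Finding(system, account, owner, "no-owner"))
                continue
            term = hr[owner]
            if term is not None and term <= as_of:
                findings.append(Finding(system, account, owner, "terminated-still-enabled"))
    return findings


def reconcile_as_of(as_of_iso):
    """Convenience wrapper over the constructed data, taking an ISO date string."""
    return reconcile(HR_RECORDS, SYSTEM_ACCOUNTS, date.fromisoformat(as_of_iso))


def summarize(findings):
    """Count still-enabled accounts per terminated employee, most exposed first,
    so the leaver holding the most entry points is handled first."""
    counts = {}
    for f in findings:
        if f.reason == "terminated-still-enabled":
            counts[f.owner] = counts.get(f.owner, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    found = reconcile_as_of("2001-08-22")
    for f in found:
        print(f"{f.system:10} {f.account:14} owner={f.owner} {f.reason}")
    print(summarize(found))
```

In practice the two inputs would be pulled from the HR system and from each platform's own account store rather than embedded; the reconciliation logic stays the same. Running it on a schedule, rather than only when someone remembers, is what closes the gap between HR's list and IT's response.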
This archive was generated by hypermail 2b30 : Thu Aug 23 2001 - 04:59:42 PDT