[ISN] Questions for Ben Rothke, Senior Security Analyst, Camelot, Ltd.

From: InfoSec News (isnat_private)
Date: Thu Aug 23 2001 - 02:12:07 PDT


    By Erin Joyce
    August 22, 2001
    Even amid the tech and tech-spending slowdown, many information
    officers across the enterprise are still scratching their heads about
    what parts of their systems to throw open externally and internally.
    At the same time, security experts lament that enterprise protection
    issues are never given enough due in the corporate budgeting process.
    But with more and more employees getting laid off, and plenty of
    disgruntled staff tempted to throw a monkey wrench into the works as a
    parting shot, some experts think network security may get a higher
    Look at any number of surveys on network security and most of the
    results cite end-users' access to systems they don't need as one of
    the top issues facing network administrators.
    The other major security issue: user accounts left open after an
    employee has left the company.
    Ben Rothke, a senior security analyst with network intelligence and
    security software firm Camelot, has seen the problem from both sides.
    As a network analyst with the three-year-old Camelot, his
    responsibilities include helping clients address network monitoring
    and management functions across the enterprise systems.
    And as a 10-year veteran of network security issues, with expertise in
    PKI, access control, Windows NT, firewall configuration and
    cryptography to name a few, he had to face a pink slip himself from
    Baltimore Technologies, where he was before joining Camelot.
    These days, when he's not working on security issues for Camelot's
    clients, Rothke also writes a column for
    Information Security magazine, a monthly security book review for
    Security Management magazine and articles for other periodicals.
    AtNewYork.com chatted with him about what's hot in his world.
    Q: What are the major issues in network security for enterprise
    Two things come to mind. In the past 18 months or so, privacy issues
    (have been piling up) along with internal security issues. With so
    many consumers on the Internet, and so much information on the
    Internet, privacy is (getting lots more attention from corporations).
    There's also the legislative aspect, such as the Gramm-Leach-Bliley
    (financial modernization) Bill, which has resulted in many letters from
    banks (to customers explaining how customer information is used and
    whether customers can opt out). There's the HIPAA (Health Insurance
    Portability and Accountability Act) legislation in healthcare,
    which was meant to enable easier processing of claims; but once that
    information gets on the Internet, it causes huge reverberations.
    And then there are internal security issues that need to be thought
    through a whole lot more. In days of old, users had dumb terminals to
    an IBM mainframe and you really couldn't do anything with that. Now,
    if I'm a pharmaceutical company, someone could FTP huge amounts of
    proprietary information and take off with a huge investment in trade
    It can happen both maliciously and accidentally. With Windows, it's
    very easy to move around files and delete them accidentally. One
    delete key could wipe out huge amounts of information.
    Q: With so many people getting laid off (especially in the technology
    sector), what are some key issues regarding protecting the enterprise
    from disgruntled employees?
    If a company doesn't have pre-existing policies in place, everything
    is reactive and that doesn't work that well. Many times, the
    (information technology or MIS) staff gets the list of laid off
    employees days after human resources releases it. If communication
    isn't tighter, that's a problem.
    Part of the issue is that from the get-go, all these employees have
    huge amounts of information they have access to (on the network), be
    it via a VPN, dial-up, kiosks. If you don't control that from the
    start, you probably don't have enough policies and procedures on
    shutting down these accounts.
    In any large organization there could be anywhere from five to 15 different
    entry points (to the network). There might be internal accounts for an
    NT server, UNIX server, a Web server, order systems, Customer
    Relationship Management systems, numerous Web-based services,
    time-keeping systems. Keeping track of all those accounts (and access
    to them) is critical from the start.
    There are so many platforms and environments (within an enterprise)
    that it can be difficult to control.
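    The shutdown problem Rothke describes has a mechanical core: HR knows who has
    left, each entry point knows which accounts it still has enabled, and nobody
    joins the two lists. The script below is an added example, not code from the
    article or from Camelot, that does that join. The HR feed, the three system
    inventories, the names and the dates are all constructed for illustration. It
    reports accounts still enabled for separated employees, how many days the
    window has been open, whether the account was used after the separation
    date, and, separately, enabled accounts with no owner on record, which no
    separation list can ever catch.

```python
"""Reconcile HR's separation list against per-system account inventories.

Added example (not from the article): every name, system and date below is
constructed to illustrate the check, not taken from a real environment.
"""
from datetime import date

# Constructed HR feed: employee id -> (login name, separation date).
HR_SEPARATIONS = {
    "e1001": ("alice", date(2001, 8, 1)),
    "e1002": ("bob", date(2001, 8, 10)),
}

# Constructed account dumps from each entry point. Each record carries the
# owning employee id (None for accounts nobody has claimed), whether the
# account is still enabled, and its last recorded login.
SYSTEM_ACCOUNTS = {
    "nt-domain": [
        {"user": "alice", "emp": "e1001", "enabled": False, "last_login": date(2001, 7, 30)},
        {"user": "bob",   "emp": "e1002", "enabled": True,  "last_login": date(2001, 8, 15)},
        {"user": "carol", "emp": "e1003", "enabled": True,  "last_login": date(2001, 8, 21)},
    ],
    "unix-db01": [
        {"user": "alice",      "emp": "e1001", "enabled": True, "last_login": date(2001, 8, 5)},
        {"user": "svc_backup", "emp": None,    "enabled": True, "last_login": date(2001, 8, 20)},
    ],
    "vpn": [
        {"user": "bob", "emp": "e1002", "enabled": True, "last_login": date(2001, 8, 12)},
    ],
}


def find_orphans(hr, systems, today):
    """Return one finding per enabled account that should already be gone.

    Two classes are reported: accounts still enabled for someone HR says has
    left (with how long the window has been open and whether the account was
    used after the separation date), and enabled accounts with no owner at
    all. Disabled accounts and accounts of current staff are skipped.
    """
    findings = []
    for system, accounts in systems.items():
        for acct in accounts:
            if not acct["enabled"]:
                continue  # already shut down; nothing to do
            emp = acct["emp"]
            if emp is None:
                findings.append({
                    "system": system, "user": acct["user"],
                    "reason": "no-owner",
                })
                continue
            if emp in hr:
                _, separated = hr[emp]
                findings.append({
                    "system": system, "user": acct["user"],
                    "reason": "separated-still-enabled",
                    "days_exposed": (today - separated).days,
                    "used_after_separation": acct["last_login"] > separated,
                })
    # Longest-open windows first; unowned accounts (no window to measure) last.
    return sorted(findings, key=lambda f: -f.get("days_exposed", -1))


def report(findings):
    """Render findings one per line, suitable for a ticket or an e-mail to IT."""
    lines = []
    for f in findings:
        if f["reason"] == "no-owner":
            lines.append(f'{f["system"]}: {f["user"]} is enabled but has no owner on record')
        else:
            used = "and has been used since" if f["used_after_separation"] else "but unused since"
            lines.append(f'{f["system"]}: {f["user"]} enabled {f["days_exposed"]} days '
                         f'after separation, {used}')
    return lines


if __name__ == "__main__":
    for line in report(find_orphans(HR_SEPARATIONS, SYSTEM_ACCOUNTS, date(2001, 8, 22))):
        print(line)
```

    Run against the constructed data with 22 August 2001 as "today", it flags
    alice's UNIX account (21 days open, used after she left), bob's NT and VPN
    accounts (12 days each), and the unowned svc_backup account, while saying
    nothing about alice's already-disabled NT account or carol, who still works
    there. In practice each inventory would be pulled from the system itself
    (a domain export, /etc/passwd plus last-login data, the VPN user list) on
    the same schedule as the HR feed, so that the "days after HR released the
    list" lag becomes visible as the days_exposed number.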
    Q: Any advice for network administrators?
    You need to develop policies and procedures that address who gets
    access and who monitors control. You need to make sure you're
    addressing a macro problem with a macro solution.
    Access control is huge. Storage is cheap, bandwidth is cheap, and
    terabytes are portable. It's mind boggling how open the networks are.
    To the degree you throw open the network, that's how much you need to
    make sure your corporate jewels are protected. The jeweler Cartier
    accounts for every jewel, every ring, every gem. They know what's in
    their inventory. If one earring is missing, they know about it.
    Unfortunately in corporate security, it's not like that. When a laptop
    is stolen, that could be 30 gigs of information to control. They need
    to create these controls from the onset (of issuing the laptop).
    Q: What are examples of those policies?
    When working with out-of-the-box (applications), before employees are
    given access, make sure their needs are defined, that there are
    methods for enforcement, open-ended reviews of data access points.
    One big problem in access control is the number of users and defining
    them in groups. You can start with an Excel spreadsheet and before
    long, you're out to column 250 with employees and resources to
    You have to treat data security in much the same way you treat
    physical security in the corporate world. If I have an appointment at
    the World Trade Center, for example, I know I have to arrive about 25
    minutes before hand in order to get through certain checkpoints.
    Let's say you're a pharmaceutical company; you know the threat is not
    so much from some hacker overseas. It's the guy on the inside with the
    keys to the kingdom, with access to a half a billion dollars worth of
    R&D, who could download it to a disk on his way to a meeting with some
    guy in the Grand Cayman Islands. That's no joke.
    Q: Sounds like you're saying we need more of big brother
    I think it's an inappropriate term and completely misguided in its use
    now. In the book "1984", the term (big brother is watching) was about
    mind control and a totalitarian government. Citibank doesn't care what
    employees do in their off hours. Chase doesn't care if you're a member
    of the NRA or Amnesty International. It's about access inside their
    own corporate house.
    If you want to listen to Britney at 2:00 AM at 200 watts, and the
    corporate homeowner says you can't do that, that's not big brother.
    So much of this client-server computing (and powerful desktop
    computing) is being rolled out all over, and it's being rolled out
    without any due diligence or controls.
    In the old days, you had to be an engineer to get the information. Now
    with Windows, you can install the most complex software package on NT,
    point, click and paste the entire corporate jewels.
    If a guy wants to download a gig of MP3 files, he can do it to his
    heart's content on his own time, but he can't expect to use my
    bandwidth and servers. That's not big brother, that's due diligence.
    ISN is currently hosted by Attrition.org
