[ISN] The Secret Service's Bob Weaver on Preparing for the New World Disorder

From: InfoSec News (isnat_private)
Date: Mon Mar 11 2002 - 22:42:38 PST

    Forwarded from eric wolbrom, CISSP <ericat_private>

    On Sept. 11 the office of the Secret Service was destroyed. In two
    days, it was fully operational. Bob Weaver, head of the New York 
    Electronic Crimes Task Force shows what it means to respond to

    BEST KNOWN AS THE protectors of presidents, the U.S. Secret Service
    (USSS) are often seen as the men and women in dark suits and
    impenetrable glasses running alongside limousines and walking two
    steps behind world leaders. But when the USSS was created in 1865, its
    mission was to safeguard the nation's financial payment systems from
    fraud, counterfeiting and exploitation. These days, technology is
    often the facilitator of these crimes, so understanding and using
    technology for the detection and prevention of computer crime has
    become an integral part of the USSS's mission.

    In 1995, the New York Electronic Crimes Task Force (NYECTF), a
    division of the USSS, was developed specifically to help companies
    beef up their cybersecurity. It's worked so well in New York that the
    newly passed Patriot Act calls for the Secret Service to establish
    similar groups across the nation to prevent electronic crime. Groups
    are currently being formed in Boston, Charlotte, N.C., Chicago,
    Cleveland and Columbia, S.C. Bob Weaver, the assistant special agent
    in charge of the task force in New York City, has overseen the
    training of more than 20,000 individuals in security awareness, best
    practices and contingency planning for security crises. On Sept. 11,
    Weaver and his team found themselves on the front line of a real-life
    security emergency when their offices at 7 World Trade Center came
    crashing down. Weaver's hard work at educating the corporate community
    about security paid off in spades when NYECTF members showed up in the
    days and hours that followed to work round-the-clock and rebuild his
    group. We talked with Weaver about weathering the attack, the effect
    it has had on corporate security, the renewed responsibilities CEOs
    face to provide security leadership, and how making friends with their
    peers could be the most important business decision CEOs make.

    Darwin: In the wake of Sept. 11, is there a renewed sense of
    patriotism and responsibility that carries over to business? Do
    companies now have a larger responsibility to share information about
    security breaches?

    Weaver: The president has decided that homeland security is a
    Cabinet-rank position, and I would suggest that companies should take
    that into consideration. If significant portions of the critical
    infrastructure go down and it was preventable, then what have we
    achieved as a community? Have we failed or succeeded? Reach within
    your means to help support and coordinate what can affect you, your
    company and your community. Certainly the NYECTF could not have held
    up by itself, and I will freely admit to you that because [those
    companies] extended themselves beyond their obligations, we were
    better off.

    If businesses partner with government and industry experts to share
    security information and fight breaches, how do they benefit?

    Well, I don't want to say that you become bulletproof, but you become
    stronger tenfold. [Business and government] run parallel to each 
    other, and where there is common ground, value or mutually beneficial 
    situations is where we need to come together.

    What did your task force do to help companies deal with security risks?

    We created a no-strings-attached cyber- and physical security risk
    management survey that we give to companies for free. [To download a
    copy of the NYECTF security survey, go to the Helpful Links section of
    its site at www.ectaskforce.org.] We will help them with it, or they
    can do it on their own. When we're in our protection mode - for major
    events like the Olympics - we go to great lengths to protect the
    critical infrastructure of the community. We check the
    telecommunications, water, oil, gas, electricity, emergency services
    and transportation. All of these things are outlined in the survey.  
    It also addresses cybersecurity issues: from just simply backing up
    data, to putting up firewalls, to updating viruses and monitoring

    What is the role of CEOs in their company's security?

    That's very important. I would say to the CEO that his or her senior
    executives need to be represented [in a cross-functional security
    committee] so that communication about security happens right at the
    top of the company. That way the CEO understands what stage the
    company is in regarding security planning and where it needs to be
    because this is a work in progress. None of this stuff is cast in
    stone. That's why senior executives have to be involved in the
    process - because it will be fluid, it will change, and it will evolve.

    In most companies, cybersecurity is an IS issue, and physical security
    is a facility issue. Is this division of security the right approach?

    Some people call it enterprise protection planning; some people call
    it risk management. But I recommend to companies that directors of
    security, CIOs and CEOs consider that streamlining [cyber- and
    physical security] can provide them an extra level of fast-track
    communication when times get tough. Better coordination and
    communication between them is good business. In the corporate world,
    we're seeing an awakening in which those two components are coming
    closer together.

    Has the mission of the New York Electronic Crimes Task Force changed
    given the emphasis on security?

    Our mission hasn't changed since Sept. 11, but it has been
    rededicated. We're more highly motivated now. We know what it's like
    when a company goes down because we were down. We had our quarterly
    meeting recently, and at that meeting were 550 people. Almost 70
    percent of those individuals were from corporations. That tells you
    the stakes are high. And these are very talented people who
    collaborate regularly.

    How does the task force feed its member companies information about
    security issues?

    We've created a Listserv of the participating members of the task
    force and a running dialogue of current cases, current schemes to
    defraud, criminal enterprises and viruses. Carnegie Mellon is on the
    task force, and they run the computer emergency response team
    coordination center, so we let them do the notifications. For more
    critical conversations, members can go offline and contact each other

    Did the attacks raise the bar on the level of security that companies
    should aim for? How does a company know when it has enough security?

    Well, imagine getting up from your desk right now, walking out the
    door and running for your life while everything you left behind is
    destroyed. Then tomorrow, go back to work. When you can stand up under
    that battle-tested environment and actually go to work the next day,
    then you'll know that you have a robust and redundant system that can
    come only from preincident planning. You cannot make that up as you go
    along - that would be like trying to change the tire on a car as you're
    driving down the road. You've got to set policies and procedures at
    the strategic, tactical and operational levels while protecting your
    information and your intellectual property. Companies that don't do
    this are risking everything every day.

    To what degree have you found most companies and CEOs willing to seek
    help and share information?

    From my experience, all of that is based on trust and confidence.
    It's very difficult to call up a stranger and tell him about the crown
    jewels. If you have a preexisting relationship, that becomes a very
    important component when times are tough. If you look at Secret
    Service credentials, they tell you that the agent in front of you is
    worthy of trust and confidence. It's not about controlling or
    dictating partnerships, it's about caring about what's in companies'
    best interests.

    Is trust a stumbling block when companies are competitors and you're
    trying to foster an open discussion about security?

    Companies usually come to us as a referral from an existing member.
    We don't have memorandums of understanding or nondisclosure
    agreements. We don't sign any paperwork. We believe that there are
    policies and procedures in place now - criminal laws and civil laws - that
    protect both of us. If I have to ask you to sign a 35-page document
    before I can talk to you, maybe we can't do business.

    Because there's not going to be complete honesty there?

    Having different objectives doesn't mean we can't be completely
    honest. But I would suggest to you that this group is the last place
    on earth that you'd want to come to destroy your reputation, end your
    professional career or steal intellectual property. You'll have just
    announced to the world - 100 to 200 of the top high-speed companies - that
    you cannot be trusted, that you may be a crook or a thief.

    In testimony before Congress last October you mentioned the Secret
    Service recognizes that information sharing between law enforcement
    and the private sector must shift. What kind of relationship do you
    hope to build between the two groups?

    The way that we conduct business is the shift I'm referring to where
    relationships and partnerships are the watchwords and the high
    watermarks that we need to be at. Firemen do it right. They don't
    really want to be at your house to put out a fire. Instead they go to
    great lengths to educate with regard to fire prevention. But if you
    need them, call, and they'll be there. I think that's a good lesson
    for all of us. We believe in crime prevention; we believe in
    cybercrime prevention - and the best way to do that is to share

    What happened to your group after losing your offices at 7 World Trade

    For a long time it was our job to take care of the [business]
    community, and we never thought the community would have to take care
    of us, but that's what happened on Sept. 11.  We had total
    catastrophic failure. Everything was destroyed - from tables and chairs
    to vehicles, computers and phones. We lost all of our information at
    that location. Our data is backed up and stored at a remote location,
    so that was all recoverable, but no hard copy or hard drive data was
    recovered from 7 World Trade. Yet we were able to rebuild within 48
    hours, and in seven days we were twice as strong with robust and
    redundant wireless communications and computer network capabilities. I
    attribute that to the partnerships we had formed with the companies in
    the NYECTF.

    They rebuilt us from the ground up. I'm not just talking about regular
    people showing up. I'm talking about presidents, CEOs and CIOs showing
    up to help us. When it's 2 or 3 o'clock in the morning and the CEO or
    CIO of a company is connecting computers and building firewalls, it's

    All the companies that came to your rescue were members of the NYECTF.
    Had you contracted with any of them ahead of time, or were they coming
    strictly out of friendship?

    They're participating members of the task force, but they gave back to
    us of their own volition. We can't require the private sector to do
    anything unless mandated by law. They came without being called.

    How important is it for companies to have those kinds of relationships
    with service providers before tragedy strikes?

    If you want to talk about due diligence, best practices and risk
    management, companies should have a contingency plan in effect. And if
    that involves third-party contractors, coalitions or alliances that
    they have set up, I think it's a very smart thing to do.  Equipment,
    resources and contingency plans are important because if they're not
    in place, you risk everything. So I would say to any company - small,
    medium, large or global - have a plan in effect to fall back on.

    Are there lessons that you learned from your experience?

    Nothing replaces well-trained people. But the events aren't always
    going to be catastrophic. We sit down and have debriefings to discuss
    what we could do better every time [a security breach] happens. It's a
    powerful way to take lessons learned and turn them into action items.
    On Sept. 11 we had a relocation plan, a contingency plan, an
    evacuation plan, a communications plan and a network plan. These
    things need to be up and running in a time-sensitive way. That's where
    the companies stepped in to help us. That's the difference between
    being operational in 48 hours and 48 days.

    Eric Wolbrom, CISSP			Safe Harbor Technologies
    President & CIO				190 Goldens Bridge Ct.
    Voice 914.767.9090 ext. 6000		Katonah, NY 10536
    Fax   914.767.3911				http://www.shtech.net
