[Of all the newsletters I get (both unsolicited and subscribed), I try to make the time to read The Eiden Report. Jim is a font of information on various subjects of business, and with the Internet, how it relates to business today. Jim's newsletter is free, and if you are interested in another viewpoint, I recommend mailing Jim and asking him to subscribe you to his newsletter. - WK]

---------- Forwarded message ----------
Date: Wed, 5 Jun 2002 00:43:02 -0500
From: Jim Eiden <Jimat_private>
To: William Knowles <wkat_private>
Subject: EidenReport - Computing Security - Two Views

Computing Security, Two Views

In this issue, we have two separate views of business and computing security. Jan Hertzberg is a Principal of Axiom Security. Jan has extensive IT, security and business process experience. The overall goal of Axiom is to bridge the gap between IT and business functions and processes as it applies to security. We then have a featured interview with Richard Forno, author of InfoWarrior and former executive of VeriSign.

GUEST COMMENTARY - Aligning Security Initiatives and Business Goals, Jan Hertzberg of Axiom Security LLC

Many security professionals want to know "how can I increase senior management's support for new digital, physical and employee security initiatives?" To be sure, there are many good reasons for companies to consider increasing their attention to security in the aftermath of the 9/11 tragedy, including the growing prevalence of workplace violence, unrelenting hacker attacks and virus threats. Ironically, while internal and external threats still show no sign of abating, enterprise spending for security is expected to increase only modestly in the next few years.

What is the most effective approach for creating awareness of the importance of security? Above all, security professionals need to resist the temptation to create a "hyper-awareness" of security issues that quickly burns itself out. While the use of fear, uncertainty and doubt may temporarily serve to convince an executive that more needs to be done to protect the company and manage risk, this approach does not succeed in creating long-term partnerships between security professionals and management. For instance, in the aftermath of Y2K, many non-IT executives lamented that they were "railroaded" into expensive and often unnecessary system changes/upgrades, based on a predicted cataclysm that never occurred. Many of these executives will think twice before approving new proposals based on perceived "scare tactics".

Today's executive is faced with an increasingly competitive marketplace in which reduced margins, competing priorities and a steadily shrinking budget take their toll. While executives acknowledge that security threats are real, they may find it difficult to justify a sizable increase in spending to manage risk. They may also be unable to devote the time and resources necessary to review and test the company's business continuity, disaster recovery and other security strategies.

The key to creating a win-win situation with senior management lies in identifying opportunities to align with the company's established business goals and objectives, as well as to find collateral benefit with other parts of the organization. These opportunities will help the executive understand how security can complement and facilitate the enterprise's current priorities. Rather than requiring the implementation of a "one-off" solution, security can actually be an enabler of other business goals. Here are some traditional business goals that may be enhanced by security solutions:

1. Promote Cost-Efficiency - Executives often strive to increase cost-efficiencies throughout the organization, and there is constant pressure to "get lean and mean". Security solutions, e.g. biometrics or smart cards, may be used to reduce the overall volume of password resets, thereby allowing help desks to reduce their costs. Also, a fully-equipped alternate data center can help ensure business continuity and improve operational performance by providing auxiliary computing power during peak processing times. While capital expenditures are required initially to establish a robust computing environment with full redundancy, significant savings in infrastructure and facilities may be realized over time. If high availability is important to the objectives and goals of the business, not having it can mean the difference between profit and bankruptcy.

2. Protect Market Share - The Bank of America, Northern Trust and other financial institutions have taken highly visible positions in promoting increased privacy for their customers. Many insurance companies now offer "eSecurity" products intended to protect the enterprise from hacking and other break-ins. As society's concern about security and privacy grows, interest in these companies and their products will inevitably grow.

3. Improve Customer Service - Consumers are regularly inundated with requests for userids, passwords and Personal Identification Numbers (PINs) from web sites, help desks and Interactive Voice-Response (IVR) systems. Responding to these repetitious requests can be a frustrating experience. Use of biometrics may offer a less stressful customer experience with improved authentication and non-repudiation.

4. Protect Innovation - Corporations that have recently gone through rightsizing or downsizing measures may be vulnerable to theft of their intellectual property (IP) or even sabotage by disgruntled ex-employees. Much can be done by the security professional to protect corporate information assets, from creation of policies and compliance tracking to monitoring networks and hosts with intrusion detection and tracking fraud with computer forensics.
In summary, a true partnership between executives and security professionals requires consideration of business objectives, company mission and the role that security can play to enhance and add value to the business. In short, the security professional needs to share the executives' vision of the company and its future.

Jan Hertzberg - CISSP
Principal, Axiom Security, LLC
jhertzbergat_private
866-297-9997

- - - - - - - - - - - - - SPONSOR - - - - - - - - - - - - - - - - - - -

Like what you see with the Eidenreport.com? Let Mir Internet Services do the same for you, from web design and database development to a look and feel that is appropriate for your organization. Mir features SEO Logic(TM), which integrates consumer search behavior analysis with search engine optimization services, driving targeted traffic to your web site.

Contact: Jonathan Ashton, VP of Business Development, at (773) 661-1011. Website: http://www.seologic.com/

Or C. J. Newton, CEO, Mir Internet, Inc.
1608 N. Milwaukee Ave., Suite 807
Chicago, Illinois 60647
p. 773.661.1011
c. 773.837.8012
f. 773.661.1012
e. cnewtonat_private
w. http://www.internetmadeeasy.com

- - - - - - - - - - SPONSOR - - - - - - - - - - - - - - - - - -

FEATURED INTERVIEW - 21 Questions with Richard Forno

Hailing from a 'hands on' background in security operations, Richard most recently served as the Chief Information Security Officer for Network Solutions (now VeriSign), the company operating the central servers for the Internet. In this role, he built the first information assurance program and incident response capability for one of the world's most critical information infrastructures, drawing on his previous experience coordinating computer crime investigations and information security projects for the US House of Representatives and other government agencies. In 2001, he co-launched Whonami, an independent whois engine with unique translation capabilities.

As an adjunct lecturer at The American University, he developed (and delivered) the University's first courses on information security and information warfare, and conducts recurring guest lectures at the National Defense University. In 2000, he was an active participant in the White House Office of Science and Technology Policy Information Security Education Research Project. He is also co-founder of G2-Forward and the ACCESS:INTELLIGENCE project, an innovative information service serving the national security and emergency preparedness communities since 1997.

A student of national security studies, Richard is a frequent lecturer at government, industry, and academic symposia. He is co-author of the popular books The Art of Information Warfare (Universal, 1999) and Incident Response (O'Reilly, 2001). His 1998 essay on the "InfoCorps" (appearing in the AFCEA book CYBERWAR 2.0) helped shape DoD initiatives in developing information assurance and Internet risk assessment capabilities during the 1990s. He also pens a recurring column for SecurityFocus.com and his personal website, Infowarrior.org.

Richard holds degrees from Salve Regina University (M.A., International Relations), American University (B.A., International Studies), and Valley Forge Military College (A.A., Business) -- and is the youngest recorded graduate from the United States Naval War College. His professional affiliations include the National Military Intelligence Association (Past President, Potomac Chapter); High-Technology Crime Investigations Association; and United States Naval War College Foundation.

1. How did your military experience prepare you for a career in computing security?

The military experience was not IT related at all.

2. With InfoWarrior, why did you take the Chinese philosophy/military approach to security?

It seemed like a fun way to approach the subject. Both my coauthor and I are avid readers of Asian military arts. We figured that Sun Tzu's Art of War text was a logical way to discuss information security at both the corporate and national levels. As a result, we 'created' our own 'philosophers' that, like in Sun Tzu's work, discuss the philosophies of information security in an easy-to-follow, readable, and occasionally fun manner.

3. Have you read The Cuckoo's Egg, by Clifford Stoll? If so, what are your comments regarding the book and what happened? (Editor's note: The Cuckoo's Egg is perhaps one of the best books on computing security. It is a true story and is written like a spy novel, except that it actually happened.)

Cliff's book is WONDERFUL! It is THE book on what computer investigations are like -- although it was written in the late 1980s, very little has changed. I use it as a required text in my INFOSEC class, to show students that hacker-tracking involves hours (if not days) of sheer boredom followed by a few minutes of sheer panic and excitement. I firmly endorse Cliff's text to this day.

4. According to The Cuckoo's Egg, the U.S. government was very slow to understand the gravity of what was happening as well as slow to respond. Has the U.S. Government taken computer security more seriously (before Sept 11, 2001)?

The USG traditionally moves slowly in any area it touches. Regarding computer security, I'm afraid it continues to avoid taking responsibility for it at its agencies, choosing instead to fund research, reports, and studies -- long-term stuff -- instead of spending significant funds to close the vulnerabilities and exploits we already know about. The problem is that the USG tends to always consider 'future problems' instead of the 'immediate' ones that present dangers.

5. Have there been significant changes in the way the U.S. government has approached computing security after Sept 11?

It's been paid increased lip service, and it now falls under Tom Ridge's organization, but I think the security emphasis on terrorism in the 'real' world is more appropriate at this point. Cyberterrorism IMO is not a major issue that we should be losing sleep over. So, in general, INFOSEC has received some increased attention and funding, but I'm skeptical of its effectiveness. However, there has been increased bureaucracy and working groups created to deal with computer security -- as with any tragedy, the bureaucracy will be created to figure out how to deal with it. That's the nature of bureaucracies in general!! :)

6. In your opinion, what percentage of computing security is based on common sense people issues, and what percentage is technical? Why?

I'd say computer security is 80% common sense and 'non-technical stuff' - with the rest being effective security technologies. Unfortunately, it seems folks are enamored with the glitter of anything technical, so they spend a fortune on so-called silver-bullet solutions instead of taking a macro look at whether or not such procurements will actually increase their level of REAL security, or are just continuing the illusion of security.

7. What major trends are you seeing in hacking/cracking? Has activity increased or decreased? How much is malicious (such as defacements), versus more serious crimes (such as financial blackmail, code stealing, etc.)?

Web defacements, DDOS, viruses, etc., are nuisance attacks that, while causing problems, aren't a significant issue that causes me worry. Rather, it's the ones I DON'T know about - folks that are on my networks and stealing information from me -- that I'm very concerned about. The stuff making headlines is noise... but you rarely hear about 'significant' security attacks or events.

8. How many security related events do you attend per year? Which ones are the best?

I attend probably a dozen or so such events. The best ones are hacker cons - such as Rubi-Con in Detroit - where you get great technical sessions and also learn in the unofficial party sessions upstairs. :)

9. In terms of attending events where there are so-called "Black Hats" and "White Hats" in attendance, what kind of protocols are there so that you don't give away secrets to each other, but can also learn from each other?

It's a matter of who-trusts-who. I know some black hats that trust 'feds' with information, and others that won't even be in the same room if they know a 'fed' is present. At such events it's almost like a 'thieves' code', if you will, about how folks relate. For example, I've been a 'white hat' for a while, and folks know I work with law enforcement and others on computer security matters - but I've achieved a decent level of 'trust' among my underground friends, and that's a wonderful thing.

10. Have there been arrests at these types of events/conventions?

Dmitry Sklyarov, a Russian programmer, was arrested at Defcon last year in Las Vegas under the Digital Millennium Copyright Act (DMCA) for releasing a tool that Adobe Systems thought infringed on its intellectual property. Every now and then, folks will get arrested for drunk and disorderly, or small-time drug stuff, but that's par for the course at hacker conferences.

11. Do you advise or work with Disaster Recovery issues as well?

Occasionally - but I have friends that do more than I in this area.

12. Do you advise or work with Internet Fraud in addition to Security issues? If so, can you tell us about some of this work as well?

Sure, I have been involved with credit card fraud investigations for the past several years. Usually this involves stolen credit cards, or electronic credit card generators used to rack up fraudulent purchases. In fact, back in 1993, I was one of the first to demonstrate the capabilities of PC software to generate viable credit card numbers to the Secret Service (the folks charged with these investigations) -- they were in awe of the software I showed them... and no, I didn't write the code, I showed 'em how it worked.

13. How long do you think it will be before companies and governments view computing security as an integrated part of business/operations rather than an afterthought?

When Boards and Executive Management get their collective heads out of their collective backsides. Security is a function of business, and serves to ensure revenue streams. Until the CSO is a direct report to the CEO, and can brief the Board routinely, this will continue to be a problem. I've seen too many cases where security issues continually impacted a company, but nobody upstairs was willing to accept knowledge about them, or mandate that problems be fixed -- choosing instead to ride wave after wave of bad press and notoriety.

14. Are you working on any other books? If so, when can we expect a new book, and what will it be about?

Yup. A social commentary about technology, society, government, and other issues... think of it as George Carlin meets Dennis Miller as written by Andy Rooney. :) But while it will include IT, it won't be an IT book per se.

15. What is the most important piece of advice you would like to give us?

Security is only as effective as those responsible for developing, deploying, and participating in it. Technology can't solve the 'people' problem, and as a result, we continue to see organizations operating under the illusion of security, instead of the reality of effective security.

16. What is your opinion on Kevin Mitnick? Was he framed, or did he really do what he was convicted for?

Never followed the case closely enough to care. However, I do think he's gotten a bad rap - he's not a "cyberterrorist" like the media portrays him.

17. What is your opinion on the recent capture and conviction of the person responsible for the Melissa virus?

Good riddance. However, I'm more concerned that the company responsible for laying the framework for Melissa, Code Red, Sircam, and other viruses/trojans never gets punished. Microsoft's poorly-written software has been the cause of most computer security news in recent years, yet NOBODY seems to care about pointing fingers at them. The MS 'Trustworthy Computing' initiative - such that it is - is simply too little, too late, and is probably done because folks are now starting to realize that MS products may not be the best thing for their companies, and to prevent a mass exodus of customers, Gates & Co. released their public statements about being committed to security, etc., etc., etc. Most of the security folks I've spoken to think this is nothing but PR spin and marketing, and that security really won't be improved much by MS.

18. Cisco recently announced better than expected earnings. Do you think this is due to increased spending for computing security?

Not really, particularly since I don't think of Cisco as a 'security' company.

19. Being a former employee of Network Solutions (Verisign), can you comment on what is happening in the domain name industry? Where do you think the industry will be 5 years from now? What role do you think ICANN will play in the future?

ICANN was flawed from the start, and they only recently admitted it publicly. The domain industry is seriously flawed thanks to competing vendors, slamming, questionable policies (enacted by ICANN and WIPO) that almost always favor corporations over individuals, and other such issues. ICANN (or something like it) should remain an advisory body for consensus, but needs to get out of its 'meddling' in areas they have little competence or charter to deal with. Unfortunately, ICANN consists of folks with little real-world operational IT experience (a few exceptions exist though) and is full of lawyers, analysts, and people that probably could have fit in very well on the Enron Board.

20. In addition to ancient Chinese military philosophers, what other influences have impacted your career and perspective?

My family, and the tenets of Valley Forge Military Academy and College. Both taught me to seek, strive, and never settle, and to always do so with a high degree of energy, integrity, and empathy.

21. What is next for Richard Forno?

I'm currently consulting to the Department of Defense on information warfare and critical infrastructure protection issues. With my master's degree completed, I've got more time to write and lecture, and I aim to continue doing so, and teaching my adjunct class on INFOSEC (Information Security) here in DC. I plan to remain consulting, since it's a flexible lifestyle that gives me a variety of environments to work in and learn from. ...and, of course, to hopefully make a difference in this crazy, mixed-up world we're trying to survive in!!!

Richard Forno
http://www.infowarrior.org
rfornoat_private

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Jun 05 2002 - 04:11:18 PDT