[ISN] EidenReport - Computing Security - Two Views

From: InfoSec News (isnat_private)
Date: Wed Jun 05 2002 - 01:19:49 PDT

    [Of all the newsletters I get (both unsolicited and subscribed), I try
    to make the time to read The Eiden Report. Jim is a font of
    information on various subjects of business, and with the Internet,
    how it relates to business today. Jim's newsletter is free and if you
    are interested in another viewpoint, I recommend mailing Jim and asking
    him to subscribe you to his newsletter.   - WK]
    ---------- Forwarded message ----------
    Date: Wed,  5 Jun 2002 00:43:02 -0500
    From: Jim Eiden <Jimat_private>
    To: William Knowles <wkat_private>
    Subject: EidenReport - Computing Security - Two Views

    Computing Security, Two Views.

    In this issue, we have 2 separate views of business and computing
    security.  Jan Hertzberg is a Principal of Axiom Security.  Jan has
    extensive IT, security and business process experience.  The overall
    goal of Axiom is to bridge the gap between IT and Business functions
    and processes as it applies to security.

    We then have a featured interview with Richard Forno, author of
    InfoWarrior, and former executive of Verisign.

    GUEST COMMENTARY - Aligning Security Initiatives and Business Goals,
    Jan Hertzberg of Axiom Security LLC

    Many security professionals want to know "how can I increase senior
    management's support for new digital, physical and employee security
    initiatives?" To be sure, there are many good reasons for companies to
    consider increasing their attention to security in the aftermath of
    the 9/11 tragedy, including the growing prevalence of workplace
    violence, unrelenting hacker attacks and virus threats. Ironically,
    while internal and external threats still show no sign of abating,
    enterprise spending for security is expected to increase only modestly
    in the next few years.

    What is the most effective approach for creating awareness of the
    importance of security? Above all, security professionals need to
    resist the temptation to create a "hyper-awareness" of security issues
    that quickly burns itself out. While the use of fear, uncertainty and
    doubt may temporarily serve to convince an executive that more needs
    to be done to protect the company and manage risk, this approach does
    not succeed in creating long-term partnerships between security
    professionals and management. For instance, in the aftermath of Y2K,
    many non-IT executives lamented that they were "railroaded" into
    expensive and often unnecessary system changes/upgrades, based on a
    predicted cataclysm that never occurred. Many of these executives will
    think twice before approving new proposals based on perceived "scare

    Today's executive is faced with an increasingly competitive
    marketplace in which reduced margins, competing priorities and a
    steadily shrinking budget take their toll.  While executives
    acknowledge that security threats are real, they may find it difficult
    to justify a sizable increase in spending to manage risk. They may
    also be unable to devote the time and resources necessary to review and
    test the company's business continuity, disaster recovery and other
    security strategies.

    The key to creating a win-win situation with senior management lies in
    identifying opportunities to align with the company's established
    business goals and objectives, as well as to find collateral benefit
    with other parts of the organization. These opportunities will help
    the executive understand how security can complement and facilitate
    the enterprise's current priorities. Rather than require the
    implementation of a "one-off" solution, security can actually be an
    enabler of other business goals.

    Here are some traditional business goals that may be enhanced by
    security solutions:

    1. Promote Cost-Efficiency - Executives often strive to increase
    cost-efficiencies throughout the organization, and there is constant
    pressure to "get lean and mean". Security solutions, e.g. biometrics
    or smart cards, may be used to reduce the overall volume of password
    resets, thereby allowing help desks to reduce their costs. Also, a
    fully-equipped, alternate data center can help ensure business
    continuity and improve operational performance by providing auxiliary
    computing power during peak processing times. While capital
    expenditures are required initially to establish a robust computing
    environment with full redundancy, significant savings in
    infrastructure and facilities may be realized over time. If
    high availability is important to the objectives and goals of the
    business, not having it can mean the difference between profit and

    2. Protect Market Share - The Bank of America, Northern Trust and
    other financial institutions have taken highly-visible positions in
    promoting increased privacy for their customers. Many insurance
    companies now offer "eSecurity" products intended to protect the
    enterprise from hacking and other break-ins. As society's concern
    about security and privacy grows, interest in these companies and
    their products will inevitably grow.

    3. Improve Customer Service - Consumers are regularly inundated with
    requests for user IDs, passwords and Personal Identification Numbers
    (PINs) from web sites, help desks and Interactive Voice-Response (IVR)
    systems. Responding to these repetitious requests can be a frustrating
    experience. Use of biometrics may offer a less stressful customer
    experience with improved authentication and non-repudiation.

    4. Protect Innovation - Corporations that have recently gone through
    rightsizing or downsizing measures may be vulnerable to theft of their
    intellectual property (IP) or even sabotage by disgruntled
    ex-employees. Much can be done by the security professional to protect
    corporate information assets, from creation of policies/compliance
    tracking to monitoring networks and hosts with intrusion detection and
    tracking fraud with computer forensics.

    In summary, a true partnership between executives and security
    professionals requires consideration of business objectives, company
    mission and the role that security can play to enhance and add value
    to the business. In short, the security professional needs to share
    the executives' vision of the company and its future.

    Jan Hertzberg - CISSP
    Principal, Axiom Security, LLC

    FEATURED INTERVIEW - 21 Questions with Richard Forno

    Hailing from a 'hands on' background in security operations, Richard
    most recently served as the Chief Information Security Officer for
    Network Solutions (now VeriSign), the company operating the central
    servers for the Internet. In this role, he built the first information
    assurance program and incident response capability for one of the
    world's most critical information infrastructures, drawing on his
    previous experience coordinating computer crime investigations and
    information security projects for the US House of Representatives and
    other government agencies. In 2001, he co-launched Whonami, an
    independent whois engine with unique translation capabilities.

    As an adjunct lecturer at The American University, he developed (and
    delivered) the University's first courses on information security and
    information warfare, and conducts recurring guest lectures at the
    National Defense University. In 2000, he was an active participant in
    the White House Office of Science and Technology Policy Information
    Security Education Research Project. He is also co-founder of
    G2-Forward and the ACCESS:INTELLIGENCE project, an innovative
    information service serving the national security and emergency
    preparedness communities since 1997.

    A student of national security studies, Richard is a frequent lecturer
    at government, industry, and academic symposia. He is co-author of the
    popular books The Art of Information Warfare (Universal, 1999) and
    Incident Response (O'Reilly, 2001). His 1998 essay on the "InfoCorps"
    (appearing in the AFCEA book CYBERWAR 2.0) helped shape DoD
    initiatives in developing information assurance and Internet risk
    assessment capabilities during the 1990s. He also pens a recurring
    column for Securityfocus.Com and his personal website,

    Richard holds degrees from Salve Regina University (M.A.,
    International Relations), American University (B.A., International
    Studies), and Valley Forge Military College (A.A., Business) -- and is
    the youngest recorded graduate from the United States Naval War
    College. His professional affiliations include the National Military
    Intelligence Association (Past President, Potomac Chapter);
    High-Technology Crime Investigations Association; and United States
    Naval War College Foundation.

    1. How did your military experience prepare you for a career in
       computing security?

    The military experience was not IT related at all.

    2. With InfoWarrior, why did you take the Chinese philosophy/military
       approach to security?

    It seemed like a fun way to approach the subject. Both my coauthor and
    I are avid readers of Asian military arts. We figured that Sun Tzu's
    Art of War text was a logical way to discuss information security at
    both the Corporate and national levels. As a result, we 'created' our
    own 'philosophers' that, like in Sun Tzu's work, discuss the
    philosophies of information security in an easy-to-follow, readable,
    and occasionally fun manner.

    3. Have you read the Cuckoo's Egg, by Clifford Stoll?  If so, what are
       your comments regarding the book, and what happened?  (Editor's
       note: The Cuckoo's Egg is perhaps one of the best books on computing
       security.  It is a true story and is written like a spy novel,
       except that it actually happened).

    Cliff's book is WONDERFUL! It is THE book on what computer
    investigations are like -- although it was written in the late 1980s,
    very little has changed. I use it as a required text in my INFOSEC
    class, to show students that hacker-tracking involves hours (if not
    days) of sheer boredom followed by a few minutes of sheer panic and
    excitement. I firmly endorse Cliff's text to this day.

    4. According to the Cuckoo's Egg, the U.S. government was very slow to
       understand the gravity of what was happening as well as slow to
       respond.  Has the U.S. Government taken computer security more
       seriously? (before Sept 11, 2001).

    The USG traditionally moves slowly in any area it touches. Regarding
    computer security, I'm afraid it continues to avoid taking
    responsibility for it at its agencies, choosing instead to fund
    research, reports, and studies -- long-term stuff -- instead of
    significant funds to close the vulnerabilities and exploits we already
    know about.

    The problem is that the USG tends to always consider 'future problems'
    instead of the 'immediate' ones that present dangers.

    5. Have there been significant changes in the way the U.S. government
       has approached computing security after Sept 11?

    It's been paid increased lip-service, and it now falls under Tom
    Ridge's organization, but I think the security emphasis on terrorism
    in the 'real' world is more appropriate at this point. Cyberterrorism
    IMO is not a major issue that we should be losing sleep over.  So, in
    general, INFOSEC has received some increased attention and funding,
    but I'm skeptical of its effectiveness.

    However, there has been increased bureaucracy and working groups
    created to deal with computer security -- as with any tragedy, the
    bureaucracy will be created to figure out how to deal with it. That's
    the nature of bureaucracies in general!!  :)

    6. In your opinion, what percentage of computing security is based on
       common sense people issues, and what percentage is technical?  Why?

    I'd say computer security is 80% common sense and 'non-technical
    stuff' - with the rest being effective security technologies.
    Unfortunately, it seems folks are enamored with the glitter of
    anything technical, so they spend a fortune on so-called silver-bullet
    solutions instead of taking a macro look at whether or not such
    procurements will actually increase their level of REAL security, or
    just continue the illusion of security.

    7. What major trends are you seeing in hacking/cracking?  Has activity
       increased or decreased?  How much is malicious (such as
       defacements), versus more serious crimes (such as financial
       blackmail, code stealing, etc)?

    Web defacements, DDOS, viruses, etc, are nuisance attacks that, while
    causing problems, aren't a significant issue that causes me
    worry.  Rather, it's the ones I DON'T know about - folks that are on
    my networks and stealing information from me -- that I'm very
    concerned about. The stuff making headlines is noise... but you
    rarely hear about 'significant' security attacks or events.

    8. How many security related events do you attend per year?  Which
       ones are the best?

    I attend probably a dozen or so such events. The best ones are hacker
    cons - such as Rubi-Con in Detroit - where you get great technical
    sessions and also learn in the unofficial party sessions upstairs. :)

    9. In terms of attending events where there are so called "Black Hats"
       and "White Hats" in attendance, what kind of protocols are there so
       that you don't give away secrets to each other, but can also learn
       from each other?

    It's a matter of who-trusts-who. I know some black hats that trust
    'feds' with information, and others that won't even be in the same
    room if they know a 'fed' is present.  At such events it's almost like
    a 'thieves code' if you will, about how folks relate. For example,
    I've been a 'white hat' for a while, and folks know I work with law
    enforcement and others on computer security matters - but I've
    achieved a decent level of 'trust' among my underground friends, and
    that's a wonderful thing.

    10. Have there been arrests at these types of events/conventions?

    Dmitry Sklyarov, a Russian programmer, was arrested @ Defcon last year
    in Las Vegas under the Digital Millennium Copyright Act (DMCA) for
    releasing a tool that Adobe Systems thought infringed on its
    intellectual property.

    Every now and then, folks will get arrested for drunk and disorderly,
    or small-time drug stuff, but that's par for the course in hacker

    11. Do you advise or work with Disaster Recovery issues as well?

    Occasionally - but I have friends that do more than I in this area.

    12. Do you advise or work with Internet Fraud in addition to Security
        issues?  If so, can you tell us about some of this work as well?

    Sure, I have been involved with credit card fraud investigations for
    the past several years.  Usually this involves stolen credit cards, or
    electronic credit card generators used to rack up fraudulent
    purchases. In fact, back in 1993, I was one of the first to
    demonstrate the capabilities of PC software to generate viable credit
    card numbers to the Secret Service (the folks charged with these
    investigations) -- they were in awe of the software I showed
    them... and no, I didn't write the code, I showed 'em how it worked.

    13. How long do you think it will be before companies and governments
        view computing security as an integrated part of
        business/operations rather than an afterthought?

    When Boards and Executive Management get their collective heads out of
    their collective backsides. Security is a function of business, and
    serves to ensure revenue streams. Until the CSO is a direct report to
    the CEO, and can brief the Board routinely, this will continue to be a

    I've seen too many cases where security issues continually impacted a
    company, but nobody upstairs was willing to accept knowledge about
    them, or mandate problems be fixed -- choosing instead to ride wave
    after wave of bad press and notoriety.

    14. Are you working on any other books? If so, when can we expect a
        new book, and what will it be about?

    Yup. A social commentary about technology, society, government, and
    other issues... think of it as George Carlin meets Dennis Miller as
    written by Andy Rooney.  :)  But while it will include IT, it won't be
    an IT book per se.

    15. What is the most important piece of advice you would like to give us?

    Security is only as effective as those responsible for developing,
    deploying, and participating in it. Technology can't solve the
    'people' problem, and as a result, we continue to see organizations
    operating under the illusion of security, instead of the reality of
    effective security.

    16. What is your opinion on Kevin Mitnick?  Was he framed, or
        did he really do what he was convicted for?

    Never followed the case closely enough to care. However, I do think
    he's gotten a bad rap - he's not a "cyberterrorist" like the
    media portrays him.

    17. What is your opinion on the recent capture and conviction of the
        person responsible for the Melissa virus?

    Good riddance. However, I'm more concerned that the company
    responsible for laying the framework for Melissa, Code Red, Sircam,
    and other viruses/trojans never gets punished. Microsoft's
    poorly-written software has been the cause of most computer security
    news in recent years, yet NOBODY seems to care about pointing fingers
    at them.

    The MS 'Trustworthy Computing' initiative - such that it is - is
    simply too little, too late, and is probably done because folks are
    now starting to realize that MS products may not be the best thing for
    their companies, and to prevent a mass exodus of customers, Gates &
    Co. released their public statements about being committed to
    security, etc, etc, etc... most of the security folks I've spoken to
    think this is nothing but PR spin and marketing, that security really
    won't be improved much by MS.

    18. Cisco recently announced better than expected earnings.  Do you
        think this is due to increased spending for computing security?

    Not really, particularly since I don't think of Cisco as a 'security'

    19. Being a former employee of Network Solutions (Verisign), can you
        comment on what is happening in the domain name industry?  Where
        do you think the industry will be 5 years from now?  What role do
        you think ICANN will play in the future?

    ICANN was flawed from the start, and they only recently admitted it
    publicly. The domain industry is seriously flawed thanks to competing
    vendors, slamming, questionable policies (enacted by ICANN and WIPO)
    that almost always favor corporations over individuals, and other such
    issues.  ICANN (or something like it) should remain an advisory body
    for consensus, but needs to get out of its 'meddling' in areas they
    have little competence or charter to deal with.

    Unfortunately, ICANN consists of folks with little real-world
    operational IT experience (a few exceptions exist though) and is full
    of lawyers, analysts, and people that probably could have fit in very
    well on the Enron Board.

    20. In addition to ancient Chinese military philosophers, what other
        influences have impacted your career and perspective?

    My family, and the tenets of Valley Forge Military Academy and
    College. Both taught me to seek, strive, and never settle, and to
    always do so with a high degree of energy, integrity, and empathy.

    21. What is next for Richard Forno?

    I'm currently consulting to the Department of Defense on information
    warfare and critical infrastructure protection issues. With my
    master's degree completed, I've got more time to write and lecture,
    and I aim to continue doing so, and teaching my adjunct class on
    INFOSEC (Information Security) here in DC.  I plan to remain
    consulting, since it's a flexible lifestyle that gives me a variety of
    environments to work in and learn from.

    ...and, of course, to hopefully make a difference in this crazy,
    mixed-up world we're trying to survive in!!!

    Richard Forno

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Jun 05 2002 - 04:11:18 PDT