[ISN] No Security

From: InfoSec News (isnat_private)
Date: Mon Aug 12 2002 - 00:41:41 PDT

by Linda Tischler
photographs by Michael Lewis
from FC issue 61, page 42

"Are you secure? How do you know?" That's the slightly paranoid slogan of a new training academy, run by Sondra Schneider, that's devoted to keeping corporate data safe in an unsafe world. Now, if only her students would talk to us ...

It's a dreary day in Georgetown, with rain lashing at the windows of the Marriott Conference Center. Inside Salon H, a group of government employees is paying rapt attention as Sondra Schneider, a small woman with an arsenal of electronic gadgetry, charges through a presentation on the technologies that will soon make computer passwords obsolete. The air is dense with geekspeak spiced with a dash of federalese. There's talk about encryption and nonrepudiation, digital signatures and biometrics, and more acronyms than you'll find in a bowl of alphabet soup: PKI, VPN, CHAP, TACACS. All this for the DOD and the DOJ, the FAA and the OMB!

During the break, I do what you're supposed to do at conferences: I mingle. Seeing me approach, Philip, a curly-haired guy in the back row, looks anxious. I ask him where he works. He looks at my notepad and considers bolting for the door. "I, uh, am a contractor for the INS," he says reluctantly. "Cool!" I say. "What do you do?" Panic creeps into his voice, as if an image of his credentials being shredded flashes before his eyes. "Uh, I work with biometric [censored], encrypting [censored] for [censored]," he replies. "But you can't use that."

There's a guy in a striped sweater and glasses in the front row who looks brave. I lean over. "Hi!" I say, trying not to sound like I'm grilling an Al Qaeda operative. "What are you working on?" He looks at me as if I've just asked for the PIN to his Cayman Islands bank account. "Army. Comanche helicopters. It's classified."

Welcome to the brave new world of high-tech security, where the unintelligible language of 21st-century computing fuses with the once-unimaginable threats that the country faces. Before September 11, corporate and government security experts worried primarily about online identity theft, credit-card fraud, and rogue hackers. Now they've put cyberterrorism at the top of the list of threats that keep them up at night.

That's bad news for companies, but it's a business opportunity for organizations that are looking to train security professionals to defend their systems. One of the newest and savviest organizations to stake a claim in this space is Security University, an outfit that offers advanced information-security training for executives, network professionals, and systems administrators.

The so-called dean of the university is Schneider, a diminutive cybercommando whose mission is to train an elite corps of security specialists -- much as the Army trains the Green Berets. "I didn't go to war. I didn't fight for my country. But I can make a big difference when it comes to training those people and giving them the tools they need," says Schneider, who is Security University's founder and CEO.

A fledgling operation based in Stamford, Connecticut, Security University is nearly as virtual as a digital signature: There is no campus, no classrooms, and no war room. Schneider and her team of 18 instructors travel the world, holding classes on such topics as intrusion detection, advanced firewalls, PKI (public-key infrastructure, a framework for the secure exchange of digital information), and forensics. Take eight classes and a tough test, and you could earn AIS (Advanced Information Security) Certification, a proprietary credential that the school plans to begin offering next

Other organizations provide similar credentials in this field, among them recognition as a Certified Information Systems Security Professional (CISSP) from (ISC)2 and a Global Information Assurance Certification (GIAC) from the SANS Institute. But Schneider maintains that the training at Security University offers more hands-on experience than the others -- a process, she says, that helps students understand how to protect the path to a network's critical assets more effectively and to evaluate new software and security devices before committing company resources to their

"Lectures are valuable for managers, but they aren't as good for practitioners," Schneider says. "We take our students through the full life cycle of a security technology and its application, including multiple corporate or government scenarios. We encourage people to play with the latest toys that we get from vendors. Most people would never have a chance to do this at work. But if they don't try them, how can they go to management and recommend buying them?"

While Security University's courses may seem esoteric to a nonprofessional, Schneider's tales of information-security lapses can curl the hair of even the most naive generalist. During one security assessment, she says, it took a team of experts just three and a half minutes to access a nuclear power plant electronically. Even a semiskilled hacker can change an IP address in under three seconds. Schneider also warns that something as simple as leaving an "out of office" message on your computer can leave you open to cybermischief.

Frank Groneman, a network-security engineer at Gtech Corp., a Rhode Island firm that provides high-tech services for approximately 70% of the world's lotteries, says that Security University courses gave him the hands-on experience that he was looking for. "I learn by doing," he says. "I can watch people put up slides all day, but it doesn't really sink in." Like many other firms with high-level security needs, Gtech encourages staffers to keep up to speed on the latest advancements -- or risks -- in the field. "We need to have absolute security," Groneman says. "One transaction could be worth $200 million to $300 million."

One year after launching the university, Schneider tried to sell it to a New York firm (she won't reveal the name). When that deal didn't work out, she took back ownership and relaunched this past March. Now, she says, her goals are to expand her course offerings, recruit more instructors, and roll out the first AIS Certification test by mid-2003. But her one driving concern, she says, is to spread the word about the urgent need for enhanced information security. "If somebody said, 'Here's $100 million, what do you want to do with it?' I would offer 10 times more programs, decrease the cost of classes, and make sure that millions of people get trained."

Tell that to Congress, says Philip, our secretive friend from the INS, whose agency has come under attack for its failures before and after September 11. "Until recently, we've had antiquated network procedures because improvements didn't get funded," he says. "Faulting folks at the INS or the Border Patrol for security lapses is totally

Contact Sondra Schneider by email (s0ndraat_private).

ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.