[ISN] Seven ways to succeed in your first year as a network security officer

From: InfoSec News (alerts@private)
Date: Wed Jul 19 2006 - 22:30:11 PDT


By Bert Latamore
July 19, 2006

Alstom Transport is not exactly a household name. But its products are 
well-known, particularly among travelers. They include the French TGV 
high-speed trains and the Euro Star high-speed train that travels the 
Chunnel under the English Channel, new high-speed Amtrak passenger trains 
in California and new metro trains in Singapore. 

This French-based, $16 billion gross company operates in 60 countries 
including most of Europe, the People's Republic of China and several South 
American nations.

So nine months ago when Nikk Gilbert joined the company as IT security and 
telecom director, he knew he was taking on a real challenge. He needed to 
hit the ground running. Here are the key things he focused on to succeed:

1. Choose a good company to work for. 

Before he interviewed for the job he researched it to be sure it was a 
good company to work for. Alstom values its employees and proves that with 
its actions. At the end of its last fiscal year, for instance, it gave 
every employee several shares of stock as a bonus.

2. Get executive backing. 

"I interviewed with the CFO and asked him point-blank what their level of 
commitment was, what kind of budget and support I could expect," Gilbert 
says. "I left knowing that senior executives knew they needed security and 
that I would have the level of support necessary to get the job done. 
Without that you are out of money, out of luck and probably on your way 

3. Partner with HR and Legal. 

A good rapport with these two departments is essential to success in the 
security role, particularly in a multinational company such as Alstom. 
Just keeping track of the privacy and data security regulations in more 
than 60 countries worldwide is a challenge. Gilbert has to depend on HR 
and Legal to advise him on the varying legal requirements he must meet in 
his job.

4. Develop a rapport with users. 

IT network security programs flounder when end-users refused to follow 
them. "Security means inconvenience for users who are just trying to get 
their jobs done," Gilbert says. "It is important both to remind them of 
the importance of security and to minimize that inconvenience." Right now, 
he says, he is in the pilot phase of implementing a smart card/SSO/PKI 
system across the company because smart cards only require the entry of 
one PIN rather than the seven or eight passwords users are often asked to 
enter to access various systems. "We are showing our users that we care 
about their problems and are working to make things as easy as possible 
for them. We have determined that this will provide us with good security 
without annoying people too much."

5. Know what you have. 

An asset inventory is absolutely necessary and should include a network 
diagram that shows the schematic locations of workstations, servers, 
switches and routers as well as a list of hardware. "You may have the 
budget and know the rules, but if you don't know what you have, you are 
blocked," Gilbert says. "And when your network is spread out over more 
than 60 countries, this becomes even more important."

6. Get the right tools. 

The security officer for a small office can do things by hand. The 
security officer for a multinational company is totally dependent on his 
tools for basic activities such as PEN testing and vulnerability scanning. 
"We picked Core Impact, and it just turned things around unbelievably," 
Gilbert says. "A lot of the tools out there detect the problems or find 
the systems that require patching. With Core you can find the 
vulnerability, execute on the vulnerability, and you own the system." 
Core's tools are particularly helpful in convincing co-workers that they 
have security problems "Instead of telling the e-mail supervisor he has a 
vulnerability, I showed him his last three days of e-mail traffic. That 
ends any attempt by the system administrator to pass the warning off as a 
false positive."

7. Review and update corporate security policies. 

The security officer needs to know corporate policies concerning such key 
issues as security and remediation procedures. Change management and 
tracking logs are important. And Gilbert says one of the first things the 
security officer should do is build a security dashboard that captures and 
displays information including how many virus attacks are attempted, how 
many outside probes hit the firewall, etc. Having those statistics in one 
place is very useful, particularly when talking to senior management. The 
continual issue for security is that ideally executives never see it. Good 
security means nothing happens. So executives tend to forget the need to 
continue to invest in strong security. Statistics that show all the 
attacks that failed are a good reminder that the organization is getting 
good value for its security investment.

8. Use strong authentication. 

Finally, he says that strong authentication is "a good start on fixing the 
problems." When the system knows the identity of everyone on the network 
with a high degree of certainty, it can manage their access and shut out 
unknown individuals, even those who log into the network from inside the 
company. If the organization does not already have a strong authentication 
system installed, building one should be a high priority of the first nine 

"Really, when you come into a new situation you need to have a clear set 
of priorities and hit the ground running," Gilbert says. "This list has 
guided me in my first nine months, and we have gotten a lot done in a 
short time following it."


Bert Latamore is a journalist with 10 years' experience in daily 
newspapers and 25 in the computer industry. He has written for several 
computer industry and consumer publications. He lives in Linden, Va., with 
his wife, two parrots and a cat.

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Wed Jul 19 2006 - 22:39:06 PDT