A frank discussion on security

We’re just about to launch our formal PDA program at Cisco. We didn’t formally support PDAs of any type for a long time because, from our viewpoint, they were a security and intellectual property exposure to us.

There are viruses attacking those Windows-based devices that can be brought into your network. People can turn the features on. Users can leave them in the cab. A former employee of a financial services company in Manhattan sold his Blackberry on eBay and it included, free of charge, the company’s confidential documents and contact list, and his own personal IRA account information.

We viewed PDAs as an intellectual-property and security nightmare. And then we looked to see how many we had. We use a tool from Altiris to inventory our software, our laptops, all our PCs, etc. We found we already had 11,000 employees that had bought either a Palm or Windows-based PDA. So the issue became no longer “when is it going to be secure?” but “how the heck are we going to secure this?”

playing by the rules

We have just finished the work in cobbling together software from some third parties, and we’ve been able to enable a Blackberry-like mail experience on Palm and Windows devices. We were looking for a more secure environment that emulated the Blackberry user experience.

We’re going to have a new silent client that we’re pushing out to all of the PCs on our network. It will sit back quietly, then if you bring in and try to install any of the software associated with one of these PDA devices, it will wake up and say, “Excuse me, if you’re planning on using this device within the company, you need to register it at this site.” By registering it, we’re going to activate certain features of the device, download some basic security things, and we’ll also set the user up with mobile mail the way we want it to be. If you, the user, choose not to do that, then we’ll have to assume that you’re no longer trusted and we’ll quarantine you with our Network Admission Control and you won’t be able to use that. We’re basically saying to our users, “If you want to play, you have to play by our rules, and we’re going to have a way to enforce that.”

We’ll try to make sure that the security experience on the device isn’t too obtrusive. That is the biggest challenge for us. We will basically track the device and refresh the configuration the next time you dock it.

If you’ve run the battery out, re-customizing the device is a nightmare; but we’ll push that out for the user by tracking the asset, tracking the configuration and testing to see if it needs to be updated. Also, if the device is lost, we can radio to it and clean it.

We’ve been in prototype with this in Europe primarily, where the whole program has been driven. We were given a customer briefing in London last month, and the group was told that if you leave the device in a cab we can erase the confidential information on it. A salesman in the meeting meekly raised his hand and said, “I just happen to be part of the program and I left my device in a cab.” Sure enough, we couldn’t retrieve it but we were able to signal it and verify that we had been able to erase everything on the device.

There’s a lot we thought we had to do to get these things secure because it is one of the easiest ways for stuff to walk out of the company.

saved by anomaly detection

We’re constantly looking outside of the company for solutions. We had our day saved when Slammer hit through some third-party anomaly-detection software that gives us a 24/7 profile of the traffic that comes into our Internet site. It gives us an alarm if something happens outside of the normal profile. We got an alarm, which was seen by an operator, who was empowered to shut down traffic coming into our network until we could determine what was happening. Within a half hour we identified what the attack was, what the threat was, we’d read the script to identify the number of hosts on our network that were potentially vulnerable, and we started remedying those things and we were able to turn on the traffic. So we basically had no impact from that.

Anomaly detection is interesting. Our provider is also building something that can give you a profile of your traffic inside your network – not just the network but the traffic coming to your network. This is interesting because you can basically take a look at the normal profile to your transaction systems, your ERP systems and categorize the traffic, and you’ll be able to adjust the priority of traffic. When all of a sudden you have an onslaught of noise in your network from a worm or something, you’ll be able to separate that from your normal traffic and keep the important transactions flowing and isolate all the traffic that is outside the norm. That’s new technology that we’re looking at.

life in the cross-hairs

Security will always keep us up every night. It’s interesting what happens when you become publicly a security company. The more you flog your security, the more the bad guys want to attack you. We have adopted the attitude that we will never be perfectly secure again. We don’t know what the next threat is or where it is coming from and we have to constantly have our eyes open and be really, really paranoid. That’s the biggest area that we continue to think about.

While we’ve had quite good success with the technology we’ve deployed, we by no means believe we have everything covered and we constantly see new things. My security team just reported that last year our internal security organization recorded 25 new strains of viruses to the virus protection companies that no one else had ever seen. It was the first identification of this type of attack happening.

Another concern that keeps us up at night is earthquakes in San Jose. We’re in the process of rethinking our preparedness, from a business-continuance perspective. We have some very good business leadership on the finance side that is driving that now. We’re going to see some significant investments in that area.

One of the interesting things I learned about disaster recovery is that it is more than just recovering the equipment; it is recovering the people as well. When I was at American Express in the early 90s, we had a very aggressive disaster recovery program in our data centre. We got real cocky and we had the disaster authorities come in and simulate a disaster to test our processes and our activation skills. The disaster they simulated was a tanker truck with chlorine in it overturning on the Interstate highway next to our data centre. A cloud of chlorine gas comes into your building and you have 15 minutes to evacuate or everyone is dead. We failed and everyone was dead. The reality was that we had no one left to run the systems and rebuild them. It created a new attitude in my mind that I’ve got to have my operating staff split between two geographic areas. From then on my strategy was to run it from two different places.

are your labs secure?

Another thing to think about is how secure are your labs? We had to go out and basically quarantine all of our labs from our infrastructure. If they wanted to have access to our main infrastructure, they had to certify and guarantee that they passed our minimum requirements. We couldn’t dictate to them because labs are doing stuff that’s non-standard. So we said, “If you’re going to have that kind of lab, here’s how we’re going to quarantine you and limit your access.”

It’s interesting, once the lab goes through one of these problems, they can change their minds. We have a Windows-based products lab in Boston and they insisted that they had to have all this special stuff. During the Code Red or Nimda attack, they were down for eight days. They finally called us for help. We bailed them out and reconstructed them, and after that they said “Well, we don’t need as much flexibility as we thought we did.” So they certified and maintained the standards. We could have tried to force them to do that but we chose not to. The more they have experienced it, the more they’ve gotten on with the program.

We’ve done a really good job of protecting our network, protecting our systems, and we’ve had very few incidents. The amount of hours we spent remediating viruses went down an order of magnitude last year while the number of attacks more than doubled. So the defensive approach we took with CSA [Cisco Security Agent] and some of the other things, such as anomaly detection, has been very helpful.

However, that doesn’t mean our network is perfectly clean. You can put an unprotected device on it and within 15 minutes it will become infected. There is stuff out there. The key is you have to protect the stuff and you have to know that you’re protecting it correctly, because if wholly unprotected, it will be taken over by someone. That’s an interesting test you should have your security guys do. Put an unprotected machine on your network and see how long it lasts. 056812

Related Download
Virtualization: For Victory Over IT Complexity Sponsor: HPE
Virtualization: For Victory Over IT Complexity
Download this white paper to learn how to effectively deploy virtualization and create your own high-performance infrastructures
Register Now