Standing guard at the cyber-door

As everyone knows, the days when corporate security meant locking your office door are long gone. As more technology is networked, the number of cyber-doors to protect is increasing exponentially. The bottom line is simple: you cannot protect all of your information all of the time and hope to get any work done.

Why would intruders unnecessarily compromise themselves by breaking into a physically secure office when the alternatives are substantially less risky, the legal repercussions less costly and the likelihood of success much greater?

But the task of identifying where to place your sentries is tricky. Knowing who your enemies are is exceedingly difficult, while knowing how they will strike is next to impossible.

If you asked the average business professional where today’s threats are coming from, the answer would invariably be hackers: the rogues of the cyber-world. The only problem is that answer would be wrong. Once again part of the problem lies with the media. It is an easy story to find, since a defaced or non-functional Web site is there for all to see.

The second reason for this misconception lies in business’s inherent desire to keep all that is bad secret, while promoting all that is good.

If a corporate firewall is breached and important internal data has flown the coop, the last place people are going is to the press. Putting a lid on the story and battening down the hatches is the usual recourse. You don’t want your competitors to know how vulnerable you are and you most certainly don’t want your stockholders to be aware of your sloppiness.

Depending on whose statistics you agree with, the likelihood of an attack coming from within is anywhere from 50 to 80 per cent. In other words, like the movie says, you’re sleeping with the enemy.

It could be a disgruntled employee, an ex-employee with an axe to grind or someone with personal debt hanging over his or her head.

“It is strange what millions of dollars can do to someone,” said Michael Yakimchuk, vice-president of marketing for the VeriSign business unit of CIBC in Toronto. While he admits most companies and people are ethical and would shy away from a bribe, there is always the chance.

John Muir, president of Pointsec Mobile Technologies Inc. in Walnut Creek, Calif., said he has even occasionally heard of bounties posted for laptops from certain organizations.

“I understand that Silicon Valley has an unusual number of janitors with graduate degrees, so I think there is definitely targeted theft,” he added.

Sometimes it is not even that difficult to gain access to data since it often sits in laptops and PDAs that travel the world.

“It is a lot of the elite of the company who are walking out the door every night with a lot of the key information…and that information is sitting in the backs of cars, hotel rooms and airport lounges,” Muir explained.

Call it the CSIS syndrome.

The real costs

What are the real costs of leaving the security door slightly ajar? If you look at the majority of sites that have been publicly hacked, very little. CNN and eBay have not been appreciably hurt since their visits from the faceless defacers. But those are the visible cases and, shy of the PR nightmare, ultimately the least harmful.

But what if your company is a pharmaceutical firm developing the next Viagra?

“They are so paranoid that they could lose a patent window…that would result in the loss of hundreds of millions of dollars in revenue,” said Eric Olden, CTO of Securant Technologies Inc., based in San Francisco.

To them, security is a matter of fiscal viability. Even if they could prove the data was stolen, it would take years of court battles – by then the die would have been cast and public perception entrenched.

But companies have to deal with reality from both a business and security perspective.

“You will never make a system that is impenetrable, the strength and the weakness is always the people,” said Norman Inkster, president of KPMG Investigation and Security Inc. in Toronto.

Though the numbers may be slightly inflated, the business cost from lost productivity due to the ILOVEYOU computer virus ran in the billions of dollars globally.

The crafty social engineering of some computer viruses almost guarantees their success, so companies have to start doing serious cost-benefit analysis on the security front to find a happy medium without jumping off the security deep end.

“How much would [a security breach] cost us in a business sense?” is a key question to ask, Inkster said. Companies have to sit down and figure out the corporate cost to having a Web site down for hours, having a product be second to market, the time it will take to close a breached door or the cost of replacing stolen data.

Build the security around the assets you are trying to protect not the whole system, Inkster explained. Make it hard to access data, not go to the bathroom, he added. If you set up too much unnecessary security, employees will go elsewhere.

“Security is really something you should buy [only] if you have something to lose,” Olden said. Why spend $1,000,000 on security if you have only $100,000 to lose, he added.

Policy, policy, policy

Today’s networks are like a very happening night club. You want to let people in, but only the coolest of the cool.

“Security is less (about) how we keep people out but how do we let them in…the Web came along and now everyone wants to Web-enable and open up the network,” Olden said.

Today, more employees from more locations have access to more data, making security personnel more worried. But if companies implement good security policies it need not be that way.

The first policy is the easiest. Brink’s never sends one guard to pick up cash and neither should you.

“Never let a single person manage [security him or herself],” said John Rombough, global security advisor at Guardent Canada Inc. in Toronto. The surprising thing is that many smaller and mid-sized companies do exactly that.

Inkster brings up another valid point. System administrators are infrequently the target of background checks since their position is not viewed as senior enough.

Even with a trustworthy security team in place, all will be lost if it takes an Einstein to manage it.

“You can put the most stringent systems in place but if people don’t manage them correctly you are going to be prone to problems,” said Robert Lendvai, vice-president of marketing for Ottawa-based Kyberpass Corp.

Olden said the processes and policies are more important than they are often given credit for. Companies have to make sure security technology is properly installed and that the processes are well documented so that the next person who takes over is capable of understanding how the system was put together – especially since security is not exactly plug-and-play.

“In large organizations it is a lack of organization,” he added. The left and right hands not only often don’t know what the other is doing, they often don’t know the other exists.

“Security is a process, not a technology,” said Skip Hirsh, director of advanced technology at Fairfax, Va.-based Cylinks Corp.

“If you don’t have the corporate policy it doesn’t matter how much technology I lay out on the table.”

Figuring out the right solution

PKI, smart cards, tokens, biometrics and encryption are all buzzwords in the security world and all will play a role in future security implementations. To what extent and where they will be used is open for debate.

The key to many aspects of security is authentication. Are you who you say you are? Today much of our corporate access is gained by using a user name and password, the weak brother of the security world.

“Passwords in general, from our perspective, shouldn’t be considered a useable technique at all,” Hirsh said.

The number of possible passwords using words and numbers is relatively finite and has not changed in centuries, while the technology to break them has increased dramatically.

Though the human brain is extremely powerful, it is part of a larger human psyche that tends to opt for simplicity. A couple of letters and numbers is about all we are willing to memorize. And given our inherent laziness we tend to use the same four-digit PIN (a joke in simplicity if ever there was one) for a wide array of access points.

And if we have more than one PIN or password? “Most people admit that they just write them down somewhere,” Muir said. Not exactly an example of stellar security procedures.

One can easily memorize a 10-character structure that could have literally hundreds of billions of possibilities, but this pales in comparison with the digitally created complexity of hundred-digit passwords, something we will never agree to remember.
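To put numbers on the preceding paragraphs, here is an added example (not part of the original article) that computes the keyspace, entropy and expected exhaustive-search time for a few password policies, including the "dictionary word plus digits" habit that makes a ten-character password far weaker than its length suggests. The guess rate of 10 billion per second and the 100,000-word dictionary are assumptions chosen for the comparison, not figures from the article.

```python
import math

# Constructed figure for the comparison (an assumption, not from the article):
# an offline attacker testing 10 billion candidate passwords per second.
GUESSES_PER_SECOND = 10_000_000_000

# Alphabet sizes for common password policies.
DIGITS = 10
LOWERCASE = 26
ALPHANUMERIC = 26 + 26 + 10
PRINTABLE_ASCII = 95


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols drawn uniformly."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Strength of a uniformly chosen secret from `space` possibilities, in bits."""
    return math.log2(space)


def expected_crack_seconds(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected exhaustive-search time: on average half the space is tried."""
    return space / 2 / rate


def word_plus_digits_space(dictionary_words: int, digit_suffix_len: int) -> int:
    """Keyspace of the 'dictionary word followed by a few digits' habit.
    The attacker enumerates words, not characters, so the space is tiny even
    though the password may be ten characters long."""
    return dictionary_words * 10 ** digit_suffix_len


def human_time(seconds: float) -> str:
    """Round a duration to the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def compare_policies() -> list:
    """Rows of (policy, keyspace, entropy bits, expected crack time) for sample policies."""
    policies = [
        ("4-digit PIN", keyspace(DIGITS, 4)),
        ("8 lowercase letters", keyspace(LOWERCASE, 8)),
        # Assumed 100,000-word dictionary plus a two-digit suffix ("secret42").
        ("dictionary word + 2 digits", word_plus_digits_space(100_000, 2)),
        ("10 random alphanumerics", keyspace(ALPHANUMERIC, 10)),
        ("16 random printable ASCII", keyspace(PRINTABLE_ASCII, 16)),
    ]
    return [(name, space, round(entropy_bits(space), 1),
             human_time(expected_crack_seconds(space)))
            for name, space in policies]


if __name__ == "__main__":
    for name, space, bits, crack in compare_policies():
        print(f"{name:28} {space:>24,d}  {bits:5.1f} bits  {crack}")
```

The table makes the article's point concrete: the attacker's guess rate grows with hardware while a four-digit PIN or a word-plus-digits password stays the same size, so only the uniformly random policies move the expected crack time out of reach.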

Even if we did, a little creativity can separate the stupid from their passwords.

“Call up and pretend you are from the help desk to get someone’s password,” is one way, said Bill McQuaide, vice-president of product management at RSA Security Inc. in Bedford, Mass.

“There are multiple ways to authenticate a user and one way is not going to solve all,” he explained. It is necessary for companies to use security precautions that fit the need. For low-level security, a PIN is sufficient, he said. But as you go up the security chain, greater means of protection are needed, such as digital certificates, smart cards, tokens or even biometrics.

In the Utopian security world we would just press our thumb against a screen to access everything from our e-mail to our bank account, but the widespread implementation of this biometric solution is costly, years away and fraught with complex social and ethical issues.

For the time being the general consensus is to go the “something you know and something you have” route versus two things you know (user name and password). This is essentially what your bank card and PIN are. You need both to get at your – or anyone else’s – money. Though smart cards and tokens both fit this profile, and are more sophisticated due to their ability to constantly change authentication codes, the cost of installing readers onto laptops, PDAs and all other peripherals is a stumbling block. The USB token is another option, and less costly since many devices already have USB ports.
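As an added illustration of the "something you know and something you have" route described above (example code, not from the article or any vendor quoted in it), the block below implements the one-time-password scheme that hardware and software tokens use to "constantly change authentication codes" (HOTP per RFC 4226 and its time-based variant TOTP per RFC 6238, which are published standards) and a server-side check that accepts a login only when both the PIN and the current token code are right. The token seed, salt and PIN values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second
    intervals since the epoch, so the code changes every half minute."""
    return hotp(secret, unix_time // step, digits)


class TwoFactorVerifier:
    """Server-side check that demands both factors: a PIN the user knows and
    the current code from a token the user holds. Either one alone fails."""

    def __init__(self, pin: str, token_secret: bytes, salt: bytes,
                 step: int = 30, digits: int = 6, window: int = 1):
        self.salt = salt
        self.pin_hash = self._hash_pin(pin)   # store a slow salted hash, never the PIN
        self.token_secret = token_secret      # shared with the token at enrolment
        self.step, self.digits, self.window = step, digits, window

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def verify(self, pin: str, code: str, now: int) -> bool:
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self.pin_hash)
        # Accept codes from `window` steps either side of the server clock to
        # tolerate drift; a code from further back is stale and refused.
        counter = now // self.step
        code_ok = any(
            hmac.compare_digest(hotp(self.token_secret, counter + d, self.digits), code)
            for d in range(-self.window, self.window + 1))
        return pin_ok and code_ok


if __name__ == "__main__":
    seed = b"constructed-token-seed"      # constructed; enrolled on token and server
    verifier = TwoFactorVerifier("1234", seed, salt=b"constructed-salt")
    now = 1_000_000_000                    # constructed clock value
    code = totp(seed, now)
    print("PIN + current code:", verifier.verify("1234", code, now))          # True
    print("Right PIN, wrong code:", verifier.verify("1234", "000000", now))
    print("Right code, wrong PIN:", verifier.verify("0000", code, now))
    print("Right PIN, hour-old code:", verifier.verify("1234", code, now + 3600))
```

The point the article makes is visible in the last three lines: stealing the PIN over the phone gets an attacker nothing without the device, and a code copied from the device expires within a minute, so the stored PIN hash and the token seed have to be compromised together.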

There is a great deal of disagreement as to which security methods will dominate in the future.

“I think that [biometrics] is ultimately going to win because people are extremely hassled and burdened with passwords and PINs,” Muir said.

“I think that smart cards aren’t going to be the panacea that they were once thought to be because…it is one more thing to lose,” he added.

We will carry multiple smart cards like the multiple credit cards, Lendvai predicted. “So we are probably going to see a wallet full of these things.”

Others see the PDA acting as a smart card with biometrics protecting user access. Touch the screen, it reads your thumbprint and away you go.

But there are down sides.

“It is that Big Brother issue that makes biometrics a challenge,” McQuaide said. “If [your unique] biometric template ever gets compromised you have a problem,” McQuaide added.

“You can’t allow your biometric information to be used in any way that can be intercepted,” Hirsh stated.

Public Key Infrastructure is also a hot topic.

“Every year for the past four years has been the year of the PKI…and of course, as we all know, it really hasn’t taken off,” said Kevin Reeks, director of product management at Kyberpass.

The idea is that any information you transmit is sent with the recipient’s public key, at the other end he or she has a private key (known only to them) to access the information.
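The sentence above is the whole of public-key encryption in one line; the added example below (not from the article) shows that relationship in code with textbook RSA: a message encrypted under the recipient's public key is recovered only by the matching private key, and a different private key yields garbage. The primes are toy values chosen so the arithmetic is visible; real keys use primes of hundreds of digits and a padding scheme, and deployed PKI wraps this primitive in the certificates and infrastructure the article goes on to discuss. The message and primes are constructed for the demonstration.

```python
from math import gcd

# Toy primes constructed for the demonstration (real keys use primes of hundreds
# of digits). n = p*q is about 10^12.
TOY_P = 1000003
TOY_Q = 999983
CHUNK = 3  # plaintext bytes per block; with the 0x01 marker a block stays below n


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, plaintext: bytes) -> list:
    """Anyone holding the recipient's public key can produce the ciphertext."""
    n, e = public_key
    blocks = []
    for i in range(0, len(plaintext), CHUNK):
        # Leading 0x01 marker preserves leading zero bytes through the integer round trip.
        m = int.from_bytes(b"\x01" + plaintext[i:i + CHUNK], "big")
        blocks.append(pow(m, e, n))
    return blocks


def decrypt(private_key, blocks: list) -> bytes:
    """Only the holder of d (known to the recipient alone) recovers the plaintext;
    any other d produces unrelated bytes."""
    n, d = private_key
    out = bytearray()
    for c in blocks:
        m = pow(c, d, n)
        raw = m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")
        out += raw[1:]  # drop the marker byte
    return bytes(out)


if __name__ == "__main__":
    public, private = generate_keypair(TOY_P, TOY_Q)
    message = b"patent filing draft"          # constructed sample message
    ciphertext = encrypt(public, message)
    print("ciphertext blocks:", ciphertext)
    print("with recipient's private key:", decrypt(private, ciphertext))
    _, other_private = generate_keypair(999979, 999961)  # a different toy key pair
    print("with someone else's private key:", decrypt(other_private, ciphertext))
```

Two things carry over to real deployments: the public key can be handed to anyone without weakening the scheme, and the entire secrecy of the channel rests on the private key staying private, which is exactly why PKI's hard part is key distribution and revocation rather than the arithmetic.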

“The whole Public Key Infrastructure concept keeps collapsing under its own weight,” Hirsh said.

PKI requires an infrastructure that is so cumbersome – long before any applications are available – that it has failed over and over again, he added.

It could still work in future if it is built for specific applications, Hirsh explained. Of course, the simplest method of security is to encrypt all things at all times, except when you are using them. Several large companies are looking into this option.

Encryption is the best tool because it can push the computational power necessary to break it so high that it is not economically worth it, Hirsh said.

The law ain’t gonna help you

Billions of dollars lost and you are looking for a culprit. Even if you do find one, and they are in a country with extradition treaties, what are you going to do? Go public? Hardly! The world would see the error of your ways. Stay private, and the perpetrator walks away scot-free.

“Even with law in place, the reality is that companies are practising cyber warfare,” Lendvai said.

“I am not sure legislation is ever going to prevent that,” he added.

“People recognize that you can’t count on the law to retrieve all the values that they lose, so they are going to have to use proactive measures to prevent people getting in,” RSA’s McQuaide said.

So we are forced back to a frontier-day mentality.

“I think the safest thing to do is assume it is every man for himself and protect yourself,” Guardent’s Rombough said.