The buck stops here!

When it comes to corporate IT security an argument can be made that the most difficult job falls into the laps of CIOs. They are usually caught between a rock and a hard place as they navigate what can only be described as an unfriendly sea. Higher up the chain of command, and frequently even lower down, there is demand for increased efficiencies and lower IT costs. On the other side are the security mavens within a company, for whom nothing less than bullet-proof security postures will do.

In order to safely navigate these unsettled waters, CIOs have to be armed with the latest information. So to make your lives a little bit easier CIO Canada spoke to a variety of security gurus – those that understand both the constraints of 21st century business and the requirements of 21st century IT security – and asked them what they would tell you if given 20 minutes to bend your ear.

On the upside there was a great deal of consistency in their advice, but on the downside there was a noticeable annoyance.

“Many CIOs underestimate the issues of security,” said Adel Melek, a partner with Deloitte & Touche in Toronto.

“Security is not taken very seriously, no matter what they say,” added Mike Kennedy, general manager of RSA Security Inc. Canada.

“CIOs are often blissfully unaware of entire department initiatives,” said Whitfield Diffie, chief security officer with Sun Microsystems Inc.

Having said that, everyone agrees that good security always starts with having the right people. Usually in IT, and especially in a down economy, this is a relatively straightforward task. But unfortunately security is the exception.

“Skilled security people are still somewhat scarce,” said Richard Reiner, CEO of FSC Internet Corp. in Toronto. And to drive home the point, he added a warning. There are “snake oil” salesmen out there with the right initials after their names but who are sorely lacking in the skills that should come with the credentials, he said.

Though no one wanted to go on the record suggesting the easiest way to find top-end security experts is to pilfer from the competition, the practice is common, though not always publicly acknowledged.

Shy of luring away top-notch help, employee training is often the best (and cheapest) place to start. Those interested can be trained in everything from patch management and intrusion detection to firewall maintenance, and then branch out into more managerial roles.

But even with the proper people in place there are difficult challenges ahead, many of which will turn into long-fought battles in an effort to change corporate perceptions.

The potential list of security holes in a company reads like the back of a Tom Clancy novel – flagrant password abuse, Web applications with holes large enough to comfortably let a Mack truck pass through, porous corporate security practices and unencrypted corporate strategies, just to name a few.

General strategies

A good starting point is to create a realistic threat model of your company and your assets. This is not always an easy task, so the experts suggest the best approach is to get feedback from IT security experts outside the company. Regardless, as a CIO it is your responsibility to fully understand your corporate environment and precisely what information your company has exposed.

There is some debate as to how security is best sold to corporate higher-ups (and even to CIOs) since it is often viewed as a non-recoverable cost.

Though there are those who are unafraid of scaring the pants off CEOs, painting pictures of IT hell that would make Dante proud, the consensus from our experts is to use fear only as a last resort. Admittedly, there are public-relations and legal disasters that can come from security breaches, so if painting a picture of burning in hell is the only way they can be avoided, then paint away. But use fear sparingly. On that note, if your own security people come to you with these same predictions, don’t write them off as paranoid security freaks bent on locking the company down tighter than a drum. Research their complaints, even asking for third-party evaluation if necessary, because if they are right the anvil will be hanging above your head.

A less dramatic approach is to point to regulatory compliance. For example, in Canada next year all companies will have to abide by the rules and regulations of PIPEDA (Personal Information Protection and Electronic Documents Act), an act designed to ensure the sanctity of Canadians’ privacy. Since security and privacy are tightly linked, revisiting corporate security can be a way of ensuring compliance.

Another place to look is the ISO security standard 17799. “It is a great source of blind-spot prevention,” Reiner said. It allows a company to compare its security posture and see how it stacks up against an accepted standard.

Identity management

But as a CIO, you are often looking down from 30,000 feet, wondering what can be done to improve security on a daily basis. Across the board, the experts pointed to identity management as one of the biggest holes in corporate security.

Companies are unsure of who has access to what. When this is the case the potential for security breaches increases exponentially, because identities are nebulous. Your own identity may vary from e-mail to ERP to simple file-sharing, and it shouldn’t. You are one person, not three. The more identities that exist, the more ways there are into the system.

Melek is a firm believer in simplification. Some companies like to create an individual user profile for each employee, a solution which Melek said is neither efficient nor wise, since the increased complexity can lead to more holes. For the average company, 80 to 90 per cent of the employees can have their access dictated by their corporate position. With generic role-based rules, 500 employees might be defined by five rules, not 80, as is often the case.

“The model is very logical but… many organizations have not understood or rationalized this,” Melek said.
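The rule-based model Melek describes, as an added example that is not from the article or from Deloitte: access is derived from an employee's corporate position through a small table of role rules, with a documented exception list for the minority who need more, and a report that surfaces positions no rule covers. All positions, roles, permissions and staff names here are constructed.

```python
# Added example (not from the CIO Canada article): role-based access derived
# from corporate position rather than from a per-employee profile.
# Every role, position and employee below is constructed sample data.

from dataclasses import dataclass

# Constructed: a handful of role rules that stand in for hundreds of profiles.
ROLE_PERMISSIONS = {
    "teller":  {"accounts:read"},
    "advisor": {"accounts:read", "accounts:annotate"},
    "manager": {"accounts:read", "accounts:annotate", "accounts:approve"},
    "auditor": {"accounts:read", "audit:read"},
}

# Constructed: the 'corporate position' rule that assigns a role automatically.
POSITION_TO_ROLE = {
    "Branch Teller": "teller",
    "Financial Advisor": "advisor",
    "Branch Manager": "manager",
    "Internal Auditor": "auditor",
}


@dataclass(frozen=True)
class Employee:
    user_id: str
    position: str
    # Explicit, reviewable exceptions for the 10 to 20 per cent the position
    # rule does not cover; empty for most staff.
    extra_roles: frozenset = frozenset()


def roles_for(emp):
    """Position-derived role plus any documented exceptions."""
    roles = set(emp.extra_roles)
    base = POSITION_TO_ROLE.get(emp.position)
    if base:
        roles.add(base)
    return roles


def permissions_for(emp):
    """Union of the permissions of every role the employee holds."""
    perms = set()
    for role in roles_for(emp):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(emp, permission):
    # Default deny: a position with no rule yields an empty permission set.
    return permission in permissions_for(emp)


def unmapped_positions(directory):
    """Positions in the directory with no role rule. These people get nothing
    by default; listing them is the 'who has access to what' review step."""
    return sorted({e.position for e in directory if e.position not in POSITION_TO_ROLE})


def directory_report(directory):
    """user_id -> sorted permissions, the answer to 'who has access to what'."""
    return {e.user_id: sorted(permissions_for(e)) for e in directory}


# Constructed directory extract, in the spirit of the 'one clean core directory'.
STAFF = [
    Employee("amit", "Branch Teller"),
    Employee("bea", "Branch Manager"),
    Employee("cai", "Internal Auditor"),
    Employee("dee", "Contractor"),  # no rule yet: denied until reviewed
    Employee("eli", "Branch Teller", frozenset({"auditor"})),  # documented exception
]

if __name__ == "__main__":
    for uid, perms in directory_report(STAFF).items():
        print(uid, perms)
    print("positions without a rule:", unmapped_positions(STAFF))
```

Adding a new hire means setting a position, not composing a profile; adding a new kind of access means editing one role rule, and every holder of that role picks it up. The `unmapped_positions` report is the part worth running regularly, because a position nobody mapped is exactly the kind of nebulous identity the text warns about.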

Though it is never as simple as plug and play, whatever the vendors tell you, technology can play a significant role in creating simple rules-based access. The starting point is to figure out who works for the company.

“Most companies don’t have one clean core directory” of all of their employees, said Robert Garigue, chief information security officer with the BMO Financial Group. He said the corporate e-mail list is often a good starting point since the information is likely to be current, consistent, and contain few redundancies or conflicts.

The task of identity management has to work flawlessly internally if there is any hope of rolling out access to contractors, customers and suppliers – those individuals with less than a vested interest in your company’s security.

Web application holes

Web applications are a CIO’s nightmare on two fronts. First, when there is a hole and a hacker comes in, it is the CIO who gets the call at 3 a.m. Secondly, correcting the problem is not a simple task, but one which will require perseverance, tolerance and time.

Over the past several years Reiner’s company has tested customers’ B2B applications before (and sometimes unfortunately after) they went live. His words are frightening. “We have a 100 per cent rate of at least one critical hole” being found, he said.

The solution: test, test and test again. If your company does not have the necessary skill-set, get outside help. One large Canadian financial institution using software built by a reputable vendor came to FSC, and “huge holes” were found, Reiner said. The problem is that application vendors often view security as a secondary issue since the application in question resides behind corporate firewalls, ignoring the fact that ports are intentionally left open for legitimate traffic. The result? There is no need for hackers to fly under the radar since the radar has been turned off.

For those companies buying their Web-facing applications, Reiner said there is a variety of questions that can be asked of vendors to ascertain their level of security awareness.

Ask them to supply you with a copy of their coding standards and/or documentation of software security architecture. Ask them who reviews the code and what level of security awareness and training the developers have. You might be perceived as a pain in the butt, but it is your butt on the line.

For those who build internally, developers must be properly educated on security matters.

“There are entire classes of vulnerabilities for applications that most developers are not aware of,” Reiner said. Cross-site scripting is one, which allows a hacker to walk in the front door (remember the ports are open for legitimate traffic) and hijack an ongoing customer session.
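The cross-site scripting class Reiner refers to, shown as an added example that is not from the article or from FSC: the weak pattern is user-supplied text concatenated straight into a page, the hardened form escapes it for the HTML context, and the session cookie is marked so page scripts cannot read it. The tainted input is a harmless constructed marker, and the check function is a test-suite helper, not a product API.

```python
# Added example (not from the CIO Canada article): the vulnerable rendering
# pattern behind cross-site scripting beside its hardened form, plus the
# cookie flags that limit session hijacking. All sample input is constructed.

from html import escape

# Constructed attacker-controlled value, e.g. a profile "display name".
# A textbook marker only; it demonstrates that markup reaches the browser.
TAINTED_NAME = '<script>alert("xss")</script>Alice'


def render_greeting_unsafe(name):
    """Weak pattern: untrusted text is dropped into HTML verbatim,
    so any markup in it becomes part of the page and may execute."""
    return f"<p>Welcome back, {name}</p>"


def render_greeting_safe(name):
    """Hardened: contextual escaping turns < > & " ' into entities,
    so the browser displays the text instead of interpreting it."""
    return f"<p>Welcome back, {escape(name, quote=True)}</p>"


def reflects_raw_input(rendered_html, user_input):
    """Test helper: True when input containing markup characters appears in
    the output verbatim, i.e. unescaped. Useful as a regression check."""
    has_markup = any(c in user_input for c in '<>"\'&')
    return has_markup and user_input in rendered_html


def session_cookie_header(token):
    """HttpOnly keeps the session token out of reach of page scripts, Secure
    restricts it to HTTPS, and SameSite limits cross-site sends; together
    these reduce what a successful injection can do with the session."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    unsafe = render_greeting_unsafe(TAINTED_NAME)
    safe = render_greeting_safe(TAINTED_NAME)
    print("unsafe:", unsafe)
    print("safe:  ", safe)
    print("unsafe reflects raw input:", reflects_raw_input(unsafe, TAINTED_NAME))
    print("safe reflects raw input:  ", reflects_raw_input(safe, TAINTED_NAME))
    print(session_cookie_header("constructed-token"))
```

The fix is small, which is the point of the quote: developers who have not heard of the class do not apply it, and the one unescaped field among hundreds is the one the scanner finds. Escaping must match the output context (HTML body here; attributes, URLs and JavaScript each need their own), and `reflects_raw_input` is the kind of assertion worth keeping in the test suite so the regression is caught before the 3 a.m. call.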

Melek warned that developers are not typically security-focused; instead they are more worried about functionality, time lines and budgets. To change that you will have to create standards and consistent methodologies around security when developing new Web applications. He suggested pulling as much of the security as possible out of the Web application itself (a notoriously weak link) and putting it in the infrastructure level. His third suggestion is to standardize, as much as possible, on one set of tools for developers. For those companies where this is impossible, “develop some sort of tailored security approach to each language,” he added.

Education and awareness

Even if you do everything recommended, there are no guarantees the sailing will be smooth, which is why you need help.

“Everybody is in it together (so you) need to make people more security conscious,” said Tom Slodichak, CSO of Whitehat Inc.

This is achieved by driving security from the top. Microsoft successfully changed its corporate attitude when Bill Gates wrote a company-wide e-mail promoting the importance of security. Although the change was not overnight, employees had no doubt that it was being driven from the top.

The ones who are doing a good job? “The banks and government departments that carry guns tend to be in pretty good shape,” said Slodichak.

Ultimately, the role of the CIO is to be “aware of the value of information and the cost of it being compromised,” Garigue observed. In order to do this they have to trust their instincts.

“The CIO doesn’t have to go to security people to find out about problems,” he added. He suggests asking business managers simple questions like whether they have had any recent virus problems or whether they are using a lot of peer-to-peer technology (an often difficult area to secure), or even how current their technology is. Around security, everything you do has to be planned.

“The CIO is accountable for the lifestyle of the organization,” said Garigue. “Some like a lot of risk; some don’t.”

So when you go to bed tonight, repeat this mantra from Gartner’s Ray Wagner: “I want to stop being someone who puts out fires and start being someone who has a plan.”

Chris Conrath is a Senior Writer with ComputerWorld Canada and an occasional contributor to CIO Canada. He is based in Toronto.