As corporations struggle with continual IT security shortcomings, two strategies are consistently identified as the keys to reducing the scope of opportunity for those with malicious intent: the creation of a buck-stops-here, Harry Trumanesque corporate IT security czar, and a security-savvy workforce. Unfortunately, neither is the norm.
At the IT Security Solutions Roadshow seminar held in Toronto on Monday, several attendees were asked who their company’s IT security point person is. “If such a security czar exists, I don’t know who he is,” said an IT security specialist with one of the world’s largest IT vendors. Another attendee, from one of the big-three auto manufacturers, said that though his CEO is ultimately responsible, he couldn’t name a specific person responsible for the company’s IT security.
“It doesn’t surprise me, but it scares the hell out of me,” said Scott Lupfer, senior director, security evangelism with McAfee Inc., and one of the seminar’s presenters. The fact that one was a technology vendor was no surprise either, he said.
Part of the reason for the problem is the difficulty of balancing the three sides of business risk: security, business availability and investment. The security people want to lock systems down tighter than a drum; the business units want them open and ready for transactions; and the holder of the purse strings doesn’t want to let go. “Weird things happen when people have to spend money,” Lupfer said. Without a point person it is difficult to balance the three, he said, while admitting that some industries, such as retail, often do not see the need for such a position, given that their focus is not primarily IT.
Those companies most successful with IT security, such as financial institutions, tend to have a very senior IT security executive who answers to the CEO or the board, Lupfer said, and by extension carries some decision-making weight.
Those interviewed who had no corporate IT security czar said that though it would be nice to have someone doing their bidding at an executive level, its absence was not a major inhibitor to sound IT security. But the lack of someone at the top to oversee on-the-fly exemptions to IT security policy was one major downside, the auto manufacturer’s IT specialist said.
For example, at his company all email attachments are filtered out, and though this works most of the time for most users, it does make life hard for the designers and machinists. They would much rather email encrypted blueprints back and forth to figure out whether a new design can be built than post them on an FTP server, as they do now. “It’s just faster,” he said.
On the “savvy-workforce” side, as is the case at almost all security seminars, there was palpable disdain for the average user, who is stereotyped as an automaton who “just clicks” and doesn’t think. But Kevin LeBlanc, a marketing manager with RSA Security Inc., was not as quick to heap all the blame on the end user. “The things we have done to make passwords stronger have made them weaker in the long run,” he said. Making users change 10-character passwords every 30 days is just asking for the post-it note on the monitor, he said. Across the room, heads nodded in agreement, both at the absurdity of the policy and at the likelihood of its being undermined.
RSA’s solution — to end the password dilemma — is to use a token which generates a new six-digit key every 60 seconds, to be appended to the user’s original PIN or password. The entire system is tied to the backend with an RSA authentication manager. The user sees the same login interface, which is extremely important for reducing helpdesk calls, LeBlanc said, and only has to look at his or her token to find the last six digits of their ever-changing password.
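How a time-synchronised token scheme of the kind LeBlanc describes fits together, as an added example that is not RSA’s code: the real SecurID algorithm is proprietary, so this stand-in derives the six-digit code from an HMAC over the 60-second clock step, and the user name, PIN, seed and timestamps are constructed values. The back-end verifier checks the PIN, tolerates a little clock drift, and refuses to accept a code for a step it has already accepted.

```python
import hashlib
import hmac
import struct
import time

STEP = 60    # the token shows a new code every 60 seconds
DIGITS = 6   # six-digit code, appended to the user's PIN


def token_code(seed: bytes, t: int) -> str:
    """Code the token would display at unix time t.
    HMAC over the 60 s step counter with HOTP-style truncation (RFC 4226);
    this is an assumed stand-in, not the proprietary SecurID algorithm."""
    counter = t // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class AuthManager:
    """Back-end verifier: users map to (PIN, per-token seed)."""

    def __init__(self, users):
        self.users = users
        self.last_step = {}  # highest step accepted per user, to reject replays

    def verify(self, user, passcode, now=None, drift=1):
        """passcode is PIN + 6-digit code; drift = clock-skew steps tolerated."""
        now = int(time.time()) if now is None else now
        record = self.users.get(user)
        if record is None or len(passcode) <= DIGITS:
            return False
        pin, seed = record
        entered_pin, entered_code = passcode[:-DIGITS], passcode[-DIGITS:]
        if not hmac.compare_digest(entered_pin.encode(), pin.encode()):
            return False
        current = now // STEP
        for step in range(current - drift, current + drift + 1):
            if step <= self.last_step.get(user, -1):
                continue  # this step (or an older one) was already used: replay
            if hmac.compare_digest(token_code(seed, step * STEP), entered_code):
                self.last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    seed, pin = b"constructed-demo-seed-0001", "1234"  # constructed values
    manager = AuthManager({"alice": (pin, seed)})
    print(manager.verify("alice", pin + token_code(seed, int(time.time()))))
```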
The automotive security specialist said his company still uses user name and password, and sees little reason to change for the time being. They change their six- to eight-character passwords every 45 days. LeBlanc said that if a company does not envision moving to a token-type solution, a policy of frequent changes “closes the window of opportunity” for compromised passwords. “Most people can remember a phone number,” he said, and if you put a character at the beginning and at the end, the solution is “pretty secure.”