Scott Collins was not caught off guard by the recent Microsoft ASN.1 vulnerability announcement, but he was skeptical of Microsoft’s claims that fixing the hole was just a matter of patching systems and being on his way. His experiences with the recent Internet Explorer 6.0 vulnerability taught him that, from an IT perspective, a butterfly flapping its wings in China can, metaphorically at least, cause a hell of a tidal wave back home.
Collins, the manager of technology and infrastructure with Canaccord Capital, a Vancouver-based independent investment dealer, found out the hard way that patching systems to reduce corporate risk, even when that patching occurs outside the corporate walls, can have unwanted consequences.
The IE patch was designed to address security issues around password credentials passed through a URL, he said. This didn’t affect Canaccord. But the patch also blocked credentials another way (Collins requested the exact method be withheld for security reasons), and that is when an authentication problem arose.
Since the new patch caused authentication problems, Collins didn’t install it on Canaccord’s systems, but some clients, unaware of a potential conflict, went ahead with the patch. The result was a difficult week. Those who had installed the IE patch got an error message when they visited the Canaccord site. He said it was difficult figuring out who was responsible for the conflict. “It was almost impossible to get an answer out of Microsoft,” he said. “Microsoft finally released a patch to fix the patch,” Collins added. He has an acronym for updating and patching remotely without testing: CLM – career-limiting move.
The lessons learned are threefold. First, you have to test all patches. Second, you have to be ready to accept that not installing a patch and leaving a vulnerability open might be less risky to your company than installing the patch. “We have not deployed that patch still,” Collins said, though admittedly some of that has to do with the fact his team is now under the gun to test and install a patch for the critical ASN.1 vulnerability. The third lesson, according to Anthony Cina, product manager of AT&T Global Services, Canada in Toronto, is that “you shouldn’t rely on any one company completely for your security needs.” By installing a patch without testing it internally, a company opens itself to the dreaded “single point of failure.”
ART MAJOR WITH A SCIENCE MINOR
Risk reduction or mitigation is often thought of as a science of number crunching and probabilities. But it is much closer to an art, albeit one which is not afraid of the world of statistics.
9/11 and Y2K both helped slowly move the risk pendulum away from the fire but unfortunately it required both a real and an averted disaster for this to happen. Companies, well aware of the potential risk they face, still seem to need a ‘security burn’ before they act to tighten up the corporate walls. Call it the frailty of human logic: we think we’ll win the one in a billion lottery but not be hit by the one in a thousand hack.
“There are major (corporate) initiatives where security is not part of the equation until the project is over or something major happens,” said Kent Kaufield, senior manager of technology, security risk services practice with Ernst & Young in Toronto.
Though Kaufield has seen changes for the better – “security is not the first thing to go” – he said there are only a few companies that have gone the path of having a chief risk officer. Security “depends a lot on the culture of the organization (and) the culture really stems from awareness,” he said. This in turn is driven by senior management.
Even in this era of heightened awareness, talk is cheap. Kaufield said less than half the companies that are talking the security talk are walking the walk. But fortunately companies are in the midst of a paradigm shift, he said. “People now recognize that if they are going to chop a bunch off of the security budget, inherently they are accepting some additional risk.”
Rosaleen Citron, CEO of Burlington, Ont.-based Whitehat Inc., is forthright: “If you can’t afford the security, you can’t afford the project.”
But it is no easy task to determine true corporate risk. Cina divides the task of risk assessment into three silos. First, a company has to understand where it is vulnerable by knowing what technology it has and what functions the technology is responsible for. This in itself is no easy job since, as Kaufield pointed out, entire department initiatives often fly under the corporate security radar. The second part of the task is to calculate the impact of an attack or “worst-case scenario,” Cina said. The third task is to calculate the probability of a specific event occurring. Two and three go hand in hand.
Even if the probability of an event occurring (all financial records destroyed) is exceedingly low, due to the tremendous impact such an event would have on a company it needs to be addressed and solved at a senior level. On the other hand, an e-mail server going down for an hour once a year (high probability of occurrence, low impact) may be a risk a company can live with.
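The three silos above, and the rule of thumb that a catastrophic impact is escalated however unlikely it is, can be written down as a small risk register. The following is an added illustration, not code or data from the article or from any of the companies named; the assets, dollar figures, probabilities and the two decision thresholds are constructed assumptions.

```python
"""Worked example of the three-step risk assessment described above.

Constructed illustration, not from the article or any of the companies named:
the asset inventory, the dollar figures and the probabilities are assumptions
chosen to show the reasoning, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str                 # step 1: what technology do we have ...
    function: str              # ... and what business function it serves
    scenario: str              # step 2: the worst-case event for that asset
    impact_cad: float          # step 2: loss per occurrence (constructed figure)
    annual_probability: float  # step 3: expected occurrences per year (constructed)

    def annual_loss_expectancy(self) -> float:
        """Steps two and three 'go hand in hand': expected loss per year."""
        return self.impact_cad * self.annual_probability


def triage(risk: Risk, escalate_above_cad: float, accept_below_cad: float) -> str:
    """Decide what to do with a risk.

    Mirrors the article's rule of thumb: an event whose impact alone is
    catastrophic is escalated to senior management however unlikely it is;
    otherwise the expected annual loss is compared with what the business will
    tolerate. Both thresholds are assumptions an organisation must set itself.
    """
    if risk.impact_cad >= escalate_above_cad:
        return "escalate"
    if risk.annual_loss_expectancy() <= accept_below_cad:
        return "accept"
    return "mitigate"


def sample_register() -> list[Risk]:
    """A constructed inventory in the spirit of the article's two examples."""
    return [
        Risk("finance database", "general ledger",
             "all financial records destroyed",
             impact_cad=50_000_000, annual_probability=0.001),
        Risk("mail server", "internal communication",
             "outage of about one hour",
             impact_cad=2_000, annual_probability=1.0),
        Risk("client web portal", "client order entry",
             "untested vendor patch breaks client authentication for a week",
             impact_cad=40_000, annual_probability=0.5),
    ]


def triage_register(register: list[Risk]) -> dict[str, str]:
    """Map each scenario to its decision, using assumed thresholds:
    anything costing >= CAD 10M per event goes to senior management,
    anything expected to cost <= CAD 5k per year is accepted."""
    return {r.scenario: triage(r, escalate_above_cad=10_000_000,
                               accept_below_cad=5_000)
            for r in register}


if __name__ == "__main__":
    for r in sample_register():
        print(f"{r.scenario:<62} ALE={r.annual_loss_expectancy():>10,.0f} "
              f"-> {triage(r, 10_000_000, 5_000)}")
```

Note what the numbers show: the destroyed-records scenario has an expected annual loss of CAD 50,000, not far above the CAD 20,000 of the bad-patch scenario, so a register sorted by expected loss alone would bury it among routine items. The impact test in `triage` is what puts it in front of senior management, which is the article's point.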
Jeff Goldstein, Mississauga, Ont.-based Canadian general manager of Network Appliance Inc., has a simple test to help understand corporate impact. “Any application associated with a company making money is absolutely mission critical.” He said 9/11 forced companies to rethink which applications were mission critical. E-mail, often thought of as non-critical, proved to be anything but when companies slowly realized employees were using it as their “file cabinet,” Goldstein said. “[Companies] needed to replicate a lot more data than they thought.”
Because risk assessment is often an overwhelming project, getting outside help is a good starting point. “Ultimately [risk] is the responsibility of the company but having someone (else) to rely on is an important piece of the equation,” Cina said.
THE MANAGEMENT SIDE OF RISK
The next step, risk management, is also best divided into three categories, said Tom Slodichak, chief security officer with Whitehat. Some risk can be avoided or dramatically reduced by installing technologies (firewalls, intrusion detection) or enforcing stricter corporate policies (changing passwords regularly). Though the latter “has to be relevant, usable and enforceable,” Cina said. He also warned companies not to “ignore physical security.” Stories abound of internal network access being gained simply by an individual walking untouched into a supposedly secure building. Slodichak said he has seen a dramatic increase (400 per cent) in the past two months in desktop encryption solutions being installed, so even if a local system is hacked nothing can be gained from the effort. The desktop firewall has also gained a lot of traction recently.
However you start to reduce risk, don’t shoot for the stars. “Typically (risk reduction) is small victories,” Kaufield said.
The second piece of risk management is that risk which is accepted by the company as a necessity of doing business in today’s interconnected world. This could include anything from a partner getting hacked, to a hurricane or earthquake destroying your office. There is not a lot that can be done, cost effectively at least, so the risk is accepted.
The third category is risk that can be assigned to others, often by outsourcing it.
About 95 per cent of Internet Light and Power’s (ILAP) customers choose to let it deal with the risk associated with security and technological failures by hosting their applications on ILAP technology. The company has what it calls an N+1 approach. Every router, circuit, switch, server, firewall or power supply has a backup on site. If one goes down the replacement is right there and a new one is ordered. “We know that even the best equipment will fail,” said ILAP president Tristan Goguen. But “the fact is, the statistical probability of a hardware failure is quite low,” he explained. If the replacement piece fails before the new one arrives, ILAP is in trouble, but it is a risk ILAP has decided to accept since an N+2 approach does not make business sense.
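The N+1 trade-off above can be put in numbers. What follows is an added illustration, not ILAP’s own model or figures: it assumes a constant failure rate (exponential lifetimes), independent failures, one hot spare per unit that takes over immediately, and a constructed fleet of 40 units with a 200,000-hour MTBF and a 72-hour replacement lead time. The exposure is the chance that the spare also fails before the replacement arrives, and the same formula with `spares=2` shows what N+2 would buy.

```python
"""Constructed illustration of the N+1 reasoning above; not ILAP's own figures.

Every unit has one hot spare on site. When a unit fails, the spare takes over and
a replacement is ordered; the exposure is the chance that the spare also fails
before the replacement arrives. Assumptions: constant failure rate (exponential
lifetimes), independent failures, and the MTBF and lead-time values used below.
"""
import math

HOURS_PER_YEAR = 8760.0


def p_fail_within(hours: float, mtbf_hours: float) -> float:
    """Probability that one unit fails within `hours`, failure rate 1/MTBF."""
    return 1.0 - math.exp(-hours / mtbf_hours)


def primary_failures_per_year(units: int, mtbf_hours: float) -> float:
    """Expected number of exposure windows opened per year across the fleet."""
    return units * HOURS_PER_YEAR / mtbf_hours


def outages_per_year(units: int, mtbf_hours: float,
                     lead_time_hours: float, spares: int = 1) -> float:
    """Expected 'spares exhausted before the replacement arrives' events per year.

    spares=1 is the N+1 approach described in the article; spares=2 is N+2.
    An outage inside a window needs every on-site spare to fail within it.
    """
    per_window = p_fail_within(lead_time_hours, mtbf_hours) ** spares
    return primary_failures_per_year(units, mtbf_hours) * per_window


def mean_years_between_outages(units: int, mtbf_hours: float,
                               lead_time_hours: float, spares: int = 1) -> float:
    """Inverse of the outage rate, the figure a manager actually weighs."""
    rate = outages_per_year(units, mtbf_hours, lead_time_hours, spares)
    return math.inf if rate == 0 else 1.0 / rate


if __name__ == "__main__":
    # Constructed fleet: 40 identical units, 200,000 h MTBF, 72 h to get a replacement.
    for spares in (1, 2):
        rate = outages_per_year(40, 200_000, 72, spares)
        years = mean_years_between_outages(40, 200_000, 72, spares)
        print(f"N+{spares}: {rate:.2e} outages/yr, roughly one every {years:,.0f} years")
```

With these assumed inputs the fleet opens about 1.75 exposure windows a year, and the spare fails inside a 72-hour window with probability of roughly 0.00036, so an N+1 double failure comes out at one event in about 1,600 years. N+2 pushes that into the millions of years, which is the kind of marginal gain the article describes ILAP judging not worth the hardware. Shortening the lead time (a spare on the shelf rather than on order) moves the N+1 figure more cheaply than adding a second spare.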
When the blackout hit Ontario and the American northeast last summer, ILAP felt nothing. Backup power automatically kicked in. California customers of financial institutions that ILAP hosts on its equipment were surprised to find the Web sites up and running.
BUT CAN YOU REALLY OUTSOURCE RISK?
The sales pitch from most outsource companies is that they can take care of your specific needs better than you can since it is their core competency. Whether it is security or e-mail, you should let them deal with the worry while you focus on the business at hand. It is a convincing strategy, but is it reasonable when the focus is risk?
Kaufield does not agree that outsourcing is changing the risk equation. “If you actually take out a pocket of your security group and say ‘I’m going to outsource it because I don’t want to deal with that risk,’ – that is completely illogical to me because the risk still exists. Maybe you can blame someone else (but) I don’t necessarily view that as pushing risk out as much as pushing a function out.”
Whether or not your company decides to outsource crucial technological needs, it needs to know precisely who it is dealing with, which is often easier said than done. Whitehat’s Slodichak said it is crucial to know your “downstream situation.” Is your outsource contract being subsequently outsourced? The Bank of Montreal got hit by this last summer when an outsourced contract was outsourced. The end result was several servers with customer information appearing briefly on eBay. Though this specific event was not directly related to multiple levels of outsourcing, it opened up people’s eyes to how difficult it is to control corporate information the more points it touches. As this story goes to print, Microsoft is feeling this pain with the recent release of some of its software code on the Internet. Again, this was most likely due to too many eyes and too few controls.
Whether outsourcing business processes, and the risk that goes with them, is beneficial remains an ongoing debate. Yet ironically all those interviewed by ComputerWorld Canada agreed on one prediction: security and its associated risk is coming home. Right now “it is just easier” to outsource, Citron said. “But in two years those contracts will be back home again.”
“I think that in a lot of cases most IT security is going to eventually rest back with the organization,” Kaufield agreed. But until companies bring security home again, he has some advice: “Don’t give the outsourcer carte blanche to manage the risk; you have to audit their work.”