Howard Schmidt has quite a resume: former chief security officer at Microsoft, chief security strategist for eBay, deputy to former cybersecurity czar Richard Clarke in the Bush administration, and president of the Information Systems Security Association (ISSA). With all that expertise, his approach to IT security best practices is somewhat surprising.
“I’d outsource it,” he says. “Use third parties. They can see the entire spectrum. There is only so much that internal security officers can do, whereas a managed security service provider (MSSP) has it all. In effect, they are the best practice.”
But whether in-house or outsourced, there are no best practices without the involvement of management. Often executives roll their eyes and wonder what the fuss is all about. It’s not like they’ve got a tsunami alert system at the cottage.
Michel Arredondo, strategic consulting vice-president for Above Security out of Boisbriand, Que., has certainly heard that rationale. From his perspective a change of thinking is required.
“This is not a project,” he says. “This is a multi-step process, and once you get to the end there is a timeline for re-starting.”
The advantage of a policy-based approach is that in the long run it can reduce the amount of time and money invested. Aron Feuer, president of Cygnos IT Security in Ottawa, says that the risk-reward models usually pay off after three years.
“But this is not an easy chore,” he says. “It has to be something management can adopt and IT can digest. It requires analysis and some forward thinking.”
IT security best practices, then, are cyclical in nature, and require long-term operational funding. Estimates range from four per cent of an IT budget for a typical mid-sized company, to more than 10 per cent for a large financial services firm.
There are a lot of references out there, but Arredondo likes the ISO 17799 standard (soon to be ISO 27002). For Arredondo the process breaks down into four areas: plan, do, check, and act. “It can sound big and cumbersome,” says Arredondo. “But even smaller companies should be able to provide for some level of governance based on revenues and the financial capability to back up activities.”
Lawrence Rogers is a senior member of the technical staff in the CERT Program at the Carnegie Mellon Software Engineering Institute. He worries that the emphasis on IT best practices often overlooks issues outside of the IT department.
“My personal bias is that training of non-IT professionals is important,” says Rogers. “They will always be confronted by new technologies.”
However, Johannes B. Ullrich, chief technology officer for the SANS Internet Storm Center, is cautious regarding the merits of training non-IT users. For Ullrich, policies must be backed up with technology.
“You can teach them not to click on attachments,” he says. “But if you have legitimate attachments, and don’t have technology in place for filtering, then that’s kind of pointless advice.”
The SANS approach is more fluid than Above Security’s use of ISO standards, and assumes that an organization has already developed some sort of policy framework. Some of it is plain common sense — “Stick with proven policies” — but other practices are subtler, like the requirement that a policy be enforceable.
“It has to have some fight behind it,” says Ullrich. Other suggestions are for a policy library and the now ever-present mantra that the policies adapt to business needs. “You’ve got to ask yourself business questions, and that includes the IT staff. What does the business do? Why do people need network access? Answering these questions is the only way to set policy priorities and eliminate business risk.”
This brings us back to ISSA’s Schmidt and the question of outsourcing. His argument is simple: A lot of today’s software and hardware was not designed to work in a high-threat environment. It’s supposed to be safe and sound behind the wall. But the prevalence of peer-to-peer networks in distributed environments makes it difficult for companies to keep up.
“Data is the gold and the silver and the diamonds of the online world,” he says. “The Internet will always have a level of criminality, and with SOA and Web 2.0 we need to operationalize security in the day-to-day. Businesses should not be worrying about patching Web servers.”
For his part, Feuer believes that awareness training is the only way for stakeholders to take an interest in quantifying risk, no matter the approach. Only then can they put in effective controls and safeguards. And they need someone, either internally or externally, who is charged with putting all the pieces together. Simply listening to vendors won’t do it.
“A Symantec or a Cisco can get me up and running,” he says. “The pieces would work well together. But you need to decide what frameworks you’re taking from, whether ISO, ISACA, or Treasury Board. There are lots to look at.”
And a pick-and-choose, mix-and-match approach to IT security policy isn’t necessarily a bad idea. An organization can define the elements for methodologies and frameworks that make sense. The important thing is that it results in a single, coherent, and living policy.
Danny Allan, director of strategic research for Watchfire, a Web application security software company recently acquired by IBM, believes that IT security has to be dealt with by skilled practitioners.
“From an audit perspective, cross-site scripting, SQL injections, and buffer overflows represent three distinct issues,” he says. “An IT security professional would know that they have the same root cause.”
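As an added illustration, not part of the article or of Watchfire's work, of the "same root cause" Allan describes: untrusted input crossing a trust boundary without being validated or encoded for its destination. The Python below uses a constructed in-memory database and constructed probe strings to show one input changing the structure of a SQL query and another becoming HTML markup, beside the two fixes, which are the same discipline (keep input as data) applied to each context; a buffer overflow is the same failure applied to length rather than content.

```python
import html
import sqlite3


# Constructed demo database for this example: two ordinary users.
def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


# Root cause, instance 1: untrusted text is spliced into SQL, so it can
# alter the structure of the query instead of being a value inside it.
def lookup_vulnerable(conn, username):
    sql = "SELECT name FROM users WHERE name = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


# Fix: a parameterized query keeps the input as data; the structure is fixed.
def lookup_safe(conn, username):
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Root cause, instance 2: the same kind of untrusted text is spliced into
# HTML, so the browser can treat it as markup instead of as text.
def greet_vulnerable(username):
    return "<p>Hello, " + username + "</p>"


# Fix: encode for the output context so the browser renders it as text.
def greet_safe(username):
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"


def demo():
    conn = demo_db()
    sql_probe = "' OR 1=1 --"                 # constructed input aimed at the SQL sink
    html_probe = "<script>alert(1)</script>"  # constructed input aimed at the HTML sink
    return {
        "sql_vulnerable": lookup_vulnerable(conn, sql_probe),  # every row leaks
        "sql_safe": lookup_safe(conn, sql_probe),              # no such user
        "html_vulnerable": greet_vulnerable(html_probe),       # script tag survives
        "html_safe": greet_safe(html_probe),                   # rendered as text
    }


if __name__ == "__main__":
    for sink, result in demo().items():
        print(sink, "->", result)
```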
Allan takes his mid-tier customers through a five-step process, one step of which is to build on simple, addressable action items and to investigate policy automation. As a rule, a lot of scanning, automatic patching, and encryption follows from regulatory requirements. In effect, this could bring the benefits of an MSSP in-house. Sadly, many ISVs treat security as a last priority.
“Most small ISVs do a security audit at the end. It’s called the ‘waterfall’ approach,” says Allan. “But this is changing. Now you can build compliance right into the product.”