Never has enterprise security figured so prominently, or taken its place so swiftly, in the psyche of today’s IT leader. How can it not be top of mind? In 2001, the number of security incidents reported doubled from the previous year to more than 40,000, malicious worms rampaged through corporate networks and threatened to strangle e-commerce, and then, on Sept. 11, a horrific act of terrorism tore down preconceived notions about enterprise security.
This year, the book on enterprise security gets rewritten. And some of the U.S.’s most forward-looking IT security managers will be responsible for guiding their industry colleagues through the uncertain year ahead.
As in years past, 2001 was initially about perimeter defence keeping people out of your corporate network, says David M. Hager, vice-president of network security and disaster recovery at OppenheimerFunds Distributor Inc. in New York, which manages US$120 billion in assets annually. Unfortunately, security measures rarely keep people out, says Hager; a determined intruder can always find a way into a system. Companies must instead take a layered approach that shows security administrators where intruders can go on the network once they’re in and what they can do once they get there, he says.
That represents a sea change in approach for most security administrators. For Hager and other security managers, it’s been like pulling teeth to get colleagues to realize that for years, they’ve been spending 80 per cent of their security budgets on trying to keep people out when, in fact, 80 per cent of all attacks originate from inside the firewall.
The overwhelming focus on perimeter defence should have disappeared on Sept. 11, along with the other misdirected security projects, says Hager.
“The same threats and vulnerabilities that existed on Sept. 10 are still there,” says Hager, who safely escaped from the 32nd floor of Tower 2 at the World Trade Center in New York after the first tower collapsed on Sept. 11. “Controlling where users can go within the network has gone from a nice-to-have thing to a necessity.”
Hager understands firsthand how easy it is for insider access to be abused. During a security audit of his corporation, Hager managed to crack 800 user passwords in three minutes using a standard password-cracking tool. Within 36 hours, he was able to crack all of the 27,000 passwords being used throughout the enterprise.
The New Take on Enterprise Security
Hager isn’t alone in his belief that the IT security playing field in 2002 will be drastically different from that of previous years. The events of Sept. 11 prompted David C. John, first vice-president and CIO at the New York offices of Bayerische Landesbank, to initiate a major re-evaluation of security throughout the enterprise. The bank manages more than $250 billion annually and is the sixth largest in Germany.
“It is no longer a matter of keeping the unwanted out, but in the case where that is not possible, ensuring employee survivability to continue operations,” says John. “That is true security.”
In a world where disaster recovery, continuity of operations and IT security are no longer considered separate disciplines, a greater focus on people is also necessary, says John. Personnel are key to being able to conduct rapid recovery, he says.
“More attention needs to be paid to safeguarding those who keep [the] business moving,” says John. “Security and recovery go hand in hand but cover a much broader scope than previously thought.”
Since Sept. 11, all of Bayerische Landesbank’s security directives have been squarely aimed at rapid recovery operations and expanding high-availability systems, says John. The two areas that have been given the greatest attention are redundancy and security checks and balances, he says.
“We have been planning for a major off-site location, possibly in another state, one with a separate power and communications grid,” says John. “This would enable us to have the ability to do complete and near-instantaneous fail-over to continue operations in the event of a disaster.”
In fact, had the bank not had a triple-redundant wide-area network in place on Sept. 11, it would have been out of business for days, says John.
Likewise, all departments have been given a key role in assessing the bank’s needs in terms of operations continuity. This gives all staff a personal interest in disaster recovery, says John. In addition, operators monitor end users, security administrators monitor operators, and control personnel review all actions that take place on the network. The bank has also started a biometric security program to control access to its most sensitive areas.
Security no longer means one thing or one set of technologies, says John. “Many IT leaders have become preoccupied with the physical aspects of security because of what occurred on Sept. 11. This is understandable. However, I cannot allow myself that luxury,” says John. “I cannot let one aspect of security be overshadowed by recent events. To do so is to invite trouble.”
Sticking With the Status Quo
But other IT leaders are satisfied with the security plans they already have in place. “We have undergone a [security] review due to the tragedy [of Sept. 11], but no changes were implemented,” says W. Garrett Grainger, executive vice-president and CIO at Dixon Ticonderoga Co., a consumer products company in Heathrow, Fla., best known for the yellow No. 2 pencils it makes. “We have always been security-conscious and have well-established [disaster recovery] procedures.” And although a process review had been under way prior to Sept. 11 as a means to identify cost containment opportunities, the company doesn’t plan to cut back on security spending, Grainger says.
“My feeling is that nothing significant has changed” in terms of his company’s IT security requirements since Sept. 11, says Randolph Smith, information security manager at Atlanta-based package carrier United Parcel Service Inc., in Mahwah, N.J. Investment in security remains steady, he says, and includes projects in enhanced authentication of personnel, tighter access control and secure corporate communications.
The value of company information also has these leaders taking a hard look at security. “Typical authentication methods that rely solely on an identifier and a password are not suitable for today’s high-value transactions,” says Smith. “We also want to make sure that we know all of the people who maintain the information systems.”
In the end, technology isn’t the only focus, says Smith. “We make sure that a technology deployment also establishes the ability to administer security credentials, monitor behaviour, audit for compliance and respond to incidents,” he explains.
While not everyone agrees about how much security has changed since Sept. 11 and how much it will continue to change in the year ahead, analysts see the security landscape evolving in ways never before imagined.
Bill Malick, an analyst at Stamford, Conn.-based Gartner Inc., says he sees a renewed emphasis on business continuity, corporate provisioning, user authentication, crisis directory services, biometric security services, malicious code detection, data integrity and monitoring of the types of information released to the public.
At a congressional hearing in November, Dave McCurdy, executive director of the Arlington, Va.-based Internet Security Alliance, summed up the reality that most corporate users have come to accept. “There is no such thing as Internet security or perfect security,” McCurdy told a House subcommittee. “We’re great at reacting. But we’re no good in a proactive sense. We have to develop more emphasis on practices that prevent and deter these attacks.”
1. Act, don’t react. Establish a reliable system for assigning access rights for critical company data resources.
2. Identify dormant user IDs and orphaned accounts.
3. Automate communications among IT, human resources and other departments. Link all who are responsible for granting access rights within departments.
4. Define “need to know.” You can’t assume that everybody should have access to everything.
5. Don’t forget the sharing factor. Passwords get passed around.
6. Reset passwords regularly.
7. Make nondisclosure policies routine. This contract should be brought to the attention of employees and business partners once a year.
8. Suspend terminated IDs.
9. Reconcile active IDs with reality.
10. Operate out of opportunity rather than fear.