The first network password Bill Crowell ever broke was the one used to protect a United States naval database, and he got it on the third try – it was “anchor.”
“When I got in there I even found a file called ‘passwords’ – but that was in the 1970s,” said Crowell who, as the former deputy director and senior cryptologist with the U.S. National Security Agency (NSA), has been in the security business for more than 30 years, both “exploiting” – or breaking – systems as well as building them.
“And it’s easier to work on breaking systems than to make them safe,” Crowell said. Now president and CEO of the Santa Clara Calif.-based network security firm Cylink Corp., Crowell and other security experts were in Toronto on Wednesday to brief local companies on security trends, threats and solutions as part of a seminar sponsored by the RAM Group and the local chapter of the Information Systems Security Association.
Framed by an original Group of Seven painting and the view from Toronto’s plush Ontario Club, Crowell reminded a mixed group of business-suited executives and rumpled techies that although security has become exponentially more sophisticated since the U.S. Navy’s “anchor” embarrassment, crucial networks are still plagued by both technical and human vulnerabilities.
With 300 million Internet users out there, “all of whom are you closest friends and willing to attack you,” Crowell suggested that security types need to be vigilant with their use of common operating systems that have many well-documented flaws, management systems with unencrypted SNMP routers and switches, front-end or back-end modems dropped outside the firewall and problems with their authentication practices.
“The response to threats is complicated, expensive and there is no silver bullet,” Crowell said, but as security becomes an essential marketing tool to do business over networks the only valid approach is “defense in depth.” Crowell characterized firewalls, the usual first line of protection as “necessary but insufficient” because as they become more secure they are less functional, and they need to be applied to a security process that also includes high quality encryption and good employee training.
On the human side of the security equation, the most pervasive espionage threat to both governments and industry is posed by: the “trusted insider,” said speaker Tom Stutler. Stutler is a supervisory special agent with the National Security Division of the U.S. Federal Bureau of Investigation (FBI).
The profile developed by the FBI after it carried out extremely extensive interviews with captured spies suggests that these trusted insiders are usually motivated by revenge, ideology, ego or – the most common lure among offenders from the Western World – money. These internal spies – who may be any employee from a senior executive passed over for promotion, to a janitor pushing a broom past an unencrypted terminal – are involved in 75 per cent of espionage cases, and whatever their misdeeds, the information they move almost always involves some degree of computers or computing, Stutler said.
Far from being a Cold War memory, Stutler said industrial espionage – by both friendly and unfriendly governments, as well as rival corporations – is very much a fact of life, with over 23 foreign intelligence services active among the 4,500 companies of Silicon Valley.
Stutler cited several surprisingly common methods of industrial espionage, including raiding open source databases and holding personnel interviews where eager recruits from one company spill the beans to a competitor or fake company. International conferences also present opportunities to either recruit future trusted insiders, or copy documents or hard drive files left in unsecured hotel rooms.
When it comes to actually implementing security, business managers and network providers need to form partnerships from day one, said Crowell. Too often, he said, security measures are tacked on after the fact, where they can frustrate business managers, and become a fatal impediment to the customer.
Crowell also applauded a new U.S initiative, which is beginning to define security standards in law – not at a technical level, but at a policy level so companies still have a choice of technologies and solutions.
“Let me tell you my favourite (enforcement tactic) and we know it works. When Y2K was approaching us, the Securities and Exchange Commission (SEC) passed a rule that said every public company had to report what they were doing to deal with the Y2K issue in a business sense, and to the extent that they reported it they were excused from liability. That was very powerful – everyone reported it and everyone did something. Imagine if the SEC were to say ‘if you’re going to have a network-based business you have to report the risk what you’re doing to mitigate the risk,'” Crowell said.
For now, the FBI’s Stutler said complacent or naive security managers might want to remember the motto of his codebreaker colleagues: “In the NSA they say: ‘In God we trust – all others we monitor’.”
Cylink is at http://www.cylink.com. The Federal Bureau of Investigation is at http://www.fbi.gov/. The RAM Group is at http://www.ramco.ca/. The Toronto chapter of the Information Systems Security Association is at http://www.issa-toronto.org.
