As corporations struggle with continual IT security shortcomings, two strategies are consistently identified as the keys to reducing the scope of opportunity for those with malicious intent: a buck-stops-here, Harry Trumanesque corporate IT security czar and a security-savvy workforce. Unfortunately, neither is the norm.
At the IT Security Solutions Roadshow seminar held in Toronto on Monday, several attendees were asked who their company’s IT security point person is. “If such a security czar exists, I don’t know who he is,” said an IT security specialist with one of the world’s largest multi-national IT vendors. Another attendee, from one of the big-three automobile manufacturers, said that though his CEO is ultimately responsible, he couldn’t name a specific person responsible for the company’s IT security.
“It doesn’t surprise me, but it scares the hell out of me,” said Scott Lupfer, senior director, security evangelism with McAfee Inc. and one of the seminar’s presenters. The fact that one was a technology vendor was no surprise either, he said.
Part of the reason for this problem is the difficulty of balancing the three sides of business risk: security, business availability and investment. The security people want to lock systems down tighter than a drum, the business units want them open and ready for business, and the holder of the purse strings doesn’t want to let go. “Weird things happen when people have to spend money,” Lupfer said. Without a point person it is difficult to balance the three.
Those companies with the most IT security success, such as financial institutions, tend to have a very senior IT security executive who answers to the CEO or the board, Lupfer said, and who by extension carries some decision-making weight. Those interviewed who had no corporate IT security czar said that though it would be nice to have someone doing their bidding at an executive level, its absence was not a major inhibitor to sound IT security. But the lack of someone at the top to oversee on-the-fly exemptions to IT security policy was one major downside, the auto manufacturer’s IT specialist said.
For example, at his company all e-mail attachments are filtered out, and though this works most of the time for most users, it does make life hard for the designers and machinists. They would much rather e-mail encrypted blueprints back and forth than post them on an FTP server, as they do now, to figure out whether a new design can be built. “It’s just faster,” he said.
On the “savvy-workforce” side, as is the case at almost all security seminars, there was palpable disdain for the average user, who is stereotyped as an automaton who “just clicks” and doesn’t think.
But Kevin LeBlanc, a marketing manager with RSA Security Inc., was not so quick to heap all the blame on the end user. “The things we have done to make passwords stronger have made them weaker in the long run,” he said. Making users change 10-character passwords every 30 days is just asking for the Post-it note on the monitor, he said. Across the room, heads nodded in agreement, both at the absurdity of the policy and at the likelihood of its being undermined.
RSA’s solution to the password dilemma is a hardware token that generates a new six-digit code every 60 seconds, which the user appends to his or her existing PIN or password. The whole system is tied into the back end by an RSA authentication manager, which knows each token’s secret and the current time and so can compute the same six digits. The user sees the same login prompt as before, which LeBlanc said is extremely important for keeping helpdesk calls down, and only has to look at the token to find the last six digits to type in.
The automotive security specialist said his company still uses user name and password, and sees little reason to change for the time being. They change their six- to eight-character passwords every 45 days. If a company does not envision moving to a token-type solution, LeBlanc said, then frequent forced changes “close the window of opportunity” for compromised passwords.
“Most people can remember a phone number,” he said, and if you put a character at the beginning and at the end, the solution is “pretty secure.”