Financial Executive Magazine
Financial Executives International
December
Before Circling the Wagons, Know Your Needs
By Skip Kaltenheuser
Financial executives need to focus on critical technology needs and vulnerabilities, and not be swayed by technical jargon and their own lack of knowledge. Establishing priorities and striking a cost-effective balance are critical.
Before you find the right solution, you need to ask the right question. That's long been a sturdy maxim, but probably never more true than with information technology (IT) security.
"Beware the barrage of facts and statistics calculated to belittle an executive's understanding of technical issues," warns Jim Litchko, a former staff chief for the director of the National Computer Security Center. "They promote FUD - fear, uncertainty and doubt - that dire consequences will ensue if the client doesn't fly toward the solutions being sold. This is often peppered with acronyms to keep the technical jargon confusing.
"This isn't an arena where executives, particularly financial executives, can just toss the ball to outsiders, or even in-house specialists, to call the shots," adds Litchko. "These are decisions about risks, priorities and what strikes a cost-effective balance. They require a keen understanding of a company's business operations, overall needs and growth direction, and officials who routinely make such judgment calls. If managers don't lead this effort, it will lose focus, become unwieldy and expenses will slide up."
Litchko teaches network security at Johns Hopkins University and advises managers in organizations from the Defense Department to casinos. He stresses that managers need to approach an analysis like picking up a new card game. "Learn the rules and objectives, then study players' capabilities, motives and weaknesses before building a strategy," says Litchko. "Go for proactive interference, don't just wait for things to happen and luck to intervene."
Assessments start with defining a goal, says Litchko. Why are solutions needed? Are they driven by regulation, law or fear; who is involved; and who should be? What are the individual motivations, and where is the organization in its budget cycle?
Security assessments are cyclical processes that review an IT system's security to determine what level of security is appropriate, what the risks are and whether there is a contingency plan to recover from a security incident.
This begins with identifying what information is sensitive, what services are vital and which information must be highly accurate. "A critical judgment call," says Litchko, "is who and what software applications need access to specific information, and when. Then the focus shifts to a system's vulnerabilities and the threats that might exploit them, and weighing the impacts if security is compromised."
It is at this point, after identifying an organization's biggest security concerns, that one can start seeking the right solutions to counter the worries. Then, it's also easier to identify residual risk - where countermeasures are currently too expensive to completely eliminate the threat, and identify a recovery plan if the worst happens.
"You can provide total security solutions, but you can never make something totally secure," says Litchko. "If you get too hooked on the technical approach, you'll miss that some of your best solutions may be oriented to physical, personnel and procedural security."
In fact, the more complex the security solution, the more likely something goes awry: a layered defense of firewalls, tunneling, encryption and intrusion detection has multiple points of failure. It also ratchets up management and troubleshooting costs, an open-ended expense that is particularly onerous for small businesses that lack the IT staff for a security arms race.
The connection to physical security is underscored by Keith Flannigan, who heads Atlanta-based International Dynamics Research Corp. Flannigan, whose focus includes the theft of proprietary information by corporate spies, says it's of critical importance that the directors of physical security and information security work closely together, to understand the total security picture and the give and take of the security budget, with both reporting to upper management.
Flannigan also advocates developing a company security culture that lets employees know security is taken seriously, with informational programs on proprietary security that include sending out memos on situations and incidents that have happened to other companies.
For example, Flannigan says many employees are oblivious to the fact that "one of the largest current threats today is the widespread use of Wi-Fi." He says a recent study determined that only a third of companies using wireless Internet technologies were using encryption - and of those, more than half used it at an insufficient level.
But Litchko notes that such efforts walk a fine line, and that executives with a total security focus must often be tempered so they don't create a situation where the measures may not be friendly to employees, who won't use them, or to customers.
"Deploying the strongest and best security solution can kill your business faster than any virus or hacker," says Litchko. "When selecting authentication solutions, you must take into consideration the capabilities, expectations and patience of the user. You can force your customer to use the best solution, but if it requires them to wait or install something on their computer to use your service, there's a high probability that they will go to your competitor."
Perfect Is Enemy of the Good
Moreover, reaching for the last percentage of achieving total security is often far more expensive than achieving what is good enough in most cases, says Litchko - echoing that notion that "the perfect is the enemy of the good." Such decisions require balancing costs and priorities, including the cost of a particular security failure.
"Ensure there is a business reason for everything," says Litchko. "Of the over 100 systems that I have reviewed, all were connected to the Internet, but only 81 had a business reason to be connected. For the rest, it was the 'cool thing to do.'" "Risk is a balance of business and security requirements, and approving what is an acceptable risk is a management decision, not a technical decision," he adds. "Risk decisions are made by those with operational, political, policy and, finally, financial authority."
Skip Kaltenheuser (skip.kaltenheuser@verizon.net) is a freelance writer in Washington, D.C., who has written about corporate security issues.
Touching the Internet Lightly
Prior to the widespread use of the Internet, "Security was only a minor issue, as networks were inherently secure," says Marc Coluccio, chief technology officer (CTO) of Straitshot Communications Inc., a provider of intelligent network services. "It wasn't even anything anyone had to think about, it just was. Point-to-point connections and frame relay are physically secure from outside attacks; the pipes cannot be accessed from the outside. Hence, companies running their critical applications - point-of-sale systems, accounting systems, etc. - could be confident that the network was truly theirs. There wasn't a need for additional security."
But one side effect of the Internet is physically connecting internal systems to anyone who can hack their way in. The drawbridge to the Information Superhighway is a marvelous thing, says Coluccio, but access to cyberspace necessitates gates and barricades to protect a company from marauders.
"Security is now almost always software-based, even when embedded in hardware like firewalls," he says. "Encryption is also a software-based security feature, effectively acting as a disguise for your traveling data. It is fighting an uphill battle to try to overcome a physical shortcoming with software-based solutions. In virtual security vs. physical security, physical wins."
Exposure doesn't require running applications over the Internet; the connection itself is the issue, even if it is used only for email. The big vulnerability coming down the road is the emergence of virtual private networks (VPNs) that connect an organization's sites over the Internet. "In a U.S. wide-area network market already worth over $24 billion," says Coluccio, "VPNs have already caught a quarter of it. They are less expensive, using the lowest-cost carrier at each customer location instead of one big carrier. As more companies migrate to Internet-based networks, ever more companies are exposed to security risks."
For most companies, the most critical applications are voice calls. As Voice over Internet Protocol (VoIP) migrates onto networks, security experts predict widespread "denial of service" attacks against VPN- and Internet-based VoIP. Private networks still need local area network (LAN) security, including basic antivirus, says Coluccio, but the private network mostly eliminates the need for encryption and tunneling.
Straitshot's customers include some using third-generation (3G) wireless networks, connecting mobile workers with laptops back to the home office LAN via a 3G (cellular) antenna on their laptop. Laptop to cell tower to private network to customer LAN - the Internet is never touched. With no overhead from tunneling or encryption, more bandwidth is available to the laptop. Once connected to the LAN, users can still get to the Internet, but through company security measures that don't expose their Internet addresses directly.
- Skip Kaltenheuser
Other Technical Leaps for Security
While there are few silver bullets that fit everyone's gun, there are emerging tools and network approaches showing promise, despite the avalanche of sensitive information into electronic formats.
Better email security is coming to meet the growing concerns of insurance companies, doctors, banks, CPAs and other businesses with critical information security needs, says Harry Segal of Hudson, Mass.-based Networks Unlimited. Encryption and storage in web-based systems are allowing consumers to read their email without someone else eavesdropping, because browsers already have built-in encryption and decryption capabilities (SSL/TLS), so consumers don't have to install special software. All popular browsers have incorporated these abilities.
Authentication is also making strides, in part, says Segal, because of a directive from federal banking regulators that will require banks to implement "two-factor authentication" for online bank access by the end of 2006. Customers will have to enter more than just a user name, PIN or password. Instead, access will require a more secure method, such as entering a random set of numbers and/or symbols generated by a smart card. This should reduce the odds of online withdrawals by unauthorized users, and of successful "phishing attacks" that con consumers into sending account information to data thieves.
Jim Litchko, a former staff chief for the director of the National Computer Security Center, is impressed by authentication smart cards and USB (Universal Serial Bus) tokens from RSA Security, which include a version that Central Intelligence Agency employees hang around their necks. An algorithm generates a new passcode at short, fixed intervals, so the value that authenticates the user to the network or application is constantly changing and a captured code is useless moments later. Among other things, this addresses password overload; an RSA survey showed many of its respondents managing over 13 passwords at work, and nine of ten frustrated with the challenge.
Litchko also sees improvements in fingerprint authentication, now used in some laptops and even some Japanese cell phones. "Some banks are using them at ATMs. Piggly Wiggly stores are using them for credit cards, as they have the credit card information on file. Some school lunch systems are employing fingerprints, putting a crimp in a bully's plans to demand kids' lunch money. Because scanners can get dirty at, say, construction sites, hand identification is a promising approach for employee sign-in."
A promising big-picture development for securing data over fiber optic networks comes from Raptor Networks in Santa Ana, Calif. The company says its patented decentralized switching architecture eliminates latency and bandwidth bottlenecks, increasing data transfer speeds 10 to 100 times above current norms.
According to Ananda Perera, Raptor CTO and founder, the technology encapsulates data in a way that Ethernet monitoring devices cannot read; the traffic can only be monitored at a location using a Raptor adaptive switch. Internal access to data can be controlled by specific user-selected addresses on any port. Data packets that are not tagged to enter a specific port are swept into a security bucket.
Moreover, because there's not a central device, Perera says there is no single point of failure. This is critical for disaster avoidance, particularly for financial operations that can't lose a beat on transactions.
The system has wire-speed resiliency (wire speed being the maximum data rate the physical link supports), backing up storage at any network locale within 80 kilometers of another. If part of the network is taken down by a catastrophe, the rest of the network continues to operate as a single switch, and none of the other locales is disrupted.
- Skip Kaltenheuser