CIO Focus Security Black Book

June 1, 2016 | Author: aqua01 | Category: N/A

FOCUS

SECURITY



CIO FOCUS SECURITY BLACK BOOK

Presented in association with: Associate Sponsors

Executive Partner

Distributed By Interface



Knowledge Partners

Mumbai Chapter

Foreword

With security issues and risk mitigation increasingly dominating technology management, CIOs are being called upon to oversee the safety of their organization's assets, intellectual property and computer systems, and to identify protection goals, objectives and metrics consistent with corporate strategic plans. We at CIO felt this was an opportune moment to create the Security Black Book - a compendium of the most essential reading on infosecurity, corporate security, business continuity and related topics. This initiative has been made possible with the support of our sponsors Microsoft, Syntax Soft-Tech and Interface Connectronics and our knowledge partners ISACA and PricewaterhouseCoopers. I trust you will find the contents of this book of value.

Copyright © 2005-2006 IDG Media India Pvt Ltd



Contents

Features
1. New Security Leadership (pg: 06)
2. Intellectual Property Protection (pg: 13)
3. Business Continuity and Disaster Recovery Planning (pg: 20)
4. Phishing and Pharming (pg: 25)
5. Physical and IT Security Convergence (pg: 33)
6. Video Surveillance and Data Monitoring (pg: 44)

White papers
7. Momentum and Commitment: Trustworthy Computing After Four Years (pg: 55)
8. SecureTransport in Enterprise Application Integration (pg: 60)

New Security Leadership

September 2001 profoundly changed the perception of national security; the Enron accounting scandal and a rash of similar scams alerted us to widespread deficiencies in corporate governance, accountability and ethics. But every security leader knows that as time passes after any incident - no matter how demonstrative - corporate concern for the issues brought to light by that incident tends to wane. Maintaining the right level of boardroom and employee awareness is a consequence of leadership. And more effective ideas and tactics are replacing the old, reactive security leadership paradigm. Below, we look at what's Out and what's In.

OUT: FUD. IN: Metrics and ROSI.
OUT: Blame games and fall guys. IN: Risk management and shared accountability.
OUT: Tech talk and copspeak. IN: Business language and communication skills.
OUT: Silos. IN: Holistic security.

(Related articles from CSO magazine)

OUT: FUD

FUD stands for fear, uncertainty and doubt, and it's long been a crutch that security leaders lean on to get the budgets they need. Whether the Board seemed reluctant to spend money on firewalls or on surveillance cameras, the convenient solution was to scare them into funding everything by pulling out an anecdote about What Happened to the Company Down the Road. In the long run, however, the tactic of exploiting FUD almost always does more damage than good. Security executives and management experts agree that FUD ultimately destroys the security team's credibility. "That [approach] may work once or twice in a true crisis situation where the bad guys have come over the back fence," says Jim Mecsics, vice president of corporate security for Equifax. "But when you approach corporate officers with the tactics of fear, you're walking into a trap. Somebody will eventually say, 'OK, show me where the real [emergency] is,' and then your credibility is shot." FUD is a particularly common tactic in the lower ranks of a security organization, especially among those who haven't learned how to make a data-driven risk management argument. A CSO who doesn't stamp out FUD in his team creates as much of a problem as the CSO who uses it in personal conversations with senior executives.

Mecsics has the stories that prove the point. Just after 9/11, he was working with a government organization that decided it needed to radically increase its manpower to cope with the concerns over terrorist threats. The organization set up a conference, and hastily gathered input from all its field agents to take to the senior leadership. Instead of research and risk analysis, many of the agents' arguments were based on guesswork and were rooted in the fear and uncertainty of Sept. 11. Mecsics says the organization's management started asking questions and quickly saw through the panic the security personnel were creating. The net result was that the security team lost its credibility. In another organization, Mecsics says, senior executives were so frightened by the security group's use of scare tactics that they became obsessed with concerns that the company would be irreparably harmed by a security event. In this case, they lost the ability to look at the issue rationally. "They got worked into such a frenzy that it was like a runaway train," says Mecsics.

FUD also wastes money by not spending it well. When CSOs buy and implement a security initiative based on fear, they'll have a much harder time managing and assessing it based on merit and actual results.

IN: Metrics and ROSI

Like it or not, the corporation is generally managed by the numbers. Eventually, security will be almost completely metrics-driven. A reliance on metrics is, after all, the mark of a mature corporate function. Most security executives already need to develop, cull and otherwise employ risk analysis metrics and benchmarks. And experts say those leaders should devote considerably more financial resources to developing benchmarks than they do already.

"The ISO is going to the CEO saying there's a chance something bad, and possibly something embarrassing, could happen," says Alan Paller, director of research at SANS Institute. "But how much of a chance, the ISO doesn't know. And if he spends this kind of money, he can reduce the risk, but by how much he doesn't know. There is simply not enough data. Every other C-level executive does better than that and takes on the responsibility for defining the risk. Here, the CISO is putting the responsibility on the CEO. The CEO doesn't want it, and eventually he won't take it." So forget FUD, and start learning how to demonstrate the value of your ideas using metrics and, especially, ROSI (return on security investment). This is an approach that infosecurity pros have been slow to adopt, although it is clearly valuable. Economist Frank Bernhard's research, for example, shows about six cents of every revenue dollar is at risk because of a lack of information security, but many companies spend barely a dime of their IT dollar on security.



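The Metrics and ROSI discussion above argues that the goal is accuracy, not precision: the CEO needs to know whether a control returns about 3-to-1 rather than 1-to-1, not whether it is 3.13 or 2.97. The block below is an added worked example, not code from the Black Book or from CSO magazine. It assumes the common annualised-loss-expectancy model (ALE = single-loss expectancy x annual rate of occurrence, with a control credited for the fraction of that loss it prevents), uses constructed figures, and goes one step beyond the text by sweeping every estimate across a +/-25% band to show whether the funding decision survives rough inputs:

```python
from itertools import product


def ale(sle, aro):
    """Annualised loss expectancy: single-loss expectancy x annual rate of occurrence."""
    return sle * aro


def benefit_cost_ratio(sle, aro, mitigation, annual_cost):
    """Expected loss removed per unit spent (the '3-to-1' figure the CEO cares about).

    mitigation is the fraction of the annual loss the control is expected to prevent;
    it is capped at 1.0 because a control cannot remove more loss than exists.
    """
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    return ale(sle, aro) * min(1.0, mitigation) / annual_cost


def rosi(sle, aro, mitigation, annual_cost):
    """Net return on security investment: (loss removed - cost) / cost."""
    return benefit_cost_ratio(sle, aro, mitigation, annual_cost) - 1.0


def ratio_envelope(sle, aro, mitigation, annual_cost, spread=0.25):
    """Lowest and highest benefit/cost ratio when sle, aro and mitigation are each
    off by up to +/-spread in either direction. The cost is left fixed because a
    quoted price is the one input that is usually known precisely."""
    factors = (1.0 - spread, 1.0 + spread)
    ratios = [
        benefit_cost_ratio(sle * fs, aro * fa, mitigation * fm, annual_cost)
        for fs, fa, fm in product(factors, repeat=3)
    ]
    return min(ratios), max(ratios)


def verdict(low, high, threshold=1.0):
    """Is the investment worth it regardless of which rough estimate turns out right?"""
    if low >= threshold:
        return "robust: returns at least %.2f-to-1 under every estimate" % low
    if high < threshold:
        return "robust: never reaches %.2f-to-1, do not fund" % threshold
    return "undecided: ratio could be %.2f to %.2f, refine the inputs" % (low, high)


if __name__ == "__main__":
    # Constructed figures (assumption, not from the article): a $250k incident
    # expected 0.4 times a year (ALE $100k) and a control costing $20k a year that
    # the engineers rate somewhere between 55% and 60% effective.
    for mitigation in (0.60, 0.55):
        base = benefit_cost_ratio(250_000, 0.4, mitigation, 20_000)
        low, high = ratio_envelope(250_000, 0.4, mitigation, 20_000)
        print("mitigation %.2f -> about %.1f-to-1 (net ROSI %.2f); %s"
              % (mitigation, base, rosi(250_000, 0.4, mitigation, 20_000), verdict(low, high)))
```

Run stand-alone, the 0.60 and 0.55 estimates both come out "robust" with a return above 1-to-1 at every corner of the band, which is the practical content of Soo Hoo's point: arguing over .6 versus .55 changes the number but not the decision. When the envelope straddles the threshold, the verdict says so, and that is the signal that the inputs, not the arithmetic, need more work.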

"I'm not sure why IT tends to disregard these tools," says Bob Jacobson, president of International Security Technology (IST), a private company that consults on matters of security risk assessment. "It's a bit frustrating to keep hearing that you can't do it accurately. That is not true. The tools are there. Nuclear uses them. Pharma uses them. The whole world has used ROI in security for a long time. [CSOs] have an opportunity to make a major contribution in their organization if they have the willingness to learn this."

ROSI is rarely easy. It requires legwork, and lots of it. As you begin, it's helpful to keep in mind that precise measurements are not necessarily the goal. "This is a classic problem that technologists have," says Kevin Soo Hoo, a researcher at the security consultancy @stake. "They don't understand that you can make rough guesses to work out a problem. We dive into an ROSI study, and the engineers are focused on the minutiae and want to argue for days whether some variable should be .6 or .55. It doesn't matter."

With ROSI, as with all risk assessment, the goal is accuracy, which is not at all the same thing as precision. The point is to provide a set of guiding principles from which you, your CEO and CFO can make more informed decisions about what's acceptable. In other words, the CEO doesn't (or shouldn't) care if a return is precisely $3.13 for every $1 spent or $2.97. He cares that it's accurate to suggest about a 3-to-1 return, and not a 1-to-1 return or, worse, a 1-to-3 return.

OUT: Blame games and fall guys

When a breach occurs, the CSO frequently takes the blame. Sometimes, he is fired. What's wrong with that?

In a word, plenty. If you're the fall guy (or if your security group is) for every incident, then chances are good that you've taken the wrong position in your company's security decision-making process. Most common mistake: setting up the CSO as the one who makes the final call.

IN: Risk management and shared accountability

Even on security matters, the final call should not be yours. The final call belongs to the CEO, president and board of directors - those who are directly accountable for shareholder value.

The right answer to "what is security supposed to do?" (as Paller alluded to in the "Metrics and ROSI" section, above) is this: security is supposed to educate the business leaders about the threats the organization faces, about the likelihood and consequences of those threats, and about the costs and effectiveness of possible remedies. Then the business leaders make the decisions on acceptable risk.

Craig Granger, head of multinational security for the automotive company Delphi, offers a good case study in raising an organization's security IQ. Part of the battle is fought in the field: pressing the flesh with execs, developing an omnipresent security policy and educating every employee on process management. Granger speaks at business group meetings and consults with Delphi's executive officers. He attends strategy meetings with top execs and governance board meetings with his vice president and regional and divisional CIOs, and he mandates that all new employees take a security course and undergo training.



When Granger first arrived at Delphi, he laid out a charter detailing the differences between his responsibilities and those of corporate.

Granger says his charter, which defined the global security policy at Delphi, was well received. Since then, says Granger, considerable effort has been spent spreading a "strong infosec policy that's published everywhere. Here, people can't say that they aren't aware of the policy," he says. "The charter has greatly enhanced our visibility and security awareness here. They know who we are." But it's not solely about getting the word out, says Granger. It's how you speak the word and how it's received. Often, it comes down to developing trust with your peers, which lets them, in turn, feel more comfortable shouldering some of the accountability burden.

Process management, with a clearly defined, easy-to-follow set of guidelines for handling security matters, is another way CSOs can manage accountability. Process management can reinforce the fact that security is not a one-group function. Moreover, its linkage to a business context - its embeddedness within enterprise business processes - suggests that other players are ultimately accountable as well. At Nortel Networks, Vice President of Corporate Security and Systems Timothy Williams tries to involve as many different functions in his security process as possible. Williams works with members from various cross-functional groups - with internal audit and the insurance group, for example. He also breaks his security process into three core elements: risk assessment, enterprise-wide collaboration and strategic planning. Williams staffs his department with people who come from a variety of areas: systems security engineers, of course, and global thinkers, a leadership team with MBAs, and subject-matter experts who can "cut across security and think in terms of the whole organization," he says. As part of the process, he and his team continually assess and reassess all of their client groups' needs and vulnerabilities. They use eight matrices in looking at each operational area, whether it is a new proposal or a system overhaul. "I own the process," Williams says confidently. "There are a number of processes here that have my team's signature on them." But, he and other CSOs add, all security processes should always have the business execs' signatures on them as well.

Getting past the Fall Guy Syndrome boils down to good policies, good process management and constant corporate education.

OUT: Tech talk and copspeak

A not-so-secret secret: many executives think security chiefs have a bad attitude. And we're not just talking about information security officers. Traditional corporate security executives are saddled with a bad rep. It's time to learn what it means when a CEO, after eliminating the CSO or CISO, says, "There was just something about him that didn't fit with the organization."

The physical security chief, according to stereotype, is a rigid and dogmatic "top cop" who has an "arrest" mentality and is a no-man as opposed to a yes-man. The information security executive comes across as an arrogant know-it-all who is whiny, defensive, uncooperative and doesn't try to work with others because, how could anyone but he possibly understand the technical challenges he faces? Not valid? So what. Unfair? Stop whining. In fact, the security executive who raises a stink because of these preconceptions actually feeds the preconceptions. "We had one CSO candidate for a Fortune 500 not get the job," says recruiter Tracy Lenzner. "And he - I can hardly explain it, but it was so telling - lashed out about how the company didn't know anything. He was angry. He was like a child that didn't get his way."

Former CISO Stephen Northcutt believes the attitude comes from the likelihood that many candidates for CISO positions are underqualified. "They are stressed out, secretive, edgy and defensive because they don't have the understanding or mastery of tools they need," he says. As a result, those candidates fall back on old habits such as always using highly obscure explanations of technology, or always having a negative reaction to any risky or unorthodox business proposition. Those forms of communication don't fly in the boardroom.

IN: Business language and communication skills

When James Christiansen came to GM from Visa, where he was also head of security, he found the move from financial services to manufacturing to be a jolting transition. "You speak a different language, you look different and you dress different." So Christiansen did two things: he signed up for classes on the workings of the auto industry, and he made a point of doing a lot more listening than talking. In learning about GM, Christiansen had to glean the intricacies of four very different business areas: manufacturing, GMAC (GM's financial services division), OnStar (the onboard satellite communications system) and the defense industry, with which GM works closely. But immersing himself in the business was a necessary step for Christiansen to be able to communicate with the company's business line executives. "Everything I bring them is cost additive, and that can create a natural conflict," says Christiansen. "I need to be able to show the bang for the buck, the ROI per dollar and how I'm going to help them solve business problems." None of that can be achieved without a keen understanding of the business and the recognition that the CSO's role is to enable business success in an appropriately secure context. To combat the perception that security is divorced from the business world, Bill Boni, Motorola's CISO, has even gone so far as to shun the usual moniker, "IT security," in favor of the more business-friendly title "information protection." The goal is to position the department as the protector of information assets in all forms, whether it's customer data housed in a server or confidential contracts in a sheaf of papers.

Talking in business terms with executives can also be a tremendous asset in advancing the CSO's agenda, which is often bogged down by the perception that it's too technical for business executives to understand. "I've seen too many information security practitioners fall short in their role because what they really love is the technology," says Boni. "They open with the technology dimension, go into technical detail, and by the time they get to the part where the executives' insight, experience and judgment can be engaged, the executives are already disengaged. The executives conclude that security is at a level that's inappropriate for their consideration."

As the old saw goes: it's not just what you say, but how you say it. So practice your delivery. As anyone who's ever been to a security conference knows, speeches about security can be deadly dull. Faced with the challenge of having to communicate about security to large groups both inside and outside his company, Bill Hancock, CSO of Exodus (which later became the US base of Cable & Wireless), took the unusual step of enrolling himself in a stand-up comedy course to improve his communication skills. The final project for the class was a performance of an actual stand-up routine at The Improv, New York City's renowned comedy club, on a Friday night. "It was one of the most horrifying experiences I think I've ever been through," says Hancock. "You get up in front of an audience, half the people there are probably inebriated in some fashion, and you've got to communicate what you have to say very quickly, very succinctly and to a whole bunch of people that don't know you from nobody." The lesson here is not that CSOs need to be honing their comic routines, but rather that life is full of tough audiences. When dealing with a weighty topic like security, it's important to focus on how you communicate as well as what you communicate.

Building and maintaining strong relationships with business executives and their groups requires the CSO to assume a number of different guises: educator, strategist, negotiator, interpreter and, sometimes, disciplinarian. Oracle's CSO Mary Ann Davidson has one last morsel of advice for CSOs interested in smoothing their way with other executives and the company at large. "People ought to be thanked for doing their job more often," she says, noting that CSOs will find more cooperation if they ask for it politely and show their appreciation, instead of barking out orders and throwing their weight around. "Business is personal," Davidson says. "It's not being manipulative, it's just that you catch more flies with honey."

OUT: Silos

Information security in one stovepipe, corporate in another, audit staring suspiciously from across the hall, disaster recovery handled by the facilities group... you know the usual drill. Security functions have a history of fragmented organization. "Each of these departments' main mission is 'to protect company assets;' however, each usually reports through a different hierarchy," one privacy and IT security manager puts it. "It makes no sense." Historically, the greatest chasm - not just organizationally, but culturally as well - lay between information security folks and their corporate security counterparts. Each side has a list of pejorative ways to describe the other's profession and professionals (propellerheads vs. knuckledraggers, etcetera).

IN: Holistic security

Enough squabbling already. Disjointed management and lack of communication lead to a weaker security posture and wasted money due to duplicated efforts.

"The truly sophisticated companies are starting to look at a coordinated approach to physical security, information security and risk management," says Lance Wright, principal at the Boyden Global Executive Search company. Consider these specific areas where holistic security management pays off:

- Business continuity: Mike Hager, who helped get OppenheimerFunds up and running four hours after their offices and systems at the World Trade Center were destroyed on 9/11, puts it best: "Some companies have people who do information security, and people who do physical security, and people who do business continuity. The three people may come up with three separate answers about what to protect. If you have a total protection program, you can save a lot of time, money and effort. It just simplifies the whole process and makes it more effective."

- Intellectual property protection: IP (patents, ideas, classified research) is stored in many forms, from data on the corporate network, to CAD printouts in the trash can, to drawings on the whiteboard in the graphics department. Losing that proprietary information can cripple a company competitively. Bill Boni, CISO of Motorola and a former Army intelligence officer, notes that the only way to protect intellectual property from threats inside and outside the company is by interconnecting all the necessary defensive measures - logical, physical, legal and otherwise.

- Regulatory compliance: Sarbanes-Oxley says the Board of Directors has a fiduciary responsibility to know what risks its business faces. Who's going to give them an accurate picture if no one has visibility across all security domains?

- Coordinated access management: It's midnight, and the network control center notes that the CEO just logged on to her office workstation. Problem is, the building access card system notes that the CEO left the building five hours ago. If the network and building access controls were coordinated, the night watchman would know he needs to take a stroll down the hall and see who's sitting at the CEO's desk and using her account.

- Hiring and firing: When an employee comes on board, she may need a number of assets and rights before she becomes productive... a building access card, a laptop, a network password with access to the right applications, a signed non-disclosure agreement, a business credit card, a company car. Some of these are physical and some are digital. In a company with a well-managed, holistic hiring process, that employee can be up to speed in a jiffy. Conversely, a company with disjointed access management can expect a much longer ramp-up time. That's lost money. And if the employee is abruptly terminated, the poorly managed company stands very little chance of recovering all its assets and disabling all necessary access rights in a timely manner.

The most obvious way to manage security holistically is to make one person responsible - a CSO. But even in companies where that's impractical, creating new lines of communication and knocking down formerly adversarial relationships is a must.
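The coordinated access management scenario above (the CEO's account logging on to her office workstation hours after her badge left the building) is a correlation rule a night shift can actually run, provided the badge system and the logon records are fed to the same place. The block below is an added example, not code from the Black Book or from any product named in it. The badge and logon records are constructed, the two comma-separated formats are assumptions for the example, and it treats remote (VPN) sessions as expected from outside the building, so only console logons are tested against badge state:

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample feeds (assumption: not from the article). One event per line.
# Badge system: <ISO timestamp>,<user>,<in|out>
# Logon feed:   <ISO timestamp>,<user>,<host>,<console|remote>
BADGE_LOG = """\
2005-03-01T08:12:04,ceo,in
2005-03-01T19:02:11,ceo,out
2005-03-01T23:30:45,analyst1,in
"""

AUTH_LOG = """\
2005-03-01T22:00:03,ceo,vpn-gw,remote
2005-03-01T23:45:10,analyst1,soc-ws7,console
2005-03-02T00:05:22,ceo,ceo-ws,console
2005-03-02T00:20:00,contractor9,lab-ws2,console
"""


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    user: str
    direction: str  # "in" or "out"


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    user: str
    host: str
    kind: str  # "console" = at the keyboard; "remote" = VPN/RDP from outside


def parse_badge(text):
    """Parse badge lines into time-ordered BadgeEvents, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, direction = line.split(",")
        events.append(BadgeEvent(datetime.fromisoformat(ts), user, direction))
    return sorted(events, key=lambda e: e.ts)


def parse_logons(text):
    """Parse logon lines into time-ordered LogonEvents, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, kind = line.split(",")
        events.append(LogonEvent(datetime.fromisoformat(ts), user, host, kind))
    return sorted(events, key=lambda e: e.ts)


def presence_at(badge_events, user, when):
    """Last badge direction recorded for user at or before `when`, or None if the
    badge system has never seen this user (tailgating, shared badge, or no badge)."""
    state = None
    for ev in badge_events:  # time-ordered, so we can stop at the first later event
        if ev.ts > when:
            break
        if ev.user == user:
            state = ev.direction
    return state


def ghost_logons(badge_events, logon_events):
    """Console logons by accounts whose owner is not badged into the building.
    Returns (user, host, reason) tuples in time order."""
    findings = []
    for lg in logon_events:
        if lg.kind != "console":
            continue  # a VPN session from home is the normal case, not a finding
        state = presence_at(badge_events, lg.user, lg.ts)
        if state == "out":
            findings.append((lg.user, lg.host, "owner badged out before this console logon"))
        elif state is None:
            findings.append((lg.user, lg.host, "no badge record for this account"))
    return findings


def run_sample():
    """Correlate the constructed feeds above."""
    return ghost_logons(parse_badge(BADGE_LOG), parse_logons(AUTH_LOG))


if __name__ == "__main__":
    for user, host, reason in run_sample():
        print("ALERT %s on %s: %s" % (user, host, reason))
```

On the sample data the CEO's console logon at 00:05 is flagged (her badge last read "out" at 19:02), her earlier VPN session is not, the analyst who badged in at 23:30 is not, and a contractor account with no badge history at all is flagged separately with a different reason, since "never badged in" and "badged out" call for different questions at the desk. In production the same rule needs the badge system and the logon source to agree on user identifiers and to be time-synchronised; a few minutes of clock skew between the two is enough to turn a legitimate badge-in followed by a logon into a false alarm.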

Intellectual Property Protection

Your company's intellectual property - whether that's patents, trade secrets or just employee know-how - may be more valuable than its physical assets. This primer covers everything from establishing basic policies and procedures to guarding against corporate espionage.

'Intellectual property' sounds pretty fuzzy. What exactly is it?

Intellectual property (IP) can be anything from a particular manufacturing process to plans for a product launch, a chemical formula or a list of the countries in which your patents are registered. It may help to think of it as intangible proprietary information. The formal definition, according to the World Intellectual Property Organization, is "creations of the mind - inventions, literary and artistic works, symbols, names, images, and designs used in commerce." IP includes but is not limited to proprietary formulas and ideas, inventions (products and processes), industrial designs, and geographic indications of source, as well as literary and artistic works such as novels, films, music, architectural designs and web pages.

For many companies, such as those in the pharmaceutical business, IP is much more valuable than any physical asset. Authoritative sources report that each year, intellectual property theft costs U.S. companies about $300 billion.

From a legal standpoint, there are four types of intellectual property. IP registered in one of those categories with state and federal agencies is protected by law, and if infringed upon or otherwise abused, the infringers can be prosecuted. The four legally defined categories of intellectual property are:

13

FOCUS

SECURITY

1. Patents When you register your invention with the government-a process that can take more than a yearyou gain the legal right to exclude anyone else from manufacturing or marketing it. Patents cover tangible things. They can also be registered in foreign countries, to help keep international competitors from finding out what your company is doing. Once you hold a patent, others can apply to license your product. Patents last for 20 years.

in fact, a secret - and that appropriate measures have been taken within the company to safeguard the secret, such as restricting knowledge to a select handful of executives. Coca-Cola, for example, has managed to keep its formula under wraps for more than 117 years. But IP can also be something broader and less tangible than these four protected classes: it can simply be an idea. If the head of your R&D department has a eureka moment during his morning shower and then applies his new idea at work, that’s intellectual property too.

2. Trademarks A trademark is a name, phrase, sound or symbol used in association with services or products. It often connects a brand with a level of quality on which companies build a reputation. Trademark protection lasts for 10 years after registration and, like patents, can be renewed. But trademarks don’t have to be registered. If a company creates a symbol or name it wishes to use exclusively, it can simply attach the TM symbol. This effectively marks the territory and gives the company room to prosecute if other companies attempt to use the same symbol for their own purposes.

Sounds like protecting IP is mostly the legal department’s job. Legal protection is definitely part of the plan, but if your IP is stolen by ne’er-do-wells, catching them is hard, prosecuting them is harder, and getting the stolen information back - putting the proverbial cat back in its bag - is usually impossible. In this area a little bit of paranoia is quite helpful, because people really are out to get you. Consider these real-life examples.

3. Copyrights Copyright laws protect written or artistic expressions fixed in a tangible medium - novels, poems, songs or movies. A copyright protects the expression of an idea, but not the idea itself. The owner of a copyrighted work has the right to reproduce it, to make derivative works from it (such as a movie based on a book), or to sell, perform or display the work to the public. You don’t need to register your material to hold a copyright, but registration is a prerequisite if you decide to sue for copyright infringement. A copyright lasts for the life of the author plus another 50 years.

* In the week before one company released its quarterly report, employees in units that report to the CFO received 200 calls from people claiming to be with a credit reporting agency that needed information about the earnings report prior to its release. Employees were instructed to transfer all such inquiries to the security office, but the calls kept coming. It was later revealed that calls came from a research company hired by the competition. * An engineer regularly had lunch with a former boss now working for arival, and fancied himself a hero for gathering competitive intelligence. But the information he was giving up in return caused his employer, formerly the market leader, to lose three major bids in 14 months. * Immigrant scientists from Eastern Europe who were working on an American defense project kept getting

4. Trade secrets A formula, pattern, device or compilation of data that grants the user an advantage over competitors is a trade secret. It is covered by state, rather than federal, law. To protect the secret, a business must prove that it adds value to the company - that it is,

14

FOCUS

SECURITY

unsolicited invitations from their home countries to speak at seminars or serve as paid consultants. The invitations appealed to them as scientists - they wanted to share information about their work with peers. The countries saw this kind of intelligence gathering as cheaper than research and development.

Lock the rooms where sensitive data is stored, whether it’s the server farm or the musty paper archive room. Keep track of who has the keys. Use passwords and limit employee access to important databases. 5. Educate employees Awareness training can be effective for plugging and preventing IP leaks, but only if it’s targeted to the information that a specific group of employees needs to guard. When you talk in specific terms about something that engineers or scientists have invested a lot of time in, they’re very attentive.

So what does the security group need to do to keep intellectual property safe? 1. Know what you’ve got If all employees understand what needs to be protected, they can better understand how to protect it, and whom to protect it from. To do that, CSOs must communicate on an ongoing basis with the executives who oversee intellectual capital. So meet with the CEO, COO and representatives from HR, marketing, sales, legal services, production and R&D at least once a quarter. Corporate leadership must work in concert to adequately protect IP.

As is often the case, humans are often the weakest link in the defensive chain. That’s why an IP protection effort that counts on firewalls and copyrights, but doesn’t also focus on employee awareness and training, is doomed to fail. 6. Know your tools A growing variety of software tools (from vendors such as eMeta, Liquid Machines, Verdasys, and Vontu) are available for tracking documents and other IP stores. They not only locate sensitive documents, but also keep track of how they are being used, and by whom.

2. Prioritize it CSOs who have been protecting intellectual property for years recommend doing a risk and cost-benefit analysis. Make a map of your company’s assets and determine what information, if lost, would hurt your company the most. Then consider which of those assets are most at risk of being stolen. Putting those two factors together should help you figure out where to best spend your protective efforts (and money).

7. Think holistically Motorola’s Chief Information Security Officer Bill Boni explains how problems can arise if you don’t take a “big picture” view of security. If someone is scanning the internal network, your internal intrusion detection system goes off, and typically somebody from IT calls the employee who’s doing the scanning and says, “Stop doing that.” The employee offers a plausible explanation, and that’s the end of it. Then later, the night watchman sees an employee carrying out protected documents, and his explanation is “Oops...I didn’t realize that got into my briefcase.” Over time, the human resources group, the audit group, the individual’s colleagues, and others all notice isolated incidents, but nobody puts them together and realizes that all these

3. Label it If information is confidential to your company, put a banner or label on it that says so. If your company data is proprietary, put a note to that effect on every log-in screen. This seems trivial, but if you wind up in court trying to prove someone took information they weren’t authorized to take, your argument won’t stand up if you can’t demonstrate that you made it clear that the information was protected. 4. Lock it up Physical and digital protection is a must.

15

FOCUS

SECURITY

breaches were perpetrated by the same person. This is why communication gaps between infosecurity and corporate security groups can be so harmful. IP protection requires connections and communication between all the corporate functions. The Legal department has to play a role in IP protection, and so does Human Resources, and Information Technology, and Research and Development, and Engineering, and Graphic Design.... Think holistically both to protect and to detect.

8. Apply a counter-intelligence mindset If you were spying on your own company, how would you do it? Thinking through such tactics will lead you to consider protecting phone lists, shredding the papers in the recycling bins, convening an internal council to approve your R&D scientists’ publications, or other ideas that may prove worthwhile for your particular business.

Phone lists? Paper shredders? Sounds a little extreme.

Security pros have to understand the dark forces that are trying to get information from your company and piece it together in a useful way. Some of these forces come in the guise of “competitive intelligence” researchers who, in theory anyway, are governed by a set of legal and ethical guidelines carefully wrought by the Society of Competitive Intelligence Professionals (SCIP). Others are outright spies hired by competitors, or even foreign governments, who’ll stop at nothing, including bribes, thievery, or even a pressure-activated tape recorder hidden in your CEO’s chair. But most threats to your information operate in a gray zone.

To build solid defenses, consider how snoops work:

1. They look for publicly available information. Leonard Fuld, a competitive intelligence expert, says more damage is done by a company’s lax security than by thieves. Consider these common examples: Salespeople showing off upcoming products at trade shows. Technical organizations trying to describe their R&D facilities in job listings. Suppliers bragging about sales on their websites. Publicity departments issuing press releases about new patent filings. Companies in industries targeted by regulators over-reporting information about manufacturing facilities to the Environmental Protection Agency or OSHA, which can become part of the public record. Employees posting comments on Internet bulletin boards.

All of that data tells a competitor what your company is doing. Combined, the right details might help a rival reduce your first-to-market advantage, improve the efficiency of their own manufacturing facility or refocus their research in a profitable direction.

2. They work the phones. John Nolan, founder of the Phoenix Consulting Group, has some amazing stories of what people will tell him over the phone. This is the man who got his fingers burned in the infamous “dumpster diving” espionage case in 2001 involving Procter & Gamble and Unilever. Nolan won’t comment on the case, which was settled out of court, but he insists that there’s no need for his company to break the law. “In our experience, it’s just not worth it,” he explains. Nolan has other ways of getting people to talk. In fact, people like him are the reason that seemingly benign lists of employee names, titles and phone extensions, or internal newsletters announcing retirements or promotions, should be closely guarded. That’s because the more Nolan knows about the person who answers the phone, the better he can work that person for information.

“I identify myself and say, ‘I’m working on a project, and I’m told you’re the smartest person when it comes to yellow market pens. Is this a good time to talk?’” says Nolan, describing his methods. “Fifty out of a hundred people are willing to talk to us with just that kind of information.”

The other fifty? They ask what Phoenix Consulting Group is. Nolan replies (and this is true) that Phoenix is a research company working on a project for a client he can’t name because of a confidentiality agreement. Fifteen people will then usually hang up, but the other 35 start talking. Not a bad hit rate. Nolan starts taking notes that will eventually make their way into two files. The first file is information for his client, and the second is a database of 120,000 past sources, including information about their expertise, how friendly they were, and personal details such as their hobbies or where they went to graduate school.

Often business intelligence gatherers use well-practiced tactics for eliciting information without asking for it directly, or by implying that they are someone they aren’t. This is the tactic known as “social engineering.” Such scams might also include “pretext” calls from someone pretending to be a student working on a research project, an employee at a conference who needs some paperwork, or a board member’s secretary who needs an address list to mail Christmas cards.

Most of those calls are not illegal. Lawyers say that while it is against the law to pretend to be someone else, it’s not illegal to be dishonest.

3. They go into the field. During the technology boom, one early-morning flight from Austin to San Jose earned the nickname “the nerd bird.” Shuttling businesspeople from one high-tech center to another, that flight and others like it became good places for job recruiters. They also became great places for competitive intelligence professionals to overhear discussions among coworkers or to sneak a peek at a fellow passenger’s PowerPoint presentation or financial spreadsheet. Any public place where employees go, snoops can also go: airports, coffee shops, restaurants, and bars near company offices and factories, and, of course, trade shows. An operative working for the competition might corner one of your researchers after a presentation, or pose as a potential customer to try to get a demo of a new product or learn about pricing from your sales team. Or that operative might simply take off his name badge before approaching your booth at a trade show.

Employees must know not to talk about sensitive business in public places, and how to work with the marketing department to make sure the risks of revealing inside information at a trade show don’t outweigh the benefits of drumming up business.

Job interviews are another possible leak. Daring competitors may risk sending one of their own employees to a job interview, or they could hire a competitive intelligence firm to do so. Conversely, a competitor might invite one of your employees in for a job interview with no other purpose than gleaning information about your processes.

4. They put the pieces together. In some ways, trade secrets are easy to protect. Stealing them is illegal under the 1996 Economic Espionage Act. Employees usually know that they’re valuable, and nondisclosure agreements may protect your company further. What’s more complicated is helping employees understand how seemingly innocuous details can be strung together into a bigger picture, and how a simple company phone list becomes a weapon in the hands of snoops like John Nolan.

Consider this scenario: Nolan once had a client who wanted him to find out whether any rivals were working on a certain technology. During his research of public records, he came across nine or 10 people who had been publishing papers on this specialized area since they were grad students together. Suddenly, they all stopped writing about the technology. Nolan did some background work and discovered that they had all moved to a certain part of the country to work for the same company. None of that constituted a trade secret or even, necessarily, strategic information. But Nolan saw a picture forming.

“What that told us was that they had stopped [publishing information about the technology] because they recognized that the technology had gotten to a point where it was probably going to be profitable,” Nolan says. Then, by calling the people on the phone, going to meetings where they were speaking on other topics, and asking them afterward about the research they were no longer speaking publicly about, Nolan’s firm was able to figure out when the technology would hit the market. This information, he says, gave his client a two-year heads up on the competition’s plans.

5. Some go beyond the gray zones. Other countries may have vastly different ethical and legal guidelines for information gathering. Almost everything we’ve talked about so far is legal in the United States, or at least arguably so in the hands of a clever lawyer. But there’s another realm of corporate sleuthing, using bugs, bribes, theft, even extortion, that is widely practiced elsewhere.

In his days as a global security consultant, Motorola’s Boni saw several things happen that probably wouldn’t happen in the U.S. A bank in South America that suspected espionage brought in a security consultancy to sweep the place of bugs. When the loss of information continued, the bank hired a different security team. “They found 27 different devices,” Boni recalls. “The whole executive suite was wired for motion and sound. The first team that came in to look for bugs was probably installing them.”

Espionage is sometimes sanctioned - or even carried out - by foreign governments, which may view helping local companies keep tabs on foreign rivals as a way to boost the country’s economy. That’s why no single set of guidelines for protecting intellectual property will work everywhere in the world. The CIO’s job is to evaluate the risks for every country the company does business in, and act accordingly. Some procedures, such as reminding people to protect their laptops, will always be the same. But certain countries require more precautions. Executives traveling to Pakistan, for example, might need to register under pseudonyms, have their hotel rooms or work spaces swept for bugs, or even have security guards help protect information.

Tell me more about global differences. I suspect the legal protections you’ve mentioned won’t apply overseas.

Correct. Over the years, France, China, Latin America and the former Soviet Union have all developed reputations as places where industrial espionage is widely accepted, even encouraged, as a way of promoting the country’s economy. Many other countries are worse. A good resource for evaluating the threat of doing business in different parts of the world is the Corruption Perceptions Index published each year by Transparency International (and made famous by The Economist).

In 2003, the Corruption Perceptions Index ranked the following 12 countries as being “perceived as most corrupt”: Bangladesh, Nigeria, Haiti, Paraguay, Myanmar, Tajikistan, Georgia, Cameroon, Azerbaijan, Angola, Kenya, and Indonesia.

Another list ranked big countries where companies are most likely to pay bribes to win or retain business in emerging markets. The worst scores belonged to Russia, China, Taiwan and South Korea, followed by Italy, Hong Kong, Malaysia, Japan, USA and France. (To download the full results of the index, visit Transparency International at www.transparency.org.)

Here are nine practical steps for protecting IP specifically where you’re offshoring software work:

1. Send people to inspect the physical premises where the software will be written. Note whether buildings have basic security check-in procedures and the like. Find out what kind of access people have to key systems.

2. Look closely at the way networks function, particularly if you plan to use virtual private networks. These are good for cross-facility communications, but make it easier for remote employees to work from home or on notebook computers, which can increase vulnerability.

3. Protect important information, such as source code, with passwords and access codes, and make sure that these are not widely available, either in the United States or at the outsourcing location. Approvals do reduce flexibility, but not as much as they reduce risk.

4. Demand that the outsourcer have tight human resources screening. Look for employee retention figures, find out if competitors do business with the same companies, and if so, ensure that there is no contact between teams.

5. Know what risks your own organization can take. Regulated industries such as health care and financial services need to keep closer controls over data and software development than, say, packaged goods companies.

6. Work to understand the legal system and culture of both countries. Negotiate contracts that make the offshore company responsible for the actions of its employees.

7. Budget for greatly increased telecom costs, as well as for regular visits to the outsourcer.

8. Make sure that any test data being used does not expose real information traceable to real customers.

9. Always maintain an original copy of source code. This step seems obvious, but in one Y2K outsourcing case, a company was unable to prove a bug had been added to a program because it had not kept its source code.

Companies that don’t have the resources to take these steps should think twice about what they are putting at risk by offshoring, whether it’s software development or some other function like call centers involving sensitive customer data.

Business Continuity and Disaster Recovery Planning

Disaster recovery and business continuity planning are processes that help organizations prepare for disruptive events—whether an event might be a hurricane or simply a power outage caused by a backhoe in the parking lot. The CIO’s / CSO’s involvement in this process can range from overseeing the plan, to providing input and support, to putting the plan into action during an emergency. This primer explains the basic concepts of business continuity planning.

Q: “Disaster recovery” seems pretty self-explanatory. Is there any difference between that and “business continuity planning”?

A: Disaster recovery is the process by which you resume business after a disruptive event. The event might be something huge, like an earthquake or the terrorist attacks on the World Trade Center, or something small, like malfunctioning software caused by a computer virus.

Given the human tendency to look on the bright side, many business executives are prone to ignoring “disaster recovery” because disaster seems an unlikely event. “Business continuity planning” suggests a more comprehensive approach to making sure you can keep making money. Often, the two terms are married under the acronym BC/DR. At any rate, DR and/or BC determines how a company will keep functioning after a disruptive event until its normal facilities are restored.

What do these plans include?

All BC/DR plans need to encompass how employees will communicate, where they will go and how they will keep doing their jobs. The details can vary greatly, depending on the size and scope of a company and the way it does business. For some businesses, issues such as supply chain logistics are most crucial and are the focus of the plan. For others, information technology may play a more pivotal role, and the BC/DR plan may have more of a focus on systems recovery. For example, the plan at one global manufacturing company would restore critical mainframes with vital data at a backup site within four to six days of a disruptive event, obtain a mobile PBX unit with 3,000 telephones within two days, recover the company’s 1,000-plus LANs in order of business need, and set up a temporary call center for 100 agents at a nearby training facility.

But the critical point is that neither element can be ignored, and physical, IT and human resources plans cannot be developed in isolation from each other. At its heart, BC/DR is about constant communication. Business leaders and IT leaders should work together to determine what kind of plan is necessary and which systems and business units are most crucial to the company. Together, they should decide which people are responsible for declaring a disruptive event and mitigating its effects. Most importantly, the plan should establish a process for locating and communicating with employees after such an event. In a catastrophic event (Hurricane Katrina being a recent example), the plan will also need to take into account that many of those employees will have more pressing concerns than getting back to work.

Where do I start?

A good first step is a business impact analysis (BIA). This will identify the business’s most crucial systems and processes and the effect an outage would have on the business. The greater the potential impact, the more money a company should spend to restore a system or process quickly. For instance, a stock trading company may decide to pay for completely redundant IT systems that would allow it to immediately start processing trades at another location. On the other hand, a manufacturing company may decide that it can wait 24 hours to resume shipping. A BIA will help companies set a restoration sequence to determine which parts of the business should be restored first.

Here are 10 absolute basics your plan should cover:

1. Develop and practice a contingency plan that includes a succession plan for your CEO.
2. Train backup employees to perform emergency tasks. The employees you count on to lead in an emergency will not always be available.
3. Determine offsite crisis meeting places for top executives.
4. Make sure that all employees, as well as executives, are involved in the exercises so that they get practice in responding to an emergency.
5. Make exercises realistic enough to tap into employees’ emotions so that you can see how they’ll react when the situation gets stressful.
6. Practice crisis communication with employees, customers and the outside world.
7. Invest in an alternate means of communication in case the phone networks go down.
8. Form partnerships with local emergency response groups (firefighters, police and EMTs) to establish a good working relationship. Let them become familiar with your company and site.
9. Evaluate your company’s performance during each test, and work toward constant improvement. Continuity exercises should reveal weaknesses.
10. Test your continuity plan regularly to reveal and accommodate changes. Technology, personnel and facilities are in a constant state of flux at any company.

Hold it. Actual live-action tests would, themselves, be the “disruptive events.” If I get enough people involved in writing and examining our plans, won’t that be sufficient?

Let us give you an example of a company that thinks tabletops and paper simulations aren’t enough. And why their experience suggests they’re right. When CIO Steve Yates joined USAA, a financial services company, business continuity exercises existed only on paper. Every year or so, top-level staffers would gather in a conference room to roleplay; they would spend a day examining different scenarios, talking them out, discussing how they thought the procedures should be defined and how they thought people would respond to them.

Live exercises were confined to the company’s technology assets. USAA would conduct periodic data recovery tests of different business units, like taking a piece of the life insurance department and recovering it from backup data. Yates wondered if such passive exercises reflected reality. He also wondered if USAA’s employees would really know how to follow such a plan in a real emergency. When Sept. 11 came along, Yates realized that the company had to do more. “Sept. 11 forced us to raise the bar on ourselves,” says Yates.

Yates engaged outside consultants who suggested that the company build a second data center in the area as a backup. After weighing the costs and benefits of such a project, USAA initially concluded that it would be more efficient to rent space on the East Coast. But after the attack on the World Trade Center and Pentagon, when air traffic came to a halt, Yates knew it was foolhardy to have a data center so far away. Ironically, USAA was set to sign the lease contract the week of Sept. 11.

Instead, USAA built a center in Texas, only 200 miles away from its offices, close enough to drive to, but far enough away to pull power from a different grid and water from a different source. The company has also made plans to deploy critical employees to other office locations around the country.

Yates made site visits to companies such as FedEx, First Union, Merrill Lynch and Wachovia to hear about their approach to contingency planning. USAA also consulted with PR firm Fleishman-Hillard about how USAA, in a crisis situation, could communicate most effectively with its customers and employees. Finally, Yates put together a series of large-scale business continuity exercises designed to test the performance of individual business units and the company at large in the event of wide-scale business disruption. When the company simulated a loss of the primary data center for its federal savings bank unit, Yates found that it was able to recover the systems, applications and all 19 of the third-party vendor connections. USAA also ran similar exercises with other business units.

For the main event, however, Yates wanted to test more than the company’s technology procedures; he wanted to incorporate the most unpredictable element in any contingency planning exercise: the people.

USAA ultimately found that employees who walked through the simulation were in a position to observe flaws in the plans and offer suggestions. Furthermore, those who practice for emergency situations are less likely to panic and more likely to remember the plan.

Can you give me some examples of things companies have discovered through testing?

Some companies have discovered that while they back up their servers or data centers, they’ve overlooked backup plans for laptops. Many businesses fail to realize the importance of data stored locally on laptops. Because of their mobile nature, laptops can easily be lost or damaged. It doesn’t take a catastrophic event to disrupt business if employees are carting critical or irreplaceable data around on laptops.

One company reports that it is looking into buying MREs (meals ready-to-eat) from the company that sells them to the military. MREs have a long shelf life, and they don’t take up much space. If employees are stuck at your facility for a long time, this could prove a worthwhile investment.

Mike Hager, former head of information security and disaster recovery for OppenheimerFunds, says 9/11 brought issues like these to light. Many companies, he said, were able to recover data, but had no plans for alternative work places. The World Trade Center had provided more than 20 million square feet of office space, and after Sept. 11th there was only 10 million square feet of office space available in Manhattan. The issue of where employees go immediately after a disaster and where they will be housed during recovery should be addressed before something happens, not after. USAA discovered that while it had designated a nearby relocation area, the setup process for computers and phones took nearly two hours. During that time, employees were left standing outside in the hot Texas sun. Seeing the plan in action raised several questions that hadn’t been fully addressed before: Was there a safer place to put those employees in the interim? How should USAA determine if or when employees could be allowed back in the building? How would thousands of people access their vehicle if their car keys were still sitting on their desk? And was there an alternate transportation plan if the company needed to send employees home?

What are the top mistakes that companies make in disaster recovery? Hager and other experts note the following pitfalls:

1. Inadequate planning: Have you identified all critical systems, and do you have detailed plans to recover them to the current day? (Everybody thinks they know what they have on their networks, but most people don’t really know how many servers they have, or how they’re configured, or what applications reside on them: what services were running, what version of software or operating systems they were using. Asset management tools claim to do the trick here, but they often fail to capture important details about software revisions and so on.)
2. Failure to bring the business into the planning and testing of your recovery efforts.
3. Failure to gain support from senior-level managers. The largest problems here are:
   1. Not demonstrating the level of effort required for full recovery.
   2. Not conducting a business impact analysis and addressing all gaps in your recovery model.
   3. Not building adequate recovery plans that outline your recovery time objective, critical systems and applications, vital documents needed by the business, and business functions by building plans for operational activities to be continued after a disaster.
   4. Not having proper funding that will allow for a minimum of semiannual testing.

Hager also says that smaller companies have more (and cheaper) options for disaster recovery than bigger ones. For example, the data can be taken home at night. That’s certainly a low-cost way to do offsite backup.

Some of this sounds like overkill for my company. Isn’t it a bit much?

The elaborate machinations that USAA goes through in developing and testing its contingency plans might strike the average CIO or CSO as being over the top. And for some businesses, that’s absolutely true. After all, HazMat training and an evacuation plan for 20,000 employees is not a necessity for every company.

Like many security issues, continuity planning comes down to basic risk management: How much risk can your company tolerate, and how much is it willing to spend to mitigate various risks?

In planning for the unexpected, companies have to weigh the risk versus the cost of creating such a contingency plan. That’s a trade-off that Pete Hugdahl, USAA’s assistant vice president of security, frequently confronts. “It gets really difficult when the cost factor comes into play,” he says. “Are we going to spend $100,000 to fence in the property? How do we know if it’s worth it?”

And, make no mistake, there is no absolute answer. Whether you spend the money or accept the risk is an executive decision, and it should be an informed decision. Half-hearted disaster recovery planning is a failure to perform due diligence.

Can we outsource our contingency measures?

Disaster recovery services (offsite data storage, mobile phone units, remote workstations and the like) are often outsourced, simply because it makes more sense than purchasing extra equipment or space that may never be used. In the days after the Sept. 11 attacks, disaster recovery vendors restored systems and provided temporary office space, complete with telephones and Internet access for dozens of displaced companies.

What advice would you give to security executives who need to convince their CEO or board of the need for disaster recovery plans and capabilities? What arguments are most effective with an executive audience?

Hager advises chief security officers to address the need for disaster recovery through analysis and documentation of the potential financial losses. “Work with your legal and financial departments to document the total losses per day that your company would face if you were not capable of quick recovery. By thoroughly reviewing your business continuance and disaster recovery plans, you can identify the gaps that may lead to a successful recovery. Remember: Disaster recovery and business continuance are nothing more than risk avoidance. Senior managers understand more clearly when you can demonstrate how much risk they are taking.”

Phishing and Pharming

Phishing is a method of trying to gather personal information using deceptive e-mails and websites. Pharming also aims to collect personal information from unsuspecting victims by essentially tinkering with the road maps that computers use to navigate the Web. You don’t want either one working its evil genius on your customers. Here’s how to be on your guard.

Q: What is phishing?

A: Phishing is a method of trying to gather personal information using deceptive e-mails and websites. Typically, a phisher sends an e-mail disguised as a legitimate business request. For example, the phisher may pass himself off as a real bank asking its customers to verify financial data. The e-mail is often forged so that it appears to come from a real email address used for legitimate company business, and it usually includes a link to a website that looks exactly like the bank’s website. However, the site is bogus, and when the victim types in passwords or other sensitive information, that data is captured by the phisher. The information may be used to commit various forms of fraud and identity theft, ranging from compromising a single existing bank account to setting up multiple new ones.

Early phishing attempts were crude, with telltale misspellings and poor grammar. Since then, however, phishing e-mails have become remarkably sophisticated. Phishers may pull language straight from official company correspondence and take pains to avoid typos. The fake sites may be near-replicas of the sites phishers are spoofing, containing the company’s logo and other images and fake status bars that give the site the appearance of security. Phishers may register plausible-looking domains like aolaccountupdate.com, mycitibank.net or paypa1.com (using the number 1 instead of the letter L). They may even direct their victims to a well-known company’s actual website and then collect their personal data through a faux pop-up window.
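As an added example (not code from the book), here is a small Python check a brand-protection or abuse team could run over reported URLs to flag hostnames that imitate a protected brand the way the domains above do: it folds confusable characters (the digit 1 for the letter L, accented or non-Latin look-alikes) and compares against an allow-list of legitimate domains. The brand list and every sample hostname are constructed assumptions.

```python
"""Flag look-alike hostnames that imitate a protected brand (added example)."""
from urllib.parse import urlsplit
import difflib
import unicodedata

# Constructed allow-list of legitimate registrable domains per brand.
# These are assumptions for the example, not any vendor's real list.
PROTECTED_BRANDS = {
    "paypal": {"paypal.com"},
    "citibank": {"citibank.com", "citi.com"},
    "aol": {"aol.com"},
}

# Digits and symbols that get swapped in for letters ("paypa1" for "paypal").
CONFUSABLES = str.maketrans(
    {"1": "l", "0": "o", "3": "e", "5": "s", "4": "a", "7": "t", "|": "l", "!": "i"}
)


def hostname_of(url_or_host):
    """Lowercase hostname of a URL or bare host, without a leading 'www.'."""
    s = url_or_host.strip().lower()
    if "://" not in s:
        s = "http://" + s
    host = urlsplit(s).hostname or ""
    return host[4:] if host.startswith("www.") else host


def normalize_label(label):
    """Fold accented/non-ASCII look-alikes to ASCII, then map confusable digits to letters."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return folded.translate(CONFUSABLES)


def registrable_domain(host):
    """Crude 'last two labels' rule; a real deployment would use the public suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url_or_host, brands=PROTECTED_BRANDS, min_ratio=0.8):
    """Return 'legitimate', ('lookalike', brand) or 'unrelated' for one hostname."""
    host = hostname_of(url_or_host)
    reg = registrable_domain(host)
    if any(reg in legit for legit in brands.values()):
        return "legitimate"
    norm_labels = [normalize_label(label) for label in host.split(".")]
    norm_host = ".".join(norm_labels)
    for brand in brands:
        # Brand name embedded in a host that is not on the allow-list
        # (e.g. "aolaccountupdate.com"). Short brand names will also hit inside
        # ordinary words, so tune this rule per brand before relying on it.
        if brand in norm_host:
            return ("lookalike", brand)
        # Near-miss on any label, e.g. a dropped or swapped letter
        for label in norm_labels:
            if difflib.SequenceMatcher(None, label, brand).ratio() >= min_ratio:
                return ("lookalike", brand)
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample report; the Cyrillic "a" in the last entry is deliberate.
    for candidate in ["https://www.paypal.com/signin", "paypa1.com",
                      "aolaccountupdate.com", "mycitibank.net",
                      "p\u0430ypal.com", "example.org"]:
        print(candidate, "->", classify(candidate))
```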

providers—have taken matters into their own hands. What can my company do to reduce our chances of being targeted?

Can we prevent phishing attacks? Companies can reduce the odds of being targeted, and they can reduce the damage that phishers can do (more details on how below). But they can’t really prevent it. One reason phishing e-mails are so convincing is that most of them have forged “from” lines, so that the message looks like it’s from the spoofed company. There’s no way for an organization to keep someone from spoofing a “from” line and making it seem as if an e-mail came from the organization.

In part, the answer has to do with NOT doing silly or thoughtless things that can increase your vulnerability. Now that phishing has become a fact of life, companies need to be careful about how they use e-mail to communicate with customers. For example, in May 2004, Wachovia’s phones started ringing off the hook after the bank sent customers an e-mail instructing them to update their online banking user names and passwords by clicking on a link. Although the e-mail was legitimate (the bank had to migrate customers to a new system following a merger), a quarter of the recipients questioned it.

As Wachovia learned, companies need to clearly think through their customer communication protocols. Best practices include giving all e-mails and webpages a consistent look and feel, greeting customers by first and last name in e-mails, and never asking for personal or account data through e-mail. If any time-sensitive personal information is sent through e-mail, it has to be encrypted. Marketers may wring their hands at the prospect of not sending customers links that would take them directly to targeted offers, but instructing customers to bookmark key pages or linking to special offers from the homepage is a lot more secure. That way, companies are training their customers not to be duped.

It also makes sense to revisit what customers are allowed to do on your website. They should not be able to open a new account, sign up for a credit card or change their address online with just a password. At a minimum, companies should acknowledge every online transaction through e-mail and one other method of the customer’s choosing (such as calling the phone number on record) so that customers are aware of all online activity on their accounts. And to make it more difficult for phishers to copy online data-capture forms, organizations should avoid putting them on the website for all to see. Instead, organizations should require secured log-in to access e-commerce forms.

A technology known as sender authentication does hold some promise for limiting phishing attacks, though. The idea is that if e-mail gateways could verify that messages purporting to be from, say, Citibank did in fact originate from a legitimate Citibank server, messages from spoofed addresses could be automatically tagged as fraudulent and thus weeded out. (Before delivering a message, an ISP would compare the IP address of the server sending the message to a list of valid addresses for the sending domain, much the same way an ISP looks up the IP address of a domain to send a message. It would be sort of an Internet version of caller ID and call blocking.)

Although the concept is straightforward, implementation has been slow because the major Internet players have different ideas about how to tackle the problem. It may be years before different groups iron out the details and implement a standard. Even then, there’s no way of guaranteeing that phishers won’t find ways around the system (just as some fraudsters can fake the numbers that appear in caller IDs). That’s why, in the meantime, so many organizations—and a growing marketplace of service
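As an added example, not code from the article or from any vendor it names, the comparison described above of a sending server’s IP address against the list of valid addresses for the sending domain, written in Python. The domains, address ranges and messages are constructed sample values, and the in-memory table stands in for the DNS lookup a real gateway would make:

```python
import ipaddress

# Constructed stand-in for the lookup an e-mail gateway would make against DNS:
# sending domain -> address ranges its legitimate outbound mail servers use.
# These domains and ranges are assumed sample values, not real records.
AUTHORIZED_SENDERS = {
    "example-bank.test": ["192.0.2.0/24", "198.51.100.10/32"],
    "example-isp.test": ["203.0.113.0/25", "2001:db8:ab::/48"],
}


def sender_domain(mail_from: str) -> str:
    """Extract the domain from an envelope sender such as '<alerts@example-bank.test>'."""
    addr = mail_from.strip().strip("<>")
    if addr.count("@") != 1 or addr.endswith("@"):
        raise ValueError(f"malformed envelope sender: {mail_from!r}")
    return addr.split("@", 1)[1].lower()


def check_sender(mail_from: str, connecting_ip: str, table=AUTHORIZED_SENDERS) -> str:
    """Compare the connecting server's IP with the ranges published for the sender's domain.

    Returns 'pass' (IP is authorized), 'fail' (the domain publishes ranges but this IP
    is not among them, i.e. a spoof candidate) or 'none' (the domain publishes nothing,
    so the check says nothing either way).
    """
    ranges = table.get(sender_domain(mail_from))
    if ranges is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    # ip_network() accepts both IPv4 and IPv6; an address of the other family never matches.
    if any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in ranges):
        return "pass"
    return "fail"


def triage(messages, table=AUTHORIZED_SENDERS):
    """Apply the check to (sender, connecting_ip) pairs and decide what to do with each.

    Only 'fail' results are quarantined; 'none' is left to other filters, because many
    legitimate domains publish no sender list at all.
    """
    tagged = []
    for mail_from, ip in messages:
        verdict = check_sender(mail_from, ip, table)
        tagged.append({
            "from": mail_from,
            "ip": ip,
            "verdict": verdict,
            "action": "quarantine" if verdict == "fail" else "deliver",
        })
    return tagged


# Constructed batch: a genuine bank message, a spoof handed over by an unrelated host,
# and a message from a domain that publishes no sender list.
SAMPLE_MESSAGES = [
    ("<alerts@example-bank.test>", "192.0.2.25"),
    ("<alerts@example-bank.test>", "203.0.113.77"),
    ("<news@unlisted.test>", "198.51.100.200"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES):
        print(row)
```

Two caveats follow from the article’s own qualifications: the check says nothing when a domain publishes no list, and it only ties a message to the envelope domain the sending server claims, so a phisher who registers a look-alike domain with its own valid records still passes. It filters outright spoofs of your address; it does not replace the customer-side practices above.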

At the end of the day, though, better authentication is the best way to decrease the likelihood that phishers will target your organization. Banks are beginning to experiment with technologies like RSA tokens, biometrics, one-time-use passwords and smart cards, all of which make their customers’ personal information less valuable for phishers.

One midsized bank was able to cut its phishing-related ATM card losses by changing its authentication process. Every ATM card has data encoded on its magnetic strip that the customer can’t see but that most ATM machines can read. The bank worked with its network provider to use that hidden information to authenticate ATM transactions—an important step that, according to Gartner, only about half of U.S. banks had taken by mid-2005. “Since the number isn’t printed on the back of the card, customers can’t accidentally disclose it,” the bank’s CISO explained. The information was already in the cards, so the bank didn’t have to go through an expensive process of reissuing cards. “It was a very economical solution, and it’s been very effective,” said the CISO.

What plans should my company have in place before a phishing incident occurs?

Before your organization becomes a target, establish a cross-functional anti-phishing team and develop a response plan so that you’re ready to deal with any attack. Ideally, the team should include representatives from IT, internal audit, communications, PR, marketing, the Web group, customer service and legal services. This team will have to answer some hard questions, such as:

* Where should the public send suspicious e-mails involving your brand? Set up a dedicated e-mail account, such as [email protected], and monitor it closely.

* What should call center staff do if they hear a report of a phishing attack? Make sure that employees are trained to recognize the signs of a phishing attack and know what to tell and ask a customer who may have fallen for a scam.

* How and when will your organization notify customers that an attack has occurred? You might opt to post news of new phishing e-mails targeting your company on your website, reiterating that they are not from you and that you didn’t and won’t ask for such information.

* Who will take down a phishing site? Larger companies often keep this activity in-house; smaller companies may want to outsource.

* If you keep the shut-down service in-house, a good response plan should outline whom to contact at the various ISPs to get a phisher site shut down as quickly as possible. Also, identifying law enforcement contacts at the FBI and the Secret Service ahead of time will improve your chances of bringing the perpetrator to justice.

* If a vendor is used, decide what the vendor can do on your behalf. You may want to authorize representatives to send e-mails and make phone calls, but have your legal department handle any correspondence involving legal action.

* When will the company take action against a phishing site, such as feeding it inaccurate information or exploiting vulnerabilities in its coding? Talk out the many pros and cons beforehand.

* How far will you go to protect customers? Decide how much information about identity theft you’ll give to customers who fall for a scam, and how this information will be delivered. You should also talk through scenarios in which you will monitor or close and re-open affected accounts.

* Are you inadvertently training your customers to fall for phishing scams? Educate the sales and marketing teams about characteristics of phishing e-mails. Then, make sure legitimate e-mails don’t set off any alarms.

How can we quickly find out if a phishing attack has been launched using our company’s name?

Sometimes a new phish announces itself violently, as an organization’s e-mail servers get pummeled with phishing e-mails that are bouncing back to their apparent originator. There are other ways to learn about an attack, though—either before or after it occurs.

a) Monitor for fraudulent domain name registrations. Phishers often set up the fake sites several days before sending out phishing e-mails. One way to stop them from swindling your customers is to find and shut down these phishing sites before phishers launch their e-mail campaigns. You can outsource the search to a fraud alert service. These services use technologies that scour the Web looking for unauthorized uses of your logo or newly registered domains that contain your company’s name, either of which might be an indication of an impending phishing attack. This will give your company time to counteract the strike (more on that later).

b) Set up a central inbox. The easiest and most effective way to find out if your organization is being targeted by phishers is simply by giving the general public a way to report phishing attacks. “It’s your customers and noncustomers who are going to be the ones that tell you that the phish is out there,” said one security manager interviewed for a case study published in CSO. (See “How to Foil a Phish,” October 2005.) To do this, organizations typically set up one e-mail address where all suspected phishing e-mails are directed, with an address such as [email protected] or phish@domainname.com. Ideally, this central inbox should be monitored 24/7.

c) Watch your Web traffic. After gathering victims’ information, many phishing sites then redirect the victim to a log-in page on the real website the phisher is spoofing. SANS’s Internet Storm Center recommends that by examining Web traffic logs and looking for spikes in referrals from specific, heretofore unknown IP addresses, CSOs may be able to zero in on sites used for large-scale phishing attacks.
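The log examination that item (c) describes, as an added example written for this book rather than taken from the article or from SANS: it parses Apache/nginx combined-format access log lines, counts hits on the log-in page by referring host, and reports hosts absent from a baseline of known referrers once they reach a threshold. The log lines, host names and baseline are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: client, identity, user, [timestamp], request,
# status, bytes, referrer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Referrer hosts that legitimately send visitors to the log-in page (constructed baseline;
# "-" is what the server writes when the browser sent no Referer header at all).
KNOWN_REFERRERS = {"-", "www.example-bank.test", "example-bank.test"}

# Constructed sample: four visitors reach the log-in page from one previously unseen host,
# which is what a phishing site's post-capture redirect looks like, plus ordinary traffic.
SAMPLE_LOG = """\
198.51.100.1 - - [10/Oct/2005:13:55:36 -0700] "GET /login HTTP/1.1" 200 512 "http://203.0.113.77/verify/index.html" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2005:13:55:41 -0700] "GET /login HTTP/1.1" 200 512 "http://203.0.113.77/verify/index.html" "Mozilla/5.0"
198.51.100.3 - - [10/Oct/2005:13:56:02 -0700] "GET /login HTTP/1.1" 200 512 "http://203.0.113.77/verify/index.html" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2005:13:56:10 -0700] "GET /login?ref=1 HTTP/1.1" 200 512 "http://203.0.113.77/verify/index.html" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2005:13:56:15 -0700] "GET /login HTTP/1.1" 200 512 "https://www.example-bank.test/" "Mozilla/5.0"
198.51.100.6 - - [10/Oct/2005:13:56:20 -0700] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2005:13:56:33 -0700] "GET /login HTTP/1.1" 200 512 "https://search.example.test/q?s=bank" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2005:13:56:40 -0700] "GET /images/logo.png HTTP/1.1" 200 2048 "http://203.0.113.77/verify/index.html" "Mozilla/5.0"
this line is not in combined format and must be skipped
"""


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def referrer_host(referer: str) -> str:
    """Reduce a Referer value to its host: '-' when absent, '?' when it cannot be parsed."""
    if referer in ("", "-"):
        return "-"
    host = urlsplit(referer).hostname
    return host.lower() if host else "?"


def find_unknown_referrers(log_text: str, login_path: str = "/login",
                           known=KNOWN_REFERRERS, threshold: int = 3):
    """Count log-in page hits per referrer host outside the baseline.

    Returns [(host, hits), ...] for hosts at or above the threshold, highest first.
    Lines that do not parse, or that are not requests for the log-in page, are ignored.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(login_path):
            continue
        host = referrer_host(rec["referer"])
        if host not in known:
            hits[host] += 1
    return [(host, n) for host, n in hits.most_common() if n >= threshold]


if __name__ == "__main__":
    for host, n in find_unknown_referrers(SAMPLE_LOG):
        print(f"{n} log-in visits referred from unknown host {host}")
```

On a real server the threshold should be set from the normal volume of the log-in page, and the baseline should include search engines and partners that legitimately link to it; a host that appears from nowhere and sends a burst of visitors straight to the log-in page is the pattern to chase.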

d) Hire a firm to help. The same companies that scan the Internet for unauthorized uses of your logo can also monitor for active phishing sites. For example, Toronto-based Brandimensions hosts a vast, interconnected network of domain names and e-mail addresses intended solely to attract phishing e-mails and other spam. They’re called honeypots. Entire websites are built to publish e-mail addresses, point to one another, and thereby attract the attention of automated Web crawlers that compile spam lists. The company then uses “relevancy detection software” to flag the e-mails that could be most damaging to its customers.

How can we help our customers avoid falling for phishing?

People who know about phishing stand a better chance of resisting the bait. “The best defense is that a consumer has heard of phishing and is unlikely to respond,” says Patricia Poss, an attorney with the Bureau of Consumer Protection at the Federal Trade Commission. Customers must be trained to think twice about replying to any e-mail or pop-up that requests personal information.

Teach employees how to recognize spoofed e-mail. Similarly, warn your customers about the dangers of phishing, and let them know you’ll never ask for their account number, password, Social Security number or any other personal information via e-mail. Train them to avoid clicking on e-mail links to reach you and instead to type your company’s URL directly into a new browser window.

The oft-targeted PayPal, for instance, has a Security Center on its website that includes an e-commerce safety guide, fraud protection tips for buyers and sellers, a link to let users report spoof e-mails and a prominent reminder to log in to PayPal by opening a new browser window and typing in the URL. Some companies also do physical mailings to customers. However, there’s only so much that customer education can do. The onus is also on the organization to limit the damage by shutting down the phishing site.

If an attack does happen, how should we respond?

Once a phishing attack occurs, the goal for the organization is to get the phishing site shut down as quickly as possible. This limits the window of opportunity in which the phisher can collect personal information. With any phishing attack, organizations should take three steps (or hire a firm to take these steps for them).

Step 1) Gather basic information about the attack. This should include screen shots of the website plus the URL.

Step 2) Contact the ISP (or whoever is hosting the website). Explain the situation and ask that the site be shut down. Many phishing sites are launched on hacked computers, so in a best-case scenario, taking down the site is simply a matter of contacting a website’s owners, pointing them to the URL of the webpage, and asking them to remove the offending content (and patch their Web servers). “You say, Hey, did you know there’s a URL on your website that’s a phishing attack?” says Hugh Hyndman, CTO of Brandimensions. “They look at it and go, Oh my God, and they remove that website.”

How well an ISP is likely to respond depends on both the ISP and an organization’s relationship with it. “If you have a good relationship with the ISP, you can get the site down in a matter of hours,” says Dave Jevans, chairman of the Anti-Phishing Working Group. “Sometimes.” Other times you won’t be so lucky. Seventy percent of phishing sites are hosted outside of the United States, so you may need a translator. You also may need to do some delicate negotiations to convince the ISP to throw the switch on a paying customer. If the representative hems and haws and says that policing the Internet is not his job, Jevans says, “rattle a few sabers” and threaten to call law enforcement.

In the most difficult scenario, a phishing site is domain-based. Hyndman has seen phishing websites set up to automatically change their IP addresses as often as every three minutes, hopping from one hacked computer to another in a complex game of cat and mouse played out across the globe.

Step 3) Contact law enforcement. Although this is an important step, be warned that it isn’t necessarily the most effective way to get the site shut down quickly. The FBI and Secret Service are more concerned with patterns and big busts than individual ones, and until a customer has fallen for a scam and suffered damages, there may have been no law broken. Nevertheless, agents may be able to intervene on your behalf—and who knows, your case may be part of the bigger picture investigation needed to shut down a given fraudster. (This has happened. In May 2005, a 20-year-old Texas man was sentenced to almost four years in prison for phishing.)

By establishing a relationship with law enforcement, you’ll come to understand when agents want information about what kinds of attacks. For instance, the bank in the aforementioned CSO case study gets a compact disc from its vendor with information about each phish, and a copy of that CD is then passed on to the FBI, which looks for patterns or anomalies in the attacks.

Does all this sound like too much for your company? Then pay someone else to do it for you. The marketplace is brimming right now with companies that will do the dirty work. Brandimensions, Cyota, MarkMonitor and others offer anti-phishing services. Responders at a good service provider will have expertise in working their way up the network stream seeking someone who can and will shut down the site. They try to work with the ISP or Web hosting company, and then if necessary contact the domain name registrar that’s directing the URL to a given IP address. They’ll send e-mails and faxes; they’ll make phone calls. If necessary, they’ll send notices threatening legal action. Often, when the site is hosted outside the United States, they’ll seek help from local groups of first responders organized by CERT/CC at Carnegie Mellon. The end result? The phishing website might be up for hours instead of days.

What action can we take against the phishers themselves?

Takedown, which essentially just relocates the problem, may be the only aggressive form of defense that the targeted company has. Prosecutions of phishers have been rare, due to the difficulty of tracing how personal information has been captured, sold and exploited.

However, when a site proves to be particularly vexing to shut down, the vendor may offer to try a controversial practice sometimes known as dilution. This involves feeding fake information into a phishing site—the goal being to “dilute” the real information, making the phisher’s haul less valuable. Dilution is tricky for many reasons. Opinions differ on how best to generate the fake information. Also, patterns (where the traffic is coming from or how often) can tip off phishers that the information is bogus, possibly prompting them to retaliate against the targeted company. There are also legal concerns. High-volume dilution can amount to denial of service—an attack in which so much bogus traffic floods a website that it collapses. Jevans, of the Anti-Phishing Working Group, laughs when asked about dilution. “That’s the polite term,” he says. “Denial of service”—the impolite term—“is illegal. Which is why you find not everybody is using dilution.”

Vendors may counter that dilution is significantly different from a denial-of-service attack because the Web traffic is supposed to come in at a reasonable enough rate to look like actual users. Still, most companies are leery of the practice. The bank profiled in CSO, for example, decided that dilution was worth the risk only if the situation became critical, with a large number of people responding to the phish and causing the bank “significant” losses.

How might phishing attacks evolve in the near future?

As phishing e-mails and websites have grown more sophisticated, phishers also have changed the kinds of companies they are spoofing. Early phishing e-mails usually targeted large banks, credit card companies, online payment services, ISPs and large online retailers. As those large companies put defense mechanisms in place to limit the damages, phishers have moved on to smaller companies that may be less prepared to defend themselves. At the same time, phishers have also grown more sophisticated in their use of e-mail address lists. A phishing e-mail targeting a regional credit union, for example, may be sent only to customers who use ISPs located in that same area. The latest and perhaps ultimate personalization? A technique known as “spear phishing,” in which e-mails are customized for particular users. One scam targeted just executives at certain kinds of companies.

Meanwhile, as customers become more savvy about the risks of divulging personal information, fraudsters are looking for ways to gather information without the victims’ knowledge. This is often done with a method known as pharming. Like phishing, pharming aims to collect personal information from unsuspecting victims. The difference is that pharming doesn’t rely on e-mail solicitation to ensnare its victims. Instead, this attack method essentially tinkers with the road maps that computers use to navigate the Web, such that large numbers of users can wind up giving personal data to a bogus site even if they’ve typed in a legitimate URL.

Pharming combines a mix of mainstream threats such as viruses and spyware, plus more esoteric stuff such as domain spoofing and DNS poisoning. In one scenario, a user receives some kind of malware (virus, worm, Trojan horse or spyware) that rewrites local host files, which convert URLs into the number strings that computers use to find and access websites. Then, for example, when the user types a legitimate bank’s URL into the browser window, the computer is misdirected to a bogus but authentic-looking website of the same sort that might be used in a phishing attack. In another scenario, a hacker poisons a more public DNS directory cache (at an ISP, for instance), again leading unsuspecting Internet users to phony sites.

In either case, potentially large numbers of users are drawn to the fraudulent sites or proxy servers (a computer that sits between the user and the real server and captures information as it passes through), where criminals can track activity and gather credit card data and personal identification numbers. Pharming is technically harder to accomplish than phishing. To execute a phishing attack, a hacker needs to be able to create a plausible URL, a decent webpage and an e-mail message. This is not hard.

Pharming, on the other hand, requires knowledge of how to manipulate DNS caches or gain access to someone’s computer files or servers to change settings. But it can also be more damaging, because even savvy computer users may have no idea that their information has been compromised.

How can we guard against pharming attacks?

Just as pharming is more technically difficult to pull off than phishing, it’s more technically complicated to protect against. Here are some basics.

a) Deploy technologies such as intrusion prevention and antivirus software, desktop firewalls with filters to look for spyware, and logging software to look for particular events such as spikes in DNS traffic or spikes in e-mail traffic from a single user.

b) Make incident response teams aware of the threat, and teach employees and customers how to avoid pharming incidents. Also ramp up education efforts aimed at business partners, especially for smaller companies that might need help to deal with the pharming threat.

c) Place controls on DNS servers, such as host-based intrusion detection systems, to prevent visitors or customers to websites from inadvertently participating in a pharming attack. There are also some vendors that focus on DNS security, such as UltraDNS.

d) Be prepared to have Internet service providers quickly shut down malicious sites that are set up for pharming. Consider moving ahead with plans for stronger authentication technologies that control access to systems that could be targets of pharmers.

e) Follow developments such as the progress of the DNSSEC standards, and ensure that your company’s ISPs have the proper controls on their DNS directories and servers.
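The hosts-file scenario in the pharming discussion above, as an added example that is not code from the article or from any vendor it names: a Python audit that parses a hosts file and flags any entry pinning a protected domain, rating it high when the address lies outside the ranges the domain is known to use. The domain names, address ranges and hosts-file contents are constructed sample values.

```python
import ipaddress

# Constructed baseline (assumed values): names your organization cares about and the
# address ranges they legitimately resolve to.
PROTECTED_NAMES = {
    "www.example-bank.test": ["192.0.2.0/24"],
    "online.example-bank.test": ["192.0.2.0/24", "2001:db8:10::/48"],
}

# Constructed hosts file: the first two lines are the stock entries; the third is the
# kind of line malware plants to send bank traffic to a look-alike site.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.example-bank.test online.example-bank.test   # planted entry (sample)
192.0.2.7       www.example-bank.test
10.0.0.5        intranet.corp.test
not a valid line
"""


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for each mapping; comments and malformed lines are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address; ignore the line
        for name in parts[1:]:
            yield ip, name.lower(), n


def audit_hosts_file(text: str, protected=PROTECTED_NAMES):
    """Flag hosts-file entries that pin a protected name.

    Any such pin is unexpected (these names should be resolved through DNS), so an entry
    inside the known address ranges is rated 'medium'; one outside them, which is what a
    pharming rewrite looks like, is rated 'high'.
    """
    findings = []
    for ip, name, n in parse_hosts(text):
        ranges = protected.get(name)
        if ranges is None:
            continue
        expected = any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in ranges)
        findings.append({
            "line": n,
            "host": name,
            "ip": str(ip),
            "severity": "medium" if expected else "high",
        })
    return findings


def high_severity(findings):
    """Return only the findings that point a protected name outside its known ranges."""
    return [f for f in findings if f["severity"] == "high"]


if __name__ == "__main__":
    for f in audit_hosts_file(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} [{f['severity']}]")
```

The same comparison against expected ranges covers the second scenario, a poisoned resolver cache, if the answers returned by your ISP’s DNS servers are fed in instead of the hosts file; run either check from the host-based intrusion detection that item (c) recommends, so an unexpected pin raises an alert rather than waiting for a customer to notice.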

Physical and IT Security Convergence

Call it convergence, call it holistic security management. By either name, it’s the subject of much talk these days. Here’s the definition of convergence and an explanation of the desired payoffs and unexpected pitfalls that can obstruct efforts to get all security functions working off the same page.

What do you mean by “convergence”?

Here’s what it is: Formal cooperation between previously disjointed security functions. When we say ‘cooperation’, we’re talking about a concerted and results-oriented effort to work together. Timothy Williams, CSO at Nortel Networks, notes that cooperation involves process and accountability, not just a “let’s have lunch once in a while” kind of loosey-goosey connection.

And here’s an important note about what convergence is NOT: Merging the information security group and the corporate or physical security group on your organizational chart. That’s a definition that focuses on form instead of function, and as such, is the source of much of the pushback on security convergence. Yes, merged org charts are one very legitimate way to ensure cooperation and accountability, but many organizations may find valid reasons to not rejigger their reporting lines, and still achieve the cost efficiencies and security improvements that come through convergence.

It should also be said that holistic security management involves more than simply information security and physical security. There are other risk management disciplines that benefit from cooperation and coordination, such as loss prevention, fraud prevention, business continuity planning, legal/regulatory compliance, insurance, and others. Forging connections with those functions is part of convergence too.

Let’s cut to the chase. How will convergence benefit my organization specifically?

Following are key payoff points, gleaned from interviews with security executives at organizations that have recast security in some way or another to foster better synchronization and collaboration.

- A comprehensive security strategy better aligns security goals with corporate goals.

Most CIOs these days would agree that security should dance cheek to cheek with the needs of the business. In a post-9/11 world, companies that hold the traditional view of security as just another cost center fail to recognize the importance of security to day-to-day business activities. When Marshall Sanders, vice president of corporate security and CSO (who served as the founding director of security for President Reagan’s strategic defense initiative program in the ‘80s), joined Level3 Communications in 1999, he had a mandate: establish a comprehensive security architecture.

Sanders’ mission was made easier because senior executives at the company viewed security as a key enabler for the business. “We’re a network services provider; we’re all about network availability,” says Sanders. “If the network isn’t available due to a logical or physical incident, it’s a revenue-impacting event. So security was seen by our [company leaders] as an integral component of the business architecture.”

A corporate risk management council, comprising Sanders and other senior executives, forms the basis for an integrated security governance structure and helps keep security top-of-mind at Level3. “It’s critical to have top-down sponsorship,” Sanders says, adding that in his case, the CEO “realized security needed to be integrated into the architecture of the business.” The council, an audience for updates on physical and logical security, business continuity and disaster recovery exercises, is critical to driving this agenda, he says. “It can provide an enterprisewide perspective and accountability for managing the risks to the business; so then security becomes not just security’s problem, it’s a business concern.”

Sanders defines convergence as the integration of logical security, information security, physical and personnel security; business continuity; disaster recovery; and safety risk management. (Logical security focuses on the tools in a network computing environment; information security focuses on the flow of information across both the logical and physical environment.) Cost savings is one of the important payoffs in this holistic security strategy. Because there’s always some duplication in a stove-piped security organization (in overhead and programs, for example), it’s more cost-effective to manage an integrated one. Not only that, duplication can lead to unproductive turf battles among security groups for resources, he adds.

- The CIO/CSO can be a single point of contact.

Bringing together different security silos into one big, happy family and running the combined organization can be a lot easier when one person sits at the top. When there’s a single point of contact, the CFO or COO can pick up the phone and speed-dial the CIO instead of having to pull out an org chart to figure out whom to call with a security question.

John Pontrelli, vice president and CSO at Triwest Healthcare Alliance, a Department of Defense contractor that manages a health-care program in the western United States for military personnel and their families, wouldn’t have left his previous job at W.L. Gore & Associates to come to Triwest unless he had that kind of accountability. To Pontrelli, convergence means one person is responsible for security, just as a CFO holds the reins over all things financial.

Pontrelli lists numerous benefits, such as the ability to see where the organization is going. “If I didn’t have the visibility of where the organization was going, where the C-[level] folks were going, the new technologies coming, it would be hard to put together a business plan to the requirements of the organization,” Pontrelli says. “Because I have such access and visibility to the C-level leadership, they know what I’m doing. It’s not a mystery. They know my resources, what’s being spent.”

This status helps to prioritize risk and create a comprehensive security business plan. Having a single point of contact also makes it easier for the CEO, board of directors, contractors, external business partners and employees to know that they can call Pontrelli if they have any questions or problems. Pontrelli, who reports to the COO, says he wouldn’t work at a place “that doesn’t have a CIO reporting at the C-level with visibility and accountability at that level.”

At Wells Fargo, CSO Bill Wipprecht likes the fact that other execs know they can pick up the phone and call him with any security questions. Wipprecht runs five divisions (internal investigations, external investigations, physical security, enterprise services and the uniformed services division) and has almost 300 full-time employees. (He does not manage infosec, though his department is the investigative arm of that unit.) He describes security as having a single voice with a single message, and that singularity translates into the way he handles customer service. “Our rule is, if you call anybody in corporate security on any issue, we don’t tell them to call Fred in the other group; we dial the number for them. They don’t know they’re talking to the wrong division; it’s an invisible transfer to the customer,” he says.

Still, it’s the top of the food chain that derives the greatest value. Constellation Energy’s CEO, Mayo A. Shattuck III, describes integrated security management as part of a top-down approach to getting a handle on an organization’s exposure to risk. That’s why his security department is responsible for all kinds of security, and reports into the company’s Chief Risk Officer.

- Information-sharing among disparate security functions increases.

Bringing team members into a more cohesive organization with one strategic mission and consistent goals will encourage collaboration and help break down some of the walls that can exist between people who previously had prime allegiance to their individual security function.

Richard Loving is reaping the benefits of a more collaborative environment at BWX Technologies, which manages and operates nuclear and national security facilities. Loving, a 25-year veteran at BWXT, wears two hats: He’s CSO (a title he picked up last June) and director of administration. For years, the company, which runs or helps run facilities for the U.S. government in nine states, organized its facility teams as self-contained units. That often meant that people in different locations were working on the same problem. Security directors at the plants acted independently to ensure the safety at their own sites, but there was little collaboration. Loving and other execs decided last summer that BWXT needed a centralized focus for security, one that would improve information-sharing and get rid of the stove-piped structure. Loving began to coordinate security at the units.

The results were immediate. Last July, the Department of Energy ordered a stand-down of all DoE operations that used controlled removable electronic media after two Zip disks containing classified materials were reported missing at the Los Alamos National Laboratory. DoE facilities were not allowed to resume operations until new security procedures were put in place.

“In the past, each site would have received guidance from the government, then they’d go off and put protections in place,” says Loving. “We were able to bring an expert from each site together to talk about the changes in regulations, how they were going to protect media and share that information back and forth so that as one site found a new and different way to control something, they would share that information the same day,” says Loving. (In January, the Energy Department released a report announcing that the two missing disks never actually existed.)

Another payoff Loving cites involved changes in a physical protection hardware system. Blueprints of the system were obtained from one site and shared with others. “That saved significant costs,” he says.

Bob Pembleton has also been experiencing the benefits of closer collaboration. The 30-year security veteran (he held positions at IBM and MCI) arrived at EDS in 2001 as director of global security operations and became leader of a fragmented security department. “I couldn’t get a clear picture of a program for the whole enterprise,” he says. To improve efficiency, strategy and communication, he led the consolidation of the department, which was completed a year ago. (Pembleton is now chief security and privacy officer, a title he took on in January.) The four functional groups (information security, physical security, compliance and privacy), which previously reported to different parts of the organization, now reside in Pembleton’s security and privacy department. Now security can look at regulations such as the Health Insurance Portability and Accountability Act and Sarbanes-Oxley, for example, and address them with a centralized focus, not a haphazard one.

One project his team completed last year was reducing the 125 or so websites that had references to some type of privacy or security down to one portal for all internal security. Pembleton says the move improved efficiency and communication to the company and clients.

Pembleton is also replacing customized solutions with standardized ones. For example, he’s consolidated security monitoring and access control to regional data centers so that policies, while managed locally, are set at a central location. (That took place prior to the security department reorganization.) Next up: centralized user authentication.

- Convergence gives you a more versatile staff.

Although the unified security theme resonates today at Wells Fargo, it wasn’t long ago that the message was a little more garbled. Previously, external and internal investigations operated separately. Each had its own manager. That led to inefficiencies, which sometimes allowed two separate teams to investigate the same case. And if the case happened to be in Boise, Idaho, Wipprecht spent money to send somebody from the corporate office in San Francisco to work with the regional agent.

That changed in February 2004, when Wipprecht brought external and internal investigations into his new, converged organization and began cross-training most of his agents. Now the regional agent, trained in external and internal investigations and physical security, can run the case from Boise solo, giving security more bang for its buck and improving response time. Cross-training has also made his agents more aware of areas that weren’t previously part of their job descriptions. In the past, the physical security folks thought a lot about homeland security but not investigative issues; investigators, conversely, were less observant about homeland security. Now the security organization is more cohesive, with different divisions pursuing similar goals. “The cross-training is an awakening of what they ought to be looking at internationally, nationally and locally,” says Wipprecht.

Triwest’s Pontrelli and Pemco’s Telders cross-train their physical and infosec staff. “It’s mostly a people cost savings,” says Telders. “I can take someone trained in CPR and have them do e-mail filtering and password accounts. I can cross-train staffs so they can cover each other, so my staffing costs are down. People assigned to projects can get cross-trained on the job,” he says. Pontrelli also likes the fact that cross-training gives his team members greater career opportunities.

Pontrelli mentions lower staffing costs. Wipprecht mentions lower travel costs. Sanders mentions reduced duplication of efforts and fewer time-wasting turf battles. There’s also savings to be wrung from technology convergence. Security Manager Eduard Telders put smiles on the suits at Pemco Insurance by replacing proprietary systems with a centralized, IP-based security management system for both field offices and headquarters that encompasses closed-circuit TV, door controls, access card controls, sensors, alarm monitoring and panic buttons. The system has obviated the need for local security guards; instead, guards monitor the system 24/7 from a central location. Burglar alarm monitoring is also done from that location, so outside contracts with third parties have, for the most part, become unnecessary. And video recording takes place on server disks, not on local digital video recorders. “If a DVR goes out, it could cost five grand,” he notes. “If a disk goes out, it costs $150.”

Telders says the system saved Pemco on the order of $2 million in the first year. (Most came from eliminating the guards; bringing burglary and security monitoring services in-house saved more.) The company can also use the surveillance cameras in the various locations to hold teleconferences at no additional cost. And Pemco has tied building control systems such as HVAC and lighting into the centralized system, which allows the real estate staff to remotely manage some building systems, largely freeing them from having to install their own network or wiring.

Likewise, at Intel, Alan Rude did a lengthy ROI study on switching to digital surveillance recording. In the process, he not only saved lots of money, he also wound up connecting much more closely with the IT department. Stephen Baird, vice president of corporate security at

- You save the company money. You’ve probably already picked up on this thread.

37

FOCUS

SECURITY

- Investigations.

United Rentals, North America’s largest equipment rental company, is also using CCTV improvements to reduce costs. Baird joined the company last July and has become the single point of contact for security. (Previously the top security role wasn’t as clearly defined.) He reports to the company’s president and CFO. Since coming on board, he’s been working on upgrading the company’s digital CCTV systems to make them motion-based. That will save his staff major chunks of time when conducting investigations-using the old system, watching the DVR could take hours; now it takes minutes. He plans on rolling it out in the company’s corporate facilities first and hopes to roll it out in stores eventually. He’s also looking to save money by standardizing DVRs across the company and by buying those DVRs in bulk.

Jim Mecsics arrived on the job at credit bureau Equifax in 2002 with a mandate to create a corporate security program-to bring together disparate pieces of security, including physical and information security, under one roof. It didn’t take long for the reorganization to bear fruit. Some three months into his tenure, a large identity theft ring began hitting credit reporting agencies and was attempting to penetrate Equifax’s networks. Mecsics and his team went to work-they set up a plan, mapped out the bad guys’ architecture and worked closely with the FBI. Soon they pinpointed the intermediary company where the breach was taking place. (A former help desk employee at the intermediary company had stolen user codes and passwords and sold them to more than a dozen mostly Nigerian nationals in the New York City area.) At the end of 2002, the U.S. attorney’s office in New York arrested the culprits, putting a stop to what it said was the largest identity theft ring in the country (some 30,000 identities were stolen). “That was a pure example of [the benefit of] us having everything under one umbrella,” says Mecsics. “I had the ability to bring the data and fraud folks and everyone else together and come up with a cohesive strategy,” he says. Mecsics didn’t have to get authorization from people’s bosses to work on the converged effort. He had the authority, he acted, and the coordinated security groups worked to the company’s benefit.

Another technology Baird is exploring is global positioning systems, or GPS, which the company was prototyping before he arrived. One application would involve putting GPS systems on large pieces of equipment, such as light towers. United Rentals has more than 600 types of equipment, including 4,200 light towers. GPS systems would allow security to track where the tower is, how long it’s been there and even if it was turned on. And, of course, it would function much like a LoJack auto antitheft device (a tool they’ve also used) to make sure customers aren’t walking-or driving-away with equipment. And lest one think that light towers, backhoes and skid steer loaders don’t disappear, guess again. “We’ve had theft of everything,” says Baird. But rolling out a GPS system won’t happen automatically-as with any big project, Baird will first assess the risks and the costs before he and his fellow execs give a thumbs-up or thumbs-down.

- Terminations (and, conversely, new hires). Also referred to as provisioning and deprovisioning. When your company brings new employees on board, they need all sorts of things, from network passwords to access cards to corporate credit cards. And then when they leave the company, the company needs to gets its belongings back and also shut off access to

Give me some more specific scenarios where this is necessary and worth the effort involved (because I suspect that effort will be big).

38

FOCUS

SECURITY

networks and buildings in a timely manner. Companies with a coordinated approach to provisioning and deprovisioning do those things efficiently. Those who do these things in a scattershot manner are more likely to leave the door open for ex-employees to abscond with materials or intellectual property.

way: “Some companies have people who do information security, and people who do physical security, and people who do business continuity. The three people may come up with three separate answers about what to protect. If you have a total protection program, you can save a lot of time, money and effort. It just simplifies the whole process and makes it more effective.”

Quick case study: Children’s Hospital in Boston has a complicated workforce. It’s a teaching hospital, so in addition to normal staff turnover, new physicians come and go “in waves,” according to CISO Paul Scheib. Some doctors are actually employees of various foundations rather than of the hospital itself. To help keep pace with creating and managing new network accounts and assigning the right privileges, the hospital first implemented password-management software and later a more complete identity-management suite from Courion. While the impetus was on the hiring end of the employee lifecycle, Scheib says a big payoff is that access can be shut off in a more timely manner when an employee leaves the organization. And Scheib finds himself working closely with the hospital’s physical security group to integrate door access badges into the identity management approach. In the past, Scheib notes, “we had our information and they had theirs”-there was very little sharing of information. “Now we’re working on a metadirectory project and starting to map both physical and infosecurity data and to define roles that require physical access to high-security areas such as surgical suites.” Children’s Hospital has no organizational initiative dubbed “convergence”; it’s just security people recognizing the efficiencies of working together.

- Dealing with camera phones, USB tokens and other gadgets. An employee (or visitor, or janitor for that matter) connects a thumb drive to his work PC, copies a database with juicy customer details, and walks out the door. Or he uses a camera phone to wirelessly email a surreptitious snapshot of your company’s R&D area. Are these digital threats? Or physical ones? Who cares! Again, good communication between the information security and physical security functions will help you craft intelligent policies and enforcement measures to stop this kind of incident. - SCADA and process control systems. At manufacturing companies and utilities, Supervisory Control and Data Acquisition (SCADA)systems sit directly at the intersection of the physical and digital worlds. They are used to electronically control and monitor the actual machines that mix chemicals, control temperatures, and so on. Typically, network security professionals don’t know much (if anything) about securing SCADA, and process engineers don’t know anything about information security.

- Business continuity.

For Keith Antonides, corporate information security director at Rohm and Haas, a large specialty chemical manufacturing company, convergence has meant establishing a closer working relationship with the process control engineers. In the past, the engineers

Mike Hager, who helped get OppenheimerFunds up and running four hours after their offices and systems at the World Trade Center were destroyed on 9/11, puts it this

39

FOCUS

SECURITY

took care of the systems themselves. “When I joined the company six years ago, it was hands off, you have no authority here,” he says. “After 9/11, they were asking for my input. It was a major shift.” Antonides boned up on process control networks, and now he works in tandem with the engineers to do cybersecurity vulnerability assessments at the plants.

You can propose the most wonderful, cost-saving, mega-ROI convergence project in the universe, but if the CEO doesn’t feel as warm and cuddly about it as you do, your proposal will stay just that-a proposal. One way to get the green light for your initiative is to demonstrate smaller-scale successes first. At EDS, Pembleton wanted to consolidate data security management (which includes policies, standards, education and security compliance monitoring) from multiple local sites, with multiple standards and approaches, into a centralized site. “We had conversations about what we were trying to do, then did a couple of sites to prove the concept,” he says. “The centralization proved so efficient that the senior leadership raised the question, ‘Wouldn’t it be more efficient to put all four lines in the same security organization?’” Ultimately, the success of the consolidation project helped pave the way for Pembleton to converge the privacy group and the physical, logical and information groups under one umbrella.

What are the roadblocks and potholes we need to plan to avoid on our way to convergence? - Turf battles. Many employees, both managers or lower-level employees, will be unhappy with any change to their turf. They’re not going to like whom they report to, whom they have to work with and the new projects they’re assigned to. Egos will be bruised, if not battered. When Mecsics consolidated security functions at Equifax, he had to deal with pushback from certain process owners. For example, the CIO was reluctant to turn over control of his systems to Mecsics. So Mecsics used a personal approach in which he listened to their concerns and tried to win their hearts and minds. “I said, ‘I’m not going to do anything to hurt your system or inhibit your business processes. I’m here to protect you so our CEO isn’t standing before a congressional committee someday explaining why credit reports are in front of some gym locker,’” he says. He used the same approach with HR, which, prior to his arrival, handled all company personnel issues. Mecsics convinced the HR leadership that the security organization should take over responsibility for developing background check policies. He also assuaged their fear that he was coming in there to steal people from their department.

Communication is also critical-if you don’t get buyin initially, communicate with the leaders who are feeling the impact of whatever change you’re trying to make, says Pembleton. “Try to put yourself in the other person’s position, and ask yourself, What would I want to know if someone from headquarters showed up and wanted to change the way I deliver security services?” he says. Another way to sell a convergence project, advises Steve Hunt, a former vice president and research director at Forrester Research, is to package it with something that executives can more easily understand. He cites, as an example, trying to build a better security architecture using public-key infrastructure (PKI)-a major undertaking. Executives might view it as an expensive

- Executive buy-in.

40

FOCUS

SECURITY

investment that doesn’t return immediate value to the company. Implementing PKI would require every business unit to conform their applications to the system, and users would have to change their behavior. Trying to sell that kind of project is a lot of work, says Hunt.

Wipprecht took a long, hard look at the structure of his department. His guiding question became, Do we have the right people with the right expertise in the right jobs in the right locations? “With 300 people, it becomes a significant issue evaluating where your needs are,” he says of his security organization. After spending several months studying case metrics, such as volume of work and number of phone calls, Wipprecht found that there were some redundant management positions. That led the company to offer retirement packages to some of the agents and management team members (he declined to say how many).

A better way to sell it is to package it with a one-card system that controls both cyber and physical access. Moving to one card will save money and increase operational efficiency. “Everybody gets a digital smart card-a big step toward PKI-and you can help sell it by saying the card would contain a smart chip that contains all of a user’s passwords. Users would get behind the idea, and it would be only a small step toward moving to full-fledged PKI,” says Hunt. “A convergence project will fail if it can’t demonstrate business value. Some convergence projects have to be made more relevant to the business,” he says.

During the review process, Wipprecht also sought the input of his staff. “You have to communicate. You redefine the new organization, set goals, then go to the agent level for their input. We want participatory management. The responses I got really helped formulate what our organization was going to be today,” he says.

- Cultural differences. It’s no secret that, in many companies, corporate security people are from Venus and IT security people are from Mars (see “Mad About You,” and Smackdown!). So CSOs with a bent toward convergence need to be aware of the cultural differences-and not just between physical and information, but among all security-related departments-and have a plan to deal with them. Cross-training is one effective way to make people more understanding of their fellow employees. Pontrelli at Triwest and Telders at Pemco both crosstrain their physical and information security staffers.

Wipprecht also says training is key to a successful, converged department. “We as a management team have an obligation to have the best and the brightest,” he says. “To do that, we need to provide the training they need to maintain an expert level. If they’re the best they can be, that can only assist you in the field as agents communicate with customers, the FBI, Secret Service, whatever. It saves time and money.” - Information sharing.

- Organizational structure.

Think about information-sharing between the FBI and CIA. Or the FBI and CIA and NSA. Or FBI and CIA and NSA and DoD. You get the drift: Getting security folks to share information can be as hard as telling your boss his putt isn’t a gimme.

As part of the convergence process at Wells Fargo, in which external and internal investigations were brought under the corporate security umbrella,

41

FOCUS

SECURITY

Security pros “are not accustomed to talking a lot; they’re trained to protect information,” says Richard Loving, CSO and director of administration at BWX Technologies (BWXT), a manager of nuclear plants and other high-security facilities.

Second, a small but growing number of academic programs (at Northeastern and Carnegie Mellon, for example) are available to help round out your background. John Petruzzi, an ex-Marine now leading security at Constellation Energy, took SANS Institute classes to get up to speed on information security. It can be done.

Loving says communication across his organization was the biggest challenge he dealt with when he centralized security, which had been the domain of each individual nuclear facility. To get over that hurdle, Loving has emphasized to facility security managers that working together is in the best interests of the company and that headquarters is trying to enhancenot control-their local operations.

Third, other companies get around this by not putting a single individual in charge. Having all security functions report equally into a Chief Risk Officer or a department of risk mitigation is one possible solution. The aim is to achieve cooperation without making one group feel that they’ve been put under the thumb of another. (See next question.)

He also advises showing employees the successes of their collaboration. “One time you may be sharing, the next time you may be on the receiving end,” says Loving. For BWXT, the benefits of information-sharing came after the Department of Energy ordered all its facilities to improve security of controlled removable electronic media (CREM). Loving and his colleagues coordinated a group response across BWXT facilities rather than having each plant act on its own to comply.

If we don’t choose to combine operational groups, can we still get some of the benefits? Steve Hunt, the former Forrester Research analyst (and CPP) who founded consultancy 4A International, believes convergence is better handled on a project-by-project basis. “You might have two employees, both with the company for 10 years, and [the infosecurity person] gets paid twice as much as the [corporate security person]. That makes for a natural cultural segmentation in the department,” says Hunt. “My argument is, let’s keep talking about converging the departments, but what’s the hurry? The business doesn’t care who people report to as long as value is delivered.”

This kind of sharing won’t come easily; it’s an evolution, Loving says. “It really is getting people to open up and share and recognize that there will ultimately be benefits, whether in operations, security or safety.” Given that most security personnel are from one background but not the other, how is such a person going to have the credibility and expertise to manage both functions?

We’ve seen more and more convergence articles and presentations in the media and at trade shows. Why all the buzz at this point in time?

First, CIOs/CSOs leading formally converged programs stress that the leader doesn’t have to be an expert in every sub-field of security. That’s what you hire smart infosec and physical security specialists for.

Here are five current trends knocking down the walls between traditional security stovepipes.

42

FOCUS

SECURITY

1. Technology convergence. Corporate security services-video surveillance, access control, fraud detection and access control, for example-are increasingly database-driven and network-delivered. In other words, IT is ever more tightly woven together with physical security.

3. Community convergence. Security is an associationdriven world, and for years the associations gave little acknowledgement of each other’s existence. That changed in a big way in 2004 and 2005, notably with a statement of solidarity from CISSP promulgator (ISC)2 (in the infosec corner), CPP certifier ASIS International (from the corporate security side) and IS audit association ISACA. Observers such as Williams (who is active in ASIS) anticipate ever more concrete cooperation between these communities over the near term.

2. Vendor convergence. Not so long ago, infosec vendors protected networks, and physical security vendors protected bricks and mortar, and the two never met. Now a growing roster of security companies operate in both spaces, as well as in other risk-related areas. Brink’s, the armored car company, offers managed network security services. Unisys, the former mainframe purveyor, has a consulting business in supply chain security. Software giant Computer Associates is mixing with smart-card vendors like HID in the Open Security Exchange consortium, developing a network-and-building-access standard called PhysBits. Kroll, historically a physical security services provider, owns digital forensics unit Ontrack Data Recovery.

4. Threat convergence. Hancock, among other experts, has been sounding the klaxons about the idea of blended threats (combined physical and logical attacks) for some years. The most likely scenario is a physical attack (such as 9/11) with its effect multiplied by concurrent digital denial-of-service attacks aimed at telecommunications or other infrastructure. This scenario becomes more likely as digital controls become more and more prevalent for physical systems. Hancock tells of a company that extolled its foresight in implementing a door-lock system at headquarters requiring verification of digital certificates to allow employees to enter. Hired as a consultant, Hancock used his laptop to launch a “mini-DDoS” attack against the server that handled the verification. Throughout the building, the door locks stopped working.

Bill Hancock, CSO and vice president of global security solutions at Savvis, points out that this is a rudimentary form of convergence. Nevertheless, Hancock expects vendors to continue to merge and meld these distinct product lines into more tightly integrated offerings. And aside from these well-known companies with roots in one discipline or the other, a growing fleet of smaller vendors now present all kinds of interesting examples of cross-functional services. Green-Tech Assets is an interesting illustration, offering a computerdisposal service that blends physical, digital, legal and insurance safeguards against potential liabilities created by inadvertently dumping hard drives and other technology assets containing sensitive financial or customer records.

5. Educational convergence. This trend is just picking up steam, but universities such as Carnegie Mellon and Northeastern have launched programs aimed at equipping students with a portfolio of knowledge and skills in both corporate and information security. I’ve also seen some companies who’ve tried a single security department and then moved away from it.

43

Video Surveillance

and Data

Monitoring It’s getting easier to keep an eye on employees and customers, both in terms of video surveillance, with ever smaller and cheaper digital cameras, and data monitoring, with powerful tools for examining emails, web activity, and network packets. Done correctly, these surveillance activities can help deter or catch theft and fraud. Done poorly, however, surveillance can be expensive and ineffective, and can create legal risks and morale problems. Here are pointers on creating and communicating your policy, determining return on investment, and other video surveillance basics.

Why is the policy so important, and what should my corporate policy include?

policy might state where cameras can be placed, as well as the fact that employees have no right to privacy in the general working areas of a facility. An electronic monitoring policy might state what forms of communication the company monitors; a very broad policy might include use a phrase such as “all electronic communication media including, but not limited to, e-mail, instant messaging, and web browsing”. Some companies choose not to monitor so extensively. In any case, policies should also make clear the disciplinary consequences that can result from unprofessional employee actions caught on video or over the network.

Policy is important because mismanaged security surveillance is expensive and wasteful and can create legal and employee morale problems. Four simple rules to follow: 1. Create a written policy that’s fair and clear. This is the smartest step toward intelligent workplace surveillance, so it’s a little surprising that so many organizations fail to do it. A video surveillance

44

FOCUS

SECURITY

the scene, he worried that he was about to take a giant step backwards.

2. Put the policy in your employee handbook and require an employee signature.

Then Bielec had an inspiration. Because two sides of the control center were glass, he decided to turn the monitor banks around, so that the monitor screens faced outward. With this change, any SAS employee walking by the control center can see exactly what the cameras are being used to observe. “I told employees, come on down, you can see what we’re looking at. We can show you how [the system] works; we’ll let you play with the joysticks,” he says. “That alone allayed the monitoring fears.”

3. Periodically remind people being monitored of what the policy says. This helps with legal liability (so that, for example, an employee fired for breaking the policy can’t file an effective ‘wrongful termination’ lawsuit using the “I wasn’t notified of the policy” excuse). Also, simply communicating the fact that a company has a policy can act as a deterrent to potential wrongdoers. 4. Enforce the policy consistently and fairly. Otherwise, you send a confusing message to your employees and risk creating the appearance of favoritism. (This also means the policy needs genuine buy-in from upper management.)

What Bielec came up against was a very open, creative corporate environment, not unlike that found on a college campus. To many employees, the installation of cameras screamed of Big Brother syndrome. Bielec assured employees that the system was more about customer service (such as letting employees back in the building if they accidentally got locked out during a smoking break), to give employees peace of mind and to keep an eye on more places than was otherwise humanly possible (data centers, for example).

I am concerned about employee morale if we institute a strict policy. A key strategy is to communicate not only your policies and practices, but also the reasoning behind them. Here’s a great example. In 1993, software company SAS built what’s known as Building R on its Cary, N.C., campus. A security control center was located in the subbasement to monitor the new CCTV cameras that were being installed around the campus in lobbies, entry points and the campus day care. (Before 1993, SAS use of CCTV was minor.) However, SAS failed to anticipate the displeasure that spread its way through the employee ranks. Soon rumors started floating around that there were covert cameras. Questions arose: Why are they putting in cameras? What are they watching? Why do we need so much surveillance? “I had done my best to develop a relationship with the employees,” says Miles Bielec, head of security at SAS. When the cameras came on

If your policy is strict, but the reasoning and motivation is clearly explained, and if you also demonstrate a certain level of reasonableness in the way you handle surveillance and monitoring matters, it’s likely that employees will understand. On the technology side, the choices between CCTV and newer digital systems is difficult. How about some guidance? Experts say video surveillance technology adoption is progressing over three phases: Phase 1: Standalone CCTV systems. These are

45

FOCUS

SECURITY

regarded as relative dinosaurs, but sturdy and simple. They will fade as surely as typewriters did.

repeatedly mishandles egg cartons during scanning) can be identified and ameliorated quickly. “Almost immediately,” says Ramos, “we’ve seen a significant decline in shrink.”

Phase 2: Hybrid digital-analog systems. Sometimes networked, they use black-box digital video recorders (DVRs, essentially TiVo boxes). This represents the transition between old and new— such as those word processors that came after typewriters, but before PC programs.

Here are four considerations in support of newer technology. 1. Better visual data. Optics have vastly improved with the new generation of cameras, which, are more widely available. Dave Kent, CSO of Genzyme, says, “You can now buy equipment online that you used to have to go to some custom shop in an alley in New York to get. Good lenses. Low light. Thermal imaging. This stuff is smoking.” Director of Corporate Security Sheila Bramlitt’s bank, First Horizon National, helped solve a case involving kidnapping and homicide by using pictures captured from a camera at one of its ATM machines. “It looked like the person was posing for a portrait,” she says. “We’ve come a long way from the blue-gray fuzzy blurs.” With better resolution, one camera can cover a wider area, or digitally zoom for fine detail. Casinos love this.

Phase 3: Fully digital, networked IP-based surveillance. Here, video surveillance is just another node on the IT network. Cameras have IP addresses, controlled centrally with any number of software applications on top of the raw visual data. Joseph Freeman’s market research shows that CIOs are certain that they want to move off standalone closed circuit TV, but unsure that they’re ready to move on to what they’re being told is the more powerful, more dynamic future of video surveillance—fully digital systems. So they network their DVRs to get a few benefits of the new technology without a real commitment. They add some digital systems, while keeping CCTV with DVR. They’re milking their old investments.

2. Standard IT infrastructure. Historically, “You were tied to your supplier,” says Joe Freeman, a security industry consultant and president and CEO of J.P. Freeman. IP-based video will allow CSOs to use the same servers and bandwidth as the rest of the company. What’s more, cameras running IP over ethernet can have both data and power go through the same ethernet cable, with backup power on the same supply as the IT systems backup power supply. Prisons and areas vulnerable to wide-scale natural disasters love this.

3. Efficiency through centralized monitoring and automation. Simple math: When you have 30 sites worldwide, feeding video into a single control room instead of having 30 control rooms creates efficiency. Automated alarming further reduces the need to keep eyeballs fixed to screens everywhere. Digital archives are easier to access (“Tape,” says one integrator, “basically requires a full-time employee.”) Global companies with small sites love this.

4. New applications. It is software that will finally revolutionize video surveillance. Vendors are promising seemingly limitless applications to make video smart: Motion triggers, which can tell cameras to jump into high-resolution mode and track objects; software which can discriminate between a human form and, say, a skunk (thus reducing false alarms); applications which link video surveillance to access systems and safety systems, so that the surveillance system could call the fire department or help turn on sprinklers. Insurance companies love this.

New digital technologies can pack some punch. One example: Pedro Ramos, director of loss prevention for Pathmark Stores, identified a problem universal to grocery stores. Most inventory shrink—shoplifting, employee theft and damaged goods—occurs at the point of sale. So he installed digital video that links to the cash registers at all of his stores. “I can look at the [digital archive of the] register tape, pick out any item on that tape and be taken to the archived video of that moment in that transaction.” This allows quicker response to incidents and deters theft. Recurring problems (such as a cashier who

Four caveats on digital IP video:

1. Digital IP surveillance requires a higher capital investment. The vendors will promise that despite this, they’ll also provide higher returns faster. Make them prove it, like Pedro Ramos, director of loss prevention at Pathmark Stores, did. The cost of the cameras is actually negligible compared to application costs, storage costs, bandwidth costs, training costs, and, critically, security costs of using the Web to transmit image data and other security data. “They’re making money in this industry, believe me,” Genzyme CSO Dave Kent says.

2. New skill sets are needed. While CCTV was largely a monitoring game, the whole point of digital video surveillance is to reduce the need for eyeballs plastered to screens. It’s a rules-based game. What triggers an alarm? A moving object? What kind? How is it moving? And when does it trigger? Only after hours or all day? It will require intense review and possibly modification of business processes. “What we’re looking for is actionable intelligence,” says Sandra Jones, a security industry consultant for Sandra Jones and Co. “That means we have to filter, filter, filter.” IT expertise will also be required.

3. Information overload is a real threat. Sheila Bramlitt, director of corporate security at First Horizon National, says she could put surveillance everywhere, but that’s just asking for trouble. A company would drown in visual data and false alarms. “That’s where we go to risk analysis,” she says. “We use our own case intelligence, public crime stats, lots of sources. We form this picture of where we need it most and start there. It’s easy to use video surveillance. Using it efficiently is the challenge.”

4. Buying now means not buying something better three months from now. Like a consumer buying a PC knowing faster, cheaper ones will be out tomorrow, CSOs have to make a leap of faith to get into digital video surveillance. This is a fact: The technology will continue to improve and come down in price. So when do you make that leap?

What are the best practices for handling and storing CCTV tapes? According to consultant John Kingsley-Hefty: “The key is building a tape swap and storage schedule that rerecords the tapes equitably. Tapes will wear, over time, to the point of failure. Color-coding by day and/or shifts, and numbering by week works well. The key is designing your system around your required video storage retention schedule. To ensure that tapes are rerecorded according to the proper sequence and schedule, shuttling tapes per day or week to a separate secure area—or in some cases, offsite—works well.”

A big cost consideration is frame rate, which affects tape requirements or, for digital systems, storage and bandwidth requirements.

How many frames per second do you need for your surveillance project? It depends. Thirty frames per second, used by televisions in the U.S., is the gold standard, but it’s often unnecessary, says Aaron Chesler, NiceVision’s director of sales for the Eastern region. Video quality at 15 fps is usually good enough, he says. With 15 fps, you also use only half as much bandwidth and disk space.

You can use various architectural tricks for helping reduce storage and bandwidth requirements. For example, you may find that in some instances you can store digital video locally (on a DVR near each camera) rather than streaming it all back over the network to a central location.

What about using fake cameras, deactivated cameras, or hidden cameras? All of these strategies may have a place in your overall surveillance plan. Fake or deactivated cameras are an attempt to get the deterrence value of surveillance without incurring the expense of video storage and maintenance. Hidden cameras, obviously, aim not to stop illicit behavior but to catch it on tape.

However, all of these strategies create risks of different sorts. Douglas Durden, manager of safety, security and asset retention at Mallory Alexander International Logistics, thinks fake cameras can impart a false sense of security. “Let’s say someone is standing in front of what appears to be a camera. If a guy pulls a gun and takes a person’s wallet, you should be able to pull it up on tape [but you can’t]. Then you have to tell the person it was a fake camera,” he says. Lawsuit, anyone?

Walter Palmer, founder and principal of PCGsolutions, a retail loss-prevention consultancy, also advises caution. “One of the things you have to be careful of is, do you have an obligation to provide certain levels of security? If you don’t have cameras and something occurs or you have dummy cameras, could you be liable for negligent security?” he asks. The short answer is yes.

All things considered, attorney Jennifer Shaw of Jackson Lewis thinks there are limited circumstances in which fake cameras are appropriate, but generally they do more harm than good.

Here’s an illustration of similar risks created through covert surveillance. In November 2004, nurses at Good Samaritan Hospital in Los Angeles were in a break room when, according to accounts, they spied a thin beam of light coming from a clock. They were shocked to discover a hidden camera with a tiny lens behind the number nine. The nurses immediately spread the word to their colleagues; eventually they discovered a total of 16 hidden cameras in the clocks of break rooms, a pharmacy and a fitness center, among other locations.

In addition to the fact that the nurses hadn’t been informed about the cameras, they were also upset because some of them changed their clothes in the break rooms. They felt that their right to privacy had been violated. In a press release, a California Nurses Association spokesperson said, “This is a pervasive problem throughout the hospital that is a disgraceful violation of the legal privacy rights of the RNs and reflects a deplorable attitude of the hospital administration towards its caregivers.”

Hospital officials defended their actions—they claimed the cameras were installed for security reasons, that it was standard practice in hospitals, that they had planned on informing the nurses and that the cameras hadn’t been turned on. They also noted (see the first tip) that the nurses’ employee handbook, which all must sign, states that surveillance might be used.

Ultimately, the messy situation might have been avoided if hospital execs had informed the nurses of their plans beforehand, explained that the cameras were for their safety and made them overt instead of covert. By neglecting to inform the nurses until the cameras had been discovered, the hospital aroused suspicion and ill will. The bottom line on hidden cameras is that there may be a place for them, but CSOs need to weigh the risks and use such strategies with due caution.

How do I determine the return on investment for surveillance equipment and efforts? It is not possible to create a generic return case for video surveillance because, while its applications overlap, they are also varied. At the Pathmark Stores grocery chain, Pedro Ramos, director of loss prevention, looks at inventory shrink and insurance fraud (customers taking pratfalls), among other issues. Sheila Bramlitt, director of corporate security at First Horizon National, must focus on cash theft and safety (armed robberies). At Genzyme, a manufacturing and R&D venture, CSO Dave Kent monitors assembly lines and corporate espionage.

Having said that, here are five ROI rules of thumb that apply to these sources and others. Some of these rules pertain to all surveillance, while others are specifically about the differences between CCTV systems and IP-based digital ones.

*Digital video surveillance scales well. The larger your planned installation, the more remote sites you plan to monitor from a central control room, the more efficiency you can create and the faster your return will come.

*Cost calculations favor digital video over closed systems. “The economics of storage favor standard IT infrastructure,” over closed systems such as DVRs, says Bob Degen, senior vice president of corporate security of First Data. “The equipment functions better with less repair. It’s easier to expand on. We’re in the process of building a command center. We’ll put all alarms, images, sound and voice over the Web to that centralized site. That will create huge advantages.”

*Integration with other systems will cost more up front but will also facilitate positive ROI. Linking video surveillance to access and safety, especially, could possibly allow you to lower insurance premiums, but also to facilitate response times to crises large and small.

*Cross-threading applications and systems allows you to share the cost burden with other departments. “We partner with safety and business continuity of course, but also, say, our real estate group,” says Bramlitt. “If we can partner with them when they’re building a new site, we can share the costs and benefits.” It makes upgrades an easier sell, she says.

*The more things a video surveillance system does, the higher the ROI. What software applications, or even business activities, exist to extend the usefulness of the surveillance infrastructure? Training? Marketing? Find those that are realistic and attach a value to them.

Here are two examples of companies doing detailed ROI analysis regarding system upgrades.

Pathmark’s Ramos hesitates to endorse the IP-based digital video hype. His system is, in fact, a hybrid (similar to those of Bramlitt and Genzyme’s Kent). Pathmark combines digital and analog, and even uses some tape storage. It’s on the cusp of a phase 3 system, but not quite there. Why? “The cost to convert over fully isn’t quite where we need it” [as of early 2005], Ramos says. He’s not just guessing either. Ramos demanded and is getting an average of about 13.5 percent ROI from his video surveillance upgrade. And, under the right conditions, some of his stores will recoup costs in less than two years, some stores in less than one. “We need a six-month time frame for video storage, and I can’t cost-justify a fully digital system with that requirement yet,” Ramos says. (Ramos declined to share specific surveillance investment figures.)

Intel security manager Allen Rude also did a detailed ROI study before moving from CCTV to digital systems.

Give me some examples of non-security applications for video surveillance. The new era of video surveillance is comparatively airy and bright, where cameras give CSOs better pictures faster, in any light or weather; where the Internet allows us to log on from home and check in on any of our sites; where sleek technology focuses on business growth; and where it focuses on, say, four business problems at once. Video surveillance suddenly has street cred in marketing, HR, travel services, even customer relations.

Thus, when Dreams bed stores in Britain recently put its system in place, its primary function wasn’t even security; it was marketing. The company is measuring foot traffic around the store. The secondary function was security. And the tertiary function was human resources, using the video for training. “That made it a pretty easy sell actually,” says Darryl Marshall, an integrator who oversaw the project (which, by the way, he says was led by Dreams’ IT project managers).

As digital video quality improves, training rapidly gains purchase as a prime application. Ramos uses his new system to train cashiers and other store-level associates. Captured images of employees doing something well are posted as a method of positive reinforcement, and captured images of common mistakes get tacked up too, as an awareness tool. In retail industries, especially, marketing wants in on video surveillance. Consultant Jones is working with retailers to map store traffic to improve the flow of customers and increase safety. Others are using the visual data to watch inventory levels.

Companies are cutting travel expenses by using the infrastructure for meetings. Or using it for OSHA-like inspections of restaurants, allowing more inspections with less travel dollars spent. Genzyme’s Kent uses video for quality control by monitoring production trains.

A public utility uses cameras to validate trespassing incidents. Police issue tickets and revenue increases. At the same time, costs incurred by the court system fall, because perpetrators don’t challenge the visual evidence. A hump yard, where train cars come off boats and trucks and are assembled into trains, repurposes its video surveillance. Now managers not only watch fence lines for trespassers and would-be thieves, but they manage the logistics of assembling the trains correctly and getting them, literally, on the right track—a job that used to involve several men in towers talking to each other and people on the ground as they looked out over their vast yards with binoculars.

A major transit authority watches its stations, measures footfall and traffic patterns, reconfigures stations to reduce congestion, adjusts train schedules based on the visual data, locates common loitering spots and makes them less loiterer-friendly. All of the following increase: safety, ridership and revenue.

If we go with digital systems, the CIO is going to have to be involved because of the network demands.

New video surveillance technology makes it imperative that the security team and the information systems group work closely with each other. Here are two reasons why: One, many of the new generation of video surveillance vendors are going to them, not you, to sell this stuff. “CSOs are not always driving this purchase,” says David Levine, a surveillance systems integrator. Vendors target IT because there’s more familiarity with technology, and probably more receptiveness to upgrading it too.

Two, trying to make video surveillance part of the IT network will obviously require heavy participation from IT. Says Levine, “If you try to deploy digital video surveillance without the full support of IT, you’re done.” Pathmark’s Ramos underscores that: “Get IT involved; get them to help you build an ROI model; get them to help develop the best system for your needs.”

It’s not surprising then that Ramos and every other CSO we spoke with who had dabbled in upgrading their video surveillance claimed to have an excellent relationship with his or her CIO. At Dallas Fort-Worth Airport, Bowens managed the video surveillance upgrade from the IT department. “When I’m asked how I ended up in security,” he says, “I say it invaded my world.” In the case of the New York State Unified Court System, the team in charge of the surveillance project was the CIO’s, not the security officers from the Department of Public Safety (although the two groups did work closely throughout).

But the CIO smartly deferred to the security team on issues he didn’t know about. First, he says, the security team determined the most vulnerable locations, determined camera positions, types of cameras—stationary versus pan-tilt-zoom, indoor versus outdoor—and then did a cost impact.

What we have here with digital video surveillance is security convergence—one of the first major security purchases that not only could benefit from but absolutely requires the cooperation of the CIO and CSO. CSOs can’t do this without IT’s technological expertise. Bramlitt at First Horizon was ready to cede control of managing the IT requirements—network bandwidth demands, server capacity, storage configurations, data security—to her CIO and CISO.

“We come to mutual agreements on what’s adequate,” she says. “There’s no in-fighting. I understand their business needs; they understand my security obligations.”

The CIO is also involved with data monitoring. How is that related?

They’re just two different means of watching people. And it’s silly to spend a lot of time and energy doing one well while doing the other in a haphazard manner.


The Massachusetts Department of Revenue has been practicing data surveillance longer than most. More than a decade ago, top managers at the state agency realized that some employees would be unable to resist the lure of the department’s treasure trove of personal taxpayer information. “Sports figures seem to be the biggest draw. It’s like a disease. People just can’t seem to resist” peeking at athletes’ private financial information, says John Moynihan, a 22-year veteran of the department who is now deputy commissioner and internal control officer.

Other people’s tax data may be a draw for the curious, but resist they must, as it is against department policy for anyone, including employees, to access taxpayer data without a legitimate business reason. And it’s illegal under Massachusetts law for anyone to disclose such data. So in 1992 the agency built a homegrown system that would alert the information security department every time an employee accessed a high-profile resident’s income tax file. The system worked well, catching a handful of illegal browsers (some of whom immediately lost their jobs) each year, including a case where an employee accessed the income tax records of one of her husband’s coworkers. Seems the husband had been passed over for a promotion (which went to the coworker), and snooping through that person’s financial data made the couple feel better.

Eventually, Moynihan—and his boss, the commissioner—realized the DoR had to monitor every access of every taxpayer’s personal information on the database. Integrity of the process was not only an ethical matter—a public-sector breach could lead to major political ramifications. “If at any time a confidentiality problem hit the papers and taxpayers felt the system was not protecting their information, it could impact voluntary [income tax] compliance. The consequences could be immeasurable,” he says. In 1997, the Department of Revenue spent $300,000 (out of an overall IT budget of $25 million) to custom develop its Transaction Tracking system based on a Unisys mainframe. The system captures every access of taxpayer data in Massachusetts and creates audit trails for future reference. Once auditors monitoring the database identify a potential violation of the data access policy, such as an anomaly in the audit trail, they give the employee a chance to explain. If there is no reasonable explanation for the data access, the case is referred to internal investigators for further analysis and an interview with the employee. Disciplinary actions that could follow include firing an employee for a first offense.

Today, Moynihan consults with other states and gives presentations to both public- and private-sector audiences on how to take a commonsense approach to data surveillance and privacy policies. He advises clients to create a strong data access policy, train employees on that policy and then enforce violations. Sounds simple enough, but there are many traps for the unwary. Technology and tools now exist to scan and store just about anything—employee access to databases, as well as e-mails, instant messaging transcripts, Web surfing habits, keywords entered and even each individual keystroke in files. In addition, it’s long been established that employees have no expectation of privacy in their use of company systems. But how do you do this well and cost-effectively? It takes an assessment of your organization—the purpose of your business, the kind of data you have, the nature of employees’ work, and the culture that allows them to be successful—balanced with the need to secure the integrity of your key information assets.
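The two generations of monitoring described above (a 1992 alert on every access to a high-profile resident’s file, then a system that records every access and lets auditors pick out anomalies for the employee to explain) can be illustrated in code. What follows is an added example, not the Department of Revenue’s Transaction Tracking system: it assumes a constructed pipe-delimited audit trail, a constructed watch list standing in for the high-profile files, and a hypothetical threshold for accesses that carry no case reference. It produces a review queue, not disciplinary decisions, matching the explain-first process the text describes.

```python
"""Audit-trail review for taxpayer-record access: added example, not the
Massachusetts DoR Transaction Tracking system. All data below is constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed audit trail, one record access per line:
# timestamp|employee|taxpayer_id|case_id   (empty case_id = no linked work item)
SAMPLE_AUDIT = """\
2005-03-01T09:02|emp101|TP-0001|CASE-77
2005-03-01T09:05|emp101|TP-0002|CASE-77
2005-03-01T09:40|emp102|TP-9001|
2005-03-01T10:10|emp103|TP-0003|CASE-80
2005-03-01T10:12|emp103|TP-0004|
2005-03-01T10:13|emp103|TP-0005|
2005-03-01T10:14|emp103|TP-0006|
2005-03-01T10:15|emp103|TP-0007|
2005-03-01T11:00|emp101|TP-9002|CASE-81
"""

# Constructed watch list standing in for the "high-profile resident" files
# that the 1992 system alerted on (hypothetical identifiers).
HIGH_PROFILE: Set[str] = {"TP-9001", "TP-9002"}


@dataclass(frozen=True)
class Access:
    ts: str
    employee: str
    taxpayer: str
    case: Optional[str]   # None when the access carries no business reason


def parse_audit(text: str) -> List[Access]:
    """Parse the pipe-delimited trail; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, tp, case = line.split("|")
        records.append(Access(ts, emp, tp, case or None))
    return records


def find_violations(records: List[Access],
                    high_profile: Set[str] = HIGH_PROFILE,
                    uncased_threshold: int = 3) -> List[Tuple[str, str]]:
    """Return (employee, reason) pairs for an auditor to follow up on.

    Two rules taken from the description above:
      1. every access to a high-profile record is surfaced, case link or not;
      2. an employee whose accesses without any linked case reach the
         threshold is surfaced, since policy requires a business reason
         for each access.
    The output is a review queue: the employee gets a chance to explain
    before anything is referred onward.
    """
    findings: List[Tuple[str, str]] = []
    for r in records:
        if r.taxpayer in high_profile:
            findings.append((r.employee,
                             f"accessed high-profile record {r.taxpayer} at {r.ts}"))
    uncased = Counter(r.employee for r in records if r.case is None)
    for emp, n in sorted(uncased.items()):
        if n >= uncased_threshold:
            findings.append((emp, f"{n} accesses with no linked case"))
    return findings


if __name__ == "__main__":
    for emp, reason in find_violations(parse_audit(SAMPLE_AUDIT)):
        print(f"{emp}: {reason}")
```

On the constructed trail, emp102 and emp101 are surfaced for touching watch-listed records (emp101’s access is surfaced even though it has a case reference, because the rule is deliberately unconditional), and emp103 is surfaced for a run of four accesses with no case attached. The threshold is the knob that trades false alarms against coverage, which is the same filtering problem the surveillance section raises.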


Know which electronic resources are most valuable

You could make a reasonable case (as the vendors do, every day) that data monitoring is a cost-justified, loss-avoidance tool that every company should employ. Surely all public companies that are subject to Sarbanes-Oxley and similar regulations should use some form of data monitoring to ensure compliance as well as safeguard data. But every company is unique in terms of the kind of data it keeps, the value of different data and its intellectual property. Figure out what you can’t afford to lose, and apply the most rigorous monitoring there.

Many companies also need to monitor the way employees interact with data to ensure adherence to policies for compliance with Sarbanes-Oxley and other regulations. “We monitor key corporate financial systems to ensure there is no inappropriate activity,” says Anne Rogers, director of information safeguards for Waste Management, a $12.5 billion publicly held trash services provider. The company also uses Web filtering software to block access to sites that contain inappropriate material.

Rogers says her job is not made easier by the fact that most of the company’s 56,000 employees (such as the garbage collectors) do not use computers. She says that “while only about one-third of our employees work on the computer systems,” a number of factors—network and application configurations, the number of company locations, variations in user roles and compliance requirements among them—drive the information access and protection workload.

Remember the insider threat

Information security has for the most part focused on the perimeter of the network. But experts and CISOs agree that the biggest threat to data security comes from insiders who have free and easy access to the data, not outsiders who manage through extraordinary means to penetrate a firewall and various authentication measures.

“I worry most about the insider threat. An unhappy employee is far and away the most difficult to track down and potentially the most dangerous,” says David Mortman, CISO for Siebel Systems, a customer relationship management software maker in San Mateo, Calif.

To combat the internal menace, you’ve got two choices: Lock down data access (not possible or desirable for most companies) or keep watch over what employees are doing with your critical corporate data. If the most valuable intellectual property (IP) your company possesses is about to walk out the door (on a laptop, USB drive, MP3 player or CD, or sent to an FTP site), wouldn’t you want to know about it? There might be a perfectly innocent reason the employee did what he did.

Joe Rizzo, acting CISO at multiplayer online game developer Perpetual Entertainment, acknowledges that it is a continuing struggle for organizations to find the right balance between knowing what’s happening with data and maintaining employee morale. “It’s touchy because our employees don’t want to feel like they’re being watched,” he says.

Rizzo has arrived at what appears to be a reasonable compromise: Perpetual uses Tablus’s Content Monitor Alarm to monitor access of its game source code, especially since it often works with third-party developers. The system makes a digital footprint of the source code. “It’s our livelihood. We have to control and monitor that data. If we see our IP leaving, we will take action,” he says. But he does not block any websites or curtail the use of IM.

Education is still key

Some CISOs elect not to alert employees that they are being monitored, preferring to watch the activity in its raw state. Others give explicit warnings about the monitoring and consequences of improper behavior. Moynihan of the Massachusetts Department of Revenue says it is essential to let them know in advance. If there is no legitimate business justification for accessing the taxpayer’s file, the employee (any employee) could be dismissed the first time. He also believes the up-front warning has a deterrent effect. Moynihan’s agency helps workers avoid inadvertent improper behavior. He has set up a training program to educate employees on everything from what constitutes legitimate file access to what employees should do if they access the wrong file by mistake. The agency has gone so far as to show a training video that new hires see during orientation and everyone else can see via the agency’s intranet. Every single employee, from the lowest to the highest, must sign the confidentiality memo once a year.

Don’t forget contract workers

Companies with poor deprovisioning processes often leave contractor access open longer than necessary. Make sure your contractors know the rules, and then pull the plug on them as soon as their work is done.
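Rizzo’s description of a content monitor that takes a “digital footprint” of the source code and watches for it leaving can be illustrated with a standard document-fingerprinting technique. This is an added example and not the Tablus product’s method: it uses k-gram hashing with winnowing over a constructed snippet of “protected” source and two constructed outbound messages, and the window sizes, threshold and names are assumptions. Nothing is blocked; as in Rizzo’s setup the result is a score and an alert for a human to act on.

```python
"""Fingerprint-based detection of protected source code in outbound content.
Added illustration using k-gram hashing with winnowing; not the Tablus
Content Monitor algorithm. All sample text is constructed."""
import hashlib
import re
from typing import List, Set, Tuple

K = 25       # characters per k-gram after normalisation (assumed value)
WINDOW = 4   # winnowing window over consecutive k-gram hashes (assumed value)


def normalise(text: str) -> str:
    # Drop whitespace and case so reformatting or re-indenting does not defeat matching.
    return re.sub(r"\s+", "", text).lower()


def kgram_hashes(text: str, k: int = K) -> List[int]:
    s = normalise(text)
    return [int.from_bytes(hashlib.sha1(s[i:i + k].encode()).digest()[:8], "big")
            for i in range(len(s) - k + 1)]


def winnow(hashes: List[int], w: int = WINDOW) -> Set[int]:
    """Keep the minimum hash of every window of w consecutive k-gram hashes.

    Because any w consecutive hashes of a shared substring form the same window
    in both texts, every fingerprint of a verbatim excerpt (of length >= K+w-1)
    also appears in the fingerprint of the original."""
    if len(hashes) < w:
        return set(hashes)
    return {min(hashes[i:i + w]) for i in range(len(hashes) - w + 1)}


def fingerprint(text: str) -> Set[int]:
    return winnow(kgram_hashes(text))


def leak_score(protected_fp: Set[int], outbound_text: str) -> float:
    """Fraction of the outbound message's fingerprints found in the protected set."""
    out_fp = fingerprint(outbound_text)
    if not out_fp:
        return 0.0
    return len(out_fp & protected_fp) / len(out_fp)


def classify(outbound_text: str, protected_fp: Set[int],
             threshold: float = 0.5) -> Tuple[str, float]:
    """Return ("alert"|"ok", score); the threshold is a tuning assumption."""
    score = leak_score(protected_fp, outbound_text)
    return ("alert" if score >= threshold else "ok"), score


# Constructed stand-in for the protected game source.
PROTECTED_SOURCE = """
def apply_damage(target, amount, resist):
    effective = max(0, amount - resist * 0.5)
    target.hp -= effective
    if target.hp <= 0:
        target.state = "dead"
    return effective
"""

# Constructed outbound messages: one ordinary, one carrying the source verbatim.
OUTBOUND_CLEAN = ("Hi, attaching the Q3 schedule. Let's meet Tuesday about the "
                  "milestone review and budget.")
OUTBOUND_LEAK = "fyi here is the damage calc:\n" + PROTECTED_SOURCE

if __name__ == "__main__":
    fp = fingerprint(PROTECTED_SOURCE)
    for name, msg in (("clean", OUTBOUND_CLEAN), ("leak", OUTBOUND_LEAK)):
        verdict, score = classify(msg, fp)
        print(f"{name}: {verdict} (score {score:.2f})")
```

Whitespace normalisation means a re-indented or minified copy still matches, and the winnowing property noted in the docstring means even a short verbatim excerpt scores 1.0. What the technique does not catch is a rewrite that changes identifiers or expression order; that is the gap a practitioner should understand before relying on such a monitor alone.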


Momentum and Commitment: Trustworthy Computing After Four Years

A Microsoft Contribution

Four years ago, Bill Gates sent an internal e-mail to all employees committing Microsoft to work toward Trustworthy Computing. It was just an e-mail, but it was a bold move in that it focused the company in a new direction.

It committed Microsoft to making its products more secure, even as the number and sophistication of attacks continued to grow. It committed Microsoft to making products that protect user privacy, focusing on Fair Information Principles that put people in control of data about them. It committed Microsoft to making its products more reliable, recognizing their place in worldwide critical infrastructure (meaning that they are crucial to providing public safety, national security, and economic prosperity). And it committed Microsoft to business conduct of the highest integrity, ensuring that we are open and transparent with customers.

Microsoft employees across the company took up the challenge. Four years later, Trustworthy Computing is no longer an initiative—it’s a Microsoft corporate tenet that guides nearly everything we do. Microsoft has made tremendous progress in providing people with computer use that is safer, more secure, more private, and more reliable. Our customers tell us so, and industry experts have also published statements indicating that they are impressed with what we’ve done. Are we finished, or even satisfied? No, not by any means. We know there remains a lot to do, but we’ve achieved significant momentum. We are proud of our progress so far, and I would like to share some highlights of recent accomplishments in the areas of technology innovation and investment, industry leadership and collaboration, and customer guidance and engagement.


Technology Innovation and Investment

Our core competency is technology and, over these four years, we’ve worked hard to develop trustworthy products and tools. Significant examples include: Windows XP Service Pack 2, an update to Windows XP dedicated almost entirely to security; anti-spam and e-mail authentication tools such as the SmartScreen filter and the Sender ID framework; Windows Error Reporting technology, which automatically collects information about technology failures and allows the user the opportunity to return this useful information to Microsoft, and also offers the user a solution, should any be available; a number of development tools that analyze and test code before it is completed; and information rights management technology to protect sensitive information at the document level.

We made additional technological advances in 2005, both through internal innovation and through investment. We are particularly excited about dividends coming from our Security Development Lifecycle (SDL), a formalized process for incorporating security checks, tools, and best practices into every phase of a product’s lifecycle. In late 2005, we launched SQL Server 2005, Visual Studio 2005, and the BizTalk Server 2006 beta, the first three products to complete the SDL process from their inception through release. Additionally, we’ve integrated the Privacy Process for Product Development into the SDL. This creates a central location for determining the required and recommended practices for developing privacy and security compliant products at Microsoft. Further, we’ve now incorporated both privacy and security requirements into Checkpoint Express, our release management tool that every product must clear before it is released.

Other innovations from 2005 include:

Anti-phishing technology: The Microsoft Phishing Filter warns people of potentially “phishy” Web sites. It is currently available as an add-in to the MSN Search Toolbar, and is being beta tested in Microsoft® Internet Explorer 7.

Windows AntiSpyware beta: This beta improves Internet browsing safety by helping guard against spyware. As of December, 2005, this tool has removed tens of millions of spyware packages for more than 25 million users.

Windows Malicious Software Removal Tool (MSRT): The MSRT, which checks for and removes the most prevalent malicious software families, has been executed some 2 billion times since its launch in January, 2005.

Microsoft Client Protection: This service for business systems, announced in October, will combine strong anti-spyware tools, comprehensive virus protection, and centralized management capabilities for laptops, desktops, and servers.

Windows OneCare: Set to be released in a series of betas this year, OneCare helps protect and maintain computers and provides an integrated service, including antivirus, firewall, PC maintenance, and data backup and restore functionality. OneCare is offered as a continual service, but customers can also get one-off “check-ups” by visiting the Windows Live Safety Center site.

Microsoft also added to its trustworthy technology in 2005 through investment. We completed our acquisition of Sybari, which will enable us to offer our enterprise customers the Antigen anti-virus products. These help provide reliable server-level protection and improved virus detection rates using a multiple scan engine approach, offering customers choice and the most up-to-date protection possible. Other investments in 2005 help our customers with their security management. Alacris technology helps enterprise customers with the process of managing multiple smart cards and other strong authentication devices. FrontBridge and its managed services technology, in conjunction with the Microsoft Exchange Server group, allows Microsoft to deliver services for enforcing compliance through archiving, ensuring e-mail availability in the case of a disaster, and improving protection of employee inboxes from viruses and spam.

Industry Leadership and Collaboration

Microsoft recognizes that people look to us to address problems with technology. We do this not just by making better software, but also by taking an active leadership role in building the trustworthiness of the industry and the environment in which it operates. In one significant example, Senior Vice President and General Counsel Brad Smith spoke in November before the U.S. Congressional Internet Caucus to advocate for federal privacy legislation that would not only better coordinate privacy protections within the U.S., but also better align U.S. protections with those offered by countries around the world.

We’re also using the legal system to hit technology abusers where it hurts: in their cash flow. In 2005, we took a number of legal and enforcement actions to get spammers, phishers, and virus launchers off the Web for good. These include:

• On August 22, the FBI and the U.S. Attorney’s Office for the Southern District of Iowa announced the arrest of Jayson Harris, the “MSN Billing” phisher. This was the first civil case filed by Microsoft related to phishing.

• In March, Microsoft filed suit in Washington federal court against 117 “John Doe” operators of phishing sites.

• On August 9, Microsoft announced it had reached a $7 million settlement with former self-proclaimed “Spam King” Scott Richter.

• Microsoft contributed to the investigation leading to the filing of seven anti-spam enforcement lawsuits by the U.S. Federal Trade Commission (FTC) against companies that hire others to send illegal, pornographic spam.

• Microsoft technical and investigative support helped the FBI and overseas law-enforcement authorities arrest the alleged authors of the Zotob and Mytob worms, only 11 days after the worms were unleashed.

• On July 8, Microsoft made its first payout under its Anti-Virus Reward program, awarding $250,000 to two informants who helped identify the creator of the 2004 Sasser worm, following the conviction of the worm’s author in German court the same day.

• Microsoft also supported more than 135 legal actions against spammers worldwide, including filing 86 lawsuits in the United States. From these, in excess of $184 million in judgments have been awarded.

Microsoft also continues to be active in industry organizations that work toward trustworthy computing goals. These include TRUSTe, an independent organization dedicated to promoting privacy policy disclosure, informed consent, and consumer education, the Global Infrastructure Alliance for Internet Safety (GIAIS), and the Anti-Phishing Working Group, which work to increase Internet safety and security for all users.

At the same time, we recognize that we also must lead by example, through our own internal efforts toward Trustworthy Computing. We have offered security training for our developers for many years, and now we also have role-based privacy training that is mandatory for all employees who have any access to customer or partner information. Our new Privacy Response Center facilitates cross-company integration of privacy response, using a multi-tiered infrastructure that includes subject matter experts within each product group. Additionally, we’ve simplified and shortened our privacy notice by giving customers a clearer one-page summary of our online privacy practices, paired with a full privacy statement that contains more detailed and specific information. For our product teams, we’ve upgraded our PoliCheck content-scanning tool, which scans more than 100 different file formats, including system registry files and Web sites, to search for sensitive geopolitical terms, profanity, and trademarked terms in Microsoft products.

Customer Guidance and Engagement

Microsoft has always believed that customers get the best use from our products when they have the knowledge they need to maximize performance. In the last four years, we’ve developed and implemented numerous tools and programs, and published extensive prescriptive guidance materials. For example, we offer education and training worldwide, both to consumers and to IT professionals and developers. In fact, we’ve provided direct security training to more than 750,000 technology professionals in the last year. We continued this effort in 2005, undertaking a number of education and guidance programs that include:

• Partnering with the U.S. Federal Trade Commission (FTC) and the National Consumers League to promote awareness of phishing scams via an event in Washington, D.C., which coincided with Microsoft’s filing of 117 civil lawsuits against worldwide phishers.
• Supporting the U.S. FTC in its development of OnGuardOnline.gov, a new consumer Web site about online safety and security.
• Working closely with the National Cyber Security Alliance to promote Internet safety, particularly around National Cyber Security Awareness Month in October.
• Joining forces with others in business, industry, and government to support Americans for Technology Leadership (ATL) as it launched its “Take Back the Net” tour in Tampa, Florida.
• Creating Learning Paths for Security, an online security curriculum for developers and IT professionals, organized around four key learning paths: Threats and Vulnerabilities; Identity and Access Control; Regulatory Compliance; and System Integrity.
• Launching or enhancing numerous online consumer resources, including Staysafe.org, Windows Live Safety Center, Windows OneCare Live beta, Windows AntiSpyware beta, the Malicious Software Removal Tool, anti-phishing technologies, and security information for home users in more than 45 languages.

We also will continue to offer users direct means of influencing product improvements, by incorporating feedback from automated tools such as our Windows Error Reporting technology and Microsoft Online Crash Analysis service. These tools offer us a look at how our products perform when actually in use by customers, which helps us see how to improve them. Customer interaction is part of the mandate for the Microsoft Security Advisors, consultants who work directly with customers on their particular security issues. We expanded our roster of Security Advisors, who are now in 24 countries and regions around the world, with more to be hired.

A Look Ahead

Microsoft harbors no illusion that achieving Trustworthy Computing will be easy or that we can ease off on our efforts. There remains much to do and our work will continue no less energetically. Indeed, Trustworthy Computing has become so firmly woven into the Microsoft corporate culture that the effort advances every day our employees work. Even with that said, we do want to maintain and even increase our momentum. In truth, computer technology today is significantly better than it was 10 years ago, or even just five years ago. The industry has made major progress in its abilities to keep computers secure and stable. We intend to do our part to keep that ball rolling in the coming year.

In 2006, customers can look forward to the release of Microsoft Windows Vista, which is built to have more security and privacy protections than any previous version of Windows. Specifically, Windows Vista users will experience security improvements in such areas as User Account Control, better support for smart cards, enhanced firewall protection, and improved security and privacy capabilities. Customers will also benefit from enhanced information protection functionality in Windows Vista, such as BitLocker Drive Encryption, a hardware-based full-volume encryption feature that uses the Trusted Platform Module (TPM) to protect the encryption keys and addresses the growing concern over unauthorized access to corporate and customer data on lost or stolen machines. Consumer users of Windows Vista will see Family Safety Settings that enable greatly enhanced parental controls and Web filtering. In addition, the upcoming Office “12” release will include numerous security, privacy, and reliability enhancements. These will help protect against junk email and phishing, provide documents with enhanced information rights management protections, and improve recovery from crashes or hangs. A new feature called Trust Center will help protect against risky macros and other harmful code. Another new tool, Document Inspector, checks documents, prior to publication, for personal or hidden information the user might not want the public to see.

Internally, Microsoft will continue to refine and enhance its processes and practices to build even more on our progress to date. We will continue to innovate and improve our technology. We will continue to take a leadership role in building a more trustworthy technology ecosystem. We will continue to ensure we interact transparently with our customers and provide them with all the guidance they need to make our products, and the customer’s environment in which they are used, as trustworthy as possible. That was the commitment Microsoft made four years ago, and we remain dedicated to it today and every day.

By Scott Charney VP, Trustworthy Computing


SecureTransport in Enterprise Application Integration

Sourced from Tumbleweed

A Web-server portal tries to address the issues of cost and deployment complexity by allowing partners to use a Web browser for their data exchange and communication needs. This leads to a compromise in a different direction: browsers by themselves cannot provide support for advanced data exchange needs such as guaranteed delivery, data integrity checks, checkpoint/restart, multiprotocol support, legal-grade audit trails and client-side automation options such as scheduled and batch transfers.

SecureTransport bridges the worlds of EAI and the Internet by providing a unique solution for these requirements. When deployed as a gateway to an EAI environment, SecureTransport ensures secure and reliable connections over the Internet and enhances ease of deployment, robustness, data integrity and automation. Tumbleweed SecureTransport™ provides a more robust solution for Web browser users than a standalone Web portal and a much easier hub-and-spoke deployment that is significantly more cost-effective to deploy, support and own than EAI vendors’ gateway solutions.

Enterprise-Grade Data Transfer without Server-to-Server Deployment

A number of vendors support full enterprise-grade data transfer functionality only in server-to-server mode. For example, Vitria requires deploying their B2Bi server at each partner in order to gain the full benefits of security and reliability. To understand the challenges, consider a deployment requiring hundreds or thousands of partners to be connected to the EAI hub. Even a simplified, stripped-down version of the server presents a significant cost in software acquisition and an even more significant cost in supporting the initial rollout and ongoing operation of literally thousands of deployed servers outside of your organizational control and easy reach. Even sophisticated IT organizations may shy away from these tasks:

• Negotiating and complying with each partner’s security and firewall policies,
• Tracking the changing membership of a user community who are not your employees,
• Distributing server patches and new upgrades to thousands of partners.

Tumbleweed SecureTransport™ provides a unique solution that preserves all of the robustness and security of partner connections without requiring each partner to deploy a server. SecureTransport provides an uncompromising set of enterprise-grade data transfer features using a hub-and-spoke model, where the spokes are lightweight clients. This keeps the deployment cost low, and requires minimal user support. Tumbleweed customers have deployed SecureTransport into communities with thousands of users. For example:

• One of the largest health insurers in the US is using SecureTransport with over three thousand of its partners, including small and large healthcare providers, pharmacies, other insurance companies, clearinghouses, and regulators.
• A large US bank with over $290B in assets is using SecureTransport to support its electronic Treasury services with 6,000 of its corporate banking customers.
• A major central bank is deploying SecureTransport to support over 13,000 of its banking customers as part of a check image transfer project for inter-bank clearing.

SecureTransport serves a wide range of client needs based on platform and feature requirements, including:

• Web Browser Support (with ActiveX Control). Downloaded automatically and under 100KB in size, this control provides guaranteed delivery through data integrity checks and auto-restart capability, as well as a checkpoint/restart feature allowing a failed connection to be restarted at the point it left off and ensuring the convergence of a transfer operation over a poor (e.g., dial-up) connection. Coupled with HTML templates and dynamic HTML support, this provides the lowest-cost, yet completely secure and reliable, connection with a customizable user interface.
• Windows GUI Client. A simple client that can be downloaded and installed in minutes, it provides all of the reliability and security features, supports both HTTP/SSL and FTP/SSL, provides multiple user connection profiles, and offers batch capabilities as well as a built-in scheduler for automated, scheduled transfers with comprehensive calendar support for multiple events. Additionally, tunneling the FTP protocol over HTTP enables it to navigate complex network environments with multiple firewalls and proxies.
• Command Line Client for Windows and UNIX. Supporting command line invocation for easy scripting, this client maintains the same security and reliability features as all other clients, supports both HTTP/SSL and FTP/SSL, and offers batch data transfer support. Scheduling can be provided by using native platform features (e.g., UNIX cron) to schedule events. FTP tunneling is supported as in the Windows GUI client.
• OS/390 (MVS) Client. Supporting both binary and ASCII transfer modes, this client can be invoked from a command shell under UNIX System Services (USS), from a TSO executive, or from within a JCL job. Sophisticated firewall and IBM Tivoli Policy Director support ensures compliance with corporate security policies for datacenter networks.
• AS/400 Client. Supporting IBM iSeries users, this Java client can be invoked from a command line or incorporated into clients’ applications.
• Software Development Kits (SDKs). These are available in C and Java and support client-side application integration for those partners that need complete application-to-application connectivity. Imbued with the same security and reliability features, the SDKs provide the premier client automation solution for customers wanting to evolve their environment from EAI to IAI (Internet Application Integration).

The usual deployment mix for customers’ partner communities uses large numbers of Web browsers and Windows or UNIX clients, with a smaller number of participants using OS/390 (MVS) clients, AS/400 clients and the SDKs.

When Partner Portal Is Not Enough

Another alternative for partner communications is a partner portal: a dynamically driven Web site that allows partners to view documents, execute transactions, and track status. However, when security, integrity and reliability of the data transfer are critical, so-called “partner portals” may fall short. Consider TIBCO Partner Express, which provides a document-centric partner data exchange solution through a set of functions added behind a Web server, designed to make the user experience richer and more customized. It can even allow users to upload a file attachment or download one to their machine. This is typically done using HTTP/SSL, which is supported by every browser. In some cases, as with TIBCO, portals can also offer out-of-band communication channels, most often SMTP email with attachments. Lacking guaranteed delivery and an audit trail, and facing mail gateways that often reject emails with large attachments (e.g., 2 or 3MB attachments often aren’t allowed past a corporate firewall), email makes an even poorer choice than direct HTTP transfer for critical data exchange.

However, even when relying on HTTP/SSL data transfer, these solutions are limited by the native browser capabilities and lack the ability to verify the integrity of the data uploaded or downloaded by the user. Nor can they offer an auto-restart if the connection drops, or checkpoint/restart for a file partially transferred before a dropped connection. All these capabilities require the client to provide more than is available in the browser. SecureTransport addresses these requirements by providing a small but sophisticated ActiveX Control that is downloaded when a browser-based user first connects to the SecureTransport server. From that point on, the control will:

• Create an MD5 file hash on the user’s side and provide it to the server to let it determine whether any errors occurred during the transmission that may have violated data integrity
• Auto-restart the transfer if an error occurs or the server notifies it that the hash doesn’t match
• Checkpoint the file transfer in progress and restart a failed transfer at the appropriate place

Note that a hash sent alongside the data detects accidental corruption and truncation; protection against deliberate tampering in transit comes from the SSL channel, not from the MD5 value itself.

These capabilities provide for guaranteed data delivery in a browser-based environment and use built-in browser functionality to maintain the currency of the ActiveX control, downloading a new version when it appears on the server. For non-IE platforms, similar functionality can be provided using the Java SDK.
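The three behaviours of the browser control described above (a client-side hash checked by the server, auto-restart on mismatch, and checkpoint/restart from the last byte the server confirms) as a worked example. This is added illustration code, not Tumbleweed's ActiveX control or any SecureTransport API: the client, the server and a flaky link are all simulated in one Python process, the class and function names are hypothetical, and the payload is constructed. The digest defaults to SHA-256 (the page's MD5 works by passing algorithm="md5"; either way the hash catches accidental corruption, not tampering).

```python
"""Resumable upload with end-to-end hash check, checkpoint/restart and
auto-restart on mismatch.  Illustration only: client, server and link are
simulated in-process; names are hypothetical, not SecureTransport's API."""
import hashlib
import hmac
from typing import Callable, Dict


class ConnectionDropped(Exception):
    """Raised by the simulated link when the connection is lost mid-transfer."""


class TransferServer:
    """Receiving side: keeps partial uploads and verifies the client's digest."""

    def __init__(self, algorithm: str = "sha256") -> None:
        # The page's control uses MD5; any hashlib name works here.  The hash
        # only detects accidental corruption; the transport must be SSL/TLS.
        self.algorithm = algorithm
        self._partial: Dict[str, bytearray] = {}
        self.completed: Dict[str, bytes] = {}

    def offset(self, file_id: str) -> int:
        """Checkpoint query: how many bytes the server has already received."""
        return len(self._partial.get(file_id, b""))

    def put_chunk(self, file_id: str, offset: int, chunk: bytes) -> int:
        """Append a chunk; the client must resume exactly at the server's offset."""
        buf = self._partial.setdefault(file_id, bytearray())
        if offset != len(buf):
            raise ValueError(f"{file_id}: expected offset {len(buf)}, got {offset}")
        buf.extend(chunk)
        return len(buf)

    def finalize(self, file_id: str, client_digest: str) -> bool:
        """Compare the digest of what arrived with the client's digest.  On a
        mismatch the partial upload is discarded so the client restarts at 0."""
        data = bytes(self._partial.pop(file_id, b""))
        actual = hashlib.new(self.algorithm, data).hexdigest()
        if not hmac.compare_digest(actual, client_digest):
            return False
        self.completed[file_id] = data
        return True


class FlakyLink:
    """Simulated network: drops the connection on the given send numbers and
    flips one byte on another, so both recovery paths are exercised."""

    def __init__(self, drop_on=(), corrupt_on: int = 0) -> None:
        self.sends = 0
        self.drop_on = set(drop_on)
        self.corrupt_on = corrupt_on

    def __call__(self, chunk: bytes) -> bytes:
        self.sends += 1
        if self.sends in self.drop_on:
            raise ConnectionDropped(f"send #{self.sends} lost")
        if self.sends == self.corrupt_on:
            return bytes([chunk[0] ^ 0xFF]) + chunk[1:]   # silent corruption in transit
        return chunk


class TransferClient:
    """Sending side: hashes the whole file up front, resumes from the server's
    checkpoint after a drop, and restarts from scratch if the digest mismatches."""

    def __init__(self, server: TransferServer, link: Callable[[bytes], bytes],
                 chunk_size: int = 8, max_attempts: int = 10) -> None:
        self.server, self.link = server, link
        self.chunk_size, self.max_attempts = chunk_size, max_attempts

    def upload(self, file_id: str, data: bytes) -> int:
        """Upload until the server confirms the digest; returns attempts used."""
        digest = hashlib.new(self.server.algorithm, data).hexdigest()
        for attempt in range(1, self.max_attempts + 1):
            try:
                offset = self.server.offset(file_id)          # checkpoint/restart
                while offset < len(data):
                    chunk = self.link(data[offset:offset + self.chunk_size])
                    offset = self.server.put_chunk(file_id, offset, chunk)
                if self.server.finalize(file_id, digest):
                    return attempt
                # digest mismatch: server discarded the partial, loop restarts at 0
            except ConnectionDropped:
                continue                                      # resume from checkpoint
        raise RuntimeError(f"{file_id}: gave up after {self.max_attempts} attempts")


def run_demo():
    """Constructed 45-byte payload over a link that drops twice and corrupts once."""
    payload = b"claims batch 2006-01-31: 01234567890123456789"
    server = TransferServer()
    link = FlakyLink(drop_on={2, 5}, corrupt_on=8)
    attempts = TransferClient(server, link, chunk_size=8).upload("batch-42", payload)
    return attempts, server.completed.get("batch-42") == payload, link.sends


if __name__ == "__main__":
    print(run_demo())   # (4, True, 14)
```

With 8-byte chunks the payload needs six sends; the two drops cost one re-query of the checkpoint each, and the corrupted sixth chunk is only caught at finalize, which forces a full restart, so delivery takes four attempts and fourteen sends in total. The server, not the client, is the authority on the resume offset, which is what makes restart after a drop safe.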

Of course, partners who require automated or scheduled transfers cannot use an interactive browser connection to the portal. SecureTransport GUI and command line clients provide the automation and scheduling capabilities often required by partners to support unattended transfers, and the C and Java SDKs provide an even tighter degree of integration when automation within the context of a partner application environment is required. When business process integration requirements include straightforward data exchange with partners, SecureTransport hosted mailboxes and shared directories provide a compelling solution that is more secure and reliable while also easier to adapt to specific data exchange needs. Alternatively, if the requirements include transaction-related features unique to a portal, SecureTransport can be coupled with a partner portal to offer seamless, reliable data exchange to portal users.

Increasing Security of Externally Accessible Data

One of the critical issues facing organizations that need to exchange critical data with an external community is the tradeoff between making the data accessible over the Internet and protecting its confidentiality and integrity. More specifically, a server (such as Vitria’s B2Bi server or TIBCO’s PortalExpress) must be accessible, and therefore visible, from the Internet. Of course, strong authentication and access control measures add a degree of security. But all too often we hear about a server’s application software or operating system being compromised, allowing an attacker to take over the application or machine, with no user credentials required. A common way to address this problem is to use a network proxy in front of the server, typically locating it in the DMZ as the point of presence on the Internet. The proxy can then “hide” the real server on the secure network, but still deliver all network traffic destined for that server. Common proxy solutions pass through network data without regard to the user credentials or whether the data is properly authorized by the application. This allows for attacks where intentionally bad content is delivered to the application with the purpose of either shutting it down to deny service to other users or gaining unauthorized access (e.g., through a buffer overflow or other application-specific attacks).

SecureTransport offers a unique defense against these threats. Instead of deploying a common proxy, the SecureTransport Security Gateway server can be deployed in the DMZ to act as an application proxy in front of the SecureTransport Data Management server, which is deployed on the secure network to host the data and control the data exchange, and therefore requires protection from Internet attacks. What’s the difference? When the SecureTransport Security Gateway is deployed in a DMZ to act in proxy mode, it brings added application intelligence to this task by:

1. Requiring users to be authenticated before their requests can be passed on to the protected Data Management server. The user credentials are sent over to the protected server to be examined, since the Security Gateway server doesn’t host any user information (so there is no credential store to harvest if the gateway itself is breached). The back-end Data Management server then determines whether the user should be granted access through the proxy server, using any of numerous authentication mechanisms, such as userid/password, LDAP, digital certificates, smart cards, secure tokens, single sign-on session IDs, or custom solutions for other enterprise authentication services.
2. Restricting the content that can be passed to the back-end Data Management server using a very granular access control mechanism. In effect, the Security Gateway server can be put into a stealth mode, allowing only specific data requests to be passed on to the protected server and rejecting any other requests or commands.
3. Communicating with the protected Data Management server over SSL, so that anyone who has gained a foothold on the DMZ network (e.g., for a snooping attack) cannot intercept or tamper with the communication between the two servers.
4. Streaming data transfers from/to the protected Data Management server without writing them to disk, thus ensuring that no sensitive data resides in the DMZ, where it would be subject to compromise if someone penetrated the DMZ.

These capabilities are supported by the SecureTransport ActiveAgent framework, which makes it possible to launch an event-driven agent for any login, directory access, navigation command, or data transfer event in SecureTransport.
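The four gateway behaviours listed above, plus the per-event hooks the ActiveAgent paragraph mentions, as one worked example. This is added illustration code, not SecureTransport's Security Gateway or any Tumbleweed API: both tiers run in a single Python process, all class, method and command names are hypothetical, the user account and payload are constructed, and the gateway-to-back-end call stands in for what would be a TLS connection in a real deployment. The point it shows is what the DMZ tier is allowed to hold: a command allowlist, opaque session handles issued by the back end, and nothing else.

```python
"""Application-level gateway in the DMZ in front of an internal data server.
Illustration only (hypothetical names, not SecureTransport code): the
gateway keeps no user database and no file content, enforces a command
allowlist, forwards credentials to the back end, and streams chunks through.
In production the self._backend calls would go over a TLS connection."""
import hashlib
import hmac
import os
import re
import secrets
from typing import Dict, Iterator, List, Optional, Tuple

CHUNK = 4096                                   # streaming granularity
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")   # no '/', no leading '.'


class DataManagementServer:
    """Protected tier on the internal network: owns users, sessions and data."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}    # user -> (salt, hash)
        self._sessions: Dict[str, str] = {}                   # token -> user
        self._files: Dict[Tuple[str, str], bytes] = {}        # (user, name) -> bytes
        self.events: List[Tuple[str, str, str]] = []           # audit trail / agent hooks

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._kdf(password, salt))

    def login(self, user: str, password: str) -> Optional[str]:
        """Check credentials forwarded by the gateway; return an opaque token."""
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(self._kdf(password, rec[0]), rec[1]):
            self.events.append(("login_failed", user, ""))
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = user
        self.events.append(("login", user, ""))
        return token

    def store(self, token: str, name: str, chunks: Iterator[bytes]) -> int:
        user = self._sessions[token]
        data = b"".join(chunks)
        self._files[(user, name)] = data
        self.events.append(("upload", user, name))
        return len(data)

    def fetch(self, token: str, name: str) -> Iterator[bytes]:
        user = self._sessions[token]
        data = self._files[(user, name)]                       # KeyError if absent
        self.events.append(("download", user, name))
        return (data[i:i + CHUNK] for i in range(0, len(data), CHUNK))


class SecurityGateway:
    """DMZ tier: an allowlist, opaque tokens and a pass-through; nothing else."""
    ALLOWED = {"LOGIN", "PUT", "GET"}           # every other verb is refused here

    def __init__(self, backend: DataManagementServer) -> None:
        self._backend = backend                 # TLS client to the internal host in production
        self._tokens: set = set()               # session handles issued by the back end
        self.rejected: List[str] = []           # refused request lines, for alerting

    def handle(self, line: str, token: Optional[str] = None,
               body: Optional[Iterator[bytes]] = None):
        parts = line.split(maxsplit=2)
        verb = parts[0].upper() if parts else ""
        if verb not in self.ALLOWED:            # stealth mode: unknown commands never forwarded
            self.rejected.append(line)
            return ("ERR", "command not permitted")
        if verb == "LOGIN":
            if len(parts) != 3:
                return ("ERR", "bad syntax")
            tok = self._backend.login(parts[1], parts[2])    # credentials checked inside
            if tok is None:
                return ("ERR", "authentication failed")
            self._tokens.add(tok)
            return ("OK", tok)
        if token not in self._tokens:           # unauthenticated data requests stop here
            return ("ERR", "not authenticated")
        if len(parts) != 2 or not NAME_RE.fullmatch(parts[1]) or ".." in parts[1]:
            self.rejected.append(line)
            return ("ERR", "bad file name")
        try:
            if verb == "PUT":
                return ("OK", str(self._backend.store(token, parts[1], body or iter(()))))
            return ("OK", self._backend.fetch(token, parts[1]))   # generator: no DMZ buffer
        except KeyError:
            return ("ERR", "no such file")


def run_demo() -> dict:
    """Constructed scenario: one partner account, a 10 KB payload, three bad requests."""
    backend = DataManagementServer()
    backend.add_user("acme", "Tr0ub4dor-3")
    gw = SecurityGateway(backend)
    payload = b"ACH batch " * 1000                           # 10,000 bytes, three chunks
    bad_login = gw.handle("LOGIN acme wrong-password")
    status, token = gw.handle("LOGIN acme Tr0ub4dor-3")
    upload = gw.handle("PUT batch.txt", token,
                       (payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)))
    status, stream = gw.handle("GET batch.txt", token)
    refused = [gw.handle("SITE EXEC rm -rf /", token)[0],   # verb not on the allowlist
               gw.handle("GET ../../etc/passwd", token)[0], # path outside the mailbox
               gw.handle("GET batch.txt")[0]]                # no session token
    return {"bad_login": bad_login, "upload": upload, "roundtrip": b"".join(stream) == payload,
            "refused": refused, "rejected": len(gw.rejected), "events": backend.events,
            "gateway_state": sorted(vars(gw))}


if __name__ == "__main__":
    print(run_demo())
```

The gateway's only state after the run is its back-end reference, the token set and the rejected-line log, which is the property item 4 above is after: a compromise of the DMZ host yields no password hashes and no file contents. The back end's event list is where an ActiveAgent-style hook would fire on each login, upload or download.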

When considering the options available to secure critical data while making it available to partners over the Internet, network security experts now have a new and powerful weapon in their arsenal: an application-level Security Gateway proxy that can be deployed on a dataless server in the DMZ and stream the data from and to the secure Data Management server hosting partner information. SecureTransport can also be deployed as an application proxy to protect an EAI server, using custom agents to connect a SecureTransport Security Gateway server to an EAI environment such as Vitria or TIBCO.

Integrating SecureTransport into an EAI Environment

Now that we have shown the benefits of using SecureTransport as a secure data exchange solution for partners, customers, and large trading communities, the question is raised, “Can it be easily integrated into an EAI environment to fill this role?” For integration to be easily accomplished, the following capabilities must be present:

1. Ability to integrate into a shared or third-party authentication and access control environment. SecureTransport can easily do that using shared session IDs in Single Sign On (SSO) environments, using LDAP directories, or through custom integration using ActiveAgents.
2. Ability to customize the UI for a common look and feel. SecureTransport’s static HTML templates and dynamic HTML generation through agents allow it to easily present a seamless look and feel.
3. Ability to execute specific modules or commands on user navigation or data exchange (upload, download) events. The ActiveAgent framework is specifically provided to make this an easy-to-use capability of SecureTransport.
4. Ability to perform data extraction, transformation, and loading (ETL). SecureTransport provides one of the premier ETL tools for this purpose, Data Junction™, which makes it possible not only to convert data formats without writing a line of code, but also to extract the data from or post it to any of the common databases, corporate applications, and datacenter data communications environments such as IBM MQSeries or MSMQ. This optional SecureTransport module can be used to make the integration between SecureTransport and the EAI environment much deeper than simply sending and receiving files. Incoming data can be cleansed, enriched, burst, or converted to/from XML or EDI formats before being passed into the core EAI application or loaded into a database. Transaction status, reports, and other information can be automatically extracted from the EAI application and provided back to the users in any suitable format, including files and HTML-formatted Web pages.

Contributed by Syntax
