Computer Crime Research Center

hack/030523hack100mill.jpg

Conversations in Security

Date: December 02, 2004
Source: Network Computing
By: the CMP team

... of how to do it wrong,” O’Leary quips. — Jeanne Lim

Counterpane
“Security is hard [work],” acknowledges Bruce Schneier, CTO of Counterpane Internet Security, referring to how companies continually play catch-up to network attacks.

But there is help at hand. First, users have to accept security as a chain that will break at its weakest point. While a truism, Schneier argues that determining the weakest point was subjective.

“Securing the weakest point depends on the profile of your attacker,” he elaborates. Defending against someone with little resource and a lot of time is different from defending against someone with much resource and time.

Also, their level of expertise do play a role in deciding which parts of your network are the weaker links. Hence, understanding threats means understanding an attacker’s motivations.

If an attacker’s motivation were known, it would be easier to plan and design countermeasures to suit each attacker’s profile. Too often, notes Schneier, companies tended to secure things that were obvious, or their network analyses were not adequate to discover the weakest links.

Likening security to a labyrinth of systems, with much interdependence between them, Schneier says security systems are less important in how they work than in how they fail. He cites the lack of a response plan to deal with failures as a common problem for users.

Testing that system for frequent failures, or checking to see if teams responded well to infrequent failures, would help prepare them for genuine attacks.

Another interesting trend is toward outsourced services. “Every product needs a service attached to it,” claims Schneier. He predicts that in five to 10 years, security for all computing systems will be outsourced, adding that companies will still maintain control as they outsource the function, but not the responsibility, for securing their networks.

Finally, having trusted people in the company remained a key security consideration. “[Security’s] really about people,” says Schneier, although there is a danger that these trusted personnel could subvert security.

Put people in positions of trust, and give them as little knowledge as possible to effectively do their jobs, he advises, or assign them overlapping spheres of trust with other trusted staff to address the dangers posed. — Clement Teo

End-user Perspective: Caterpillar Inc.
When it comes to his job and project details, Darrell Elven prefers to remain hush.
After all, he is Caterpillar’s senior information security specialist and a member of its Incidence Response Team (IRT).

Caterpillar manufactures construction and mining equipment, diesel and natural gas engines and industrial gas turbines. Its products and components are manufactured in 50 US factories and in 65 other locations in 23 countries worldwide.

For Elven, the biggest challenge in information security is users. “You can educate users. You can work hard to apply technical solutions, but users who are careless can undo a lot of that work unintentionally.”

What he did share were tips for a successful IRT:
- Act like you know what you are doing and as if you have the authorisation to do it. “Be decisive. When faced with an incident, take charge, ask questions, listen and evaluate. Try not to lose your sense of humour either.”
- You do not need to know everything; you just have to know who does. “I have local security agents whose job is to know who is doing what in that office. And my subject matter experts are people whom I trust to give me straight answers.”
- Plan for the worst, hope for the best, and expect surprises. “Make up situations that could happen, then think through them carefully.”
- At the beginning of an incident, find out everything you know and this will show you what you don’t know or need to know. “Establish a pattern of activity. Have the names and contact details of the lead investigator, those who were affected, and the managers. Have a good description of the incident, its physical effects and discovery process. Go through your logs, including those in the system, proxy, telephone, firewall and intrusion prevention system. Finally, remember to confirm everything!”
- It is of no use to provide very precise, clearly written, well-thought out answers or solutions if they are wrong. “Try to understand how things could go wrong. Are users going to read the manual and follow the instructions? If they don’t, what else can you do to get the message across?” – Emily Chia


Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo