Computer Crime Research Center

Security strategies: fortress or airport?

(By Craig Healey)

If a man’s home is his castle, then securing it adequately is of supreme importance. CIOs are scratching their heads, trying to figure out if they should adopt fortress-type security systems or move towards a multi-layered security strategy.

Electronic commerce, or e-business as it is more commonly called, is a fact of life. However, the options for doing business securely over public (electronic) networks are less clear and increasingly costly.

Highly sophisticated hackers and hacking tools, organised hacktivism, poorly engineered software, cyber terrorism, identity management and a lack of corporate security management are some of the most important internal and external challenges for organisations looking to trade electronically.

Gartner research director Steve Bittinger uses fortress and airport metaphors for two potential extremes in IT security. Simply put, the fortress allows little movement in and out, using a single-dimensional security mechanism (a moat and drawbridge). The fortress produces a reasonably secure operation, but one unable to support business in a global marketplace that demands rapid and flexible business models.

Conversely, the airport allows large volumes of movement using a multi-layered security strategy (passport, baggage scanning, sniffer dogs, random searches, etc).

Gartner research conducted in mid 2002 involving more than 1,000 corporations in Asia Pacific found the top priority for CIOs surveyed is the need to enhance IT security.

Bittinger says the most common questions CIOs ask him are: ‘How much should I spend on security?’ and ‘What’s the average amount of money spent on security in my industry?’

“Of course we can tell them the answer but that’s not the issue,” says Bittinger. “Just because you’re spending the industry average doesn’t mean your security is good. The question is how effectively are you blending together people, process and technology? The money you are spending is almost irrelevant.”

Model evaluation
So how does a CIO know if he’s on the right track? One highly regarded framework for evaluating corporate security postures is the capability maturity model (CMM) for security, derived from the US Software Engineering Institute’s CMM for software development.

The model describes four layers or levels that begin with a position of total lack of awareness (level one) and culminate with corporate security being culturally entrenched and providing potentially significant competitive advantage (level four).

Bittinger says the majority of organisations are at level two: “Organisations say security is important, those IT guys need to take care of it for us.” At this level, security is regarded as purely a technical challenge and the total corporate security investment comes from the IT budget.

In fact 39.7 per cent of the 1,004 Asia Pacific organisations surveyed by Gartner fall into the level two category. It’s also interesting there is wide disparity in the maturity levels from country to country in the region. Thailand, Taiwan, Singapore and Hong Kong all have relatively mature security profiles, while Australia, New Zealand and Malaysia predominantly have companies that believe it’s the ‘IT guy’s’ job.

The prevailing view that corporate security is the domain of the ‘IT guy’ is deeply flawed.

Bad culture
According to Bittinger, “The CMM is not about technology, it’s a framework for cultural change and the inherent level of understanding in the organisation. The biggest risk any organisation runs is having a bad security culture.”

The Gartner Information Security Hierarchy describes the components of a pervasive corporate security system. These components include policies and procedures, standards, training, technology, monitoring and validation. Technology is but one element of the mix, yet it typically consumes the majority of the security investment.

To demonstrate the point about culture, he gives a recent example of a large US organisation with a security policy requiring all staff to display name/security cards. The CEO walked around for a full half-day without wearing his security badge before finally being questioned by a staff member about why he wasn’t wearing his badge.

The CEO immediately rewarded this woman with US$20. The CEO’s minute investment made a massive statement about the need to observe security protocols. Bittinger says this is a great example of the need for commitment and understanding at the executive level in order to elevate security to levels three and four. It also demonstrates you don’t need to make huge investments – rather it’s about how you spend your dollars.

Another indicator of level three or four security maturity is the existence of a chief security officer (CSO) or equivalent. Bittinger describes the position as being a function of the CMM. If you’re a level two organisation, then there is no point having a CSO. The CSO role has most to do with cultural and business change, is independent of any business unit or the IT group, and ideally reports into the CEO or the board.

Bittinger provides a somewhat disturbing anecdote regarding the challenges of the CSO role. In the aftermath of September 11, the board of one of the organisations formerly resident in the World Trade Center called in their security manager and fired him. Six months prior, the manager had provided the board with an extensive security proposal that would have minimised the economic impact of the disaster to the company.

However, the board rejected the proposal. The board explained to the manager he was being fired for not having been able to persuade them to accept the security proposal.

Transparency critical
Bittinger believes transparency is critical to the security role. “The worst thing you can do as a security manager is to cover up any security breaches that do occur. Top executives actually need to know and understand the impact,” he says. “For example, the loss of laptop computers containing highly confidential corporate data needs to be shared with senior executives so they understand the costs associated with maintaining security or the risks of not doing it.”

What then are the key security issues for corporations moving into 2003? According to Gartner research director Rich Mogull they are:

- Risk management
- Web services
- Wireless LAN and mobile devices
- Identity management – identification, authentication and authorisation
- Intrusion detection and prevention
- Hacktivism – enterprise level with political motivations
- The next Code Red/NIMDA
- Instant messaging
- Infrastructure
- Privacy and protecting intellectual property
- Transaction trustworthiness and auditability.

One of these key concerns is the increasingly common occurrence of mobile devices being used to access corporate networks using wireless technology. There is a huge array of devices available with new devices hitting the market almost daily, or so it seems.

Stephen Rath is group communications manager at John Fairfax Holdings, a role that includes responsibility for IT security. Rath is currently evaluating several mobile devices for use by Fairfax executives and mobile workers including Telstra Blackberry, PC e-phone, HP Jornada and Toshiba Portege.

Blackberry is essentially a Palm Pilot size device with phone, e-mail and a calendar that connects using the general packet radio services (GPRS) network. The PC e-phone is a Windows CE device with 640 by 480 screen and QWERTY keyboard. The Hewlett-Packard Jornada is also a CE device with a Bluetooth card that is used to connect to the GPRS network via a Nokia 6310 mobile phone. The Portege is an ultra light laptop PC with built-in 802.11 (see definition) network card and Bluetooth.

Most remote connections are made over a wireless LAN (802.11), GPRS or dial-up. Bluetooth is the other major technology: with a range of two to 10 metres, it is designed to replace any wire connecting devices.

Rath provides the following simple overview of the wireless mobile devices world: “There are three layers to establishing full connectivity to a corporate network from a remote device: 802.11 and GPRS get you connected to the Internet (layer one). GPRS is inherently more secure for authentication: the connection is managed by the network (and your pre-existing relationship with the network provider). However, GPRS is much slower than 802.11.

“A virtual private network (VPN) tunnel is layer two. The VPN tunnel creates a secure, encrypted connection to a corporate network and each of the devices referred to above would use a device specific VPN client.

“Layer three concerns authentication. In other words, how do we know it’s really you attempting to make the connection? Username and password alone is flawed as they are often shared and can be easily guessed. In particular, with 802.11 others can ‘watch’ what you are doing and easily obtain your username and password due to inherent security weaknesses,” says Rath.

One good solution for an 802.11 network situation is the SecureID device that generates a new password every 60 seconds. For a modem connection from pre-defined numbers or circuit switched mobile data, Rath says, “we allow a combination of CLI (call line ID) and username/password instead of the SecureID device”.

Rath describes the basic authentication concept as “something you have and something you know”. This holds true for the SecureID device (there is a PIN you must know as well as physically having the device to generate the pass-codes) and for the CLI/password combination (you need to have the correct mobile or be in the correct place, and you must know the username/password).
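The two authentication paths Rath describes (a time-based token plus a PIN for 802.11 users, and a call line ID allow-list plus username/password for dial-up users) can be expressed as a small server-side check. The following is an added example written for this article; it is not Fairfax's code, and the token algorithm it uses is the published RFC 6238 TOTP (HMAC-SHA1 over a 60-second counter), a stand-in for the proprietary SecureID algorithm the page mentions. The class and method names, the PIN-followed-by-code passcode format, and the sample users are all constructed for illustration.

```python
"""Two-factor remote-access checks modelled on the article's description:
 - token path: something you have (a 60-second code) + something you know (a PIN)
 - dial-up path: something you have (the calling number) + something you know (a password)
The token code is RFC 6238 TOTP; all names and sample data here are constructed."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

TOKEN_STEP_SECONDS = 60   # the page's token shows a new code every 60 seconds
TOKEN_DIGITS = 6


def totp_code(secret: bytes, at: int, step: int = TOKEN_STEP_SECONDS,
              digits: int = TOKEN_DIGITS) -> str:
    """Code a token would display at Unix time `at` (RFC 6238 with HMAC-SHA1)."""
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """PINs and passwords are stored salted and stretched, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class RemoteAccessAuth:
    def __init__(self) -> None:
        self._users = {}           # username -> enrolment record
        self._used_counters = {}   # username -> last accepted time step (replay guard)

    def enrol_token_user(self, user: str, pin: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[user] = {"kind": "token", "salt": salt,
                             "pin_hash": _hash_secret(pin, salt),
                             "token_secret": token_secret}

    def enrol_cli_user(self, user: str, password: str, allowed_cli) -> None:
        salt = os.urandom(16)
        self._users[user] = {"kind": "cli", "salt": salt,
                             "pw_hash": _hash_secret(password, salt),
                             "allowed_cli": set(allowed_cli)}

    def _knows(self, rec: dict, field: str, supplied: str) -> bool:
        return hmac.compare_digest(rec[field], _hash_secret(supplied, rec["salt"]))

    def login_with_token(self, user: str, passcode: str, now: Optional[int] = None,
                         drift_steps: int = 1) -> bool:
        """802.11/VPN path. passcode = PIN immediately followed by the 6-digit code."""
        rec = self._users.get(user)
        if rec is None or rec["kind"] != "token" or len(passcode) <= TOKEN_DIGITS:
            return False
        pin, code = passcode[:-TOKEN_DIGITS], passcode[-TOKEN_DIGITS:]
        if not self._knows(rec, "pin_hash", pin):
            return False
        now = int(time.time()) if now is None else now
        # Tolerate small clock skew (+/- drift_steps), but never accept a time step
        # at or before the last one used: a code seen on the air cannot be replayed.
        for k in range(-drift_steps, drift_steps + 1):
            t = now + k * TOKEN_STEP_SECONDS
            step_no = t // TOKEN_STEP_SECONDS
            if step_no <= self._used_counters.get(user, -1):
                continue
            if hmac.compare_digest(code, totp_code(rec["token_secret"], t)):
                self._used_counters[user] = step_no
                return True
        return False

    def login_with_cli(self, user: str, password: str, calling_number: str) -> bool:
        """Dial-up path: calling number must be on the allow-list AND password correct."""
        rec = self._users.get(user)
        if rec is None or rec["kind"] != "cli":
            return False
        cli_ok = calling_number in rec["allowed_cli"]
        pw_ok = self._knows(rec, "pw_hash", password)   # always computed, both factors checked
        return cli_ok and pw_ok


if __name__ == "__main__":
    auth = RemoteAccessAuth()
    auth.enrol_token_user("alice", pin="4821", token_secret=b"constructed-seed-0001")
    t = 1_040_000_000
    print("token login:", auth.login_with_token("alice", "4821" + totp_code(b"constructed-seed-0001", t), now=t))
```

Both paths refuse a login when either factor fails, and the token path additionally records the last accepted time step so that a code captured by someone "watching" the wireless link, as Rath warns, is useless once it has been used or has expired.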

Instant messaging is a good example of a seemingly innocuous communication tool that has become pervasive almost overnight and which is terrifying for many corporate security managers. Rath describes it as, “a very useful tool for e-communication; more immediate than e-mail.

“However, you are relying on a third-party to facilitate the connection, which therefore has security implications, especially in the file transfer scenario, where you have granted control of your PC to others, making access to your corporate network by non-trusted third parties possible.”

And if you start using instant messaging as a corporate transaction tool, there are no service level agreements in place, so best efforts and goodwill form the basis of the service – hardly the basis for a sound commercial process. “It’s a huge business issue,” says Rath.



Copyright © Computer Crime Research Center 2001, 2002 All Rights Reserved.
Contact the CCRC Office at +38 061 220 12 83