How to Rope In Rowdy Technologies

Growing up, a friend of mine would cite entropy as the reason for never cleaning her room. After all, if the universe inexorably trends toward chaos and all systems eventually dissolve into disorder, what's the point of picking up a T-shirt or putting away a board game? It was an ingenious, if usually ineffective, application of scientific theory. It's also one that I suspect many CSOs can relate to as they confront the growing complexity of new technologies and its anarchic effect on their best-laid security plans.

Historically, the discovery of new security vulnerabilities has always outpaced the CSO's ability to respond, but CSOs are now forced to play catch-up on a second front as well. Not only are hacking tools and exploits lapping the security organization's efforts, the rapid development of presumptively useful technology is itself leaving CSOs scrambling to maintain order. Instant messaging (IM) and file-sharing programs proliferate almost virally, disguising themselves as Web traffic to zoom through firewalls unimpeded; and employees with the high-tech itch frequently purchase their own PDA and wireless local area network (WLAN) to access the corporate network with little thought to the security consequences. The CSO's challenge: to exert some semblance of control over all this chaos.

In this story we take a look at four technologies that security organizations have admitted to struggling with. CSO talked to chief security officers and industry experts about the security and management challenges these technologies present and gleaned their best advice for reining in the chaos and balancing the business benefits of technology with the necessary controls of a solid security strategy.

The majority of these technologies illustrate a frightening truism for CSOs: The concept of the perimeter is dissolving. The idea that you could build a wall and control everything on the inside and keep disruptive elements on the outside has fallen from favor. The Web, that original disruptive application, is now pervasive. CSOs need to find ways to assert some control. Good security is not about secure technologies; it's about good administration, effective policy development, smart risk management and consistent auditing to test against the objectives.

The problem in all these cases is that when business units or executives become enamored of a particular technology, many CSOs lack the mandate to deny it to them. Security executives have a fine line to walk. You will see that some CSOs are able to issue blanket bans on technologies while others must negotiate a compromise with business users. Chris Byrnes, a vice president and analyst who tracks security for the Meta Group, suggests that CSOs take the tack of evaluating technologies in terms of how they serve the needs of the business, and then find the balance between achieving a business benefit and achieving good security. "It has to be dynamic; it has to be negotiated," says Byrnes. "Security officers who try to dictate to the business what they can and can't use are not going to keep their jobs."

In the spirit of career longevity enhancement, then, we offer this quartet of nettlesome technologies and some coping strategies for keeping them in order.

Web Services

Commerce is about letting people in, not keeping people out, so it shouldn't be surprising that the latest trend in technology creates a pipeline right through the firewall into some of your company's most sensitive applications, all in the name of cost savings and efficiency.

But it's not people who are being admitted into the sanctum; it's bits of executable code made available using Web services. Web services are Web-based applications that use open standards such as SOAP (simple object access protocol), XML and HTTP to glue together different computer systems and applications that otherwise would not be able to communicate. That allows companies to build distributed Web applications and to take advantage of services already out on the Internet instead of having to build their own. For example, if company A wants to build a travel site for its employees and company B happens to have a terrific vacation booking service, A can build its site using B's booking feature instead of having to spend time and money building its own. Web services allow those disparate Web applications to talk to one another, presenting what appears to be a cohesive whole to the user.

However, while Web services may offer enormous opportunities for improved efficiency, they also raise huge concerns for CSOs who suddenly find that they have some of their most critical applications hanging out on the Internet unsecured. Because those apps have so many lines of code and are generally not written with security in mind, they are among the most difficult IT assets to secure. The problem is compounded by the fact that CSOs often don't know about Web services projects until they are well along or completed, and by the fact that the applications being stitched together have their own individual security attributes, which can be uneven at best and in some cases rife with holes. "People are going to Web services to get faster delivery and completion of applications," says Byrnes. "So you can see that while the developer could increase his workload by building in security [up front], the tendency is not to do that."

Earlier this year, Adrian Lamo, a so-called white-hat hacker, hacked his way into a Web service on The New York Times intranet. During that escapade he was able to access a number of the company's databases, including one that contained the Social Security and home phone numbers for 3,000 of the paper's op-ed contributors, among them actor Robert Redford, commentator Rush Limbaugh, former President Jimmy Carter and even hip-hop artist Queen Latifah. Though Lamo revealed the flaw to The Times rather than selling the information, imagine the repercussions if an individual with malicious motives took a similar stroll through your company's most valuable data.

It's a problem that Bill Spernow, CISO for the Georgia Student Finance Commission (GSFC), has tried to minimize by ensuring that security is top-of-mind among his organization's developers. "I would classify middleware right now as the most unexplored security risk that most corporations and agencies have in their infrastructures," says Spernow, noting that there are no tools available to explore the coding structure for holes and no ability to monitor processes to know when a security-based problem occurs. His solution has been to send GSFC programmers through hacking courses in order to make them aware of the various security vulnerabilities that they can create in their work and to show them how those holes are exploited. Later, that knowledge is also shared with the remaining staff.

To avoid nasty surprises, Ted Doty, director of product management with Okena, an intrusion prevention software vendor, suggests that CSOs be aggressive about staying informed. "I'd get my nose in all those meetings with the server guys," he says. "What are they doing about the next big generation of SOAP and XML? Are they even thinking about security? You've got to get involved in all these discussions before you wake up and find [some new application] out there on 10,000 machines."

Peer to Peer

As with Web services, the danger of peer-to-peer technologies (applications in which users can use the Internet to exchange files with each other directly or through a mediating server) is that they cruise right through the firewall. However, the problem is complicated by the fact that the CSO isn't just dealing with a relatively small team of Web developers; he's trying to affect the behavior of every employee in the company. It's a situation that EDS's London-based Chief Security and Privacy Executive Paul Clark is all too familiar with.

In May, Clark sent out a memo to all employees serving notice that the company would begin blocking access to all Internet instant messaging sites because of the security risks IM poses to the company's network and its clients. Within a week, Clark had to modify the ban. Executives who had been using IM as a cheap, high-touch means of communicating with customers balked at the ban. Moreover, the cost of securing IM traffic was found to be prohibitively high. In light of these realities, Clark had to rethink an outright ban.

Many file-sharing applications, such as Napster and Gnutella, and IM programs, such as AOL Instant Messenger and MSN Messenger, are designed to actively subvert the firewall and other security controls that organizations have put in place. "These apps are usually written in such a way that they're very determined to get the message through," says Shawn Hernan, team leader for vulnerability handling at The CERT Coordination Center. "In most instances they don't provide any security of the message, don't protect it from observation in travel; there's no integrity, no privacy, no digital signatures." The programs tend to be installed by the nonsecurity conscious (read: your average employee), and applications are frequently out of date, contain a range of vulnerabilities and create a situation for CSOs in which an unknown number of messages traverse their networks in clear text. This is a security executive's nightmare.

In order to work effectively, IM needs to pass through open ports. So IM systems wrap communications up to look like Web traffic, enabling them to enter the port unnoticed by the firewall or virus-scanning software. That makes IM susceptible not only to viruses but to social engineering tactics. Users are tricked into downloading malicious software that lets intruders use their systems as a platform for launching denial-of-service attacks.

Security vendors have come up with a number of possible solutions to the IM problem. Some vendors, such as IM-Age Software, add a layer of authentication and encryption to public services like Yahoo and MSN Messenger. Others, such as Jabber, offer their own IM platforms that can be used alone or with public IM services, as well as dedicated IM servers that companies can deploy and manage behind their own firewalls. So CSOs must consider whether they want to control, ban, regulate or simply endure the risks posed by IM and file sharing.

But, as Clark learned, once you've let the kids into the candy store, it's not so easy to get them out. EDS decided to designate its own secure port for IM services and to limit the program's use only to certain individuals with a high need for IM capabilities; all other access to IM and non-EDS file-sharing programs is blocked. "It's not a negative thing," says Clark of the IM trend. "It's what the information world is about. Everyone's clamoring for freedom of access to information. But it has to come with controls."

For companies that do want to block rather than regulate IM, it's not always that easy. IM and file-sharing programs are being designed with increasing intelligence and cloaking skills. They can masquerade under different protocols and test different ports until they find one that will let them in. Short of a total ban, the best thing that a CSO can do is to help users understand why these products can be dangerous.
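As an added illustration (not part of the original article), the port-testing behavior described above leaves a trace a security team can look for in firewall logs: a client denied on several ports to one destination, then allowed out on a Web port. The log format, addresses and thresholds below are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample firewall log (assumed format):
# epoch_seconds action src_ip dst_ip dst_port
SAMPLE_LOG = """\
1000 DENY 10.0.0.5 203.0.113.10 5190
1002 DENY 10.0.0.5 203.0.113.10 1863
1003 DENY 10.0.0.5 203.0.113.10 5050
1005 ALLOW 10.0.0.5 203.0.113.10 80
1010 ALLOW 10.0.0.7 198.51.100.20 443
1020 DENY 10.0.0.8 198.51.100.30 25
1500 ALLOW 10.0.0.8 198.51.100.30 80
"""

WEB_PORTS = {80, 443}  # ports the firewall is assumed to leave open


def parse(log):
    """Yield (ts, action, src, dst, port) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, action, src, dst, port = parts
        yield int(ts), action, src, dst, int(port)


def find_port_hunters(log, window=60, min_denied=3):
    """Flag clients that were denied on several distinct ports to one
    destination and then got through on a Web port within `window` seconds."""
    denied = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    findings = []
    for ts, action, src, dst, port in sorted(parse(log)):
        key = (src, dst)
        if action == "DENY":
            denied[key].append((ts, port))
        elif action == "ALLOW" and port in WEB_PORTS:
            # Distinct ports refused shortly before this successful connection
            recent = {p for t, p in denied[key] if ts - t <= window and p != port}
            if len(recent) >= min_denied:
                findings.append({"src": src, "dst": dst, "time": ts,
                                 "denied_ports": sorted(recent),
                                 "allowed_port": port})
    return findings


if __name__ == "__main__":
    for hit in find_port_hunters(SAMPLE_LOG):
        print(hit)
```

Hosts flagged this way are candidates for the user education and policy follow-up the article recommends, not proof of a violation on their own.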

CISO Spernow has mandated that every new nonprogramming employee at his organization must undergo four hours of computer crime and hacking awareness training so that they can understand the drivers behind computer crime and how their own behavior can contribute to the problem.

Hernan, too, suggests an active rather than passive approach. "Clearly articulate your policy, don't just let [violations] happen, and be forced to respond," he says. As with many of these technologies, forming a policy around IM and file sharing is essentially a risk-management decision. CSOs must decide what level of risk they are willing to accept in exchange for what degree of enhanced business value. Based on that they should make the call and then educate users about it.

Wireless

A lot has been written about the security flaws of wireless networks, and you've probably heard the tales of the enterprising hacker who can sit on a park bench in the heart of the financial district and tap into dozens of wireless networks. But for CSOs the challenges of wireless are only getting larger as the holes in security go unpatched, and employees either demand greater wireless connectivity or surreptitiously achieve it on their own.

"Wireless is robustly insecure," says Bruce Schneier, author, cryptographer and CTO of Counterpane Internet Security, a security-management service provider. "The only way to look at wireless is to assume that it's completely insecure."
