ISACs, Infragard, and ECTF: Safety in Numbers

Outsiders might think of security pros as silent types whose greatest strength is the ability to keep a secret. Insiders know different: Great security requires great communication, and lots of it. Today’s leading CSOs are clamoring for safe forums to share best practices, threat and vulnerability reports, and tricks of the trade.

Ron Baklarz is a good example. Baklarz, chief information security officer of the American Red Cross in Falls Church, Va., is a member of several formal information-sharing groups, including the FBI’s InfraGard programbut recently decided that wasn’t meeting all his information needs. Baklarz established the Chief Security Officer’s Round Table (CSORT) with a handful of other Washington, D.C.-area security colleagues to foster more individual contact with peers and to help each other identify specific, effective information security tools.

While industry associations such as the Information Systems Security Association (ISSA)—on the logical side—and the American Society for Industrial Security (ASIS)—on the physical side—have assisted in security networking for many years, a number of new options are opening up (or gaining renewed membership) for CSOs to connect with their peers and with law enforcement and public sector personnel in the wake of 9/11. Those groups fall into three general categories: industry-specific groups best illustrated by the Information Sharing and Analysis Centers (ISACs); law enforcement groups for geographical regions, including chapters of both InfraGard and the Secret Service Electronic Crimes Task Force; and private initiatives like Baklarz’s CSORT that bring together CSOs from a local region. Each group serves a different purpose, and for that reason few CSOs say they’ve found a single information-sharing group that meets all their needs. Following are details that can help CSOs choose which group, or groups, may suit them best.

Information Sharing and Analysis Centers

Dating back to the pre-Y2K days of the Clinton administration and supported by the current Bush administration, the Information Sharing and Analysis Centers aim to beef up the security of a given industry by bringing together those responsible for securing that industry—in other words the security professionals who work at the companies within that sector of the economy—and getting them to communicate with the government and with each other. Building an environment of trust is crucial. A successful ISAC (pronounced eye-sack) assures its participants that proprietary competitive interests are being protected while important information is shared.

The ISAC movement is all about securing economic sectors considered part of the country’s critical infrastructure, such as financial services, electric power, oil and gas, telecommunications, and transportation. The first and most developed ISAC is the Financial Services ISAC, known as FS-ISAC, which was launched in October 1999 and consists of a secure database, analytic tools, and information gathering and distribution facilities.

The FS-ISAC’s chief value lies in its ability to alert its membership to potential security threats quickly and to act as a repository for information specific to the financial services community. The June 1999 virus named Worm.Explore.Zip provides a classic example of how the FS-ISAC can help CSOs. Thanks to a phone tree, members of the FS-ISAC were alerted to the virus a full eight hours ahead of the public.

Much of the information disseminated by the FS-ISAC can be obtained from other sources, but putting it all together would be a time-consuming process for any single company. Stash Jarocki, chairman emeritus and current board member of the FS-ISAC LLC (a company created to manage the group’s operations), says the FS-ISAC provides financial services professionals with “one-stop shopping for the understanding of vulnerabilities, threats and incidents.” The FS-ISAC also conducts focused research on topics identified by polling the membership and publishes white papers summarizing the research findings.

How FS-ISAC members receive information from the group is up to them. They can visit the group’s website (www.fsisac.com), parts of which are available to the public and parts of which are for members only. They can be alerted to security threats by pager, fax, e-mail or phone. And the group also holds two meetings each year.

Information exchange goes both ways. Members can choose to share information about security threats they have experienced with other members, and they can do so without worrying about giving away sensitive or proprietary company information. The FS-ISAC takes many steps to protect its sources. Information submitted anonymously by an FS-ISAC member gets “scrubbed,” says Jarocki (who is also vice president of IT security engineering at Morgan Stanley). “We take any of the identifying nomenclature about a client off, and then the source is protected.” Even with these data-scrubbing safeguards in place, some CSOs express wariness about disclosing sensitive data to any group that does share information with federal agencies; however, that concern may be allayed somewhat by recent legislative developments. See “Everything You Ever Wanted to Know About FOIA (But Were Afraid to Ask)”.

To help members evaluate ISAC data, the credibility of each report is also analyzed by staff members at Global Integrity, a division of Predictive Systems, before being disseminated. Security alerts are rated from informational to crisis mode.

Currently, the FS-ISAC membership is confined to certified financial entities willing to spring for the $7,000 annual fee (for up to five members per company). Major banks, brokerage houses and insurance companies make up the bulk of membership, but small firms, banks and individuals, such as brokers, are currently not represented. However, Jarocki has proposed a three-tiered membership plan for the FS-ISAC that aims to remove cost as an obstacle to participation. The lowest tier would be a free or inexpensive membership aimed at brokers, traders, small banks and other small financial services companies; the middle tier would be the current type of membership; and the top tier would be a service tailor-made for each particular company. After all, profit isn’t the point. “Look, we’re all part of the same business,” says Jarocki. “Let’s help each other out and get everybody involved.”

InfraGard and Electronic Crimes Task Forces

While ISACs are focused on improving communication within a particular industry, InfraGard is all about sharing information between the public and private sectors—in particular between the FBI and its National Infrastructure Protection Center—on the one side, and businesses, academic institutions, and state and local law enforcement agencies on the other.

Developed by the FBI Cleveland in 1996, InfraGard today is a national effort involving all 56 FBI field offices, plus 16 satellite offices in larger cities, for a total of 72 InfraGard chapters. Membership recently topped 5,300 individuals and has been growing—even before 9/11—at a rate of about 20 percent each month, according to InfraGard. (The Secret Service’s Electronic Crimes Task Force, or ECTF, meetings are in many respects similar to InfraGard; the first ECTF was actually established earlier, in 1995 in New York City, but other major cities have just started to ramp up.)

Local chapters of InfraGard are formed by private sector members and an FBI field representative. These chapters set up their own boards to govern and share information within the membership, and each chapter is also part of the national InfraGard. Each chapter has an FBI field agent who acts as chapter coordinator—handling paperwork, organizing meetings, overseeing the local board, conducting background checks on members and functioning as an intermediary for the exchange of information. Chapters typically collect nominal, voluntary dues to cover such things as refreshments for the meetings.

InfraGard’s membership application is on the group’s website (www.infragard.net), and membership is approved on a case-by-case basis. There are two classes of membership: regular and secure. Regular members can be approved by the chapter coordinator, but secure members must also get clearance from a unit chief at FBI headquarters (as must anyone who has been arrested or convicted of a crime). Secure members must sign a detailed agreement with the FBI, which outlines promises on both sides not to disclose proprietary or sensitive information or to sue each other.

Whereas ISACs function primarily as a clearinghouse for information, the main benefit of InfraGard and the Secret Service effort is the chapter meetings, which typically take place once a month or once a quarter. In InfraGard’s case, participation in meetings can range from 40 people to hundreds, depending on the chapter. Meetings usually kick off with a speaker from the FBI or local law enforcement, and then continue with a less formal open forum.

The FBI’s goal is clearInfraGard provides support for private sector security but also helps establish relationships, which make skittish CSOs more comfortable reporting attacks and breaches. Meetings offer CSOs “the ability to interface with other security colleagues in the area and the ability to know a name and a face at the FBI and other law enforcement agencies who are at the table,” says Supervisory Special Agent Clayt Lemme, the FBI’s National Infrastructure Protection Center training and operations unit chief who supervises the national InfraGard program. “Having a name and a face goes a long way toward building trust. If you actually know someone from the FBI, it’s easier to call up and tell them about something that’s happened to you.”

CSOs say it works. Fostering communication between the public and private sectors is “long overdue,” says John Pontrelli, the global security director for Newark, Del.-based W.L. Gore & Associates, which makes the popular GoreTex fabric. Although not a member of InfraGard, Pontrelli gave a presentation about the public and private sectors working together at a recent meeting of the newly formed Delaware chapter. “What I’ve seen missing [in the past] is the two-way interaction with the private sector, but the government is really trying now,” he says. Pontrelli was pleased to see three local FBI agents at the meeting and impressed by a detailed 90-minute presentation about the state of Delaware’s homeland security strategy.

Information at the chapter meetings is considered confidential. InfraGard members must sign a nondisclosure agreement as part of the membership application process. “When a chapter gets together and you find out that people are attacking Company XYZ using a certain methodology, you’re learning about another company’s proprietary information,” says Lemme. “The reason the other company is willing to discuss it is because everybody else in the room has signed the nondisclosure agreement.”

Regional Roundtables

The rapid growth of ISACs, InfraGard and the Electronic Crimes groups attests to their usefulness. Even so, many CSOs also want less formal, more interactive formats. Carl Lorenzo, CISO of Deltanet, a dental insurance provider based in Rancho Cordova, Calif., says he and other CISOs who met at ISSA meetings do call each other from time to time to share strategies about particular threats, such as the Nimda and Code Red viruses. But, he says, “there’s no coordinated effort to get us together.” Lorenzo would like to see a monthly or bimonthly meeting, in person or by teleconference, of all the top CISOs in his region “to discuss significant events that we feel are critical to homeland infrastructure and security for our companies.”

In both New York City and Washington, D.C., CSOs have formed ad hoc discussion groups to do just that.

In New York City, a roundtable of security professionals in the financial services industry was formed about eight years ago. Approximately 20 security directors from several major brokerages and large banks meet periodically to compare notes. There are no membership dues or specific membership requirements, and the group has no formal name. “We’re a group that had been in place but whose time has come,” says Henry DeGeneste, vice president of global security for Prudential Financial and one of the original roundtable members. Since 9/11, the New York City roundtable has increased the frequency of its meetings from once a quarter to approximately once a month. Between meetings, the group keeps in touch through an e-mail tree. Sept. 11 has changed the nature of what gets discussed at the roundtable meetings. In the past, the focus had often been on government regulations relating to such issues as money laundering and financial fraud, says DeGeneste. Now, he says, “we’re focusing on almost a weekly basis on physical security and protecting our employees and allaying their fears.” Echoing the sentiment of many CSOs, DeGeneste says the emphasis has shifted from information security to a mix of both physical and information security.

Guests at the NYC meetings might include members of the New York Police Department, Secret Service, FBI, or Office of Homeland Security from the state of New York and the national office. The roundtable “helps us sort the wheat from the chaff,” says DeGeneste. “We have the chance to say, What about this story we heard? And somebody from the public sector will say, No, it’s not true.”

Because the New York City roundtable has existed for several years and the members all know each other, there’s an atmosphere of trust. Most of the roundtable participants have a law enforcement background and are accustomed to confidentiality and the protection of proprietary information. “What we say in the room doesn’t leave the room,” says DeGenestea less formal but still binding version of InfraGard’s nondisclosure agreement.

Ron Baklarz’s CSORT group in D.C. is just slightly more formal than the NYC version. Approximately 20 members participate in a weekly conference call. Topics on a recent call included regulations that might affect information security, virus mitigations and virtual private network solutions. Baklarz has invested his own money in setting up a website to recruit others in the security field and plans a face-to-face meeting later this fall. Baklarz’s goals for CSORT (www.csort.org) are real simple. He hopes to “offer a forum where people can feel comfortable discussing their security issues knowing that it’s not going to go outside the enterprise, just having somewhere you can ask for help and get support, a sort of support group for security professionals, and a sense that we’re all friends here.”

CSORT has a particular focus on members helping each other evaluate information security tools. Baklarz says the current climate demands ROI analyses of security tools out of a concern for budgets and an increased need for products proven to really work. “Security product costs are out of hand,” he reports, “so our CIOs are coming back to us and asking for some sort of analysis to justify why we need these tools. My rationale for CSORT is to build up a relationship within a group so that we can feel comfortable to say, I tried this product and it’s terrible, or, conversely, This other one was great.”