How to Rope In Rowdy Technologies

Growing up, a friend of mine would cite entropy as the reason for never cleaning her room. After all, if the universe inexorably trends toward chaos and all systems eventually dissolve into disorder, what’s the point of picking up a T-shirt or putting away a board game? It was an ingenious, if usually ineffective, application of scientific theory. It’s also one that I suspect many CSOs can relate to as they confront the growing complexity of new technologies and its anarchic effect on their best-laid security plans.

Historically, the discovery of new security vulnerabilities has always outpaced the CSO’s ability to respond, but CSOs are now forced to play catch-up on a second front as well. Not only are hacking tools and exploits lapping the security organization’s efforts, the rapid development of presumptively useful technology is itself leaving CSOs scrambling to maintain order. Instant messaging (IM) and file-sharing programs proliferate almost virally, disguising themselves as Web traffic to zoom through firewalls unimpeded; and employees with the high-tech itch frequently purchase their own PDA and wireless local area network (WLAN) to access the corporate network with little thought to the security consequences. The CSO’s challenge: to exert some semblance of control over all this chaos.

In this story we take a look at four technologies that security organizations have admitted to struggling with. CSO talked to chief security officers and industry experts about the security and management challenges these technologies present and gleaned their best advice for reining in the chaos and balancing the business benefits of technology with the necessary controls of a solid security strategy.

The majority of these technologies illustrate a frightening truism for CSOs: The concept of the perimeter is dissolving. The idea that you could build a wall and control everything on the inside and keep disruptive elements on the outside has fallen from favor. The Webthat original disruptive applicationis now pervasive. CSOs need to find ways to assert some control. Good security is not about secure technologies; it’s about good administration, effective policy development, smart risk management and consistent auditing to test against the objectives.

The problem in all these cases is that when business units or executives become enamored of a particular technology, many CSOs lack the mandate to deny it to them. Security executives have a fine line to walk. You will see that some CSOs are able to issue blanket bans on technologies while others must negotiate a compromise with business users. Chris Byrnes, a vice president and analyst who tracks security for the Meta Group, suggests that CSOs take the tack of evaluating technologies in terms of how they serve the needs of the business, and then find the balance between achieving a business benefit and achieving good security. “It has to be dynamic; it has to be negotiated,” says Byrnes. “Security officers who try to dictate to the business what they can and can’t use are not going to keep their jobs.”

In the spirit of career longevity enhancement, then, we offer this quartet of nettlesome technologies and some coping strategies for keeping them in order.

Web Services

Commerce is about letting people in, not keeping people out, so it shouldn’t be surprising that the latest trend in technology creates a pipeline right through the firewall into some of your company’s most sensitive applicationsall in the name of cost savings and efficiency.

But it’s not people who are being admitted into the sanctum; it’s bits of executable code made available using Web services. Web services are Web-based applications that use open standards such as SOAP (simple object access protocol), XML and HTTP to glue together different computer systems and applications that otherwise would not be able to communicate. That allows companies to build distributed Web applications and to take advantage of services already out on the Internet instead of having to build their own. For example, if company A wants to build a travel site for its employees and company B happens to have a terrific vacation booking service, A can build its site using B’s booking feature instead of having to spend time and money building its own. Web services allow those disparate Web applications to talk to one another, presenting what appears to be a cohesive whole to the user.

However, while Web services may offer enormous opportunities for improved efficiency, it also raises huge concerns for CSOs who suddenly find that they have some of their most critical applications hanging out on the Internet unsecured. Because those apps have so many lines of code and are generally not written with security in mind, they are among the most difficult IT assets to secure. The problem is compounded by the fact that CSOs often don’t know about Web services projects until they are well along or completed, and because these applications that are being stitched together have their own individual security attributes, which can be uneven at best and in some cases rife with holes. “People are going to Web services to get faster delivery and completion of applications,” says Byrnes. “So you can see that while the developer could increase his workload by building in security [up front], the tendency is not to do that.”

Earlier this year, Adrian Lamo, a so-called white-hat hacker, hacked his way into a Web service on The New York Times intranet. During that escapade he was able to access a number of the company’s databases, including one that contained the Social Security and home phone numbers for 3,000 of the paper’s op-ed contributorsamong them actor Robert Redford, commentator Rush Limbaugh, former President Jimmy Carter and even hip-hop artist Queen Latifah. Though Lamo revealed the flaw to The Times rather than selling the information, imagine the repercussions if an individual with malicious motives took a similar stroll through your company’s most valuable data.

It’s a problem that Bill Spernow, CISO for the Georgia Student Finance Commission (GSFC), has tried to minimize by ensuring that security is top-of-mind among his organization’s developers. “I would classify middleware right now as the most unexplored security risk that most corporations and agencies have in their infrastructures,” says Spernow, noting that there are no tools available to explore the coding structure for holes and no ability to monitor proces-ses to know when a security-based problem occurs. His solution has been to send GSFC programmers through hacking courses in order to make them aware of the various security vulnerabilities that they can create in their work and to show them how those holes are exploited. Later, that knowledge is also shared with the remaining staff.

To avoid nasty surprises, Ted Doty, director of product management with Okena, an intrusion prevention software vendor, suggests that CSOs be aggressive about staying informed. “I’d get my nose in all those meetings with the server guys,” he says. “What are they doing about the next big generation of SOAP and XML? Are they even thinking about security? You’ve got to get involved in all these discussions before you wake up and find [some new application] out there on 10,000 machines.”

Peer to Peer

As with Web services, the danger of peer-to-peer technologiesapplications in which users can use the Internet to exchange files with each other directly or through a mediating serveris that they cruise right through the firewall. However, the problem is complicated by the fact that the CSO isn’t just dealing with a relatively small team of Web developers; he’s trying to affect the behavior of every employee in the company. It’s a situation that EDS’s London-based Chief Security and Privacy Executive Paul Clark is all too familiar with.

In May, Clark sent out a memo to all employees serving notice that the company would begin blocking access to all Internet instant messaging sites because of the security risks IM poses to the company’s network and its clients. Within a week, Clark had to modify the ban. Executives who had been using IM as a cheap, high-touch means of communicating with customers balked at the ban. Moreover, the cost of securing IM traffic was found to be prohibitively high. In light of these realities, Clark had to rethink an outright ban.

Many file-sharing applications, such as Napster and Gnutella, and IM programs, such as AOL Instant Messenger and MSN Messenger, are designed to actively subvert the firewall and other security controls that organizations have put in place. “These apps are usually written in such a way that they’re very determined to get the message through,” says Shawn Hernan, team leader for vulnerability handling at The CERT Coordination Center. “In most instances they don’t provide any security of the message, don’t protect it from observation in travel; there’s no integrity, no privacy, no digital signatures.” The programs tend to be installed by the nonsecurity conscious (read: your average employee), and applications are frequently out of date, contain a range of vulnerabilities and create a situation for CSOs in which an unknown number of messages traverse their networks in clear text. This is a security executive’s nightmare.

In order to work effectively, IM needs to pass through open ports. So IM systems wrap communications up to look like Web traffic, enabling them to enter the port unnoticed by the firewall or virus-scanning software. That makes IM susceptible not only to viruses but to social engineering tactics. Users are tricked into downloading malicious software that lets intruders use their systems as a platform for launching denial-of-service attacks.

Security vendors have come up with a number of possible solutions to the IM problem. Some vendors, such as IM-Age Software, add a layer of authentication and encryption to public services like Yahoo and MSN Messenger. Others, such as Jabber, offer their own IM platforms that can be used alone or with public IM services, as well as dedicated IM servers that companies can deploy and manage behind their own firewalls. So CSOs must consider whether they want to control, ban, regulate or simply endure the risks posed by IM and file sharing.

But, as Clark learned, once you’ve let the kids into the candy store, it’s not so easy to get them out. EDS decided to designate its own secure port for IM services and to limit the program’s use only to certain individuals with a high need for IM capabilities; all other access to IM and non-EDS file-sharing programs is blocked. “It’s not a negative thing,” says Clark of the IM trend. “It’s what the information world is about. Everyone’s clamoring for freedom of access to information. But it has to come with controls.”

For companies that do want to block rather than regulate IM, it’s not always that easy. IM and file-sharing programs are being designed with increasing intelligence and cloaking skills. They can masquerade under different protocols and test different ports until they find one that will let them in. Short of a total ban, the best thing that a CSO can do is to help users understand why these products can be dangerous.

CISO Spernow has mandated that every new nonprogramming employee at his organization must undergo four hours of computer crime and hacking awareness training so that they can understand the drivers behind computer crime and how their own behavior can contribute to the problem.

Hernan, too, suggests an active rather than passive approach. “Clearly articulate your policy, don’t just let [violations] happen, and be forced to respond,” he says. As with many of these technologies, forming a policy around IM and file sharing is essentially a risk-management decision. CSOs must decide what level of risk they are willing to accept in exchange for what degree of enhanced business value. Based on that they should make the call and then educate users about it.

Wireless

A lot has been written about the security flaws of wireless networks, and you’ve probably heard the tales of the enterprising hacker who can sit on a park bench in the heart of the financial district and tap into dozens of wireless networks. But for CSOs the challenges of wireless are only getting larger as the holes in security go unpatched, and employees either demand greater wireless connectivity or surreptitiously achieve it on their own.

“Wireless is robustly insecure,” says Bruce Schneier, author, cryptographer and CTO of Counterpane Internet Security, a security-management service provider. “The only way to look at wireless is to assume that it’s completely insecure.”

Bob Degen is the former supervisor of the financial crimes unit for the U.S. Secret Service, where he additionally served on protective detail for presidents Nixon, Reagan and Bush. Currently he is senior vice president for corporate security of First Data (the parent company of Western Union), where he has seen proof of wobbly wireless security. A high-placed executive at the company bought himself a WLAN and, despite Degen’s numerous warnings about the security problems, was bound and determined to use it. After a business trip to Paris, he came to Degen and apologized for having ignored his warnings. The executive sheepishly went on to explain that he had been on his WLAN in the hotel, had turned it off, but was puzzled when a light indicated that he was still connected to the network. It turned out that a guy two rooms down had been on a WLAN as well and the lines had gotten crossed. Each had become connected to the other company’s LAN, and the light was on because the other guy was still on First Data’s network.

The standard security protocol for wireless is WEP (wired equivalent privacy), and since its release in 1997 a number of flaws have been found that allow anyone with the right tools to break the encryption. Even the example of the hacker on the park bench is out of date. By using increasingly powerful receivers and transmitters, it’s now possible to break into a wireless network from as far as 10 miles away. According to one vendor, a telecom customer that realized its exposure even went so far as to put special windows into its new facility to block transmitters and protect internal wireless communications. It had to evaluate up to six window systems before it found one it couldn’t transmit across. But for most companies, security-driven window replacement is an unattainable and expensive luxury.

This is not the only problem that wireless presents. Like Degen’s executive who was determined to use his wireless LAN out of the office, employees can easily set up their own WLAN access points within the company walls. WLANs use wireless network cards and small boxesthe size of a CD driveas network access points. They can easily be tucked in a drawer or under a desk. Whether they are set up by an employee who wants to e-mail during meetings or by a hacker looking to establish 24/7 access to your network, it is virtually impossible for CSOs to find them.

While security experts such as Schneier contend that wireless will never be secure, others see hope. “Well-implemented end-to-end cryptography or a virtual private network offers strong protection against certain kinds of attacks,” says Hernan. While he cautions that there are other kinds of attacks for which these solutions may not work, he believes that “most organizations would be well served to use end-to-end security or a VPN as part of a strategy for securing a wireless network.” The biggest problem with wireless security systems is that many companies aren’t bothering to use them. An informal 2001 Gartner survey found that more than 60 percent of companies operating wireless networks didn’t even have WEPthe most basic security that comes packaged with a wireless LANturned on.

But one thing that CSOs need to educate their executives about is that while it is possible to conceal specific content, the fact that person X is having a conversation with person Y can’t be hidden. This creates a scenario similar to one in which White House reporters see 20 pizzas being delivered to the West Wing at 2 a.m. and conclude that something big is brewing. At times, the very fact that communication is taking place at all can become a security breach. For example, a flurry of text messages between execs at two rival banks could signal that a long-rumored merger is in the works.

Although CSOs can controlor at least have significant input intocompany-sponsored wireless installations, the greater vulnerability may come from employees, like Degen’s executive, who go out and set themselves up on wireless. While it is a must to create and enforce strong policies, Degen also advocates a touch of humiliation as an effective deterrent. “I didn’t get to where I was because I’m such a persuasive guy,” he says. “We have a saying in my group that ‘adversity is my friend.’ When something bad happens, jump on it, make a big example out of it, don’t hide it.” When a bank or government group comes in and gives First Data a bad security audit, Degen believes in making it public within the organization to increase the pressure on business units and employees that might be tempted to ignore a security mandate. “Look at what’s at risk,” he says. “Take advantage of bad things and parlay them into as much as you can get.”

Many CSOs might be horrified at the idea of tarnishing their own reputation within the company by exposing security flaws, but Degen plays the strong security mandate he’s been given for all its worth. When it was recently discovered that a facilities executive was flouting the company’s security policy by letting his employees use a loading dock door instead of the employee card-reader turnstiles, Degen organized a sting operation. He asked an employee from the company’s Tulsa, Okla., office (a stranger at the company’s Colorado headquarters) to piggyback on facilities employees going in and out through the dock doors. Time after time employees let him in, even though nobody knew who he was. Degen wrote up a ticket for every violation.

“I’m going to take all 30 of these tickets and throw them on [the facilities executive’s] desk,” he says. “Then I’m going to hold a remedial security class for all his people, and it’s going to be long and gruesome.”

Portables

PDAs and cell phones are becoming central tools in the organizational communications infrastructure. And as the computing power of these devices has increased, CSOs have seen the big security wall around their systems crumble. Now they struggle with the problem of how to control the usage and ensure the security of these new digital mobile assets.

The ease of use and mobility of portable devices have increased dramatically in the past five years, but as Byrnes points out, that’s not always a good thing. “Data stored on any handheld device is even more mobile than a stolen laptop,” he says. “For devices that communicate via wireless, the ability to steal or alter the data is a significant risk.” The solution is encryption, he says. “If critical data must be stored, it must be encrypted; and if critical data must be communicated, it must be strongly encrypted.”

However, the current generation of hardware devices is not powerful enough to support strong encryption, and only in late 2002 will a new generation of devices hit the market with a processor architecture robust enough to be truly secure.

That offers little hope for CSOs whose enterprises are already flooded with these devices. Frustrated with the lack of security, Degen ruled that employees could not use PDAs and wireless modems to connect to First Data’s systems. He notes that the decision is still a sore point with executives but was necessary because the company handles too much sensitive information to allow those kinds of holes to exist. “All we need is to lose 373 million credit card numbers,” he says. “Western Union has 9 billion transactions per month. What if somebody was listening to those?”

At EDS, Clark has dealt with the issue by ensuring that every system that dials in to the networkwhether it’s a home PC or a PDAgets an automatic download of virus control software. By putting controls at the access points, Clark can cut off any messages that might contain a virus.

As CISO of Contra Costa County in California, Kevin Dickey has the added burden of not only protecting these devices but ensuring that taxpayer funds aren’t being wasted when they’re bought. He is now in the process of working with all the county’s department heads and elected officials to develop a policy that governs their usea process that he knows won’t earn him any friends. As in other organizations, the problem in Contra Costa County is that many employees purchase PDAs themselves. Consequently, there’s no way for Dickey to know how they’re being used or what kind of information is being loaded. “Allowing employees to put county assets on a PDA gives me heartburn from a security perspective,” says Dickey.

If economically feasible, one heartburn-avoidance strategy would be for companies to provide the devices to employees as a means of gaining an added layer of control. That way the CSO can make sure all such devices include appropriate security and are properly configured.