Home page logo

isn logo Information Security News mailing list archives

Not So Secure? It's a great time to be a security expert...
From: Kelley Walker <kwalker2 () gte net>
Date: Tue, 26 Jun 2001 12:51:57 -0400

:)  This caught my eye as I was scanning the infosec news:

Not So Secure?

  June 11, 2001
  By Maria Schafer

It's a great time to be a security expert. In the wake of widely publicized hacker attacks and the infamous Melissa and Love Bug viruses that wreaked serious damage on corporate networks worldwide, network-security groups are getting unprecedented attention and budgets from senior management.

The risk of an attack increases as companies add more remote workers, electronic-commerce projects and applications, such as e-learning. About 75 percent of U.S. organizations have experienced a significant information-security breach in the past year, according to Meta Group research. Now some big organizations have established a new high-level security position: the CISO (chief information security officer), who reports directly to the CIO and, in some cases, to the CEO.

Trouble is, while companies are building the technical infrastructure for creating secure systems and networks, many are doing so without instituting the processes, procedures and training for their IT and other employees on the front lines of security management. Even with enforcement centralized into a single group, the actual administration of security, such as the daily moves/adds/changes required for users to access systems, is typically the responsibility of the network administrator. The network administrator is most likely to be in charge of securing systems, including firewalls, VPNs, authentication servers, extranet directories and PKIs (public key infrastructures), for instance.

The bottom line is that the network administrator is not a security specialist. If a company wants to deploy its network administrator this way, it also needs to train him or her in security software, processes and procedures. It needs to develop security-management policies that are common across the organization and applied consistently for password updates and for adding or deleting user accounts, for example.

But because network security is relatively new and lacks experienced individuals, most groups are understaffed. So they off-load security administration to the network administrator. About half the network administrators surveyed recently by the Meta Group say they are responsible for security. Smaller organizations, not surprisingly, lean more heavily on their network administrators for security: nearly half of organizations with 1,000 to 5,000 employees use their network administrators as security staff, and more than one-third of organizations with more than 5,000 employees use their network administrators for this role, according to Meta Group research.

A better solution is to add a network security administrator to handle day-to-day security tasks and issues instead of overloading the network administrator. If the network administrator isn't trained to handle security breaches, the result can be devastating. Take one major Northeast insurance firm, which had procedures for password requests and access to its e-mail system. Disseminating information about potential viruses was a standard function of the insurance company's network administrator, and he regularly reviewed and updated virus definitions. But the day the Love Bug virus hit the company, he was out of the office. Although reports about the Love Bug virus had appeared in newspapers before the attack, the administrator was unaware of it, so management and the IT staff weren't notified of the risk. It was too late when the virus was finally discovered in the company's network. Other network staffers were too busy fighting fires -- down servers and other network problems caused by the virus -- to take control of the situation. The moral is that you need a thorough contingency plan for when the network administrator is out of the office and an emergency hits.
Recipe for Disaster

Often, companies run their security operation on two levels. The senior security manager, such as the CISO, is responsible for collecting and reviewing business requirements and "selling" upper management on the types of security systems and processes the company needs. This security professional also develops security policy, in cooperation with representatives from the business units.

The second level is the security staff -- which is often the network administrator, or security managers, who work with IT groups to embed security standards within the technical infrastructure. The network administrator handles day-to-day password changes and other user account tasks.

This split in the security policy and implementation can lead to disaster. The security manager, not the network administrator, should oversee things like regular password changes across all security services at the same time to reduce end-user confusion and forgotten passwords. He or she also should ensure that password standards are maintained across the organization and that user accounts are added or deleted from all system resources, not just some. The security manager and staff should handle security reporting, logging and audits (firewall scans, password checks) to ensure proper compliance. All too often, however, the network administrator handles these tasks -- without adequate preparation or training.

The key is for the network side of the house to incorporate security elements at the start of an upgrade or other projects. That means working closely with the security manager.

And effective security is not the sole responsibility of the security domain team or the CISO, either: Companies need to ensure that all employees are responsible for some aspects of security. The central security group should develop a general strategy based on conceptual and technical architecture principles and then apply it to the entire IT infrastructure. The job of end users is to create unique user IDs/passwords based on the company's password policy and standards. Even end users need some training; all the security technology in the world won't work if users act carelessly, e-mailing a proprietary document over the Internet without encryption or creating an easily guessed password.

When you define and implement security policies, some due diligence goes with them -- communicating them clearly through presentations, not cryptic memos and publishing security policy on intranets, for instance. Security policy should be part of new employee orientation, too.

Close to Home

Global 2000 organizations traditionally haven't outsourced their security operations, because they mistrust service providers and are concerned about confidentiality and performance. Security's increasing clout in most IT organizations and the scarcity of security professionals that speak fluently in information security and business initiatives have prompted some organizations to pay CIO-level salaries to CISOs. Headhunters specializing in information security professionals have also started to appear.

The high demand for these skills has created a significant market for information security training and certification, as organizations look to educate and develop security people from within. Programs from training organizations such as the SANS Institute, MIS Training Institute and the Information Systems Security Association are proliferating.

Most organizations should not outsource the responsibility for security. It's important to retain ownership of these functions in-house. The exceptions are vulnerability assessment and infrastructure design. There's plenty of pressure to hire outside talent because of a lack of personnel, but Meta Group discourages turnkey security outsourcing.

Meanwhile, there aren't enough people in the organization with the proper training and knowledge about security to defend against intrusions and problems. This will change, however, as the technology matures with more proactive tools, and security experts are "grown" within the organization. But for now, security administration still will be delegated to the network administrator, and the central security group -- in charge of policy -- needs to step up and ensure consistent administration across all systems.

Maria Schafer directs human capital management research at Meta Group, an information technology research and advisory services firm based in Stamford, Conn. Send your comments on this article to her at careers () nwc com
Kelley Walker
Organizational Researcher/Technical Writer
Interpact, Inc. Security Awareness

Interpact sponsors InfowarCon, 9/5-6, Washington, D.C.

ISN is hosted by SecurityFocus.com
To unsubscribe email isn-unsubscribe () SecurityFocus com

  By Date           By Thread  

Current thread:
  • Not So Secure? It's a great time to be a security expert... Kelley Walker (Jun 27)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]