Information Security News
mailing list archives
Not So Secure? It's a great time to be a security expert...
From: Kelley Walker <kwalker2 () gte net>
Date: Tue, 26 Jun 2001 12:51:57 -0400
:) This caught my eye as I was scanning the infosec news:

Not So Secure?
June 11, 2001
By Maria Schafer

It's a great time to be a security expert. In the wake of widely publicized
hacker attacks and the infamous Melissa and Love Bug viruses that wreaked
serious damage on corporate networks worldwide, network-security groups are
getting unprecedented attention and budgets from senior management.

The risk of an attack increases as companies add more remote workers,
electronic-commerce projects and applications, such as e-learning. About 75
percent of U.S. organizations have experienced a significant
information-security breach in the past year, according to Meta Group
research. Now some big organizations have established a new high-level
security position: the CISO (chief information security officer), who
reports directly to the CIO and, in some cases, to the CEO.

Trouble is, while companies are building the technical infrastructure for
creating secure systems and networks, many are doing so without instituting
the processes, procedures and training for their IT and other employees on
the front lines of security management. Even with enforcement centralized
into a single group, the actual administration of security, such as the
daily moves/adds/changes required for users to access systems, is typically
the responsibility of the network administrator. The network administrator
is most likely to be in charge of securing systems, including firewalls,
VPNs, authentication servers, extranet directories and PKIs (public key
infrastructures), for instance.

The bottom line is that the network administrator is not a security
specialist. If a company wants to deploy its network administrator this
way, it also needs to train him or her in security software, processes and
procedures. It needs to develop security-management policies that are
common across the organization and applied consistently for password
updates and for adding or deleting user accounts, for example.

But because network security is relatively new and lacks experienced
individuals, most groups are understaffed. So they off-load security
administration to the network administrator. About half the network
administrators surveyed recently by the Meta Group say they are responsible
for security. Smaller organizations, not surprisingly, lean more heavily on
their network administrators for security: nearly half of organizations
with 1,000 to 5,000 employees use their network administrators as security
staff, and more than one-third of organizations with more than 5,000
employees use their network administrators for this role, according to Meta

A better solution is to add a network security administrator to handle
day-to-day security tasks and issues instead of overloading the network
administrator. If the network administrator isn't trained to handle
security breaches, the result can be devastating. Take one major Northeast
insurance firm, which had procedures for password requests and access to
its e-mail system. Disseminating information about potential viruses was a
standard function of the insurance company's network administrator, and he
regularly reviewed and updated virus definitions. But the day the Love Bug
virus hit the company, he was out of the office. Although reports about the
Love Bug virus had appeared in newspapers before the attack, the
administrator was unaware of it, so management and the IT staff weren't
notified of the risk. It was too late when the virus was finally discovered
in the company's network. Other network staffers were too busy fighting
fires -- down servers and other network problems caused by the virus -- to
take control of the situation. The moral is that you need a thorough
contingency plan for when the network administrator is out of the office
and an emergency hits.

Recipe for Disaster

Often, companies run their security operation on two levels. The senior
security manager, such as the CISO, is responsible for collecting and
reviewing business requirements and "selling" upper management on the types
of security systems and processes the company needs. This security
professional also develops security policy, in cooperation with
representatives from the business units.

The second level is the security staff -- which is often the network
administrator, or security managers, who work with IT groups to embed
security standards within the technical infrastructure. The network
administrator handles day-to-day password changes and other user account tasks.

This split in the security policy and implementation can lead to disaster.
The security manager, not the network administrator, should oversee things
like regular password changes across all security services at the same time
to reduce end-user confusion and forgotten passwords. He or she also should
ensure that password standards are maintained across the organization and
that user accounts are added or deleted from all system resources, not just
some. The security manager and staff should handle security reporting,
logging and audits (firewall scans, password checks) to ensure proper
compliance. All too often, however, the network administrator handles these
tasks -- without adequate preparation or training.

The key is for the network side of the house to incorporate security
elements at the start of an upgrade or other projects. That means working
closely with the security manager.

And effective security is not the sole responsibility of the security
domain team or the CISO, either: Companies need to ensure that all
employees are responsible for some aspects of security. The central
security group should develop a general strategy based on conceptual and
technical architecture principles and then apply it to the entire IT
infrastructure. The job of end users is to create unique user IDs/passwords
based on the company's password policy and standards. Even end users need
some training; all the security technology in the world won't work if users
act carelessly, e-mailing a proprietary document over the Internet without
encryption or creating an easily guessed password.

When you define and implement security policies, some due diligence goes
with them -- communicating them clearly through presentations, not cryptic
memos, and publishing security policy on intranets, for instance. Security
policy should be part of new employee orientation, too.

Close to Home

Global 2000 organizations traditionally haven't outsourced their security
operations, because they mistrust service providers and are concerned about
confidentiality and performance. Security's increasing clout in most IT
organizations and the scarcity of security professionals that speak
fluently in information security and business initiatives have prompted
some organizations to pay CIO-level salaries to CISOs. Headhunters
specializing in information security professionals have also started to

The high demand for these skills has created a significant market for
information security training and certification, as organizations look to
educate and develop security people from within. Programs from training
organizations such as the SANS Institute, MIS Training Institute and the
Information Systems Security Association are proliferating.

Most organizations should not outsource the responsibility for security.
It's important to retain ownership of these functions in-house. The
exceptions are vulnerability assessment and infrastructure design. There's
plenty of pressure to hire outside talent because of a lack of personnel,
but Meta Group discourages turnkey security outsourcing.

Meanwhile, there aren't enough people in the organization with the proper
training and knowledge about security to defend against intrusions and
problems. This will change, however, as the technology matures with more
proactive tools, and security experts are "grown" within the organization.
But for now, security administration still will be delegated to the network
administrator, and the central security group -- in charge of policy --
needs to step up and ensure consistent administration across all systems.

Maria Schafer directs human capital management research at Meta Group, an
information technology research and advisory services firm based in
Stamford, Conn. Send your comments on this article to her at careers () nwc com

Organizational Researcher/Technical Writer
Interpact, Inc. Security Awareness
Interpact sponsors InfowarCon, 9/5-6, Washington, D.C.

ISN is hosted by SecurityFocus.com
To unsubscribe email isn-unsubscribe () SecurityFocus com