NetSec Letter #19, 31 May 2002
It's Not Just for Security Guys Anymore

Fred Avolio, Avolio Consulting, Inc., http://www.avolio.com/

[This is based on the keynote address I delivered on 29 May 2002 at the "e-Security Conference and Expo."]

In the beginning was ARPA who, with the help of US tax dollars and lots of smart folks at universities and labs, gave birth to ARPAnet. On ARPAnet, everybody knew everybody else. (And sometimes you want to go where everybody knows your name.) A few years later, corporations saw the potential, started connecting to the Internet, and the need for Internet security was born. Back then security was the job of the local security guru. Back then senior management rarely gave security a thought. Today, as it should have been back then, security must be a priority of an organization's senior management as well.

Why Our Networks Are Insecure

There are many reasons.

Privacy Concerns and Related Risks

If an organization makes use of, gathers, or stores any kind of personal (private) information, management has to understand the related risks. What is the threat of theft of private data as it flows over the Internet? Nearly zero. What is the threat on the inside (local) network? It is greater than zero. How about the threat of theft of private information from a bug-ridden web site? It depends.

That answer, "it depends," is the second most important answer in the security realm (the first being, "I don't know.") In this case, it depends on how secure your servers are. For many people, "not very."

You also need to figure out what the event-cost will be. First, what will it cost your company directly? But then you also have to consider the cost to the individual. The individual risks identity theft, which is a growing problem. This links back to the company in lawsuits (personal and class action), lost trust, etc. So, it can cost you your business. It can cost someone else his life, at least in some sense. Columnist Eileen Ambrose writes in the May 19, 2002, *Baltimore Sun*, "On average it takes a victim 18 months to clear up an identity theft case and $1,100 in out-of-pocket expenses...." Businesses must protect the privacy of Internet customers for all sorts of related reasons, including the most obvious one: it is the right thing to do. (See "The Golden Rule" as related in the Bible, Matthew 23:39.)

In a Computerworld column on May 28, 2001, "Data Privacy Issues Key to Global Business, Panel Says," Kathleen Melymuka wrote, "Companies interested in doing business globally must take data privacy issues very seriously because even one slip-up could be devastating to their corporate images…"

Solutions

There is nothing new here. On the technology side, nothing much has changed in the past 10 years. You use firewalls to control access. Web and application servers must be properly configured and maintained, with all relevant security patches applied. (Note to senior management: these devices need knowledgeable people to support them.)

You also need to plan. I've written about this before (see references below). Any technology must be under-girded with policy and procedures. And senior management must back them up. Security is not optional; it never was, but we got away with treating it as optional in the past. If you get this wrong, your business could be destroyed. Someone's life could also be wrecked.

Management's Part

In a class I teach, I go through something called "The Top 10 Administration Mistakes," and 5 to 7 of them touch on senior management. All can be fixed if management is willing.

  1. No or outdated security policy. I mentioned this earlier. We all have our reasons, and they are all similar. We don't know how to start. We want to get it right. We don't have the resources (staff, money, time) to get to it.
  2. Lack of senior management "buy-in." Often senior management does not understand the expense, the event costs, the potential liability, or risks. Sometimes they remember the last big expense, and so to senior management, "firewalls" and "security" are equivalent terms. ("Didn't we spend money to secure our network last year?")

    In 2001, someone posted this to the "firewall-wizards" mailing list:

    Is there anybody out there that can help me get some configurations right on our new Gauntlet firewall? I have never configured a firewall before and have not had training and this is very important to our company so I am feeling the pressure here. Any help would be appreciated!

    I posted the following reply,

    Can anyone out there help me learn to drive an 18 wheeler? I was hired to do this, and I have a truck supplied by my company. I have a driver's license for an automobile, but I've never driven a big rig before, nor have I had any training in one. It is very important to my company that I get this right, and I have to start a cross-country run on Wednesday. Any help you other drivers can offer in your spare time as you pass through will be greatly appreciated.
  3. Propping the door open, and later forgetting to close it. People ask for changes to the network security perimeter all the time. Sometimes it is "just for this one thing." "I will call you when this important customer demo is over." The needs of the urgent take over. Does senior management allow this tyranny of the urgent, or do they support the security policy?
  4. Exceptions. Too many people need too many special Internet services. Too many want the security policy changed. They ask for exceptions to the policy. Does senior management support a need for security that is in equilibrium with business requirements?
  5. The "big boss" problem. Senior management personnel sometimes tend to be the worst offenders. Like everyone else their top priority is getting their job done, but they have the power to command instant modification to operational procedures. "I'm working from home and forgot the login password. Change it to last month's." "I can't figure this e-mail encryption software out, so I won't use it." "Oops... I lost my notebook PC."
  6. Services before vulnerability assessments. People ask for things they "need." Do they need them? What are the security ramifications? Are security requirements in balance with business requirements?
  7. Wants disguised as requirements. And solutions disguised as requirements. "I need NetMeeting" is not a requirement. "I need port 2092 allowed through the firewall," is not a requirement. "I need access to my 'hotmail' account when at work," is not a requirement. Does senior management understand the differences? Are they part of the solution, or part of the problem?
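Items 3, 4 and 7 all come down to perimeter exceptions that nobody tracks: the "just for this demo" rule that never gets closed, or the port opened with no recorded business requirement. One way to catch those is to keep an exception register next to the firewall policy and audit it on a schedule. The following is an added example, not from the newsletter or any firewall product; the register format and sample rules are constructed for illustration.

```python
from datetime import date

# Constructed sample exception register (not from the newsletter), one rule per line:
# rule_id | service | owner | stated business requirement | expires (ISO date or 'permanent')
SAMPLE_REGISTER = """\
R-01|tcp/443 |web-team|public web site          |permanent
R-02|tcp/2092|j.doe   |customer demo            |2002-05-20
R-03|tcp/1503|        |NetMeeting               |permanent
R-04|tcp/3389|k.lee   |vendor remote support    |2002-06-30
"""

def parse_register(text):
    """Parse the register into dicts; 'expires' is a date, or None for permanent rules."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rule_id, service, owner, requirement, expires = (f.strip() for f in line.split("|"))
        rules.append({"id": rule_id, "service": service, "owner": owner,
                      "requirement": requirement,
                      "expires": None if expires == "permanent" else date.fromisoformat(expires)})
    return rules

def audit_register(text, today_iso):
    """Return (rule_id, finding) pairs for rules that violate the exception policy:
    a temporary exception past its expiry date is a door that was propped open and
    never closed; a rule with no owner or no stated requirement cannot be reviewed."""
    today = date.fromisoformat(today_iso)
    findings = []
    for r in parse_register(text):
        if r["expires"] is not None and r["expires"] < today:
            findings.append((r["id"], "temporary exception expired on %s but is still open" % r["expires"]))
        if not r["owner"]:
            findings.append((r["id"], "no owner recorded; nobody to ask whether it is still needed"))
        if not r["requirement"]:
            findings.append((r["id"], "no business requirement recorded"))
    return findings

if __name__ == "__main__":
    # Run the audit as of the newsletter's date; R-02 and R-03 should be reported.
    for rule_id, finding in audit_register(SAMPLE_REGISTER, "2002-05-31"):
        print("%s: %s" % (rule_id, finding))
```

Whether a recorded "requirement" is really a requirement rather than a want (item 7) is still a human judgement; the register only makes sure that judgement is written down and revisited.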

With growth in business use of the Internet, computer and network security is no longer an after-thought. Still, today, many organizations think that it is mostly the job of the security professional. While "security is everybody's business" is a fine slogan, from a business perspective it is the job of senior management to support it as well as they support sales, marketing, or other areas. Supporting security is an obligation for any company or government agency doing business on the Internet.

##

Promotions, Self and Otherwise

There is a new column on my web page, previously published for WatchGuard Technologies. "Using Your Firebox's Optional Interface," ( http://www.avolio.com/columns/OptionalInterface.html) is Firebox-specific, but useful for anyone who is thinking of putting in a DMZ (service network).

I will be speaking at CSI's "NetSec 2002" conference in San Francisco the week of June 16. Please see http://www.avolio.com/calendar.html for details and descriptions. See http://www.gocsi.com/ to get a catalog. And please stop by and say hello.

Previous writing about security planning:

I recommend the May 15, 2002 CRYPTO-GRAM ( http://www.counterpane.com/crypto-gram.html) for a good discussion about "Secrecy, Security, and Obscurity."

News articles about identity theft: