TechWeb

Security Action Plans

May 29, 2005 (08:05 PM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=163701629

Centralization, automation, problem prioritization--many IT-security professionals are embracing those concepts as they fight off the never-ending onslaught of threats. Security products can help businesses stem the flood of vulnerabilities, but IT teams also have to put in place processes to ensure that they're responding appropriately and being proactive in warding off potential dangers. Fact is, some companies spend too much on some parts of their organization and not enough on more-vulnerable areas.

Security pros are under increasing pressure to do the job right and cost-effectively as networks extend beyond firewalls to remote users, partners, and customers, and to cell phones, PDAs, and other mobile devices; regulatory requirements to safeguard data have risen; and concerns about identity theft are at an all-time high. Hackings and other unauthorized access contribute to the approximately 10 million instances of identity theft each year in this country, according to the Federal Trade Commission. "How sensitive is a company about being on the front page of the paper?" asks Pete Lindstrom, founder and analyst at Spire Security. InformationWeek and others have reported on a rash of cases involving inadequate security and poor handling of customer data. "If the value of assets is high, companies should follow security best practices," Lindstrom says.

To understand how companies are managing it all, InformationWeek interviewed business-technology professionals on the front lines to see how they're handling some common security issues. From the higher-level picture of risk management to the nitty-gritty details of patching, here's how they do it.

Start With A Master Plan
It doesn't make sense to spend $10,000 to protect a $10 asset. That's the way Christofer Hoff, chief information security officer at Western Corporate Federal Credit Union, sees it. Every security-remediation plan requires knowing how important a specific asset is to the company before time and money are spent securing it. For example, an E-commerce server that brings in millions of dollars in sales is more important than a print server, so it's higher on the fix and secure lists.

CISO Christofer Hoff worked with business-unit managers to set security priorities.

It's all about intelligently managing risk, rather than knee-jerk reactions to the multitudes of threats, Hoff says. Instead of looking for "some Holy Grail security-management product," he set priorities with business-unit managers. Some of the questions they discussed: What would the impact to the business be if the main E-commerce server were compromised? And what exposure would the business suffer if it couldn't process millions of dollars in transactions? "Our business units define what's needed to stay online," he says.

For many businesses, implementing a risk-management plan should be at the top of their security to-do list, says Jon Oltsik, an analyst at Enterprise Strategy Group. But few have taken that step, he says. Instead, the most common reaction to a new threat is to buy more technology. "It's like you're sick, but you just buy medicine instead of going to the doctor," he says.

SECURITY SITES
Stay up to date on vulnerabilities, research, and more:

» www.sans.org
IT security research and education organization the SANS Institute offers research about security best practices, vulnerabilities, training information, and Webcasts.

» www.securityfocus.com
A vendor-neutral security information Web site owned by Symantec Corp. that provides information about the latest security threats and best practices, job postings, free security tools, and listings of upcoming security-related events. The Web site also contains links to some of the best security-related mailing lists, such as BugTraq.

» www.cert.org
The CERT Coordination Center, a federally funded security research and development center, posts information about vulnerabilities, attacks, defenses, and various security stats.

» www.Cybercrime.gov
Computer-crime Web site run by the Computer Crime and Intellectual Property division of the U.S. Department of Justice. This site links to recent computer-crime cases, cyberlaw, and federal laws and policies regarding hacking and intellectual-property crime.

» www.patchmanagement.org
The PatchManagement mailing list is aimed at security pros and network administrators to help them build solid software-patching procedures and policies. The list is maintained by patch-management experts from vendor companies such as Shavlik Technologies and Microsoft.

Western Corporate Federal uses a number of point products, including software from Skybox Security Inc. for threat exposure and analysis, PatchLink Corp. for patches, and open-source software for intrusion detection. All are integrated with risk-management software from Qualys Inc. called VM, which lets Hoff set and enforce security policies and prioritize responses to threats.

"With vulnerability assessment before, we'd sift through hundreds of pages for the E-commerce server or the print server," Hoff says. "Now Qualys shows us where we're vulnerable in business terms." For example, when Microsoft issues patches for its Windows operating system, the credit union uses Qualys VM to identify the first servers to patch. Other security risk-management vendors include Consul, eEye Digital Security, and Trusecure.
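The prioritization Hoff describes, ranking the same patch higher on a revenue-critical server than on a print server, can be written down as a small scoring routine. This is an added illustration, not code from the credit union or from Qualys; the asset values, advisory labels and scan findings are constructed, and the scoring weights are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_value: int   # 1 (low) .. 10 (revenue-critical); agreed with business units


@dataclass(frozen=True)
class Finding:
    asset: str
    advisory: str         # placeholder labels, not real advisory ids
    severity: float       # CVSS-style base score, 0..10
    exposed: bool         # reachable from untrusted networks


def risk_score(asset: Asset, finding: Finding) -> float:
    """Business value x technical severity, halved for internal-only hosts (assumed weights)."""
    exposure = 1.0 if finding.exposed else 0.5
    return asset.business_value * finding.severity * exposure


def patch_order(assets, findings):
    """Return (asset, advisory, score) tuples, highest business risk first."""
    by_name = {a.name: a for a in assets}
    scored = [(f.asset, f.advisory, round(risk_score(by_name[f.asset], f), 1))
              for f in findings]
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed sample inventory and scan results (not real data).
ASSETS = [
    Asset("ecommerce-web", 10),
    Asset("file-server", 5),
    Asset("print-server", 1),
]
FINDINGS = [
    Finding("print-server", "ADV-PLACEHOLDER-1", 9.8, False),
    Finding("ecommerce-web", "ADV-PLACEHOLDER-2", 7.5, True),
    Finding("file-server", "ADV-PLACEHOLDER-1", 9.8, False),
]

if __name__ == "__main__":
    # The print server carries the most severe finding but lands last.
    for asset, advisory, score in patch_order(ASSETS, FINDINGS):
        print(f"{score:6.1f}  {asset:15s}  {advisory}")
```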

Manage Access
As far as security technology has come, passwords may still be the weakest link in the security chain. "Passwords are the easiest way in," says Andy Jaquith, an analyst at the Yankee Group. "Bad guys get into accounts and try to escalate to a higher level." There's also potential for rogue employees to attempt to access sensitive data. That leads to an endless cycle where passwords are regularly changed to avoid trouble.

It all adds up to the need to deploy smart identity-management tools and establish savvy practices. At Vitas Healthcare Corp., with a workforce of 6,000 and operations across 15 states, authorized employees enter as many as a half-dozen passwords a day to access multiple databases. While it's important to maintain password discipline to secure customers' health-care data, maintaining and managing the situation creates a drag on the IT department. "Our help desk spends 30% of their time on password management and provisioning," says John Sandbrook, senior IT director at Vitas. The company is changing that using Fischer International Corp.'s Fischer Identity Management Suite 2.0 to manage passwords and comply with data-access regulations such as the Sarbanes-Oxley Act. Vitas implemented the suite last fall, and it expects to cut help-desk time spent on passwords by 25%.

The ID-management product includes automated audit, reporting, and compliance capabilities, and a common platform for password management, provisioning, and self-service. "Any company must have unique user IDs and passwords that change frequently," Sandbrook says. With the software, Vitas can enforce strong passwords that some legacy systems won't require on their own, such as those with seven, eight, or nine characters, numbers, and capital letters. And when Sandbrook does an audit, "I see who changed [password] information with good practices, and I feel assured."

Centralize To Survive
To counter spyware, spam, viruses, and unauthorized network intrusions, companies must consolidate and automate. Sounds simple, but many companies still are recent converts to those practices.

For HNTB Corp., a large architectural and engineering firm, moving to an antivirus product with a central console to manage and impose security policies and monitor employees' system usage has dramatically improved the company's security performance. "We haven't had a major outbreak since we put this in place" nine months ago, information manager Travis O'Dell says. In fact, there have been no outbreaks of any kind. Previously, the company saw two or three over the same time period.

SANS Institute

WHITE PAPERS

The following security white papers are courtesy of The SANS Institute, a cooperative research and education organization. In addition to the following papers, The SANS Institute offers more than 1,500 original computer security white papers across 71 different categories online at www.sans.org/rr/ free of charge.

» A Guide to Discovering Web Application Insecurities, Before Attackers
  Don Williams. Category: Web Servers. Posted: March 9, 2005

» Security Improvement Of A Wide And Heterogeneous Set Of Network Devices: A Global Approach
  Jean-Marc Millet. Category: Network Devices. Posted: February 19, 2005

» Network Security - A Guide for Small and Mid-sized Businesses
  Jim Hietala. Category: Security Basics. Posted: January 26, 2005

» Governmental Effects upon the Cyber Security Decision Making Cycle
  Bruce Norquist. Category: Security Modeling. Posted: March 9, 2005

Before centralization, computer users were responsible for updating their own security software. "Our biggest concern when users updated the security themselves was whether the [new software was] ever really getting loaded," O'Dell says. With McAfee Inc. antivirus software, HNTB sees any PCs that don't have the current software and can push it to those machines as needed. "We're updating clients, and it's safe," O'Dell says. "End users should just know that they're protected."

They do at the AAA Reading-Berks office in Pennsylvania. The auto club's IT director, Peter Wallace, attacks spyware and viruses--which often enter a network as spam--in the same manner, by letting automated tools spot and fix problems. When spyware entered the vernacular, Wallace drew on his experience dealing with viruses to help shape his approach. A server in his office goes out and checks for updates to Computer Associates' eTrust Antivirus software. "I pull up the console, see how many machines are online, and update them as needed," he says. The number of viruses infecting systems has shrunk. "I just know I can sleep better at night because my server is updating in the middle of the night," he says.

The onslaught of spyware fractured some of that hard-won control over potential security holes. Wallace was spending most of his time last fall trying to keep spyware off the PCs that the auto club's 95 employees use. It slowed systems to a crawl and required Wallace and his single IT staffer to wipe machines clean, reload operating systems and applications, and reset user access rights. "The biggest pain was seeing a clean machine that was fine for a month, but then experiencing problems again," he says. During a bad week, the two-person team spent about 40 hours cleaning infected machines.

Since deploying CA's Pest Patrol, Wallace has cut the time he spends on spyware to 15 minutes a week. The software detects and removes spyware, so Wallace no longer has to pull customer-service agents' systems offline to fix problems. The greatest benefit is the impact on operations: fewer outages and fewer people needing to move off their systems while working with customers, Wallace says. Other vendors with spyware-fighting products include InterMute, Microsoft, and Webroot. Symantec also offers anti-spyware software, along with antivirus and anti-spam products.

Staff training and the support of company management are crucial in fighting all these threats, analyst Oltsik says. Employees need to understand what spyware is and how to avoid it. "Users and the help desk should know what to do when a PC gets flaky, and the training should be consistent and related to benefits," he says. "Any of these efforts need to involve the whole company."

Patch Properly
Patch management is moving into the automated era, too. The amount of time an IT security pro spends patching often depends on the number of patches Microsoft issues on the second Tuesday of each month and the impact they have on a business' IT infrastructure.

Patch Tuesday didn't used to be pleasant at OMD, a media buying and planning subsidiary of Omnicom Group Inc., network administrator Ryan Hudson says. "Before, we did patches manually. We'd have to upgrade a critical patch on all 100 servers, and it took more than a week to get to them all," he says. OMD tested patches before deployment, loading them onto a test LAN before installing them on live machines.

Impact of Malicious Code: Virus, Worms, and Trojan Horse Attacks

This executive summary on malware costs and trends is courtesy of research company Computer Economics Inc. and is compiled from its special report, The Impact of Malicious Code Attacks - February 2005 (available as a 65K PDF).

To reduce the time and effort involved in deploying patches, OMD decided to centralize and automate the testing and installation of software fixes. It also wanted to be able to deploy fixes without having to take down systems while the patches were being applied. Earlier this year, the company tested the Altiris Management Suite for Dell Servers, which let it move ahead with many of the patch-management policies it wanted to implement, such as balancing patch-deployment timing among servers so that all departments aren't down at once. Dell sells the Altiris software as part of its systems-management suite and offers a service to help companies test and deploy patches. Many other companies, including Microsoft, sell their own products for patch management.

For Hudson, the new patching policies and technology have made Patch Tuesday much easier. "I don't have to think about patch management now," he says.

Given everything else that security pros do need to think about, that's a welcome relief.

Illustration by Steven Lyons
