Monday, February 12, 2007

IT Faces Networks Without Borders

A job for Dynamic Security

IT Faces Networks Without Borders

Jaikumar Vijayan

February 12, 2007 (Computerworld) SAN FRANCISCO -- As end users at different companies conduct more business with one another via the Web, corporate information security strategies are being turned inside out — literally.

Corporate security managers have spent many years and tens of billions of dollars erecting sophisticated defenses designed to keep intruders out of their networks. But they’re discovering that the network perimeter isn’t what matters so much anymore. Now what’s important is protecting the data within those walls, said security managers at the RSA Conference 2007 here last week.

That realization is being driven, they said, by the accelerating trend among companies to collaborate online with their suppliers, business partners and customers.

The “de-perimeterization” of corporate networks that has resulted from this collaboration is forcing companies to completely rethink some of their entrenched security procedures, said Paul Simmonds, global information security director at Imperial Chemical Industries PLC in London.

Future security strategies will need to focus on the fact that access to corporate data can no longer be contained within traditional network boundaries, Simmonds said. “What’s coming is IP anytime, anyplace, anywhere,” he said, adding that the role of IT security organizations will be to enable that access — not to hinder it.

“In most cases, network security perimeters will disappear,” Simmonds predicted. “It’s a question of how fast, how soon and whether you decide to control it.”

Crossing the Moat

Older “castle and moat” security architectures assumed that a firewall would keep out all intruders, said Deven Bhatt, director of corporate security at Arlington, Va.-based Airlines Reporting Corp., which provides ticket distribution and settlement services to more than 145 air and rail carriers. Increasingly, though, firewalls are becoming “useless,” he added. “Every day, you’re creating more and more openings in the firewall, so it isn’t even a firewall anymore.”

What’s needed now is the ability to more thoroughly authenticate and authorize users on a network and then to monitor all their activities much more closely than before, Bhatt said. For instance, his company has deployed network behavior modeling tools to help it monitor traffic for anomalous behavior.

Dennis Hoffman, vice president of information security at EMC Corp. in Hopkinton, Mass., said companies will have to adopt a three-pronged approach as they seek to implement information-centric security strategies. Hoffman’s mantra: “Maximize access control, minimize the amount of data that leaves your security zone, and encrypt the rest.”

In order to allow authorized users to access information whenever and wherever they want, the authentication of users and computing devices has to become a top priority, said Mike Schutz, a group product manager in Microsoft Corp.’s networking and security unit.

The security of a network typically has been defined by the firewall erected in front of it. Now the focus should be on extending the network boundary as needed by users, said Schutz. “Your laptop, regardless of where you go, should be part of the network,” he said.

Microsoft has attempted to support that approach internally by creating policy-based logical network segments in which all users and devices are authenticated and authorized via a combination of IPsec standards and Active Directory. Schutz said the architecture ensures that users authorized to operate in a particular network segment can do so regardless of where they’re located geographically, while all others are shut out.

Such access is based “not on where I’m standing, but on the trust level of my identity and the security and state of the device,” he said.

A key component of an information-centric security strategy is to first understand where your data is and how it’s used and accessed, said Art Coviello, president of conference organizer RSA Inc., a division of EMC.

“You can’t secure what you can’t manage,” Coviello said at a Q&A session with reporters, adding that combining information management and security capabilities is of “paramount” importance.

“Security has to be built more and more into an information infrastructure for it to be successful,” Coviello said. “It’s no longer enough to take an outside-in approach by building a fortress.”

Some of the changes now being implemented aren’t entirely new, said Lynn Goodendorf, vice president of information privacy protection at the Atlanta-based U.S. subsidiary of InterContinental Hotels Group PLC, which owns hotel brands such as Holiday Inn and Crowne Plaza.

“But there is a new emphasis on [data protection] now because of the maturity of the information security profession,” Goodendorf said. Increasingly, she added, corporate executives are also “starting to think of information as an asset that has some type of financial value to the business.”

Being Smart About Smart Phones

A hidden security challeng you didn't think of...

How can you integrate security for these devices in your network?

Being Smart About Smart Phones

C.J. Kelly

February 12, 2007 (Computerworld) I like to think that not very many things can surprise me. But recently I got a big surprise that seemed to come out of nowhere, and it wasn’t that I had won the lottery.

The IT department let me know that the help desk had been asked to install client software that would allow e-mail to synchronize with upper management’s new smart phones.

Upper management has smart phones? Why didn’t anyone tell me that earlier?

My fault, really. We don’t have a specific security policy for mobile devices. Of course, we hadn’t needed such a policy because this state agency has never been all that mobile. It just goes to show that you can never be too prepared.

Had a policy been in place, we could have avoided what has turned into a security problem that’s hard to fix because upper management has a vested interest. We could have avoided the problem by setting requirements for devices like smart phones that would have satisfied my security concerns. With no policy in place, managers got what was cheap, with no real clue about what the security implications might be.

And what are those implications? For starters, these smart phones require client-side software that hooks into Microsoft Outlook, and for synchronization to occur, it seems that the user’s PC has to be left running with Outlook open.

The list grows from there. E-mail transfers aren’t encrypted. The phones aren’t password-protected. They can’t be managed remotely so that data could be wiped clean if one were lost or stolen.

But the worst thing of all, from my perspective, is that e-mails are cached on the Internet service provider’s servers for up to seven days. That particular feature lets smart-phone owners access their e-mail via the Web.

That’s a big security hole with dubious benefits. I mean, if you can get your e-mail at work or home and you are traveling with a smart phone, why do you need another alternative? We talked to the ISP’s representatives and told them we did not want e-mail cached on their servers. Their answer: “That’s the way it works.” I was striking out.

I told my boss about my concerns, but he said management wanted smart phones. You can’t really argue that point, but I wanted to document the risks we were opening ourselves up to, so that management would know just what was at stake.

Meanwhile, I started to explore the idea of upgrading to phones that would meet my security requirements. Yeah, it could be done — at twice the price. Is this some vendor plot?

What We’ve Got

Our managers are actually using two different models of the Palm Treo, the 650 and the 700p. Of those, the 650 is worse, but neither offers everything I want.

The Treo 650 seems like a good phone for a consumer or a small-business user. You can use it to surf the Web, send photos, read and send e-mail and text messages, and, of course, talk. You can also use it to access your computer remotely, and that gives me the security willies.

Then there’s that client-side software. I wouldn’t object if it were used solely for syncing the device when connected to the computer. But having to keep a computer running to make sure the phone does what it’s supposed to do is a real problem.

The Treo 700p offers more of what we need. Palm says that this smart phone uses a Secure Sockets Layer protocol to synchronize with an Exchange server, which eliminates the need to leave the user’s PC running and provides the necessary encryption.

However, our state e-mail SSL certificate is apparently not compatible with or can’t be added to the phone’s list of acceptable certificates. So the phones can’t connect directly with the state e-mail system. That seems like a problem that could be corrected by the phone vendor, but we aren’t hearing the vendor say it will solve that problem for us.

What’s more, we’ve had nothing but hardware problems with these phones, including spontaneous rebooting and intermittent synchronization.

So, what are the alternatives? Well, Palm’s Web site tells me that the Treo 700w and 700wx “deliver everything you need without compromise.” Ah, great, because I feel as if we’ve compromised our security rather severely with the phones we have. Our IT department tells me that we can get remote management software for these phones. That’s certainly a plus.

Clearly, some smart phones are smarter than others. So are some security managers, I guess, since I’m now scrambling to care of all of this before we have a real security disaster on our hands. It all could have been handled ahead of time with a formal requirements-gathering and then a quick assessment of the best tool that would meet both IT and security needs. That didn’t happen, and now I’m kicking myself.

This is where we stand: I have contacted the ISP’s reps and have let them know that the Treo phones we have don’t meet our technology or security standards. I have asked for a trade-in for the better phones, and I’m hoping we can arrange for a substantial discount. I await their proposal.

Meanwhile, potentially sensitive agency e-mails are sitting on servers somewhere “in the cloud.” You know, this would be a really good time to win the lottery.



What Do You Think? This week’s journal is written by a real security manager, “C.J. Kelly,” whose name and employer have been disguised for obvious reasons. Contact her at mscjkelly@yahoo.com, or join the discussions in our security blogs: computerworld.com/blogs/security. To find a complete archive of our Security Manager’s Journals, go online to computerworld.com/secjournal.

Labels:

County Coroner in Handcuffs - Gave out his password

Dynamic Security could have easily identified that the person logging in was not the coroner, since he or she was in the wrong place at the wrong time, or there were multiple logins.



Trust Isn’t Security

Frank Hayes February 12, 2007 (Computerworld) -- In Lancaster, Pa., last week, the county coroner was brought to court in handcuffs. A grand jury indicted Dr. Gary Kirchner, charging him with giving out his account name and password for a county Web site that contained confidential police 911 information. What kind of information? Names of accident victims and police informants, medical conditions, witness accounts, autopsy reports and not-yet-substantiated accusations. The site was the access point for real-time data generated and used by firefighters, ambulance crews and other emergency responders.

And who did the coroner allegedly give his password to? Newspaper reporters. Now there’s a trusting user.

Wait, it gets scarier. According to the grand jury, the reporters said Kirchner gave them the password because he didn’t want to be bothered with their phone calls asking for details about homicides, fatal accidents and suspicious deaths.

The reporters weren’t charged with illegally accessing the Web site, because they testified under immunity from prosecution. Kirchner has denied the charges against him.

But the grand jury report quotes e-mails and computer forensic evidence that paint an ugly portrait of the coroner (who apparently ignored security policies and gave away his password within weeks of taking office in 2004) and the reporters (who ignored “authorized personnel only” warnings and accessed confidential information hundreds of times over an 18-month period).

And where was IT all this time? Not noticing, mostly. Eventually, an IT staffer checked Web site logs and discovered that the site was accessed more than 50 times in two weeks from computers at a newspaper office. But that was only after one reporter mentioned in a news report that some information came from the Web site, and a reporter from a competing newspaper called the county to find out why he didn’t have access.

That’s when a supervisor realized there had been a security breach, a police investigation began, logs were checked, passwords were changed, and the grand jury went to work.

Until then, everyone apparently assumed that because users were trusted with the information on the emergency 911 Web site, they could be trusted to keep it secure. Now there’s a trusting IT department.

That trust was misplaced. And not just trust in the coroner. After the reporters’ intrusion was discovered, logs were scrutinized more carefully. In 2006, four emergency responders were prosecuted for giving out their passwords, and two other people were arrested for accessing the site.

According to the grand jury report, the results of those password leaks weren’t trivial. In one incident, a 911 caller reported suspicious drug activity in his neighborhood. His name was supposed to be kept confidential. Because of the password leaks, it wasn’t. “That caller’s name was made known on the streets, and the caller was severely beaten in retaliation,” the grand jury report said.

We want to trust our users. We have to trust them, mostly — we can’t afford to watch them every second. And most of them are worthy of that trust.

But some aren’t.

Trusting is nice. It’s sociable. It’s convenient.

Don’t do it.

We have the technology to control network access to confidential information. Beyond passwords, we can limit users’ access with IP address whitelists and blacklists. We can use VPNs. We can scan logs after the fact, looking for IP addresses that don’t belong. We can’t catch every breach, but we likely can discover some accounts that have been compromised — and some users who can’t be trusted.

Yes, that gets ugly and unpleasant. So does what comes after: the why, the how-bad and the what-to-do-now.

But the alternative is a lot uglier. The results could be lost business and exposed customer information.

Or — as they’re learning in Lancaster — assaults and handcuffs. Frank Hayes, Computerworld’s senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.


Labels: , , ,

Made4biz Security Translating real-world security knowhow into state of the art security systems.
Made4biz Security

Turn on Sound for Demos:
Bill Gates Demo (Location-based)
Elvis Demo (Location/Context-based)
Clint Eastwood Demo (Temporal-based)

Powered by Blogger

Subscribe to
Posts [Atom]

Technorati Profile

RSS Syndication

Made4Biz Security Inc