CIO March 15 2007


Page 2: CIO March 15 2007

From the Editor

To Protect and Serve

A siege mentality hardly helps to keep the faith.

It’s interesting that I’ve been reading a few blog posts by Dr. Andrew P. McAfee, Associate Professor of Business Administration at Harvard Business School, around the time that we’re carrying Ben Worthen’s feature on how CIOs can deal with IT-savvy users who are ‘subverting’ well-ordered enterprises by their use of tools like instant messaging and wikis (page 30).

Dr. McAfee, who teaches the MBA course ‘Managing in the Information Age’, is an active proponent of what he’s dubbed ‘Enterprise 2.0’ and is convinced that users (in other words, your colleagues and employees) are going to plump for tools of collaboration that are easy to use and make sense to them rather than the tools the enterprise and you have on offer at present.

A CIO I mentioned this to was horrified about such a situation. His biggest concerns were about security and data confidentiality. He, unlike Dr. McAfee, was sure that allowing users to indulge in open-ended tools like desktop search would render the entire system unstable. “And, the less said about the impact on compliance the better,” he added.

I’d like to differ. As my friends in the CIO community keep telling me, security is more about processes and people than technology. Business users have been able to communicate using phones and faxes and email, and even instant messaging (where allowed), for quite some time. So, going by the objections of the CIO I was speaking to, most organizations must be clean out of business by now, with all their secrets up for grabs. Since that is not the case, I think for the most part users can be trusted not to abuse tools (especially if they’re easy and fun to use and improve productivity).

Dr. McAfee suggests an interesting thought experiment. “Imagine two competitors, one of which has the guiding principle ‘keep security risks and discoverability to a minimum’, the other of which is guided by the rule ‘make it as easy as possible for people to collaborate and access each other’s expertise’. Both put in technology infrastructures appropriate for their guiding principles. Take all IT, legal, and leak-related costs into account. Which of these two comes out ahead over time?”

Which one would you bet on? Write in and let me know.

Giving users tools of collaboration that are fun to use will rarely threaten an organization’s security.

Vijay Ramachandran, Editor
[email protected]

Page 3: CIO March 15 2007

Contents

Features

40 | 5 Ways Google is Shaking the Security World
Whether you’re charged with preventing hacks, protecting assets, stopping fraud or defending trademarks, Google and other search engines present a new mix of risks for everybody in the security game. Feature by Sarah D. Scalet

48 | Homing in on the Storm
Security practices, rather than mere tools, form a more holistic method of managing compliance issues. Here are seven best practices for network security. Feature by Gary S. Miliefsky

58 | Ideas You Can Steal from Six Sigma
The approach of measuring process improvement and taking the defects out can be invaluable to the security discipline. Feature by Tracy Mayor

Cover Story

30 | Users Who Know Too Much (and the CIOs Who Fear Them)
A new IT department is being born. You don’t control it. You may not even be aware of it. But your users are, and figuring out how to work with it will be the key to your future and your company’s success. Feature by Ben Worthen

Cover: Imaging by Binesh Sreedharan

Page 4: CIO March 15 2007

Contents (cont.)

Departments

Trendlines | 17
Data Centers | Security Up in Smoke
Government | FBI Loses Fewer Assets
Hotlines | SOS on Call
Threat Watch | Watch Out for PHP Holes
Spam | Here Comes Image Spam
Malware | Bad Guys in New Guises
Business Continuity | Pandemic Gets Tele-calling
Anti-virus | Catching Speedy Worms

Peer to Peer | 22
Avoid a Meltdown: Reacting to a Security Breach
How your company handles a data breach can make the difference between survival and extinction. Column by James Christiansen

Leadership | 27
Virtually Secure?
Virtual machines have a lot to offer CISOs and security researchers alike. And, unfortunately, hackers too. Column by Simson Garfinkel

From the Editor | 8
To Serve and Protect | A siege mentality hardly helps to keep the faith. By Vijay Ramachandran

Essential Technology | 68
Security | IT Security Gets Physical. By Paul F. Roberts
Information Security | Security’s Real Value. By Richard Starnes

Endlines | 74
The Devil’s Infosec Dictionary 2.0

Inbox | 16

Now Online
For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy IT strategically. Go to www.cio.in

Page 5: CIO March 15 2007

Management
President: N. Bringi Dev
COO: Louis D’Mello

Editorial
Editor: Vijay Ramachandran
Assistant Editor: Harichandan Arakali
Special Correspondent: Balaji Narasimhan
Senior Correspondent: Gunjan Trivedi
Chief Copy Editor: Kunal N. Talgeri
Copy Editor: Sunil Shah

Design & Production
Creative Director: Jayan K. Narayanan
Designers: Binesh Sreedharan; Vikas Kapoor; Anil V.K.; Jinan K. Vijayan; Sani Mani; Unnikrishnan A.V.; Girish A.V.; Vishwanath Vanjire; MM Shanith; Anil T; PC Anoop; Jithesh C.C.
Photography: Srivatsa Shandilya
Production: T.K. Karunakaran; T.K. Jayadeep

Marketing and Sales
General Manager, Sales: Naveen Chand Singh
Brand Manager: Alok Anand
Marketing: Siddharth Singh
Bangalore: Mahantesh Godi; Santosh Malleswara; Ashish Kumar; Kishore Venkat
Delhi: Nitin Walia; Aveek Bhose; Neeraj Puri; Anandram B
Mumbai: Parul Singh; Chetan T. Rai; Rishi Kapoor
Japan: Tomoko Fujikawa
USA: Larry Arthur; Jo Ben-Atar
Singapore: Michael Mullaney
UK: Shane Hannam

Events
General Manager: Rupesh Sreedharan
Manager: Chetan Acharya

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by N Bringi Dev on behalf of IDG Media Private Limited, 10th Floor, Vayudooth Chambers, 15–16, Mahatma Gandhi Road, Bangalore 560 001, India. Editor: Vijay Ramachandran. Printed at Rajhans Enterprises, No. 134, 4th Main Road, Industrial Town, Rajajinagar, Bangalore 560 044, India.

Advisory Board
Anil Nadkarni, Head IT, Thomas Cook, [email protected]
Arindam Bose, Head IT, LG Electronics India, [email protected]
Arun Gupta, Director – Philips Global Infrastructure Services
Arvind Tawde, VP & CIO, Mahindra & Mahindra, [email protected]
Ashish Kumar Chauhan, President & CIO - IT Applications at Reliance Industries
M.D. Agarwal, Chief Manager – IT, BPCL, [email protected]
Mani Mulki, VP - IS, Godrej Consumer Products Ltd, [email protected]
Manish Choksi, VP - IT, Asian Paints, [email protected]
Neel Ratan, Executive Director – Business Solutions, PricewaterhouseCoopers, [email protected]
Rajesh Uppal, General Manager – IT, Maruti Udyog, [email protected]
Prof. R.T. Krishnan, Professor, IIM-Bangalore, [email protected]
S.B. Patankar, Director - IS, Bombay Stock Exchange, [email protected]
S. Gopalakrishnan, COO & Head Technology, Infosys Technologies, s_gopalakrishnan @cio.in
S.R. Balasubramanian, Sr. VP, ISG Novasoft, sr_balasubra [email protected]
Prof. S. Sadagopan, Director, IIIT - Bangalore, [email protected]
Sanjay Sharma, Corporate Head Technology Officer, IDBI, [email protected]
Dr. Sridhar Mitta, Managing Director & CTO, e4e Labs, [email protected]
Sunil Gujral, Former VP - Technologies, Wipro Spectramind, [email protected]
Unnikrishnan T.M., CTO, Shopper’s Stop Ltd, [email protected]
V. Balakrishnan, CIO, Polaris Software Ltd., [email protected]

Advertiser Index
Avaya 4 & 5; Canon 75; Ech Enn 29; Emerson 13; GE 9; HID 33; HP 2, 3, 25 & 35; IBM Road block & Custom Publishing; Inflow 37; Intel 19; Interface 51; Krone 11; Lenovo 76; Microsoft RGF; MRO-TEK 23; Sify 65; Symantec 15; Trend Micro 63; Wipro 6 & 7

Page 6: CIO March 15 2007

Inbox

Good Scope
The cover story Stretch Your Budget (March 1, 2007) covered an impressive amount of ground with areas like information and data security, enterprise risk, optimizing profit, free funds, SOA, investment in skill and virtualization. I think CIOs should expand the scope of their use of technology by exploring emerging technologies outside the boundary of business. Returns on spending are more likely to convince management to continue to invest in successful IT initiatives.
Vivek Dharia
CIO, KNP SEC

Follow the Leader
It was a pleasure to read the ‘Ones to Watch’ issue (January 15, 2007). Whatever a CIO might be doing today, it is important for him to develop an able successor. As the features pointed out, delegation can be a healthy approach to do so, because it prevents a perception, organizationally, that only one person is driving the IT organization, or even business for that matter. Team involvement is crucial.

Overall, CIO continues to maintain its standard – editorially and from a production viewpoint. However, I would like to see the magazine focus on one industry per issue every now and then for putting the strides taken by corporates in India in perspective.

For instance, the progress made by an Indian player in the BFSI sector can be put in perspective by pairing it with its multi-national counterparts. If CIO does this in one whole issue, it’ll make for comprehensive coverage.
Atul Kumar
CIO, Syndicate Bank

New Ground
Thank you for sending across the CIO Black Book on Security. I am currently going through all the articles, and would like to write to you on these articles shortly. I would, however, like to put across one point here, which is based on Windows Active Directory security.

I feel that securing the active directory takes care of some of the basic issues on information security and leaves you with enough resources for the ‘strategic security’ initiatives.

Can we get an article on any Indian case study of securing the Microsoft Active Directory?
Sandeep Kumar Singh, CISA
Deputy Manager (Information Systems)
Indian Oil Corporation - Pipelines Division

It was very thoughtful of you to courier the Security Black Book that was released during the CIO Focus Security event. Needless to say, the event was organized with appreciable efficiency and aplomb.

Last, but not the least, the current Security Black Book has maintained the quality standards that were set when the first issue was released last year. It is adequately sized with brief, concise and relevant articles that keep the reader sufficiently enthralled to finish it in one go.
Satish Warrier
GM-Information Security
Corporate Audit & Assurance, Godrej Industries

24X7 Security
The second edition of CIO Focus Security in Mumbai was very well-organized. It was a pleasure to attend it and meet peers from the industry. Such events serve as a fine platform to discuss and exchange views with fellow IT heads on subjects such as the most recent one: Strategic or Tactical Information Security.

There were a plethora of views on that day and, if you ask me, I feel that a continually secured system that is aligned with processes and policies leads to a secure enterprise. It also goes a long way towards ensuring compliance at all times. I look forward to reading more on the subject, and to events such as this in future.
V. Subramaniam
CIO, Otis Elevators

“Whatever a CIO might be doing today, it is important for him to develop an able successor. It prevents the perception that only one person is driving the IT organization.”

Reader Feedback
What Do You Think?
We welcome your feedback on our articles, apart from your thoughts and suggestions. Write in to [email protected]. Letters may be edited for length or clarity.

Page 7: CIO March 15 2007

Trendlines | new * hot * unexpected

Data Centers | Security Up in Smoke

Where there’s smoke, there’s a door. A UK security company believes that smokers may impact IT security, leaving open doors that could let in intruders who could abuse a company’s network.

It may sound slightly far-fetched. But a penetration tester from NTA Monitor, a company based in England, gained access to a professional services company outside London in that fashion, says Roy Hills, technical director.

The company hired NTA to test if it was possible to get inside the premises without proper identification, says Hills. The penetration tester waited until the smokers finished their break, then slipped in through the unlocked door, which wasn’t the main one but was publicly accessible.

The tester — who skirted past other employees by saying the IT department had sent him — made his way to a meeting room, where he hooked up his laptop to the company’s VoIP (voice over Internet protocol) network, according to Hills. The tester could have launched a denial-of-service attack or intercepted phone calls.

However, the VoIP network was segregated from the company’s data network, a wise precaution IT managers can take, notes Hills. “It’s much more dangerous if you can get on to the data network, copy data and be gone,” he adds.

Regulations that create smoke-free buildings or zones in some areas of the US and Europe have driven smokers outside. In the UK, a ban on smoking in buildings and facilities used by the public will come into effect in April in Wales and Northern Ireland, and in July in England. Scotland banned public smoking in March 2006. The ban includes smoking at train stations, restaurants and pubs, among other places.

— By Jeremy Kirk

Government | The FBI Loses Assets — Fewer Than Before

The FBI is losing fewer laptops — and weapons — these days than it used to, but the criminal justice organization still needs better controls in place to protect its assets, including potentially sensitive data.

A report issued this month by the US Department of Justice Office of the Inspector General Audit Division follows up on a 2002 report, in which the FBI was found to have lost or had stolen 354 weapons and 317 laptops over a 28-month period (October 1999 to January 2002). The new report found that 160 laptops and 160 weapons had been lost or stolen during a 44-month period between February 2002 and September 2005.

The number of laptops lost fell from 10.7 a month during the first study to 2.6 in the second. The laptops carried everything from software for creating ID badges to the system security plan for an access control system.

“We recognize that in an organization the size of the FBI, some weapons and laptops will inevitably be stolen or go missing,” the report states. “However, it is important that the FBI take appropriate steps to minimize these losses. When losses occur, the FBI must report the loss on time, be able to identify the contents of lost laptops, and determine whether the laptop is encrypted.”

The auditors found that the FBI had not followed through thoroughly enough on several recommendations from the earlier report. “Perhaps most troubling, the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information.”

The new report includes 13 recommendations for the FBI to clean up its asset oversight.

— By Team Network World

Illustration by Anil T

Page 8: CIO March 15 2007

Hotlines | SOS on Call

A report analyzing more than 180,000 hotline calls collected from 550 organizations found that in a majority of cases — 65 percent — the callers reported information that warranted an investigation. The ensuing investigations resulted in an organization taking corrective action 46 percent of the time, with outcomes that included firing, disciplining or suspending workers who violated company policies. The 2006 Corporate Governance and Compliance Hotline Benchmarking report was prepared by The Network, a hotline and employee communications system provider, using anonymized data from its clients between 2002 and 2005. The CSO Executive Council, a professional organization for security executives, performed analysis on the data with help from the Association of Certified Fraud Examiners.

The report includes some findings within vertical industries. For example, retail employees are more likely than workers in other sectors to call a hotline. Such findings could be used by CSOs to evaluate their own company’s experience, says Bob Hayes, managing director of the CSO Executive Council. Hayes believes this is the first such compilation in the three decades since whistle-blower hotlines were deployed. The researchers plan to produce another report this year incorporating the results of 2006.

Other findings from the study:
- Seventy-one percent of reports to hotlines shared information that was news to management.
- Callers reporting allegations of corruption and fraud were less likely to remain anonymous than callers reporting other kinds of incidents, such as concern about health, safety and the environment.
- Thirty-nine percent of callers learned of the hotline by seeing a sign about it.

— By Michael Goldberg

Threat Watch | Watch Out for PHP Holes

In the first half of 2006, desktop filtering software maker Websense counted a 100 percent rise in websites that contained code potentially harmful to visitors. The company declined to reveal how many websites it tallied, but it did say that 40 percent of the sites were hacked. Of the hacked websites, 91 percent were commissioned to install Trojan horses that take control of visiting computers to turn them into bots — to relay spam, wage denial-of-service attacks or carry out ID theft schemes — or use them as bases for spreading malicious programs such as worms and keyloggers inside the enterprise.

Ben Butler, network abuse manager at GoDaddy.com, a website domain seller and hosting company, says he believes that 50 percent to 60 percent of those successful hacks involve some form of poorly written Web application developed in an easy-to-use, popular hypertext development language called PHP (PHP Hypertext Preprocessor).

“PHP is an extremely hacked application type because it allows server-side scripts to happen on a website. This script is communicating back to the server, and that pathway can be hacked,” says Butler, who bases his opinion on the hundreds of investigations GoDaddy opens each week into hacked and abusive websites.

At the end of 2006, 2,100 PHP-related vulnerabilities existed in IBM Internet Security Systems’ database of 30,000 known vulnerabilities. Of all Web development languages, PHP is most widely used because of its ease, says Chris Shiflett, who runs the PHP Security Consortium.

And with ease of use come vulnerabilities, says Bill Boni, corporate VP of IS and protection at Motorola. Boni says that when you have lots of inexperienced people working with an easy-to-use Web development application, it leads to insecure code. He added that even experienced developers, under tight deadlines, can create Web applications that are vulnerable to common Web attacks.

What to do

1. Web application filters are a good first step to protecting your Web applications from malicious tampering, but they don’t catch everything. Boni strongly recommends ongoing training in coding best practices for all Web developers regardless of the development language they use. “Code reviews, application-level security scanning and rigorous security testing against your Web applications are all essential,” he adds.

2. Keep your browsers patched and updated, since the malicious code gets in through vulnerabilities in the browser, says Chris Shiflett. “If you can, get onto a less used or less targeted browser, a really solid and mature browser like Opera or Firefox,” he says.

— By Deb Radcliff

Illustration by PC Anoop

Page 9: CIO March 15 2007

Spam | Here Comes Image Spam

Image spam — e-mail solicitations that use graphical images of text — is not new. But its rising sophistication has made much of it invisible to spam filters so that it makes up one-third of all spam, according to Doug Bowers, director of anti-abuse engineering at Symantec. Researchers from anti-spam company BorderWare expect image spam to grow.

Some spam filters try to recognize letters inside pictures using optical character recognition (OCR) technology. But the spammers outsmart OCR. They use unusual fonts or put noise in the picture (added color, gaps in letters that the eye overcomes). The latest image spam uses tactics like word salads (nonsensical quotes from literature) as well as animated and layered GIF images that divide a message into several images layered on top of each other. Some have even gone old-school and removed links to click on, and instead instruct users to type a link into their browser, since many filters refer to blacklists of known malicious links.

What’s more, the image spam problem is getting mashed up with botnets. Bots distribute most spam, but the botnets are also being programmed to take one spam message and alter the image (by changing the size, shape, colors and other attributes) so that it’s still readable but looks different to the filters.

Worst of all, says Andrew Graydon, CTO of BorderWare, image spam files are twice the size of previous spam messages, a network bandwidth and storage headache for companies.

Some companies have started to update their spam filter engines, but companies should have no illusions about such reactive measures controlling the problem. New fronts in the fight — new spam delivery methods, like Google alert feeds and audio and video formats — are ahead.

What to do:
- Invest in technology. It costs money for software and infrastructure, and your choices may be limited.
- Take draconian measures with e-mail policy. Consider blocking all attachments, for example.
- Lobby for anti-spam policies in government and industry. Urge them to employ techniques, such as e-mail postage, to reduce spam.

— By Scott Berinato

Illustration by PC Anoop

Malware | Bad Guys in New Guises

Attackers have raised their game markedly in the past three months. Here are some recent developments:

Advanced phishing. In the parry and thrust of phishing, one particular e-mail, sent to bank employees, showed the level of social engineering sophistication: it pretended to be from a journalist researching a news story about a data leak at that bank, and addressed the recipient by first name.

The e-mail provided what appeared to be a link to the ‘Central News’ story — a URL that included the bank’s name in its characters. At one bank, hundreds of employees received the e-mail. The CSO at that bank eventually determined that clicking on the link connected to a website in China and installed a keylogger on the machine that accessed the link. The targeted attack sought to acquire employee passwords and account information, which the bot would deliver to the attacker.

IM as distribution network. Chris Boyd, director (malware research) of FaceTime Communications, came across a botnet that enabled an attacker to insert a link into an IM conversation that installed a bot on that computer. It appeared that the compromised computer then would become part of a spam distribution botnet. Boyd believes that the attackers were still developing the botnet’s capabilities to go far beyond that.

Mastering IM as a malware distribution engine concerns Boyd and others, because once attackers can insert links, it’s hard to stop them. For example, even if the IM network blocks certain IP addresses and link hosts from getting on its network, “it takes five minutes to change the link,” Boyd says.

The specter of CSRF. Cross-site request forgery, or CSRF, is when an attacker loads a URL for, say, an online banking site into a page he controls. If a user visited the bank site but didn’t log out and then went to the site the hacker controls, she would still be logged in to the banking session, a cookie would authenticate her, and the URL that the hacker injected into the site would continue the banking session. A test example of CSRF was used to add movies to people’s Netflix queues without their knowledge.

— By Scott Berinato
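The banking scenario in the CSRF item above, as an added example that is not part of the article: a small Python model of a transfer endpoint shows that a check based only on the session cookie accepts the request an attacker's page triggered (the browser attaches the cookie regardless of which page made the request), while requiring a per-session token that only the bank's own page can embed rejects it. The site name, user, amounts and field names are constructed.

```python
"""Why the session cookie alone cannot stop CSRF, and how a per-session token does.

Added example (constructed, not from the article or any real bank): a tiny model
of a POST /transfer endpoint and two requests carrying the same session cookie,
one submitted from the bank's own form and one forged by another site.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass
class Request:
    """Constructed model of a browser POST: the cookies it attached and the form body."""
    cookies: Dict[str, str]
    form: Dict[str, str]


class Bank:
    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, str]] = {}   # session id -> {user, csrf}
        self.balances: Dict[str, int] = {}

    def login(self, user: str, balance: int) -> str:
        """Create a session; the returned id is what the browser stores as the cookie."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
        self.balances[user] = balance
        return sid

    def render_transfer_form(self, sid: str) -> Dict[str, str]:
        """Hidden field the bank's own page embeds; another origin cannot read it."""
        return {"csrf_token": self.sessions[sid]["csrf"]}

    def transfer(self, req: Request, require_token: bool) -> str:
        sess = self.sessions.get(req.cookies.get("session", ""))
        if sess is None:
            return "rejected: not logged in"
        if require_token:
            supplied = req.form.get("csrf_token", "")
            # Constant-time comparison of the submitted token against the session's token.
            if not hmac.compare_digest(supplied.encode(), sess["csrf"].encode()):
                return "rejected: missing or invalid CSRF token"
        amount = int(req.form["amount"])
        self.balances[sess["user"]] -= amount
        return f"accepted: moved {amount} to {req.form['to']}"


def scenario(require_token: bool) -> Dict[str, str]:
    """Replay the article's scenario with and without token checking.

    Returns the outcome of the legitimate and the forged request plus the final balance.
    """
    bank = Bank()
    sid = bank.login("alice", 1000)
    # Legitimate: submitted from the bank's page, so the hidden token travels with it.
    legit = Request(cookies={"session": sid},
                    form={"to": "rent", "amount": "100", **bank.render_transfer_form(sid)})
    # Forged: the other site knows the URL and field names but not the token;
    # Alice's browser still attaches her session cookie.
    forged = Request(cookies={"session": sid},
                     form={"to": "someone-else", "amount": "900"})
    return {"legitimate": bank.transfer(legit, require_token),
            "forged": bank.transfer(forged, require_token),
            "balance": str(bank.balances["alice"])}


if __name__ == "__main__":
    print("cookie only:", scenario(require_token=False))
    print("with token: ", scenario(require_token=True))
```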


Page 10: CIO March 15 2007


Anti-virus | Speeding Worms to be Caught

US researchers have come up with a technique that claims to be able to stop Internet worms within milliseconds of an outbreak.

The Proactive Worm Containment (PWC) system, as its inventors at Penn State University call it, uses no signatures to identify an attack. Instead, it relies on the frequency of connections at a packet level, and analyses the number of connections this traffic is making to other networks.

This is said to counter one of the biggest issues in worm defense, namely that they spread at incredible speed before they can be stopped. By the time security systems have recovered, the damage is often done.

To avoid the danger of false positives, the system uses what appear to be algorithmic techniques to double-check the initial diagnosis. Any host identified as spreading a worm is disconnected from the node to which it is attempting to connect and spread its payload. Taken across networks as a whole, this could at least slow down the spread of a particular worm, so that defenses can be hardened.

“A lot of worms need to spread quickly in order to do the most damage. So, our software looks for anomalies in the rate and diversity of connection requests going out of hosts,” says Peng Liu, the leader of the research team at the University.

Liu admits the technique, which is to be patented, cannot stop the movement of slow-spreading worms, though these might be reckoned to be less hazardous.

Penn State’s PWC isn't the first anti-worm system out there. IBM also has its ‘Billy Goat’, which creates a series of virtual servers in order to detect and isolate network traffic anomalies, including DDoS attacks and worms.

In the last two years, the threat of Internet worms has receded as criminals focused on more profitable forms of malware. An increasing number of worms spread through specific channels, like last year’s Javascript-based Yamanner that affected Yahoo.

— By John E. Dunn

Illustration by MM Shanith
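The rate-and-diversity idea Liu describes, as an added example (not the Penn State PWC code): a host is flagged only when its outbound connection attempts per window and its distinct destinations per window both exceed thresholds, and only after the anomaly persists for a second window, the kind of double-check the item mentions. A busy but normal host and a slow spreader are left alone, matching Liu's caveat about slow-spreading worms. Window size, thresholds and the sample traffic are constructed.

```python
"""Rate-and-diversity anomaly detection for outbound connection attempts.

Added example, not the Penn State PWC implementation: it models the idea the
article describes (no signatures; flag hosts whose outbound connection attempts
are both fast and spread across many distinct destinations, and double-check
before acting). Window size, thresholds and the sample traffic are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One outbound connection attempt: (time in seconds, source host, destination IP)
Conn = Tuple[float, str, str]

WINDOW_S = 1.0             # observation window length (assumed)
RATE_THRESHOLD = 20        # attempts per window that count as "fast" (assumed)
DIVERSITY_THRESHOLD = 15   # distinct destinations per window that count as "spreading" (assumed)
CONFIRM_WINDOWS = 2        # consecutive anomalous windows required before containment


def window_stats(conns: List[Conn], window_s: float = WINDOW_S) -> Dict[str, Dict[int, Tuple[int, int]]]:
    """Per source host and window index: (attempt count, distinct destination count)."""
    counts: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    dests: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for t, src, dst in conns:
        w = int(t // window_s)
        counts[src][w] += 1
        dests[src][w].add(dst)
    return {src: {w: (counts[src][w], len(dests[src][w])) for w in counts[src]}
            for src in counts}


def is_anomalous(count: int, distinct: int) -> bool:
    """A window is suspicious only when BOTH rate and diversity are high:
    a busy host talking to a handful of servers is not a worm."""
    return count >= RATE_THRESHOLD and distinct >= DIVERSITY_THRESHOLD


def hosts_to_contain(conns: List[Conn]) -> List[str]:
    """Hosts anomalous in CONFIRM_WINDOWS consecutive windows (the double-check).
    A quiet window, including one with no traffic at all, resets the streak."""
    flagged = []
    for src, per_window in window_stats(conns).items():
        streak = 0
        for w in range(min(per_window), max(per_window) + 1):
            count, distinct = per_window.get(w, (0, 0))
            streak = streak + 1 if is_anomalous(count, distinct) else 0
            if streak >= CONFIRM_WINDOWS:
                flagged.append(src)
                break
    return sorted(flagged)


def constructed_traffic() -> List[Conn]:
    """Constructed sample traffic: a busy but normal host, a fast scanner, a slow scanner."""
    conns: List[Conn] = []
    # 10.0.0.5: file server, 30 connections/s for 3 s, always to the same 3 peers
    for i in range(90):
        conns.append((i / 30, "10.0.0.5", f"10.0.0.{10 + i % 3}"))
    # 10.0.0.7: 40 connections/s for 3 s, each to a new address (fast-worm pattern)
    for i in range(120):
        conns.append((i / 40, "10.0.0.7", f"192.168.0.{i}"))
    # 10.0.0.9: one new address every 2 s for 60 s (slow spreader; stays under thresholds)
    for i in range(30):
        conns.append((i * 2.0, "10.0.0.9", f"172.16.0.{i}"))
    return conns


if __name__ == "__main__":
    traffic = constructed_traffic()
    for host, per_window in sorted(window_stats(traffic).items()):
        print(host, dict(sorted(per_window.items())))
    print("contain:", hosts_to_contain(traffic))
```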

Pandemic Gets Tele-calling B u S i n e S S C o n t i n u i t y Many companies and government agencies are counting on teleworkers to keep operations running in the event of an influenza pandemic. But those plans may quickly fall apart as millions of people turn to the Internet for news and entertainment, potentially choking online traffic.

A surge in usage could certainly prompt moves to restrict or prioritize traffic, such as blocking video transmissions, according prioritize traffic, such as blocking video transmissions, according to business continuity planners at a recent pandemic forum.to business continuity planners at a recent pandemic forum.

Users likely would be asked to restrict high-bandwidth transmissions, the planners said. And if that didn’t work, they warned, government action might well follow. “Is there a need for a youTube during a national emergency?” asked youTube during a national emergency?” asked yJohn Thomas, VP of enterprise systems at a large New york-york-ybased financial institution.

Businesses and government agencies could cope with traffic surges on their networks by using redundant communications systems and techniques such as diverse routing. But that might not help teleworkers or customers and business partners trying to access systems remotely.

“I think it’s definitely the most vulnerable part of the equation,” said Bernard O’Neill, VP and chief network officer at Prudential Financial in Newark, New Jersey.

Companies with an eye on the bottom line may balk at paying Companies with an eye on the bottom line may balk at paying telecommunications service providers for dedicated lines and telecommunications service providers for dedicated lines and other business-class capabilities in preparation for a problem that may never occur. But, waiting could be a risky strategy. For that may never occur. But, waiting could be a risky strategy. For instance, if the World Health Organization raises its pandemic threat alert from the current level of Stage 3 on its six-stage scale, demand for backup communications services could outstrip vendors’ ability to provide them, said forum participants.

For pandemic planners, nothing can be taken for granted. Elizabeth Byrnes, a continuity planner at AT&T, was asked how the telecom company would handle a hurricane or another secondary problem if one were to occur during a pandemic.

Byrnes said AT&T would be able to meet its customer service-level agreements in a pandemic, but acknowledged that there are unknowns. For instance, the company has identified critical employees who would be asked to come to office during a pandemic. But there’s no way of knowing in advance how people will react. “Will they come in? I don’t know,” Byrnes said.

A pandemic could also threaten the Internet and corporate networks in other ways. George Johnson, founder and CTO at The ESP Group, an application service provider in Arlington, Virginia, said that increased numbers of teleworkers may expose networks to security risks. “If you’re going to ask people to work from their home computer,” Johnson said, “how reliable is that?”

— By Patrick Thibodeau


REAL CIO WORLD | March 15, 2007 | Vol/2 | Issue/09

Avoid a Meltdown: Reacting to a Security Breach

How your company handles a data breach can make the difference between survival and extinction.

Over the past year we have seen many examples of breach notifications that affect hundreds to crores of victims. Studying the business impact of post-breach processes, we see that the way an organization reacts to a breach can make the difference between a minor financial impact and a complete corporate meltdown.

Given the potential financial losses and other substantial impacts that can cost well into the crores of rupees, an investment in preparedness can really pay dividends regardless of when — if ever — an event does occur.

Looked at from the opposite perspective: “A firm’s failure to communicate effectively after an emergency strikes can be more destructive than the emergency itself,” as Richard Bierck says in an article for Harvard Management Communication Letter.

Remember the 1982 Tylenol case in the US in which capsules of the famous painkiller were tampered with? It is one of the most important business cases in managing brand image. After a breach in the Tylenol packaging (and poison in the bottles), Johnson & Johnson took complete responsibility. It remedied the situation with decisiveness, leadership and effective communication. Tylenol as a brand survived the incident and continues its brand leadership where other brands and companies with less foresight might not have. The real costs in any security breach are in the long-term financial impact and productivity reduction, not the immediate remediation costs. Long after the event, the effects will be felt in increased oversight by regulators, clients and business partners. Whether that additional scrutiny reveals an effectively-managed organization deserving of the continued trust of stakeholders is entirely in the hands of top management in the moments following a major emergency.

Illustration by MM Shanith

What a Breach Can Cost

To understand the true cost of a security event, you need to look not only at the reaction of the consumers involved (if you are facing a breach of consumer or cardholder data), but also at the reaction of your business partners and clients. How many of your clients will switch to a new provider? Some of the consumers you might lose are the same people who go to work everyday in the procurement departments of your business clients. Do not underestimate the potential cascading effect of the loss of faith in your company because of a major consumer breach.

And yet, the impact of a major consumer data breach may be more muted on your corporate relationships than on your consumer relationships. It can take a year or more to move business from one company to another, given contract restrictions, partner sourcing (e.g., RFPs) and the ability to find similar products for a competitive price. The old saying “time heals all” enters into the equation. In many cases, moving to a new provider is a more emotional decision for individuals than it is for large companies. “I am taking my business elsewhere!” for a person may be expressed by a company as, “Let’s see how they react before we incur the cost of moving our business with them.” So even though the people who make decisions in corporations are also consumers, the inherent delays and costs in the ability to shift the relationship will lower the percentage of companies that actually switch providers.

But how many lost ‘strategic accounts’ does it take to outweigh the simple remediation costs to close the immediate source of the breach? This emphasizes the importance of the immediate public reaction your company mounts — the one you meticulously planned before the breach took place.

Other serious but less obvious costs may result from a breach handled poorly. Your company may get sued by people or companies who claim (often in media-covered statements and press conferences) that you were negligent — that you knew or should have known this could happen and failed to take adequate precautions. These lawsuits will be costly and time-consuming to defend and, in many cases, will lead to settlement payments. The regulators who oversee your business may find that you must take certain costly steps to double-check and triple-check that such a breach will never happen at your organization again. Regulatory sanctions may include fines in the crores of rupees as well as regular review by independent auditors of your program of protections. Recently, one such penalty entailed biennial reviews over a 20-year period.

Internally, you may need to hire a new chief privacy officer and staff other positions dedicated to bringing about a proper level of controls. And the overhead, in terms of the productivity of professional IT staff devoted to integrating controls into your operations, is likely to be substantial. Many of these costs and impacts are uninsurable. Any way you look at it, your breach is going to cost you a lot. But does it have to cost you the company?

What is an MIRT?

Establishing a management incident response team (MIRT) is key to making a difference. The MIRT is sometimes called the crisis response team and is very different from the commonly understood cyber incident response team (CIRT). The CIRT is focused on identifying: what happened? How did it happen? What damage has been done? And how do we prevent it from happening again? The primary task of the MIRT is to take the information from the CIRT and begin the process of managing the event from the perspective of the critical stakeholders.

The MIRT is a cross-functional team consisting of the CISO/CSO, chief privacy officer, general counsel, chief compliance officer, business line presidents and public relations (or functional equivalents). The primary role of the team is to first ensure that accurate and complete data is gathered concerning the incident (when, where, what) and to determine the appropriate parties that must be notified both under the law and consistent with corporate values. (Many organizations will decide to go beyond the legal or contractual requirements to protect the clients and consumers.) The MIRT also gets regular reports from the CIRT about necessary remediation and may set corporate funding and capital spending priorities on specific remediation initiatives.

But the MIRT’s primary role involves communicating to its stakeholders in a highly targeted manner. The goal of this communication is essentially to uphold and serve the relationships that have been built up over the years in the face of the breach incident and assure key stakeholder groups that your organization understands how the breach affects them and what you intend to do about it.

Step by Step

Start by developing realistic scenarios that could possibly occur sometime in the future. A small number of different scenarios that deal with possible events such as external fraud, a malicious insider, a technology hack, lost media, data center disaster and an external security breach is a good start.

The next step is to create a high-level set of tasks that must be accomplished in each scenario. For example, notify the MIRT of the incident (this task is usually assigned to the CIRT, members of which may also be part of the MIRT). Other examples include gathering facts of the incident, determining who should be notified, and creating the notification letters and notices. Given that the members of the MIRT are leaders in your organization, a detailed task plan is not necessary or appropriate. But a list of tasks in the form of a RACI (responsible, accountable, consulted and informed) chart can be very effective. Compile a reading file for members of the MIRT consisting of studies and thoughtful news stories covering similar events in your industry and elsewhere. Don’t forget developing markets where your firm is just getting established; different cultures may require a different communications approach. This background material may contain video clips of broadcast news interviews and/or testimony that others have given in the aftermath of incidents.

It will be interesting when you discuss with your MIRT the question of the notification letters. Who writes the notification? Who will be consulted, and who will approve the letter for distribution? But if you want to see the group head for the hills, ask the question, “Who will sign the letter?” Should it be the chief privacy officer? Should it be the business line president or should it be the chief security officer? Most likely, it will be whoever missed the meeting when it was decided.

During the excitement of an event, time is important. Decisions must be made promptly about what to say publicly, and what to say to key business clients, employees, city leaders, and so on. These decisions often may require detailed consultations with subject matter experts and senior managers in charge of legal, public relations, insurance or governmental affairs, etcetera. Making as many of these decisions as possible in advance is required not only to meet your own team goals, but also to meet any regulatory requirements.

Communication Is the Key

As part of your scenario exercise, prepare the press releases and major stakeholder communications. This allows an added benefit of preparing communications that can be reviewed by your executive team, internal public relations and your external public relations firm. The style of the communication is very important: it should be informative, take responsibility and reassure your audience that the matter is being handled. It should state how importantly your company views the matter and establish how clearly your company understands the impact on its customers and partners. Your best decisions are not made during a crisis, nor are your best communications. An advantage of planning will be in being able to pull out that document — already reviewed — and change a few words to meet the situation. Being able to review and create these communications during times of less stress results in a better product consistent with your corporate values and public marketing strategy. Thorough advance preparation will put your company in a position to truly minimize the impact of a breach. Without preparation, you may be lucky even to survive it.

Once the reporting requirements are determined, the team focuses on defining the target audiences and the form of communication they require. Key audiences that need to be considered are the affected clients and consumers, partners, law enforcement, government regulators, investors, board of directors, executive management team, corporate affiliates, foreign country operations and employees. Each of these bodies requires a consistent message but certainly will differ in the style of communication that works best.

Here is where all the preparation pays off. Your organization will communicate to the target audience with accurate information presented to reassure rather than alarm the audience.

Recently, my aunt received a security breach notice and called me for advice. It was obvious from her tone that she was very upset and she said, “It says here in the letter that I should call them if I have any questions, but I don’t even know what to ask!” Remember that the general public is not going to have the same level of understanding as we do working with identity theft and account takeover. Make sure the communication includes key FAQs targeted to the audience so that the reader can understand the risks and what you have done to mitigate them.

Now Execute!

How are you going to take responsibility? One way is to offer assistance to your customer. Consider such things as telephone hotlines to assist the customer in understanding what the risks are and how you are willing to help. Offering free monitoring of a customer’s credit report in the event of a breach of consumer-oriented information is another way. Depending on the nature of the breach, you may want to tailor some special services to those of your customers most seriously affected.

Make sure your executives are prepared to answer the questions that are going to come hard and fast from the media, customers, employees and even suppliers. If there is an event, all the work will pay off. The main mission is to retain the trust in your brand that has been built over years of hard work. Take responsibility, sympathize with your customers, and provide accurate and complete information to your stakeholders. Remember that lightning can strike anywhere and, as a prepared organization, you will be able to weather the storm. CIO

James Christiansen is CISO at Experian. Send feedback on this column to [email protected]


Virtually Secure?

Virtual machines have a lot to offer CIOs and security researchers alike. And, unfortunately, hackers too.

Virtualization is the hot new trend in corporate data centers today. Virtualization servers from Microsoft, VMware and XenSource allow many virtual computers to run on a single (real) computer system. In practice, this means that 20 or 30 physical servers in a machine room can be turned into the same number of virtual machines running on a single physical system with two, four or eight processors.

Turning 30 computers into one can dramatically reduce the need for power, cooling, cabling and management. And even though the typical virtualization server saps between 5 percent and 10 percent of the physical computer’s processing capabilities, virtualization frequently makes an organization’s applications run faster, not slower. That’s because the physical servers being replaced are quite often underutilized single-CPU machines running on hardware that’s a few years out of date. By contrast, new multiprocessor systems can give each virtualized machine a boost of CPU power at the precise instant when that CPU power is needed — and give that same boost to other machines when they’re the ones who need it most.

But besides being a powerful tool for saving money, virtualization is one of the up-and-coming power tools in the arsenal of today’s security practitioners.

Illustration by PC Anoop

Crash, Burn, Repeat

For example, just a few years ago, most security consultants had one or more “crash-and-burn” machines for experimenting with potentially hostile programs like spyware, Trojans and computer viruses. These days, most of this dissection and examination work has moved to the world of virtual machines. Besides the obvious savings in desk space and power, it’s easier to figure out what a piece of spyware has done to a virtual machine than a physical machine because many of the tools of the virtualization server’s host operating system can be used in the analysis.

Using a virtual crash-and-burn machine can also be a lot faster than using a physical machine. One of the positively mind-numbing tasks with my old crash-and-burns was the need to install operating systems onto the hard drives, make “images” of these hard drives, restore the images after the spyware had done something nasty and so on. I had one 9GB drive configured with a copy of Windows 2000, another configured with Linux, and a lot of 9GB drives holding versions of these systems in various states of damage and attack. When I was done experimenting with a new nasty, I would take my reference hard drive and copy it block-for-block back over the work drive. This assured me that I had a nice clean install of the victim operating system ready for another experiment. But, I had to boot from CD-ROM and then spend between 20 and 30 minutes to copy the blocks.

It’s faster to work with disk images of virtual computers because today’s virtualization servers are better at intelligently managing hard drives than physical servers ever could be. Instead of having a block-by-block copy of the logical drive, virtualization servers employ a variety of compression and remapping techniques, so that the virtual disk contains only the disk sectors that the virtual computer actually needs. Some virtualization servers, like Microsoft Virtual PC, can even store virtual disks in two files: a “base” or reference file and a second file that just keeps track of the changes. With this kind of configuration, the second file contains a perfect record of the damage that the spyware has done. To restore the original computer, you just throw away that second file.
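The base-plus-delta disk layout described above, modelled as an added example that is not part of the column: the base image is never written, every guest write lands in a separate delta keyed by sector number, the delta alone lists what a sample changed, and a reset is simply discarding the delta rather than copying the whole disk block for block. The sample image, the "sample behaviour" and the sector numbers are all constructed for the illustration.

```python
"""Differencing virtual disk: read-only base plus a delta of changed sectors.

Constructed example (not the column's or any vendor's code). Reads consult
the delta first and fall through to the base; writes never touch the base.
The delta is therefore a complete record of the guest's changes, and
throwing it away restores the pristine image instantly.
"""
from __future__ import annotations

SECTOR = 512  # bytes per sector, the classic disk block size


class DifferencingDisk:
    def __init__(self, base: bytes) -> None:
        if not base or len(base) % SECTOR:
            raise ValueError("base image must be a non-empty whole number of sectors")
        self._base = bytes(base)
        self._delta: dict[int, bytes] = {}  # sector number -> new contents

    @property
    def sectors(self) -> int:
        return len(self._base) // SECTOR

    def _check(self, lba: int) -> None:
        if not 0 <= lba < self.sectors:
            raise IndexError(f"sector {lba} out of range (disk has {self.sectors})")

    def read(self, lba: int) -> bytes:
        self._check(lba)
        if lba in self._delta:
            return self._delta[lba]
        return self._base[lba * SECTOR:(lba + 1) * SECTOR]

    def write(self, lba: int, data: bytes) -> None:
        self._check(lba)
        if len(data) > SECTOR:
            raise ValueError("write exceeds one sector")
        # pad short writes so every delta entry is exactly one sector
        self._delta[lba] = bytes(data).ljust(SECTOR, b"\0")

    def changed_sectors(self) -> list[int]:
        """Every sector the guest touched: the delta is the record of damage."""
        return sorted(self._delta)

    def diff(self) -> dict[int, tuple[bytes, bytes]]:
        """Before/after contents for each changed sector, for analysis."""
        return {lba: (self._base[lba * SECTOR:(lba + 1) * SECTOR], new)
                for lba, new in sorted(self._delta.items())}

    def revert(self) -> int:
        """Discard the delta; returns how many sectors this restored."""
        restored = len(self._delta)
        self._delta.clear()
        return restored


def make_base_image(sectors: int = 8) -> bytes:
    """Constructed base image: a blank disk with a recognisable hosts file in sector 2."""
    img = bytearray(sectors * SECTOR)
    hosts = b"127.0.0.1 localhost\n"
    img[2 * SECTOR:2 * SECTOR + len(hosts)] = hosts
    return bytes(img)


def run_experiment() -> dict:
    """One crash-and-burn session: a constructed sample tampers with the hosts
    sector and drops a file, we inspect the delta, then reset by dropping it."""
    disk = DifferencingDisk(make_base_image())
    # constructed sample behaviour (documentation address and .example domain)
    disk.write(2, b"127.0.0.1 localhost\n203.0.113.9 bank.example\n")
    disk.write(5, b"constructed dropped payload")
    changed = disk.changed_sectors()          # what the analyst looks at: [2, 5]
    before, after = disk.diff()[2]
    restored = disk.revert()                  # "throw away the second file"
    pristine = make_base_image()
    return {
        "changed": changed,
        "hosts_tampered": b"bank.example" in after and b"bank.example" not in before,
        "restored": restored,
        "clean_after_revert": (disk.read(2) == pristine[2 * SECTOR:3 * SECTOR]
                               and disk.read(5) == bytes(SECTOR)),
        "sectors_copied_to_reset": 0,         # versus disk.sectors for a block-for-block copy
        "sectors_on_disk": disk.sectors,
    }


if __name__ == "__main__":
    for key, value in run_experiment().items():
        print(f"{key}: {value}")
```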

What Could Be Easier?

Throwaway virtual machines can be used for a lot more than testing spyware. Positively the safest way to browse the Web today is to download a copy of the VMware Player and the company’s “Browser Appliance” virtual machine. Start it up and within a few seconds, you’ll have a virtual machine running Ubuntu Linux with a copy of Mozilla Firefox ready to surf. Firefox running on Linux is an extremely secure configuration for browsing the Web. And if some hacking group has managed to find an exploit that allows them to take over your virtual machine, what do you care? The worst that exploit will do is corrupt the virtual machine — there is no way for the hackers’ hostile programs to break out of the VMware Player and infect your desktop. Likewise, there is no way for a cross-site scripting attack to steal your home banking authentication cookies, and there’s no way for some zero-day exploit to search for your confidential documents.

Remote Possibilities

Organizations can also use the VMware Player as a tool for providing their employees with a consistent set of applications for their home computers or secure remote access. Instead of using a resource-intensive remote-access system like Citrix or Microsoft Terminal Services, you could create a VMware virtual machine that is preconfigured with a trusted operating system, all of your organization’s productivity software and a virtual private network client. Employees would run the virtual machine to access company software or network resources, storing their work either in separate virtual disks, in the host operating system or on network shares. Software updates could be distributed as whole new VMs.

Increasingly, I’m also seeing VMs as a way to protect myself when I’m working on a sensitive network that belongs to a client. Instead of bringing up a VPN client on my home computer, I’ll create a VM and use that to connect to the client instead. Now I can be sure that no unrelated activity on my desktop will inadvertently make it into the client’s network. Likewise, I’m assured that any confidential information I download will be confined to that VM.

A number of academic researchers are trying to leverage this concept into an easy-to-use desktop interface that would split the typical home computer into different virtual machines for the different kinds of “roles” that home users typically play. For example, I might have one virtual machine for word processing; a second for doing home banking and other high-value, high-risk activities; a third for browsing the Web and playing games; and a fourth for high-risk activities like running programs that people send me by e-mail.

Although many researchers seem enamored with the idea of using virtualization to solve the spyware problem, I suspect that such a system wouldn’t provide nearly as much security as its proponents imagine. The problem is that home users will surely want a way to move information between these different virtual desktops — and as soon as there is a way to move information, attackers might be able to exploit it. For example, an attacker might send the user an e-mail message claiming to be from his bank, which contains an allegedly “mandatory update to your secure home banking virtual machine.” Although it is possible to build a virtual machine that allows no communication with other desktop VMs as a matter of policy, it’s unlikely that consumers will want to use a system that doesn’t allow cut-and-paste between the different desktops.

Going to the Dark Side

Clever security mavens will realize that there’s a dark side to all of this virtualization as well. Because the cookies and browser cache files are stored in the virtual machine along with everything else, a bad guy who browses the Web inside VMware’s Browser Appliance won’t leave any of those telltale forensic trails on his PC. This can make it much harder to prove that someone has been using a computer for illicit purposes such as downloading child pornography. At a recent forensics conference, I heard that some sophisticated attackers are doing this today, so that they won’t leave traces when they break into other machines. Contrary to what’s frequently said in the media, virtual machines give us a way to browse the Web, download information and then completely clean a machine so that no trace is left behind.

Virtualization technology can also be used by attackers to hide the existence of viruses, Trojan horses and other kinds of malware, although currently such attacks are strictly in the proof-of-concept phase. The theory here is that the malware becomes the virtualization server itself; the victim operating system then runs as the client. To date, the only person who has been able to pull this off is Joanna Rutkowska, a researcher at Singapore-based IT security consultancy Coseinc. Rutkowska’s creation, called “Blue Pill,” was the subject of much media hype last summer when it was first announced. The system is based on AMD’s SVM/Pacifica virtualization technology and reportedly can fool even Windows Vista x64. You’ll get a more realistic understanding of what the technology can and cannot do by paging through Rutkowska’s Black Hat PowerPoint presentation, which you can download from her blog at www.invisiblethings.org.

Virtualization is likely to be as big a step forward for computer security as protected-mode operating systems were back in the 1970s in academia and government (and in the 1990s, when business made the transition from DOS and Windows 95 to Windows NT). It won’t be a cure-all, but then again, nothing ever is. CIO

Simson Garfinkel, CISSP, is researching computer forensics and human thought at Harvard University. Send feedback on this column to [email protected]

User Management

Users Who Know Too Much (And the CIOs Who Fear Them)

A new IT department is being born. You don’t control it. You may not even be aware of it. But your users are, and figuring out how to work with it will be the key to your future and your company’s success.

By Ben Worthen

Reader ROI:

Consumer IT’s impact on the CIO-user relationship

The case of non-standard technologies

Managing consumer IT in the enterprise

Illustration by MM Shanith

An April 2006 survey by the Pew Internet and American Life Project found that 45 percent of adults who use the Internet said it has improved their ability to do their jobs ‘a lot’.

These are your employees, and their message couldn’t be clearer: technology, at least in their eyes, has made them significantly more productive. But CIOs shouldn’t be patting themselves on the back just yet. For this productivity boost the study credits the Internet, not enterprise IT, not the technology you provide, not, in short, you. And while Pew’s finding undoubtedly includes people who use the Internet to access your corporate applications, Lee Rainie, the Pew project director, says the research is not pointing to what a good job CIOs have been doing.

It tells a different tale. “The big story is that the boundary that existed in people’s lives between the workplace and the home has broken down,” says Rainie. Almost unlimited storage and fast new communication tools allow people to use whatever information they choose, whenever they want to, from wherever is most convenient for them.

According to Pew, 42 percent of Internet users download programs, 37 percent use instant messaging, 27 percent have used the Internet to share files, and 25 percent access the Internet through a wireless device. (And these numbers are all one or two years old. Rainie “would bet the ranch” that the current numbers are higher.)

Does that sound like the tools you’ve provided your company’s employees? Do you encourage them to download programs and share files? Do you support IM? Have you outfitted a quarter of your company’s employees with wireless devices? Really?

“A consequence of the blending of worlds is that people bring gadgets from their home life into the workplace and vice versa,” says Rainie. For example, a December 2006 survey by Searchsecurity.com found that only 29 percent of companies had a corporate instant messaging tool, a number that seems relatively small when compared with the percentage of people Pew says use IM in the office.

Users have a history of providing their own technology, but the capabilities of today’s consumer IT products and the ease with which users can find them is unprecedented. Thumb drives, often given away free at conferences, provide gigabytes of transportable storage. Google spreadsheets and other online documents let multiple people collaborate on one file. The Motorola Q, a phone that uses the cell network as an always-on high-speed Internet connection (and can be yours for just Rs 5,625 on eBay) lets users forward their work e-mail to their phones without ever touching a mail server. And that’s only three examples. There’s a consumer technology out there for every task imaginable — and if there isn’t, there’s a tool that will let someone create it tomorrow.

The era in which IT comes only from your IT department is over.

So where does that leave you?

The Shadow IT Department

The consumer technology universe has evolved to a point where it is, in essence, a fully functioning, alternative IT department. Today, in effect, users can choose their technology provider. Your company’s employees may turn to you first, but an employee who’s given a tool by the corporate IT department that doesn’t meet his needs will find one that does on the Internet or at his neighborhood Best Buy.

The emergence of this second IT department — call it ‘the shadow IT department’ — is a natural product of the disconnect that has always existed between those who provide IT and those who use it.

And that disconnect is fundamental. Users want IT to be responsive to their individual needs and to make them more productive. CIOs want IT to be reliable, secure, scalable and compliant with an ever-increasing number of government regulations. Consequently, when corporate IT designs and provides an IT system, manageability usually comes first, the user’s experience second. But the shadow IT department doesn’t give a hoot about manageability and provides its users with ways to bypass corporate IT when the interests of the two groups do not coincide.

“Employees are looking to enhance their efficiency,” says André Gold, director of information security at Continental Airlines. “People are saying, ‘I need this to do my job.’” But for all the reasons listed above, he says, corporate IT usually ends up saying no to what they want or, at best, promising to get to it...eventually. In the interim, users turn to the shadow IT department.

Rob Israel, CIO, Lincoln Health, says it is unreasonable for an IT department to expect users to know every policy well. So he laid systems in place that put some automation behind their policies.

For many good and not-so-good reasons, the CIO’s first instinct is often to fight the shadow IT department whenever and wherever he detects it. But that approach, according to people who have thought long and hard about this potential war between IT departments, is a recipe for stalemate, if not outright defeat for CIOs.

The employees in your company are using consumer IT to work faster, more efficiently and, in many cases, longer hours. Some are even finding new and better ways to get work done. CIOs should be applauding this trend. But when you shut down consumer IT, says William Harmer III, assistant vice president of architecture and technology of financial services company Manulife, “You end up as a dissuader of innovation.”

Yes, the shadow IT department presents corporate IT with security and compliance challenges. Users could be opening holes in the corporate firewall (by downloading insecure programs), exposing company data irresponsibly (by scattering laptops, handhelds and thumb drives hither and yon) and handling information in any number of ways that could violate any number of federal regulations. But CIOs need to deal with these problems strategically, not draconically.

“There’s a simple golden rule,” says David Smith, a vice president and research fellow at Gartner. “Never use security and compliance as an excuse for not doing the right thing. Never use these as sticks or excuses for controlling things. When you find that people have broken rules, the best thing to do is try to figure out why and to learn from it.”

Successful companies will learn how to strike a productive balance between consumer IT and the need to protect the enterprise. This will require CIOs to re-examine the way they relate to users, and to come to terms with the fact that their IT department will no longer be the exclusive provider of technology within an organization. This, says Smith, is the only way to stay relevant and responsive. CIOs who ignore the benefits of consumer IT, who wage war against the shadow IT department, will be viewed as obstructionist, not to mention out of touch. And once that happens, they will be ignored and any semblance of control will fly out the window.

And that won’t be good for anyone.

How the Shadow IT Department Works

Here’s an all-too-common response to the shadow IT department, courtesy of Bill Braun, vice president of information systems for the Texas Credit Union League: “What’s good for me is that it’s simple to say no [to consumer IT]. There goes most of the problem. Possibly some of the benefit, but certainly the problem.”

Passing over the fact that Braun admits that he’s willing to forgo the potential innovations consumer IT can provide, this approach also assumes that the shadow IT department has a similar structure to its corporate counterpart and can be managed in the same way.

It doesn’t and it can’t. The shadow IT department is an entirely different beast.

Tools for Managing Shadow IT

First, you need to know what your employees are doing.

Striking the right balance between corporate IT and shadow IT requires possessing detailed knowledge about how the employees in your company are really accessing and using information. This calls for network monitoring, content monitoring and restraint.

Unfortunately, no one vendor can give you everything you need to do these things. This is because different types of workers use different types of data in — you guessed it — different ways. Forrester Research breaks the data into three broad categories.

Transactional content: This is information that’s as likely to come from a business partner as from someone in your company. It includes faxes and forms that people fill out, as well as scanned images and corporate information like tax files. This type of information is often closely aligned with a company’s workflow processes and business process management systems. According to Forrester, vendors whose tools work well for capturing this type of content include 170 Systems, Adobe, Captiva, EMC, FileNet, Mobius and Whitehill Technologies.

Business content: This category includes the multitude of spreadsheets, documents and presentations that the people in your company use to do their jobs every day. These files — and the information that they contain — are typically found throughout an enterprise and are probably managed by any number of systems. But this information is also easily passed on as attachments or as unstructured data removed from the applications in which it is supposed to reside. Forrester says the following vendors help companies monitor the movement and whereabouts of this kind of data: ClearStory Systems, Extensis, Hummingbird, MDY, Oracle and Xerox.

Persuasive content: This is information that is meant to be shared with the outside world. It can be something that an employee puts in a blog or the marketing material that the company distributes. Forrester says the following vendors specialize in managing this kind of content: BroadVision, Ektron, FatWire, Percussion Software and Stellent.

— B.W.


Corporate IT is highly structured, with one individual or a small group controlling the nodes in a network and their relationships to one another. The shadow IT department, on the other hand, has no central authority and at best an ill-defined hierarchy; nodes join on their own and develop their own relationships. Marty Anderson, a professor at the Olin Graduate School of Business at Babson College, calls corporate IT a command architecture and shadow IT an emergent architecture. Command architectures are set up to make them easy to manage and, as a result, they respond to top-down orders. Emergent architectures contain no dominant node and therefore provide no lever by which to manage them. That’s why it is impossible to kill the shadow IT department or keep it out of your company. It has no head to cut off or single channel to dam.

It’s natural for corporate IT to feel threatened by the shadow IT department, but the truth is that they already co-exist everywhere. “The two have always been present,” says Anderson. “The management skill is noticing where they intersect and coming up with a strategy for dealing with it.”

For example, a similar dynamic has long played out in HR. A company’s employees have titles and reporting relationships that give their work a formal structure. But at the same time, every company has an informal structure determined by expertise, interpersonal relationships, work ethic, and so on. Companies suffer when HR is out of phase with the informal structure. Employees are demoralized when the formal architecture elevates someone at the bottom of the informal architecture, and people who occupy the top spots in the informal architecture leave when they aren’t recognized by the formal one. Good HR departments know where employees stand in both the formal and informal architectures and balance the two.

IT needs to learn how to strike a similar balance. Corporate IT isn’t going to go away, and neither are the systems that IT has put in place over the years. But a CIO who doesn’t develop a strategy to accommodate the shadow IT department will be employing an outdated and (more important) an inefficient business model. And, like the HR department that ignores the informal relationships in a company, the CIO might lose sight of how his users actually work. Corporate IT thereby loses its authority and, eventually, the CIO loses his job. It won’t happen quickly, but it will happen. As Anderson puts it, “It will be like getting nibbled to death by ducks.”

How to Make Peace With Shadow IT

Techniques will differ for each company depending upon its business, the degree of regulation to which it’s subject, its risk tolerance and so on, but some principles are universally applicable. Here are some starting points.

1. Find out how people really work.

Whether you know it or not, your company’s employees are using technology of their choosing, or using technology of your choosing in ways you never intended. Brian Flynn, senior VP of IT at BCD Travel, found this out when he deployed software that monitored the content moving across his network. Not only were employees using consumer IT tools (like IM) but they were using IT-provided applications to do things that were clearly security risks (such as sending sensitive information back and forth).

“I am convinced that most companies are flying blind,” says Flynn. “This is going on everywhere and IT just doesn’t know.”

Fight your instinct to discourage these behaviors by legislating against them. Yes, there may be security and compliance risks, but declaring open war on the shadow IT department will turn it into an insurgency, driving it underground where it will be harder to negotiate. Instead, consider this an opportunity to find out where the IT you’ve provided is out of sync with your users’ needs.
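Flynn’s monitoring is the check worth running before deciding what to do about shadow IT. The following added example is my illustration, not BCD Travel’s software: it runs a content-monitoring pass over gateway log lines, flagging traffic to consumer IM and webmail hosts and messages that carry sensitivity markers or card- and SSN-like numbers, and confirms candidate card numbers with a Luhn check so that order numbers do not trip it. The log format, the host list and the log lines themselves are constructed for the example.

```python
"""Content-monitoring pass over gateway logs (added example, not from the article)."""
import re
import shlex
from dataclasses import dataclass, field

# Constructed list (an assumption): consumer IM and webmail hosts of the
# period, as a proxy or mail gateway would see them.
CONSUMER_SERVICES = {
    "login.oscar.aol.com": "AIM",
    "messenger.hotmail.com": "MSN Messenger",
    "mail.google.com": "Gmail",
    "www.myspace.com": "MySpace",
}

# Sensitive-content patterns. The card pattern is deliberately loose and is
# confirmed with a Luhn check so that order and PO numbers do not raise alerts.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKERS = ("confidential", "not for distribution", "internal only")

# Constructed gateway log lines: key=value pairs with a quoted message body.
SAMPLE_LOG = [
    'ts=2007-03-12T09:19:25 user=jdoe proto=aim dst=login.oscar.aol.com msg="lunch at noon?"',
    'ts=2007-03-12T09:20:01 user=msmith proto=smtp dst=mail.corp.example msg="Q1 revenue by city attached - CONFIDENTIAL"',
    'ts=2007-03-12T09:21:40 user=fuel1 proto=aim dst=login.oscar.aol.com msg="card on file 4111 1111 1111 1111 exp 03/09"',
    'ts=2007-03-12T09:22:13 user=ap1 proto=smtp dst=mail.corp.example msg="PO 1234 5678 9012 3456 shipped"',
    'ts=2007-03-12T09:23:55 user=hr1 proto=http dst=www.myspace.com msg="posted the new story idea"',
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; True for a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_line(line: str) -> dict:
    """Turn 'k=v k="quoted v"' into a dict; shlex keeps quoted values whole."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


@dataclass
class Finding:
    user: str
    dst: str
    reasons: list = field(default_factory=list)


def scan(lines):
    """Return one Finding per line that touches a consumer service or
    carries sensitive content; lines with nothing to report are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        reasons = []
        service = CONSUMER_SERVICES.get(rec.get("dst", ""))
        if service:
            reasons.append(f"consumer service: {service}")
        msg = rec.get("msg", "")
        lowered = msg.lower()
        reasons += [f"marker: {m}" for m in MARKERS if m in lowered]
        for candidate in CARD_RE.findall(msg):
            if luhn_ok(re.sub(r"\D", "", candidate)):
                reasons.append("card number (Luhn-valid)")
        if SSN_RE.search(msg):
            reasons.append("SSN-like pattern")
        if reasons:
            findings.append(Finding(rec.get("user", "?"), rec.get("dst", "?"), reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.user, f.dst, "; ".join(f.reasons))
```

Run over a day of proxy or mail-gateway logs, the findings read as a map of where the IT you provide is out of sync with users, which is the use Flynn puts the data to, rather than as a list of people to discipline. The PO line in the sample is the case worth noticing: it looks like a card number, fails Luhn, and correctly produces nothing.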


Maria Anzilotti, CIO of Camden Property Trust, says she allows IM even if most people use it for non-work purposes, to create a reputation of being approachable.


2. Say yes to evolution.

CIOs need to make users feel comfortable about bringing their underground behavior into the light. The first step is a change in attitude.

“We tend to think of people who think out of the box as troublemakers,” says Flynn. “But we need to realize that maybe they know what they’re talking about and maybe we should try to meet them halfway if we can.” Always try to help users figure out a secure way to do whatever it is they’re trying to do. “People get used to [IT] telling them no, and after a while they stop telling you what they’re doing,” says Continental’s Gold. “So we try to say yes, dot dot dot.”

Rob Israel, CIO of the John C. Lincoln Health Network, has developed a policy that formalizes this mind-set. “I’m the only person in IT allowed to say no,” he says. Conversely, his IT employees have only three options: approve a request, research it, or pass it up to him. According to Gold and Israel, getting a reputation for saying yes will encourage users to come to you with ideas. That gives you the chance to learn what it is that the user is trying to do and come up with a way to do it that won’t compromise security.

As irrelevant or irresponsible as some shadow IT projects seem on the surface, it’s important to accept the fact that users do things for reasons. If they are e-mailing critical files among themselves, it’s because they need to work on something from a different location and that’s the most direct solution that they can come up with. IT’s job shouldn’t be figuring out how to prevent the user from accessing and moving files, but rather to find a solution that lets him take that file home in a way that doesn’t make the company vulnerable and isn’t any more complex than the method that the user discovered on his own.

That last part is important. “No one,” says Flynn, “will jump through hoops.” They’ll go around them.

Most shadow IT projects, Gold says, are attempts to solve simple problems, and it’s easy for CIOs to mitigate risks if they’re willing. For example, Gold found that people were taking files home on thumb drives. Instead of outlawing the practice, he began distributing thumb drives with encryption software on them. The users’ experience never changed.

3. Ask yourself if the threat is real.

The other part of developing a say-yes reputation is realizing which shadow IT projects really represent a security threat and which just threaten IT’s position as the sole god of technology provisioning. Maria Anzilotti, CIO of Camden Property Trust, a real estate developer, says that she has continued to allow IM even though most people use it for non-work purposes. “We looked at the risk and decided it wasn’t worth [shutting it down],” she says. “A lot of people use it to communicate with their kids. It’s faster and less disruptive than phone calls.”

“We keep an eye on it.”

Killing a shadow IT app without appreciating how thoroughly it’s been integrated into a company’s workflow can have unanticipated and unfortunate consequences. When Gold shut down IM at Continental, he got an angry call from an employee in the fuel management group who was using it (successfully) to negotiate jet fuel pricing for the airline.

Oops.

When a CIO prohibits people from using a technology that doesn’t pose a real security threat or doesn’t adversely affect his budget, he is setting himself up as a tin idol, a moral arbiter. That’s a guaranteed way to antagonize users. And that’s never a good idea.

I, A User: Confessions from the Land of Shadow IT

My name is Ben Worthen. I wrote the article you’re now reading, and I turn to the shadow IT department frequently.

I’m not a troublemaker. I’m not trying to harm CIO in any way. On the contrary, I’m trying to make myself more productive. I have a list of projects that just keeps growing, and I need technology that will help me get things done quickly. More often than not, I find what I need on the Internet.

About a year ago, I started forwarding all of my work e-mail to my Gmail account. Our work e-mail system is Lotus Notes, and while it has a Web-based interface, the design is clunky and the URL is hard to remember. But that’s not the main reason I took matters into my own hands. E-mail has become my de facto document repository. People send me all sorts of information (reports, PDFs, attachments) that I constantly need to refer to. Gmail is a better document repository for two reasons. First, my IT department wants me to delete messages whenever my mailbox hits 200MB but Gmail gives me unlimited storage, so I never have to delete anything. Second, Gmail actually has search that works; I can never find anything in Lotus Notes even if I type in an e-mail’s subject line verbatim.

I also use shadow IT for collaboration. When half my office mates moved to a building across the street, we decided that the easiest way to keep in touch with one another was through instant messaging. Also, other colleagues work remotely and so we don’t have a chance to share story ideas in person. Our IT department doesn’t support any collaboration tools, so we turned to the Web. Our first attempt was MySpace.com. It worked. There are blogging tools and automatic notifications that let us know when someone has a new idea or has commented on an old one.

Yes, this puts a certain amount of our company’s intellectual property on the Internet where anyone can see it, but it’s the only way my colleagues and I can see it.

And in my humble opinion, that outweighs the potential risk.

— B.W.

4. Enforce rules, don’t make them.

There’s a fine line between providing access to data and determining who should have access to it. And Manulife’s Harmer says IT often crosses it. “I own the infrastructure,” he says, “but the business owns the data.” IT creates artificial hurdles for employees when it makes blanket judgments about access that affect the entire company. “The key is not to paint all the users the same,” says Harmer.

Lincoln Health’s Israel deals with this challenge every day. It’s one thing, he says, for his nursing staff to search the Internet for the word breast; it’s another for someone in the accounting department. But if Israel installed a filter that prevented access to (apparently) pornographic websites, his nurses might not be able to find information that they need to treat a patient. The solution is for IT to provide tools that let an individual’s manager decide what information she needs to do the job.

“IT doesn’t know everything the business knows,” says Gold. “So it’s hard for me to make rules about who should have access to what.”

5. Be invisible.

Companies have long lists of policies, with which everyone must comply. But lists don’t enforce themselves. “I wrote all the policies [here], and I only know two of them well,” says Israel. “So it’s unreasonable for an IT department to expect users to know them all. But we can put systems in place that put some automation behind our policies.”

Manulife’s Harmer says that the key is to develop an approach that secures data without depending upon how a user accesses it or what he does with it. “The way I approach it is to bring the controls closer to the data,” he says. “That means not relying on a firewall but trying to figure out what I’m actually trying to protect and then dealing with it appropriately.”

At Continental, such an approach has led to a change in the way the IT department designs systems. “Ninety percent of the applications we have that involve sensitive data are things we’ve written,” Gold explains. All that data was protected...as long as the user accessed it from the application IT built. But when a manager tried to compare revenue for different cities by copying the data into Excel (something Gold says happens often), the information was suddenly placed at risk. Subsequently, he encouraged the IT department to build encryption and other safeguards directly into the applications. So, when a user pastes revenue figures into a spreadsheet, the data, not the sanctity and integrity of the application, will still be protected.

Messy but Fertile Beats Neat but Sterile

IT has a natural tendency to think about technology in a system-centric way. Systems automate workflow and control access to information. And for a long time these systems made work and workers more efficient. “But there has always been a bright line between IT systems and what people really wanted to do,” says Babson’s Anderson.

“I used to have users come to me as if I was the almighty IT god,” says Israel, who recalls those as “the good old days.” But in that sense, god is dead, and IT’s authority and sense of purpose can no longer derive from controlling how people use technology.

“IT can’t insist on doling out IT,” says Gartner’s Smith. “The demographics of the workforce are changing. Younger people who are more familiar with technology are coming in, and they will not sit still while [CIOs] dole out corporate apps. If you want to retain the best and the brightest, you can’t lock down your environment.”

Smith advises CIOs to try to stop thinking about technology as something that must always be enterprise class. There are several Web-based tools that can meet their users’ needs and not cost the company a dime. “Be open-minded and bring them in where appropriate,” he says.

Does that mean that the enterprise is going to become a messier place? Absolutely. That’s an inevitable consequence of user-centric IT. But messiness isn’t as bad as stagnation.

“Controlled chaos is always OK,” says Gold. “If you want to be an innovator and leverage IT to get a competitive advantage, there has to be some controlled chaos.” CIO

Ben Worthen is senior editor. Send feedback on this feature to editor@cio.in

The enterprise is going to become a messier place — an inevitable consequence of user-centric IT. But messiness isn’t as bad as stagnation.


Intrusion Vigilance

5 Ways Google is Shaking the Security World

By Sarah D. Scalet

Whether you’re charged with preventing hacks, protecting assets, stopping fraud or defending trademarks, Google and other search engines present a new mix of risks for everybody in the security game.

Ask Google anything — what’s happening to GE’s stock price, how to get to 881 Seventh Avenue in New York, where Mission Impossible 3 is showing, whatever happened to Brian after he moved away in the ninth grade — and you’ll get an answer. That’s the power of this Rs 27,000-crore search engine sensation, which is so good at what it does that the company name has become a verb.

That kind of power keeps Google on the front page of the news — and sometimes under unfavorable scrutiny, as demonstrated by Google’s recent clashes with the US Department of Justice and also with critics displeased by the search giant’s stance on Chinese government censorship.

The CIO has a different reason to think carefully about Google and the implications of having so much information online, instantly accessible by almost anyone. Although these issues relate to all search engine companies, Google gets most of the attention — not only because of its huge share of the Web search market but because of its unabashed ambitions to catalog everything from images and libraries to Earth, the moon and Mars.

Illustration by Unnikrishnan A.V

“We always get enamored of a new technology, and it takes us a while to understand the price of that technology,” says Robert Garigue, vice president of information integrity and chief security executive of Bell Canada Enterprises in Montreal. For security pros, the price is that Google can be used to dig up network vulnerabilities and locations of sensitive facilities, to enable fraud and cause other sorts of mayhem against the enterprise. Here is a look at five ways Google is shaking the security world, and what companies can do about each of them.

1. Google hacking (strictly defined)

What it is: Using search engines to find systems vulnerabilities. Hackers can use carefully crafted searches to find things like open ports, overly revealing error messages or even (egads!) password files on a target organization’s computer systems. Any search engine can do this; blame the popularity of the somewhat imprecise phrase ‘Google hacking’ on Johnny Long. The author of the well-read book Google Hacking for Penetration Testers, Long hosts a virtual swap meet (http://johnny.ihackstuff.com) where members exchange and rate intricately written Google searches.

How it works: The way Google works is by ‘crawling’ the Web, indexing everything it finds, caching the index information and using it to create the answers when someone runs a Web search. Unfortunately, sometimes organizations set up their systems in a way that allows Google to index and save a lot more information than they intended. To look for open ports on CIO’s Web servers, for instance, a hacker could search Google.com for INURL:WWW.CIOONLINE.COM:1, then INURL:WWW.CIOONLINE.COM:2, and so on, to see if Google has indexed port 1, port 2 and others. (This is not a port scan: it only surfaces non-default ports that a crawler once reached through a link, so a miss proves nothing about what is actually listening.) The researcher also might search for phrases such as ‘Apache test page’ or ‘error message’, which can reveal configuration details that are like hacker cheat sheets. Carefully crafted Google searches sometimes can even unearth links to sloppily installed surveillance cameras or webcams that are not meant to be public.

Why it matters: Suppose someone is scanning all your ports. Normally, this activity would show up in system logs and possibly set off an intrusion detection system. But search engines like Google have Web crawlers that are supposed to regularly read and index everything on your Web servers. (If they didn’t, let’s face it — no one would ever visit your website.) By searching those indices instead of the systems themselves, “you can do penetration testing without actually touching the victims’ sites,” points out consultant Nish Bhalla, founder of Security Compass.

What to do: Beat hackers at their own game: hold your own Google hacking party (pizzas optional). Make Google and other search engines part of your company’s routine penetration testing process. Bhalla recommends having techies focus on two things: which ports are open, and which error messages are available.

When you find a problem, your first instinct may be to chase Google off those parts of your property. There is a way to do this — sort of — by using a commonly agreed-upon protocol called a ‘robots.txt’ file. This file, which is placed in the root directory of a website, lists the files or folders that crawlers are asked not to fetch. It is a request, not an access control: a URL can still turn up in an index if another page links to it, and the file itself is readable by anyone. (For a notoriously long example, view the White House’s file at www.whitehouse.gov/robots.txt.) Many companies that run search engines heed the instructions in this file.

Notice we said ‘many’? Some search engines ignore robots.txt requests and simply index everything anyway. What’s more, the robots.txt file tips off hackers about which public parts of your Web servers you’d prefer to keep quiet. Meanwhile, the information that your pen testers found through Google is already out there. Sure, you can contact search engines individually and ask them, pretty please, to remove the information from their caches. (Visit www.google.com/webmasters for instructions.) But you’re better off making the information useless.

“The persistence of these caches is impossible to manage, so you have to assume that if it’s there, it’s going to be there forever,” says Ed Amoroso, CISO of AT&T. His solution? Simple. “Let’s say you found a file with a bunch of passwords. Change those passwords.”

Then, fix the underlying problem. Eliminate or hide information that shouldn’t be publicly available. Long term, you’ll have to do the heavy lifting too, by closing unnecessary ports or fixing poorly written applications.

Hackers can use searches to find open ports, overly revealing error messages or even password files on an enterprise’s computer systems.

Shock waves: 4 (highest). It’s up to you to make sure your company isn’t accidentally publishing instructions on how to hack its systems.

2. Google hacking (loosely defined)

What it is: Using search engines to find intellectual property. It’s Google intel: the researcher uses targeted Web searches to find bits and pieces of information that, when put together, form a picture of an organization’s strategy. Unlike, say, launching a SQL injection attack, doing competitive intelligence using public sources is quite legal (and may in fact be good business).

How it works: The researcher scours the Web for information that might include research presented at academic conferences, comments made in chat rooms, résumés or job openings. “Companies leave bread crumb trails all over the place on the Web,” says Leonard Fuld, founder of Fuld & Co. and author of the forthcoming book The Secret Language of Competitive Intelligence. One common tactic is using search queries that reveal only specific file types, such as Microsoft Excel spreadsheets (filetype:xls), Microsoft Word documents (filetype:doc) or Adobe PDFs (filetype:pdf). This kind of search filters out a lot of noise. Say you want information about General Motors. Searching for “GENERAL MOTORS” “FINANCIAL ANALYSIS” one day in February yielded 56,400 results. Searching for “GENERAL MOTORS” “FINANCIAL ANALYSIS” FILETYPE:XLS brought up only 34 documents. One of those documents was a spreadsheet from a recruiting agency that contains the current jobs and work history (though not the names) of executives at numerous companies (including GM) who may be on the job market.

Another common approach is searching for phrases that may indicate information that wasn’t intended to be public. For this, keywords such as ‘personal’, ‘confidential’ or ‘not for distribution’ are invaluable. These targeted searches don’t always hit pay dirt, but they can be fascinating. For instance, on that same day in February, the top hit on a search for “GENERAL MOTORS” “NOT FOR DISTRIBUTION” was a PDF from a credit-rating company with poorly redacted information that could be easily viewed by pasting the text into another document. (Oops!)

A final tactic is to target the organization’s site itself for information, such as phone lists, that could be useful for social engineering scams. Researchers might use the site search function and look for the phrase ‘phone list’ or ‘contact list’. (An actual search might be SITE:CSOONLINE.COM “PHONE LIST”, and if you run that particular search, you’ll find stories CSO has published about why your company’s phone directory is better kept under wraps.)

Why it matters: “If it’s on Google, it’s all legal,” says Ira Winkler, information security consultant and author of Spies Among Us. Competitive intelligence of this sort is illegal espionage only when it involves a trade secret — and

REAL CIO WORLD | m a r c h 1 5 , 2 0 0 7 4 3Vol/2 | ISSUE/09

Google has fixed a security flaw in their desktop search that could have let hackers take control of a personal computer, but the security company that discovered the flaw says the design of the Google application could lead to similar threats in the future.

Google Desktop is a free application that searches a computer for e-mails, Web history and various files. Watchfire, a company that provides security analysis software, notified Google last month that the desktop application was vulnerable to a cross-site scripting attack, which places malicious code on a user’s computer.

a computer running Google Desktop could have been exploited if a user clicked on an infected e-mail file or a Web site or rSS feed loaded with the attack, says Mike Weider, Cto of Watchfire. the flaw was serious because it could have allowed hackers to access all the personal documents on a computer.

Google fixed the error by early February, Weider says. Google says there have been no reports of the vulnerability being exploited. It developed a patch to fix the security flaw and says each user’s version of Google Desktop is being updated automatically.

“Google claims it happens automatically. It didn’t for me and other people at Watchfire when we tried it,” Weider says. “It definitely seems as though there are cases where it doesn’t automatically update.” Weider added that users could be made vulnerable again in the event another cross-site scripting method of attack is identified, because there is a connection between the Google Web site and desktop application.

According to Weider, Google could prevent these vulnerabilities in the future by giving users the ability to disconnect the desktop application from the Google Web site.

“You have offline applications like a search tool that will search your index, and you have online sites like Google.com. What this application does is create a linkage between the two, where you could search on Google.com and get results from your desktop,” Weider says.

When asked whether it plans to give users the option of disconnecting the Web site and desktop application, Google did not answer and instead referred to a statement that does not mention the issue.

— By Jon Brodkin

Google Desktop Flaw Endangers PC

Intrusion Vigilance


if something is public enough to appear in Google, can you really argue that it was protected like a trade secret?

What to do: That Google hacking party we mentioned earlier should involve a few site searches for sensitive files, such as financial records and documents labeled ‘not for distribution’. Beyond your own borders, it’s a good idea to know what people are saying about your organization, even if there’s little you can do about it. “Using search engines to figure out what your public-facing view looks like has become a de facto element in any corporate security program,” Amoroso says.

Brand protection companies such as MarkMonitor and Cyveillance will work the beat for you, if you’d prefer. Creating (and enforcing) good policies about employee blogging or the use of message boards and chat rooms can also limit your exposure.

Shock waves: 3 (significant). This kind of competitive intelligence has been going on forever, and it is damaging. The Web means more information gets out, and it’s easier to find.

3. Google Earth

What it is: A software download that provides highly navigable satellite and aerial photography of the entire globe. (The same images are also available through Google Maps at http://maps.google.com.) The scope and resolution of the photos are eye-popping enough that Google Earth drew ire even as a beta product in 2005. Some people feel threatened that a photo of, say, their backyard is only a few clicks away, and others fear that terrorists will use the images of landmarks or pieces of the critical infrastructure to plot attacks.

How it works: After the user installs the software (the basic version is free at http://earth.google.com), she can zoom to any spot on the planet, often with enough detail to see driveways, if not cars. The virtual globe can be overlaid with information on roads, train tracks, coffee shops, hotels and more. Enterprising researchers are also overlaying Google Maps with everything from locations of murders to public rest rooms that have baby-changing tables. Images are up to three years old and come from commercial and public sources, with widely varying resolution.

Why it matters: The privacy implications of having this information so readily available are certainly worth discussing as a society, but the security risks to US-based companies are low. Much of the information was already available anyway. For instance, Microsoft stitched together images from the US Geological Survey a decade ago with its Terraserver project (http://terraserver.microsoft.com). It just doesn’t work as smoothly.

Not only have these types of images long been available online, but they can also be easily purchased from government and private sources, says John Pike, director of the military think tank Globalsecurity.org. There are only


Google will provide more data and tools to help its advertisers assess and combat click fraud, a controversial practice that is the biggest enemy of the otherwise highly popular and profitable online advertising model known as pay per click. With most of its escalating revenue coming from pay per click ads, Google has a vested interest in addressing click fraud, which happens when someone clicks on these ads with malicious purposes.

Because in this format advertisers pay every time someone clicks on their ads, companies sometimes click on competitors’ ads to drive up their ad spending. Another common click-fraud practice is for Web publishers to click on their sites’ ads to increase their commissions.

“We’re trying to provide advertisers as much transparency, understanding and control around this issue as we can,” said Shuman Ghosemajumder, Google’s business product manager for trust and safety.

Google plans to allow its advertisers to ‘blacklist’ certain IP addresses for whatever reason, such as suspicion of click fraud or simply because their clicks never lead to a sale, he said.

Also this month, Google intends to launch a Web site ‘resource center’ devoted to click fraud, where the company will post information and tutorials to educate its advertisers about this issue, which Google prefers to call invalid clicks.

Since July, Google has reported to advertisers the number of invalid clicks to their campaigns, as well as what percentage they comprise of all clicks. Later this month, Google plans to beef up these reports with another figure: the amount of money Google didn’t bill the advertiser by detecting and discarding invalid clicks, he said.

Finally, in the second quarter, Google will provide advertisers with a standardized interface for reporting click fraud complaints that lead to an investigation, he said.

Estimates about the incidence of click fraud vary widely, with some people saying it affects a negligible amount of ads and others suggesting that upwards of 40 percent of all clicks are malicious.

Less than 10 percent of clicks on Google ads are deemed invalid, Ghosemajumder said, declining to be more specific. Most of those are proactively detected by Google, and only 0.02 percent are declared invalid as a result of advertisers’ complaints, he said.

Google prefers to use the term invalid clicks because it maintains that not all incidents of click fraud are malicious in nature, but can also come about from innocent user behavior, such as some people’s tendency to always click twice on a link.

Click Forensics LLC, which provides technology and services to combat click fraud, estimates that in last year’s fourth quarter 14.2 percent of clicks were fraudulent.

— By Juan Carlos Perez

Fight Against Click Fraud Gets Smarter


a couple of legal restrictions. First, the images must be at least 24 hours old. Second, the US military has what Pike calls ‘shutter control’: the ability to tell commercial satellite companies not to release imagery that might compromise US military operations. To the best of Pike’s knowledge, the US military has never invoked this power, nor have the regulations governing satellite imagery changed during the Bush administration’s war on terrorism.

“If Rummy’s not worried about it,” Pike says, referring to Secretary of State Donald Rumsfeld, “it’s hard for me to see how anyone can lose much sleep over it.”

What to do: If your organization’s security plan is based on no one being able to obtain aerial or satellite photography of a facility, then it probably ain’t much of a plan. “Anybody who has the capacity to constitute a threat that rises much above graffiti is going to have it in their power to get imagery of a facility,” Pike says. “If security managers have something that they don’t want to be seen, they need to put a roof on it.”

Beyond that, be prepared for cocktail party banter about the risks and rewards of Google Earth and Google Maps. At the US Food and Drug Administration, for instance, CISO Kevin Stine finds Google Earth personally fascinating, and he likes to muse about its potential for use in, say, disaster planning. “From a CISO perspective, I think we need to be aware of these kinds of tools,” he says. But for his security group, the only impact he thinks Google Earth might eventually have, if it begins to encompass more business applications, is a drain on bandwidth. In other words, it’s a concern about as big as your lawn chairs seen from space.

Shock waves: 1 (minimal). Security by obscurity is so 20th century. Google Earth just illustrates why.

4. Click Fraud

What it is: The act of manipulating pay-per-click advertising. Perpetrators inflate the number of people who have legitimately clicked an online ad, either to make money for themselves or to bleed a competitor’s advertising budget.

How it works: With pay-per-click advertising, an advertiser pays each time someone clicks an ad hosted on a website. Google, Yahoo and other search engine companies make their money by selling advertisers the right to have their text-only ads appear when someone searches for a particular keyword. There are two ways to manipulate pay-per-click advertising: competitor click fraud and network click fraud.

First, the competitor variety: Let’s suppose a company that sells life insurance wants to advertise on Google. The company might bid for and win rights to the phrase ‘life insurance’. Then, when someone runs a Google search for that exact phrase, the company’s ad appears next to the search results as a sponsored link. (How close to the top of the list depends on both the price per click and the superpowered algorithms that constitute Google’s secret sauce.) Each time someone clicks the sponsored link, Life Insurance Co. pays the agreed-upon price to Google — say Rs 225. With competitor click fraud, an unscrupulous competitor tries to run up Life Insurance Co.’s advertising bill by clicking the link. A lot.

Network click fraud, on the other hand, cashes in on the fact that Google isn’t the only company that hosts Google advertising. Suppose someone has a blog about insurance. She can sign up as a Google advertising affiliate and have ads for insurance run on her site. If Life Insurance Co. is paying Google Rs 225 per click, Ms. Insurance Blogger might pocket Rs 45 for each click her site generates. Network click fraud is when an affiliate generates fraudulent traffic in order to boost its revenue.

Google insists it is trying to keep the problem in check. Shuman Ghosemajumder, product manager for trust and safety at Google, says the company monitors for all kinds of what it dubs ‘invalid clicks’, and that it routinely issues refunds to advertisers and closes down fraudulent affiliates. In 2005, Google even won a lawsuit against an affiliate it charged with click fraud. But some advertisers say that Google isn’t doing enough to prevent and monitor for fraud because it profits from the fraud. Google faces a class-action lawsuit led by AIT, a Web-hosting company, and is in the midst of reaching a Rs 405-crore settlement with Lane’s Gifts & Collectibles, a mail-order store. (At press time, the proposed settlement was before a judge.)

Why it matters: Click fraud is a telling example of how sophisticated and profitable electronic crime has become. First, the good guys started looking at server logs to find IP addresses in patterns that indicated fraud. The bad guys responded by creating automated bots that simulated different IP addresses and had varying time stamps. Then, the good guys improved their click-fraud detection tools, with a cottage industry sprouting up that specializes in helping online advertisers monitor for fraud. Queue up ‘click farms’, where the bad guys hire people in other countries to do the clicking in a way that looks more


Network click fraud cashes in on Google not being the only company to host its advertising, as affiliates generate fraudulent traffic.


realistic. “It’s a cat-and-mouse game,” says Chris Sherman, executive editor of SearchEngineWatch.com.

What to do: The first step is to put tracking measures in place. In a recent survey done by the Search Engine Marketing Professional Organization (Sempo), a trade group, 42 percent of respondents said they had been victims of click fraud, but nearly one-third of respondents said they weren’t actively tracking fraud. “The way you monitor it is you look for something that doesn’t make sense,” explains Kevin Lee, chair of the group’s research committee. “If you spent $100 every day last week, and then this week you spent $130 every day and didn’t get any more conversions, or whatever your success metrics are,” then you might have a problem, he says.

“Usually the engines will catch the obvious fraud, and they won’t even bill you for it,” Lee continues. But if you have a larger problem, you may need to gather information about why you believe some of the clicks are fraudulent and ask the company hosting the ads for a refund. Ghosemajumder says Google devotes significant resources to a team of investigators who proactively monitor for fraud and also do research about possible fraud reported by advertisers. Google also has engineers working on technical means to identify invalid clicks. According to the Sempo survey, 78 percent of advertisers that have been victims of click fraud have received credit from a paid search provider, and 40 percent of the time it was based on their request.
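The two checks described above, clicks clustering on a single IP address and spend rising while conversions stay flat, can be run by the advertiser over its own click log before it asks the ad network for a refund. The script below is an added example written for this article, not the article’s or Google’s tooling; the click records, IP addresses, the Rs 225 price per click and the thresholds are all constructed, and the comparison periods are arbitrary lists of days rather than the full weeks the text uses.

```python
"""Click-fraud triage over a constructed pay-per-click log (added example).

Not the article's or Google's tooling. It implements the two checks the text
describes: repeated clicks from one IP address inside a short window, and a
jump in daily spend with conversions staying flat between a baseline period
and a recent period. Every click record, IP address and threshold is
constructed for illustration.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

COST_PER_CLICK = 225          # rupees per click, as in the article's scenario

# Constructed click records: (timestamp, source IP, led to a sale?)
CLICK_LOG = [
    # baseline days: 4 clicks/day, 1 conversion/day
    ("2007-03-05 09:12:01", "203.0.113.10", True),
    ("2007-03-05 11:40:22", "203.0.113.11", False),
    ("2007-03-05 15:03:45", "203.0.113.12", False),
    ("2007-03-05 18:20:09", "203.0.113.13", False),
    ("2007-03-06 08:55:30", "203.0.113.14", False),
    ("2007-03-06 12:01:17", "203.0.113.15", True),
    ("2007-03-06 16:30:00", "203.0.113.16", False),
    ("2007-03-06 19:45:51", "203.0.113.17", False),
    # recent days: 6 clicks/day, still 1 conversion/day
    ("2007-03-12 09:00:00", "198.51.100.7", False),
    ("2007-03-12 09:00:40", "198.51.100.7", False),
    ("2007-03-12 09:01:15", "198.51.100.7", False),
    ("2007-03-12 10:22:08", "203.0.113.20", True),
    ("2007-03-12 13:47:33", "203.0.113.21", False),
    ("2007-03-12 17:05:19", "203.0.113.22", False),
    ("2007-03-13 09:30:44", "203.0.113.23", False),
    ("2007-03-13 11:15:02", "203.0.113.24", True),
    ("2007-03-13 14:10:00", "198.51.100.7", False),
    ("2007-03-13 14:10:50", "198.51.100.7", False),
    ("2007-03-13 14:11:30", "198.51.100.7", False),
    ("2007-03-13 16:58:27", "203.0.113.25", False),
]


def parse_log(log):
    return [{"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "ip": ip, "sale": sale}
            for ts, ip, sale in log]


def repeat_click_ips(records, max_clicks, window):
    """IPs with more than max_clicks clicks inside any `window`; value is the peak count."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            count = end - start + 1
            if count > max_clicks:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def daily_totals(records):
    totals = defaultdict(lambda: {"spend": 0, "sales": 0})
    for r in records:
        day = totals[r["ts"].date()]
        day["spend"] += COST_PER_CLICK
        day["sales"] += int(r["sale"])
    return totals


def spend_anomaly(records, baseline_days, recent_days, min_growth=0.25):
    """Flag when average daily spend grows by min_growth while sales do not grow."""
    totals = daily_totals(records)

    def avg(days, key):
        return sum(totals[d][key] for d in days) / len(days)

    base_spend, recent_spend = avg(baseline_days, "spend"), avg(recent_days, "spend")
    base_sales, recent_sales = avg(baseline_days, "sales"), avg(recent_days, "sales")
    growth = (recent_spend - base_spend) / base_spend if base_spend else 0.0
    return {"spend_growth": growth,
            "sales_flat": recent_sales <= base_sales,
            "suspicious": growth >= min_growth and recent_sales <= base_sales}


def triage(log=CLICK_LOG):
    """Run both checks; the result is the evidence package to hand to the ad network."""
    records = parse_log(log)
    return {
        "repeat_ips": repeat_click_ips(records, max_clicks=2, window=timedelta(minutes=5)),
        "spend": spend_anomaly(records, [date(2007, 3, 5), date(2007, 3, 6)],
                               [date(2007, 3, 12), date(2007, 3, 13)]),
    }


if __name__ == "__main__":
    print(triage())
```

On the constructed log, the IP check names 198.51.100.7 (three clicks inside five minutes on two separate days) and the spend check reports 50 percent growth with flat sales, which is exactly the “doesn’t make sense” pattern Lee describes. Real logs need the thresholds tuned to the campaign’s normal traffic; the sliding window deliberately spans days so a patient repeat clicker is not hidden by a day boundary.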

The question, of course, is whether to bother making a request. Who better than the CSO to help the advertising department figure out whether it would cost more for the company to tamp down on the problem or simply to pay for the fraud?

Shock waves: 2 (moderate). For companies using pay-per-click, this is one to watch. Click fraud has the potential to dramatically reduce the effectiveness of online advertising. But with more than 90 percent of Google’s revenue coming from advertising, the company has a serious incentive to keep the problem in check so that advertisers don’t lose faith in the pay-per-click model.

5. Google Desktop

What it is: A free tool offered by Google that allows users to quickly search the contents of their hard drives. (Similar tools are offered by MSN, Yahoo and others.) The latest version can also be used to share files between computers.

How it works: After the user downloads the tool, it works in the background to index everything on his hard drive, much like Google indexes the Web. All fixed drives are indexed by default, but the user can specify folders to exclude or extra drives to add. The software can be set to return results on text files, spreadsheets, PDFs, Web history, e-mail and more. Once the indexing is done, when the user runs a Google search, items from his own computer appear at the top of the results. Alternately, he can use the tool by itself by opening it on his desktop; he doesn’t even need to be connected to the Web.

A new version also has a controversial feature that allows a user to share files between computers. With this setting enabled, Google indexes the files on one computer, pulls them up on its servers, then pushes them down onto another computer (which is similarly configured with the software). Then, a search done on one computer returns results from both.

Why it matters: It’s easy to see why people get all prickly about this one. Once the tool is installed and files are indexed, a snoop needs only a coffee break, rather than a lunch hour, to search someone’s hard drive for files about, say, Bob Jones’s salary. To make matters worse, freewheeling users may not pay attention or understand how to make sure that sensitive documents aren’t indexed.

To its credit, Google has tried to improve the standard configuration of the tool. An early version automatically returned results with password-protected files and secure HTTP pages; now, those types of files aren’t indexed unless the user changes a setting. “People screamed about that, and Google changed it very quickly,” SearchEngineWatch.com’s Sherman says. Even so, setting up appropriate exclusions can get complicated. Some companies — as well as many individuals who are concerned about their personal privacy — are also leery of making so much information available to Google.
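The indexing rules just described (everything on fixed drives by default, optional folder exclusions, password-protected files and HTTPS pages skipped unless a setting is changed) are simple enough to model, and doing so shows why exclusions get complicated: a folder exclusion covers that folder’s subtree and nothing else. The audit below is an added example for this article, not Google Desktop’s code; the configuration model, file paths, URLs and sensitivity markers are constructed, and a real audit would read the tool’s actual settings and scan file contents for the markers.

```python
"""Audit of what a desktop-search tool would index (added example).

This is not Google Desktop's code. It models the configuration the article
describes: every fixed drive is indexed by default, the user can exclude
folders, and password-protected files and secure (HTTPS) pages are skipped
unless a setting is changed. The audit lists items carrying a sensitivity
marker that the configured index would still capture. File paths, URLs,
markers and settings are all constructed for illustration.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class IndexConfig:
    exclude_folders: list = field(default_factory=list)  # folders left out of the index
    index_password_protected: bool = False               # default: skip protected files
    index_secure_pages: bool = False                     # default: skip HTTPS history


@dataclass
class Item:
    location: str                      # file path or browsed URL
    password_protected: bool = False
    markers: tuple = ()                # constructed sensitivity labels found in content


def under_excluded_folder(path, excluded):
    """True if path lies inside an excluded folder (folder semantics, not string prefix)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(f) in p.parents for f in excluded)


def would_index(item, config):
    """Apply the tool's default rules plus the user's settings to one item."""
    loc = item.location.lower()
    if loc.startswith("https://"):
        return config.index_secure_pages
    if loc.startswith("http://"):
        return True                    # plain web history is always indexed
    if item.password_protected and not config.index_password_protected:
        return False
    return not under_excluded_folder(item.location, config.exclude_folders)


def audit(items, config):
    """Return locations of marked-sensitive items the index would capture."""
    return [i.location for i in items if i.markers and would_index(i, config)]


# Constructed inventory of one user's machine.
ITEMS = [
    Item(r"C:\Users\alice\Documents\HR\salaries-2007.xls", markers=("salary",)),
    Item(r"C:\Users\alice\Documents\HR\board-minutes.doc", password_protected=True,
         markers=("not for distribution",)),
    Item(r"C:\Users\alice\Documents\HR-archive\old-salaries.xls", markers=("salary",)),
    Item(r"D:\Finance\q4-forecast.xls", markers=("confidential",)),
    Item(r"C:\Users\alice\Documents\team-lunch.doc"),
    Item("https://intranet.example/payroll/run-2007-02", markers=("payroll",)),
    Item("http://www.example.com/press/release.html"),
]


def run_audits():
    """Three configurations side by side: defaults, exclusions added, everything opened up."""
    defaults = IndexConfig()
    with_exclusions = IndexConfig(
        exclude_folders=[r"C:\Users\alice\Documents\HR", r"D:\Finance"])
    opened_up = IndexConfig(exclude_folders=[r"C:\Users\alice\Documents\HR"],
                            index_password_protected=True, index_secure_pages=True)
    return {
        "defaults": audit(ITEMS, defaults),
        "with_exclusions": audit(ITEMS, with_exclusions),
        "opened_up": audit(ITEMS, opened_up),
    }


if __name__ == "__main__":
    for name, hits in run_audits().items():
        print(f"{name}: {hits}")
```

With the defaults, the salary spreadsheets and the finance forecast all land in the index while the password-protected minutes and the HTTPS payroll page are skipped, as the article says. Adding exclusions for the HR and Finance folders still leaves the HR-archive copy exposed, because it is a sibling folder rather than a subfolder, which is the kind of gap a user setting up exclusions by hand tends to miss. Flipping the two opt-in settings brings the payroll page back into scope.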

The new Search Across Computers feature only heightens these concerns. With this feature, Google says, copies of users’ personal files can sit on Google’s servers for up to 30 days. Google downplays this time frame. Says Matthew Glotzbach, product manager for Google Enterprise, “If both of your computers are on and syncing, [the files are on Google’s servers] only a matter of minutes”—the time it takes for Google to pull up the information and push it back down onto the second computer.


Gather evidence on why you believe some of the clicks are fraudulent and ask the company hosting the ads for a refund.


But having the information saved on Google’s servers at all is troubling, given that search engine companies are routinely subpoenaed by prosecutors. (Google’s privacy policy states: “We may also share information with third parties in limited circumstances, including when complying with legal process, preventing fraud or imminent harm, and ensuring the security of our network and services.”) In one especially charged case, Google fought a subpoena from the US Department of Justice, which wanted search results to help analyze its enforcement of the Children’s Online Privacy Protection Act. A judge reduced the amount of information Google must turn over, and the ensuing debate raised awareness about the amount (and nature) of information that Google has in its stores.

The fact that the software is relatively untested raises additional questions. Last November, an Israeli researcher reported that he had found a vulnerability in Microsoft Internet Explorer that allowed him to illicitly access information in Google Desktop. Google fixed the problem, but legitimate concerns linger. “Anytime you install software from a third party directly on a hard drive of a particular machine, you’re potentially opening up holes in the security of that machine,” says Matt Brown, a Forrester senior analyst.

What to do: It’s time to catch up — something that Brown says is especially important given the fact that Sarbanes-Oxley requires companies to keep tabs on where and how long their information is retained. Consider whether your users actually need desktop search for their jobs. If they do, you’ll want to have a hand in how it’s configured and used. (Bonus points go to the CSO who makes sure that users understand the privacy implications of all these tools, beyond just telling them to read the privacy policy.)

At the FDA, Stine is in the early stages of looking at the tool. “There have been some requests [for desktop search] here and there, but there hasn’t been a user outcry,” he says. If (or when) there comes a point when a lot of users have a legitimate need for desktop search, Stine says he’ll look carefully at how the technology identifies, indexes and presents information. “We’d have to ensure that we still maintain complete control — at least as complete as possible — over the information,” he says.

Fortunately, he’d have plenty of options. Several companies have enterprise desktop search tools that help CISOs keep tabs on the information. Google Desktop 3 for Enterprise, currently in beta, allows administrators to completely disable features such as the Search Across Computers feature. Google says it is working to make future versions of this tool easier to manage. “I don’t think we anticipated such a concerned or negative response,” Glotzbach says. “We’ve taken to heart the feedback on the Search Across Computers feature, especially in the enterprise context, and we’re actively working on making it even easier for the companies to use” in a secure manner, he says.

X1 Technologies, which has partnered with Yahoo, offers a competing enterprise search tool that Brown says is more manageable from an IT perspective. “Part of the problem with these technologies is they get announced and people immediately start downloading,” Brown says. “It takes companies a little while to catch on to what’s happening.”

Shock waves: 4 (highest). Desktop search is an untested technology with a wide potential for misuse. If your users don’t need it, don’t let them use it; if they do need it, consider enterprise tools that can be centrally managed and controlled.

Future Shocks

Google has shaken us, by holding up a mirror and forcing us to look at what we’ve put online. “Google provides a lot of capability that can do you harm as well as providing you search capabilities,” says Winkler. The future will make search technology only more dangerous. Bell Canada’s Garigue points out that it is still in its infancy, barely scratching the surface of what he calls the shallow Web. “The shallow Web is everything that’s public on Web servers,” he says. “The deep Web is what’s hidden inside databases.” Google is the first generation of tools, he says. As the tools get more sophisticated, the shock waves will only grow stronger.

Reprinted with permission. Copyright 2007 CSO. Send your feedback on this feature to [email protected]


Google has held up a mirror and forced us to look at what we’ve put online. The future will make search technology only more dangerous.


Security practices, rather than mere tools, form a more holistic method of managing compliance issues. Here are seven best practices for network security.


We all face it — the daily barrage of spam, now infested with zero-day malware attacks, not to mention the risks of malicious insiders, infected laptops coming and going behind our deep packet-inspecting firewalls and intrusion-prevention systems. Some even have to worry about how to prove steps of due care and due diligence towards a growing roster of regulatory compliance pressures.

What can you do under so much extreme pressure to make this a better year, not a year loaded with downtime, system cleanup and compliance headaches?

Illustration by Binesh Sreedharan


Homing In on the Storm

By Gary S. Miliefsky

Reader ROI:

Managing the internal security environment

The importance of tuning into external changes

Factoring in the uncontrollable

Best Practices


I’ve come up with what I would consider some of the best network security practices. Best practices are things you do — steps you take — actions and plans. Within those plans, I’m certain you will include which security countermeasures to budget for in 2007.

Although I thought about going into details about recent security concepts, such as unified threat management or network admission control, it seems more appropriate to focus on the seven best practices instead of the seven best security tools you might consider deploying. For example, I consider encryption a best practice and not a tool. I’m sure you’ll find many commercial and freely available tools out there. You can always evaluate those tools which you find most suited for your own best-practice model.

Here’s my best practice list, in order of importance:

1. Roll out corporate security policies
2. Deliver corporate security awareness and training
3. Run frequent information security self-assessments
4. Perform regulatory compliance self-assessments
5. Deploy corporate-wide encryption
6. Value, protect, track and manage all corporate assets
7. Test business continuity and disaster recovery planning

Although I could have made this list a little bit longer, these seven make the cut because if you implement them, you should see a rapid improvement in network uptime, performance and your IT regulatory compliance posture. Let’s take a closer look.

1. Roll Out Corporate Security Policies

If you don’t already have corporate security policies, now is the time. There are some excellent

models out there for free or for a minimal charge. My favorites are the powerful COBIT model, the e-tail/retail-oriented PCI model from the PCI Security Standards Council and an extremely comprehensive international model called ISO 27001/17799. Any of these models would be a great starting point. Once you start working with a model, you’ll need to create, as the US military says, a ‘simplified English’ model, one that an 8th grader can understand. Why? So every individual in your organization can understand these

policies. Most employees in any organization are not InfoSec or compliance experts, so plan out a plain-English roll-up of each section of your corporate security model for all employees to see, acknowledge and support the implementation of throughout your organization. Keep the detailed model available for IT staff, your CIO and anyone who helps you implement network security and IT support of regulatory compliance.

If these models are too overwhelming, remember that good network security always starts with a living security policy. Even if it is one page, it should be an outline of security practices that every executive in the organization agrees to live by. Basic rules should include guidelines for everything from user access and passwords to business continuity planning and disaster recovery planning (BCP and DRP). For example, you should have policies in place for backing up financials and confidential customer records as well as mirroring systems to be better prepared, proactively, in the event of a disaster. In some cases, your BCP and DRP may even require a cold or warm site where you can quickly relocate your staff to continue operations after a natural disaster or terrorist attack. Implementing a corporate security policy is the first step in achieving proactive network security.

To get some heft behind your corporate security policies, work out with the executives what happens when someone violates one or more of your policies. Was the violation intentional? Was the action criminal? For example, an employee violates one of your eyes-only access policies, copies all of the employee records out of the HR database and posts this information on a public site. If this happens, what would you do? You should let all personnel know the policies and the costs associated with violation.

Take a look at www.privacyrights.org to see how many records have been lost or stolen. Did these organizations have the best corporate security policies in place? Did any of these incidents occur because of a malicious insider?

Put some teeth into your policies by getting executive-level support not only for their implementation but also for the consequences of violations. These could include a written reprimand, day without pay, fired with cause, civil suit, documenting the violation with the local authorities and possible criminal suit.

Sharing this information with all employees will give any potential malicious insiders something to think about before they cause harm to your organization.


Good network security always begins with a living policy: an outline of practices that every executive in the organization agrees to live by.


Take a look at www.cybercrime.gov to see case law and more information on hacker cases and malicious insiders. By planning on the worst-case scenario, you’ll be better prepared for policy violations. The best way to get employees on board is through corporate security awareness and training.

2. Deliver Corporate Security Awareness and Training

How many times have you heard of a trusted insider falling for a phishing scam or taking a phone call from someone sounding important who needed ‘inside’ information? It’s happening too frequently to be ignored. Some employees love browsing Web sites they should not or gambling online or chatting using instant messenger tools. You need to educate them about acceptable usage of corporate resources. They also usually don’t know much about password policies or why they shouldn’t open the attachment that says ‘you’ve won a million — click here and retire now.’ It’s time to start training them.

Training Sessions: Invite employees to a quarterly ‘lunch and learn’ training session. Give them bite-sized nuggets of best practice information.

For example, teach them about the do’s and don’ts of instant messaging. If you are logging e-mail for legal purposes, which in some cases is required by law, let them know that you are doing it and why you are doing it. Give them some real-world examples about what they should do in case of an emergency. Teach them why you’ve implemented a frequent-password change policy and why their password should not be on a sticky note under their keyboard.

Historically, enterprise security policies have been distributed via books or e-mail, and users are expected to comply. But compliance is hard to enforce. With network access control (NAC), it’s possible to automate enforcement. But we need to think through what enforcement means in practice.

The goal of NAC is not to keep devices off the network. Rather, it’s to make sure the network isn’t compromised by problem devices or unauthorized access. It boils down to the fact that NAC is not a one-size-fits-all approach to policy enforcement. A well-built policy is a lot like good journalism: it must address who, what, when, where and why, or the results may not align with enterprise objectives.

From a NAC perspective, who maps to identity-based decisions for users and devices such as:

If not known/authenticated, what do I do?

Is the user/device mission critical?

Is the user likely to be exposed to threats?

What addresses the factors related to the nature of problems:

Is there an immediate threat to the device or network?

Does the violation demand immediate remediation, or is ‘soon’ good enough?

Is this a guest?

When includes such parameters as:

When must I resolve this, now or in the future?

Are there times of day to make certain tests or skip certain tests?

Does my action vary based on time of the day?

Where (conference room, lobby or other public area; test lab; repair center; remote office and data center) has a huge impact on policy. For example, devices in a data center or test labs probably should be held to different standards than PCs used for e-mail or browsing.

Last comes why. In NAC, there must be a motive to take an action. Why is going to be highly dependent on enterprise objectives, but a few examples include:

Increasing access for guests/vendors/contractors without compromising security.

Documenting enforcement of compliance mandates, such as the Sarbanes-Oxley Act and HIPAA.

Reducing endpoint remediation/help-desk costs because of exploits.

Eliminating recurrent security problems caused by guests.

Pulling these ideas together, consider some sample policies:

IF location is DataCenter, THEN scan for SANS-20 every day. IF device fails, THEN notify admin. IF in field office, THEN quick-scan before allowing on network. IF passed, allow on network, ELSE quarantine and remediate.
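The sample policies above, written as an ordered rule table over a device's who/what/when/where attributes (an added example, not Lockdown Networks' code; the attribute names, rule names, action strings and business-hours window are constructed for the illustration):

```python
"""Toy NAC policy evaluator, an added example (not Lockdown Networks' code).

The sample policies from the text become an ordered rule table over a
device's who/what/when/where attributes; each rule's name states the why.
Attribute names, rule names, action strings and the business-hours window
are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, List, Optional


@dataclass
class Device:
    name: str
    location: str                   # WHERE: "datacenter", "field_office", "lobby"
    authenticated: bool             # WHO: identity known and verified?
    guest: bool = False             # WHO: visitor rather than employee
    mission_critical: bool = False  # WHO: an outage would hurt the business
    quick_scan_passed: Optional[bool] = None                # WHAT: None = not scanned
    failed_checks: List[str] = field(default_factory=list)  # WHAT: failing tests


@dataclass
class Rule:
    name: str                                    # WHY: the motive for the action
    applies: Callable[[Device, datetime], bool]  # WHO/WHAT/WHEN/WHERE predicate
    actions: List[str]
    final: bool = False                          # stop evaluating after this rule


BUSINESS_HOURS = range(8, 18)                    # WHEN: 08:00-17:59 local (constructed)
DAYTIME = datetime(2007, 3, 15, 10, 30)          # sample timestamps for the demo
NIGHTTIME = datetime(2007, 3, 15, 2, 0)

# Ordered rule table; comments quote the sample policies from the text.
RULES = [
    Rule("block unknown devices (unauthorized access)",
         lambda d, now: not d.authenticated,
         ["quarantine", "redirect:registration-portal"], final=True),
    Rule("give guests Internet-only access (guest access without risk)",
         lambda d, now: d.guest,
         ["guest-vlan", "internet-only"], final=True),
    # IF location is DataCenter, THEN scan for SANS-20 every day ...
    Rule("daily SANS-20 scan in the data center (compliance evidence)",
         lambda d, now: d.location == "datacenter"
         and not (d.mission_critical and now.hour in BUSINESS_HOURS),
         ["scan:sans20"]),
    # WHEN: a mission-critical server is not scanned during business hours.
    Rule("defer the scan of a mission-critical server to off-hours",
         lambda d, now: d.location == "datacenter"
         and d.mission_critical and now.hour in BUSINESS_HOURS,
         ["schedule:sans20:off-hours"]),
    # ... IF device fails, THEN notify admin.
    Rule("notify the admin of data-center failures (remediation cost)",
         lambda d, now: d.location == "datacenter" and bool(d.failed_checks),
         ["notify:admin"]),
    # IF in field office, THEN quick-scan before allowing on network.
    Rule("quick-scan field-office devices before admitting them",
         lambda d, now: d.location == "field_office"
         and d.quick_scan_passed is None,
         ["quick-scan", "hold"], final=True),
    # IF passed, allow on network, ELSE quarantine and remediate.
    Rule("admit field-office devices that passed the quick scan",
         lambda d, now: d.location == "field_office"
         and d.quick_scan_passed is True,
         ["allow"], final=True),
    Rule("quarantine and remediate field-office failures",
         lambda d, now: d.location == "field_office"
         and d.quick_scan_passed is False,
         ["quarantine", "remediate"], final=True),
    # Default for any remaining known, authenticated device (constructed).
    Rule("admit known devices", lambda d, now: True, ["allow"], final=True),
]


def evaluate(device, now, rules=RULES):
    """Return (actions, names of the rules that fired) for a device at a time."""
    actions, fired = [], []
    for rule in rules:
        if rule.applies(device, now):
            fired.append(rule.name)
            actions.extend(rule.actions)
            if rule.final:
                break
    return actions, fired


if __name__ == "__main__":
    # Constructed sample devices, evaluated during business hours.
    samples = [
        Device("db01", "datacenter", True, mission_critical=True,
               failed_checks=["SANS-20:W3"]),
        Device("laptop-17", "field_office", True, quick_scan_passed=False),
        Device("visitor-pc", "lobby", True, guest=True),
        Device("unknown-mac", "lobby", False),
    ]
    for dev in samples:
        print(dev.name, evaluate(dev, DAYTIME)[0])
```

The order of the rules is the policy: moving the default "allow" rule up, or dropping the `final` flag on the field-office rules, changes what a failed laptop is allowed to do.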

— Dan Clark. The author is VP of marketing for Lockdown Networks.

Network access control is an automated means of enforcing regulatory compliance.

NAC Policy: Your Homework

Best Practices

Vol/2 | Issue/09 | Page 52 | March 15, 2007 | REAL CIO WORLD

Page 38: CIO March 15 2007

Let these sessions get interactive with lots of Q&A. Give an award once per year to the best InfoSec-compliant employee who has shown an initiative to be proactive with your security policies. If you can keep them interested, they will take some of the knowledge you are imparting into their daily routines. That’s the real goal.

Campaigns: You should begin a campaign to educate all employees in your organization to join your mission to protect corporate information. Create your own ‘security broadcast channel’ via e-mail or Really Simple Syndication (RSS), and get the message out to your corporate work force. Let them know that these messages are important, such as a warning about an upcoming storm and what to do in case of a disaster.

You can also give them ‘security smart’ tips or alert them to a new phishing scam or tell them that the corporation had to let go of an individual who was attempting to steal corporate information. Keeping the entire team in the loop will help bolster the corporate security posture.

Posters and other awareness tools: See if you can get some InfoSec awareness posters from one of the security-awareness training companies — usually they’ll give you some free posters with the hopes that you might hire their firm to conduct the training for you. There are other tools you can use like little postcards with do’s and don’ts of best practices for the employees that they can pin up in their offices as reminders.

The bottom line: Knowledge is power, so start empowering your fellow employees to gain a basic toehold in what they should and shouldn’t do to help you in your mission of more uptime and less compliance headaches — which all results in more productivity, possibly more revenues and job security for everyone.

3. Run Frequent Information Security Self-Assessments

When did you last look at your firewall or IPS to make sure it is patched and up to date? Most IPS systems have automatic updates for their signature tests, but what if you forgot to turn on this feature? Have you checked to make sure there are no rogue wireless routers or devices attached to your network? How many laptops come and go from your enterprise on a daily basis? How many are running a firewall and have anti-virus software up to date with a full system scan?

MITRE is funded by the US Department of Homeland Security to continue to develop the Common Vulnerabilities and Exposures (CVE) system. It’s eight years old this year and accepted worldwide as the de facto international standard for vulnerability tracking on all computers and networking equipment. How many machines on your network have one of the top 20 CVEs? You can find the list at www.sans.org/top20 and then find more details at the National Vulnerability Database hosted by NIST.

Speaking of NIST, it has best-practice guidelines for setting up servers and systems, called STIGs. The Cyber Security Research and Development Act requires NIST to develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become, widely used within the federal government.

Why not take advantage of this resource? DISA now provides the public with direct access to its STIGs and Checklists. On the DISA Web page, you may sign up for the ‘STIG-News Mailing List’ to be notified when the latest STIGs are available.

Do a search for a Windows Server STIG and see if you can find some hardening tips that you never thought to apply to one of your critical Windows servers. Also, the NSA offers a best-practice guide to setting up a Windows Server, along with many other free and useful security resources. If it’s good enough for federal government network security, it should be good enough for you.

Perform your own security self-assessment against these best practices recommendations. Find all of the holes in your InfoSec environment so that you can document them and begin a workflow process and plan to harden your network. Network security is a process, not a product, so to do it right, you need to frequently self-assess against the best guidelines you can find.

4. Perform Regulatory Compliance Self-Assessments

Boards of directors, CEOs, CFOs and CIOs are under extreme compliance pressures today. Not only are they being charged with increasing employee productivity and protecting their networks against data theft, but they are also being asked to document every aspect of IT compliance.


Page 39: CIO March 15 2007

Due to all the extra work necessary, many organizations have been tempted to hire consulting firms. However, third-party groups also come with a disclaimer waiving them from any legal responsibility if the results of their audits are examined for legal purposes. Compliance requires the acceptance of legal responsibility. So why would you spend so much money on external auditors who are supposed to help you in this process, when they won’t accept responsibility for their work product or your audit?

I recommend, whether or not an outside firm is performing IT compliance audits, that you begin performing measurable compliance self-assessments. You’ll need to review those regulations which affect your organization. In the United States, these range from GLBA (Gramm-Leach-Bliley Act) for banks to HIPAA for healthcare and insurance providers to PCI for e-tail/retail to CFR-21-FDA-11 for pharma to SOX-404 for public companies.

Some states have their own regulations. In California, for example, if there has been a breach in confidentiality due to a successful hacker attack, companies are required by law to publish this information on their Web sites.

The easiest thing you can do to prove you are in compliance is to document your steps for protecting data. You should be able to prove that you have in place all the best policies and practices as well as the right tools and InfoSec countermeasures for maintaining confidentiality, availability and integrity of corporate data. By frequently assessing your compliance posture, you’ll be ready to prove you ‘didn’t leave the keys to the corporate assets in the open’. If your network is ever hijacked and data is stolen, you’ll have done your very best to protect against this event and it will be less of a catastrophe for your organization.

5. Deploy Corporate-Wide Encryption

There’s an old saying: ‘Loose lips sink ships’. If you take a look at all the identity theft that’s occurred, much of it was done against systems that were not encrypted. For example, an e-commerce Web site of a public company was hackable not only because it had CVEs, but also because the company did not understand the importance of encryption. They thought that an encrypted SSL session was enough.

However, their shopping cart system took this encrypted credit card information and stored it, unencrypted in plain text on a database server that was attached to the Web server.

These two servers were like putty to the hackers — one SQL Injection attack and thousands of consumer records were grabbed, sold and used for siphoning money from the credit cards. You can buy lists of Social Security numbers, names, addresses, phone numbers, bank account records and credit cards on the black market. It’s now an industry. Don’t let your organization be one of those added to the list.

The best practice is to look at all aspects of electronic communication and data manipulation throughout your enterprise. That should include all instant messaging, file transfer, chat, e-mail, online meetings and webinars, plus all data creation, change, storage, deletion and retrieval.

How are customer records stored? How are electronic versions of other confidential information protected? Backing up the data is not enough.

You should set up a VPN for those who have access to your network from the outside. Make sure the systems that access your network through the encrypted tunnel are also not the weakest links in your infrastructure. Don’t let them in if they aren’t fully patched, up to date, scrubbed for malware and authenticated. If you let go of an employee with a laptop, get the equipment back — and in the meantime, close their VPN tunnel.

You can encrypt everything from your hard drives to your e-mail sessions to your file transfers. There are numerous free tools out there, for hard drives, for the Web, e-mail and instant messaging, plus the grand-daddy of free encryption, PGP (Pretty Good Privacy), first created by Phil Zimmermann in 1991.


Page 40: CIO March 15 2007

In recent times, companies have introduced outgoing filtering technologies to analyze the contents of the communications leaving their networks. In some cases, companies are driven by the need to comply with regulations while, in others, they use filtering to prevent leaks of data, including Personally Identifiable Information (PII) or Intellectual Property (IP).

When companies are looking to best protect their messaging networks from insider threats, they need to do three things — on broader lines.

The first is to identify and discover all content inside the corporate environment that represents risk before it leaves the network. This content includes all files containing PII or other IP assets; these files may be located in file shares, on laptops or desktops, or in other content repositories or databases. Once discovered, content is fingerprinted and registered to ensure it is not distributed in outgoing e-mails (or in other traffic, including IM, FTP, IRC, and more). Typical e-mail gateway products, even those designed for outbound scanning, cannot discover and protect data at rest using a pre-populated mechanism.

Second, implement deep content analysis techniques that go beyond simple fixed-format analysis, which looks only for patterns of numbers or letters. Such techniques can look inside attachments, detect the presence of foreign-language content, and look for known content types or unique identifiers that represent risk as well as for matches to pre-registered content. The right content-analysis techniques should also be multi-channel in nature, looking for risks outside of the traditional corporate SMTP flow, including SMTP traffic directed on non-standard ports (i.e., Port 80) or e-mail activity on public webmail services such as Gmail.

The third thing companies need to do is realize that outgoing e-mail is not the only risk point. One reason multi-channel content monitoring is important is that even though many companies put in place guidelines and training that tell employees not to use certain applications at work, rogue activities can still take place. And these activities represent significant risk when it comes to data leakage.

In summary, to guard against insider threat and protect valuable digital assets, companies need tools that discover content at rest, perform deep inspection of content in motion, and look for risk beyond the obvious e-mail channel. Such a multi-faceted approach to information security will give companies the complete and adaptive security they require.
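The three steps above as an added example (not Reconnex's product code): at-rest documents are registered by hashed word windows, then the body and attachments of each captured message, whatever its channel, are checked for fingerprint matches and for fixed-format PII. The design note, the captured messages and the channel labels are constructed for the illustration.

```python
"""Toy data-loss detector, an added example (not Reconnex's product code).

Step 1 fingerprints content at rest, step 2 deep-inspects content in motion
(body and attachments) for fingerprint matches and PII patterns, and step 3
applies that inspection on every channel.  All documents, messages and
channel labels below are constructed.
"""
import hashlib
import re

SHINGLE_WORDS = 5        # words per fingerprint window; smaller = more sensitive
MATCH_THRESHOLD = 0.30   # fraction of a part's windows that must hit one document
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # fixed-format pattern
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate card numbers


def normalize(text):
    """Lower-case and drop punctuation so reformatting does not evade a match."""
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split()


def fingerprints(text, k=SHINGLE_WORDS):
    """Hash every k-word window; a part shorter than k words yields nothing."""
    words = normalize(text)
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}


class Registry:
    """Step 1: fingerprints of registered at-rest documents."""
    def __init__(self):
        self.index = {}  # fingerprint -> set of document ids

    def register(self, doc_id, text):
        for fp in fingerprints(text):
            self.index.setdefault(fp, set()).add(doc_id)

    def match(self, text):
        """Return {doc_id: fraction of the text's windows found in that doc}."""
        fps = fingerprints(text)
        hits = {}
        for fp in fps:
            for doc_id in self.index.get(fp, ()):
                hits[doc_id] = hits.get(doc_id, 0) + 1
        return {d: n / len(fps) for d, n in hits.items()}


def luhn_ok(digits):
    """Luhn checksum: drops digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text):
    """Step 2, fixed-format part: SSN-shaped and Luhn-valid card-shaped strings."""
    found = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(("card", m.group().strip()))
    return found


def inspect_message(message, registry):
    """Steps 2 and 3: inspect body and attachments of a message on any channel."""
    parts = [("body", message["body"])] + list(message.get("attachments", {}).items())
    alerts = []
    for part, text in parts:
        for doc_id, score in registry.match(text).items():
            if score >= MATCH_THRESHOLD:
                alerts.append({"channel": message["channel"], "part": part,
                               "kind": "registered-content", "detail": doc_id,
                               "score": round(score, 2)})
        for kind, value in find_pii(text):
            alerts.append({"channel": message["channel"], "part": part,
                           "kind": kind, "detail": value})
    return alerts


# Constructed sample: one registered design note and traffic on three channels.
DESIGN_DOC = ("Project Falcon battery chemistry: the cathode uses a lithium iron "
              "phosphate blend with a proprietary carbon coating applied at 600 "
              "degrees to extend cycle life beyond four thousand charges.")
TRAFFIC = [
    {"channel": "smtp:25", "body": "Lunch at noon?", "attachments": {}},
    {"channel": "webmail:gmail", "body": "fyi", "attachments": {
        "notes.txt": "Cathode uses a lithium-iron phosphate blend with a "
                     "proprietary carbon coating, applied at 600 degrees."}},
    {"channel": "smtp:80", "attachments": {},
     "body": "Customer card 4111 1111 1111 1111, SSN 123-45-6789, please refund."},
]


def demo(traffic=TRAFFIC):
    registry = Registry()
    registry.register("falcon-design-v3", DESIGN_DOC)
    return [alert for msg in traffic for alert in inspect_message(msg, registry)]
```

The webmail attachment is caught by the registry even though it is re-punctuated and carries none of the design note's opening words, while the "SMTP on port 80" message is caught by the fixed-format checks alone.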

— Jeff Brainard. The author, an expert on IT security and messaging/collaboration, is director of marketing at Reconnex, which manufactures information monitoring and protection appliances.

Tighten the Screws on Insider Threats

Broader strokes to have a complete picture of contents in your networks.

But encryption is not to be taken lightly. You’ll need policies in place for key storage and password access so if ever the keys and passwords are lost by the end users, you’ll have a way back in to decrypt the information, reset the keys or change the passwords.

You might find out that some of the servers and services you are running already offer encryption if you simply check the box and turn this feature on. If a laptop with confidential records is stolen, but the thief doesn’t have the password or key to decrypt the data, it will be useless to them. If someone is eavesdropping on your new VOIP phone system using a tool like Ethereal and the voice-over-misconfigured-internet-telephony (VOMIT) attack, they won’t get very far if all the data stream is encrypted.

I recommend you encrypt your communications and data whenever and wherever possible.

6. Value, Protect, Track and Manage All Corporate Assets

You should take a close look at the value of all of your IT assets. This includes all the equipment — from your new VOIP phone system to your laptops, desktops, servers and all other networking equipment. How valuable are they to you? If someone stole a corporate laptop, what would it cost to replace? If the laptop contained all of the trade secrets of your corporation, now how valuable is that laptop?

Do an inventory assessment on all corporate assets that come within your domain. If engineers are storing code on your file server, how valuable is that code? The file server might only cost Rs 1.35 lakh to replace, but the code might take 20 man-years to re-engineer.

By placing a value on all corporate assets, you’ll be able to determine how to better protect these assets. Justifying a storage area network or a daily backup is much easier if you know where the important assets are located and how valuable they are to your organization. What if the sales team chooses a free tool like SugarCRM for their customer relationship management (CRM) system? Does SugarCRM offer a backup service for your sales team? You might find out that the salespeople placed an entire customer list on their own Web server that they are managing without telling you. Then, when the server they are using crashes, you’ll get a wake-up call to restore probably one of the most valuable assets in the corporation.

If you did a physical security and asset inspection walk-around, you might have found this ‘new’ server and taken control of it, enabling encryption, setting up a daily backup schedule and getting it on your maintenance program. You can’t protect what you don’t know about. It’s very important to have a handle on all corporate assets.

Page 41: CIO March 15 2007

You can quickly build a spreadsheet that includes the value of each asset — from an IT standpoint, not necessarily from the CFO’s. Then, you’ll be able to consider what InfoSec countermeasures such as encryption, strong authentication, separate subnet, quality-of-service provisioning, backup plan, etcetera, you’ll need to put in place to reduce the risk of downtime, data theft or loss of a critical asset.

7. Test Business Continuity and Disaster Recovery Planning

Business continuity, in layman’s terms, means ‘keeping the lights on’, while disaster recovery means ‘what do we do when the lights go out’ and we need them to stay on.

You should perform tests against your business continuity and disaster recovery plans as often as reasonably possible, no less than once per year and as frequently as four times per year.

Doing it off-hours such as on a Sunday evening might be best so that you don’t disrupt the operations of your organization. The best way to create your first BCP/DRP is to think up a list of ‘what if’ scenarios.

You can make this fun and interesting for your IT fellows by asking them to come up with a list that’s at least 10 times longer than my sample list that follows. Whoever comes up with the longest credible ‘what if’ list should win a prize. Some of the tests you should perform include the following:

What if:
A. the power went out
B. the router went down
C. the phone system went down
D. the Internet went down
E. a critical server went offline
F. a hard drive became corrupt
G. an application crashed
H. a malware outbreak occurred on your network
I. the heating/air-conditioning system stopped working
J. a natural disaster occurred
K. the flu spread throughout your organization

I’m sure you can think of other problems that might disrupt your organization. Write these all down. In the COBIT and ISO 27001/17799 models, you’ll find a wealth of information about BCP and DRP planning. See if there is anything you missed that you think would affect your operations.

Do you have a cold, warm or hot backup site in case of a critical emergency? If not, you should start planning one. If you can’t afford one, could you create a ‘virtual’ office telecommuting situation where your organization could continue to operate virtually until you’ve resolved your emergency situation?

Making 2007 a Great Year for IT

Knowing we are under constant attack and risk, now is the best time to begin implementing these seven best practices for network security. Hackers, malicious insiders and cyber-criminals have had their field day — hijacking our corporate LANs and placing most organizations at risk of being out of compliance, tarnishing our brands, reducing our productivity and employee morale — placing most of us in the passenger seat on a runaway Internet. By taking a more proactive approach, setting measurable goals and documenting your progress along the way, you might find yourself in the driver’s seat of IT security. CIO

Reprinted with permission. Copyright 2007. CSO. Gary S. Miliefsky is founder and CTO of NetClarity, and a founding member of the US Department of

[email protected]


Page 42: CIO March 15 2007

Ideas You Can Steal from Six Sigma

By Tracy Mayor

The approach of measuring process improvement and taking the defects out can be invaluable to the security discipline.

Page 43: CIO March 15 2007

Illustration by Anil T

Six Sigma — the defect-reduction methodology first developed in the mid-1980s at Motorola as a way to manage deviations and improve quality in manufacturing processes — is notorious for complex and arcane jargon. Six Sigma’s data-driven, acronym-laden focus on quality improvement might seem like a mismatch if the rest of your company isn’t on the program. But if you listen to a few well-respected security veterans of Six Sigma talk about its benefits, you might be ready to give some Six Sigma ideas a try.

“Six Sigma is all about measuring process improvement and about taking defects out of a process,” explains Frank Taylor, CSO of General Electric. “And security can be viewed as a series of processes that work together to bring increased safety and efficiency to the organization. So Six Sigma is a tool we can use to measure our performance over time. As fiscal pressures and consequences of security grow, business leaders are going to demand that we have a way to indicate how effective our programs have been,” Taylor points out.

“If we can reduce errors, save time, take the data we gather during our investigations and turn it into business knowledge, then we’re viewed as a true partner in the business,” says Motorola’s CSO Joe Murphy. “Six Sigma is a way to build up our own business IQ by understanding the various processes that run the company.”

The starting point is a good control program for documenting and tracking security-related incidents (i.e. defects). Once you’ve got that in place, here are a few Six Sigma tenets that stand to deliver the biggest bang for the buck in terms of improving the efficiency and effectiveness of both physical and information security.

Business Process Quality Management

The act of simply mapping out business process flow — defining both macro and micro processes, assigning ownership and determining responsibilities — can be invaluable to the security discipline. “Like any other business function, security has to understand what its key business processes are, then remove defects and measure that improvement over time,” says GE’s Taylor. If you’re experiencing a particular kind of loss throughout the company that’s affecting the bottom line, he says, the first step is to identify all the elements that are involved in that process and then attack the gaps. “Business process mapping allows us to focus our efforts on specific, real defects,” Taylor says.

Taylor knows of one government organization that was able to reduce its defects — that is, its physical security violations — by 70 percent through the knowledge it gained from business process mapping. By pinpointing exactly where in the process breaches were occurring, the agency was able to see consistent patterns, related primarily to personal inattention to existing security guidelines. Once security was able to show business leaders that their employees’ lax behavior was statistically related to the violations, managers were motivated to require workers to better adhere to guidelines, which resulted in the dramatic drop in incidents.

In a similar vein, Motorola was able to dramatically reduce annual losses of new products in transit that were occurring in one of its international supply chains. With the blessing of top management, security looked at the entire supply chain and made discoveries that were not apparent to individual managers. “There were dozens of segments in the supply chain, all run by productive managers,” explains Murphy. “These were top-flight managers who had in some cases lost their peripheral vision and sometimes made decisions that inadvertently created additional risk downstream.”

By examining the supply chain end-to-end, mapping the process against historic losses and then sharing their discoveries with managers, security personnel were able to make specific, concrete changes to mitigate risk. These included limiting the number of times products changed hands; shipping goods in plain, unbranded containers; changing the metrics used for performance measurement (for example, calculating not how many items left the shipping dock on time, but how many arrived successfully at their destination); and alerting managers as to which goods are more likely to be targeted for theft on the global market at any given point.

Process Management


Page 44: CIO March 15 2007

Voice of the Customer (VOC)

VOC is the process used to determine the needs of the customer, aimed at improving the customer experience and increasing loyalty. Those needs are captured through direct observation, interviews and focus groups, customer-supplied specifications and requests, data from customer service records and warranty claims, and more.

How does a customer-centric focus translate to the security arena? “Voice of the Customer forces you to leave the ivory tower and reach out and interface with your customers,” explains Greg Avesian, vice president of enterprise IT security at Textron. “When you look at security as a service organization, as we do, then VOC is key to understanding the requirements of the many different stakeholders in the business who are your customers,” Avesian says. Each one of those groups has its own security pressures, both internal and external, and often governmental and financial regulatory requirements as well. Following VOC’s directives to interface directly and frequently with the customer (Avesian meets formally with business unit CIOs every quarter, for example) ensures that security’s focus is on servicing the business units rather than guarding the bits and bytes, he says.

Failure Modes and Effects Analysis (FMEA)

The FMEA procedure aims to identify every possible way in which a process or product might fail, rank on a scale of one to 10 those possible failures and probable causes, and prioritize solutions.

“For security, the twist would be to say not just how could a given step fail, but how can we make it fail, how can we force it to fail?” suggests Mark Goldstein, a Six Sigma consultant. “Because that’s how your antagonist is going to look at it.”

If information security wanted to determine the impact of data loss resulting from a stolen laptop, for example, its FMEA assessment might look something like this: Severity = 10; Likelihood of Occurrence = 7; Detection = 5 (the higher the detection number, the more difficult the failure is to detect); with a total Risk Priority Number of 350, which helps management rank that risk against other threats.

Without an objective template like FMEA, Avesian says, risk too often is in the eye of the beholder. “The IT function might say, I don’t think that risk is very important, but the business leader has a whole different perspective.”

To rectify those sometimes conflicting views of risk, Textron has adopted a standard risk-assessment template to document business risks, their potential impact to the business and the quantifiable elements by which business managers reached that assessment. For its part, Avesian’s IT risk management group then regularly delivers up to those business executives a ‘risk radar’ — an easy-to-decipher, two-dimensional graph that shows, on the vertical axis, the severity of the risk as it relates to net operating profit and, on the horizontal, the likelihood of occurrence. Being able to show progress from quarter to quarter has helped in communicating with the business, says Avesian.

Change Management

Narrowly defined, Six Sigma Change Management is the process of controlling and managing change while minimizing the risk of disruption to services. Loosely interpreted, it’s a way to get the rank and file on your side, by effectively and efficiently communicating what’s going to happen and why.

Without that critical step, says Textron’s Avesian, all your other good work will go for naught. “We do a lot of work with change management. We view it as one of the critical success factors for any given project,” he says.

At Textron specifically, change management requires that security managers introduce a new process to top-level managers — business unit CIOs, for example — and explain why it’s important and demonstrate, in clear business terms, why they need to support it. CIO

Reprinted with permission. Copyright 2007. CSO. Tracy Mayor is a freelance writer based outside Boston. Send feedback about this feature to [email protected]


Page 45: CIO March 15 2007

In a global environment, the need to monitor business risks within a robust security framework is critical to enterprises. This was the underlying sentiment among panelists across Mumbai, Bangalore and New Delhi in the second edition of CIO Focus Security held in late February through early this month.

In keeping with these needs of modern security, CIOs and CSOs from Corporate India asserted that strategy precedes tactical security measures to deal with the changing faces of threats in addition to the growing capability of internal users.

The Answers to Managing Risk

The rate at which new technologies enter modern enterprises require IT organizations to stay aware and agile. But, tactical security measures won’t suffice. Today’s enterprise calls for strategic security, as the panelists at CIO Focus Security series pointed out.

Page 61 | March 15, 2007 | CIO CUSTOM PUBLISHING

Page 46: CIO March 15 2007

Very often, the choice between a security strategy and tactics is not all that straightforward, said Alagu Balaraman, executive VP-IT & corporate technology of Godfrey Phillips, during the panel discussion in New Delhi. “When we look at security, there is one part that has to do with technology and another that looks into everything else,” he said. However, in protecting the interests of one’s enterprise and fulfilling its business objective, information security assumes a strategic face. “So, on the technological side, there are several things that need to be run, like operations – routine matters which we need to protect – and ensure that they work properly. The other side is ‘How do you deal with business users and protect the company’s interests?’”

Satish Das, CSO of Cognizant Technology Solutions, traveled with the CIO team to each of the three cities, and elaborated on info-security strategies and tactical measures in a presentation as well as in his inputs during the panel discussions. If an enterprise, he said, adopts a tactical approach to security, it would tend to dwell on matters such as configuration of firewalls, setup of a patch management system, efficacy of anti-virus systems, and taking precautions to handle IDS alerts. Such IT teams tend to be aligned with operations, and usually report to a CIO or security director, said Das.

On the other hand, with a strategic approach to security, IT teams tend to focus on development of a risk management team and see all security issues from a risk exposure perspective, said Das. “The questions then are likely to be ‘What risks do we have?’ and ‘What risks are we trying to manage?’” he said. The IT organization will also go into the costs and efficient methods of managing risks.

“Such IT teams tend to be aligned with corporate risk management organizations. They tend to talk about legal issues, apart from adherence with standards or laws and contractual obligations; for instance, on handling of breach of non-disclosure agreements,” he explained. Evidently, business continuity is a business risk and constitutes a strategic issue, Das asserted before paving way for the panel discussion.

BROAD-BASING SECURITY

In each of the three cities, there was consensus among panelists on the need for strategic security as the way forward, which led moderator Sivarama Krishnan, executive director (business solutions), PricewaterhouseCoopers, to press the question: how, then, must an IT organization, and the security function in particular, balance strategy and tactics? “It is a fundamental fact that security is indeed strategic. But the question remains as to why it is still perceived to be tactical?” probed Krishnan, addressing the panel in Mumbai.

The answer lies in between a little of each, according to Burgess Cooper, head (information security) at Hutchison Essar Cellular, and a panelist in Mumbai. “I agree that security, as an issue, is moving from server room to the boardroom. I believe it is not just a strategic or just a tactical issue. It is probably a bit of both,” he added. As per good hygiene practices, if your tactical piece is not in place, you’d not be able to reach the strategic portion of the goal, he noted. Security, like most processes, is a journey.

On the telecom front, there were anecdotal inputs during the panel discussion in Delhi too. They came from Tamal Chakravorty, CIO of Ericsson, who emphasized the need for strategy. “We run network operation centers for service providers like Bharti and Hutch. Considering that we also handle their competitors at our network operating centers, security has to be part of our strategy to tell them the kind of security processes we have in place, certifications, and so on. Security therefore becomes a strategic issue,” he explained.

“How do you handle IT and security on one hand and business risks on the other?” — Sivarama Krishnan, Executive Director, Business Solutions, PricewaterhouseCoopers

Companies overlook low-frequency, high-impact risks, said Kannan S.R. (left), head-security services, Sify, at the Bangalore event. Later, Wong Joon Hoong, product marketing manager-enterprise (Asia-Pacific) of Trend Micro, traced how security threats have evolved.

Further, Chakravorty stated that differentiation in certifying security processes and practices is a thing of the past. The focus, today, is on certifying IT security personnel. “Certified security processes is something that you assume is already in place. It’s then about putting teams in place to cater to service providers. This is for them to know that there will be no sharing of information between the teams. They must be assured about how we monitor the teams, and so on. We have certified people – that’s the differentiator we bring,” he elaborated.

The panel in Bangalore had a large representation from the IT-enabled services (ITeS), a sector wherein the onus of protecting information is paramount. The panel comprised Subramanya C., global CTO of HTMT, P.D. Mallya, head (security audit & architecture) of Infosys, and Das, apart from N. Kailasanathan, VP & CIO of Titan Industries, who provided a non-IT enterprise perspective to the discussion.

Subramanya reiterated the value of information to the ITeS: “Our business is primarily ITeS and, for me, security is clearly strategic. We are currently in a stage where we are beginning to understand the security requirements and initiatives of IT, and where we are not going to be. At HTMT, we have an executive committee that looks at this, and the CIO definitely plays a large role in strategic security initiatives.”

Subsequently, the Bangalore panel zeroed in on the nature of contracts drawn, and the obligations thereof. Said Kailasanathan: “The moment you talk about business risk, it becomes strategic. The approach changes towards contractual obligations because SEBI's Clause 49 requires a CFO and CEO to ensure that the company is taking adequate measures to protect itself from business risks. If you want to fulfill that, the whole outlook changes from security to business risk – and strategic approaches come into play.”

Subramanya concurred, stating that a CIO or CTO today would need to talk about issues on a larger scale. “He needs to talk about all the physical and logical ways to mitigate risks within the organization for the business that he’s looking at. It needs to be discussed at the pre-sales stage. It is not only about convincing the customer, but also demonstrating the processes and practices to them, allowing them to come and do an audit, and then having a third party endorse it,” he explained. Mallya of Infosys noted that ultimately strategy drives the tactical approach. In effect, as Kailasanathan put it, tactical measures are a subset of strategy. Mallya explained the practical value of strategy: “As a company that provides solutions to customers in sectors such as banking and insurance, we have to be in a position to protect the data they have. That’s where tactical decisions might come into play. Still, when we work with customers who are not that concerned with security, we must ensure that secure practices are adhered to – and that’s where, perhaps, a strategy with the customer would drive the tactical decisions.”

Over time, every leader in enterprise becomes an owner of risks and must manage them, noted both Satish Das (left), CSO of Cognizant Technology Solutions, and Anwer Baghdadi, senior VP & CTO of Countrywide Financial Corporation India Services.

While security strategy is a necessity, as Pantaloon Retail's CIO Chinar Deshpande (left) asserted, Burgess Cooper, head-IT security of Hutch, believes that it is just as important to find the middle path between info-security tactics and strategy.

The point emerged at the discussion in New Delhi, too, albeit in a different scenario. C.R. Narayanan, director-IT of Alstom Projects India, talked about the significance of strategic info-security to the organization, internally – and the need to balance tactics within strategy. He cited the case of an internal investigation, when a person being probed continues to work in the organization in question. “Such situations call for tactical decisions. But when the person being probed continues to come to office while the committee is investigating his case, another question arises: what is the strategy for such scenarios, considering that it has implications pertaining to access. So, strategy is important over and above the tactics,” he explained.

THE STRATEGY WATCHTOWER

Apart from having to define the scope of an enterprise’s processes, all three discussions also centered on the need to define the role of people and, in particular, the CIO or CSO vis-à-vis security. “In our management strategic building exercises, when it comes to security, we stress on three aspects: how to protect our customer’s IP, how to protect our own IP and lastly, how to protect our people,” said Cognizant’s Das in Mumbai.

Chinar Deshpande, CIO of Pantaloon Retail and another panelist at the Mumbai discussion, cited a recent situation in his organization that required the IT team to come up with a plan beyond its security tactics. In January, Pantaloon Retail faced an organization-wide virus attack, an incident which, Deshpande says, proved that security must rise above the tactical standpoint. “I gave our management insights as to why security should be considered strategic by showing them how, while we were fighting it out with the virus outbreak, we maintained business continuity,” he said. In this case, Pantaloon Retail needed to buy new machines and create war-zones within the organization by deploying business applications on the ‘clean’ machines.

“This ensured that while the entire office was non-operational, we had key business people accessing mission and business critical data and applications seamlessly,” he said. After the incident, the IT organization has also made a case before its management to consider security as a critical piece of its enterprisewide risk assessment and planning exercises.

Anwer Baghdadi, senior VP & CTO of Countrywide Financial Corporation India Services, averred at the same event in Mumbai: “One of the key things happening in the boardroom is that now the term ‘security’ is being rechristened as ‘risk management’. Every element is being talked about first as a risk parameter. Over a period of time, we, as part of leadership teams, have become owners of such risks. And we need to know how the risks will impact the business,” he said.

As an outcome of this development, Baghdadi stressed the need for IT organizations to deal with people collectively and bring together their knowledge to understand the impact of initiatives – and concerned risks – on business. “All this must be translated into a communicable entity, so that everybody in the organization is able to understand (the strategic approach to security),” he added.

Define the scope of your processes and the role of users in the enterprise, concurred the Bangalore panel comprising Subramanya C. (from left), global CTO of HTMT, N. Kailasanathan, VP & CIO of Titan Industries, and P.D. Mallya, head (security audit & architecture) of Infosys.

In effect, the Mumbai panel discussed the value of consistency in having people with the right background, and of being tactical with head-hunters to ensure that they all follow the same pattern in producing workflow that meets the requirements of the enterprise in question. “You require consistency of flow, right communication and easily digestible steps,” stated Baghdadi, a point that was also touched upon in Bangalore and New Delhi.

As Ericsson’s CIO Tamal Chakravorty put it in the Capital City, security and its processes must ensure discipline among the people and users. “If you know you are being monitored somewhere, users take things more seriously. They know they are being monitored. Policies and processes help you bring that discipline in your enterprises,” he explained. People have to be aware – and follow processes day in and out, echoed Mallya, Infosys’ head (security audit & architecture). “We’re talking of information in the electronic and physical form. So, processes have to be followed,” he added.

Godfrey Phillips’ Balaraman extended the point to identity management: as a greater means to empower people to handle data, based on their experience and role in the organization. “Those are the issues we tend to grapple with,” he said.

Prior to the panel discussion in each city, presentations from Sify and Trend Micro also proved useful in putting the spotlight on emerging challenges and threats to security. Kannan S.R., Sify’s head (security services), felt that companies don’t factor in enough for low-frequency, high-impact risks. Among other key trends, he observed that disruptive technologies are the order of the day. “Today, users bank without even seeing the bank – on the Internet,” he said. With this, internal user groups pose quite a challenge to security. Kannan also dwelt on the inter-relationships between risks, internally.

In his address to the CIO community in Bangalore, Wong Joon Hoong, product marketing manager-enterprise (Asia-Pacific), Trend Micro, traced how threats have evolved over the past 15 years. "In the past, there would be a year's gap, at least, before a virus that had hit networks in the US would hit Asia. This is a function of the Internet that has put the networks of the world on one platform," he pointed out.

He also discussed threats in detail, including targeted attacks (viruses aimed at a specific region or industry) and attacks that combine viruses, malware – worms, Trojans, bots – and social engineering into one. Eighty percent of spam mail is sent by botnets (networks of bots), which assist hackers in carrying out social engineering to compromise enterprise security, he said. Aptly, it was during the same event in Bangalore that the beats and riff of the Mission Impossible title track, playing in a neighbouring disco, made their way into the room momentarily. It was fitting, as all the presentations and the panel discussion addressed the case of protecting information, a theme that is at the heart of the film. Everyone agreed: strategy is the way forward.

Certification of people in information security is a more effective differentiator today than just processes certification, felt the Delhi panel consisting of Alagu Balaraman (from left), executive VP-IT & corporate technology of Godfrey Phillips, Tamal Chakravorty, CIO of Ericsson, and C.R. Narayanan, director-IT of Alstom Projects India.


IT Security Gets Physical

By Paul F. Roberts

The good news: physical and IT security systems your company uses will merge. The bad news: it’ll probably take a while.

Illustration by Anil T

SECURITY | The cameras are watching when you drive up to IBM’s Watson Research Lab in Hawthorne, New York. They’re also noticing things — things such as the color of vehicle you’re driving and its license plate. When you get out of the car, another camera zooms in on your face, capturing its image and transmitting it (along with snapshots of your car and license plate) to third-party analytics systems, which then compare those bits against a database of lab employees and authorized visitors.

By the time you get to the door at Hawthorne, says Arun Hampapur, manager of IBM’s Exploratory Vision Group, the cameras have, in theory, already collected enough data to grant you access to the facility without you having to wave a key card or check in at the front desk.

This type of Minority Report scenario remains more myth than reality, but a number of factors have combined in recent years to put the merging of physical and IT security on the front burner. The advent of open, IP-based physical access systems, the appearance of new startups offering convergence solutions, along with an embrace of open applications platforms and Web services, may soon place true converged security solutions within reach of ordinary enterprises.

Vol/2 | IssuE/096 8 m a R c h 1 5 , 2 0 0 7 | REAL CIO WORLD

Essentisl Tec.indd 68 3/12/2007 8:35:31 PM

Physical Threats

Even before the words ‘stolen laptop’ started popping up in headlines, 9/11 increased the burden and cost of physical security — especially for companies with high visibility, says William Crowell, an independent consultant and former senior official at the US National Security Agency.

But incidents such as the December theft of five laptops from the benefits consulting firm Towers Perrin, containing data on tens of thousands of retirement-plan participants, are motivating corporations to push for security integration. One company, Boeing, suffered three break-ins between November 2005 and December 2006, culminating with the theft of a laptop from an employee’s car that contained the names, salary information, Social Security Numbers, home addresses, phone numbers, and dates of birth of 382,000 current and former employees.

Rather than hack a well-defended corporate network, smart criminals in search of sensitive information have discovered it’s often more effective to focus on gullible employees and loosely guarded offices, says Cheng Tang, a consultant with System Experts, a security consulting firm. “Crime is always about finding the weakest link. It’s a lot easier to hack the physical and person-side of the security equation,” he says.

Some attacks combine both online and offline tactics, with attackers researching their target on the Web or rattling doors on the company’s public-facing servers before trying to compromise physical security protections to get what they want, says Dave Tyson, CSO for the City of Vancouver, who manages a joint physical and IT staff of 45 that includes 22 security guards and security contractors.

Unified operations like Tyson’s are rare. “In the past, there’s been this umbrella of security around physical security, where the building is locked down and the concerns of the security officer are taken care of,” says Peter Fehl, senior marketing manager for integrated security at Honeywell. “On the IT side, they have [anti-virus] and firewall. But in between the groups is where the cracks have developed.”

The Spitzer Factor

But the reasons to fill those cracks are mounting. The parade of new regulations, led by Sarbanes-Oxley, provides even greater motivation for organizations to consider converging their IT and physical security operations.

Crowell notes that Sarbanes-Oxley has created a thirst for bullet-proof audit capabilities and the capability to answer such questions as: How could John Q. have accessed those financial records if he never entered the building that day?

Government organizations face other, more stringent mandates. The recent implementation of Homeland Security Presidential Directive 12 (HSPD-12) has primed the pump for security convergence. The directive, which took effect in October, requires government agencies to begin issuing standard PIV (personal identity verification)-2 cards to employees. In time, HSPD-12 smart cards will be used to tie logical and physical access together at government agencies as well as at their private sector contractors.

“HSPD-12 is an attempt to say ‘These worlds should converge. They should be managed together,’” says Brian Contos, CSO of security information management firm ArcSight.

Beyond government, critical infrastructure owners such as health care, telecommunications, and transportation are also standardizing on cards that meet the FIPS (Federal Information Processing Standard) 201, a set of specifications for personal ID cards issued by the National Institute of Standards and Technology (NIST) in response to HSPD-12, notes Peter Boriskin, director of product management for Tyco Fire & Security’s Access Control and Video Systems.

If nothing else, the money and regulatory weight behind HSPD-12 promises to reduce the cost of smart card deployments and focus the physical and IT security industries on a key point of intersection: the security credential.


Rather than hack a well-defended network, criminals focus on gullible employees, leading corporations to push for security integration.


According to the Global State of Information Security survey, 40% of companies said that their physical and information security chiefs reported to the same executive leader — 9 percent more than in 2005.

SOURCE: CIO-PwC


“HSPD-12 created a nexus around the token,” Boriskin says, noting that previous attempts at physical and IT security integration were focused on integrating security applications. “Rather than try to integrate all these complex, fragile systems, now we all just know the token.”

While smart-card readers may take years to reach the bulk of enterprises, in the interim, Fehl of Honeywell sees companies picking and choosing from FIPS 201, grabbing onto the smartcard technology and adopting government standards for card enrollment, verification, and background checks.

Emerging Technologies

Perhaps the biggest boost to converged security originates with the security industry itself, where a generation of proprietary physical access systems is giving way to newer, network- and Web-based products, built using open architectures and with third-party integration in mind.

At Tyco, long a leading player in physical security, a next-generation access control system, the C-CURE 9000, marks a radical departure. The 9000 series was built with convergence in mind, using Microsoft’s .Net framework and Web services to connect physical security systems (fire and door access) with HR and IT systems such as network single sign-on and user provisioning/deprovisioning.

Rather than being a ‘security management’ system, Tyco thinks of C-CURE 9000 as an events-management system that can link physical security with IT-centric tools such as ERP software, Boriskin said. Previous generations of the C-CURE platform could only have accomplished that through brittle and expensive integration projects.

“XML and Web services have been the biggest enabler of convergence,” Boriskin says. “It’s a layer of abstraction that provides a common language for all these different products to talk to each other.”

Experts agree that the lack of an open, services-based approach hobbled early efforts at convergence, such as the Open Security Exchange (OSE), a joint physical-IT consortium that launched in 2003 with the backing of companies such as Computer Associates, HID, Tyco, and Wells Fargo.

“The big problem back then was that when you started to connect systems like that, you needed direct access to the database, and that can break things,” Fehl says. “Today, XML creates an intermediate layer where you can filter the data and apply rules that process the data before it hits your database.”

Short-Term Security Fixes

Although Hollywood-style converged security — with biometric identification tied in to physical and logical access — is still years away, there’s no shortage of actual applications of converged security that solve real enterprise problems and are possible (and affordable) using today’s technology. Here are a few:

Single sign-on. If your CFO just swiped his badge in the front lobby, why is he trying to VPN in from Eastern Europe? Adding physical presence data to the mix when making network admission decisions is low-hanging fruit on the security convergence tree, and solves a big problem for enterprises that are looking for ways to confirm the identities of those who access their networks remotely, as well as cut down on problems such as ‘tailgating’ (when an intruder sneaks behind an authorized person into a secure area) at the office, says David Ting, CTO of Imprivata. His company’s OneSign single sign-on appliance notes whether or not you’ve badged into the building, and blocks network access for those who have entered the building illegally. Valid workers who tailgate in on an employee’s badge may have to answer challenge-and-response questions before they are allowed on.

Forensics. The IT press has made a big deal about new, IP-based video surveillance cameras, and how technology such as biometric facial recognition can distinguish friend from foe. Linking video surveillance and face scans to access control systems might be more than most enterprises want to bite off, but the new systems can be useful in analyzing what went wrong in security incidents, if not stopping them before they happen. Companies such as Broadware, OnSSI, and 3VR — not to mention IBM — allow companies to centrally monitor, manage, and archive IP-based video feeds enterprisewide. Those feeds can then be analyzed to understand why security breaches occur and to improve the risk posture of the organization in the future. “Large companies like Home Depot don’t want to recover their losses; they want to prevent or at least contain problems and risk before it gets too serious,” says Bill Crowell, a security consultant. IP-based video systems can help.

User provisioning/deprovisioning. Despite the image of IT security as ever vigilant, it often falls short of cutting off access to former employees and other insiders. Indeed, whereas you can expect to have your door access card confiscated and your physical access to a facility blocked on the day you leave a company, you may well be able to log on to the company’s network or voice system for days, weeks, or even months later, security consultants say. At the same time, enterprises that rely on proprietary badging technology often fail to link it to IT provisioning, says Jon Gossels of System Experts. “It’s easy to take the leap and say, ‘Let’s put that on the secure part of the network, so the IT staff can say: Oh, I’ve issued 1,000 badges, but 20 are missing, so let’s disable those’.” Doing so might also reinforce the importance of taking away logical as well as physical access for the IT staff.

— P.F.R.
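The checks described in the sidebar (badge presence feeding network admission decisions, and cutting off logical access when physical access is revoked) and Crowell's audit question (how did someone reach the records without entering the building?) come down to correlating two event streams. The Python below is an added example written for this page, not code from the article or from Imprivata, S2 or any other vendor named here; the log formats, user names, addresses and the revoked-badge list are all constructed.

```python
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample logs (not from the article). Hypothetical formats:
#   door controller:  "<ISO timestamp> <user> <in|out> <site>"
#   network side:     "<ISO timestamp> <user> <vpn|lan> <source address>"
BADGE_LOG = """\
2007-03-15T08:02:11 alice in HQ
2007-03-15T08:15:40 carol in HQ
2007-03-15T12:30:05 carol out HQ
2007-03-15T17:45:00 alice out HQ
"""

NET_LOG = """\
2007-03-15T09:10:00 alice vpn 203.0.113.7
2007-03-15T09:30:00 bob lan 10.0.5.12
2007-03-15T10:00:00 alice lan 10.0.5.3
2007-03-15T13:00:00 carol vpn 198.51.100.9
2007-03-15T14:00:00 dave lan 10.0.5.40
"""

# Users whose badges were revoked on departure (constructed). Their network
# accounts should have been disabled at the same moment; any login is a finding.
REVOKED: Set[str] = {"dave"}

Interval = Tuple[datetime, Optional[datetime]]


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse one of the whitespace-separated logs above into tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, where = line.split()
        rows.append((datetime.fromisoformat(ts), user, kind, where))
    return rows


def presence_intervals(badge_rows) -> Dict[str, List[Interval]]:
    """Turn badge in/out events into per-user on-site intervals.

    An 'in' opens an interval; the next 'out' closes it. An 'out' with no
    open interval (someone who tailgated in and badged out) is ignored here,
    so a missing badge-in still shows up as absence in the checks below.
    """
    intervals: Dict[str, List[Interval]] = {}
    for ts, user, action, _site in sorted(badge_rows):
        user_ivals = intervals.setdefault(user, [])
        if action == "in":
            user_ivals.append((ts, None))
        elif action == "out" and user_ivals and user_ivals[-1][1] is None:
            start, _ = user_ivals[-1]
            user_ivals[-1] = (start, ts)
    return intervals


def on_site(intervals: Dict[str, List[Interval]], user: str, ts: datetime) -> bool:
    """True if the badge records put `user` inside the building at `ts`."""
    for start, end in intervals.get(user, []):
        if start <= ts and (end is None or ts <= end):
            return True
    return False


def correlate(badge_text: str, net_text: str,
              revoked: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, finding) for every suspicious network event."""
    intervals = presence_intervals(parse_log(badge_text))
    findings = []
    for ts, user, kind, _src in sorted(parse_log(net_text)):
        present = on_site(intervals, user, ts)
        if user in revoked:
            finding = "revoked_user_login"    # logical access outlived physical access
        elif kind == "vpn" and present:
            finding = "vpn_while_on_site"     # badge says lobby, VPN says remote
        elif kind == "lan" and not present:
            finding = "lan_without_badge"     # on the wire, never came through the door
        else:
            continue
        findings.append((ts.isoformat(), user, finding))
    return findings


if __name__ == "__main__":
    for row in correlate(BADGE_LOG, NET_LOG, REVOKED):
        print(*row)
```

On the constructed logs, carol's VPN login after badging out and alice's LAN login while on site pass; the three remaining events are each flagged once.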

Smaller security firms such as S2 and Imprivata are also taking advantage of the move to IP-based networks and Web services to create open platforms that can tie physical and IT security together.

S2’s product, NetBox, is a physical security management appliance that integrates access control, alarm monitoring, temperature monitoring, video surveillance, and intercoms, according to CEO John Moss. S2’s technology uses controllers that bolt on to existing card readers, video monitors and other physical security point devices. Those readers store access policies, and communicate with the network appliance using standard IP-based protocols, where a policy database centralizes physical security policies and then pushes them out to the devices it manages.

Similarly, Imprivata’s OneSign product is an appliance-based, single-sign-on solution that joins physical and logical access systems. Web services standards such as SPML (Service Provisioning Markup Language) allowed the company to create interfaces for third-party user provisioning systems from Courion and others to create and manage user accounts, applications, and credentials within OneSign.

Moss, who founded the card-access company Software House before selling it to Tyco in the mid-1990s, says that’s a big departure from the “1990s’ big software model” that has dominated the physical security market until recently, in which integration happened at the application layer, and big vendors such as Tyco extracted hefty fees for access to APIs. In contrast, S2 has published open Web services APIs that allow companies to link their IT-based user provisioning systems to S2’s NetBox, Moss says.

Culture Clash

Despite such advances, the biggest obstacle to converged security has nothing to do with technology. It’s the cultural chasm between the physical and IT security professions.

“The two groups just don’t know how to talk to one another,” says Vancouver’s Tyson. “The world of technology is a very term-based environment. If you don’t understand those terms and the technology behind them, you’re on the outside looking in.”

That’s often where people with a physical security background — a group that once included Tyson himself, who started his career as a bodyguard — find themselves. “There’s no really good school for IT security, unless you go back to school and get a CS degree, but who can afford that?” he says.

S2’s Moss agrees. “Physical security practitioners make less per hour than in the IT world. And [professional certifications] don’t always require IT training. IT security practitioners are more highly trained and have certifications for the things they do, but they don’t know much about physical security,” he says.

In other words, your IT security staff may be perfectly trained to sniff out a Trojan or keylogger on a PC, but don’t go to them if you need an unruly visitor hustled out of the building. On the other hand, if that disorderly visitor started harassing an employee via IM, the physical security folks wouldn’t know where to start, says Tyson.

Until recently, that basic cultural difference permeated most physical security vendors, where such established vendors as ADT, Honeywell, and Tyco tailored their wares to the guys with badges.

To this day, the servers and systems for managing door access and video surveillance frequently form a kind of ‘shadow IT’ within corporations, overlooked by trained IT staff who might not even know they’re there, and ignored by physical security staff who do know they exist but lack the expertise to manage them. Vulnerabilities in those systems can pose big risks, especially as they migrate from closed, proprietary networks to the same IP-based network used by mission-critical applications, Tyson says.

“When I first arrived on the job (at the City of Vancouver),” Tyson recalls, “I asked the physical security manager when was the last time the camera system servers had been patched. His response was: ‘What’s a patch?’”

On the flip side, IT security experts are often blind to physical security systems, or don’t consider them part of the overall IT picture. “We hired one of the Big Four consulting companies to come [to Vancouver] and do an IT threat and risk assessment,” Tyson recalls. “Nowhere in their report do they even discuss the physical security systems.”

Such glaring disconnects lead some to take the long view. “I don’t think real converged security is going to happen any time soon,” says Geoff Hogan, senior vice president of business development and product management at Imprivata. “When you get right down to it, physical security doesn’t want to own the network log-in, and IT doesn’t want to own the door responsibilities.”

Even at IBM, Hampapur says the Smart Surveillance System isn’t operationally linked to any access control systems at any IBM site or customer, although the company has demonstrated an in-lab prototype of such a system to a major US airport.

The biggest obstacle to converged security has little to do with technology. It’s the cultural chasm between the physical and IT security professions.

“It’s at the stage that people see what’s possible and do-able. But you need to tie it back to the business case to support it. Is this a $5,000 problem with a $50,000 solution, or vice versa?” says Sam Docknevich, IBM’s national practice leader for security services.

So far, larger companies and early adopters are pushing vendors such as IBM and Tyco the hardest on security convergence, requesting ways to tie in employee provisioning with security management systems such as C-CURE, Boriskin says.

At IBM, the focus is more on linking video surveillance to biometrics and access control. The company is also seeing a surge in requests for proposals on RFID and asset tagging to prevent theft from the retail sector, as well as utilities looking to protect remote sites, Docknevich says.

Converged Security Today

So when will converged security go mainstream? To start, companies must come up with a sober assessment of their security needs based on risk management. At many firms, this has already happened.

“When you talk to large companies, you find that they’re re-examining the organization of security around risk management. Very often they talk more in terms of risk management and what are the component pieces,” Contos says.

Often, taking a risk-based approach means doing less, not more, and focusing on a few core assets, rather than big, expensive solutions that touch everything, Ray O’Hara, SVP at Vance, says. “You can have the best access control system and cameras all over the world, but is your focus on the crucial information? Maybe that camera in Beijing is necessary, but you need to study the validity of having it there first,” he says.

Rather than chasing off after facial recognition systems, Jon Gossels, president of System Experts, says companies adopting a risk-based approach might focus first on telephone rooms and computer datacenters — and make the physical security around those top notch. Or they might audit basic access security at branch offices, which are often easy prey for criminals and social engineers.

As for the gap between physical and IT security cultures, changes in management — such as establishing a CSO position with global authority — can help. At the City of Vancouver’s offices, Tyson instituted a program to train security guards about IT security, and then assigned them to look in cubes for unsecured laptops, passwords on post-it notes, and unauthorized wireless access points.

“IT security doesn’t have the feet to get out to all those desktops. So instead of just rattling doors, we’ve got [security guards] looking for all the risks in the environment,” Tyson says.

On the IT side, experts say that enterprises should focus convergence efforts on areas with a big payoff, such as data encryption, door access, and branch office security — and look for ways to realize convergence without having to rip out existing infrastructure or disrupt existing systems and processes.

As an example, Imprivata’s OneSign product, which works with products by Tyco, Linell, and S2, integrates with legacy access card readers, but adds the ability to tie in door access with logical access to the LAN in the office, or through a VPN system, Imprivata’s Ting says. That means companies can leverage the physical access system they already have as a second factor, instead of investing in an entirely new second factor token or secure ID, he says.
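The idea of using the door-access system as a second factor for network logon can be shown as a small policy check. The following is an added illustration, not Imprivata’s, Tyco’s or any vendor’s code: it parses a constructed badge-reader log and decides whether each LAN or VPN logon is consistent with where the access control system says the user physically is. The log format, user and site names, and the 12-hour staleness window for a badge-in are assumptions made for the example.

```python
"""Converged access policy: treat the physical access control log as a
second factor for logical (LAN/VPN) logins.

Added illustration, not any vendor's code. The badge record format,
users, sites and the staleness window are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class BadgeEvent:
    ts: datetime
    user: str
    site: str
    direction: str  # "in" or "out"


@dataclass
class Login:
    ts: datetime
    user: str
    channel: str  # "lan" (wired office port) or "vpn"
    site: str     # site the LAN port belongs to; "remote" for VPN


def parse_badge_log(lines: List[str]) -> List[BadgeEvent]:
    """Parse constructed 'ISO-time,user,site,in|out' records, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, site, direction = [f.strip() for f in line.split(",")]
        if direction not in ("in", "out"):
            raise ValueError(f"bad direction in badge record: {line!r}")
        events.append(BadgeEvent(datetime.fromisoformat(ts), user, site, direction))
    return sorted(events, key=lambda e: e.ts)


def presence_at(events: List[BadgeEvent], user: str, when: datetime,
                max_age: timedelta = timedelta(hours=12)) -> Optional[str]:
    """Site the user is badged into at `when`, or None.

    The most recent badge event before `when` decides. A badge-in older
    than max_age is treated as stale (the user forgot to badge out), so
    it no longer vouches for presence. max_age is an assumed tuning value.
    """
    last = None
    for e in events:
        if e.user == user and e.ts <= when:
            last = e
    if last is None or last.direction == "out":
        return None
    if when - last.ts > max_age:
        return None
    return last.site


def evaluate_login(events: List[BadgeEvent], login: Login) -> Tuple[str, str]:
    """Apply the converged policy; returns (decision, reason)."""
    site = presence_at(events, login.user, login.ts)
    if login.channel == "lan":
        if site is None:
            return ("deny", "LAN login without a current badge-in")
        if site != login.site:
            return ("deny", f"LAN login at {login.site} but badged into {site}")
        return ("allow", "badge-in at the same site acts as second factor")
    if login.channel == "vpn":
        if site is not None:
            # A user who is inside the building should not also be dialling in.
            return ("alert", f"VPN login while badged into {site}: possible shared credentials")
        return ("allow", "remote user not badged in; normal VPN factor policy applies")
    return ("deny", f"unknown channel {login.channel}")


# Constructed sample badge log: time,user,site,direction
SAMPLE_BADGE_LOG = """
2007-03-15T08:02:00,alice,hq,in
2007-03-15T08:10:00,bob,branch-7,in
2007-03-15T12:30:00,bob,branch-7,out
2007-03-15T13:15:00,bob,branch-7,in
"""


def run_sample() -> List[Tuple[str, str, str, str]]:
    """Evaluate a set of constructed logon attempts against the sample log."""
    events = parse_badge_log(SAMPLE_BADGE_LOG.splitlines())
    logins = [
        Login(datetime(2007, 3, 15, 8, 5), "alice", "lan", "hq"),        # badged in at hq
        Login(datetime(2007, 3, 15, 9, 0), "carol", "lan", "hq"),        # never badged in
        Login(datetime(2007, 3, 15, 12, 45), "bob", "lan", "branch-7"),  # badged out
        Login(datetime(2007, 3, 15, 13, 20), "bob", "vpn", "remote"),    # inside, yet on VPN
        Login(datetime(2007, 3, 15, 14, 0), "alice", "lan", "branch-7"), # wrong site
        Login(datetime(2007, 3, 15, 22, 0), "alice", "lan", "hq"),       # stale badge-in
    ]
    return [(l.user, l.channel) + evaluate_login(events, l) for l in logins]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The point of the policy is that it reuses a log the organization already collects: no new token is issued, and the two checks that matter in practice are a logical logon with no matching badge-in (stolen or shared password) and a VPN logon from someone the door system says is on site (the same thing from the other direction). The staleness window handles the common failure mode where people leave without badging out.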

Tyco plans to disclose integration with “a leading IT security vendor” when it unveils its new C-CURE 9000 platform in the first quarter of this year, whereas integration with platforms like IBM’s Tivoli is “coming soon,” Boriskin says. And Cisco is working on integrating its NAC (network admission control) technology with IBM’s Smart Security System, says Steve Cohen, director of marketing at Cisco’s Security Technology Group.

Although the worlds of physical and IT security are beginning to gravitate together, true convergence is still a ways off.

“The adoption curve is never as fast as people think it’s going to be, except, maybe for the iPod,” says ArcSight’s Contos.

The capability to move incrementally toward convergence, however, may be the best indication that it will eventually happen, says Fehl.

“People have talked about convergence forever, but it hasn’t come about. It was always a big leap, and it was expensive and people’s jobs were on the line,” Fehl says. “Now you can take baby steps. Be flexible. Change direction and evaluate.”

Paul F. Roberts is senior editor for InfoWorld. Send feedback on this feature to [email protected]


Pundit

SECURITY | Thirty seconds. That’s about how long it took for criminals to subvert both the information security and physical security precautions put in place by a supermarket chain, Stop & Shop, which acknowledged the breach last month.

The security breach wasn’t a huge one (at least by the look of it so far), but still a doozy, in which criminals went into at least six stores and tampered with Electronic Funds Transfer units. These are the point of sale devices, more commonly known as PIN pads, where credit and debit card customers swipe their cards and enter personal identification numbers.

John Kirkwood, global information security officer for Royal Ahold, Stop & Shop’s Amsterdam-based parent company, says that it took criminals, operating late at night when the store was thinly staffed, about half a minute to replace a legitimate check-out device with a phony one that, in addition to doing what the legit device was supposed to do, also captured card numbers and PINs for the criminals to retrieve later. It’s a scam similar to cash machine ‘skimming’, in which criminals tamper with automatic teller machines to nab bank account information from unsuspecting users.

“They would come in and replace a machine that was a perfectly good encrypted machine with a machine that was designed to be able to harvest and store the information,” Kirkwood says. “You don’t think that people are going to come in and, in a concerted, gang-like way, target PIN pad machines.”

Except that’s exactly what happened. So Stop & Shop failed, right? Well, not exactly. The whole point of risk management is to do your best and adjust as you go. When you find a problem, you fix it. That’s exactly what Stop & Shop is doing now.

For one thing, Kirkwood says, the company has completed awareness training for employees about this PIN pad threat. In fact, it was employees who noticed suspicious activity at the front of one of their stores recently and contacted the local police. The police department then arrested four men who had, it seems, come back to reclaim the tampered-with machines and retrieve the information they held. (The men were from California, and the Secret Service is investigating; I can only speculate that the full extent of the damage extends far beyond six grocery stores.)

At the same time, Stop & Shop is protecting all its PIN pads from high-tech fraudsters with a decidedly low-tech device: bolts. Big bolts. Ones that make it take a lot longer than 30 seconds to swap out a PIN pad. I’d wager a guess that a month ago, had Kirkwood proposed this solution, he would have been met with howls of laughter, and perhaps some defensiveness from the physical security department.

All of which is further proof that it simply doesn’t make sense to approach physical security and information security separately. Kirkwood says that Stop & Shop is compliant with the Payment Card Industry’s Data Security Standard, with the exception of some work it is still doing on data retention. That means that the information captured on the legitimate PIN pads was encrypted, and that certain information, including personal identification numbers, is not saved on company systems. It means, in essence, that the company was — or should have been — well protected from people looking to commit credit card fraud. In all fairness, the PCI standard does include a nod or two to physical security, including a requirement that companies restrict physical access to cardholder data. However, it is primarily an information security standard. That means it has gaps where there are physical ways to circumvent high-tech protections. Like physically swapping out devices.

“That’s why you need to do a comprehensive, uber-assessment,” says Kirkwood now — with the benefit of hindsight. “Do it from the way a hacker would think. It’s not following the rules of PCI; it’s thinking out of the box and going backward and going sideways. You don’t follow the rules when you’re trying to break into something.”

So the usual ‘rules’ for security must adapt: who knows, but maybe the CISO will need to add a few bolts to his toolbox.

Send feedback on this column to [email protected]

Assess security from the way a hacker sees it. It’s not about following some rules.

Of Bolts and Data Security
More evidence of why physical security and information security can’t be approached separately.
By Sarah D. Scalet


It’s a battlefield out there.

Access control (n.) In physical security, the portion of the budget dedicated to replacing lost plastic swipe cards.

ActiveX (n.) A technology for making Web vulnerabilities more engaging and fun.

Black hat (n.) A bad guy doing bad things with software.

Blog (n.) A diary desired by no one and available to everyone.

Change control (n.) A carefully defined and measured process of self-delusion.

Compliance solution (n.) Surveillance and behavior software to control your users.

Delete (v.) To remove from view (and archive).

Dirty bomb (n.) A term used to distinguish enemies’ bombs from one’s own.

E-mail (n.) A form of text communication similar to but far rarer than spam.

Endpoint security (n.) Security for points at, near or connected to the end of a network, or that have been or will be in some way related to the end in the past, now or in the future.

Gray hat (n.) A guy who’s kinda bad and kinda good doing kinda bad things with software.

Hacker (n.) A cracker with no sense of humor.

Hash table (n.) The place you roll a joint.

HIPAA (n.) US Government mandate that sensitive patient data be equally unsafe at any healthcare provider.

Information lifecycle (n.) An important graphical representation of the various points at which data is lost or stolen; used to justify the Rs 67,500 price of a white paper.

ISAC (n., archaic) A bureaucratic construct designed to bring CIOs and government representatives together so they can explain to each other why they can’t talk about what they’re there to talk about.

Keystroke loggers (n.) Men who type down trees.

Outsourcing, global (n.) The process of making vulnerabilities cheaper, more efficient, and available in 37 languages and nine time zones.

Pandemic (n.) A threat that spreads rapidly through contact with daily newspapers and talk shows.

Port security (n.) In information security, proof that people don’t understand risk; in physical security, proof that people don’t understand risk.

RFID (n.) Doubleplusgood technology for monitoring cargo, chocorats or Ingsoc members suspected of crimethink so they can be vaporized speedwise.

Risk (n.) The unavoidable part of life that CEOs try to ignore, CFOs try to hide, CIOs try to understand and CSOs try to control.

Sarbanes-Oxley Act (n.) Legislation requiring public companies to establish internal controls that allow them to return their focus to reactionary, short-term, market-driven decision making.

Single sign-on (n.) A process ensuring that one password gives hackers access to everything.

VoIP (n.) A breakthrough aimed at bringing the insecurity and inconvenience of data networks to the phone system.

White hat (n.) A gray hat with a better PR firm.

Reprinted with permission. Copyright 2007. CSO. Send feedback to [email protected]

Illustration by Unnikrishnan AV

The Devil’s Infosec Dictionary 2.0