Not So Secure? It's a great time to be a security expert...

[Kelley Walker <kwalker2 () gte net>]

:)  This caught my eye as I was scanning the infosec news:

http://www.networkcomputing.com/1212/1212ca.html
Not So Secure?

  June 11, 2001
  By Maria Schafer


It's a great time to be a security expert. In the wake of widely publicized 
hacker attacks and the infamous Melissa and Love Bug viruses that wreaked 
serious damage on corporate networks worldwide, network-security groups are 
getting unprecedented attention and budgets from senior management.

The risk of an attack increases as companies add more remote workers, 
electronic-commerce projects and applications, such as e-learning. About 75 
percent of U.S. organizations have experienced a significant 
information-security breach in the past year, according to Meta Group 
research. Now some big organizations have established a new high-level 
security position: the CISO (chief information security officer), who 
reports directly to the CIO and, in some cases, to the CEO.

Trouble is, while companies are building the technical infrastructure for 
creating secure systems and networks, many are doing so without instituting 
the processes, procedures and training for their IT and other employees on 
the front lines of security management. Even with enforcement centralized 
into a single group, the actual administration of security, such as the 
daily moves/adds/changes required for users to access systems, is typically 
the responsibility of the network administrator. The network administrator 
is most likely to be in charge of securing systems, including firewalls, 
VPNs, authentication servers, extranet directories and PKIs (public key 
infrastructures), for instance.

The bottom line is that the network administrator is not a security 
specialist. If a company wants to deploy its network administrator this 
way, it also needs to train him or her in security software, processes and 
procedures. It needs to develop security-management policies that are 
common across the organization and applied consistently for password 
updates and for adding or deleting user accounts, for example.

But because network security is relatively new and lacks experienced 
individuals, most groups are understaffed. So they off-load security 
administration to the network administrator. About half the network 
administrators surveyed recently by the Meta Group say they are responsible 
for security. Smaller organizations, not surprisingly, lean more heavily on 
their network administrators for security: nearly half of organizations 
with 1,000 to 5,000 employees use their network administrators as security 
staff, and more than one-third of organizations with more than 5,000 
employees use their network administrators for this role, according to Meta 
Group research.

A better solution is to add a network security administrator to handle 
day-to-day security tasks and issues instead of overloading the network 
administrator. If the network administrator isn't trained to handle 
security breaches, the result can be devastating. Take one major Northeast 
insurance firm, which had procedures for password requests and access to 
its e-mail system. Disseminating information about potential viruses was a 
standard function of the insurance company's network administrator, and he 
regularly reviewed and updated virus definitions. But the day the Love Bug 
virus hit the company, he was out of the office. Although reports about the 
Love Bug virus had appeared in newspapers before the attack, the 
administrator was unaware of it, so management and the IT staff weren't 
notified of the risk. It was too late when the virus was finally discovered 
in the company's network. Other network staffers were too busy fighting 
fires -- down servers and other network problems caused by the virus -- to 
take control of the situation. The moral is that you need a thorough 
contingency plan for when the network administrator is out of the office 
and an emergency hits.
Recipe for Disaster

Often, companies run their security operation on two levels. The senior 
security manager, such as the CISO, is responsible for collecting and 
reviewing business requirements and "selling" upper management on the types 
of security systems and processes the company needs. This security 
professional also develops security policy, in cooperation with 
representatives from the business units.

The second level is the security staff -- which is often the network 
administrator, or security managers, who work with IT groups to embed 
security standards within the technical infrastructure. The network 
administrator handles day-to-day password changes and other user account tasks.

This split in the security policy and implementation can lead to disaster. 
The security manager, not the network administrator, should oversee things 
like regular password changes across all security services at the same time 
to reduce end-user confusion and forgotten passwords. He or she also should 
ensure that password standards are maintained across the organization and 
that user accounts are added or deleted from all system resources, not just 
some. The security manager and staff should handle security reporting, 
logging and audits (firewall scans, password checks) to ensure proper 
compliance. All too often, however, the network administrator handles these 
tasks -- without adequate preparation or training.

The key is for the network side of the house to incorporate security 
elements at the start of an upgrade or other projects. That means working 
closely with the security manager.

And effective security is not the sole responsibility of the security 
domain team or the CISO, either: Companies need to ensure that all 
employees are responsible for some aspects of security. The central 
security group should develop a general strategy based on conceptual and 
technical architecture principles and then apply it to the entire IT 
infrastructure. The job of end users is to create unique user IDs/passwords 
based on the company's password policy and standards. Even end users need 
some training; all the security technology in the world won't work if users 
act carelessly, e-mailing a proprietary document over the Internet without 
encryption or creating an easily guessed password.

When you define and implement security policies, some due diligence goes 
with them -- communicating them clearly through presentations, not cryptic 
memos and publishing security policy on intranets, for instance. Security 
policy should be part of new employee orientation, too.

Close to Home

Global 2000 organizations traditionally haven't outsourced their security 
operations, because they mistrust service providers and are concerned about 
confidentiality and performance. Security's increasing clout in most IT 
organizations and the scarcity of security professionals that speak 
fluently in information security and business initiatives have prompted 
some organizations to pay CIO-level salaries to CISOs. Headhunters 
specializing in information security professionals have also started to 
appear.

The high demand for these skills has created a significant market for 
information security training and certification, as organizations look to 
educate and develop security people from within. Programs from training 
organizations such as the SANS Institute, MIS Training Institute and the 
Information Systems Security Association are proliferating.

Most organizations should not outsource the responsibility for security. 
It's important to retain ownership of these functions in-house. The 
exceptions are vulnerability assessment and infrastructure design. There's 
plenty of pressure to hire outside talent because of a lack of personnel, 
but Meta Group discourages turnkey security outsourcing.

Meanwhile, there aren't enough people in the organization with the proper 
training and knowledge about security to defend against intrusions and 
problems. This will change, however, as the technology matures with more 
proactive tools, and security experts are "grown" within the organization. 
But for now, security administration still will be delegated to the network 
administrator, and the central security group -- in charge of policy -- 
needs to step up and ensure consistent administration across all systems.

Maria Schafer directs human capital management research at Meta Group, an 
information technology research and advisory services firm based in 
Stamford, Conn. Send your comments on this article to her at careers () nwc com.

--
Kelley Walker
Organizational Researcher/Technical Writer
Interpact, Inc. Security Awareness

Interpact sponsors InfowarCon, 9/5-6, Washington, D.C.
http://www.interpactinc.com/infowarcon.html 


ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.