Information Security News mailing list archives

Questions for Ben Rothke, Senior Security Analyst, Camelot, Ltd.


From: InfoSec News <isn () c4i org>
Date: Thu, 23 Aug 2001 04:12:07 -0500 (CDT)

http://www.atnewyork.com/people/article/0,1471,8511_870981,00.html

By Erin Joyce
August 22, 2001

Even amid the tech and tech-spending slowdown, many information
officers across the enterprise are still scratching their heads about
what parts of their systems to throw open externally and internally.

At the same time, security experts lament that enterprise protection
issues are never given enough due in the corporate budgeting process.

But with more and more employees getting laid off, and plenty of
disgruntled staff tempted to throw a monkey wrench into the works as a
parting shot, some experts think network security may get a higher
priority.

Look at any number of surveys on network security and most of the
results cite end-users' access to systems they don't need as one of
the top issues facing network administrators.

The other major security issue: user accounts left open after an
employee has left the company.

Ben Rothke, a senior security analyst with network intelligence and
security software firm Camelot, has seen the problem from both sides.

As a network analyst with the three-year-old Camelot, his
responsibilities include helping clients address network monitoring
and management functions across the enterprise systems.

And as a 10-year veteran of network security issues, with expertise in
PKI, access control, Windows NT, firewall configuration and
cryptography to name a few, he had to face a pink slip himself from
Baltimore Technologies, where he was before joining Camelot.

These days, when he's not working on security issues for Camelot's
clients, Rothke also writes a column for Information Security
magazine, a monthly security book review for Security Management
magazine and articles for other periodicals.

AtNewYork.com chatted with him about what's hot in his world.


Q: What are the major issues in network security for enterprise
customers?

Two things come to mind. In the past 18 months or so, privacy issues
(have been piling up) along with internal security issues. With so
many consumers on the Internet, and so much information on the
Internet, privacy is (getting lots more attention from corporations).

There's also the legislative aspect, such as the Gramm-Leach-Bliley
(financial modernization) Bill, which has resulted in many letters from
banks (to customers explaining how customer information is used and
whether customers can opt-out). There's the (Health Insurance
Portability and Accountability Act) HIPAA legislation in healthcare,
which was meant to enable easier processing of claims; but once that
information gets on the Internet, it causes huge reverberations.

And then there are internal security issues that need to be thought
through a whole lot more. In days of old, users had dumb terminals to
an IBM mainframe and you really couldn't do anything with that. Now,
if I'm a pharmaceutical company, someone could FTP huge amounts of
proprietary information and take off with a huge investment in trade
secrets.

It can happen both maliciously and accidentally. With Windows, it's
very easy to move around files and delete them accidentally. One
delete key could wipe out huge amounts of information.


Q: With so many people getting laid off (especially in the technology
sector), what are some key issues regarding protecting the enterprise
from disgruntled employees?

If a company doesn't have pre-existing policies in place, everything
is reactive and that doesn't work that well. Many times, the
(information technology or MIS) staff gets the list of laid off
employees days after human resources releases it. If communication
isn't tighter, that's a problem.

Part of the issue is that from the get-go, all these employees have
huge amounts of information they have access to (on the network), be
it via a VPN, dial-up, kiosks. If you don't control that from the
start, you probably don't have enough policies and procedures on
shutting down these accounts.

In any large organization there could be anywhere from five to 15
different entry points (to the network). There might be internal
accounts for an NT server, UNIX server, a Web server, order systems,
Customer Relationship Management systems, numerous Web-based services,
time-keeping systems. Keeping track of all those accounts (and access
to them) is critical from the start.

There are so many platforms and environments (within an enterprise)
that it can be difficult to control.
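An added example, not part of the article or of Camelot's software, of the account reconciliation Rothke describes: HR's termination list is checked against account inventories pulled from several entry points, surfacing accounts still enabled for departed employees and accounts with no HR owner at all. All employees, systems and dates are constructed.

```python
from datetime import date

# Constructed sample data (not real identities or systems): HR's view of
# who is active and who was terminated, plus account inventories pulled
# from several of the entry points an enterprise typically has.
ACTIVE_EMPLOYEES = {"E1003"}
HR_TERMINATIONS = {"E1001": date(2001, 8, 10), "E1002": date(2001, 8, 17)}

# system -> list of (account name, owning employee id or None, enabled?)
ACCOUNT_INVENTORY = {
    "nt_domain": [("jdoe", "E1001", True), ("asmith", "E1003", True)],
    "unix_rd":   [("jdoe", "E1001", True), ("svc_backup", None, True)],
    "vpn":       [("jdoe", "E1001", False), ("bkhan", "E1002", True)],
    "crm_web":   [("b.khan", "E1002", True), ("jdoe", "E1001", True)],
}


def find_lingering_accounts(terminations, inventory, as_of):
    """Accounts still enabled for employees HR has already terminated.

    Returns (system, account, employee id, days since termination),
    longest-lingering first, so the worst offboarding gaps sit at the top.
    """
    findings = []
    for system, accounts in inventory.items():
        for account, emp_id, enabled in accounts:
            if enabled and emp_id in terminations:
                days = (as_of - terminations[emp_id]).days
                findings.append((system, account, emp_id, days))
    return sorted(findings, key=lambda f: f[3], reverse=True)


def find_unowned_accounts(inventory, known_ids):
    """Enabled accounts that map to nobody in HR: service accounts nobody
    reviews, or people who left before any reconciliation existed."""
    return [(system, account)
            for system, accounts in inventory.items()
            for account, emp_id, enabled in accounts
            if enabled and emp_id not in known_ids]


def offboarding_report(as_of=date(2001, 8, 22)):
    """Run both checks over the inventories as of a given review date."""
    known = ACTIVE_EMPLOYEES | set(HR_TERMINATIONS)
    return {
        "lingering": find_lingering_accounts(HR_TERMINATIONS, ACCOUNT_INVENTORY, as_of),
        "unowned": find_unowned_accounts(ACCOUNT_INVENTORY, known),
    }


if __name__ == "__main__":
    for key, rows in offboarding_report().items():
        print(key, *rows, sep="\n  ")
```

In practice the inventories would be exported from each system on a schedule and the report fed to whoever owns the shutdown procedure, which closes the HR-to-IT communication gap Rothke points out.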


Q: Any advice for network administrators?

You need to develop policies and procedures that address who gets
access and who monitors control. You need to make sure you're
addressing a macro problem with a macro solution.

Access control is huge. Storage is cheap, bandwidth is cheap, and
terabytes are portable. It's mind-boggling how open the networks are.
To the degree you throw open the network, that's how much you need to
make sure your corporate jewels are protected. The jeweler Cartier
accounts for every jewel, every ring, every gem. They know what's in
their inventory. If one earring is missing, they know about it.

Unfortunately in corporate security, it's not like that. When a laptop
is stolen, that could be 30 gigs of information to control. They need
to create these controls from the onset (of issuing the laptop).


Q: What are examples of those policies?

When working with out-of-the-box (applications), before employees are
given access, make sure their needs are defined, that there are
methods for enforcement, open-ended reviews of data access points.

One big problem in access control is the number of users and defining
them in groups. You can start with an Excel spreadsheet and before
long, you're out to column 250 with employees and resources to
control.

You have to treat data security in much the same way you treat
physical security in the corporate world. If I have an appointment at
the World Trade Center, for example, I know I have to arrive about 25
minutes beforehand in order to get through certain checkpoints.

Let's say you're a pharmaceutical company; you know the threat is not
so much from some hacker overseas. It's the guy on the inside with the
keys to the kingdom, with access to a half a billion dollars worth of
R&D, who could download it to a disk on his way to a meeting with some
guy in the Grand Cayman Islands. That's no joke.


Q: Sounds like you're saying we need more of big brother.

I think it's an inappropriate term and completely misguided in its use
now. In the book "1984", the term (big brother is watching) was about
mind control and a totalitarian government. Citibank doesn't care what
employees do in their off hours. Chase doesn't care if you're a member
of the NRA or Amnesty International. It's about access inside their
own corporate house.

If you want to listen to Britney at 2:00 AM at 200 watts, and the
corporate homeowner says you can't do that, that's not big brother.

So much of this client-server computing (and powerful desktop
computing) is being rolled out all over, and it's being rolled out
without any due diligence or controls.

In the old days, you had to be an engineer to get the information. Now
with Windows, you can install the most complex software package on NT,
point, click and paste the entire corporate jewels.

If a guy wants to download a gig of MP3 files, he can do it to his
heart's content on his own time, but he can't expect to use my
bandwidth and servers. That's not big brother, that's due diligence.



-
ISN is currently hosted by Attrition.org