Information Security News mailing list archives

No Security


From: InfoSec News <isn () c4i org>
Date: Mon, 12 Aug 2002 02:41:41 -0500 (CDT)

http://www.fastcompany.com/online/61/security.html

by Linda Tischler
photographs by Michael Lewis 
from FC issue 61, page 42

"Are you secure? How do you know?" That's the slightly paranoid slogan
of a new training academy, run by Sondra Schneider, that's devoted to
keeping corporate data safe in an unsafe world. Now, if only her
students would talk to us ...

It's a dreary day in Georgetown, with rain lashing at the windows of
the Marriott Conference Center. Inside Salon H, a group of government
employees is paying rapt attention as Sondra Schneider, a small woman
with an arsenal of electronic gadgetry, charges through a presentation
on the technologies that will soon make computer passwords obsolete.
The air is dense with geekspeak spiced with a dash of federalese.
There's talk about encryption and nonrepudiation, digital signatures
and biometrics, and more acronyms than you'll find in a bowl of
alphabet soup: PKI, VPN, CHAP, TACACS. All this for the DOD and the
DOJ, the FAA and the OMB!

During the break, I do what you're supposed to do at conferences: I
mingle. Seeing me approach, Philip, a curly-haired guy in the back
row, looks anxious. I ask him where he works. He looks at my notepad
and considers bolting for the door. "I, uh, am a contractor for the
INS," he says reluctantly. "Cool!" I say. "What do you do?" Panic
creeps into his voice, as if an image of his credentials being
shredded flashes before his eyes. "Uh, I work with biometric
[censored], encrypting [censored] for [censored]," he replies. "But
you can't use that."

There's a guy in a striped sweater and glasses in the front row who
looks brave. I lean over. "Hi!" I say, trying not to sound like I'm
grilling an Al Qaeda operative. "What are you working on?" He looks at
me as if I've just asked for the PIN to his Cayman Islands bank
account. "Army. Comanche helicopters. It's classified."

Welcome to the brave new world of high-tech security, where the
unintelligible language of 21st-century computing fuses with the
once-unimaginable threats that the country faces. Before September 11,
corporate and government security experts worried primarily about
online identity theft, credit-card fraud, and rogue hackers. Now
they've put cyberterrorism at the top of the list of threats that keep
them up at night.

That's bad news for companies, but it's a business opportunity for
organizations that are looking to train security professionals to
defend their systems. One of the newest and savviest organizations to
stake a claim in this space is Security University, an outfit that
offers advanced information-security training for executives, network
professionals, and systems administrators.

The so-called dean of the university is Schneider, a diminutive
cybercommando whose mission is to train an elite corps of security
specialists -- much as the Army trains the Green Berets. "I didn't go
to war. I didn't fight for my country. But I can make a big difference
when it comes to training those people and giving them the tools they
need," says Schneider, who is Security University's founder and CEO.

A fledgling operation based in Stamford, Connecticut, Security
University is nearly as virtual as a digital signature: There is no
campus, no classrooms, and no war room. Schneider and her team of 18
instructors travel the world, holding classes on such topics as
intrusion detection, advanced firewalls, PKI ( public-key
infrastructure, a framework for the secure exchange of digital
information ), and forensics. Take eight classes and a tough test, and
you could earn AIS ( Advanced Information Security ) Certification, a
proprietary credential that the school plans to begin offering next
year.

Other organizations provide similar credentials in this field, among
them recognition as a Certified Information Systems Security
Professional ( CISSP ) from (ISC)2 and a Global Information
Assurance Certification ( GIAC ) from the SANS Institute. But
Schneider maintains that the training at Security University offers
more hands-on experience than the others -- a process, she says, that
helps students understand how to protect the path to a network's
critical assets more effectively and to evaluate new software and
security devices before committing company resources to their
purchase.

"Lectures are valuable for managers, but they aren't as good for
practitioners," Schneider says. "We take our students through the full
life cycle of a security technology and its application, including
multiple corporate or government scenarios. We encourage people to
play with the latest toys that we get from vendors. Most people would
never have a chance to do this at work. But if they don't try them,
how can they go to management and recommend buying them?"

While Security University's courses may seem esoteric to a
nonprofessional, Schneider's tales of information-security lapses can
curl the hair of even the most naive generalist. During one security
assessment, she says, it took a team of experts just three and a half
minutes to access a nuclear power plant electronically. Even a
semiskilled hacker can change an IP address in under three seconds.
Schneider also warns that something as simple as leaving an "out of
office" message on your computer can leave you open to cybermischief.

Frank Groneman, a network-security engineer at Gtech Corp., a Rhode
Island firm that provides high-tech services for approximately 70% of
the world's lotteries, says that Security University courses gave him
the hands-on experience that he was looking for. "I learn by doing,"
he says. "I can watch people put up slides all day, but it doesn't
really sink in." Like many other firms with high-level security needs,
Gtech encourages staffers to keep up to speed on the latest
advancements -- or risks -- in the field. "We need to have absolute
security," Groneman says. "One transaction could be worth $200 million
to $300 million."

One year after launching the university, Schneider tried to sell it to
a New York firm ( she won't reveal the name ). When that deal didn't
work out, she took back ownership and relaunched this past March. Now,
she says, her goals are to expand her course offerings, recruit more
instructors, and roll out the first AIS Certification test by
mid-2003. But her one driving concern, she says, is to spread the word
about the urgent need for enhanced information security. "If somebody
said, 'Here's $100 million, what do you want to do with it?' I would
offer 10 times more programs, decrease the cost of classes, and make
sure that millions of people get trained."

Tell that to Congress, says Philip, our secretive friend from the INS,
whose agency has come under attack for its failures before and after
September 11. "Until recently, we've had antiquated network procedures
because improvements didn't get funded," he says. "Faulting folks at
the INS or the Border Patrol for security lapses is totally
misplaced."

Contact Sondra Schneider by email ( s0ndra () securityuniversity net ).



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.