Information Security News mailing list archives

Security controls


From: InfoSec News <isn () c4i org>
Date: Fri, 27 Sep 2002 02:09:10 -0500 (CDT)

http://www.infoworld.com/articles/ct/xml/02/09/23/020923ctinsider.xml

[It's a little stale for ISN, but the mention of TruSecure's covert ops
perked my ears. - WK]


September 20, 2002 1:01 pm PT

SECURITY IS ON every CTO's mind these days, but what's the best way to
evaluate security threats? TruSecure, a Herndon, Va.-based company,
has come up with a risk assessment philosophy that it says focuses on
real-world threats. Using a subscription business model, TruSecure
sells its services to some 700 corporate customers. InfoWorld spoke
with TruSecure CTO Peter Tippett.


What is the overall mission of TruSecure?

We're really trying to change the way people do security. TruSecure is
organized around defining risk in a way that's measurable. ... Instead
of measuring [risk] in a company, we measure it in the world, an
actuarial sort of thing. So we generally don't believe in things like
doing a risk assessment at a company or doing vulnerability testing.  
... What we've set out to do is figure out what percent of
vulnerabilities represents real risk and how we could go about
figuring [the risk] out. We set up a pretty large organization that
includes ICSA [International Computer Security Association] Labs,
which is a certification and testing facility, like Underwriters Labs.  
All the firewalls, all the anti-virus products and all those things
are there. ... We don't do any consulting; we don't sell any software
or any hardware. Instead we sell a service that measures where a
company is in relation to things we call "the essential practices."  
... Most companies buy a three-year subscription, and during that
time, we give them a very, very broad array of security services. ...  
They get testing, they get alerts, [and] they get decision support.  
They get what amounts to a help desk.


While everybody else is sitting at home fretting about the crime rate,
you're out patrolling the neighborhood?

We are actually out fixing things. ... [We test] every anti-virus
product every day against every virus that's ever happened in the
entire world. ... [We do this] by making market-driven mechanisms
where people give us -- and want to give us -- the knowledge we need
to figure out what's really going on in the world. [For example,]
because Cisco hates Check Point, Cisco would be glad to give us an
attack that they think Check Point will fail. If we run it and Check
Point fails it (or any of the other firewall vendors), then [the
vendors] have 10 days to fix it and ship it, or they lose the ICSA Lab
certification. That same sort of dynamic model gives us all kinds of
inroads to figure out what really is going on in the computer security
space.


It sounds like you also have some covert operations going on.

That's true, we call it "IS Recon" and it very much is a covert
operation. It's not a hacking group; it's a mole operation. And this
group has been operating now for almost six years. And it's had dozens
of team members come and go over the time. We don't believe in hiring
hackers, we think that's a really bad idea. But we do believe in
talking and engaging and figuring out what they're saying to each
other. So we have a really neat set of databases. One that we call
"The Brain," and one that we call "The Trough," [and] one that we call
"The Trench." And these [databases] are the results of our listening
to or engaging people in what they're doing. For example, The Brain
database tracks relationships between hacker groups. And currently we
track 3,000 or 4,000 individuals in about 800 different groups. And of
course, the names change and the groups change pretty constantly, but
at any given point in time that's about the number of people whom we
track. We track which attacks they've attacked, [and] which sites
they've hacked.


So when you find out who did what, do you then go work with law
enforcement?

We have nothing to do with law enforcement. We have no interest in
prosecuting anybody, although it has happened many times that [law
enforcement] comes to us. For example, the FBI came to us and asked us
who wrote Melissa, and we told them. It took us a day and a half to
gather 300 or 400 documents together and give [them] to the FBI to
show [the agents] who wrote Melissa. They arrested the guy. We didn't
know his real name -- we just knew his e-mail address and his Internet
address and his IP and the service provider. ... We know his cat's
name and his girlfriend's name, what city he lived in in which time
frames, and what his browser was and what other aliases he used.


To hear Intel and Microsoft tell it, very long instruction words and
Palladium will solve all these problems in a couple of years.

I don't think so. Risk is based on people. Technology helps, but
whatever the technology is, this is a complex world. And the more
complex it gets, the more vulnerable it gets.



Profile

Peter Tippett, TruSecure

* Job title: CTO

* Biggest success: Creating a pragmatic, dynamic, and up-to-date
  corporate information risk model and tracking network

* Key challenge: Getting people to open up to the power and
  cost-savings of modeled, dynamic, outsourced risk management

* Favorite escape: Flying
-
ISN is currently hosted by Attrition.org
