Information Security News mailing list archives

EidenReport - Computing Security - Two Views


From: InfoSec News <isn () c4i org>
Date: Wed, 5 Jun 2002 03:19:49 -0500 (CDT)

[Of all the newsletters I get, (both unsolicited and subscribed) I try
to make the time to read The Eiden Report. Jim is a font of
information on various subjects of business, and with the Internet,
how it relates to business today. Jim's newsletter is free and if you
are interested in another viewpoint, I recommend mailing Jim and
asking him to subscribe you to his newsletter.   - WK]


---------- Forwarded message ----------
Date: Wed,  5 Jun 2002 00:43:02 -0500
From: Jim Eiden <Jim () eidenreport com>
To: William Knowles <wk () c4i org>
Subject: EidenReport - Computing Security - Two Views


Computing Security, Two Views.

In this issue, we have two separate views of business and computing
security.  Jan Hertzberg is a Principal of Axiom Security.  Jan has
extensive IT, security and business process experience.  The overall
goal of Axiom is to bridge the gap between IT and business functions
and processes as they apply to security.

We then have a featured interview with Richard Forno, author of
InfoWarrior, and former executive of Verisign.


GUEST COMMENTARY - Aligning Security Initiatives and Business Goals,
Jan Hertzberg of Axiom Security LLC

Many security professionals want to know "how can I increase senior
management's support for new digital, physical and employee security
initiatives?" To be sure, there are many good reasons for companies to
consider increasing their attention to security in the aftermath of
the 9/11 tragedy, including the growing prevalence of workplace
violence, unrelenting hacker attacks and virus threats. Ironically,
while internal and external threats still show no sign of abating,
enterprise spending for security is expected to increase only modestly
in the next few years.

What is the most effective approach for creating awareness of the
importance of security? Above all, security professionals need to
resist the temptation to create a "hyper-awareness" of security issues
that quickly burns itself out. While the use of fear, uncertainty and
doubt may temporarily serve to convince an executive that more needs
to be done to protect the company and manage risk, this approach does
not succeed in creating long-term partnerships between security
professionals and management. For instance, in the aftermath of Y2K,
many non-IT executives lamented that they were "railroaded" into
expensive and often unnecessary system changes/upgrades, based on a
predicted cataclysm that never occurred. Many of these executives will
think twice before approving new proposals based on perceived "scare
tactics".

Today's executive is faced with an increasingly competitive
marketplace in which reduced margins, competing priorities and a
steadily shrinking budget take their toll.  While executives
acknowledge that security threats are real, they may find it difficult
to justify a sizable increase in spending to manage risk. They may
also be unable to devote time and resources necessary to review and
test the company's business continuity, disaster recovery and other
security strategies.

The key to creating a win-win situation with senior management lies in
identifying opportunities to align with the company's established
business goals and objectives as well as to find collateral benefit
with other parts of the organization. These opportunities will help
the executive understand how security can complement and facilitate
the enterprise's current priorities. Rather than require the
implementation of a "one-off" solution, security can actually be an
enabler of other business goals.

Here are some traditional business goals that may be enhanced by
security solutions:


1. Promote Cost-Efficiency - Executives often strive to increase
cost-efficiencies throughout the organization, and there is constant
pressure to "get lean and mean". Security solutions, e.g. biometrics
or smart cards, may be used to reduce the overall volume of password
resets, thereby allowing help desks to reduce their costs. Also, a
fully-equipped, alternate data center can help ensure business
continuity and improve operational performance by providing auxiliary
computing power during peak processing times. While capital
expenditures are required initially to establish a robust computing
environment with full redundancy, significant savings in
infrastructure and facilities may be realized over time. If
high availability is important to the objectives and goals of the
business, not having it can mean the difference between profit and
bankruptcy.

2. Protect Market Share - Bank of America, Northern Trust and
other financial institutions have taken highly visible positions in
promoting increased privacy for their customers. Many insurance
companies now offer "eSecurity" products intended to protect the
enterprise from hacking and other break-ins. As society's concern
about security and privacy grows, interest in these companies and
their products will inevitably grow.

3. Improve Customer Service - Consumers are regularly inundated with
requests for userids, passwords and Personal Identification Numbers
(PINs) from web sites, help desks and Interactive Voice-Response (IVR)
systems. Responding to these repetitious requests can be a frustrating
experience. Use of biometrics may offer a less stressful customer
experience with improved authentication and non-repudiation.

4. Protect Innovation - Corporations that have recently gone through
rightsizing or downsizing measures may be vulnerable to theft of their
intellectual property (IP) or even sabotage by disgruntled
ex-employees. Much can be done by the security professional to protect
corporate information assets, from creation of policies/compliance
tracking to monitoring networks and hosts with intrusion detection and
tracking fraud with computer forensics.


In summary, a true partnership between executives and security
professionals requires consideration of business objectives, company
mission and the role that security can play to enhance and add value
to the business. In short, the security professional needs to share
the executives' vision of the company and its future.

Jan Hertzberg - CISSP
Principal, Axiom Security, LLC
jhertzberg () axiomsecurity com
866-297-9997



- - - - - - - - - - - - -SPONSOR - - - - - - - - - - - - - - - - - - -

Like what you see with the Eidenreport.com?  Let Mir Internet Services
do the same for you.  From web design and database development to a
look and feel that is appropriate for your organization.

Mir features SEO Logic(TM), which integrates consumer search behavior
analysis with search engine optimization services, driving targeted
traffic to your web site.

Contact:
Jonathan Ashton, VP of Business Development at (773) 661-1011. 
Website: http://www.seologic.com/

Or

C. J. Newton, CEO
Mir Internet, Inc.
1608 N. Milwaukee Ave., Suite 807
Chicago, Illinois  60647
p. 773.661.1011
c. 773.837.8012
f. 773.661.1012
e. cnewton () internetmadeeasy com
w. http://www.internetmadeeasy.com

- - - - - - - - - -SPONSOR - - - - - - - - - - - - - - - - - -



FEATURED INTERVIEW - 21 Questions with Richard Forno


Hailing from a 'hands on' background in security operations, Richard
most recently served as the Chief Information Security Officer for
Network Solutions (now VeriSign), the company operating the central
servers for the Internet. In this role, he built the first information
assurance program and incident response capability for one of the
world's most critical information infrastructures, drawing on his
previous experience coordinating computer crime investigations and
information security projects for the US House of Representatives and
other government agencies. In 2001, he co-launched Whonami, an
independent whois engine with unique translation capabilities.

As an adjunct lecturer at The American University, he developed (and
delivered) the University's first courses on information security and
information warfare, and conducts recurring guest lectures at the
National Defense University. In 2000, he was an active participant in
the White House Office of Science and Technology Policy Information
Security Education Research Project. He is also co-founder of
G2-Forward and the ACCESS:INTELLIGENCE project, an innovative
information service serving the national security and emergency
preparedness communities since 1997.
 
A student of national security studies, Richard is a frequent lecturer
at government, industry, and academic symposia. He is co-author of the
popular books The Art of Information Warfare (Universal, 1999) and
Incident Response (O'Reilly, 2001). His 1998 essay on the "InfoCorps"
(appearing in the AFCEA book CYBERWAR 2.0) helped shape DoD
initiatives in developing information assurance and Internet risk
assessment capabilities during the 1990s. He also pens a recurring
column for Securityfocus.Com and his personal website,
Infowarrior.Org.

Richard holds degrees from Salve Regina University (M.A.,
International Relations), American University (B.A., International
Studies), and Valley Forge Military College (A.A., Business) -- and is
the youngest recorded graduate from the United States Naval War
College. His professional affiliations include the National Military
Intelligence Association (Past President, Potomac Chapter);
High-Technology Crime Investigations Association; and United States
Naval War College Foundation.



1. How did your military experience prepare you for a career in
   computing security?

The military experience was not IT related at all.


2. With InfoWarrior, why did you take the Chinese philosophy/military
   approach to security?

It seemed like a fun way to approach the subject. Both my coauthor and
I are avid readers of Asian military arts. We figured that Sun Tzu's
Art of War text was a logical way to discuss information security at
both the Corporate and national levels. As a result, we 'created' our
own 'philosophers' that, like in Sun Tzu's work, discuss the
philosophies of information security in an easy-to-follow, readable,
and occasionally fun manner.


3. Have you read The Cuckoo's Egg, by Clifford Stoll?  If so, what are
   your comments regarding the book, and what happened?  (Editor's
   note: The Cuckoo's Egg is perhaps one of the best books on computing
   security.  It is a true story and is written like a spy novel,
   except that it actually happened).

Cliff's book is WONDERFUL! It is THE book on what computer
investigations are like -- although it was written in the late 1980s,
very little has changed. I use it as a required text in my INFOSEC
class, to show students that hacker-tracking involves hours (if not
days) of sheer boredom followed by a few minutes of sheer panic and
excitement. I firmly endorse Cliff's text to this day.


4. According to the Cuckoo's Egg, the U.S. government was very slow to
   understand the gravity of what was happening as well as slow to
   respond.  Has the U.S. Government taken computer security more
   seriously? (before Sept 11, 2001).

The USG traditionally moves slowly in any area it touches. Regarding
computer security, I'm afraid it continues to avoid taking
responsibility for it at its agencies, choosing instead to fund
research, reports, and studies -- long-term stuff -- instead of
significant funds to close the vulnerabilities and exploits we already
know about.

The problem is that the USG tends to always consider 'future problems'
instead of the 'immediate' ones that present dangers.


5. Have there been significant changes in the way the U.S. government
   has approached computing security after Sept 11?

It's been paid increased lip-service, and it now falls under Tom
Ridge's organization, but I think the security emphasis on terrorism
in the 'real' world is more appropriate at this point. Cyberterrorism
IMO is not a major issue that we should be losing sleep over.  So, in
general, INFOSEC has received some increased attention and funding,
but I'm skeptical of its effectiveness.

However, there has been increased bureaucracy and working groups
created to deal with computer security -- as with any tragedy, the
bureaucracy will be created to figure out how to deal with it. That's
the nature of bureaucracies in general!!  :)


6. In your opinion, what percentage of computing security is based on
   common sense people issues, and what percentage is technical?  Why?

I'd say computer security is 80% common sense and 'non-technical
stuff' - with the rest being effective security technologies.
Unfortunately, it seems folks are enamored with the glitter of
anything technical, so they spend a fortune on so-called silver-bullet
solutions instead of taking a macro look at whether or not such
procurements will actually increase their level of REAL security, or
it's just continuing the illusion of security.


7. What major trends are you seeing in hacking/cracking?  Has activity
   increased or decreased?  How much is malicious (such as 
   defacements), versus more serious crimes (such as financial 
   blackmail, code stealing, etc)?

Web defacements, DDOS, viruses, etc, are nuisance attacks that while
causing problems, aren't a significant issue for me that cause me
worry.  Rather, it's the ones I DON'T know about - folks that are on
my networks and stealing information from me -- that I'm very
concerned about. The stuff making headlines is noise.....but you
rarely hear about 'significant' security attacks or events.


8. How many security related events do you attend per year?  Which
   ones are the best?

I attend probably a dozen or so such events. The best ones are hacker
cons - such as Rubi-Con in Detroit - where you get great technical
sessions and also learn in the unofficial party sessions upstairs. :)


9. In terms of attending events where there are so called "Black Hats"
   and "White Hats" in attendance, what kind of protocols are there so
   that you don't give away secrets to each other, but can also learn
   from each other?

It's a matter of who-trusts-who. I know some black hats that trust
'feds' with information, and others that won't even be in the same
room if they know a 'fed' is present.  At such events it's almost like
a 'thieves code' if you will, about how folks relate. For example,
I've been a 'white hat' for a while, and folks know I work with law
enforcement and others on computer security matters - but I've
achieved a decent level of 'trust' among my underground friends, and
that's a wonderful thing.


10. Have there been arrests at these type of events/conventions?

Dmitry Sklyarov, a Russian programmer, was arrested @ Defcon last year
in Las Vegas under the Digital Millennium Copyright Act (DMCA) for
releasing a tool that Adobe Systems thought infringed on its
intellectual property.

Every now and then, folks will get arrested for drunk and disorderly,
or small-time drug stuff, but that's par for the course in hacker
conferences.


11. Do you advise or work with Disaster Recovery issues as well?

Occasionally - but I have friends that do more than I in this area.


12. Do you advise or work with Internet Fraud in addition to Security
    issues?  If so, can you tell us about some of this work as well?

Sure, I have been involved with credit card fraud investigations for
the past several years.  Usually this involves stolen credit cards, or
electronic credit card generators used to rake up fraudulent
purchases. In fact, back in 1993, I was one of the first to
demonstrate the capabilities of PC software to generate viable credit
card numbers to the Secret Service (the folks charged with these
investigations) -- they were in awe of the software I showed
them.....and no, I didn't write the code, I showed 'em how it worked.


13. How long do you think it will be before companies and governments
    view computing security as an integrated part of 
    business/operations rather than an after thought?

When Boards and Executive Management get their collective heads out of
their collective backsides. Security is a function of business, and
serves to ensure revenue streams. Until the CSO is a direct report to
the CEO, and can brief the Board routinely, this will continue to be a
problem.

I've seen too many cases where security issues continually impacted a
company, but nobody upstairs was willing to accept knowledge about
them, or mandate problems be fixed -- choosing instead to ride wave
after wave of bad press and notoriety.


14. Are you working on any other books, if so, when can we expect a
    new book, and what will it be about?

Yup. A social commentary about technology, society, government, and
other issues.....think of it as George Carlin meets Dennis Miller as
written by Andy Rooney.  :)  But while it will include IT, it won't be
an IT book per se.


15. What is the most important piece of advice you would like to give us?

Security is only as effective as those responsible for developing,
deploying, and participating in it. Technology can't solve the
'people' problem, and as a result, we continue to see organizations
operating under the illusion of security, instead of the reality of
effective security.


16. What is your opinion on Kevin Mitnick?  Was he framed, or
    did he really do what he was convicted for?

Never followed the case closely enough to care. However I do think
he's gotten a bad rap though - he's not a "cyberterrorist" like the
media portrays him.


17. What is your opinion on the recent capture and conviction of the
    person responsible for the Melissa virus?

Good riddance. However, I'm more concerned that the company
responsible for laying the framework for Melissa, Code Red, Sircam,
and other viruses/trojans never gets punished. Microsoft's
poorly-written software has been the cause of most computer security
news in recent years, yet NOBODY seems to care about pointing fingers
at them.

The MS 'Trustworthy Computing' initiative - such that it is - is
simply too little, too late, and is probably done because folks are
now starting to realize that MS products may not be the best thing for
their companies, and to prevent a mass exodus of customers, Gates &
Co. released their Public statements about being committed to
security, etc, etc, etc.....most of the security folks I've spoken to
think this is nothing but PR spin and marketing, that security really
won't be improved much by MS.


18. Cisco recently announced better than expected earnings.  Do you
    think this is due to increased spending for computing security?

Not really, particularly since I don't think of Cisco as a 'security'
company.


19. Being a former employee of Network Solutions (Verisign), can you
    comment on what is happening in the domain name industry?  Where 
    do you think the industry will be 5 years from now?  What role do 
    you think ICANN will play in the future?

ICANN was flawed from the start, and they only recently admitted it
publicly. The domain industry is seriously flawed thanks to competing
vendors, slamming, questionable policies (enacted by ICANN and WIPO)
that almost always favor corporations over individuals, and other such
issues.  ICANN (or something like it) should remain an advisory body
for consensus, but needs to get out of its 'meddling' in areas they
have little competence or charter to deal with.

Unfortunately, ICANN consists of folks with little real-world
operational IT experience (a few exceptions exist though) and is full
of lawyers, analysts, and people that probably could have fit in very
well on the Enron Board.


20. In addition to Ancient Chinese Military philosophers what other
    influences have impacted your career and perspective?

My family, and the tenets of Valley Forge Military Academy and
College. Both taught me to seek, strive, and never settle, and to
always do so with a high degree of energy, integrity, and empathy.


21. What is next for Richard Forno?

I'm currently consulting to the Department of Defense on information
warfare and critical infrastructure protection issues. With my
master's degree completed, I've got more time to write and lecture,
and I aim to continue doing so, and teaching my adjunct class on
INFOSEC (Information Security) here in DC.  I plan to remain
consulting, since it's a flexible lifestyle that gives me a variety of
environments to work in and learn from.

...and, of course, to hopefully make a difference in this crazy,
mixed-up world we're trying to survive in!!!

Richard Forno
http://www.infowarrior.org
rforno () infowarrior org



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
