Chapter 11. Looking Back: What's Next?

Reality is that, even with the major focus on security in this country, American businesses are not investing in resolving security vulnerabilities. They seem to be waiting for the "significant emotional event" to occur, like the loss of customer credit card information, before they invest in security. The problem is that that point in time may be too late.

John Kirby, Director, Enterprise Protection Strategy Security and Privacy Enterprise Information and Technology for Electronic Data Systems (EDS)

Some things change so fast it is difficult to figure out how to keep them secure. That is exactly the challenge organizations face when it comes to understanding currently deployed technology and its security vulnerabilities.

The first time I audited Costa Corp as a contractor, its executives were motivated because the company had been broken into and important financial information had been stolen and made public. A security audit several years earlier had shown that the systems were not patched, were vulnerable to attack, and needed to be secured and monitored. However, management never carried out the audit report's recommendations to fix those security violations.

Although Costa Corp had conducted the assessment, it simply did not have people on staff who knew how to secure the systems. Therefore, the systems were left unsecured and vulnerable to attack. My audit several years later showed that these systems were still at risk: security patches had not been applied, passwords could be easily guessed, unnecessary services were enabled, and more security violations existed than in the previous assessment.

The break-in and loss of financial information raised awareness at the executive level. That kind of unauthorized access and disclosure of proprietary information is typically an eye-opener for any CEO or CFO. My assessment showed that these risks would continue and would increase without funding to correct them. Management soon funded efforts to improve security (such as software tools, head count, training, policies, and controls). More than just providing money, executive management made a commitment to carry out and maintain security.

Management put in place a strict policy to ensure that system security was configured and maintained. A real motivator for every system owner, the policy stated that if a system was tested and found to have security vulnerabilities, those vulnerabilities needed to be fixed within 48 hours or the system would be removed from the network. The CIO backed this policy and it was enforced throughout the organization. Policies need to be backed by executives; otherwise, they become useless.

When the CIO was replaced, the new CIO held different views about security. The old CIO was committed to the comply-or-die policy: either you comply with the policy or your system is pulled from the network. The comply-or-die policy was good for security, but it demands commitment from the top down. Security goals for each organization need to exist: training must be conducted so that people understand how to secure the systems; tools need to be used for testing, monitoring, and maintaining security; people must test and secure the systems; and so on. Because the new CIO did not support the policy, many systems on the network became less secure over time. In addition, the new CIO never communicated a corporate goal for security. When important e-commerce initiatives ran over budget, the purchase of intrusion detection and security-testing tools was put on hold so the funds could go into the e-commerce budget. Thus, the company drained resources from its security budget to support corporate business goals.



IT Security: Risking the Corporation
ISBN: 013101112X
Year: 2003
Pages: 73
