Technology Stocks : COMS & the Ghost of USRX w/ other STUFF
To: David Lawrence who wrote (15633) 5/26/1998 4:38:00 PM
From: Moonray
 
Systems Security - There's Evolution in the Air
Newsbytes - May 26, 1998 15:58

WASHINGTON, D.C., U.S.A., 1998 MAY 26 (NB) -- You have just
installed the latest, greatest, coolest, state-of-the-art firewall for
your bleeding-edge security system. You are encrypting every bit of
communication that moves across your global enterprise. Now you're
locked up tighter than the nuclear war code, right? Wrong, some
experts say.


"Overall systems security technology is not being embraced as fast as
one might have thought a few years ago," says Gary Van Dyke, president
of J.G. Van Dyke & Associates Inc., Bethesda, Md.

"There's a lack of understanding by many enterprise managers in the
government and the commercial sector as to what systems security is
all about," says Van Dyke, whose company promotes itself as "People
Making Information Technology Work Securely."

He and others say many people still think too narrowly about overall
systems security, although there has been some progress in terms of
implementation, particularly among government practitioners.

"Perimeter security is where most people start," says Ken Newcomer,
vice president and general manager of government systems for V-One, a
Germantown, Md.-based network security solutions provider.

"They spend all their money on firewalls, but that will never solve
their whole problem. The big challenge is plugging holes in huge
networks," he says.


"Far too many companies and government agencies believe that firewalls
and customized security devices will solve their enterprisewide
security problems," Van Dyke says. "But they don't come close. You
don't just take a device, attach it to the system and have system
security."

So what do you have? Extremely tight security for part of your system.
Or fairly tight security for most of your system. Or perhaps fairly
loose security for all of your system.

Any of those options may fool some of the hackers all of the time,
or all of the hackers some of the time. If you're looking for a
panacea, though, don't bother. There isn't a product around that stops
all of the hackers all of the time. Witness the embarrassing
intrusion April 21 by the hacker group known as the Masters of
Downloading who broke into the Defense Department's Defense
Information Systems Network.

But there's evolution in the air, particularly among government
practitioners. James Massa, director of Herndon, Va.-based federal
operations of Cisco Systems Inc. [NASDAQ:CSCO], says the gap between
thinking about systems security and implementing those applications
is shrinking.

"The closer you are to working with bad guys or finance, the faster
you're moving toward overall systems security," Massa says.

Some agencies, such as Treasury and Justice, are more aggressive than
Agriculture or Transportation, he says. However, each agency is
proactive to the level of sophistication needed to secure its network.

"Thinking about that always has been leading edge. Implementation
always has been trailing edge. But now there's an exponential surge in
implementation," he says. "Many agencies are finally addressing the
problem (of thinking maximum and acting minimum) and actually making
the leap."

The non-civilian entities, such as the intelligence community, the
military's global complex and the energy-focused, are traveling at a
fast clip. The civilian agencies for which systems security is not
life and death are moving at a more moderate pace.

But that can be a quantum leap for an organization that didn't know
how to jump.

"Before we got Cisco's NetSystem 5500, we had nothing," says Keith
Scott, network manager for the Pentagon's On Site Inspection Agency.
"We did network management on the fly and by the seat of our pants.
We could accidentally take down a port to Europe with a typo and not
know we did it until later."

That was hardly sturdy system security for a joint-service Department
of Defense organization responsible for implementing inspection,
escort and monitoring requirements under verification provisions of
U.S. international arms control treaties and confidence-building
agreements. This agency also represents the United States on U.N.
arms inspection teams.

Deciding it was way past time to really manage his network, Scott - a
die-hard Bay Networks 5000 booster - last year began a six-month,
high-speed network study among the big four equipment providers:
Cisco, Cabletron [NYSE:CS], Bay Networks [NYSE: BAY] and
[NASDAQ:COMS] 3Com. The one that best answered his big four
requirements - event notification; performance monitoring and
analysis; configuration management; and resource management - would
leave the others in its dust.

"They were (all) pretty equal on specific requirements, such as
packet throughput and manageability," Scott says. "But Cisco blew
everyone away on cost. It was easy to install. And securitywise,
I'm covered."


Well, almost. Scott gives himself a seven on a scale of 10 for overall
systems security. But as soon as he finishes installing Cisco's
NetRanger and NetSonar intrusion devices - that number will be nine.

"Until we switched to a totally switched network from a totally shared
one, I don't think we realized the network is so important to the
business process that we can't live without it," Scott says.

"Information lends a big part of our mission success. It's very, very
important to get the information to the inspectors actually doing the
work. And it's absolutely critical to keep that information secure."

So the network is supported by firewalls. And when the NetRanger and
NetSonar are installed, remote access will be more difficult than ever
for those without an invitation. Users of the ISDN-based system will
be given token-based authentication so the system knows they are who
they say they are. Users will be admitted based on something they have
and something they know.

And for those thinking about just dialing in and getting a user ID and
a password, forget it. Scott's been there and done that, and he's not
going there again.

Neither is Alan Dahl, chief of technical infrastructure affairs in the
consular systems division of the Bureau of Consular Affairs at the
State Department.

The bureau's central IT shop began the ALMA (A Logical Modernization
Approach) program in 1995 because its infrastructure was so old that
the vendor, Wang Global, Billerica, Mass., no longer manufactured the
products.

And since the legacy system was not Year 2000 compliant, the bureau
literally walked into its Y2K solution.

There are not many people out there building visa systems, Dahl says.

"It's not something that people really will buy out there. But we do
get inquiries from other governments, particularly the Aussies and
the Canadians, who are in the same league," he says. "And we're very
serious about security."

The Bureau of Consular Affairs doesn't have a choice. Even though its
information is sensitive but unclassified, the State Department's
Certification Advocate works closely with Dahl and his colleagues to
assuage the pain of obtaining the advocate's approval. If that
official says no, the application doesn't go.

So should there be this much blood, sweat and tears over the names of
passport applicants and those seeking U.S. citizenship? Dahl says an
average hacker would find the information dull. But, he adds, certain
criminal elements might find some of the information useful.

"If they knew the contents of the name-checking database, it might
give them ideas about identities or aliases not to use," Dahl says.
"That's always a problem in intelligence agencies, of course. But
we're doing some work on that. We think we've established a security
posture that basically tells a hacker that the data he'll get isn't
worth the effort to break down our system's security."

Consular Affairs has accomplished that by building security into
systems as they develop and by putting the topic high on its
employees' radar screens. ALMA isn't just about upgrading boxes and
enhancing networks; it's about a new attitude.

"Security isn't an afterthought for us," Dahl says. "Between us and
the department, we spend a lot of time and energy accounting for the
security of our system. We don't want to engineer something later
because we forgot about it earlier."

Dahl isn't the only one thinking about doing it to them before
they do it to us. Even the government gets that message.

According to Input, a market research firm in Vienna, Va., the
government's security expenditures will rise to $827 million by
fiscal year 2002 from $638 million in fiscal 1997.

That's a very healthy 5.3 percent compound annual growth rate. Also,
these figures do not include spending on classified security systems.

But that rate trails the compound annual growth rate for overall
government information technology spending, which Input projects at
5.9 percent for the same period, culminating at $30.1 billion in
fiscal 2002.


The security projections did not include all expenditures by the
Pentagon, which, as spokesman Ken Bacon told the Associated Press in
April, will spend $1 billion annually for the next several years to
improve its classified and unclassified computer security.

Other security pieces of the IT market also are rising. A Volpe,
Brown and Whalen study says that by 2000, virtual private networks
will be in and firewalls will be out.

The firm projects virtual private networks spending will rise to more
than $4 billion that year from less than $1 billion in 1997. By
comparison, firewall spending in 2000 will hit $2.5 billion from
1997's $1.6 billion, which isn't exactly chopped liver.

The fuel for the spending fire is business-to-business electronic
commerce, which the Yankee Group of Boston predicts will grow to
$171 billion in 2000 from the comparatively puny $7 billion in 1997.
That's more than a 24-fold increase.


More electronic commerce means doing more business over the Internet.
Nothing could be lower in most government and commercial IT
organizations' business plans.

Mike Kearney, a security specialist in IBM's SecureWay group, says the
"tremendous wariness" about Internet business among his government
customers hinders development of state-of-the-art applications because
security-conscious employees just won't go there.

"No one wants to be the first to put a national program at any security
risk," he says. "To do serious business on the Net requires a very
critical look at security."

The view is hardly spectacular. But it may brighten considerably with
the emergence of public key infrastructure (PKI), a digital
certification procedure that its growing number of proponents claim
will truly secure system security.

"You get authentication and privacy, and you can manage security across
the enterprise with PKI," says Brian O'Higgins, executive vice
president and chief technology officer of Entrust Technologies, a
Richardson, Texas-based subsidiary of Canadian telecom giant Nortel.

"Users only need a single sign-on," he says. "I think it's the future
for securely managing applications on the Net."

That future may be now. Entrust took four years for its products to
reach 1 million users; last month it had 2.5 million.

Even the most conservative Wall Streeters might appreciate a 150
percent increase.

"PKI's not widely understood yet because it's new," O'Higgins says.
"But internationally it's really cranking up. The power curve is just
starting. The real curve will come later this year."

But who will ride it? What will make the insecure feel secure?

"The government's more aware of security issues because it's vulnerable
to attack by disenfranchised parties," says Van Dyke. "Industry is
very reluctant to let the public know it has a problem."

Van Dyke claims that cultural mind-set is dissolving, but it will take
at least another year before the vulnerability appears on investment
and budget projections. Companies are gradually - if grudgingly -
admitting that security is more than a square to check off on the
daily schedule and to get the auditors off their backs.

"More and more companies and government agencies want to know why they
were attacked," he says. "They finally want some answers.

"So there's an increasing trend that security can no longer be put off.
And the more you learn about it, the more you realize that implementing
system security is a considerable undertaking."

Reported by Washington Technology: wtonline.com

o~~~ O