Security Action Plans - InformationWeek


News, 5/27/2005 10:21 AM

Security Action Plans

Being smart about security is as much about commonsense practices as it is about deploying the right software tools.

Centralization, automation, problem prioritization--many IT-security professionals are embracing those concepts as they fight off the never-ending onslaught of threats. Security products can help businesses stem the flood of vulnerabilities, but IT teams also have to put in place processes to ensure that they're responding appropriately and being proactive in warding off potential dangers. Fact is, some companies spend too much on some parts of their organization and not enough on more-vulnerable areas.

Security pros are under increasing pressure to do the job right and cost-effectively as networks extend beyond firewalls to remote users, partners, and customers, and to cell phones, PDAs, and other mobile devices; regulatory requirements to safeguard data have risen; and concerns about identity theft are at an all-time high. Hackings and other unauthorized access contribute to the approximately 10 million instances of identity theft each year in this country, according to the Federal Trade Commission. "How sensitive is a company about being on the front page of the paper?" asks Pete Lindstrom, founder and analyst at Spire Security. InformationWeek and others have reported on a rash of cases involving inadequate security and poor handling of customer data. "If the value of assets is high, companies should follow security best practices," Lindstrom says.

To understand how companies are managing it all, InformationWeek interviewed business-technology professionals on the front lines to see how they're handling some common security issues. From the higher-level picture of risk management to the nitty-gritty details of patching, here's how they do it.

Start With A Master Plan
It doesn't make sense to spend $10,000 to protect a $10 asset. That's the way Christofer Hoff, chief information security officer at Western Corporate Federal Credit Union, sees it. Every security-remediation plan requires knowing how important a specific asset is to the company before time and money are spent securing it. For example, an E-commerce server that brings in millions of dollars in sales is more important than a print server, so it's higher on the fix and secure lists.

CISO Christofer Hoff worked with business-unit managers to set security priorities.

It's all about intelligently managing risk, rather than knee-jerk reactions to the multitudes of threats, Hoff says. Instead of looking for "some Holy Grail security-management product," he set priorities with business-unit managers. Some of the questions they discussed: What would the impact to the business be if the main E-commerce server were compromised? And what exposure would the business suffer if it couldn't process millions of dollars in transactions? "Our business units define what's needed to stay online," he says.

For many businesses, implementing a risk-management plan should be at the top of their security to-do list, says Jon Oltsik, an analyst at Enterprise Strategy Group. But few have taken that step, he says. Instead, the most common reaction to a new threat is to buy more technology. "It's like you're sick, but you just buy medicine instead of going to the doctor," he says.


SECURITY SITES
Stay up to date on vulnerabilities, research, and more:

» www.sans.org
IT security research and education organization the SANS Institute offers research about security best practices, vulnerabilities, training information, and Webcasts.

» www.securityfocus.com
A vendor-neutral security information Web site owned by Symantec Corp. that provides information about the latest security threats and best practices, job postings, free security tools, and listings of upcoming security-related events. The Web site also contains links to some of the best security-related mailing lists, such as BugTraq.

» www.cert.org
The CERT Coordination Center, a federally funded security research and development center, posts information about vulnerabilities, attacks, defenses, and various security stats.

» www.Cybercrime.gov
Computer-crime Web site run by the Computer Crime and Intellectual Property division of the U.S. Department of Justice. This site links to recent computer-crime cases, cyberlaw, and federal laws and policies regarding hacking and intellectual-property crime.

» www.patchmanagement.org
The PatchManagement mailing list is aimed at security pros and network administrators to help them build solid software-patching procedures and policies. The list is maintained by patch-management experts from vendor companies such as Shavlik Technologies and Microsoft.

Western Corporate Federal uses a number of point products, including software from Skybox Security Inc. for threat exposure and analysis, PatchLink Corp. for patches, and open-source software for intrusion detection. All are integrated with risk-management software from Qualys Inc. called VM, which lets Hoff set and enforce security policies and prioritize responses to threats.

"With vulnerability assessment before, we'd sift through hundreds of pages for the E-commerce server or the print server," Hoff says. "Now Qualys shows us where we're vulnerable in business terms." For example, when Microsoft issues patches for its Windows operating system, the credit union uses Qualys VM to identify the first servers to patch. Other security risk-management vendors include Consul, eEye Digital Security, and Trusecure.
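The asset-value-first prioritization that Hoff describes, shown as an added example (not code from the article, nor from Qualys, Skybox or PatchLink): assets carry a business value and a fix cost, each weakness is scored against the value it exposes, and a vendor patch is rolled out to the highest-risk assets first. The asset names, dollar figures and the "VULN-A" label are constructed.

```python
# Added example, not the article's or any named vendor's code: rank fixes by
# business impact and flag assets whose fix costs more than they are worth.
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Asset:
    name: str
    business_value: float   # dollars at stake if compromised (constructed)
    fix_cost: float         # estimated cost to patch or harden (constructed)

@dataclass
class Vuln:
    vid: str                # constructed label, not a real advisory id
    severity: str
    affected: list          # names of assets where the weakness is present

def risk_score(asset, vuln):
    """Severity weighted by the business value exposed on that asset."""
    return SEVERITY[vuln.severity] * asset.business_value

def remediation_plan(assets, vulns):
    """Rows of (asset, vuln id, score, worth_fixing), highest risk first.
    worth_fixing is False in the '$10,000 to protect a $10 asset' case."""
    by_name = {a.name: a for a in assets}
    plan = []
    for v in vulns:
        for name in v.affected:
            a = by_name[name]
            plan.append((a.name, v.vid, risk_score(a, v),
                         a.fix_cost <= a.business_value))
    plan.sort(key=lambda row: row[2], reverse=True)
    return plan

def first_to_patch(assets, vulns, patch_fixes):
    """When a vendor patch closes the given vuln ids, list the assets to
    patch first (highest business risk first, skipping not-worth-it ones)."""
    order = []
    for name, vid, _, worth in remediation_plan(assets, vulns):
        if vid in patch_fixes and worth and name not in order:
            order.append(name)
    return order

if __name__ == "__main__":  # constructed inventory from the article's example
    assets = [Asset("ecommerce-web", 5_000_000, 20_000), Asset("print-server", 10, 10_000)]
    vulns = [Vuln("VULN-A", "critical", ["ecommerce-web", "print-server"])]
    print(remediation_plan(assets, vulns))
    print(first_to_patch(assets, vulns, {"VULN-A"}))  # ['ecommerce-web']
```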

Manage Access
As far as security technology has come, passwords may still be the weakest link in the security chain. "Passwords are the easiest way in," says Andy Jaquith, an analyst at the Yankee Group. "Bad guys get into accounts and try to escalate to a higher level." There's also potential for rogue employees to attempt to access sensitive data. That leads to an endless cycle where passwords are regularly changed to avoid trouble.

It all adds up to the need to deploy smart identity-management tools and establish savvy practices. At Vitas Healthcare Corp., with a workforce of 6,000 and operations across 15 states, authorized employees enter as many as a half-dozen passwords a day to access multiple databases. While it's important to maintain password discipline to secure customers' health-care data, maintaining and managing the situation creates a drag on the IT department. "Our help desk spends 30% of their time on password management and provisioning," says John Sandbrook, senior IT director at Vitas. The company is changing that using Fischer International Corp.'s Fischer Identity Management Suite 2.0 to manage passwords and comply with data-access regulations such as the Sarbanes-Oxley Act. Vitas implemented the suite last fall, and it expects to cut help-desk time spent on passwords by 25%.

The ID-management product includes automated audit, reporting, and compliance capabilities, and a common platform for password management, provisioning, and self-service. "Any company must have unique user IDs and passwords that change frequently," Sandbrook says. With the software, Vitas can enforce strong passwords that some legacy systems won't require on their own, such as those with seven, eight, or nine characters, numbers, and capital letters. And when Sandbrook does an audit, "I see who changed [password] information with good practices, and I feel assured."
