Being smart about security is as much about commonsense practices as it is about deploying the right software tools.
Centralization, automation, problem prioritization--many IT-security professionals are embracing those concepts as they fight off the never-ending onslaught of threats. Security products can help businesses stem the flood of vulnerabilities, but IT teams also have to put in place processes to ensure that they're responding appropriately and being proactive in warding off potential dangers. Fact is, some companies spend too much on some parts of their organization and not enough on more-vulnerable areas.
Security pros are under increasing pressure to do the job right and cost-effectively as networks extend beyond firewalls to remote users, partners, and customers, and to cell phones, PDAs, and other mobile devices; regulatory requirements to safeguard data have risen; and concerns about identity theft are at an all-time high. Hackings and other unauthorized access contribute to the approximately 10 million instances of identity theft each year in this country, according to the Federal Trade Commission. "How sensitive is a company about being on the front page of the paper?" asks Pete Lindstrom, founder and analyst at Spire Security. InformationWeek and others have reported on a rash of cases involving inadequate security and poor handling of customer data. "If the value of assets is high, companies should follow security best practices," Lindstrom says.
To understand how companies are managing it all, InformationWeek interviewed business-technology professionals on the front lines to see how they're handling some common security issues. From the higher-level picture of risk management to the nitty-gritty details of patching, here's how they do it.
Start With A Master Plan
It doesn't make sense to spend $10,000 to protect a $10 asset. That's the way Christofer Hoff, chief information security officer at Western Corporate Federal Credit Union, sees it. Every security-remediation plan requires knowing how important a specific asset is to the company before time and money are spent securing it. For example, an E-commerce server that brings in millions of dollars in sales is more important than a print server, so it ranks higher on the fix-and-secure list.
It's all about intelligently managing risk, rather than knee-jerk reactions to the multitudes of threats, Hoff says. Instead of looking for "some Holy Grail security-management product," he set priorities with business-unit managers. Some of the questions they discussed: What would the impact to the business be if the main E-commerce server were compromised? And what exposure would the business suffer if it couldn't process millions of dollars in transactions? "Our business units define what's needed to stay online," he says.
For many businesses, implementing a risk-management plan should be at the top of their security to-do list, says Jon Oltsik, an analyst at Enterprise Strategy Group. But few have taken that step, he says. Instead, the most common reaction to a new threat is to buy more technology. "It's like you're sick, but you just buy medicine instead of going to the doctor," he says.
Stay up to date on vulnerabilities, research, and more:
A vendor-neutral security information Web site owned by Symantec Corp. that provides information about the latest security threats and best practices, job postings, free security tools, and listings of upcoming security-related events. The Web site also contains links to some of the best security-related mailing lists, such as BugTraq.
Computer-crime Web site run by the Computer Crime and Intellectual Property division of the U.S. Department of Justice. This site links to recent computer-crime cases, cyberlaw, and federal laws and policies regarding hacking and intellectual-property crime.
The PatchManagement mailing list is aimed at security pros and network administrators to help them build solid software-patching procedures and policies. The list is maintained by patch-management experts from vendor companies such as Shavlik Technologies and Microsoft.
Western Corporate Federal uses a number of point products, including software from Skybox Security Inc. for threat exposure and analysis, PatchLink Corp. for patches, and open-source software for intrusion detection. All are integrated with risk-management software from Qualys Inc. called VM, which lets Hoff set and enforce security policies and prioritize responses to threats.
"With vulnerability assessment before, we'd sift through hundreds of pages for the E-commerce server or the print server," Hoff says. "Now Qualys shows us where we're vulnerable in business terms." For example, when Microsoft issues patches for its Windows operating system, the credit union uses Qualys VM to identify the first servers to patch. Other security risk-management vendors include Consul, eEye Digital Security, and Trusecure.
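The business-weighted prioritization Hoff describes, as an added illustration (constructed code, not Western Corporate Federal's process or any Qualys product logic): business units supply the dollar impact per asset, the scanner supplies severity, and the patch queue is ordered by expected loss, with items whose fix costs more than the asset is worth pushed to the bottom for an accept-or-defer decision. The scoring weights, the internet-exposure multiplier, and all sample data are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    business_impact: float   # dollars at risk if compromised, as defined by the business unit (assumed)
    exposed: bool            # reachable from outside the perimeter

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln: str                # placeholder identifier, not a real advisory number
    severity: float          # 0-10 scanner severity
    remediation_cost: float  # estimated dollars of staff time and downtime to fix

def risk_score(asset: Asset, finding: Finding) -> float:
    """Expected loss: severity scaled to 0..1, doubled (capped at 1) for exposed assets."""
    likelihood = finding.severity / 10.0
    if asset.exposed:
        likelihood = min(1.0, likelihood * 2)
    return asset.business_impact * likelihood

def prioritize(assets, findings):
    """Return (finding, score, worth_fixing) tuples, highest business risk first.

    worth_fixing is False when remediation costs more than the expected loss
    (the '$10,000 to protect a $10 asset' case); those items sort to the end."""
    by_name = {a.name: a for a in assets}
    ranked = []
    for f in findings:
        score = risk_score(by_name[f.asset], f)
        ranked.append((f, score, f.remediation_cost <= score))
    ranked.sort(key=lambda t: (not t[2], -t[1]))
    return ranked

# Constructed sample inventory and scan results
ASSETS = [
    Asset("ecommerce-web", 5_000_000, True),
    Asset("print-server", 500, False),
    Asset("hr-db", 250_000, False),
]
FINDINGS = [
    Finding("print-server", "EXAMPLE-001", 9.0, 400),
    Finding("ecommerce-web", "EXAMPLE-002", 6.5, 4_000),
    Finding("hr-db", "EXAMPLE-003", 7.5, 3_000),
    Finding("print-server", "EXAMPLE-004", 4.0, 2_000),
]

if __name__ == "__main__":
    for f, score, fix in prioritize(ASSETS, FINDINGS):
        print(f"{f.asset:15} {f.vuln:12} risk=${score:>12,.0f} fix={'yes' if fix else 'defer'}")
```

Note that the print server's critical finding still outranks nothing of value: a severity-9 hole on a $500 asset lands below a medium-severity hole on the revenue-generating server.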
As far as security technology has come, passwords may still be the weakest link in the security chain. "Passwords are the easiest way in," says Andy Jaquith, an analyst at the Yankee Group. "Bad guys get into accounts and try to escalate to a higher level." There's also potential for rogue employees to attempt to access sensitive data. That leads to an endless cycle where passwords are regularly changed to avoid trouble.
It all adds up to the need to deploy smart identity-management tools and establish savvy practices. At Vitas Healthcare Corp., with a workforce of 6,000 and operations across 15 states, authorized employees enter as many as a half-dozen passwords a day to access multiple databases. While it's important to maintain password discipline to secure customers' health-care data, maintaining and managing the situation creates a drag on the IT department. "Our help desk spends 30% of their time on password management and provisioning," says John Sandbrook, senior IT director at Vitas. The company is changing that using Fischer International Corp.'s Fischer Identity Management Suite 2.0 to manage passwords and comply with data-access regulations such as the Sarbanes-Oxley Act. Vitas implemented the suite last fall, and it expects to cut help-desk time spent on passwords by 25%.
The ID-management product includes automated audit, reporting, and compliance capabilities, and a common platform for password management, provisioning, and self-service. "Any company must have unique user IDs and passwords that change frequently," Sandbrook says. With the software, Vitas can enforce strong-password rules that some legacy systems won't require on their own, such as minimum lengths of seven, eight, or nine characters combined with numbers and capital letters. And when Sandbrook does an audit, "I see who changed [password] information with good practices, and I feel assured."