"You have to swallow the red pill" and confront IT security challenges at the highest levels of enterprise management, said Moses De Los Santos, a vice president in the SSP-Litronic unit of SSP Solutions Inc., in Irvine, Calif.
That doesn't mean throwing technology at the situation, which is costly but still politically easier than solving the real problem, De Los Santos warned. "It's about the processes around the technologies and, more important, around the people," he told the audience at a panel discussion during the Business4Site conference in Los Angeles last month.
Legislative mandates are putting new vigor into enterprise IT security efforts, said fellow panelist John Williams, chief technology officer and co-founder of Preventsys Inc., in Carlsbad, Calif., but sometimes, those efforts largely miss the point.
"I go into a big company," Williams said. "They say, 'We did our Sarbanes-Oxley project; we had 20 guys with clipboards in here for a week, and we're all set. ... Oh, by the way, we had Slammer in here last week, and it infected every machine.'
"Well, Slammer affects databases; you've got databases in your accounting department," Williams said. "If your databases in accounting are susceptible to an automated attack, then how can your CEO be certain that someone didn't use that vulnerability to change your financial results? It's like a train crashed right in front of you in slow motion, and you didn't even notice."
If auditable IT security policies aren't clearly visible to top management and if they aren't being systematically enforced in day-to-day IT operations, Williams warned, those policies are effectively being defined by low-level IT staff who can't be expected to make the appropriate trade-offs.
From the in-the-trenches perspective of IT, it's impossible to say "whether a buffer overflow on one box is more important than a buffer overflow on another box," Williams said. Documenting policies in terms of business requirements and risks, generating reports of policy noncompliance, and elevating those reports to the proper management level are the essential steps toward placing decisions at appropriate levels, Williams said.
Panelists also explored other facets of the IT security situation. As spyware grows rapidly in prevalence and sophistication, preoccupation with virus and worm threats is becoming passé, said Vincent Weafer, senior director of Symantec Corp.'s Security Response Center, in Santa Monica, Calif. "As much as 20 or 30 percent of PC help desk calls involve spyware," said Weafer, describing key take-aways from a recent Federal Trade Commission conference.
"Those calls are long and difficult," said Weafer. "They begin with users complaining that their machines are running slowly, but they often turn out to be sending the same kind of data off the machine—IDs, passwords—as the worst kinds of malicious code."
Spyware may even be present because a service provider has placed it on a user's machine, said Williams. "The law for cable TV is that they control any equipment connected to their system, and they're interpreting that as including your PC," he said.
Panelist Gene Tsudik, associate dean of research and graduate studies at the University of California at Irvine, encouraged users to develop basic system awareness to identify intrusions. "If you press Control-Alt-Delete, you'll see a list of processes, and if you're familiar with what's supposed to be there, you can see what doesn't belong," Tsudik said. "If you save your registry from time to time … then finding new keys added to your registry is a good clue that someone has done something you might not like."
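One way to act on the "save your registry from time to time" habit, added here as an example and not code from the article or from any panelist: parse two regedit text exports (the plain-text format that regedit's Export command writes) and list every key and value that appeared or changed since the saved baseline. The two exports, the key paths, value names and file paths inside them are constructed sample data, not findings from any real machine.

```python
"""Compare a saved Windows registry export against a fresh one and report
what was added or changed since the baseline.

Added example; not code from the article or from any panelist. Input is the
text format regedit writes (Windows Registry Editor Version 5.00). The two
exports at the bottom are constructed sample data: every key path, value
name and file path in them is an illustrative assumption. Real exports are
UTF-16 with a BOM, so read them with open(path, encoding="utf-16").
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterator

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"=data or @=data (the key's default value); Name may contain \" escapes
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _logical_lines(text: str) -> Iterator[str]:
    """Join hex(...) values that regedit wraps with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Return {key_path: {value_name: raw_data}} for a .reg export.

    Data is kept verbatim ('"C:\\\\x.exe"', 'dword:00000001', 'hex:01,02'),
    so a change of either type or content shows up as a modified value.
    Deletion directives ([-HKEY...] and "Name"=-) are not special-cased.
    """
    keys: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name")
            current[name] = m.group("data")
    return keys


@dataclass
class RegDiff:
    added_keys: list[str] = field(default_factory=list)
    removed_keys: list[str] = field(default_factory=list)
    added_values: list[tuple[str, str, str]] = field(default_factory=list)        # key, name, data
    changed_values: list[tuple[str, str, str, str]] = field(default_factory=list)  # key, name, old, new

    def is_clean(self) -> bool:
        return not (self.added_keys or self.removed_keys or self.added_values or self.changed_values)


def diff_reg(baseline: dict[str, dict[str, str]], current: dict[str, dict[str, str]]) -> RegDiff:
    """Everything present now that the baseline lacks, plus values whose data changed."""
    d = RegDiff()
    d.added_keys = sorted(set(current) - set(baseline))
    d.removed_keys = sorted(set(baseline) - set(current))
    for key in sorted(current):
        old, new = baseline.get(key, {}), current[key]
        for name in sorted(set(new) - set(old)):  # values under brand-new keys land here too
            d.added_values.append((key, name, new[name]))
        for name in sorted(set(old) & set(new)):
            if old[name] != new[name]:
                d.changed_values.append((key, name, old[name], new[name]))
    return d


def report(d: RegDiff) -> list[str]:
    """One line per finding for the person reviewing the machine; empty means unchanged."""
    lines = [f"+ key   {k}" for k in d.added_keys]
    lines += [f"- key   {k}" for k in d.removed_keys]
    lines += [f"+ value {k}\\{n} = {v}" for k, n, v in d.added_values]
    lines += [f"~ value {k}\\{n}: {o} -> {v}" for k, n, o, v in d.changed_values]
    return lines


def audit(baseline_text: str, current_text: str) -> RegDiff:
    return diff_reg(parse_reg(baseline_text), parse_reg(current_text))


RUN_HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed baseline export, saved on a known-good day (autostart keys only).
BASELINE_REG = rf"""Windows Registry Editor Version 5.00

[{RUN_HKLM}]
"ExampleAV"="C:\\Program Files\\ExampleAV\\tray.exe"

[{RUN_HKCU}]
"ExampleSync"="C:\\Users\\alice\\AppData\\Local\\ExampleSync\\sync.exe /background"
"""

# Constructed later export: one autostart value changed, one added, one new key.
CURRENT_REG = rf"""Windows Registry Editor Version 5.00

[{RUN_HKLM}]
"ExampleAV"="C:\\Users\\Public\\tray.exe"

[{RUN_HKCU}]
"ExampleSync"="C:\\Users\\alice\\AppData\\Local\\ExampleSync\\sync.exe /background"
"updatr"="C:\\Users\\alice\\AppData\\Roaming\\updatr.exe"

[HKEY_CURRENT_USER\Software\ConstructedVendor\Agent]
@="agent"
"Enabled"=dword:00000001
"Blob"=hex:01,02,03,\
  04,05
"""

if __name__ == "__main__":
    for line in report(audit(BASELINE_REG, CURRENT_REG)) or ["baseline unchanged"]:
        print(line)
```

The comparison is deliberately dumb: any new key, new value or changed data is reported, and the reviewer decides what belongs. Exporting only the autostart and service keys keeps the diff short enough to read by hand; a full-hive export works the same way but produces far more noise from ordinary software updates.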
Tsudik told the audience that user organizations such as financial services companies are doing little to advance the state of the art, even though they have much to lose—in terms of customer good will as well as fines or other penalties.
"People say, 'Chances are we won't be the first to go down; we'll see what happens to the first, so what we need from you is pricing for two years from now,'" Williams said.
That "you first" approach is too risky, said panelist Nelson Ramos, an eWEEK Corporate Partner and enterprise technology strategist at Sutter Health, in Sacramento, Calif. "We're high-profile targets. … If we have a security intrusion, there are fines," Ramos said.
Preventsys' Williams asked, "What are your assets, what would be bad things to happen to them, what are the priorities of protections against those events?"
Those are the questions that should begin the process, the panel members agreed; technology issues should implement the answers, not substitute for those questions.
Technology Editor Peter Coffee can be contacted at firstname.lastname@example.org.