Security is becoming a keyword throughout the channel. It doesn’t matter at what level you operate, security is vitally important. This week, ARN features an interview with two security giants. Bill Boni is vice-president and CISO of Motorola. Ira Winkler is chief security strategist for HP. In separate interviews, Derek Slater discussed with them their respective visions of what’s needed to get the security practice in shape. Both advocated paying attention to the little things.
You’ve both mentioned “the death of a thousand cuts” as a description of what security faces today. What does that mean?
Ira Winkler: Let me give you a recent example. I was talking to somebody at a large Canadian railroad company. She said, “I’m trying to convince my boss of the need for computer security. And he has this attitude that, first of all, we’re a railroad company, we’re not that high-tech. And, on top of that, we’re not an American company, so we’re not a target that anybody really cares about.”
In other words, the boss doesn’t believe (his company is) going to be the target of a devastating attack. OK, let’s accept that — because, quite frankly, I think all these claims of terrorism and all the FUD work against us anyway. Still, I asked if she was hit by Code Red. She said, Yes. Nimda? Yes. Slammer? Yes. Other viruses? Yes. I asked, “Do you have insiders doing things that cost you a lot of money?” She said, “Yes, we have a lot of incidents we have to investigate. We’re a large company.”
So I said, “Did you ever add up the costs from all of that?” She said, “No, but it would easily be in the tens of millions of dollars.”
Bill (Boni) used the term “the death of a thousand cuts” a long time ago. There are a lot of little things that, when added up, would be devastating if they happened all at once. And if you would do the basic, simple things on an ongoing basis — to protect yourself against the small things that add up to a major loss in total — you’d also be preventing the mythical terrorist attacks and other large-scale events.
Bill Boni: The way I look at it is that most organisations don’t have a framework for keeping track of loss, particularly intellectual property-related loss. As information protection (IP) has become digital, you now face the possibility of it being misappropriated without having the loss detected. It doesn’t become manifest until an engineer in your company realises that your biggest competitors have what you were expecting to have, at the same time — and you thought you were a year ahead of them. Plus, they have lower price points because they didn’t have to spend the money to develop it.
So you (should try to) capture and synthesise a significant portion of those loss events, using HR, the physical security groups and other branches of the company as sensing mechanisms.
A lot of talk right now in information security (IS) is about the software consoles that do event analysis and correlation. I’m talking about creating an analog of that at the corporate level that correlates the technical aspects of security with everything else — HR, legal, all these different areas. Now management can make better-informed decisions with data, not just anecdotes.
A lot of practitioners will take advantage of a breach to say, “Aha, see, we need to protect our IP.” But the counterargument is, “This was a one-time event.” But if you have a process in place that allows you to prove that, no, it happened three times in the last quarter alone ...
The next important question is, What’s the source (of the vulnerability)? Is it technology? A legal loophole? A cultural blind spot in employees or management?
Even if you know your intellectual property is leaking out, how do you make that connection between what’s been lost and where the loophole is?
Boni: This is where you go back to the fundamentals of counter-intelligence. Information security can make its best contributions when you use the whole suite of tools and techniques with a counterintelligence mind-set.
Another example. If someone is scanning the internal network, your internal intrusion detection system goes off, and typically somebody from IT calls the employee who’s doing the scanning and says, “Stop doing that.” And he replies, “Oh, I was just testing this thing for my college class on IT management. I won’t do that again.”
He offers you a plausible explanation, and that’s the end of it. Throughout the history of IP theft, this is how it always goes. HR sees one thing, physical security sees the guy “accidentally” carrying out documents (“Oops...I didn’t realise that got into my briefcase”), and the IT people see the scanning incident. But nobody puts them all together to realise it’s the same guy.
With IP theft, you can’t always determine that it was Professor Plum in the library with the lead pipe. But (by adopting) a counter-intelligence mind-set you can identify gaps in your protection scheme. Sometimes it (really) is accidental; I’ve worked cases where they did high-level internal product announcements at a ritzy offsite and left copies of printouts lying around. Sometimes it’s not accidental. People in other countries — Ira has seen this — send in “dummies” who get jobs in the payroll department, and (once) they’re there for several months there’s a very good likelihood they’ll be able to access valuable documents.
The protection mechanisms are too disjointed. Just as in infosec, we have challenges putting together the big picture. The challenge (in IP loss prevention) is how to pull together all those other sensory mechanisms: access cards, legal policies, areas where product models and mock-ups are done. You have to consider those as sensing devices or places where you can potentially detect behaviors. But they don’t (usually) get correlated in any meaningful way in most organisations.
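Boni’s two points above, keeping a ledger of the small loss events so that “it happened three times in the last quarter” can be shown with data, and correlating what HR, physical security and IT each see so that the same person shows up across sources, can both be sketched in a few lines. The following is an added example written for this page, not code from either interviewee or their companies; the three source names, the employee ids, the 90-day window and the sample events are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class LossEvent:
    """One 'cut': a small incident as reported by one sensing mechanism."""
    when: date
    source: str   # which group saw it: "hr", "physical" or "it" (assumed names)
    subject: str  # employee id the report is about, or "unknown"
    kind: str     # short description of what was observed
    est_cost: int # estimated cost in dollars, as recorded by the reporting group


# Constructed sample ledger (not real incidents): the scenarios Boni describes,
# an internal scan seen by IT, documents in a briefcase seen by physical
# security, a complaint seen by HR, plus some unrelated worm clean-ups.
SAMPLE_EVENTS = [
    LossEvent(date(2004, 1, 12), "it", "E1042", "internal network scan, explained as class project", 500),
    LossEvent(date(2004, 2, 3), "physical", "E1042", "product documents found in briefcase at exit", 2_000),
    LossEvent(date(2004, 2, 20), "hr", "E1042", "complaint: repeated questions about project pricing", 0),
    LossEvent(date(2004, 1, 28), "it", "E2210", "worm infection on workstation (Nimda)", 4_000),
    LossEvent(date(2004, 3, 15), "it", "E2210", "worm infection on workstation (Slammer)", 4_000),
    LossEvent(date(2003, 11, 2), "physical", "E3301", "printouts left at offsite meeting", 1_000),
    LossEvent(date(2004, 4, 9), "it", "E3301", "internal network scan", 500),
]


def correlate_subjects(events, window_days=90, min_sources=2):
    """Return {subject: sorted list of sources} for every subject that was
    reported by at least `min_sources` distinct groups within any span of
    `window_days` days. One group seeing the same person twice does not count;
    the point is to join what different groups saw separately."""
    by_subject = defaultdict(list)
    for e in events:
        if e.subject != "unknown":
            by_subject[e.subject].append(e)

    window = timedelta(days=window_days)
    flagged = {}
    for subject, evs in by_subject.items():
        evs.sort(key=lambda e: e.when)
        # Slide a window starting at each event and collect the sources inside it.
        for i, first in enumerate(evs):
            sources = {x.source for x in evs[i:] if x.when - first.when <= window}
            if len(sources) >= min_sources:
                flagged[subject] = sorted(sources)
                break
    return flagged


def quarter(d):
    """Label a date with its calendar quarter, e.g. 2004Q1."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def losses_by_quarter(events):
    """Return {quarter: (event_count, total_est_cost)}, the per-quarter tally
    that turns 'a one-time event' into a measured, recurring loss."""
    totals = defaultdict(lambda: [0, 0])
    for e in events:
        q = quarter(e.when)
        totals[q][0] += 1
        totals[q][1] += e.est_cost
    return {q: tuple(v) for q, v in sorted(totals.items())}


if __name__ == "__main__":
    for subject, sources in correlate_subjects(SAMPLE_EVENTS).items():
        print(f"{subject}: seen by {', '.join(sources)} within 90 days")
    for q, (count, cost) in losses_by_quarter(SAMPLE_EVENTS).items():
        print(f"{q}: {count} events, est. ${cost:,}")
```

On the sample data only E1042 is flagged: IT, physical security and HR each saw one unremarkable thing, and only the join across sources shows they concern the same person. E3301 has two sources but more than 90 days apart, so the window keeps old noise from pairing with new noise; widening `window_days` changes that, which is the tuning decision a real ledger forces you to make explicitly. The quarterly tally is the other half of Boni’s argument: the individual costs are small, the quarter’s total is not.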
Winkler: It’s hard to put a dollar figure on data or IP loss. When it happens and they talk about prosecuting hackers, they’ll say I’ve lost millions of dollars to this. In fact, there was the recent case (involving) Lockheed Martin and Boeing where they were talking billions of dollars. However, I don’t think Lockheed Martin took a billion-dollar loss on its balance sheet. Very rarely do they declare the loss in an accounting procedure. And if you don’t do that, your executives aren’t going to think, “We can protect ourselves against IP theft and save ourselves millions of dollars a year.”
So again, what security managers and CIOs should do is add up the little losses, which will add up to a big loss, and then put their security programs in place by adjusting for the little things.
You touch on the intersection of business or operational security issues and info security. Ira, you have a story where you were doing penetration tests at a client company and were able to walk out with critical engineering documents that you found — not in the engineering department but in the graphics department.
Winkler: Right. The CEO has the graphic arts department at his beck and call, and its responsibility is to make documents look pretty. Now, the graphic arts people think of themselves as artists; they’re not thinking about, “Hey, I have some of the most valuable documents in the company on my server.” Obviously, if you go to the financial group and say, “I want to see your financial data,” they’ll laugh you out of the office. But if you go to the graphic artists and say, “Can I take a look at your computers for a minute?”— they’ll say, “Sure, why not.” So people have to understand that there are many places where valuable data goes. And, ironically, some of the most valuable data gets sent to places where they think the data’s irrelevant.
That makes an argument for active co-operation of all security groups. It also makes a case for the concept of Defence in Depth: De-emphasise the perimeter-oriented approach to security and start thinking in terms of layers of internal defense.
Winkler: Defence in Depth is actually a US Department of Defense concept. The DoD has been using it for a long time. Most people start thinking of defence at the perimeter, but Defence in Depth (advocates) treat each piece of the network as its own. It’s not a new term, but it’s getting more publicity as more defense people end up in private industry. It’s a darn good term.
If you adopt Defence in Depth, you eliminate the debate about which constitutes the bigger threat — internal or external breaches — which seems like a pointless question anyway.
Winkler: At one level, it’s pointless, because I’ve always said threat is irrelevant. It’s irrelevant whether they’re a teenager, an insider or an outsider — someone is going to try to get you. But different threats do have different levels of resources they can throw at you. Teen hackers may scan your website for a while, and then maybe they make a phone call to try some social engineering. But then they go away.
However, if you are a (financial sector) company, you are also potentially threatened by outsiders who want to steal money. And if you’re talking about, potentially, more organised criminals or competitors, they will get a job inside your company or, more likely, recruit someone who’s already inside to steal information for them. So you have to do Defence in Depth.
You’ve been involved in security for many years. From where you sit, what’s the state of infosec today? Better? Worse?
Boni: I think it’s getting better, but at the same time more complicated and challenging. Once upon a time, a good security program was an array of technology safeguards. Increasingly, the value add is how to enable the business by strategic application of technologies or functionality — facilitating alliances and partnerships, for example. The technical foundation is not eliminated; it’s table stakes. But now the infosec pro has to move into the realm of understanding that what (business executives) want is, of course, to be able to do the new business or the product or the approach. And the security pro can’t respond, “That’s never going to fly, never ever.” Instead, you have to start with, “OK, there are risks, and here are some approaches to managing the risks. Here’s the decision matrix, and here’s my recommendation.” It’s more like, “Here’s your menu of options, and would you like fries with that?”
Care to hazard a guess as to how many information security people understand that concept?
Boni: Well, a manager-level employee may not be personally equipped to have that dialogue or may not be organisationally well placed (for it). You can pretty much track the maturity of the security program, typically, by its placement within the company. As we see more CISOs put in place, that’s becoming part and parcel of how they interact with upper management.