Interview with Ken Cutler, Vice President, Information Security, MIS Training Institute

What do you see as the biggest online security threats today?

Today’s biggest online threats come from malicious software (e.g., viruses, worms, and ad-bots), phishing scams, and direct attacks by hackers.

Malicious software typically exploit unpatched software bugs in widely used software such as operating systems, browsers, and office software. These malware agents are often propagated through email attachments, often associated with SPAM, or by leveraging unprotected file shares used like frogs jumping from one object to another. Spyware from freeware and software suppliers that plants unwanted “monitors” and system operation alterations (e.g., interfering with normal web browser operation and “homesite” selection on end-user systems is a constant headache for both end-users and desktop security software suppliers. Using built-in web browser safeguards and vigilantly keeping current anti-virus and anti-spyware software is a way of life to ensure secure web browsing and workstation software reliability.

Phishing is accomplished through the copying of prominent financial services sites (e.g., major banks, PayPal on E-Bay) to create bogus sites. The victims are lured to the bogus web sites by phony emails requesting that the customers need to update their accounts and then proceed to login to the bogus sites while their account numbers and passwords are being captured. User awareness is an important countermeasure against this sinister threat.

Direct hacking of website continues to be a problem associated with vulnerabilities created by a combination of unpatched software bugs and failure to use bundled security features in the software. Security and network software from prominent vendors, such as Cisco, Internet Security Systems (ISS), Symantec, and Zone Labs, have also come under attack during the past year. Attack objectives range from denial of service, web site defacement, and privilege escalation to direct theft of credit card information and other valuable electronic information. Being proactive with intensive web and database application coding guidelines and testing along with the use of up-to-date intrusion prevention systems is an absolute must in today’s Internet environment.

Direct attacks on recently implemented wireless LANs are also prevalent, but usually result in only the theft of high-speed Internet service or possible relaying to “interesting” targets. Use of strong authentication, encryption, firewalls, and ongoing audits, such as wired and wireless vulnerability testing, are critical safeguards to protect wireless network access points.

What are the people that come to the MIS Training Institute most worried about?

In recent years, the human resource and financial impact of trying to document internal controls and comply with regulatory security laws such as HIPAA, Graham-Leach-Bliley, and most recently Sarbanes Oxley are top priorities in most businesses. A major area of internal security controls associated with regulatory compliance issues is the “bread and butter” area of identity and access control management, in past years just simply referred to as “access control”. Accurately identifying users, their privileges or entitlements, and having an accurate record of what they did while using computerized resources is no longer just a “best practice” but a legal issue with serious non-compliance consequences to the senior management of all publicly owned businesses. All that, is in addition to dealing on a day-to-day basis with frequent software patches to address the major online threats we mentioned in response to the previous question.

Wireless insecurity is also a widespread concern, but can be more easily addressed by treating a wireless connection the same as an Internet connection by applying firewalls, intrusion detection, virtual private networks, and strong authentication.

The CSO is becoming increasingly aware of the dangers posed by mobile devices that contain confidential information and that are subject to theft or loss. What can they do to mitigate those risks? Is the education of end users within a company the only way to go?

There are three areas of security attention related to mobile devices which can range from handheld intelligent cell phones and PDAs to more robust notebook computers: protecting the information content on the mobile device, securing the interaction of that device with other computers across a network, and making sure that additional “backdoor” entry points are not introduced to accommodate “convenient” network access for mobile devices. Effective control of mobile devices begins with intelligent policies and vibrant security awareness and training. From a technical perspective, security for mobile devices includes the use of strong encryption and authentication based on a well-managed public key infrastructure. Remote access gateways, which continually convert “full size” web applications to miniature versions that can operate on the limited size and powered handhelds, must also be protected by strong physical and technical security safeguards. The major issue with theft or loss is not the device, but rather its contents; strong encryption and authentication make the device useless other than its face resale value in the black market.

What’s your take on the open source vs. closed source security debate? In your opinion, what operating system is better, when taking a look from the security perspective?

Open source software, usually with a strong Unix flavor, has proven to be a viable alternative to the world of the “install wizard”. It is often more compact and efficient and uses much fewer resources to provide equal or superior functionality to the end-user. From a purest high security standpoint, Microsoft Windows has still to prove that it is the equal of a well-tuned Unix system. Linux, a popular open source version of Unix has the potential to be very secure, but suffers from “too many fingers in the pie” unless it is stripped to the barer essentials to allow it to be more easily secured.

For the reader to draw their own unbiased conclusions about which operating system and typically associated web server has a better track record, I will refer them to the US National Institute of Standards and Technology (NIST) vulnerability tracking web site, icat.nist.gov, to make their own comparisons of publicly reported security alert bulletins to see which operating systems and web servers have the best track record in the area of fewest serious security bugs and other vulnerabilities. No system has a clean record, but there is a significant difference between the recent history (last 10 years) of open source and proprietary (“closed source”) software.

From a Chief Information Officer/Chief Technology Officer perspective, despite the clear security benefits, formal support for open source software is only available through informal channels in Internet news and discussion groups. However, formal support for closed source, commercial software, especially in light of the increased use of off-shore support that has not approached that of “good ol’ home cooking”, does not always provide a superior benefit. For example, I recently had an experience with a major handheld computer vendor’s off-shore support which involved a problem with the handheld not recognizing an inserted SDIO card. I reported the problem to the vendor via email and grew continually annoyed after three email exchanges. Each reply from the customer support was from a different technician who never responded directly to my questions and comments. Instead their responses read like a text book and did not directly address my problem.

What do you think about the full disclosure of vulnerabilities?

Vulnerabilities should be disclosed, as promptly as possible by the affected IT product vendor(s), accompanied by corrective action (e.g., software patch, additional firewall/intrusion prevention system filtering, security configuration changes or other tightening of access controls). A major concern by opponents of full disclosure is that by revealing the details of the vulnerability, it accelerates the creation of exploit scripts that can be used to attack the vulnerability. The software patches are also a resource to future attackers who can reverse engineer them to provide ideas on attack schemes. Some of the opponents of disclosure are the software authors/vendors themselves who failed to properly code and test their software that created the vulnerabilities in the first place-¦then the customer is again put back on their heels trying to keep up with all of the patches and possible side effects associated with those patches. Vulnerabilities must be disclosed in a timely fashion as long as the announcement includes a fix which may be a patch, a configuration change, or both. Consumer organizations must be able to protect themselves and test for vulnerabilities, so I don’t see any practical way to keep the vulnerabilities a big secret. What you don’t know-¦can kill you!

What is, in your opinion, the biggest challenge in protecting sensitive information at the enterprise level?

The biggest challenge is getting the full support of all levels of management and the work force in making information security a sincere top priority on a continuous basis. Senior management support, accountability “up and down the line”, relentless security awareness, and training are the key ingredients. Technical and physical security safeguards are no better than the people who administer and use them.

What are the future plans for the MIS Training Institute? Any exciting new projects?

MIS is continually in the process of securing new and industry-leading speakers and keynotes for our upcoming event schedule. For our 2005 conference schedule, several new events have been introduced including Cracking E-Fraud, The Conference on Enterprise Risk Management, The Summit on Managing Security & Privacy Compliance in the Era of Sarbanes-Oxley, as well as IT Security World in San Francisco. IT Security World is unique in that it will feature a full conference, including Sector Summits such as HealthSec, FinSec, GovernmentSec, LegalSec, EnergySec and CISO Executive Summit.

Detailed information on all of these events can be found on our Web site. I would encourage readers to visit the site for the most up-to-date information on upcoming conferences, seminars and symposiums.

Don't miss