Security Action Plans

Being smart about security is as much about commonsense practices as it is about deploying the right software tools.

Centralization, automation, problem prioritization--many IT-security professionals are embracing those concepts as they fight off the never-ending onslaught of threats. Security products can help businesses stem the flood of vulnerabilities, but IT teams also have to put in place processes to ensure that they're responding appropriately and being proactive in warding off potential dangers. Fact is, some companies spend too much on some parts of their organization and not enough on more-vulnerable areas.

Security pros are under increasing pressure to do the job right and cost-effectively as networks extend beyond firewalls to remote users, partners, and customers, and to cell phones, PDAs, and other mobile devices; regulatory requirements to safeguard data have risen; and concerns about identity theft are at an all-time high. Hackings and other unauthorized access contribute to the approximately 10 million instances of identity theft each year in this country, according to the Federal Trade Commission. "How sensitive is a company about being on the front page of the paper?" asks Pete Lindstrom, founder and analyst at Spire Security. InformationWeek and others have reported on a rash of cases involving inadequate security and poor handling of customer data. "If the value of assets is high, companies should follow security best practices," Lindstrom says.

To understand how companies are managing it all, InformationWeek interviewed business-technology professionals on the front lines to see how they're handling some common security issues. From the higher-level picture of risk management to the nitty-gritty details of patching, here's how they do it.

Start With A Master Plan
It doesn't make sense to spend $10,000 to protect a $10 asset. That's the way Christofer Hoff, chief information security officer at Western Corporate Federal Credit Union, sees it. Every security-remediation plan requires knowing how important a specific asset is to the company before time and money are spent securing it. For example, an E-commerce server that brings in millions of dollars in sales is more important than a print server, so it's higher on the fix and secure lists.

CISO Hoff worked with business-unit managers to set security priorities.

It's all about intelligently managing risk, rather than knee-jerk reactions to the multitudes of threats, Hoff says. Instead of looking for "some Holy Grail security-management product," he set priorities with business-unit managers. Some of the questions they discussed: What would the impact to the business be if the main E-commerce server were compromised? And what exposure would the business suffer if it couldn't process millions of dollars in transactions? "Our business units define what's needed to stay online," he says.

For many businesses, implementing a risk-management plan should be at the top of their security to-do list, says Jon Oltsik, an analyst at Enterprise Strategy Group. But few have taken that step, he says. Instead, the most common reaction to a new threat is to buy more technology. "It's like you're sick, but you just buy medicine instead of going to the doctor," he says.

SECURITY SITES Stay up to date on vulnerabilities, research, and more: » www.sans.org IT security research and education organization the SANS Institute offers research about security best practices, vulnerabilities, training information, and Webcasts. » www.securityfocus.com A vendor-neutral security information Web site owned by Symantec Corp. that provides information about the latest security threats and best practices, job postings, free security tools, and listings of upcoming security-related events. The Web site also contains links to some of the best security-related mailing lists, such as BugTraq. » www.cert.org The CERT Coordination Center, a federally funded security research and development center, posts information about vulnerabilities, attacks, defenses, and various security stats. » www.Cybercrime.gov Computer-crime Web site run by the Computer Crime and Intellectual Property division of the U.S. Department of Justice. This site links to recent computer-crime cases, cyberlaw, and federal laws and policies regarding hacking and intellectual-property crime. » www.patchmanagement.org The PatchManagement mailing list is aimed at security pros and network administrators to help them build solid software-patching procedures and policies. The list is maintained by patch-management experts from vendor companies such as Shavlik Technologies and Microsoft.

Western Corporate Federal uses a number of point products, including software from Skybox Security Inc. for threat exposure and analysis, PatchLink Corp. for patches, and open-source software for intrusion detection. All are integrated with risk-management software from Qualys Inc. called VM, which lets Hoff set and enforce security policies and prioritize responses to threats.

"With vulnerability assessment before, we'd sift through hundreds of pages for the E-commerce server or the print server," Hoff says. "Now Qualys shows us where we're vulnerable in business terms." For example, when Microsoft issues patches for its Windows operating system, the credit union uses Qualys VM to identify the first servers to patch. Other security risk-management vendors include Consul, eEye Digital Security, and Trusecure.

Manage Access
As far as security technology has come, passwords may still be the weakest link in the security chain. "Passwords are the easiest way in," says Andy Jaquith an analyst at the Yankee Group. "Bad guys get into accounts and try to escalate to a higher level." There's also potential for rogue employees to attempt to access sensitive data. That leads to an endless cycle where passwords are regularly changed to avoid trouble.

It all adds up to the need to deploy smart identity-management tools and establish savvy practices. At Vitas Healthcare Corp., with a workforce of 6,000 and operations across 15 states, authorized employees enter as many as a half-dozen passwords a day to access multiple databases. While it's important to maintain password discipline to secure customers' health-care data, maintaining and managing the situation creates a drag on the IT department. "Our help desk spends 30% of their time on password management and provisioning," says John Sandbrook, senior IT director at Vitas. The company is changing that using Fischer International Corp.'s Fischer Identity Management Suite 2.0 to manage passwords and comply with data-access regulations such as the Sarbanes-Oxley Act. Vitas implemented the suite last fall, and it expects to cut help-desk time spent on passwords by 25%.

The ID-management product includes automated audit, reporting, and compliance capabilities, and a common platform for password management, provisioning, and self-service. "Any company must have unique user IDs and passwords that change frequently," Sandbrook says. With the software, Vitas can enforce strong passwords that some legacy systems won't require on their own, such as those with seven, eight, or nine characters, numbers, and capital letters. And when Sandbrook does an audit, "I see who changed [password] information with good practices, and I feel assured."