Security Scare

Is the job of looking after security too big for government CIOs to handle?

Sven Radavics recently agreed to help a friend of his install some new security software on a local government system. Radavics will not say which department because if he did it would seriously compromise their security. He says he has good reason for thinking that.

"I had to get the password for one of their systems," Radavics says, "so that I could install the software. I did my work and as I was walking out the door I said: 'Guys, make sure you change the password, I don't want to leave the premises knowing the password', and they turned to me and said: 'Well, we can't, it's hard-coded into our software applications.' That sort of thing is rife in smaller government departments. It's shocking and I would come across that sort of thing on a weekly basis."

Radavics knows a lot about network security. He is WatchGuard Technologies' Sales Director for Australia and NZ and has a deep technical knowledge of the security issues surrounding government, both at federal and state level. Radavics warns it is only a matter of time before an Australian government department's system is severely attacked by malicious hackers, organized criminals after personal information or even by cyberterrorists intent on bringing the system down and wreaking havoc across the government network.

Radavics is not alone in being concerned about government's action - or in some cases what he and colleagues see as inaction - on security issues.

"There's no doubt that it's politically correct to have security as a major issue," says Gartner research director Steve Bittinger. "If you went and talked to the average CEO and asked: 'What is your number one concern?', obviously there are issues around growth and downturn, but security is always going to show up there - they know that it's important. The big question is what are they really doing about it?"

Bittinger says security is increasingly a large and sometimes dangerous beast, and so it needs careful handling of a kind that the typical government CIO is not always capable of. "Every new technology brings new security risks along with it.

"There are some good arguments that suggest that the pace of technological change in the world today is increasing at an exponential rate. Technology is zooming along faster and faster and the reason that's happening is we use technology to invent new technology and the newer technology can invent even newer technology even faster and the problem is, each of those new technologies has security risks associated with them, every single one of them," Bittinger says.

Heading for the Trees

Bittinger says that where security is concerned, your average government CIO tends, as he puts it, to look at the trees rather than seeing the forest. "What I mean by that is they fit one piece or another piece of security hardware to try and contain specific problems, like, say, spam, but they are not always seeing the big picture and protecting their entire network and that's when problems loom.

"Security is a problem that is getting worse and worse and it shows every sign of getting worse and worse for ever. How do we deal with the complexity brought on by these exponential changes in technology? Well, we are starting to see an emergence of interest in security architecture. It's not just, well, we'll fit this security firewall or this patch, security architecture is at a much higher level; this is where we get into identity and access management, and it's not just inside our organization it's across the value chain and that's when you need to start looking at someone to handle this, aside from the CIO."

Radavics agrees. "We have to hammer home the point that security is not a product, it's a process, and it all begins and ends with the security policy. What CIOs are having to do is sell that policy and that means they're increasingly talking business or government, not technology, because the policy needs buy-in at the top; there needs to be commitment to enforcing the security policy right throughout the organization. Some CIOs are better at this than others, but not enough time has been spent on teaching CIOs how to sell this process to the hierarchy. They need to really be a manager rather than a technocrat."

Radavics says that when it comes to security it is increasingly the chief security officer (CSO) or the chief information security officer (CISO) within an organization who really runs the security show, precisely because the CIO is not fully equipped to understand all of the issues, especially when they relate to business as opposed to technology.

"The CSO in government increasingly has the portfolio of physical security, risk management and IT security under one umbrella," Radavics says. "I think that's a good move. I think we need to take security management out of the hands of the technologists."

This is a view echoed by Scott Ferguson, managing director of security specialists Check Point, who believes one of the problems is that the nature of the threat has changed. "Yes, security used to be a technology issue and the primary focus was on securing the network to ensure only authorized users could access resources and protect the environment against denial of service attacks, which could lead to a reduction in available services. CIOs were comfortable enough dealing with that. But it all changed when we saw the first attack of SQL Slammer in December 2002. The threat moved from just the network layer to the protocol, the operating system and the application.

"So the major change in landscape at a very high level is that the business of IT security has moved from being a technology one, to one that encompasses, yes, technology, but more the operational management of a company and one which requires some cultural change within the organization to address."

In common with his colleagues, Ferguson does not think that all government CIOs are up to the task of handling today's security threats, and when it comes to government he believes that could have very serious repercussions indeed.


A Secure Culture

"The biggest security challenge to most companies and organizations is, firstly, engendering a culture of security," Ferguson says. "What I mean by this is the technology is typically the responsibility of the CIO, but the benefit the technology delivers is usually the responsibility of an operations director; for example, the sales director or production director. These folks now need to be aware that the very systems that enable their function and productivity are under threat and that they need to work with the technology folks to mitigate the results and protect against damaging attack, whether malicious or unintentional.

"Clearly, the CIO/CSO needs to drive an educational process to other directors and operational managers to create an awareness and to prioritize the importance of IT resources to a company or organization. There have to be rock solid evaluation and review processes put in place so that the business of security becomes an evolving one rather than a series of sections at a point in time."

Gartner's Bittinger says an increasing number of government agencies that are his company's clients are appointing security architects to take the security issue away from the CIO.

"These agencies are saying to someone specifically: 'You are in charge of security architecture.' Three or four years ago you could have counted on the fingers of one hand the government organizations who had anybody they could point to and say: 'Here's our security architect', but now it's starting to move in that direction and so I'd see less of a pure security role for the CIO across government."

Bittinger points out that security is complex and that staff need lots of specialized training before they can even understand some of the issues, and that can apply to the CIO too.

"Partly because of this, the CISO role is becoming bigger. It's a role ideally suited to the true techie-type and involves a broad and deep understanding of technology issues across the board, whether it's hardware, software, networks, servers. You have to understand a fair bit of that stuff before you can begin to understand the security issues and that's not always a role CIOs feel comfortable inhabiting simply because there are CIOs who don't understand the security issues, especially when it comes to pure business issues."

Threat Assessment ...

While the complexity of security, and the way it threads right through an organization, is clearly making the whole topic harder to manage, the threat of attack on government organizations is also definitely on the increase, and that presents additional problems for all government agencies.

"Security policies in federal government might be quite tightly enforced, but if you go looking at state and local government you have the classic SME-type organization where there hasn't been any user awareness training," WatchGuard's Radavics says. "So, I think at central government level in Australia the level of security and the understanding about security is high and in fact they were often quite early adopters of that sort of technology, but when you scale down to smaller agencies, security often starts to fall apart."

Radavics is convinced that sooner or later (and he thinks it will be sooner . . .) an Australian government department is going to be targeted, hit and disabled by hackers.

"Some experts say it's not going to be terrifying if a computer network goes down - after all, there's not blood and bones everywhere. But think about 9/11 - what would have happened to the US if al Qaeda had backed that up two days later with massive denial of service attacks on government computer networks? Australia is now a target and there are reports coming out of the Middle East and North Korea about the growth of hacking schools, which are exactly like a terrorist training camp but for hackers, and I think this does present a huge risk to government."

Radavics believes that there is some currency in the fear among experts in the security industry that the recent worms and Trojan horses hitting the Internet are really test devices launched to try and find system weaknesses before major attacks are carried out.

"I think if that is true and if it happens, and I think it will eventually, then government is potentially in a precarious situation," Radavics says.

"It's a fact that the frequency and type of attacks has never been higher nor more varied," Check Point's Ferguson says, "and it's important that government organizations recognize that multiple types of technology need to be deployed to combat this: firewalling, VPN technologies, authentication, antivirus, antispam, URL and content filtering and technologies to prevent the insertion of keystroke loggers. What government needs to do across the board is to develop a security strategy that is based on user input and process, and within the organization a security culture must be developed."


Protect and Serve?

Another problem that most experts agree is an issue is what actually constitutes a reasonable defence against hackers and other security threats. Radavics believes one of the big problems is that there is no clear definition of the word "firewall" and no regulatory definition either. What that means, he says, is that a large number of government departments are fitting devices that they believe are firewalls capable of protecting against attacks but which in reality are little more than basic protection devices.

"There are absolutely no rules about how the term 'firewall' can be used," Radavics says. "As an example, our cheapest product is about $850, but we find ourselves competing against Taiwanese products for $150. So government departments often look at us, particularly the smaller ones, and say: 'Why should I pay $850 when I can get a firewall for $150?' This is a global phenomenon and I think it's one of the things that government needs to address, because medium-sized government departments are fitting these sorts of boxes and leaving themselves wide open to attack."

The answer, according to Gartner's Bittinger, is to go down the US route and start developing an Australian security culture that encompasses auditing and regulation of network and application security.

"What's behind certification is making sure people have the skills and knowledge and expertise. In the US there is a high focus on having security-certified staff. That type of culture is only now starting to come into Australia and this is one mechanism to enable a government department or agency to be able to say: 'We have some pretty qualified and mature security people working for us. We're certified and we're continuing to keep security up to date.'

"Small to medium agencies in particular, and I'm talking about state and local government departments here, need a security partner who can provide the equipment and know-how, but they also need access to independent security auditing. That is available through all of the big consulting firms as well as through smaller security organizations, and Australia is blessed with a whole range of these types of companies. What has to happen, though, is that government organizations need to recognize that they need to have their security independently assessed and audited."

A Secure Future?

So, given independent assessment and regular auditing, plus regular security updates to equipment and processes, can the war against security threats be won?

"The thing with security is it's like an ongoing arms race," Bittinger says. "It's never going to stabilize. The bad guys are always going to come up with ways to get around networks and systems and the good guys are always going to come up with ways to stop that happening. And then it all starts happening again.

"How do you position yourself to always be on the winning side? If you're a big organization you can afford to allocate resources; if you're a small organization you have to depend on alliances and then use someone else to keep the first guys honest. You really do need some independent verification about what you're doing. I think the answer is all those threats can be countered by tapping into the world's best practices.

"All the good guys on the security side are more formidable and stronger than all the bad guys. The bad guys don't collaborate as effectively as the good guys," he concludes.

Copyright © 2005 IDG Communications, Inc.
