Eighteen months ago, my company, a large financial services organization, suffered a number of attacks that were stopped mostly by luck. With the awareness of security raised, management hired me as information security manager to secure their infrastructure and operations.
I manage a team of five people, with an annual budget of just under US$750,000. With these resources, I protect 4,315 IP-connected devices and 617 staffers from the real and imaginary threats of the New Economy - and keep our regulators and customers convinced that we're a safe and trustworthy organization.
How do I know we have 4,315 connected devices? We have a vulnerability scanning system. That sounds terribly impressive, but really it consists of a ping sweep followed by the use of nmap freeware port scanner software and Internet Scanner software from Internet Security Systems Inc. in Atlanta. This would be easier if my company maintained an accurate inventory of the equipment it bought and deployed, but with the organization split between development and operations, there's no central tracking of computers.
I highly recommend checking the connected operating systems on your network. We mostly use Windows NT Workstation 4 on the desktop, some Windows NT 4 servers, Sun Solaris systems and a healthy wedge of back-office servers running OpenVMS. All these operating systems are linked by Cisco Systems Inc. routers and switches.
But we knew that before we ran the tests. The useful data is the strange other network stacks we detected:the printers, the developers trying out betas of Windows 2000 and Linux without permission, and even partner organizations, like those that manage the phone system, connecting firewalls and some non-Y2k-compliant versions of Windows 3.1.
And those 617 people? I wish I could say I knew them all. Like other financial services companies, we have many contractors and high staff turnover. Nonetheless, I must educate them all in the basics of information security.
To keep control of the staff changes, we've set up a system that takes a feed from the human resources database and matches it to all the user accounts across our infrastructure. For the past three months, we've been clearing up the discrepancies. With 28,652 accounts in our environment, that was a lot of work. I'm not convinced of the real value of this cleanup, because most of the accounts were expired before we deleted them. But this kind of work really delights internal and external audit, so that alone makes it worthwhile. This would be easier if the human resources database were correct, but at least we have eradicated some of the errors.
Having an inventory of accounts and systems gives us a feel for what we have to protect. That protection consists of two firewalls: FireWall-1 from Checkpoint Software Technologies Ltd., and the Secure Pix Firewall from Cisco. Like the best-designed oil tankers, we have a double-walled hull protecting us from the harsh outside world.
And just as such tankers can sink, we expect our firewalls to fail despite our best efforts, and therefore, we have host and network intrusion-detection systems. These also protect us from insider threats, if the attack is a well-known script-kiddie-style one. If a more competent attack occurs, we'll still catch it because we use integrity assessment tools and honeypots.
The integrity assessment tools maintain an off-line, more-difficult-to-hack database of file details. If any file is changed, we can tell when we compare the live and stored records on a daily basis. We also do random spot-checks in case someone is smart enough to figure out when we're going to do it. This also tells us when developers or support staff have made a quick fix to a live server without going through testing or change control.
The Virus Threat
Our protection from external hackers and malicious insiders is fairly thorough. However, despite all the wonderful hype on security vendor Web sites, the highest risk we face in terms of downtime and lost revenue is virus infection.
Our strategy includes VirusScan from Network Associates on the desktops; Sophos Anti-Virus from Sophos PLC on the file servers; MIMEsweeper from Content Technologies Inc. at the e-mail gateway; and WebManager fromTrend Micro Inc. at the Web proxy server.
We have associated .vbs extensions with a notepad at the desktop to stop the threat of new Love Bug variants like the Anna Kournikova worm. And we are rolling out Microsoft Corp.'s patch to stop the sending of various file types from the desktop.
Despite all this, we still get virus outbreaks. Not many, but it doesn't take much to ruin our careful public relations image. We expend a huge overhead managing this multivendor multilayer protection.
All this lets us know when the bad guys or malicious code or foolish insider does something wrong, but in today's increasingly litigious world, how can we prove it?
We use the EnCase forensics system from Guidance Software Inc. for Windows NT desktops and are looking at ForensiX from Fred Cohen & Associates for the Unix world. These products let you take a cryptographically sound copy of a disk and search it to find deleted files, naughty images or whatever dirt a user has been getting his hands into (and, yes, it's always a he in these cases). I suppose I could see a point to downloading pornography in the privacy of one's own home, but I still don't understand why anyone would download it at work.
So, all I have to do in the next three weeks is deploy a method to provide secure e-mail to our board members at their companies for minutes of their meetings and provide our critical internal monitoring data to an outsourced partner.
I'm out of the office for the next week to complete certification and training on some of our security infrastructure, and my manager is out of the country for two weeks, so I'm also acting head of infrastructure.
As I try to keep all the plates spinning, if you have any advice or insights, the Security Manager's Journal forum is always open for discussion.