LINUXWORLD - Speakers talk security, regulatory compliance

Intel security manager advises attendees to learn how to destroy their companies

The first step in protecting your enterprise is figuring out how to destroy it.

That's the approach to security taken by Jonathan Clemens, manager of enterprise security oversight at Intel. He recommends that companies conduct wargames to find their biggest weaknesses.

"By a wargame, I mean a tabletop exercise," Clemens said at IDG's LinuxWorld OpenSolutions Summit in New York City last week. "Sit down and be your biggest competitor, be an attacker, put yourself in the criminal mindset. ... Until you know how you could destroy your company you can't understand how you can prevent someone else from doing that."

Although identifying vulnerabilities to attacks may seem like an obvious step, when Clemens asked the audience whether they knew how to destroy their companies, just a few people out of several dozen raised their hands.

Clemens was wary of revealing specifics about wargames conducted at Intel. But he noted that Intel makes chips, and it would be damaging if the company made chips that could not perform mathematical calculations properly.

"What would happen if I was a competitor of Intel and I wanted to discredit them? Would that be a way to do it?" Clemens asked. "So you look at your core product (and) you look at who would want you to fail in that area. ... You go through these mental exercises and say 'what's the worst case scenario?'"

The worst-case scenario could involve the threat of physical harm, he told the audience, making note of a bank robbery in England last year that involved the family of a bank manager being taken hostage.

In a follow-up exchange with Network World, Clemens noted that IT managers handle data, rather than cash, but that attacks involving hostages are not unthinkable in the IT industry.

"If the financial industry, which has had centuries of armed robberies to deal with, can't defend against such an attack, how can the IT industry, where system administrators are in positions of similar responsibility, but over data rather than cash?" he questioned.

In his talk at the LinuxWorld event, Clemens also discussed emerging threats such as viruses aimed at mobile devices and custom attacks aimed at specific corporations.

"Being on the Internet is like sharing your toothbrush with 1 billion of your closest neighbors," he said. "There are people on the Internet who are smarter than you. ... There are people who are less ethical than us."

Clemens recommended that enterprises develop security policies, which should be high-level statements, not an attempt to address every conceivable problem. He discussed various layers of data protection, including risk assessments, training, physical security such as guards and surveillance cameras and network security measures.

"Does every device in your network have the ability to talk to every other device? If it does, why?" he said.


Open-source compliance

Making sure a network is secure also means complying with various regulations such as the Payment Card Industry data security standard, the Sarbanes-Oxley Act, and the Gramm-Leach-Bliley Act to protect consumers' financial information.

There are many reliable open source tools to comply with these regulations, although it can be hard to convince auditors that these programs are credible, said Jeremiah Cruit-Salzberg, a security architect for Fair Isaac.

"A lot of times, auditors don't like open source [because] it's a free thing, something you download," said Cruit-Salzberg in a session titled "Using open source tools for regulatory compliance and how to make your auditors accept it."

Documentation is critical, he noted. "Everything needs to be documented. If you don't document things, you will run into trouble, especially with open source."

The most valuable open source tool for compliance is Open Office, because it offers great ways to organize documents, Cruit-Salzberg said.

To convince an auditor that your open source tool is reliable, you should make sure it has a good commercial support system behind it, he said. If your open source tool can effectively keep track of data, but an auditor is still skeptical, it might be time to hire a new auditor.

"If they are not going to work with you, it is vital for you to go find another auditing company. Because to change everything you're doing costs you a lot more money and a lot more grief," Cruit-Salzberg said.

Collecting system logs is another vital part of compliance, and this task can be handled by open source tools such as SNARE and Zenoss, Cruit-Salzberg said. Some open source tools are not organized well and should be avoided, but overall open source is gaining acceptance, he said.

"There are very few issues that can't be resolved with an open source tool today," he said.


Security conflicts

Bruce Schneier, founder and CTO of Counterpane Internet Security, tackled the economics of information security in his LinuxWorld keynote.

The rise of the Internet has taken us to the point where some companies would go bankrupt if the Internet disappeared, Schneier said. For individuals, the reach of the Web means we no longer control most of our personal information, he said.

Schneier also described a fundamental conflict between personal and corporate security.

Most security we think of protects individuals from bad things in the outside world -- hackers, criminals, malicious Web sites, worms and viruses. But more and more, security is being built to protect someone else from the end user, who is viewed as a potential attacker.

"You can't do both," Schneier said. "Either I can design security to protect you or to protect from you. They are very much in opposition those two things. Which is why the Sony DRM rootkit, because it is protecting from you, made you more vulnerable, and your security software, which protects you, annoys the DRM systems and makes them less effective. You can't do both."