Date: 26-Nov-2009   URL: www.sun.com/emrkt/innercircle/newsletter/0509/feature-biz.html

Unfettered Access with Total Security

Sun's Chief Information Security Officer offers her advice about how to balance access and control

Keeping the network simultaneously open to those you want in and closed to those you want out is the weighty task of most information security officers. And with a world now expecting full access to outside communities such as social networking sites, this issue rises to the forefront. Leslie Lambert, Sun's Chief Information Security Officer, offers Inner Circle readers advice on how to protect your company via strong policies and the practice of telling employees “how” rather than “no”.

Q: What is the role of Chief Information Security Officer?

A: I'm responsible for the protection of information in digital form. This includes the information assets of the company such as intellectual property, customer data, trade secrets, source code, and any confidential information on our network, servers, or storage. I don't handle physical site security, which covers buildings, badges, and lobby officers.

Q: How do you manage the paradox of keeping the network open to those you want to let in and closed to those you want to keep out?

A: We use standard “access control” practices that have been in place for years. We have a clear understanding of who is authorized to access Sun's wide area network, whether they be employees, or a part of a large family of Sun-associated folks, such as contractors, consultants, vendors, partners, external manufacturers, resellers, etc. We employ all of the good old methods of access control including identity management, access management, role management, and more.

Our corporate culture is fairly open — more like a university than a corporate setting — because we actively use and support Internet-based technologies and social networking. Sun is an IT provider to many of these Internet-based businesses, so we not only facilitate their growth, but support them with our actions.

Q: What are the biggest intrusion threats out there today?

A: The biggest threats continue to be various forms of malware. The creation of viruses, worms and botnets used to be isolated to lone individuals working out of their garages. Now there are large “industries” in certain countries around the world believed to be very well-funded by organized crime groups, making huge profits from the havoc they wreak. If intruders are able to exploit a large list of credit card numbers and their percentage hit rate is high, then they've achieved a good return on their time investment to create the infection. Botnets can go out across a network, infect several computers, and harness all the collective processing power of those computers to do their nasty work. So my advice is to keep your anti-virus and anti-spyware programs current, not only for your company, but for your individual systems as well.

Q: What is the number one thing executives need to keep in mind when securing access to their companies?

A: You need to know who should have access and who should not. That's number one. Number two is having effective mechanisms and processes to put controls in place. You may want to follow industry frameworks such as ISO 27001 or 27002 or other standards of good practice for security. Then, you need to back that up with a level of automation. Doing things manually is simply not going to work given the magnitude and speed with which we're required to operate. Identity management and access control products are essential for managing access control services.

Q: What is riskier for companies, letting employees have access to social networking sites or forbidding it?

A: There has been a lot of concern about allowing employees to have access to social networking sites; this was the subject of a recent security industry panel discussion I participated in. I was sharing Sun's perspective of openness and connecting via social networking, sitting right next to a CSO from a manufacturing company which doesn't permit employee access at all. Our environments are very different. But the whole aspect of social networking and people connecting, collaborating, and sharing is what we've been doing for years. In the past we used tools with other names like newsgroups, bulletin boards, or chat sessions. The advent of facile sites like Facebook, MySpace, or LinkedIn is simply an extension of those. You wouldn't think of posting your corporate secrets onto a bulletin board or newsgroup. In the same fashion, we must provide awareness and guidance to employees to behave in the same way today so that they aren't posting corporate secrets, customer data, or intellectual property onto social networking sites that anybody can access.

Forbidding access to these tools, I believe, is a no-win battle. There is no way to prevent it other than shutting down the network, turning off the electricity, and removing all computers. People have access today through their phones and PDAs and will use their creativity to get to these things. Plus, if, like Sun, you're hiring college grads and Millennials, these are tools and services they expect to have access to. You need to provide them if you want to remain a relevant and competitive employer in the information technology field.

So my advice is that if you're going to allow access to these tools, have very clear, documented guidelines for use and misuse. At Sun we have guidelines and policies that are well-known to employees so that they can use these tools to their best advantage on behalf of the company. It is every employee's responsibility to be aware of and abide by the policies. Policies include information on what will happen if a violation occurs (termination, performance management, law enforcement, etc.). Presuming that employees won't access these sites is extremely risky in my opinion, because you're not out in front of it with policies and education.

Q: How should companies work with outside partners and communities that don’t apply the same level of rigor to their security practices?

A: You need to decide what your risk appetite is and create security policies that match that. If a partner is not using the same rigor in security practices, you may want to reevaluate them as a partner. Because if they're taking too much risk on their own behalf, it'll affect you. We share our protection practices with partners and ask them to consider using them as well. If we do business contractually, we ask partners to meet certain guidelines. Two years ago people may have seen this requirement as arduous. Today they are much more aware. They know that they may have to pay the freight to do business with certain companies.

Q: What are some of the challenges to adoption of these concepts?

A: Yes. Password guessing is a common means of gaining access to systems, and poorly chosen passwords can be cracked in minutes. Here's my advice:

  • Use no personal info. No part of your name, address, birthday, dog, cat, friend's or family names, personal identification numbers, or any information that is easily obtained should be used.
  • Never use words that are found in a dictionary, in any language. Don't combine dictionary words, don't use repetition like aaaaaa, or simple patterns like qwerty, abcde, or 12345.
  • Don't use common substitutes of numbers for letters to form words. Familiar substitutions, such as the number 1 for letter i, 3 for e, or 0 for o are so common that they are always tried in password guessing attacks.
  • Think of a “pass phrase.” Take the first letters of each word from a favorite phrase (could be the title of a favorite book, song, or quote) to create a string of characters not found in a dictionary, that you can remember and reuse.
  • Add different character types. Use capital letters, numerals, or special characters to create a unique prefix and suffix onto your pass phrase. Add until you have a minimum length of 8 characters. Length is very important.
  • When creating password hints, don't use easy-to-guess answers. The most complex passwords are a breeze to steal if your hints are easy to figure out.
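As an added example, not part of the interview or of any Sun tool, here is a small Python policy checker that applies the rules above: no personal information, no dictionary words even after the usual 1/3/0 substitutions, no repetition or keyboard sequences, a minimum of 8 characters, and a mix of character types. The word list, substitution table and sample passwords are constructed stand-ins for illustration.

```python
import re

# Constructed, deliberately tiny stand-in for a real dictionary / common-password list.
WORDLIST = {"password", "sunshine", "welcome", "dragon", "monkey", "letmein", "secret"}

# Digit/symbol-for-letter substitutions the interview says are always tried; undone before
# the dictionary check so that "p4ssw0rd" is still recognised as "password".
LEET = str.maketrans({"1": "i", "3": "e", "0": "o", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Rows used to detect simple sequences such as qwer, asdf, abcd, 1234 (forward or reversed).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "abcdefghijklmnopqrstuvwxyz", "0123456789")


def has_simple_pattern(pw, run=4):
    """True if pw contains `run` identical characters in a row or a `run`-long slice of a
    keyboard row, the alphabet or the digits, in either direction."""
    s = pw.lower()
    if re.search(r"(.)\1{%d,}" % (run - 1), s):
        return True
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if any(chunk in row or chunk[::-1] in row for row in KEYBOARD_ROWS):
            return True
    return False


def contains_dictionary_word(pw, wordlist=WORDLIST, min_len=4):
    """True if a dictionary word of at least min_len letters appears in pw once common
    substitutions have been reversed."""
    normalised = pw.lower().translate(LEET)
    return any(w in normalised for w in wordlist if len(w) >= min_len)


def character_classes(pw):
    """Number of distinct character types present: lower, upper, digit, special."""
    return sum(1 for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]") if re.search(p, pw))


def check_password(pw, personal_info=()):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if any(info and info.lower() in low for info in personal_info):
        problems.append("contains personal information")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word (possibly with 1/3/0 substitutions)")
    if has_simple_pattern(pw):
        problems.append("contains repetition or a keyboard/sequence pattern")
    if character_classes(pw) < 3:
        problems.append("uses fewer than three character types")
    return problems
```

The pass-phrase rule is the one a checker cannot verify; a phrase-derived string such as the first letters of "The quick brown fox jumps over the lazy dog" plus a prefix or suffix passes every automated rule above, which is exactly why the interview recommends it.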
Copyright 2004-2009 Sun Microsystems, Inc.