Do You Know What’s Under the Hood?
Assessing IT security in a risky world
Interview with Paul Hernacki, Senior Director of IT Services, Definition 6
The cost of security breaches caused
by intruders and viruses is growing. Customers will be
lost either because your services were not available due
to exploited vulnerabilities or because they do not
believe your services or products afford them reasonable
assurances of privacy and security. But how do you know
if your business and technical infrastructure is secure?
How do you know that you haven’t already been
compromised? In hacker parlance, you may already be
“owned” by sleeper viruses and Trojans that turn your
servers into a legion of zombies at the bidding of a
bleary-eyed hacker living in his parents’ basement
half-way around the world.
Complimentary Assessment

Is your infrastructure sound? Do your business intelligence tools perform the way you require? Our assessments give you answers.

Definition 6 is pleased to offer complimentary business intelligence and infrastructure assessments. These aren’t sales calls; our technologists and consultants provide this on-site service to help you close gaps between your organization’s objectives and its infrastructure/BI performance.
As the Senior Director of IT
Services for Definition 6, Paul Hernacki knows that a
critical first step to providing secure and reliable
services that keep your business up and running is an
understanding of where you are in relation to best
practices and regulatory compliance for your industry
and business size. Hernacki and his teams assess three
key components of security: people, processes and
technology. He recommends a baseline assessment as a
great place for any company to begin improving IT
security in a risky world.
Start with a baseline security assessment
Hernacki declares, “We start our
security assessments by asking, ‘Do you know what’s
under the hood?’” Hernacki’s group first looks at the
composite maturity of the client’s technology infrastructure.
“This includes the overall technical security services,
the applications, firewalls, authentication and
authorization. We utilize a combination of tools and
procedures to baseline the existing environment and
determine if systems have already been compromised. The
baseline can later be used to enable Intrusion Detection
analysis to determine if a system has been compromised.”
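As an added illustration (example code written for this page, not Definition 6’s assessment tooling), here is the core of the baselining procedure Hernacki describes: fingerprint every file on a host, store the result somewhere the host itself cannot alter, and later diff a fresh snapshot against it. The sample tree and the simulated tampering are constructed for the demo, and a POSIX-style filesystem is assumed. One caveat the quote implies but does not spell out: a baseline taken from a host that is already compromised simply enshrines the compromise, so the first snapshot should be checked against vendor-supplied hashes or a known-clean build before it is trusted.

```python
# Added example (not Definition 6's tooling): a minimal file-integrity baseline.
# Assumes a POSIX-like filesystem; the sample tree in demo() is constructed.
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Content hash plus the metadata an intruder most often changes."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": oct(stat.S_IMODE(st.st_mode)),  # catches new setuid/world-writable bits
        "uid": st.st_uid,
    }


def take_baseline(root: Path) -> dict:
    """Map every regular file under root (relative path) to its fingerprint."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def save_baseline(baseline: dict, store: Path) -> None:
    # Keep the baseline off the host it describes, or an intruder can rewrite it.
    Path(store).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(store: Path) -> dict:
    return json.loads(Path(store).read_text())


def diff_baselines(old: dict, new: dict) -> dict:
    """Report what appeared, disappeared or changed between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed sample: baseline a tiny fake system tree, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as host, tempfile.TemporaryDirectory() as vault:
        root, store = Path(host), Path(vault) / "baseline.json"
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF fake binary")
        save_baseline(take_baseline(root), store)

        # Simulated intrusion: extra uid-0 account, cron persistence,
        # a hardening file deleted, and a setuid bit dropped onto a binary.
        with (root / "etc" / "passwd").open("a") as f:
            f.write("backup:x:0:0::/:/bin/sh\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "backdoor").write_text("* * * * * root /tmp/.x\n")
        (root / "etc" / "ssh_config").unlink()
        (root / "bin" / "tool").chmod(0o4755)  # reported as "modified" on POSIX hosts

        return diff_baselines(load_baseline(store), take_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it directly to print the diff for the constructed tree: one added cron entry, one removed hardening file, and modified entries for the password file (and, on POSIX, the setuid binary). In production the first snapshot is taken from a clean build, the stored baseline is signed, and the comparison is scheduled; that is the job tools such as Tripwire and AIDE do at scale.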
The security processes are next.
Hernacki states, “No matter how much money you spend on
security technology, if you don’t have people who
administer it correctly, you are still vulnerable to
risk.” For example, Hernacki examines how security
patches from vendors like Microsoft or anti-virus
companies are managed and deployed across the
enterprise. He also considers rules and group policies
that are in place and enforced around software
installation, password changes and employee identity
management.
Hernacki also recommends thinking of
smaller issues that have big impacts. He asks, “Do you
have standards for application development? Newer
developers—or developers unfamiliar with your
standards—may leave holes in their code that leave you
open to hackers or vulnerable to denial of service
attacks.” Hernacki continues, “Ideally, there should be
security standards around every application developed in
your infrastructure.”
In this area of processes, it’s
important to look at the physical safeguards that
protect your networks and systems. Ask the following
questions: Who has physical access to your servers? Who
can enter your building?
Another critical area, perhaps the
most critical, of assessing your security is to look at
your people. Thinking about personnel, it’s important to
look beyond IT staff to the people who can do the most
damage—the end-users. Hernacki asks, “Do most people at
your company even know your security standards? While
many things can be done using enforced group policy,
users need to be actively aware and informed about
potential security threats and their role in preventing
them.” Part of the baseline assessment is to evaluate
how effectively security standards are communicated to
the masses.
“This is the game on the ground,”
Hernacki states. “You can have the most expensive
infrastructure, the strictest standards and the best IT
staff. But if your users don’t know the standards—or are
not held accountable for violating the standards—then
your systems become more vulnerable with every misstep.”
The personnel managing and
administrating your technical infrastructure are where
the rubber meets the road. The most powerful security
products are useless in the hands of unqualified people;
conversely, seemingly insecure systems managed by top
notch resources can have you sleeping soundly at night.
Products are not a solution in and of themselves. Take
for example Microsoft products such as Windows Server
(including Internet Information Server), Microsoft SQL
Server, Microsoft Exchange Server and Outlook. These
technologies are some of the most heavily deployed
products in the enterprise today, and for years they
have been under attack by all manner of security
threats. Just because your business uses Microsoft
products, are you more vulnerable to security breaches
than your competitors? The answer comes back to the
people you have managing it. Microsoft has designed
these products to be easy to use and administer, but
this does not mean you can assume that anyone with a
Microsoft Certification knows all the ins and
outs.
In the wake of catastrophic security
breaches such as the “I Love You” virus and Nimda,
Microsoft realized that many businesses were shifting
their priority from making system deployment as quick,
cheap and easy as possible to placing an increased
priority on security. Microsoft codified a new proactive
approach to security in their SD3+C philosophy.
Hernacki explains, “This stands for Secure by Design,
Default, Deployment and Communication.” Design means
that security is a primary concern from the beginning of
the development process. Default signifies that many
features which affect security are turned on or off
appropriately as default settings when new products are
released: Making a product less secure becomes a
conscious decision on the end-user side. Deployment
signals a new focus on giving customers the guidance and
tools to roll the products out, and keep them patched,
securely across a large organization.
This is coupled with significantly more communication
from Microsoft. They vowed to work more closely with
admins and IT staff to keep them updated on new patches
and security fixes for their products as well as enable
federated security patch distribution and installation
following testing in an enterprise.
This was a serious investment for
Microsoft and a seismic shift in their consumer
positioning. Their new focus on security "as a
necessity" was based upon the realization that Microsoft
e-mail, networks and databases were now
business-critical applications running mission-critical
software. These elements were now seen as equally
integral to the everyday business environment as
telephones once were.
Determine what is secure enough
Once a baseline is established, the
next questions to ask are: What are the risks and what
are the costs to mitigate those risks? What is “secure
enough?”
Different businesses will take this
baseline in different directions. Banks, for example,
have much stricter security standards due to increased
government regulation. Every business, however, must
weigh the risk of not spending enough and being open to
attack or system failure versus spending what’s needed
to be reasonably safe from risk.
That idea brings us back to
Microsoft. The shift to greater consciousness of
security was based upon a serious assessment of their
security situation. As a dominant player in the industry
and a backbone of many corporate infrastructures,
security was a must and the expense was more than
justified. But more than just “needing to be secure”,
they also saw a new opportunity to market themselves as
a security-conscious company. Hernacki believes other
companies can start a security revolution internally and
position themselves in a similar manner to the public.
Use security as a marketing strategy
“In a sea of look-alike companies,
positioning yourself as being extra security conscious
can be a savvy strategy,” Hernacki explains. “Look at
the very effective campaign CitiFinancial credit cards
put together regarding identity theft. Consumers now see
this as a problem that threatens them and that Citi is
offering a competitive differentiator. Security doesn’t
have to be a cost center or necessary overhead. If
married with a good marketing strategy it can become a
revenue generator.”
The Citi ads put a human face on
identity theft with a wicked sense of humor. “The point
hit home,” Hernacki elaborates. “People understand this
is a real risk, but they now know CitiFinancial has
extra tools that can protect them.”
Hernacki offers two caveats to this
strategy. “First, make sure your security really is at a
higher level,” he explains. “If you tout your invincible
security, then suffer a setback, it’s that much harder
for consumers to trust you again.”
“Second, make sure your security
stays on top of emerging fraud and hacking schemes. Once
you declare yourself as having extra security, you make
yourself an even bigger and more desirable target for
hackers. Your IT staff should focus on watching out for
new security risks, rather than resting on their
laurels.”
Because no one likes to spend money
on something like security that doesn’t directly
contribute to profit, Hernacki reiterates, “Leaving
yourself open to risk could bring catastrophic loss, at
the worst. At the least, it could lead to business
losses if customers feel they cannot trust your
security.”
Hernacki advises companies to start
with a baseline assessment—and then form your own
opinion about how safe you want to be relative to the
maturity typical of your industry and the regulations
you must meet. From
this baseline knowledge, you can make strategic
decisions about how to best spend your money on
security.
Your company may not be that large,
but your customers should know that they can trust your
security technology and policies. Make sure everyone
knows about your policies and that the technology in
place supports them.
A baseline security assessment will
introduce you to what’s under the hood, and knowing
what’s there will put you in a much better position.
Once you’ve done your assessment, start a security
revolution, use your security as a marketing tool and
then let the baseline assessment continue to guide you
to make more knowledgeable and strategic decisions.