Q&A: A COMMON SENSE APPROACH TO COMPUTER SECURITY

Source: Baseline
Posted on August 16, 2007

William "Bill" Boni is one of America's leading computer security experts. In his role as corporate vice president of information security and protection at Motorola, he's charged with protecting the electronics giant's global network and computer systems as well as its digital proprietary information, intellectual property and trade secrets. Boni, a one-time U.S. Army counter-intelligence agent, has spent the past 30 years in the information protection field and is called a pioneer in the innovative application of technologies such as computer forensics and intrusion detection. Before joining Motorola, Boni was on the security staffs of First Interstate Bank, Hughes Aircraft and Rockwell. He is co-author of several books, including Netspionage: The Global Threat to Information (Butterworth-Heinemann, 2000). He spoke recently with Baseline editor-in-chief John McCormick. This is an edited version of their talk.

Q: What are some of the things that you're worried about most?

A: Well, I.T. and management have had in the 20th century the hackers-as-hobbyists and hackers-as-hooligans kinds of experience, where hackers were either just experimenting around to see what could be done or they were basically saying, "Well, look how smart I am, I can break a lot of things and be highly visible." Certainly in the last three years we've seen something I had predicted back in the late '90s when I wrote my book I-Way Robbery: Crime on the Internet. I said, look, the criminals are going to figure out that there are ways to monetize access, to our detriment. The management and technical staffs have still not internalized the difference in the sophistication of the threat. Our challenge, as security professionals and as control professionals in fighting the threat, is how do we build the business case? How do we walk the line? You can't be paranoid and talk about the extreme examples, but neither can you be oblivious to the change in the nature of the threat actors, and therefore the types of controls that are necessary.

Q: So, what do you do?

A: Part of what we try to do is to actually build our program with that as the focus - saying what I need my team to be focusing on are the new technologies. My team is looking at the new and emerging risks and looking at new and emerging techniques, technologies and strategies to manage that risk. Meanwhile, the basic functions of I.T. that ensure the integrity, the availability and the reliability of those platform elements, we build in, within job functions and activities, specific control functions so that it's part of their job to take actions that help ensure the protection of the enterprise I.T. environment. For example, the I.T. security team does not operate the patch management system. That is the responsibility of the operational teams. The challenge is to balance the protection of the most valued, the most critical, the most significant items with the productivity consequences of being over-controlling. That's really a different way to think about it.

Q: Where does this come from?

A: I've been doing this for 32 years. And I've seen multiple cycles during my career. The evidence started to accumulate. Then packaging that, presenting that back both to my staff and management, saying, "OK, here's how we're going to deal with the things that we know that we have to deal with, and here's how we're going to position ourselves to be more adaptive and hopefully more resilient to the things that we don't yet know about but we can anticipate are going to become consequential in this new environment."

Q: So, what steps have you taken recently?

A: We have totally revised our policy and process framework. The challenge for us is that we're in a very complex world. Motorola's business is to innovate rapidly, be agile, be adaptive. So, in an environment like ours, if you are not careful and you put an overabundance of security and controls in place, you inject friction and you impede the ability of the organization to be innovative because you impede its ability to communicate and collaborate. But the counterpoint to that: There are increasing legal and regulatory and contractual commitments to absolute protection and management of the access and utilization of various kinds of content that you have to rigorously adhere to. It's like trying to square the circle in some ways.

Well, obviously, in trying to find the right balance point, what we're going to do is focus our program, the technical and operational controls, on the data that we must manage rigorously to ensure we have complied with laws, regulations, contractual terms and conditions and our company policies. And by definition, that's a subset of the total volume of business information and communications that flow throughout our global enterprise. So, by narrowing the focus to the data of concern, that's one area. And secondly, by defining my team's responsibility as dealing with material breakdowns in controls, we're going to manage information risks that matter with close attention. We're not going to ignore it. However, because that is a small part of I.T.'s domain, we're saying that providing basic I.T. security and controls is included in the job of the operational functions, what we call the "run" activities. As the corporate security team, it's our responsibility to help them understand and equip them to self-service-enable performance of the operational I.T. security tasks so that the corporate team doesn't impede their ability to be agile and responsive in their daily duties, so they can perform their assignments and make good information risk decisions.

So, we're adopting, I think, the highway-patrol model of protection. We're doing a lot of driver's license training of users and of I.T. staff. We're enabling them to understand what their responsibilities are through our handbooks and so forth. For example, we had over 300 pages' worth of security guidance that staff were expected to internalize and conform their behaviors and choices to. In today's fast-paced business world, that's kind of an unreasonable amount of detail to ask everybody in the company to be familiar with.

Q: So, what did you do?

A: We simplified that down to about 20 pages. And there is still some concern about that. I pulled out a copy of the Illinois driver's license training handbook, and there's 120 pages on how to drive an automobile. I said, "OK, if we can get a 15-year-old to read 120 pages because it's the most important thing for him to get that license, I think we can get our people to understand their personal responsibilities in these 20 pages." So, we simplified the control frameworks, we simplified the message, we narrowed the focus, and we have adopted the model of, "OK, now we'll be observant to control breakdowns, breaches, failures, and analyze that." We'll determine if there's a lack of understanding and, therefore, clarity in our communications, or in our approach, or in our technical means. Or, if there is an attack, if it's deliberately malicious. And if we detect it on a timely basis - where we're effective in preventing the major consequences and so on - the root cause analysis takes on a different flavor as well.

Q: You talked about these 20 pages, but what's on those 20 pages?

A: It provides guidance. On the user side, it says this is how you are going to operate. Your principal device will be a company-provided piece of equipment. It provides guidance on where [the equipment] can go and how it can be accessed. On the I.T. side, we have more detailed standards and specifications where it makes sense. Security for, let's say, a commercial database product that's going to have crown jewel-type information requires more detailed guidance and direction about how the database is built and specific technical safeguards required for logging of access and activity. These controls are necessary so we can have protection where it is needed to allow us to prevent, detect and respond to threats to that information.

In the past, we provided lots of detailed guidance, many very specific do's and don'ts that were applicable across the board and required the I.T. staff to read and decide how and what to do. We typically required a security sign-off for many steps in systems development and operations, even for non-critical systems. That approval protocol inherently impeded the ability of people to make fast decisions and, when applied to the less critical environments, injected a lot of "friction" into the I.T. deployment process. So, it's a balance. The balance is to give people as much guidance as possible so that they can make choices. My experience has been that 90% of people in an organization will do what's necessary and expected 90% of the time if they understand what it is, and how it is. The problems will come when there is a failure to adhere to the expected behavior - most of that will be a lack of understanding, and only a very small percent will be deliberate, willful and malicious acts. What I want my team focused on is whether we have the appropriate controls around critical data. And developing the metrics - the application of Six Sigma has mechanisms to identify failure modes - and the appropriate mechanisms to prevent, detect and respond quickly so that we keep the variance within an acceptable range.

Q: You seem to have a very pragmatic approach.

A: It's a very pragmatic effort to address what must be addressed, and to take a step back from trying to be over-controlling and injecting too much friction into an engineering culture. Motorola has a lot of talent. If you become too rigorous, the engineers will either route around you or they'll opt out. You have to accept the responsibility to educate and inform the population of both management and employees about the changes in the environment, the changes in risk. The nice thing about our culture is that when you have the facts to support it, it will be supported.
This news clipping is reproduced by Bennett Gold LLP, Chartered Professional Accountants, without profit for research and educational purposes, in accordance with United States Code, Title 17, Section 107 and Article 10 of the Berne Convention for the Protection of Literary and Artistic Works.