Wall Street Technology Association:
Threat Management Overview

Cultures may be very different around the world, but the role of the security professional is changing in every nation in response to threats that are evolving even faster.

by Alex Goldman
ISP-Planet Managing Editor
[February 14, 2008]

The Wall Street Technology Association (WSTA) seminar on Threat Management and Information Security began at 8 AM, and people were present to see an impressive roster of early speakers. Opening the event was John Pironti, Chief Information Risk Strategist of Getronics, an Amsterdam-based information and communications technology (ICT) firm.

"Our adversaries are organized and are working together," warned Pironti. "They only need to master one attack." The corollary of this, of course, is that enterprises need to defend against every attack.

"Our adversaries only have to be right once; we have to be right every time," he added.

"We obey ethics and laws; they don't. Sometimes one of our clients says, 'we know who the adversary is—let's go get them.' We cannot. We obey the law."

In any case, you cannot solve your security problem by having one hacker arrested.

The business of security
During the internet boom, Pironti said, people began to understand that companies had valuable assets and began to deploy strategies to defend them. Between 2001 and 2007, he added, compliance became king as laws such as Sarbanes-Oxley forced companies to have security policies. During that time, worms, bots, and malware proliferated.

And the security industry grew too. The RSA Conference grew from a small gathering to the massive event it is today.

In 2008, Pironti said, the rules change again. "It's a data problem, not a technology problem." Customers understand that bad things happen to good technology.

But they may overlook some threats. Traditional hackers have evolved from status seekers telling the world about their exploits to criminals launching secret, targeted attacks against institutions with valuable data.

Company insiders become hackers when they try to fix a problem themselves before calling the help desk.

"Everyone has the tools. The best attack tool is Google. Everyone has it. Now they just need a motive."

Those selling security are still talking about threats, trying to persuade decision makers that their data is vulnerable. But decision makers already know this. Vendors need to know the risks, not the threats, and in order to talk about risk, they need to understand the business of their customer.

"Most are still talking threat, not risk, conducting a threat and vulnerability analysis. But anything can happen. How many find the likelihood of what will happen? We want to go into a business before, not after, an incident, but business people are afraid of us. They are afraid that security will stop them from doing things. So don't be security. Change your name to 'risk management.' Act like consultants within a business."

Deliver what your customers demand
"People at the board level want two things: a list of risks and a plan to deal with them. You get fifteen minutes to explain the plan if you're lucky. Want to catch their attention? Let them know what could put them in jail!"

"I'm sure that managers can find the physical assets, the servers, etc.," he said. "But do you know where your data is? Do you know what's on laptops and smartphones? One of our largest financial clients claims they lose fifteen phones worldwide each day. Can you open attachments on phones? Do you need to be able to do that?"

Then there's the business process. "Data flows to places you don't want it to go. We outsource to India, and we trust them, but they outsource to China, and we don't want the data to go there."

People are concerned about the technological methods that hackers can use to get passwords, but fail to consider the habits that make passwords readily obtainable. "It's easier to get a password from a Post It note than through technology," said Pironti.

Another uncontrolled element of the business process: who guards your network at 2 AM on Saturday night? "I love to check this. I go in there and find some poor college kid studying for exams, working from notes that say whom to call when an alarm goes off."

Compliance may not be enough. "The Payment Card Industry Standard people had a public hearing. Was TJ Maxx in compliance? They were compliant by the time of the hearing, but it did not address why they weren't compliant for a number of years but were still allowed to function."

Identify the valuable data
"Not all data needs to be secured the same way. Are you going to limit what an executive can take on a business trip? Try it! It won't work. You need to figure out what to worry about."

"You need to have current and accurate information. An audit once each year, with 30 days' notice, is not enough. The IT team will clean up everything and then do it again in eleven months."

Don't write off risk that doesn't affect you but does affect those around you.

Don't just focus on technology. Add the following to the OSI stack: underneath layer one, write "people," and on top of the stack write "policies and procedures."

Security consultants are not just advising what technology to buy. They are involved in basic business processes—or should be. If you're not allowed in when decisions are being made, look to your own behavior and make sure that you're delivering what the business needs and what the operation teams want. Be a consultant, not an auditor. Be a partner, not an adversary.

Because the adversaries are out there and they are ready to pounce.

Related articles:
  [Aug. 25, 2006] Consultants are an ISP's Friend
  [May 17, 2002] The Plague Upon Us
  [Sept. 14, 2001] Simple Assumptions Provide False Security
