Managed Security Services

Simple Assumptions Provide False Security

Whether you're purchasing a shrink-wrapped security solution off the shelf or have built a data protection plan that relies on machines in the twin towers, simple assumptions can lead you astray.

by Drew Bird of CrossNodes, an EarthWeb site, and Amy Newman of ServerWatch [September 14, 2001]

Companies that thought their data protection solution was perfect have had to review their plans. Sonoma County, Calif. may about as far from New York City as you can get while remaining on the U.S. mainland, yet the economic impact of the World Trade Center tragedy is being felt there by Online Consultancy Network.

The consulting firm is just one of the many companies with colocation facilities in lower Manhattan. Within moments of the attack on the World Trade Center, its membership network Web site server went dark and has not come up since.

Following the attack on the World Trade Center, clients, affiliates and services throughout the world have been contacting the company's Northern California headquarters to find out what had happened to its business news and consulting exchange website, which once came up as www.ocnww.com and at this time (about noon, EST on Sept. 13) cannot be found.

"We selected New York as our server location due to the stable telecommunications infrastructure, lack of earthquake fault lines, and our alliance with the New-York-based Web development and hosting firm iXpress.com. All of our thoughts and prayers are with our New York colleagues, members and their families and friends at this time," said Director and CEO Benjamin Train.

"In light of the great personal human tragedy taking place in New York City and Washington, I feel the economic impact to the Network is negligible. However, as each day we and others are offline climbs, the financial impact will climb," stated Train.

Assumptions revealed
Let me sound a similar note of caution closer to home. I was chatting with a customer the other day when the topic of testing their firewall solution came up. During the conversation I asked who he was going to use to do the testing. When he pointed toward the systems administrator, a capable individual, but one who has had nothing to do with firewalls, I was a little taken aback. Much as I had faith in this individual to create a user account or even install an operating system, the thought of him testing the corporate firewall was as scary as my next date with the dentist.

What, I asked in the steadiest voice I could muster, made the client think that its junior administrator was capable of testing the firewall? Instead of a justification of the administrator's technical skills, the client simply reached into a cardboard box and produced a shrink-wrapped package from within it. The package contained firewall testing software, and the sticker on the box proclaimed among other things, that it was 'usable by those with only a basic understanding of firewalls'. It would seem the claim was about to be put to the test. The client informed me the software was the same as that used by an outside security consultant during his last visit. In effect, the client resented paying the fees charged by the security consultant for using the same software that he could buy and operate himself.

As the threats from outside sources have increased in their complexity, the ease with which our security systems, such as firewalls, can be tested has increased also. Packaged software now enables us to test security solutions and determine their effectiveness with ease.

But can using a packaged software solution really offer the protection that's available from a dedicated and specialized security provider? To put it another way, does this kind of software literally lure us into a false sense of security?

Competence cannot always be shrink-wrapped
In a sense, there is no reason why testing a security solution should not be as simple as point and click. Most of the other things we do on a daily basis are done the same way. Perhaps the bigger issue is that while the software to test our security solutions may be simple and easy to use, are those doing the pointing and clicking able to effectively test—and, just as important, interpret—the information produced from such a test? In addition, are they able to act on the information produced from the test to correct the problem? Given that in many cases the person conducting the test is the network or server administrator, you have to wonder whether the task is not more suited to someone who does it for a living.

In IT, as in any other field—but particularly in security—real world experience makes a difference. In a given year, a system administrator may have to deal with one or two security incidents. A security consultant will most likely deal with more than this on a single day.

Knowledge and experience gained from intensive exposure allows security consultants to develop finely honed skills in both risk assessment and identification. They are far more able to thoroughly test a security solution than someone who has just read the instruction manual for a software package.

That is not to say that using a security consultant is foolproof. Not all security consultants, or consultancies, are created equal. As much time should be invested in choosing a security consultant as choosing the security solution in the first place.

The introduction of certification programs by a number of the leading security software vendors can lead you to believe that holders of these certifications are competent and knowledgeable, but there's no foolproof guaranteel, so to speak.

Just as there are inexperienced and 'paper' holders of other certifications, security certifications are no different. The exact skills which are so important in the work environment—up-to-date knowledge and hands-on experience—are the two hardest things to incorporate into a certification test.

As mentioned earlier, that is not to say that certified individuals are not competent, but the value of the certification can only be estimated when it is backed up by practical on-the-job experience.

Understand the risks
Through this experience, security consultants are able to understand business issues as they relate to security. Understanding the risks is actually a step that comes before any kind of remedial actions, as Allen Vance, Vice President of offer management for Internet Security Systems, a leading provider of security testing software, points out.

"First, customers must understand what kind of business level risks they have," says Vance. "A bank will have different associated risks than, for example, a baker. Next, you have to determine whether you have the appropriate skills to manage the solution in house. In each case, not determining your needs or understanding the requirements fully will most likely prove to be a false economy." Vance has the luxury of providing an impartial view on the subject, as customers of ISS fall into both camps.

If, at the end of the day, you have the skills in-house and understand the risks that you are protecting against, using testing software and performing your own checks may be a valid approach. But if there is any doubt, use a suitably qualified and experienced security consultant. As one veteran security consultant puts it, you could save a few bucks and it could cost you your business.

Compelling argument, isn't it?

—End