business news in context, analysis with attitude

Technology provides enormous advantages. But at the same time, it also creates an environment of considerable risk.

To assess the current state of “corporate insecurity,” MNB engaged in an exclusive e-interview with Gordon Smith, president/CEO of Canaudit and a speaker at the upcoming Food Marketing Institute (FMI) Marketechnics conference in San Diego, scheduled for January 30-February 1.

MNB: In 2006, are we more or less vulnerable to high-tech crime than we were, say, pre-9/11?

Gordon Smith: We are far more vulnerable today than at any other time in history. In the aftermath of 9/11, the emphasis was on physical security not on securing corporate information and IT infrastructure. Sarbanes Oxley made the situation worse as executives and auditors were scrambling to comply with this legislation. Efforts were focused on traditional general controls. These controls consist of polices, procedures, application level controls and supervisory and management review. This enabled many organizations to be SOX complaint, yet major IT risks still remained. The overemphasis on the general controls came at the expense of database, operating system and network controls. IT staff, security analysts and auditors were so consumed by SOX compliance that simple procedures such as critical patches were not applied and database export files (backups) were not properly secured.

The critical flaw was the failure to link the SOX work to the preventive non-discretionary controls available in the operating systems and databases. While the debates raged over how complex a password should be, new password crackers, such as Rainbowcrack, enabled hackers to crack a Windows LanMan password in less than 30 minutes. New exploits that give an attacker complete control of a server are discovered every day. These exploits are created and passed around the Internet in a matter of hours. The vendors are hard pressed to develop, test and distribute patches before hackers take control of entire corporate domains. For examples of organizations that have had a serious information technology security issues go to ChronDataBreaches.htm.

MNB: What accounts for this change?

Gordon Smith: I believe that the lack of change is caused by shifting corporate priorities. In 2005, Sarbanes Oxley was the hot button. My quest for 2006 is to make information protection the most pressing issue in IT audit and security shops throughout America.

MNB: We asked this question of Marianne Jennings, who is speaking at Marketechnics about ethics, and we’re curious what your answer would be: Does technology create ethical lapses, or just make them easier? In other words, would the people who are ethically challenged be behaving badly even if we were typing on manual typewriters and riding horses to work?

Gordon Smith: Business ethics is a binary condition. People either have ethics or they do not. Those who want to steal will steal. Those who are honest cannot be bought. Opportunities for malfeasance will only increase as business systems become more complex and customers demand more self-driven interactivity or greater access through the Internet. Technology facilitates easier access, enabling dishonest groups and individuals to take advantage of control gaps for their own personal gain.

MNB: Are retailing companies spending the time and money they need to in order to secure their databases, especially considering how much customer data may be at risk?

Gordon Smith: Retailing companies are spending more time and effort than ever before to secure customer data. It is not how much you spend, but how effectively you deploy your information protection assets. At Canaudit, we specialize in penetration audits and vulnerability assessments. Many of our clients have spent millions on information security products only to find that these products, as installed, did not detect or prevent our efforts. In some cases, their trust in their investment and the hours invested in installing security caused them to have an unrealistic belief that they were secure. They dropped their guard and our penetration team penetrated their networks and servers like a hot knife slicing through butter.

Twenty-eight years ago when I started on the lecture circuit, one of my key themes was that you could not purchase security, rather it is a mindset. This is even truer today. It is not the investment that is important; it is the effectiveness of the protection efforts that is essential. Some of our clients are resource starved, yet their security is better than those with much deeper pockets. These resource-poor clients look after the basics: limiting administrator access, automated security alerts, eradicating service accounts with default passwords, removing trust relationships, implementing selective two-factor authentication and other inexpensive yet proven techniques to protect the environment. Let me reemphasize my point: it is not the investment in security that is important; it is the effectiveness of the installed controls.

MNB: Are there things that individuals/consumers can do in order to secure themselves and their personal information?

Gordon Smith: Consumers will be at risk as long as they provide their information to organizations that do not have a secure processing environment. One would think that your data stored at Bank of America would be secure. Yet there have been at least three incidents in 2005 where BofA customer data was exposed. Wal-Mart made the Hall of Shame on December 12, 2005 when credit card customers at their Sam’s Club / Wal Mart gas stations were exposed. I have been using gas stations as a primary example of credit card vulnerabilities for over seven years, yet the controls are still not in place. Management often does not perceive the reality of a specific threat until after it happens. Then they scramble to do damage control.

In today’s world, the customer can take all the precautions (using only secure web sites, monitoring their credit reports, etc.) but somehow still have their information stolen or abused. I believe the focus should be on the trust a customer places on the organizations they do business with. It is up to businesses to ensure that customer transactions are secure and that customer data is protected. Responsibility should be placed where it belongs, on the merchants, vendors, universities and other organizations that have a fiduciary responsibility to protect their customers.

MNB: Is the biggest threat for cyber-terrorists with political agendas, or old fashioned hackers with nothing other than mischief and/or personal/financial gain on their minds?

Gordon Smith: This is like asking if it is better to be killed in a plane crash or to get hit by an 18-wheeler. Either way you are dead. No one can predict with accuracy the threat that will be the next reality. Cyber-terrorists will go for infrastructure, power grids, nuclear plants, refineries, shipping and rail lines, cities, etc. Hackers will go after simpler targets. Our primary job today is to look at all risks and protect our clients against those that are most likely to occur. Our secondary task is to ensure that we are prepared when a cyber-event occurs so that we can contain the damage, quickly repair the networks and databases, and focus on prosecuting the perpetrators. Prevention is always best. Prosecution ensures that the message gets out to those contemplating nefarious acts: Do the crime and you will do a lot of time.

MNB: When people leave your presentation at FMI’s Marketechnics, what will their marching orders be?

Gordon Smith: Don’t believe your own staff when they say the network and databases are secure. Demand proof! Have a real vulnerability assessment completed by qualified teams to assess your initial risk. Develop a plan to mitigate the risk. Create a team empowered to correct existing issues and to identify and remediate new issues. I believe in a proactive security approach that resembles painting the San Francisco Bridge. As soon as you finish painting it, it is time to start over again. With networks, as soon as you implement a security program, it is time to go back to the beginning, analyze new threats and roll out a new security implementation that responds to real current and future threats.

Gordon Smith is scheduled to speak at FMI’s Marketechnics conference on Wednesday, February 1, from 8-9 a.m.
KC's View:
We were looking at our Marketechnics details the other day, and noticed that this year’s conference deviates from previous years in one important way – whereas past Marketechnics ran from Sunday to Tuesday, this year runs from Monday to Wednesday.

We only mention this because we’ve now spoken to a couple of people who were planning to attend the show and who were surprised by the scheduling. So we thought it worth mentioning here.