
The Road to Security Aug 10, 2006 URL: http://www.financetech.com/showArticle.jhtml?articleID=191901624
There are different ways to approach information security, and many of them are wrong, in the view of David MacLeod, director of security and chief information security officer of Portland, Ore.-based regional Blue Cross Blue Shield insurer The Regence Group ($6.7 billion in revenue), which has operations in Oregon, Washington, Utah and Idaho. Some look at security as a project -- something that you implement, something that you get done. Others focus on the technological aspect of security, dwelling on firewalls and intrusion-detection systems, to the exclusion of administrative safeguards and the human side of security. Still others take what MacLeod calls an "academic purist" approach whereby security executives make security an end in itself and become something like the corporate police. And some even see security as what you hire a consultant to do for you and, says MacLeod, "When they're done, you're done -- you've got security!"
All those approaches fail, according to MacLeod. "Though it may sound like a cliché, security really is a journey -- it is a constant and evolving discipline," he insists. "As the outside world changes, threats change; also, business needs change and business technology changes, and so must the things you do to protect it." If, as MacLeod suggests, the observation is obvious, it nonetheless is crucial in a world where information technology is evolving so quickly and -- in pursuit of providing greater service to internal clients, distributors, business partners and customers -- insurers have deliberately exposed their internal functionality through Web-based technology (as well as involuntarily through wireless technologies).
Further, financial services companies also face more-sophisticated external attacks, as the typical hacker profile has evolved from the teenaged, joy-riding "script kiddie" to organized criminals and even hostile foreign government operatives. In the early days of e-commerce, it was enough for many hackers simply to embarrass companies, notes Jonathan Gossels, president, SystemExperts, a Sudbury, Mass.-based provider of network security services. Today, he says, "Attacks are much more oriented to actual gain or physical or intellectual property loss."
Understanding the Criminal Mind
Defenses against such attacks are, one might reasonably observe, the bread and butter of security professionals. And yet, high-profile security breaches continue to happen. One cause is narrow thinking on the part of security executives, experts agree. For example, in mid-June, New York-based AIG ($109 billion in revenue) acknowledged the theft of the personal data of almost a million people. Firewalls and network intrusion were not an issue -- thieves simply broke into a midwestern regional office and physically carried off a server, along with a laptop.
Such opportunities are keeping security consultants -- such as David Taylor, VP, data security, for data security management consulting firm Protegrity (Stamford, Conn.) -- busy. Taylor relates that he recently was brought in to help a large financial institution that has about 10,000 small servers -- often containing very sensitive information -- scattered around the globe. "Stealing a server is more difficult than, say, stealing a laptop, but the reward for doing so is substantially greater," he remarks. Such hardware items, he adds, "are treasure troves of information, and particularly in certain countries around the world, we've found that they're not very well protected. In many cases they are not even in locked rooms."
Taylor says he studies organizations not just from a policy standpoint, but from a day-to-day procedural standpoint. "That's where things fall down -- there are huge gaps in policies as they're written and day-to-day practices," he contends. "And the further from corporate you are, the more variation we tend to find."
Lack of appreciation of the motives of cyber criminals also can result in vulnerability. For example, The Regence Group's MacLeod says business executives who might doubt the interest of organized criminals in a health insurer's information may need further education. Identity theft is only one of its attractions, MacLeod explains. "Let's assume for a moment they didn't care about identity theft; they still might care about the free computing services they can steal from us to access other sites that may have information of direct value to them, so they can obfuscate where they've come from while enjoying free computer services," he says. "There isn't a computing platform with public connectivity to the Internet that isn't at risk for that exact same kind of theft."
Nevertheless, security officers remain more confident about defending against external cyber attacks than internally caused attacks and data/information breaches. Deloitte's (New York) "2006 Global Security Survey" -- whose respondents were major global financial institutions, including 31 percent of the top 50 global insurance companies -- found that 74 percent of respondents said they were either very confident or extremely confident in their ability to defend against external threats, an increase of 5 percent over 2005. When it came to internal threats, however, only 41 percent were either very confident or extremely confident compared to 50 percent last year.
Unfortunately, bad guys can lurk within a company as well as outside it, and there is a malicious element, affirms Protegrity's Taylor. "But I'm more concerned about what the careless individual could accidentally do to expose his or her organization to substantial risk," he says. "We trust people a bit too much."
'White-Hat Hacking'
Larger organizations are especially vulnerable to what Taylor calls "white-hat hacking," meaning working around impossibly complex and cumbersome policies and procedures. Taylor says, "If access controls exist, I always ask, 'Well, what do people have to do?'" He then interviews the rank-and-file employees as to their awareness of the policies and often finds that awareness somewhat vague. And even where awareness of policy and procedure prevails, it's not necessarily the case that compliance matches it. "I'll ask, 'How can you possibly get your job done when you have to observe all these access controls?'" Taylor relates. "Probably eight out of 10 people will say, 'Oh, I figured out a way around that.'"
Security policies need to include explicit and rigorous enforcement procedures, Taylor stresses. "If all they're doing is management oversight and they don't have any more-detailed enforcement procedures than that, they're not serious," he pronounces.
Some of the best security policies and procedures are the ones that nobody has to do anything to follow. "Sometimes you need a mandatory technical security control that can't be subverted," says Brian Serra, senior security consultant, Forsythe Solutions Group (Skokie, Ill.), a technology consulting and reselling firm. Such controls have long existed in perimeter security solutions, but recent breaches -- such as the AIG server theft or the theft of a Veterans Administration laptop in May 2006 containing the personal information of 2.2 million service personnel -- demonstrate the importance of another type of control that has been underutilized: data encryption.
"The current state of many companies, even some of the larger institutions, is that their data is currently not encrypted," Serra says. "If someone were able to compromise a database or application, they would have free access to its contents."
Companies have put off encryption because of the cost and time required to pull it off, as well as misunderstandings about the degree of vulnerability they face, according to Serra. "Previously, it was thought that if your front-end application, such as a Web site, was secured, then the data itself would be secured," he explains. "It turns out that's not necessarily the case because sometimes applications don't function as planned." Some applications, Serra adds, can be manipulated into gathering information from a database, which, if unencrypted, can be examined freely by the hacker.
Wi-Fi Threats
Widespread use of Wi-Fi adds another dimension of underappreciated vulnerability, according to Bob Egan, research director, emerging technologies, TowerGroup (Needham, Mass.). "There's almost no end to what can be done when people use unsecured Wi-Fi with the cooperation of ignorant IT professionals failing to establish a security perimeter beyond the company's physical border," he says.
Simply imposing a no-Wi-Fi policy is worse than ineffectual, since more than 90 percent of laptops are now issued with wireless capability, to say nothing of a host of handheld devices, according to Egan. To protect against Wi-Fi-related vulnerability, he recommends, companies need to deploy wireless intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). "At the very minimum, the security provided for people sitting at their desks on the corporate campus should be mirrored by the security you provide remote workers," Egan comments. Unfortunately, "In the case of Wi-Fi, that's almost never the case," he adds.
UnumProvident (Chattanooga, Tenn.; $7.8 billion in premium income) had a no-Wi-Fi policy in place for several years, but also took measures to detect the use of rogue devices, according to Chris Bursch, the carrier's vice president of IT risk management. However, both visitors to the corporate campuses and internal staff pressed for wireless Internet capability. The solution, he relates, was to install Wi-Fi capabilities along with a variety of controls.
"We implemented a Wi-Fi network that connects to the Internet but not to our network, and in the areas where we do have Wi-Fi and other wireless internally, we put a significant private key encryption structure on it," Bursch says. Thus, even if an unauthorized person were somehow able to tunnel into UnumProvident's VPN, and even if the intruder managed to get a legitimate user's ID and hacked the password, "They also have to figure out the physical encryption key," Bursch explains. "That's very difficult to do."
Five-Layer Program
UnumProvident's Wi-Fi solution is one small part of a five-layer security program modeled on an approach developed by the SANS Institute (Bethesda, Md.), an information security training and certification cooperative. According to Bursch, layer one addresses front-line perimeter threats with tools such as a Check Point (Redwood City, Calif.) firewall, SurfControl (Scotts Valley, Calif.) Web and e-mail controls, and network and application security solutions from Cisco (San Jose, Calif.) and Symantec (Cupertino, Calif.). Layer two blocks attacks on servers and workstations using host intrusion and other solutions. Layer three deals with patch management and related issues. Layer four focuses on access management. And layer five takes an overarching look at information management, including antifraud measures.
"We have organized around significant risks, and as the challenge relates to a merged company with a lot of units coming together, we have horizontal capability to ensure that we're looking at these risks across the enterprise," Bursch comments.
UnumProvident's major security audit partner, New York-based PricewaterhouseCoopers, helps the carrier with the ongoing task of readiness. The consultant conducts a periodic penetration assessment that includes perimeter probing -- including trying to crack wireless networks from outside UnumProvident's physical locations -- and testing of identity management provisions. "They try to hit us from every angle," Bursch explains. "We haven't had any significant issue over the last three years, and we've been able to remediate quickly anything approaching that threshold," he says.
UnumProvident also conducts a semiannual review to determine that information is accessed appropriately. Access and segregation of activities have been a huge issue in the financial services industry, Bursch remarks. "We attacked that pretty strongly in the first year of Sarbanes-Oxley [promulgated July 2002] to ensure we had the right monitoring and administration of access, especially as personnel changes happen," he says.
But the carrier shares the industrywide concern about inadvertent employee mistakes and has put internal breach defenses at the top of the list for the next two years, Bursch says. The carrier is exploring a greater degree of automated, proactive monitoring of policy compliance, among other measures.
As a complement to existing policies that regulate information kept on laptops and desktops, last fall UnumProvident rolled out encryption for those hardware platforms. "If a laptop is stolen or lost, any sensitive information it may have is encrypted," Bursch comments. He relates that in a parallel effort, UnumProvident conducted a computer-based privacy and security training initiative. "We achieved 100 percent completion of the training across the company."
Incident Response Capability
As solid as he believes UnumProvident's information security has become, Bursch says his philosophy is that "Anybody who feels they have it covered is in the wrong area of responsibility." Despite one's best efforts, one needs to be prepared for the worst by instituting a significant incident response capability, he stresses. "You need to have both a cross-functional team and the processes and communications responses," he says. "The point is to be ready to respond to any incident you might have, isolate it and minimize business impact."
While the impact of HIPAA noncompliance has motivated security measures at health insurers, according to The Regence Group's MacLeod, the guidance on assessing vulnerabilities and preparing responses provided by HIPAA itself is limited. "HIPAA's final security rule requires a few things, but the larger list of things is 'addressable,'" MacLeod explains. To address them, a company needs to have in place a risk management process to methodically assess potential risks and vulnerabilities, he says.
As obvious as such an undertaking might sound in the abstract, it is fraught with opportunities for failure, according to MacLeod. "When deadlines and budgets get tight, companies too often get loose about the right way to do things," he argues.
A stringent risk management program rigorously managed could have prevented the VA laptop incident, or the recent theft of backup tapes containing information of 365,000 patients that belonged to Portland, Ore.-based healthcare provider Providence Home Systems, reported stolen from an employee's car. "It would have been cheaper in the long run to have a more robust and disciplined process, perhaps handled by someone like Iron Mountain [Boston] or some other third party," MacLeod submits. "Most breaches you read about today are the result of poor decisions along those lines."
The Regence Group's version of UnumProvident's five-layer strategy is a concept of security architecture that aims at exhaustively understanding existing technology and process, and anticipating both present and future vulnerabilities. "Probably the most important characteristic of it is that it is truly enterprisewide -- we have addressed everything that is either deployed, envisioned to be deployed or that anybody might think about deploying in terms of technology," MacLeod says. "It introduces governance to keep measures evergreened, and to make and track modifications to them."
For example, Regence had articulated how VMware (Palo Alto, Calif.) was to be used, accounting for the fact that the server virtualization software allows one physical server box to appear as many virtual boxes, which introduces a risk associated with the lack of physical separation between those virtual servers. New concerns emerged when infrastructure personnel wanted to connect remote workers to blade servers -- physical boxes with built-in multiple server capacity -- using Microsoft Virtual Server rather than VMware.
Despite other advantages to this new approach, "It introduces a Microsoft technology that's somewhat new and not as robust and mature as VMware," MacLeod contends. "We're in the midst of finalizing the architectural requirements for it to become an approved technology, applying the criteria of our enterprise security architecture to accommodate evolving needs and evolving technologies," he continues.
Balancing Risk and Cost
Regence has yet to deploy wireless technology for the simple reason that no business case has been made. But the company's security architecture already addresses it, MacLeod says, and has already laid out how that technology would be deployed if and when the time comes. By such an application of the risk management approach outlined by MacLeod, the carrier continually evaluates new uses of technology that might involve some risk.
For example, Regence has integrated supplier Boise Cascade (Boise, Idaho) into its PeopleSoft (Pleasanton, Calif.) e-procurement system. "We figured out the cost of what we had to protect and it still made financial sense to take some of the middle stuff out of the procurement process and have persistent connection," MacLeod relates. Conversely, when considering building an online nonrepudiation function for quoting and issuing individual policies, Regence decided it was not worth the investment. "We looked at a variety of mechanisms and decided that rather than go to something like a PKI [public key infrastructure], we instead would rely on immediately generating the bill and establishing nonrepudiation by the customer's payment of the bill."
The most any company can do to answer these or any information security-related questions is strike a balance between risk and cost, and arrive at some appreciation of the residual risk related to the decision, according to MacLeod. The goal, he says, "is to mitigate the risks and get them down to a level of residual risk that is acceptable and still allows the business to function."