Corporate Information Security: Is Our Information More Secure Since September 11th?
One might think that years after September 11th, 2001 there would be dramatic differences and improvements in the way businesses strive to protect their employees, assets, and data. However, changes have been more gradual than many had expected. A look at some of the trends that have been developing over the years since September 11th reveals signs of change for the better--although the need for more information security advancement is abundantly clear.
The morning of September 11th, 2001 started like any other for employees of the law firm Turner & Owen, located on the 21st floor of One Liberty Plaza, directly across the street from the North Tower of the World Trade Center. Then everyone heard a huge explosion, and their building shook as if in an earthquake. Debris rained from the sky.
Not knowing what was happening, they immediately left the building in an orderly fashion--thanks to regular practice of evacuation drills--taking whatever files they could on the way out. File cabinets and computer systems all had to be left behind. In the disaster that ensued, One Liberty Plaza was wrecked and left leaning, its top ten floors twisted; the offices of Turner & Owen were destroyed.
Although Turner & Owen IT staff made regular backup tapes of their computer systems, those tapes had been sent to a division of the company located in the South Tower of the World Trade Center, and they were completely lost when the South Tower was destroyed. The backups were off-site, but only across the street, well inside the same disaster zone as the systems they protected. Knowing they had to recover their case databases or likely go out of business, Frank Turner and Ed Owen risked their lives, crawled through the structurally unstable One Liberty Plaza, and retrieved two file servers holding their most critical records. With this information, the law firm of Turner & Owen was able to resume work less than two weeks later.
Many other companies were never able to recover the information lost in this disaster.
What Has Changed?
Years after such a devastating loss of lives, property and information, one might expect dramatic differences in how businesses protect their employees, assets, and data. Instead, the changes have been gradual. "Some organizations that should have received a wakeup call seemed to have ignored the message," says one information security professional who prefers to remain anonymous. Still, the trends that have developed since September 11th show signs of change for the better, even if the need for further advancement in information security is abundantly clear.
The most noticeable changes in information security since September 11th, 2001 happened at the federal government level. An assortment of Executive Orders, acts, strategies and new departments, divisions, and directorates has focused on protecting America’s infrastructure with a heavy emphasis on information protection.
Just one month after 9/11, President Bush signed Executive Order 13231 "Critical Infrastructure Protection in the Information Age" which established the President's Critical Infrastructure Protection Board (PCIPB). In July 2002, President Bush released the National Strategy for Homeland Security that called for the creation of the Department of Homeland Security (DHS), which would lead initiatives to prevent, detect, and respond to attacks of chemical, biological, radiological, and nuclear (CBRN) weapons. The Homeland Security Act, signed into law in November 2002, made the DHS a reality.
In February 2003, Tom Ridge, Secretary of Homeland Security released two strategies: "The National Strategy to Secure Cyberspace," which was designed to "engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact" and the "The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets" which "outlines the guiding principles that will underpin our efforts to secure the infrastructures and assets vital to our national security, governance, public health and safety, economy and public confidence".
Additionally, under the Department of Homeland Security's Information Analysis and Infrastructure Protection (IAIP) Directorate, the Critical Infrastructure Assurance Office (CIAO) was brought into DHS and the National Cyber Security Division (NCSD) was created. One of the top priorities of the NCSD was to create a consolidated Cyber Security Tracking, Analysis and Response Center, following through on a key recommendation of the National Strategy to Secure Cyberspace.
With all this activity in the federal government related to securing infrastructures, including key information systems, one might think there would be a noticeable impact on information security practices in the private sector. But the response to the National Strategy to Secure Cyberspace in particular has been tepid, with criticism centering on its lack of regulations, incentives, funding and enforcement. The sentiment among information security professionals seems to be that without strong information security laws and leadership at the federal level, practices to protect our nation's critical information, in the private sector at least, will not significantly change for the better.
One trend that does appear to be gaining ground in the private sector is the increased emphasis on sharing security-related information with other companies and organizations while doing so anonymously. To do this, an organization can participate in one of the dozen or so industry-specific Information Sharing and Analysis Centers (ISACs). ISACs gather alerts, perform analysis, and issue notifications of both physical and cyber threats, vulnerabilities, and warnings. They alert the public and private sectors to the security information needed to protect critical information technology infrastructures, businesses, and individuals. ISAC members also have access to information and analysis derived from what other members provide and from other sources, such as the US Government, law enforcement agencies, technology providers, and security associations such as CERT.
Encouraged by President Clinton's Presidential Decision Directive (PDD) 63 on critical infrastructure protection, ISACs first started forming a couple of years before 9/11; the Bush administration has continued to support the formation of ISACs to cooperate with the PCIPB and DHS.
ISACs exist for most major industries, including the IT-ISAC (https://www.it-isac.org/) for information technology and the FS-ISAC (http://www.fsisac.com) for financial institutions, as well as the World Wide ISAC (http://www.wwisac.com/) for all industries worldwide. ISAC membership has grown rapidly in the last couple of years as many organizations recognize that participation in an ISAC helps fulfill their due care obligations to protect critical information.
A major lesson learned from 9/11 is that business continuity and disaster recovery (BC/DR) plans need to be robust and tested often. "Business continuity planning has gone from being a discretionary item that keeps auditors happy to something that boards of directors must seriously consider," said Richard Luongo, Director of PricewaterhouseCoopers' Global Risk Management Solutions, shortly after the attacks. BC/DR has proven its return on investment, and most organizations have since focused great attention on ensuring that their business and information are recoverable in the event of a disaster.
There has also been growing emphasis on risk management and on how it can be tied to the ROI and budgeting requirements of the business. More conference sessions, books, articles, and products on risk management exist than ever before. While some of the growth in this area can be attributed to legislation such as HIPAA, GLBA, Sarbanes-Oxley, and Basel II, 9/11 did a lot to make people start thinking about threats and vulnerabilities as components of risk, and about what must be done to manage that risk.
Most companies realized the need to monitor their networks 24x7 prior to 9/11, but afterwards it became a top priority wherever such a capability wasn't already in place. More and more companies are implementing intrusion detection systems (IDS), both network intrusion detection systems (NIDS) and host intrusion detection systems (HIDS). According to the 2003 Global Security Survey by Deloitte Touche Tohmatsu, 85 percent of respondents have deployed intrusion detection systems. Because these systems can require large outlays for equipment and software, consulting fees, and staff time, some companies are turning to managed security service providers (MSSPs) to run their network monitoring. Some MSSPs also give their clients advance notice of threats the MSSP has identified while monitoring other networks.
Largely because of rampaging worms and viruses such as Slammer, patch management, change management, and configuration management solutions have risen in priority within corporate risk management initiatives. A slew of applications and tools exist to address patch, change, and configuration management, but the challenge is to find the right combination of tools that will do the job in any given environment.
Information security staffs don't have time to sift through the growing multitude of threat warnings and vulnerability alerts that crop up every day for every possible platform combination. So another information security technology trend has developed: intelligent threat analysis, a service that provides threat and vulnerability alerts customized to a client's specific environment, so that an alert for a product or version the client does not run never reaches the on-call engineer.
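As an added illustration of what such a customized alert service does under the hood (this is not code from the article or from any vendor), the following Python script matches a feed of vulnerability alerts against an asset inventory and raises only the alerts whose affected product and version range cover something actually deployed. The alert feed, the inventory, the product names, the ADV-2003-nnn identifiers and the version-constraint syntax are all constructed for the example.

```python
"""Filter a vulnerability-alert feed down to the alerts that apply to the
platforms actually present in an environment.

Added example, not the article's or any vendor's code. The alert feed,
the asset inventory, the ADV-2003-nnn identifiers and the constraint
syntax ("<2.0.46", ">=3.0,<3.7") are constructed for illustration.
"""
import operator
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ident: str      # constructed advisory identifier
    product: str    # product name as used in the inventory
    affected: str   # comma-separated version clauses that must all hold
    severity: str


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


_CLAUSE = re.compile(r"^(<=|>=|==|<|>)(\d+(?:\.\d+)*)$")
_OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
        ">": operator.gt, ">=": operator.ge}


def parse_version(text: str) -> tuple:
    """Dotted numeric version -> tuple of ints, so versions compare
    numerically ("2.0.9" < "2.0.46"; a string comparison gets this wrong)."""
    return tuple(int(part) for part in text.split("."))


def version_affected(version: str, constraint: str) -> bool:
    """True when every clause in the constraint holds for the version.
    A malformed clause raises rather than silently matching nothing."""
    installed = parse_version(version)
    for clause in constraint.split(","):
        match = _CLAUSE.match(clause.strip())
        if not match:
            raise ValueError(f"unparseable version clause: {clause!r}")
        op, target = match.groups()
        if not _OPS[op](installed, parse_version(target)):
            return False
    return True


def relevant_alerts(alerts, inventory):
    """Return (alert id, host) pairs for every alert/asset combination where
    the asset runs an affected version of the alert's product."""
    hits = []
    for alert in alerts:
        for asset in inventory:
            if asset.product == alert.product and version_affected(asset.version, alert.affected):
                hits.append((alert.ident, asset.host))
    return sorted(hits)


# Constructed sample feed: what a day's worth of vendor alerts might look like.
SAMPLE_ALERTS = [
    Alert("ADV-2003-001", "apache-httpd", "<2.0.46", "high"),
    Alert("ADV-2003-002", "openssh", ">=3.0,<3.7", "critical"),
    Alert("ADV-2003-003", "sendmail", "<8.12.9", "high"),
    Alert("ADV-2003-004", "bind", "<9.2.2", "medium"),
]

# Constructed sample inventory of the hypothetical environment.
SAMPLE_INVENTORY = [
    Asset("web01", "apache-httpd", "2.0.43"),   # affected by ADV-2003-001
    Asset("web02", "apache-httpd", "2.0.47"),   # already past the fixed version
    Asset("bastion", "openssh", "3.6.1"),       # affected by ADV-2003-002
    Asset("mail01", "sendmail", "8.12.9"),      # exactly the fixed version, not affected
    Asset("db01", "mssql", "8.0"),              # no alert for this product today
]


if __name__ == "__main__":
    hits = relevant_alerts(SAMPLE_ALERTS, SAMPLE_INVENTORY)
    print(f"{len(SAMPLE_ALERTS)} alerts in feed, {len(hits)} apply to this environment:")
    for ident, host in hits:
        print(f"  {ident} -> {host}")
```

Run as-is, four alerts in the feed shrink to two that matter: the Apache alert for web01 and the OpenSSH alert for the bastion host. The two details worth copying from this toy are that versions are compared numerically rather than as strings, and that an alert whose version clause cannot be parsed raises an error instead of being silently dropped; an inventory-matching service that fails quietly is worse than no filtering at all.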
What Still Needs to Change
The information security changes in government, industry, and technology are notable, but where do we still need to improve in these areas?
If our government is serious about protecting critical information it will have to pass some sensible laws, contend information security experts. "Make companies liable for insecurities, and you'll be surprised how quickly things get more secure," says Bruce Schneier, Founder and CTO of Counterpane Internet Security, Inc.
Information security managers need to do a better job of conveying to their CEOs and boards of directors how the company needs to protect its information. Siebel Systems CIO Mark Sunday says that although corporate boards are more aware of security issues than ever, they still don't fully understand them--and most boards don't like to fund things they don't understand. "As aware as CEOs and boards have become of security issues, spending in that area hasn't gone up in proportion and certainly not to the levels people expected," Sunday said.
Advanced information security technology exists that isn't widely known or used by the mainstream. "Our technology is too signature-based," says Jim Reavis, editor of CSOinformer and information security industry analyst. "We're only prepared to fight the last battle. We need to get more predictive. We need to use more behavioral technology."
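To make the contrast between the signature-based intrusion detection most companies have deployed and the behavioral detection Reavis calls for concrete, here is an added Python example (not code from the article, from Reavis, or from any product) that runs both approaches over a handful of constructed web-server log lines. A signature rule catches the one request carrying a known attack string, while a behavioral check, which compares each source's error rate with the baseline set by every other source, catches a scanner that trips no signature at all. The log format, addresses, paths, rule names and thresholds (at least 10 requests, an error rate above three times the baseline and above 50 percent) are all assumptions made for the example.

```python
"""Signature-based versus behavioral detection over web-server log lines.

Added example, not the article's, the quoted analyst's, or any product's
code. The log format, IP addresses, paths, rule names and thresholds are
constructed for illustration.
"""
import re
from collections import defaultdict

# Simplified access-log format: "<time> <source-ip> <method> <path> <status>"
SAMPLE_LOG = (
    "2003-09-11T08:46:00 10.0.0.5 GET /index.html 200\n"
    "2003-09-11T08:46:05 10.0.0.5 GET /about.html 200\n"
    "2003-09-11T08:46:10 10.0.0.5 GET /contact.html 200\n"
    # One request carrying a well-known attack string, the kind of thing a
    # signature exists for.
    "2003-09-11T08:47:00 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404\n"
    # A scanner probing for pages that do not exist: no single request
    # matches a signature, but the pattern of behavior is abnormal.
    + "".join(
        f"2003-09-11T08:48:{i:02d} 172.16.4.20 GET /probe{i}.cgi 404\n"
        for i in range(12)
    )
)

# Signature rules: (name, pattern matched against the requested path).
SIGNATURES = [
    ("cmd.exe", re.compile(r"cmd\.exe", re.IGNORECASE)),
    ("/etc/passwd", re.compile(r"/etc/passwd", re.IGNORECASE)),
]


def parse_log(text):
    """Yield (time, source, method, path, status) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            time, source, method, path, status = line.split()
            yield time, source, method, path, status


def signature_detect(text):
    """Return (source, rule name) for each request matching a known pattern.
    Only attacks someone has already written a rule for can be found here."""
    hits = []
    for _, source, _, path, _ in parse_log(text):
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                hits.append((source, name))
    return hits


def behavioral_detect(text, min_requests=10, ratio_factor=3.0, min_rate=0.5):
    """Flag sources whose 4xx error rate is far above the baseline set by all
    other sources. The thresholds are assumptions chosen for this example: a
    source needs at least min_requests to be judged, and its error rate must
    exceed both ratio_factor times the baseline and min_rate."""
    stats = defaultdict(lambda: [0, 0])  # source -> [requests, 4xx responses]
    for _, source, _, _, status in parse_log(text):
        stats[source][0] += 1
        if status.startswith("4"):
            stats[source][1] += 1

    flagged = []
    for source, (requests, errors) in stats.items():
        if requests < min_requests:
            continue
        other_requests = sum(r for s, (r, _) in stats.items() if s != source)
        other_errors = sum(e for s, (_, e) in stats.items() if s != source)
        baseline = other_errors / other_requests if other_requests else 0.0
        rate = errors / requests
        if rate > max(baseline * ratio_factor, min_rate):
            flagged.append(source)
    return sorted(flagged)


if __name__ == "__main__":
    print("signature hits:", signature_detect(SAMPLE_LOG))
    print("behavioral flags:", behavioral_detect(SAMPLE_LOG))
```

The two detectors find different things: the signature rule flags 10.0.0.9 for the cmd.exe request and says nothing about the scanner, while the behavioral check flags 172.16.4.20 and says nothing about the single cmd.exe request, which never reaches the minimum request count. That is the point of Reavis's remark: a signature can only name an attack that has already been seen, whereas a baseline comparison notices a source that is behaving unlike everyone else, at the cost of needing a sensible baseline and thresholds tuned to the environment.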
In a survey conducted jointly by the Internet Security Alliance (ISAlliance), the National Association of Manufacturers (NAM) and RedSiren Technologies Inc. one year after September 11th, 2001, 40 percent of respondents reported that information security was considered more important than prior to September 11th. Yet almost one-third said their companies were still not adequately equipped to deal with an attack on their computer networks. The survey concluded that "many organizations need to revise how security risks, threats and costs are identified, measured and managed."
Is our information more secure two years after September 11th? Unfortunately, not by a lot. While some trends since 9/11 demonstrate progress in the field of information protection, opportunities for better information security practices clearly remain.
ABOUT THE AUTHOR
Marc R. Menninger is a Certified Information Systems Security Professional (CISSP) and has been active in the security industry for more than 10 years. Marc has been a speaker at numerous conferences and seminars, has written several Cisco white papers and contributed to a published study guide for Cisco certification. He has also written articles for the ISSA Journal, a publication of the Information Systems Security Association. He is the founder and site administrator for the Open CSO Project (http://forum.OpenCSOProject.org/), a knowledge base for security professionals.