26 May
Expert says network security is about people, not just computers
MILWAUKEE — Good computer security requires careful attention not just to infrastructure but also to the practices of computer users, according to Debbie Christofferson, president of Sapphire Security Services.
“Who’s coming in your door, and do you have it open a crack, or are all your windows open?” she asked in a presentation Wednesday at the ITEC conference in Milwaukee.
Referring to the title of her talk, “How much security is enough?,” she said that many of the security providers she has worked with want maximum security for every application, but budgets often make that impractical.
“It’s how much you really need, not how much you really want … base it on the benefits to your company,” she said.
Nevertheless, security in many companies is poor, she said, and valuable data such as social-security numbers are vulnerable if even one company that uses them for identification does not secure its systems.
Christofferson’s approach is based on risk management: how much security risk does a system have, and how much can it afford, given the value of the information it contains? She also advocated looking at the human side of security, rather than treating it purely as a technology problem.
She challenged the security professionals attending her talk to run an experiment at their own companies: try to get a help-desk employee to divulge or reset an account password without authorization. Most, she predicted, would comply. That, she said, was how security consultant Kevin Mitnick, who was arrested in 1995 and served about five years in prison on computer- and wire-fraud charges, carried off his exploits.
“Most of Kevin’s exploits had nothing to do with technology,” she said. “They had to do with social engineering.”
Christofferson advocated internal audits of other practices as well. In particular, she said managers should check whether employees are really using their own user accounts rather than leaving systems running and never logging out; in that situation, she said, there is no accountability. She also predicted that half or more of companies do not always deactivate user accounts when employees leave.
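The two audits described above, checking for accounts that stay enabled after an employee leaves and for sessions or accounts that nobody has logged out of or into in a long time, reduce to a reconciliation between an HR departures list and a directory export. The following is an added example written for this article, not code from the talk or from Sapphire Security Services; the CSV layout, the field names (`username`, `enabled`, `last_logon`, `session_started`, `owner`, `left_on`), the sample records and the thresholds are all constructed assumptions, and a real run would read the export from AD/LDAP or an identity-management system instead.

```python
"""Account-hygiene audit: departed-but-enabled, long-running sessions, idle and unowned accounts.

Added example for illustration; the data below is constructed, not a real export.
"""
import csv
import io
from datetime import date

# Constructed directory export. Column layout is hypothetical.
DIRECTORY_EXPORT = """\
username,enabled,last_logon,session_started,owner
jsmith,true,2004-05-25,2004-05-25,Jane Smith
bjones,true,2004-01-03,2004-01-03,Bob Jones
shared_lab,true,2003-11-20,2003-11-20,
mwhite,false,2004-02-11,,Mary White
tclark,true,2004-05-24,2004-03-01,Tom Clark
"""

# Constructed HR departures list (hypothetical format).
HR_DEPARTURES = """\
username,left_on
bjones,2004-02-27
mwhite,2004-02-10
"""

AS_OF = date(2004, 5, 26)  # the date the audit is run


def parse_records(text):
    """Parse a CSV export into a list of dicts; empty fields become None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({k: (v if v != "" else None) for k, v in row.items()})
    return rows


def _days_since(iso_date, as_of):
    return (as_of - date.fromisoformat(iso_date)).days


def audit_accounts(directory_text, departures_text, as_of,
                   max_idle_days=90, max_session_days=14):
    """Return the four finding lists the article's audit asks for.

    - departed_still_enabled: HR says the person left, directory says enabled.
    - long_running_sessions: a session older than max_session_days, i.e.
      a machine someone never logged out of (no accountability for its use).
    - idle_accounts: enabled accounts with no logon in max_idle_days (or ever).
    - unowned_accounts: enabled accounts not tied to a named person (shared use).
    """
    accounts = parse_records(directory_text)
    departed = {r["username"]: r["left_on"] for r in parse_records(departures_text)}
    findings = {
        "departed_still_enabled": [],
        "long_running_sessions": [],
        "idle_accounts": [],
        "unowned_accounts": [],
    }
    for acct in accounts:
        name = acct["username"]
        enabled = acct["enabled"] == "true"
        if enabled and name in departed:
            findings["departed_still_enabled"].append(name)
        session = acct["session_started"]
        if session and _days_since(session, as_of) > max_session_days:
            findings["long_running_sessions"].append(name)
        last = acct["last_logon"]
        if enabled and (last is None or _days_since(last, as_of) > max_idle_days):
            findings["idle_accounts"].append(name)
        if enabled and not acct["owner"]:
            findings["unowned_accounts"].append(name)
    return findings


if __name__ == "__main__":
    for category, names in audit_accounts(DIRECTORY_EXPORT, HR_DEPARTURES, AS_OF).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Disabled accounts are deliberately skipped for the idle and ownership checks, since the point of those checks is live access; the departed-but-enabled check is the one that catches the offboarding gap Christofferson described. Running the audit on a schedule and comparing the lists against the previous run turns a one-off experiment into the ongoing internal auditing she advocated.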
In strategic terms, security should report to business managers rather than IT departments, she said, since it is a human problem.
Nevertheless, she did not advocate neglecting technical measures entirely. Firewalls and passwords, she said, are becoming insufficient on their own, since brute-force methods can now break most or all passwords given enough time. Biometrics can help, but can also create bottlenecks when the authentication procedures are awkward, intrusive or time-consuming. Another suggestion was public-key authentication, which is growing in popularity.
But if security violations can be traced back to their source, Christofferson said, new laws and regulations, especially those passed since Sept. 11, 2001, allow severe punishments for people who have broken into networks or defrauded companies.
“There are greater punishments for hackers than for murderers these days, believe it or not,” she said.
Jason Stitt is a staff writer for the Wisconsin Technology Network and can be reached at firstname.lastname@example.org.