Copyright © 005-006 IDG Media India Pvt Ltd
With security issues and risk mitigation increasingly dominating technology management, CIOs are being called upon to oversee the safety of their organization’s assets, intellectual property and computer systems, and identify protection goals, objectives and metrics consistent with corporate strategic plans. We at CIO felt this was an opportune moment to create the Security Blackbook -- a compendium of the most essential reading on infosecurity, corporate security, business continuity, and related topics.
This initiative has been made possible with the support of our sponsors Microsoft, Syntax Soft-Tech and Interface Connectronics and our knowledge partners ISACA and Pricewaterhouse Coopers.
I trust you will find the contents of this book of value.
Features
2. Intellectual Property Protection pg: 13
3. Business Continuity and Disaster Recovery Planning pg: 20
4. Phishing and Pharming pg: 25
5. Physical and IT Security Convergence pg: 33
6. Video Surveillance and Data Monitoring pg: 44
White papers
7. Momentum and Commitment: Trustworthy Computing After Four Years pg: 55
8. SecureTransport in Enterprise Application Integration pg: 60
OUT: FUD
IN: Metrics and ROSI
OUT: Blame games and fall guys
IN: Risk management and shared accountability
OUT: Tech talk and copspeak
IN: Business language and communication skills
OUT: Silos
IN: Holistic security
Related articles from CSO magazine
September 2001 profoundly changed the perception of national security; the Enron accounting scandal and a rash of similar scams alerted us to widespread deficiencies in corporate governance, accountability and ethics. But every security leader knows that as time passes after any incident - no matter how demonstrative - corporate concern for the issues brought to light by that incident tends to wane. Maintaining the right level of boardroom and employee awareness is a consequence of leadership. And more effective ideas and tactics are replacing the old, reactive security leadership paradigm. Below, we look at what’s Out and what’s In.
OUT: FUD
FUD stands for fear, uncertainty and doubt, and it’s long been a crutch that security leaders lean on to get the budgets they need. Whether the Board seemed reluctant to spend money on firewalls or on surveillance cameras, the convenient solution was to scare them into funding everything by pulling out an anecdote about What Happened to the Company Down the Road.
In the long run, however, the tactic of exploiting FUD almost always does more damage than good. Security executives and management experts agree that FUD ultimately destroys the security team’s credibility. “That [approach] may work once or twice in a true crisis situation where the bad guys have come over the back fence,” says Jim Mecsics, vice president of corporate security for Equifax. “But when you approach corporate officers with the tactics of fear, you’re walking into a trap. Somebody will eventually say, ‘OK, show me where the real [emergency] is,’ and then your credibility is shot.” FUD is a particularly common tactic in the lower ranks of a security organization, especially among those who haven’t learned how to make a data-driven risk management argument. A CSO who doesn’t stamp out FUD in his team creates as much of a problem as the CSO who uses it in personal conversations with senior executives.
Mecsics has the stories that prove the point. Just after 9/11, he was working with a government organization that decided it needed to radically increase its manpower to cope with the concerns over terrorist threats. The organization set up a conference, and hastily gathered input from all its field agents to take to the senior leadership. Instead of research and risk analysis, many of the agents’ arguments were based on guesswork and were rooted in the fear and uncertainty of Sept. 11. Mecsics says the organization’s management started asking questions and quickly saw through the panic the security personnel were creating. The net result was that the security team lost its credibility. In another organization, Mecsics says, senior executives were so frightened by the security group’s use of scare tactics that they became obsessed with concerns that the company would be irreparably harmed by a security event. In this case, they lost the ability to look at the issue rationally. “They got worked into such a frenzy that it was like a runaway train,” says Mecsics.
FUD also wastes money by not spending it well. When CSOs buy and implement a security initiative based on fear, they’ll have a much harder time managing and assessing it based on merit and actual results.
IN: Metrics and ROSI
Like it or not, the corporation is generally managed by the numbers.
Eventually, security will be almost completely metrics-driven. A reliance on metrics is, after all, the mark of a mature corporate function. Most security executives already need to develop, cull and otherwise employ risk analysis metrics and benchmarks. And experts say those leaders should devote considerably more financial resources to developing benchmarks than they do already.
“The ISO is going to the CEO saying there’s a chance something bad, and possibly something embarrassing, could happen,” says Alan Paller, director of research at SANS Institute. “But how much of a chance, the ISO doesn’t know. And if he spends this kind of money, he can reduce the risk, but by how much he doesn’t know. There is simply not enough data. Every other C-level executive does better than that and takes on the responsibility for defining the risk. Here, the CISO is putting the responsibility on the CEO. The CEO doesn’t want it, and eventually he won’t take it.”
So forget FUD, and start learning how to demonstrate the value of your ideas using metrics and, especially, ROSI (return on security investments). This is an approach that infosecurity pros have been slow to adopt, although it is clearly valuable. Economist Frank Bernhard’s research, for example, shows about six cents of every revenue dollar is at risk because of a lack of information security, but many companies spend barely a dime of their IT dollar on security.
“I’m not sure why IT tends to disregard these tools,” says Bob Jacobson, president of International Security Technology (IST), a private company that consults on matters of security risk assessment. “It’s a bit frustrating to keep hearing that you can’t do it accurately. That is not true. The tools are there. Nuclear uses them. Pharma uses them. The whole world has used ROI in security for a long time. [CSOs] have an opportunity to make a major contribution in their organization if they have the willingness to learn this.”
ROSI is rarely easy. It requires legwork, and lots of it. As you begin, it’s helpful to keep in mind that precise measurements are not necessarily the goal. “This is a classic problem that technologists have,” says Kevin Soo Hoo, a researcher at the security consultancy @stake. “They don’t understand that you can make rough guesses to work out a problem. We dive into an ROSI study, and the engineers are focused on the minutiae and want to argue for days whether some variable should be .6 or .55. It doesn’t matter.”
With ROSI, as with all risk assessment, the goal is accuracy, which is not at all the same thing as precision. The point is to provide a set of guiding principles from which you, your CEO and CFO can make more informed decisions about what’s acceptable. In other words, the CEO doesn’t (or shouldn’t) care if a return is precisely $.1 for every $1 spent or $.9. He cares that it’s accurate to suggest about a -to-1 return, and not a 1-to-1 return or, worse, a 1-to- return.
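The accuracy-versus-precision point can be checked with numbers. The Python below is an added example, not code from the article or from any of the people or firms it quotes. It assumes the common annualized-loss formulation of ROSI (ALE = single-loss expectancy x annual rate of occurrence; ROSI = (loss avoided - control cost) / control cost), which the article does not spell out, and every dollar figure, rate and mitigation fraction in it is constructed. It shows that arguing over whether the mitigation fraction is .6 or .55 moves the ratio by a fraction of a point but changes neither the headline "about 3-to-1" nor the invest / don't-invest decision.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEstimate:
    """Rough annual-loss estimate for one threat (constructed values, for illustration)."""
    single_loss: float   # expected cost of one incident, in dollars
    annual_rate: float   # expected incidents per year

    def ale(self) -> float:
        """Annualized loss expectancy = single-loss expectancy x annual rate (assumed formula)."""
        return self.single_loss * self.annual_rate


def rosi(risk: RiskEstimate, mitigation: float, annual_cost: float) -> float:
    """Return on security investment as a ratio: (loss avoided - cost) / cost.

    'mitigation' is the fraction of the ALE the control is expected to remove.
    This is the common ALE-based definition, assumed here; the article states no formula.
    """
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    loss_avoided = risk.ale() * mitigation
    return (loss_avoided - annual_cost) / annual_cost


def rough_ratio(value: float) -> str:
    """Present a return the way an executive reads it: 'about 3-to-1', not 2.6667."""
    if value < 0:
        return "negative return (the control costs more than the loss it avoids)"
    return f"about {round(value)}-to-1"


def sensitivity(risk: RiskEstimate, annual_cost: float, mitigations=(0.55, 0.6)) -> dict:
    """ROSI for each candidate value of the disputed variable."""
    return {m: rosi(risk, m, annual_cost) for m in mitigations}


def decision_is_robust(risk: RiskEstimate, annual_cost: float, mitigations=(0.55, 0.6)) -> bool:
    """True when every candidate value of the disputed variable gives the same invest/don't call."""
    signs = {rosi(risk, m, annual_cost) > 0 for m in mitigations}
    return len(signs) == 1


if __name__ == "__main__":
    # Constructed scenario: a $2M incident expected about every other year (ALE $1M).
    risk = RiskEstimate(single_loss=2_000_000, annual_rate=0.5)
    for cost in (150_000, 700_000):          # two candidate controls, constructed prices
        print(f"control costing ${cost:,}/yr:")
        for m, r in sensitivity(risk, cost).items():
            print(f"  mitigation {m:.2f} -> ROSI {r:.3f} ({rough_ratio(r)})")
        print(f"  decision robust to the .55/.6 argument: {decision_is_robust(risk, cost)}")
```

The design point is that `decision_is_robust` answers the question the CEO actually asks; `sensitivity` is there so the engineers can see for themselves how little the disputed second decimal matters.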
OUT: Blame games and fall guys
When a breach occurs, the CSO frequently takes the blame. Sometimes, he is fired. What’s wrong with that?
In a word, plenty. If you’re the fall guy (or if your security group is) for every incident, then chances are good that you’ve taken the wrong position in your company’s security decision-making process. Most common mistake: Setting up the CSO as the one who makes the final call.
IN: Risk management and shared accountability
Even on security matters, the final call should not be yours. The final call belongs to the CEO, president, and board of directors - those who are directly accountable for shareholder value.
The right answer to “what is security supposed to do?” (as Paller alluded to in the “Metrics and ROSI” section, above) is this: Security is supposed to educate the business leaders about the threats the organization faces, about the likelihood and consequences of those threats, and about the costs and effectiveness of possible remedies. Then the business leaders make the decisions on acceptable risk.
Craig Granger, head of multinational security for the automotive company Delphi, offers a good case study in raising an organization’s security IQ. Part of the battle is fought in the field-pressing the flesh with execs, developing an omnipresent security policy and educating every employee on process management. Granger speaks at business group meetings and consults with Delphi’s executive officers. He attends strategy meetings with top execs and governance board meetings with his vice president and regional and divisional CIOs, and he mandates that all new employees take a security course and undergo training.
When Granger first arrived at Delphi, he laid out a charter detailing the differences between his responsibilities and those of corporate. Granger says his charter, which defined the global security policy at Delphi, was well received. Since then, says Granger, considerable effort has been spent spreading a “strong infosec policy that’s published everywhere. Here, people can’t say that they aren’t aware of the policy,” he says. “The charter has greatly enhanced our visibility and security awareness here. They know who we are.”
But it’s not solely about getting the word out, says Granger. It’s how you speak the word and how it’s received. Often, it comes down to developing trust with your peers, which lets them, in turn, feel more comfortable shouldering some of the accountability burden.
Process management, with a clearly defined, easy-to-follow set of guidelines for handling security matters, is another way CSOs can manage accountability. Process management can reinforce the fact that security is not a one-group function. Moreover, its linkage to a business context - its embeddedness within enterprise business processes - suggests that other players are ultimately accountable as well. At Nortel Networks, Vice President of Corporate Security and Systems Timothy Williams tries to involve as many different functions in his security process as possible. Williams works with members from various cross-functional groups - with internal audit and the insurance group, for example. He also breaks his security process into three core elements: risk assessment, enterprise-wide collaboration and strategic planning. Williams staffs his department with people who come from a variety of areas - systems security engineers, of course, and global thinkers, a leadership team with MBAs, and subject-matter experts who can “cut across security and think in terms of the whole organization,” he says. As part of the process, he and his team continually assess and reassess all of their client groups’ needs and vulnerabilities. They use eight matrices in looking at each operational area, whether it is a new proposal or a system overhaul. “I own the process,” Williams says confidently. “There are a number of processes here that have my team’s signature on them.” But, he and other CSOs add, all security processes should always have the business execs’ signatures on them as well. Getting past the Fall Guy Syndrome boils down to good policies, good process management and constant corporate education.
OUT: Tech talk and copspeak
A not-so-secret secret: Many executives think security chiefs have a bad attitude. And we’re not just talking about information security officers. Traditional, corporate security executives are saddled with a bad rep. It’s time to learn what it means when a CEO, after eliminating the CSO or CISO, says, “There was just something about him that didn’t fit with the organization.”
The physical security chief, according to stereotype, is a rigid and dogmatic “top cop” who has an “arrest” mentality and is a no-man as opposed to a yes-man. The information security executive comes across as an arrogant know-it-all who is whiny, defensive, uncooperative and doesn’t try to work with others because, how could anyone but he possibly understand the technical challenges he faces? Not valid? So what. Unfair? Stop whining. In fact, the security executive who raises a stink because of these preconceptions actually feeds the preconceptions. “We had one CSO candidate for a Fortune 500 not get the job,” says recruiter Tracy Lenzner. “And he - I can hardly explain it, but it was so telling - lashed out about how the company didn’t know anything. He was angry. He was like a child that didn’t get his way.”
Former CISO Stephen Northcutt believes the attitude comes from the likelihood that many candidates for CISO positions are underqualified. “They are stressed out, secretive, edgy and defensive because they don’t have the understanding or mastery of tools they need,” he says.
As a result, those candidates fall back on old habits, such as always using highly obscure explanations of technology, or always having a negative reaction to any risky or unorthodox business propositions. Those forms of communication don’t fly in the boardroom.
IN: Business language and communication skills
When James Christiansen came to GM from Visa, where he was also head of security, he found the move from financial services to manufacturing to be a jolting transition. “You speak a different language, you look different and you dress different.” So Christiansen did two things: He signed up for classes on the workings of the auto industry, and he made a point of doing a lot more listening than talking. In learning about GM, Christiansen had to glean the intricacies of four very different business areas: manufacturing, GMAC (GM’s financial services division), OnStar (the onboard satellite communications system) and the defense industry, with which GM works closely. But immersing himself in the business was a necessary step for Christiansen to be able to communicate with the company’s business line executives. “Everything I bring them is cost additive, and that can create a natural conflict,” says Christiansen. “I need to be able to show the bang for the buck, the ROI per dollar and how I’m going to help them solve business problems.” None of that can be achieved without a keen understanding of the business and the recognition that the CSO’s role is to enable business success in an appropriately secure context. To combat the perception that security is divorced from the business world, Bill Boni, Motorola’s CISO, has even gone so far as to shun the usual moniker, “IT security” in favor of the more business-friendly title, “information protection.” The goal is to position the department as the protector of information assets in all forms, whether it’s customer data housed in a server or confidential contracts in a sheaf of papers.
Talking in business terms with executives can also be a tremendous asset in advancing the CSO’s agenda, which is often bogged down by the perception that it’s too technical for business executives to understand. “I’ve seen too many information security practitioners fall short in their role because what they really love is the technology,” says Boni. “They open with the technology dimension, go into technical detail, and by the time they get to the part where the executives’ insight, experience and judgment can be engaged, the executives are already disengaged. The executives conclude that security is at a level that’s inappropriate for their consideration.”
As the old saw goes: It’s not just what you say, but how you say it. So practice your delivery. As anyone who’s ever been to a security conference knows, speeches about security can be deadly dull. Faced with the challenge of having to communicate about security to large groups both inside and outside his company, Bill Hancock, CSO of Exodus (which later became the US base of Cable & Wireless), took the unusual step of enrolling himself in a stand-up comedy course to improve his communication skills. The final project for the class was a performance of an actual stand-up routine at The Improv, New York City’s renowned comedy club, on a Friday night. “It was one of the most horrifying experiences I think I’ve ever been through,” says Hancock. “You get up in front of an audience, half the people there are probably inebriated in some fashion, and you’ve got to communicate what you have to say very quickly, very succinctly and to a whole bunch of people that don’t know you from nobody.” The lesson here is not that CSOs need to be honing their comic routines, but rather that life is full of tough audiences. When dealing with a weighty topic like security, it’s important to focus on how you communicate as well as what you communicate. Building and maintaining strong relationships with business executives and their groups requires the CSO to assume a number of different guises: educator, strategist, negotiator, interpreter and, sometimes, disciplinarian. Oracle’s CSO Mary Ann Davidson has one last morsel of advice for CSOs interested in smoothing their way with other executives and the company at large. “People ought to be thanked for doing their job more often,” she says, noting that CSOs will find more cooperation if they ask for it politely and show their appreciation, instead of barking out orders and throwing their weight around. “Business is personal,” Davidson says. “It’s not being manipulative, it’s just that you catch more flies with honey.”
OUT: Silos
Information security in one stovepipe, corporate in another, audit staring suspiciously from across the hall, disaster recovery handled by the facilities group... you know the usual drill. Security functions have a history of fragmented organization. “Each of these departments’ main mission is ‘to protect company assets;’ however, each usually reports through a different hierarchy,” one privacy and IT security manager puts it. “It makes no sense.” Historically, the greatest chasm - not just organizationally, but culturally as well - lay between information security folks and their corporate security counterparts. Each side has a list of pejorative ways to describe the other’s profession and professionals (propellerheads vs. knuckledraggers, etcetera).
IN: Holistic security
Enough squabbling already. Disjointed management and lack of communication leads to a weaker security posture and wasted money due to duplicated efforts. “The truly sophisticated companies are starting to look at a coordinated approach to physical security, information security and risk management,” says Lance Wright, principal at the Boyden Global Executive Search company.
Consider these specific areas where holistic security management pays off:
- Business continuity: Mike Hager, who helped get OppenheimerFunds up and running four hours after their offices and systems at the World Trade Center were destroyed on 9/11, puts it best: “Some companies have people who do information security, and people who do physical security, and people who do business continuity. The three people may come up with three separate answers about what to protect. If you have a total protection program, you can save a lot of time, money and effort. It just simplifies the whole process and makes it more effective.”
- Hiring and firing: When an employee comes on board, she may need a number of assets and rights before she becomes productive… a building access card, a laptop, a network password with access to the right applications, a signed non-disclosure agreement, a business credit card, a company car. Some of these are physical and some are digital. In a company with a well-managed, holistic hiring process, that employee can be up to speed in a jiffy. Conversely, a company with disjointed access management can expect a much longer ramp-up time. That’s lost money. And if the employee is abruptly terminated, the poorly managed company stands very little chance of recovering all its assets and disabling all necessary access rights in a timely manner.
- Intellectual property protection: IP (patents, ideas, classified research) is stored in many forms, from data on the corporate network, to CAD printouts in the trash can, to drawings on the whiteboard in the graphics department. Losing that proprietary information can cripple a company competitively. Bill Boni, CISO of Motorola and a former Army intelligence officer, notes that the only way to protect intellectual property from threats inside and outside the company is by interconnecting all the necessary defensive measures - logical, physical, legal and otherwise.
- Regulatory compliance: Sarbanes-Oxley says the Board of Directors has a fiduciary responsibility to know what risks its business faces. Who’s going to give them an accurate picture if no one has visibility across all security domains?
- Coordinated access management: It’s midnight, and the network control center notes that the CEO just logged on to her office workstation. Problem is, the building access card system notes that the CEO left the building five hours ago. If the network and building access controls were coordinated, the night watchman would know he needs to take a stroll down the hall and see who’s sitting at the CEO’s desk and using her account.
The most obvious way to manage security holistically is to make one person responsible - a CSO. But even in companies where that’s impractical, creating new lines of communication and knocking down formerly adversarial relationships is a must.
Intellectual Property Protection
Your company’s intellectual property—whether that’s patents, trade secrets or just employee know-how—may be more valuable than its physical assets. This primer covers everything from establishing basic policies and procedures to guarding against corporate espionage.
‘Intellectual property’ sounds pretty fuzzy. What exactly is it?
Intellectual property (IP) can be anything from a particular manufacturing process to plans for a product launch, a chemical formula or a list of the countries in which your patents are registered. It may help to think of it as intangible proprietary information. The formal definition, according to the World Intellectual Property Organization is creations of the mind - inventions, literary and artistic works, symbols, names, images, and designs used in commerce. IP includes but is not limited to proprietary formulas and ideas, inventions (products and processes), industrial designs, and geographic indications of source, as well as literary and artistic works such as novels, films, music, architectural designs and web pages.
For many companies, such as those in the pharmaceutical business, IP is much more valuable than any physical asset. Authoritative sources report that each year, intellectual property theft costs U.S. companies about $00 billion.
From a legal standpoint, there are four types of intellectual property. IP registered in one of those categories with state and federal agencies is protected by law, and if infringed upon or otherwise abused, the infringers can be prosecuted.
The four legally-defined categories of intellectual property are:
1. Patents: When you register your invention with the government - a process that can take more than a year - you gain the legal right to exclude anyone else from manufacturing or marketing it. Patents cover tangible things. They can also be registered in foreign countries, to help keep international competitors from finding out what your company is doing. Once you hold a patent, others can apply to license your product. Patents last for 0 years.
2. Trademarks: A trademark is a name, phrase, sound or symbol used in association with services or products. It often connects a brand with a level of quality on which companies build a reputation. Trademark protection lasts for 10 years after registration and, like patents, can be renewed. But trademarks don’t have to be registered. If a company creates a symbol or name it wishes to use exclusively, it can simply attach the TM symbol. This effectively marks the territory and gives the company room to prosecute if other companies attempt to use the same symbol for their own purposes.
3. Copyrights: Copyright laws protect written or artistic expressions fixed in a tangible medium - novels, poems, songs or movies. A copyright protects the expression of an idea, but not the idea itself. The owner of a copyrighted work has the right to reproduce it, to make derivative works from it (such as a movie based on a book), or to sell, perform or display the work to the public. You don’t need to register your material to hold a copyright, but registration is a prerequisite if you decide to sue for copyright infringement. A copyright lasts for the life of the author plus another 50 years.
4. Trade secrets: A formula, pattern, device or compilation of data that grants the user an advantage over competitors is a trade secret. It is covered by state, rather than federal, law. To protect the secret, a business must prove that it adds value to the company - that it is, in fact, a secret - and that appropriate measures have been taken within the company to safeguard the secret, such as restricting knowledge to a select handful of executives. Coca-Cola, for example, has managed to keep its formula under wraps for more than 11 years.
But IP can also be something broader and less tangible than these four protected classes: it can simply be an idea. If the head of your R&D department has a eureka moment during his morning shower and then applies his new idea at work, that’s intellectual property too.
Sounds like protecting IP is mostly the legal department’s job.
Legal protection is definitely part of the plan, but if your IP is stolen by ne’er-do-wells, catching them is hard, prosecuting them is harder, and getting the stolen information back - putting the proverbial cat back in its bag - is usually impossible. In this area a little bit of paranoia is quite helpful, because people really are out to get you. Consider these real-life examples.
* In the week before one company released its quarterly report, employees in units that report to the CFO received 00 calls from people claiming to be with a credit reporting agency that needed information about the earnings report prior to its release. Employees were instructed to transfer all such inquiries to the security office, but the calls kept coming. It was later revealed that calls came from a research company hired by the competition.
* An engineer regularly had lunch with a former boss now working for a rival, and fancied himself a hero for gathering competitive intelligence. But the information he was giving up in return caused his employer, formerly the market leader, to lose three major bids in 1 months.
* Immigrant scientists from Eastern Europe who were working on an American defense project kept getting unsolicited invitations from their home countries to speak at seminars or serve as paid consultants. The invitations appealed to them as scientists - they wanted to share information about their work with peers. The countries saw this kind of intelligence gathering as cheaper than research and development.
So what does the security group need to do to keep intellectual property safe?
1. Know what you’ve got: If all employees understand what needs to be protected, they can better understand how to protect it, and whom to protect it from. To do that, CSOs must communicate on an ongoing basis with the executives who oversee intellectual capital. So meet with the CEO, COO and representatives from HR, marketing, sales, legal services, production and R&D at least once a quarter. Corporate leadership must work in concert to adequately protect IP.
2. Prioritize it: CSOs who have been protecting intellectual property for years recommend doing a risk and cost-benefit analysis. Make a map of your company’s assets and determine what information, if lost, would hurt your company the most. Then consider which of those assets are most at risk of being stolen. Putting those two factors together should help you figure out where to best spend your protective efforts (and money).
3. Label it: If information is confidential to your company, put a banner or label on it that says so. If your company data is proprietary, put a note to that effect on every log-in screen. This seems trivial, but if you wind up in court trying to prove someone took information they weren’t authorized to take, your argument won’t stand up if you can’t demonstrate that you made it clear that the information was protected.
4. Lock it up: Physical and digital protection is a must. Lock the rooms where sensitive data is stored, whether it’s the server farm or the musty paper archive room. Keep track of who has the keys. Use passwords and limit employee access to important databases.
5. Educate employees: Awareness training can be effective for plugging and preventing IP leaks, but only if it’s targeted to the information that a specific group of employees needs to guard. When you talk in specific terms about something that engineers or scientists have invested a lot of time in, they’re very attentive.
As is often the case, humans are often the weakest link in the defensive chain. That’s why an IP protection effort that counts on firewalls and copyrights, but doesn’t also focus on employee awareness and training, is doomed to fail.
6. Know your tools: A growing variety of software tools (from vendors such as eMeta, Liquid Machines, Verdasys, and Vontu) are available for tracking documents and other IP stores. They not only locate sensitive documents, but also keep track of how they are being used, and by whom.
7. Think holistically Motorola’s Chief Information
Security Officer Bill Boni explains how problems can arise if you don’t take a “big picture” view of security. If someone is scanning the internal network, your internal intrusion detection system goes off, and typically somebody from IT calls the employee who’s doing the scanning and says, “Stop doing that.” The employee offers a plausible explanation, and that’s the end of it. Then later, the night watchman sees an employee carrying out protected documents, and his explanation is “Oops...I didn’t realize that got into my briefcase.” Over time, the human resources group, the audit group, the individual’s colleagues, and others all notice isolated incidents, but nobody puts them together and realizes that all these
FOCUS
SECURITY
16
breaches were perpetrated by the same person. This is why communication gaps between infosecurity and corporate security groups can be so harmful. IP protection requires connections and communication between all the corporate functions. The Legal department has to play a role in IP protection, and so does Human Resources, and Information Technology, and Research and Development, and Engineering, and Graphic Design.... Think holistically both to protect and to detect.
8. Apply a counter-intelligence mindset
If you were spying on your own company, how would you do it? Thinking through such tactics will lead you to consider protecting phone lists, shredding the papers in the recycling bins, convening an internal council to approve your R&D scientists’ publications, or other ideas that may prove worthwhile for your particular business.
Phone lists? Paper shredders? Sounds a little extreme.
Security pros have to understand the dark forces that are trying to get information from your company and piece it together in a useful way. Some of these forces come in the guise of “competitive intelligence” researchers who, in theory anyway, are governed by a set of legal and ethical guidelines carefully wrought by the Society of Competitive Intelligence Professionals (SCIP). Others are outright spies hired by competitors, or even foreign governments, who’ll stop at nothing, including bribes, thievery, or even a pressure-activated tape recorder hidden in your CEO’s chair. But most threats to your information operate in a gray zone.
To build solid defenses, consider how snoops work:
1. They look for publicly available information.
Leonard Fuld, a competitive intelligence expert, says more damage is done by a company’s lax security than by thieves. Consider these common examples: salespeople showing off upcoming products at trade shows; technical organizations describing their R&D facilities in job listings; suppliers bragging about sales on their websites; publicity departments issuing press releases about new patent filings; companies in industries targeted by regulators over-reporting information about manufacturing facilities to the Environmental Protection Agency or OSHA, which can become part of the public record; employees posting comments on Internet bulletin boards.
All of that data tells a competitor what your company is doing. Combined, the right details might help a rival reduce your first-to-market advantage, improve the efficiency of their own manufacturing facility or refocus their research in a profitable direction.
2. They work the phones.
John Nolan, founder of the Phoenix Consulting Group, has some amazing stories of what people will tell him over the phone. This is the man who got his fingers burned in the infamous “dumpster diving” espionage case in 2001 involving Procter & Gamble and Unilever. Nolan won’t comment on the case, which was settled out of court, but he insists that there’s no need for his company to break the law. “In our experience, it’s just not worth it,” he explains.
Nolan has other ways of getting people to talk. In fact, people like him are the reason that seemingly benign lists of employee names, titles and phone extensions, or internal newsletters announcing retirements or promotions, should be closely guarded. That’s because the more Nolan knows about the person who answers the phone, the better he can work that person for information.
“I identify myself and say, ‘I’m working on a project, and I’m told you’re the smartest person when it comes to yellow market pens. Is this a good time to talk?’” says Nolan, describing his methods. “Fifty out of a hundred people are willing to talk to us with just that kind of information.” The other fifty? They ask what Phoenix Consulting Group is. Nolan replies (and this is true) that Phoenix is a research company working on a project for a client he can’t name because of a confidentiality agreement. Fifteen people will then usually hang up, but the other 35 start talking. Not a bad hit rate. Nolan starts taking notes that will eventually make their way into two files. The first file is information for his client, and the second is a database of 10,000 past sources, including information about their expertise, how friendly they were, and personal details such as their hobbies or where they went to graduate school.
Often business intelligence gatherers use well-practiced tactics for eliciting information without asking for it directly, or by implying that they are someone they aren’t. This is the tactic known as “social engineering.” Such scams might also include “pretext” calls from someone pretending to be a student working on a research project, an employee at a conference who needs some paperwork, or a board member’s secretary who needs an address list to mail Christmas cards.
Most of those calls are not illegal. Lawyers say that while it is against the law to pretend to be someone else, it’s not illegal to be dishonest.
3. They go into the field.
During the technology boom, one early-morning flight from Austin to San Jose earned the nickname “the nerd bird.” Shuttling businesspeople from one high-tech center to another, that flight and others like it became good places for job recruiters. They also became great places for competitive intelligence professionals to overhear discussions among coworkers or to sneak a peek at a fellow passenger’s PowerPoint presentation or financial spreadsheet.
Any public place where employees go, snoops can also go: airports, coffee shops, restaurants, and bars near company offices and factories, and, of course, trade shows. An operative working for the competition might corner one of your researchers after a presentation, or pose as a potential customer to try to get a demo of a new product or learn about pricing from your sales team. Or that operative might simply take off his name badge before approaching your booth at a trade show.
Employees must know not to talk about sensitive business in public places, and how to work with the marketing department to make sure the risks of revealing inside information at a trade show don’t outweigh the benefits of drumming up business.
Job interviews are another possible leak. Daring competitors may risk sending one of their own employees to a job interview, or they could hire a competitive intelligence firm to do so. Conversely, a competitor might invite one of your employees in for a job interview with no other purpose than gleaning information about your processes.
4. They put the pieces together.
In some ways, trade secrets are easy to protect. Stealing them is illegal under the 1996 Economic Espionage Act. Employees usually know that they’re valuable, and nondisclosure agreements may protect your company further. What’s more complicated is helping employees understand how seemingly innocuous details can be strung together into a bigger picture, and how a simple company phone list becomes a weapon in the hands of snoops like John Nolan.
Consider this scenario: Nolan once had a client who wanted him to find out whether any rivals were working on a certain technology. During his research of public records, he came across nine or 10 people who had been publishing papers on this specialized area since they were grad students together. Suddenly, they all stopped writing about the technology. Nolan did some background work and discovered that they had all moved to a certain part of the country to work for the same company. None of that constituted a trade secret or even, necessarily, strategic information. But Nolan saw a picture forming.
“What that told us was that they had stopped [publishing information about the technology] because they recognized that the technology had gotten to a point where it was probably going to be profitable,” Nolan says. Then, by calling the people on the phone, going to meetings where they were speaking on other topics, and asking them afterward about the research they were no longer speaking publicly about, Nolan’s firm was able to figure out when the technology would hit the market. This information, he says, gave his client a two-year heads up on the competition’s plans.
5. Some go beyond the gray zones.
Other countries may have vastly different ethical and legal guidelines for information gathering. Almost everything we’ve talked about so far is legal in the United States, or at least arguably so in the hands of a clever lawyer. But there’s another realm of corporate sleuthing, using bugs, bribes, theft, even extortion, that is widely practiced elsewhere.
In his days as a global security consultant, Motorola’s Boni saw several things happen that probably wouldn’t happen in the U.S. A bank in South America that suspected espionage brought in a security consultancy to sweep the place of bugs. When the loss of information continued, the bank hired a different security team. “They found different devices,” Boni recalls. “The whole executive suite was wired for motion and sound. The first team that came in to look for bugs was probably installing them.” Espionage is sometimes sanctioned, or even carried out, by foreign governments, which may view helping local companies keep tabs on foreign rivals as a way to boost the country’s economy.
That’s why no single set of guidelines for protecting intellectual property will work everywhere in the world. The CIO’s job is to evaluate the risks for every country the company does business in, and act accordingly. Some procedures, such as reminding people to protect their laptops, will always be the same. But certain countries require more precautions. Executives traveling to Pakistan, for example, might need to register under pseudonyms, have their hotel rooms or work spaces swept for bugs, or even have security guards help protect information.
Tell me more about global differences. I suspect the legal protections you’ve mentioned won’t apply overseas.
Correct. Over the years, France, China, Latin America and the former Soviet Union have all developed reputations as places where industrial espionage is widely accepted, even encouraged, as a way of promoting the country’s economy. Many other countries are worse.
A good resource for evaluating the threat of doing business in different parts of the world is the Corruption Perceptions Index published each year by Transparency International (and made famous by The Economist).
In 00, the Corruption Perceptions Index ranked the following 12 countries as being “perceived as most corrupt”: Bangladesh, Nigeria, Haiti, Paraguay, Myanmar, Tajikistan, Georgia, Cameroon, Azerbaijan, Angola, Kenya, and Indonesia. Another list ranked big countries where companies are most likely to pay bribes to win or retain business in emerging markets. The worst scores belonged to Russia, China, Taiwan and South Korea, followed by Italy, Hong Kong, Malaysia, Japan, USA and France. (To download the full results of the index, visit Transparency International at www.transparency.org.)
Here are nine practical steps for protecting IP specifically where you’re offshoring software work:
1. Send people to inspect the physical premises where the software will be written. Note whether buildings have basic security check-in procedures and the like. Find out what kind of access people have to key systems.
2. Look closely at the way networks function, particularly if you plan to use virtual private networks. These are good for cross-facility communications, but make it easier for remote employees to work from home or on notebook computers, which can increase vulnerability.
3. Protect important information, such as source code, with passwords and access codes, and make sure that these are not widely available, either in the United States or at the outsourcing location. Approvals do reduce flexibility, but not as much as they reduce risk.
4. Demand that the outsourcer have tight human resources screening. Look for employee retention figures, find out if competitors do business with the same companies, and if so, ensure that there is no contact between teams.
5. Know what risks your own organization can take. Regulated industries such as health care and financial services need to keep closer controls over data and software development than, say, packaged goods companies.
6. Work to understand the legal system and culture of both countries. Negotiate contracts that make the offshore company responsible for the actions of its employees.
7. Budget for greatly increased telecom costs, as well as for regular visits to the outsourcer.
8. Make sure that any test data being used does not expose real information traceable to real customers.
9. Always maintain an original copy of source code. This step seems obvious, but in one Y2K outsourcing case, a company was unable to prove a bug had been added to a program because it had not kept its source code. Companies that don’t have the resources to take these steps should think twice about what they are putting at risk by offshoring, whether it’s software development or some other function like call centers involving sensitive customer data.
Business Continuity and Disaster Recovery Planning
Disaster recovery and business continuity planning are processes that help organizations prepare for disruptive events—whether an event might be a hurricane or simply a power outage caused by a backhoe in the parking lot. The CIO’s / CSO’s involvement in this process can range from overseeing the plan, to providing input and support, to putting the plan into action during an emergency. This primer explains the basic concepts of business continuity planning.
Q: “Disaster recovery” seems pretty self-explanatory. Is there any difference between that and “business continuity planning”?
A: Disaster recovery is the process by which you resume business after a disruptive event. The event might be something huge, like an earthquake or the terrorist attacks on the World Trade Center, or something small, like malfunctioning software caused by a computer virus.
Given the human tendency to look on the bright side, many business executives are prone to ignoring “disaster recovery” because disaster seems an unlikely event. “Business continuity planning” suggests a more comprehensive approach to making sure you can keep making money. Often, the two terms are married under the acronym BC/DR. At any rate, DR and/or BC determines how a company will keep functioning after a disruptive event until its normal facilities are restored.
What do these plans include?
All BC/DR plans need to encompass how employees will communicate, where they will go and how they will keep doing their jobs. The details can vary greatly, depending on the size and scope of a company and the way it does business. For some businesses, issues such as supply chain logistics are most crucial and are the focus of the plan. For others, information technology may play a more pivotal role, and the BC/DR plan may have more of a focus on systems recovery. For example, the plan at one global manufacturing company would restore critical mainframes with vital data at a backup site within four to six days of a disruptive event, obtain a mobile PBX unit with ,000 telephones within two days, recover the company’s 1,000-plus LANs in order of business need, and set up a temporary call center for 100 agents at a nearby training facility. But the critical point is that neither element can be ignored, and physical, IT and human resources plans cannot be developed in isolation from each other. At its heart, BC/DR is about constant communication. Business leaders and IT leaders should work together to determine what kind of plan is necessary and which systems and business units are most crucial to the company. Together, they should decide which people are responsible for declaring a disruptive event and mitigating its effects. Most importantly, the plan should establish a process for locating and communicating with employees after such an event. In a catastrophic event (Hurricane Katrina being a recent example), the plan will also need to take into account that many of those employees will have more pressing concerns than getting back to work.
Where do I start?
A good first step is a business impact analysis (BIA). This will identify the business’s most crucial systems and processes and the effect an outage would have on the business. The greater the potential impact, the more money a company should spend to restore a system or process quickly. For instance, a stock trading company may decide to pay for completely redundant IT systems that would allow it to immediately start processing trades at another location. On the other hand, a manufacturing company may decide that it can wait hours to resume shipping. A BIA will help companies set a restoration sequence to determine which parts of the business should be restored first.
Here are 10 absolute basics your plan should cover:
1. Develop and practice a contingency plan that includes a succession plan for your CEO.
2. Train backup employees to perform emergency tasks. The employees you count on to lead in an emergency will not always be available.
3. Determine offsite crisis meeting places for top executives.
4. Make sure that all employees, as well as executives, are involved in the exercises so that they get practice in responding to an emergency.
5. Make exercises realistic enough to tap into employees’ emotions so that you can see how they’ll react when the situation gets stressful.
6. Practice crisis communication with employees, customers and the outside world.
7. Invest in an alternate means of communication in case the phone networks go down.
8. Form partnerships with local emergency response groups (firefighters, police and EMTs) to establish a good working relationship. Let them become familiar with your company and site.
9. Evaluate your company’s performance during each test, and work toward constant improvement. Continuity exercises should reveal weaknesses.
10. Test your continuity plan regularly to reveal and accommodate changes. Technology, personnel and facilities are in a constant state of flux at any company.
Hold it. Actual live-action tests would, themselves, be the “disruptive events.” If I get enough people involved in writing and examining our plans, won’t that be sufficient?
Let us give you an example of a company that thinks tabletops and paper simulations aren’t enough, and why its experience suggests it’s right.
When CIO Steve Yates joined USAA, a financial services company, business continuity exercises existed only on paper. Every year or so, top-level staffers would gather in a conference room to role-play; they would spend a day examining different scenarios, talking them out, discussing how they thought the procedures should be defined and how they thought people would respond to them. Live exercises were confined to the company’s technology assets. USAA would conduct periodic data recovery tests of different business units, like taking a piece of the life insurance department and recovering it from backup data.
Yates wondered if such passive exercises reflected reality. He also wondered if USAA’s employees would really know how to follow such a plan in a real emergency. When Sept. 11 came along, Yates realized that the company had to do more. “Sept. 11 forced us to raise the bar on ourselves,” says Yates.
Yates engaged outside consultants who suggested that the company build a second data center in the area as a backup. After weighing the costs and benefits of such a project, USAA initially concluded that it would be more efficient to rent space on the East Coast. But after the attack on the World Trade Center and Pentagon, when air traffic came to a halt, Yates knew it was foolhardy to have a data center so far away. Ironically, USAA was set to sign the lease contract the week of Sept. 11.
Instead, USAA built a center in Texas, only 00 miles away from its offices, close enough to drive to but far enough away to pull power from a different grid and water from a different source. The company has also made plans to deploy critical employees to other office locations around the country.
Yates made site visits to companies such as FedEx, First Union, Merrill Lynch and Wachovia to hear about their approach to contingency planning. USAA also consulted with PR firm Fleishman-Hillard about how USAA, in a crisis situation, could communicate most effectively with its customers and employees. Finally, Yates put together a series of large-scale business continuity exercises designed to test the performance of individual business units and the company at large in the event of wide-scale business disruption. When the company simulated a loss of the primary data center for its federal savings bank unit, Yates found that it was able to recover the systems, applications and all 19 of the third-party vendor connections. USAA also ran similar exercises with other business units.
For the main event, however, Yates wanted to test more than the company’s technology procedures; he wanted to incorporate the most unpredictable element in any contingency planning exercise: the people.
USAA ultimately found that employees who walked through the simulation were in a position
Can you give me some examples of things companies have discovered through testing?
Some companies have discovered that while they back up their servers or data centers, they’ve overlooked backup plans for laptops. Many businesses fail to realize the importance of data stored locally on laptops. Because of their mobile nature, laptops can easily be lost or damaged. It doesn’t take a catastrophic event to disrupt business if employees are carting critical or irreplaceable data around on laptops.
One company reports that it is looking into buying MREs (meals ready-to-eat) from the company that sells them to the military. MREs have a long shelf life, and they don’t take up much space. If employees are stuck at your facility for a long time, this could prove a worthwhile investment.
Mike Hager, former head of information security and disaster recovery for OppenheimerFunds, says 9/11 brought issues like these to light. Many companies, he said, were able to recover data, but had no plans for alternative work places. The World Trade Center had provided more than 0 million square feet of office space, and after Sept. 11th there was only 10 million square feet of office space available in Manhattan. The issue of where employees go immediately after a disaster and where they will be housed during recovery should be addressed before something happens, not after.
USAA discovered that while it had designated a nearby relocation area, the setup process for computers and phones took nearly two hours. During that time, employees were left standing outside in the hot Texas sun. Seeing the plan in action raised several questions that hadn’t been fully addressed before: Was there a safer place to put those employees in the interim? How should USAA determine if or when employees could be allowed back in the building? How would thousands of people access their vehicle if their car keys were still sitting on their desk? And was there an alternate transportation plan if the company needed to send employees home?
What are the top mistakes that companies make in disaster recovery?
Hager and other experts note the following pitfalls:
1. Inadequate planning: Have you identified all critical systems, and do you have detailed plans to recover them to the current day? (Everybody thinks they know what they have on their networks, but most people don’t really know how many servers they have, how they’re configured, or what applications reside on them: what services were running, what version of software or operating systems they were using. Asset management tools claim to do the trick here, but they often fail to capture important details about software revisions and so on.)
2. Failure to bring the business into the planning and testing of your recovery efforts.
3. Failure to gain support from senior-level managers. The largest problems here are:
1. Not demonstrating the level of effort required for full recovery.
2. Not conducting a business impact analysis and addressing all gaps in your recovery model.
3. Not building adequate recovery plans that outline your recovery time objective, critical systems and applications, vital documents needed by the business, and business functions by building plans for operational activities to be continued after a disaster.
4. Not having proper funding that will allow for a minimum of semiannual testing.
Can we outsource our contingency measures?
Disaster recovery services, such as offsite data storage, mobile phone units, remote workstations and the like, are often outsourced, simply because it makes more sense than purchasing extra equipment or space that may never be used. In the days after the Sept. 11 attacks, disaster recovery vendors restored systems and provided temporary office space, complete with telephones and Internet access, for dozens of displaced companies.
What advice would you give to security executives who need to convince their CEO or board of the need for disaster recovery plans and capabilities? What arguments are most effective with an executive audience?
Hager advises chief security officers to address the need for disaster recovery through analysis and documentation of the potential financial losses. Work with your legal and financial departments to document the total losses per day that your company would face if you were not capable of quick recovery. By thoroughly reviewing your business continuance and disaster recovery plans, you can identify the gaps that stand in the way of a successful recovery. Remember: Disaster recovery and business continuance are nothing more than risk avoidance. Senior managers understand more clearly when you can demonstrate how much risk they are taking.
Hager also says that smaller companies have more (and cheaper) options for disaster recovery than bigger ones. For example, the data can be taken home at night. That’s certainly a low-cost way to do offsite backup.
Some of this sounds like overkill for my company. Isn’t it a bit much?
The elaborate machinations that USAA goes through in developing and testing its contingency plans might strike the average CIO or CSO as being over the top. And for some businesses, that’s absolutely true. After all, HazMat training and an evacuation plan for 0,000 employees is not a necessity for every company.
Like many security issues, continuity planning comes down to basic risk management: How much risk can your company tolerate, and how much is it willing to spend to mitigate various risks?
In planning for the unexpected, companies have to weigh the risk versus the cost of creating such a contingency plan. That’s a trade-off that Pete Hugdahl, USAA’s assistant vice president of security, frequently confronts. “It gets really difficult when the cost factor comes into play,” he says. “Are we going to spend $100,000 to fence in the property? How do we know if it’s worth it?”
And, make no mistake, there is no absolute answer. Whether you spend the money or accept the risk is an executive decision, and it should be an informed decision. Half-hearted disaster recovery planning is a failure to perform due diligence.
Phishing and Pharming
Phishing is a method of trying to gather personal information using deceptive e-mails and websites. Pharming also aims to collect personal information from unsuspecting victims by essentially tinkering with the road maps that computers use to navigate the Web. You don’t want either one working its evil genius on your customers. Here’s how to be on your guard.
Q: What is phishing?
A: Phishing is a method of trying to gather personal information using deceptive e-mails and websites. Typically, a phisher sends an e-mail disguised as a legitimate business request. For example, the phisher may pass himself off as a real bank asking its customers to verify financial data. The e-mail is often forged so that it appears to come from a real e-mail address used for legitimate company business, and it usually includes a link to a website that looks exactly like the bank’s website. However, the site is bogus, and when the victim types in passwords or other sensitive information, that data is captured by the phisher. The information may be used to commit various forms of fraud and identity theft, ranging from compromising a single existing bank account to setting up multiple new ones.
Early phishing attempts were crude, with telltale misspellings and poor grammar. Since then, however, phishing e-mails have become remarkably sophisticated. Phishers may pull language straight from official company correspondence and take pains to avoid typos. The fake sites may be near-replicas of the sites phishers are spoofing, containing the company’s logo and other images and fake status bars that give the site the appearance of security. Phishers may register plausible-looking domains like aolaccountupdate.com, mycitibank.net or paypa1.com (using the number 1 instead of the letter L). They may even direct their victims to a well-known company’s
actual website and then collect their personal data through a faux pop-up window.
Can we prevent phishing attacks?
Companies can reduce the odds of being targeted, and they can reduce the damage that phishers can do (more details on how below). But they can’t really prevent it. One reason phishing e-mails are so convincing is that most of them have forged “from” lines, so that the message looks like it’s from the spoofed company. There’s no way for an organization to keep someone from spoofing a “from” line and making it seem as if an e-mail came from the organization.
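The lookalike domains mentioned above (paypa1.com with a digit 1 for the letter L, mycitibank.net, aolaccountupdate.com) can be caught mechanically when they turn up in inbound mail, web proxy logs or new domain registrations. The following is an added example, not code from the original article; it assumes a constructed list of protected brand domains and uses a last-two-labels approximation of the registrable domain in place of the Public Suffix List.

```python
"""Flag lookalike domains of the kind phishers register (added example)."""
from urllib.parse import urlsplit

# Brands this organization wants to protect. Constructed sample list; in
# practice it would hold your own registrable domains.
PROTECTED_DOMAINS = ["paypal.com", "citibank.com", "aol.com"]

# Characters and digraphs that imitate letters on screen. 'paypa1.com'
# (digit one for the letter L) is the case the article describes. Note that
# 'rn' -> 'm' also rewrites honest words like 'modern', so the normalized
# form is only ever compared against brand names, never displayed.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"),
               ("5", "s"), ("3", "e"), ("|", "l")]


def normalize_confusables(label: str) -> str:
    """Map lookalike characters onto the letters they imitate."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: a real implementation
    needs the Public Suffix List so that e.g. bank.co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url_or_host: str) -> str:
    """Accept either a bare hostname or a full URL."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlsplit(url_or_host).hostname or "").lower()


def classify_domain(url_or_host: str):
    """Return (verdict, brand): 'legitimate', 'lookalike' or 'unrelated'."""
    host = hostname_of(url_or_host)
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return ("legitimate", reg)
    reg_name = reg.split(".")[0]          # 'paypa1' from 'paypa1.com'
    squashed = normalize_confusables(host.replace(".", ""))
    for brand in PROTECTED_DOMAINS:
        brand_name = brand.split(".")[0]
        # 1. Confusable substitution: paypa1.com -> paypal.com
        if normalize_confusables(reg_name) == brand_name:
            return ("lookalike", brand)
        # 2. Typosquat one edit away (paypall.com). Skipped for short brand
        #    names, where a single edit matches too many honest domains.
        if len(brand_name) >= 5 and edit_distance(reg_name, brand_name) <= 1:
            return ("lookalike", brand)
        # 3. Brand name embedded in some other registrable domain:
        #    aolaccountupdate.com, mycitibank.net, paypal.com.example.net
        if brand_name in squashed:
            return ("lookalike", brand)
    return ("unrelated", None)
```

Short brand names such as aol are the weak spot of rule 3, so in practice a hit there is a candidate for review rather than an automatic block.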
A technology known as sender authentication does hold some promise for limiting phishing attacks, though. The idea is that if e-mail gateways could verify that messages purporting to be from, say, Citibank did in fact originate from a legitimate Citibank server, messages from spoofed addresses could be automatically tagged as fraudulent and thus weeded out. (Before delivering a message, an ISP would compare the IP address of the server sending the message to a list of valid addresses for the sending domain, much the same way an ISP looks up the IP address of a domain to send a message. It would be sort of an Internet version of caller ID and call blocking.) Although the concept is straightforward, implementation has been slow because the major Internet players have different ideas about how to tackle the problem. It may be years before different groups iron out the details and implement a standard. Even then, there’s no way of guaranteeing that phishers won’t find ways around the system (just as some fraudsters can fake the numbers that appear in caller IDs). That’s why, in the meantime, so many organizations—and a growing marketplace of service providers—have taken matters into their own hands.
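The gateway check described above, comparing the sending server’s IP address with the addresses the sending domain publishes, is what was later standardized as SPF (Sender Policy Framework). The following is an added example, not code from the original article: a minimal SPF-style evaluator over constructed records for the placeholder domains bank.example and shop.example, with documentation-range IP addresses; the include:, a and mx mechanisms are left out.

```python
"""Sender-authentication check of the kind the text describes (added example)."""
import ipaddress

# Stand-in for the DNS TXT lookup a real gateway would perform. Constructed
# records using RFC 5737 / RFC 3849 documentation addresses, not any real
# company's data.
PUBLISHED_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "shop.example": "v=spf1 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record: str):
    """Turn 'v=spf1 ip4:... -all' into a list of (result_if_matched, kind, value)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # mechanisms default to 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        kind, _, value = term.partition(":")
        kind = kind.lower()
        if kind not in ("ip4", "ip6", "all"):
            raise ValueError(f"unsupported mechanism: {kind}")  # include:, a, mx omitted
        parsed.append((QUALIFIERS[qualifier], kind, value))
    return parsed


def evaluate(sending_ip: str, domain: str) -> str:
    """Return pass/fail/softfail/neutral, or 'none' when the domain publishes nothing."""
    record = PUBLISHED_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for result, kind, value in parse_record(record):
        if kind == "all":                    # catch-all: first match wins
            return result
        if (kind == "ip4" and ip.version != 4) or (kind == "ip6" and ip.version != 6):
            continue
        if ip in ipaddress.ip_network(value, strict=False):
            return result
    return "neutral"                         # ran off the end without an 'all' term


def gateway_decision(envelope_sender: str, sending_ip: str) -> str:
    """What a receiving gateway might do with the result: deliver, tag or reject."""
    _, _, domain = envelope_sender.rpartition("@")
    result = evaluate(sending_ip, domain)
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "tag-as-suspect"
    return "deliver"                         # pass, neutral and none are delivered
```

A message that passes only proves it came from a server the sending domain authorizes; a phisher’s own lookalike domain can publish a record and pass too, so this check complements rather than replaces the customer-communication practices below.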
What can my company do to reduce our chances of being targeted?
In part, the answer has to do with NOT doing silly or thoughtless things that can increase your vulnerability. Now that phishing has become a fact of life, companies need to be careful about how they use e-mail to communicate with customers. For example, in May 00, Wachovia’s phones started ringing off the hook after the bank sent customers an e-mail instructing them to update their online banking user names and passwords by clicking on a link. Although the e-mail was legitimate (the bank had to migrate customers to a new system following a merger), a quarter of the recipients questioned it.
As Wachovia learned, companies need to clearly think through their customer communication protocols. Best practices include giving all e-mails and webpages a consistent look and feel, greeting customers by first and last name in e-mails, and never asking for personal or account data through e-mail. If any time-sensitive personal information is sent through e-mail, it has to be encrypted. Marketers may wring their hands at the prospect of not sending customers links that would take them directly to targeted offers, but instructing customers to bookmark key pages or linking to special offers from the homepage is a lot more secure. That way, companies are training their customers not to be duped.
It also makes sense to revisit what customers are allowed to do on your website. They should not be able to open a new account, sign up for a credit card or change their address online with just a password. At a minimum, companies should acknowledge every online transaction through e-mail and one other