Security Survival Guide
Beating the bad guys at their own game
On November 2, 1988, 23-year-old Cornell University graduate student Robert Tappan Morris startled the technology, research, and defense communities by releasing the Internet's first worm. His motive, according to testimony given during his 1990 trial at the United States Second Circuit Court of Appeals, was "[to] demonstrate the inadequacies of current security measures on computer networks by exploiting the security defects" that he had discovered.
The world has changed dramatically since then. Today, the intentions of intruders are malicious, methodical, and increasingly sophisticated. "Over the last two years, we've seen a shift from attacks based on a desire for recognition to more stealth-like threats whose primary motive is to make money through various forms of theft," says Julia Allen, senior member of the technical staff at Carnegie Mellon University's Software Engineering Institute (SEI) in Pittsburgh, Pennsylvania. Allen is also a member of the SEI's CERT Program, which was created at the request of the Defense Advanced Research Projects Agency to coordinate communication among experts and help prevent future security emergencies such as the Morris worm. "They're very patient. In the financial services sector, for example, intruders will set up 'botnet' networks where you have malicious code components sitting on thousands and thousands of computers just waiting to be called upon to launch an attack or capture some kind of information."
In such a rapidly shifting landscape, how can companies stay ahead of the curve to protect assets and ensure reputations remain intact? Experts say a new game plan is required, one that involves changing the way companies think about security.
Building a strong foundation
It all starts with a sound security plan that supports the overall business strategy (see sidebar "Steps to Stronger Security"). "If you're doing security for the sake of security, you're not going to get very far," says Kathy Orner, vice president and chief information security officer (CISO) at Minneapolis, Minnesota-based Carlson Companies, a global leader in hotel, restaurant, cruise, travel, and marketing services. "But if you're doing it to enable the business to be more productive or to reach new markets or meet demands of the client, then it will be a success."
Sammy Spurlock, manager of information security at Standard Register, a US$900 million document service firm headquartered in Dayton, Ohio, agrees. "It all starts with the business. We look at where the company is going, what's happening in the market, what kinds of technologies our competitors are using, where the technology market is headed, legislation being developed, and any regulatory compliance we must comply with. Once you understand the business from those different angles, you know what types of controls you need."
Minimizing, not eliminating, risk
With global companies running multiple networks linking thousands of users and devices across multiple time zones, there are more opportunities for security breaches. "Now, when attacks occur, it doesn't matter where you're sitting on the globe," says Orner. "If you're on a network, you're on a network." Knowing who is on your networks and what they're doing is crucial.
"In the past, security was more of a perimeter defense model where we looked at protecting ourselves from individuals, hacks, and denial of service attacks," says Chris Armstrong, vice president of enterprise information security at Wyndham Worldwide, a US$3 billion hospitality company based in Parsippany, New Jersey. "Now, it's much more of a layered model with intrusion prevention technology, multilayer firewalls, and monitoring devices. There are so many systems talking to other systems that it's important to understand where the risks are, both externally and internally."