Paper maker documents key IT security issues

James Cupps, a former network engineer and information security officer for the U.S. Navy, is now on his second tour of duty with Sappi Fine Paper North America, a division of a $4.7 billion South African manufacturing company. Cupps, the North American division's information security officer and Sappi's global security lead, recently shared his thoughts with Network World Executive News Editor Bob Brown.

Give us a feel for your job responsibilities and the company's network.

Overall, we have 20,000 employees but only about 10,000 systems that are spread over several hundred subnets. In North America, we have about 3,000 systems and about 4,000 employees. We have offices on six continents, with large-scale manufacturing presence on four. I am responsible for network and application security including segregation of duty in our ERP system, anti-virus, edge protection, disaster recovery, policy creation and enforcement, regulatory compliance/[Sarbanes-Oxley] and business continuity.

What's the most underappreciated aspect of your job?

Building interregional and interdepartmental consensus.

How is overseeing IT security at a corporation different than in the military?

Believe it or not, you can make decisions more quickly and get them enacted faster in a company. There is more focus on disaster recovery/business continuity in a business and more focus on edge security and general data classification/protection in the military. Other than that, there are a lot of overlaps.

On one hand more threats, from viruses to phishing to spyware, are hitting networks. On the other hand, more money is being sunk into security companies and more tools are coming out. Is it getting any easier to sleep at night?

Actually, yes. The bad guys are definitely getting better, but so are the vendors. Some of the newer [intrusion-prevention system (IPS)] mechanisms are quite easy to deploy and manage and are remarkably resilient. If you implement them in a smart-layered architecture the cost isn't much higher than what we have seen over the last several years. Add to that the fact that executive management is giving the area substantially more attention, and it is finally possible to get real problems fixed. There are a lot of tools, strategies and mechanisms for dealing with rights issues such as [separation of duties] now that had to be performed manually - or more likely not at all - just a few years ago. There are still a few things that worry me. Process-control security is getting a lot more attention but still needs more work from manufacturing companies and the makers of the equipment. This is the infrastructure that allows actual physical control of machinery and plant equipment.

Network security consultants and vendors are fond of painting a frightening picture of network security threats - viruses that result in planes crashing or patients getting the wrong medicine. How real are such threats to you?

I don't know about planes or hospitals. In factory settings, there are fail-safe settings that help avoid safety issues. It is possible to interrupt manufacturing, though, and poor facility design might allow for worse events. People need to realize two things: First, it is always possible for good operators to manually step in and interrupt a problem, so the worst case scenarios are not as bad as what you see on prime time TV. Second, more equipment is being connected directly to IP networks so even if manual operations can stop problems, it is still getting much easier for hackers, viruses and worms to cause problems for modern facilities whether they are power companies, oil producers or paper manufacturers.

There's a lot of talk these days about the borderless perimeter - the idea that it's getting more difficult to define your network's perimeter. What are you seeing here?

Whether we like it or not, the increasing ease of communications and the need to provide access to outside vendors, contractors and partners is slowly eroding what has traditionally been the primary line of defense. This doesn't mean you don't need edge protection; it means you need to redefine what an edge is. You still need the firewall and/or a network IPS, DMZ and extranets, but now the DMZ and extranets might be distributed over multiple points. You need to have layered defense.

What's the smartest thing your company has done to ensure network security?

The deployment of host-based IPS and a comprehensive intrusion prevention/anti-virus monitoring and control environment. We have caught and cleaned many viruses that we couldn't even see with our old system, and we have been able to better coordinate our patch process instead of just reacting.

What role, if any, should government play in helping companies out with their IT security?

As little as possible and only informational. They just aren't the real experts. Well, most of them.

What impact has Sarbanes-Oxley had on your IT department?

It's had a very large impact, and we have devoted a significant amount of resources to ensuring we are compliant both in spirit and in the letter of the law. We are cooperating with our outside accountants and meticulously identifying our controls and system security settings.

How much attention are you paying to identity management?

To have an adequate control infrastructure you need good identity management. Our primary early focus is on segregation of duty within financial systems, but we also have adopted solutions and policies for other aspects of ID controls and management.

It can be hard to get companies to talk publicly about their IT security strategies and challenges for obvious reasons. But what can corporations do to warn each other of new threats and generally help each other out?

It is important to participate in external forums and discussions. There are pieces of information that are best kept private, but security by obscurity doesn't work.

What's your take on Microsoft's security efforts these days?

They are making an honest effort, but they still often miss the big picture. The fact is they are in a no-win situation. Their phenomenal success has made them effectively the only target worth pursuing. I don't think it is fair to compare them to other [operating systems] in many ways.

How does your company handle software patching?

We use the Windows system for our desktops and Tivoli, Altiris or manual patching for the servers. We are increasingly relying on host-based IPS and Determina memory firewalls to help cover the gap times.

You've adopted intrusion-prevention technology. Why, and how much of an issue are false positives these days?

For the McAfee stuff I am getting some, but it is manageable. Most of it is coming from the firewall portion, and to be honest, I can't blame it on the [McAfee] Entercept piece. For the Determina stuff I haven't seen any false positives yet.

You've mentioned Determina a couple of times. What's your general take on buying from start-ups?

I don't have a problem buying from start-ups. First, you have to test any product you buy thoroughly, regardless of what it is to ensure it works in the way you want it within your environment. You can have a product failure from the largest, most established companies, as well as the smaller ones.

Second, most tech purchases now last only a few years anyway, whether they are [operating systems] or apps. There seems to be a two- to three-year cycle, and most upgrades require a lot of rework and learning even within a single named app.

Third, there are often price benefits, both initially and with total cost of ownership, when dealing with more aggressive companies. I have found service and support to be much more favorable in many smaller companies.

What are the most exciting products you've come across of late?

There are actually three, all in different areas:

Core Impact by Core Security is amazing. It removes the guesswork and false positives from vulnerability scans. It provides a concrete accounting and documentation path that makes both your auditors and administrators happy at the same time.

BizRights by Approva greatly simplifies segregation of duty analysis in SAP and other ERP systems, and provides clear reports in a timely manner. I don't see how a large SAP customer can claim to adequately control end-user security - and therefore related financial controls - without something like it.

Finally, there is Determina SecureCore, an application that stops all memory-type attacks with very little system overhead and almost no ongoing administration. It seems to be a unique approach to the buffer and heap overflow attacks that is effective regardless of patching process or what application is vulnerable. It will have an enormous effect on the ability of worms to propagate if it is widely deployed.

Any advice about things to avoid?

Avoid trying to deal with SAP segregation of duty issues manually. Think about it this way: There are 80,000 or so SAP transactions, any two of which can cause [a segregation of duty] issue. Usually, there are dozens that conflict individually with dozens of others at the object level. The number of possible combinations is enormous and it is different for every company. Anyone who thinks they can do this by downloading tables and analyzing them in spreadsheets without outside help needs to seriously consider what they are putting at risk in their company.
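The following Python snippet is an added illustration of the pairwise segregation-of-duty check described in the answer above; it is not code from the interview, from Sappi, or from any vendor product named here. The transaction codes, conflict rules and user assignments are constructed sample data (the rule descriptions are hypothetical, not an authoritative SoD rule set), and the point it makes is the one in the text: the full pair space for 80,000 transactions is in the billions, so the check has to be rule-driven and automated rather than done by eye in a spreadsheet.

```python
"""Pairwise segregation-of-duties (SoD) check over user transaction assignments.

Added example for the SAP SoD discussion, not code from the interview or any
vendor. Transaction codes, conflict rules and user assignments are constructed
sample data, not an authoritative rule set.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed conflict rules: each key is an unordered pair of transactions
# that one user should not be able to execute together (hypothetical rules).
CONFLICT_RULES: Dict[FrozenSet[str], str] = {
    frozenset({"FK01", "F110"}): "create vendor master + run payment program",
    frozenset({"ME21N", "MIGO"}): "create purchase order + post goods receipt",
    frozenset({"FB01", "F110"}): "post journal entry + run payment program",
}

# Constructed user -> transaction assignments, as if exported from role data.
USER_TRANSACTIONS: Dict[str, Set[str]] = {
    "alice": {"FK01", "F110", "FB03"},           # vendor create + payment run
    "bob":   {"ME21N", "ME23N"},                 # purchasing only, no conflict
    "carol": {"ME21N", "MIGO", "FB01", "F110"},  # two distinct conflicts
    "dave":  {"FB03", "ME23N"},                  # display-only transactions
}


def pair_count(n_transactions: int) -> int:
    """Number of unordered transaction pairs a manual review would have to consider."""
    return n_transactions * (n_transactions - 1) // 2


def find_conflicts(users: Dict[str, Set[str]],
                   rules: Dict[FrozenSet[str], str]) -> List[Tuple[str, str, str, str]]:
    """Return (user, tcode_a, tcode_b, description) for every rule a user violates.

    Only pairs the user actually holds are enumerated, so the cost is the
    per-user combinations, not the full transaction-pair space.
    """
    findings = []
    for user, tcodes in sorted(users.items()):
        for a, b in combinations(sorted(tcodes), 2):
            key = frozenset({a, b})
            if key in rules:
                findings.append((user, a, b, rules[key]))
    return findings


def users_with_conflicts(users: Dict[str, Set[str]],
                         rules: Dict[FrozenSet[str], str]) -> List[str]:
    """Distinct users holding at least one conflicting pair, sorted by name."""
    return sorted({f[0] for f in find_conflicts(users, rules)})


if __name__ == "__main__":
    print(f"Unordered pairs among 80,000 transactions: {pair_count(80_000):,}")
    for user, a, b, why in find_conflicts(USER_TRANSACTIONS, CONFLICT_RULES):
        print(f"{user}: {a} + {b} -> {why}")
```

In a real review the rule set would come from the ERP's authorization objects rather than from transaction codes alone, which is the "object level" detail the answer refers to; the pairwise structure of the check is the same either way.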

Microsoft and The SCO Group have offered bounties to help track down virus writers. What do you think about using bounties to nail these people?

Interesting that these two are cooperating in so many ways. I don't think that bounties will help but anything that keeps virus writers from plying their trade is good even if it doesn't help much.

How much trust can companies put in wireless network security?

If you don't have some form of asymmetric key authentication [or other two-factor authentication], then you shouldn't be doing wireless on your internal networks. As for network admission control schemes, I haven't fully developed an opinion yet. We are testing it some but I am concerned about its manageability.

Your company recently moved a data center and ditched a mainframe. Why and what was involved?

There were a lot of reasons, including that we got better real-estate prices. There was synergy from combining geographically separate groups. We are saving on the mainframe by reducing software, hardware and personnel costs. Eliminating the mainframe greatly reduced the technical complexity of the move. We managed to get it done in less than two months from project go-live but the project planning took several months before that. We got rid of an S/390.

Copyright © 2005 IDG Communications, Inc.