
Security experts urge a ‘say yes’ mindset

Dec 19, 2005 | 5 mins
Networking, Unified Communications

NEW YORK – Being an IT security specialist requires a close understanding of business goals, a dose of salesmanship and a willingness to say yes to projects even if it means dealing with new risks, top network security professionals told attendees at last week’s inaugural Interop New York.

Security as an enabler of business was a major theme at the show, which represented an attempt by event organizers to revive an East Coast version of Interop to supplement the flagship Las Vegas edition. Organizers had anticipated only 5,000 attendees and could supply no firm attendance figures last week, but the show seemed lightly attended.

“If security is the only thing that drives innovations in your company, you are certainly headed down the road to disintegration,” said Dave Girouard, general manager of Google Enterprise, who delivered a keynote address. Security policy setters have to get past the knee-jerk reaction, “When in doubt, restrict access,” he says. “You need to think, ‘Who can have access to what?’ and enable that. It is fundamental to a company’s competitiveness.”

Some IT security executives at the event said they are already taking to heart the advice from Google’s Girouard.

“We take the position that security should enable business processes,” said Dave Vandernaalt, director of the strategic technology division for the City of New York. “The question is: How do you prove to the business side that you’ve shifted from being the police to being an enabler?”

The answer involves approaching network security with an understanding that finding new uses for data is essential to successful businesses. Security professionals must help these new uses happen while minimizing the threat that data will be compromised, said Sunil Misra, chief security adviser for Unisys.

Part of the problem is the way security people phrase their advice, said Thomas Dunbar, global IT CSO for XL Capital, a re-insurance firm in Bermuda. If business leaders in the company want to make data more widely accessible, his first step is to see if that can be done without putting the company at risk. “So we say yes. There may be a lot of buts along with it, but we say yes,” he said.

Tighter alignment with business leaders is being hampered by the reputation security specialists have for just saying no to any proposal that expands access to data, regardless of its potential business benefits, Misra said. As one of his clients put it, “It’s not all about cost and risk avoidance. Figure out what we can do.”

Security executives can help themselves by sharing data they already have with business executives in a context they can relate to, Vandernaalt said. For instance, his department knew the percentage of city government computers that had anti-virus software properly configured and updated. He converted that department-by-department data into a pass-fail rate and distributed it to department heads.

When a virus hit and prevented departments from working, he referred to those numbers to demonstrate the importance of anti-virus compliance. “There’s an awful lot of stuff we measure that can be converted into numbers business executives understand,” he said.

This effort to appear more business-friendly is complicated by the ever-increasing demands of regulators that corporations guard certain data tightly and be able to prove they’re doing it, said Steven Suther, director of information security management for American Express in New York.

At the same time, in order to do business, that data must be shared with outside vendors over whose security policies corporations have little control, he said. American Express asks its vendors to self-assess their security; if it is not sufficient, American Express visits to evaluate it. “We’re testing their controls so we can tell regulators we’re comfortable with what they are doing,” Suther said.

Beyond government regulations, the number and variety of threats is ever-increasing, particularly for VoIP as it grows in popularity. So far the biggest threats to VoIP have been network-based attacks such as denial of service, worms and exploits against badly patched operating systems, said David Endler, president of the VoIP Security Association, a multi-vendor consortium.

But attacks unique to VoIP are emerging, Endler said. Many VoIP phones use a less-secure version of FTP called trivial FTP (TFTP) to download configuration files. Attackers could trick phones into downloading malicious code via TFTP that could monitor conversations or track calls, he said.
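The TFTP risk Endler describes comes down to phones trusting whatever a server on the network hands them. As an added illustration (not code from the article or from any vendor mentioned in it), the following Python script parses TFTP read/write requests as they appear on UDP port 69 and flags the pattern that matters here: a phone pulling its configuration from a server other than the one it was provisioned to use. The phone VLAN, the provisioning server address, the config-file suffixes and the sample flows are all assumed placeholders constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed deployment facts (placeholders, not from the article): the phone
# VLAN and the only TFTP server phones are provisioned to pull config from.
PHONE_SUBNET = ipaddress.ip_network("10.20.0.0/24")
PROVISIONING_SERVERS = {ipaddress.ip_address("10.20.1.5")}
CONFIG_SUFFIXES = (".cnf.xml", ".cfg")   # assumed config file naming
RRQ, WRQ = 1, 2                          # TFTP opcodes (RFC 1350)

# Constructed sample flows: (src_ip, dst_ip, UDP payload sent to port 69).
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.20.1.5", b"\x00\x01SEP001122334455.cnf.xml\x00octet\x00"),
    ("10.20.0.15", "10.20.0.99", b"\x00\x01SEP001122334455.cnf.xml\x00octet\x00"),
    ("192.168.50.9", "10.20.1.5", b"\x00\x01SEP001122334455.cnf.xml\x00octet\x00"),
    ("10.20.0.16", "10.20.1.5", b"\x00\x01../../etc/passwd\x00netascii\x00"),
    ("10.20.0.17", "10.20.1.5", b"\x00\x02SEP001122334455.cnf.xml\x00octet\x00"),
    ("10.20.0.18", "10.20.1.5", b"\x00\x01broken"),
]


@dataclass
class TftpRequest:
    opcode: int
    filename: str
    mode: str


def parse_tftp_request(payload: bytes) -> TftpRequest:
    """Decode a TFTP RRQ/WRQ: 2-byte opcode, filename, NUL, mode, NUL.
    Raises ValueError on anything that does not fit that shape."""
    if len(payload) < 4:
        raise ValueError("payload too short for a request")
    opcode = int.from_bytes(payload[:2], "big")
    if opcode not in (RRQ, WRQ):
        raise ValueError(f"opcode {opcode} is not RRQ/WRQ")
    fields = payload[2:].split(b"\x00")
    # A well-formed request splits into [filename, mode, b"", <options...>].
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise ValueError("filename/mode not NUL-terminated")
    try:
        filename = fields[0].decode("ascii")
        mode = fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in filename or mode")
    if mode not in ("netascii", "octet", "mail"):
        raise ValueError(f"unknown transfer mode {mode!r}")
    return TftpRequest(opcode, filename, mode)


def classify(src_ip: str, dst_ip: str, payload: bytes) -> tuple[str, str]:
    """Return ("ok" | "alert", reason) for one observed TFTP request."""
    try:
        req = parse_tftp_request(payload)
    except ValueError as exc:
        return "alert", f"malformed request from {src_ip}: {exc}"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst not in PROVISIONING_SERVERS:
        # The scenario from the article: a phone pulling its config (and
        # possibly code) from a server nobody provisioned.
        return "alert", f"{src_ip} fetching {req.filename} from unapproved server {dst_ip}"
    if src not in PHONE_SUBNET:
        return "alert", f"request from outside the phone VLAN: {src_ip}"
    if req.opcode == WRQ:
        return "alert", f"{src_ip} attempted to write {req.filename} to the provisioning server"
    if ".." in req.filename or "/" in req.filename or "\\" in req.filename:
        return "alert", f"path traversal in filename from {src_ip}: {req.filename}"
    if not req.filename.endswith(CONFIG_SUFFIXES):
        return "alert", f"{src_ip} requested non-config file {req.filename}"
    return "ok", f"{src_ip} read {req.filename} ({req.mode})"


def audit(flows=SAMPLE_FLOWS) -> list[tuple[str, str]]:
    """Classify every sample flow; only the first one should come back clean."""
    return [classify(s, d, p) for s, d, p in flows]


if __name__ == "__main__":
    for verdict, reason in audit():
        print(f"{verdict.upper():5} {reason}")
```

The check on the destination address is the one that maps directly to the threat in the text: TFTP carries no authentication, so the only practical control on the wire is to notice when a phone talks to anything other than the provisioning server, and to pair that with signed or hash-pinned configuration where the phone firmware supports it.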

Attackers also use new methods to probe VoIP networks for weaknesses in their implementation of Session Initiation Protocol (SIP), a signaling and control protocol used in many VoIP products. One method, called fuzzing, involves sending VoIP devices doctored SIP packets that contain random data meant to push the protocol to the point of failure. Attackers then monitor how targeted devices react, which may reveal weaknesses that can be exploited, Endler said.

Attackers can glean information useful for potential attacks from acknowledgment packets from SIP devices, he said.
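Both of Endler's SIP points above have a defensive counterpart: reject malformed messages before a full parser sees them, and keep responses from advertising vendor and version. As an added example that is not part of the article and not any product's code, the Python below applies a strict baseline check to SIP requests (request-line shape, line and header-count limits, required headers, CSeq consistency, Content-Length agreement) and strips fingerprinting headers from outbound responses. The limits, the method list and the sample messages are assumptions constructed for the example; folded header lines are rejected as a deliberate simplification of this strict profile.

```python
import re

# Assumed local limits (not from the article); tune per deployment.
MAX_LINE_LEN = 1024
MAX_HEADERS = 64
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
CSEQ_VALUE = re.compile(r"^(\d+) ([A-Z]+)$")
# Response headers that reveal vendor and version to anyone who elicits a reply.
FINGERPRINT_HEADERS = (b"server", b"user-agent")

# Constructed sample messages (not captured from any real device).
GOOD_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 10.20.0.15:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: <sip:alice@example.com>;tag=1928301774\r\n"
    b"To: <sip:bob@example.com>\r\n"
    b"Call-ID: a84b4c76e66710@10.20.0.15\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# The shape of a doctored message: a request line padded far past any sane length.
FUZZED = b"INVITE " + b"A" * 4000 + b" SIP/2.0\r\nVia: x\r\n\r\n"
BAD_CSEQ = GOOD_INVITE.replace(b"CSeq: 314159 INVITE", b"CSeq: 314159 BYE")
MISSING_TO = GOOD_INVITE.replace(b"To: <sip:bob@example.com>\r\n", b"")
RESPONSE = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 10.20.0.15:5060;branch=z9hG4bK776asdhds\r\n"
    b"Server: ExamplePBX/1.2.3\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def validate_sip_request(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects messages that break the baseline
    RFC 3261 shape before they reach a fuller parser."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "missing end-of-headers CRLFCRLF"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in header section"
    if any(len(line) > MAX_LINE_LEN for line in lines):
        return False, "header line exceeds length limit"
    if len(lines) - 1 > MAX_HEADERS:
        return False, "too many header lines"
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return False, "malformed request line"
    method, uri = match.group(1), match.group(2)
    if method not in METHODS:
        return False, f"unsupported method {method}"
    if not uri.startswith(("sip:", "sips:")):
        return False, "request-URI is not a sip/sips URI"
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # No colon, empty name, or a leading-space (folded) line is rejected.
        if not colon or not name.strip() or name[0].isspace():
            return False, f"malformed header line {line[:40]!r}"
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        return False, f"missing required header(s): {', '.join(missing)}"
    cseq = CSEQ_VALUE.match(headers["cseq"][0])
    if not cseq:
        return False, "malformed CSeq"
    if cseq.group(2) != method:
        return False, "CSeq method does not match request line"
    declared = headers.get("content-length", [str(len(body))])[0]
    if not declared.isdigit() or int(declared) != len(body):
        return False, "Content-Length does not match body length"
    return True, "accepted"


def scrub_response_headers(raw: bytes) -> bytes:
    """Drop vendor-identifying headers from an outbound response so that a
    probe's acknowledgment reveals as little as possible about the device."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    kept = [line for line in head.split(b"\r\n")
            if line.partition(b":")[0].strip().lower() not in FINGERPRINT_HEADERS]
    return b"\r\n".join(kept) + sep + body


if __name__ == "__main__":
    for label, msg in (("good", GOOD_INVITE), ("fuzzed", FUZZED),
                       ("bad cseq", BAD_CSEQ), ("missing To", MISSING_TO)):
        print(f"{label:10} -> {validate_sip_request(msg)}")
    print(scrub_response_headers(RESPONSE).decode("ascii"))
```

A check of this kind belongs at the session border controller or the first SIP-aware hop, where a single rejected message is cheap; the point is to fail closed on shape before any vendor-specific parsing, since the fuzzing described in the text is aimed precisely at the paths beyond that point.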

Endler spoke at a session dedicated to VoIP security, which was part of the VoIP educational track at the conference. Applications, infrastructure and services, security, and wireless and mobility were four other education topics. About 150 exhibitors occupied show floor booths. Conversations with a sampling of attendees indicated access to vendors and the educational programs were worth the price of admission.

“I got a lot of good information,” said Joseph Craig, a principal consultant for CS Technology in New York. Like many other New York-based IT professionals, Craig attended because of his office’s proximity to the show.