Users try to balance security, IT needs

Dec 12, 2005

As networks and digital data come under increasing attack and government regulations hold corporations to stricter standards when it comes to information security, IT managers are looking for ways to balance the need for security with the demand for IT flexibility.

That was an underlying theme at this week’s Computer Security Applications Conference, which brought together security experts from academia, government and industry to share the latest research and practices in information security. Topics covered everything from secure access technologies to vulnerability assessment to managing a secure IT environment.

While IT executives may be familiar with security conferences held by the Computer Security Institute or RSA Security, most probably aren’t familiar with the Computer Security Applications Conference, which held its 21st annual gathering in Tucson. The conference is built around selected research papers submitted primarily by the academic and government sectors.

About 200 people attended the event, mostly from government and academia, a jump from the 175 that attended last year. The number of papers submitted also grew, from 135 last year to roughly 200 in 2005, says Dan Thomsen, conference chair and a lead analyst at the Cyber Defense Agency.

“The papers come out with good innovative ideas that people are actually using to build technology that’s working,” he says. “What we do here is let other people hear about these efforts, not only other researchers, but also people in companies and in the government.” 

Marcus White, a Unix systems administrator with Bechtel-Nevada, a joint venture of Bechtel and Lockheed Martin, came to the event for the first time this year after hearing about it from a colleague.

“I’m here to see what’s out there and see the direction of where security is heading. I’m also here to hear about Linux,” says White, who is based in Washington, D.C.

Bechtel-Nevada runs Red Hat’s Linux distribution, which includes the National Security Agency-based Security Enhanced Linux. The growing threat of malicious code, Trojans and viruses coupled with an increasing demand for tighter security and control means the search for better security is ongoing, White says.

“Just in November we noticed a fivefold increase in the number of viruses we are seeing,” says White, who was listening to a session discussing the use of IPSec for access control in Linux-based networks.

“It helps to hear what people are doing. The issue with security is if you put in too much security, it’s too cumbersome and restrictive,” he says. “What I’m seeing here is people are trying to find a balance between security and usability.”

Finding that balance is the key to a successful security strategy, says Thomsen.

“The biggest skill a security person has is a finely tuned sense of paranoia,” he says. “You can’t be too paranoid so you lock everything up and get nothing done. You have to know what security technology will allow you to get your corporate mission done.”

In the past corporations weren’t as concerned about security, says Thomsen. “It used to be a hard sell,” he says. “But now people are realizing how important it is. You’ve got laws like Sarbanes-Oxley where you have got to take responsibility.”

Jim Czyzewski, senior information systems specialist at the MidMichigan Medical Center in Midland, Mich., admits that his organization “had a false sense of security” when it came to patching. Its network had never been breached.

But in October 2003, the Welchia worm hit its network of about 1,700 Windows-based desktops in facilities spread across five counties. That brought IT operations to a standstill for three days as a staff of 13 addressed the problem, spending more than a half-hour at each infected workstation.

The network was hit again the following March by the same worm, putting the search for a patch management solution into high gear, says Czyzewski, who presented a case study of his experience at the conference.

Today, MidMichigan uses patch management technology from PatchLink to manage and deploy patches and to keep track of the vulnerability status of each system in its network.

With case studies and technical papers, the conference is “trying to raise the bar on security,” says Thomsen.

“At the Cyber Defense Agency, what we’re worried about is basically the equivalent of a cyber-Chernobyl event, where you have a cascade failure of a number of critical systems,” he says.

When teenagers can hack into corporate and government systems, it’s clear that there are real vulnerabilities that could lead to a cyber-catastrophe, he says.

“So we’re trying to push the envelope and bring as much security in as fast as we can to prevent that kind of event,” he says.