One of the biggest security hurdles for companies is implementing the right technology in order to comply with their own internal policies and the law of the land, according to Rosaleen Citron, chief executive officer of WhiteHat Inc.
WhiteHat, a Toronto-based IT security services firm, is the successor firm to 4comm Inc., which Citron founded as a reseller in 1993. In May, 2001, Citron and her colleagues founded WhiteHat after deciding they wanted to focus more on services and not as much on reselling.
Citron says a good corporate network security policy is useless unless it’s enforced and the company puts the necessary technology in place to enforce it. She adds that layered security, where companies have a combination of security products, is the key to keeping hackers out. She says a common misconception among small and mid-sized organizations is that a firewall is enough.
Citron spoke recently with CN.
CN: How would you rate the awareness of network security now, compared to a year ago or five years ago?
RC: I think awareness has been incredibly heightened. Obviously, (the Sept. 11 terrorist attacks) did play a role in a number of areas, but a lot of the companies that we do business with were already aware that they need to protect themselves. That just sort of pushed a few more people in. Things didn’t change that much in our world. It’s always been an ongoing battle anyway.
CN: Is there any one single issue in network security that you think is important, or are there any issues that are more important than others?
RC: I think the most important thing that you would put into a network would be layered security. We find that a number of companies feel that once they have a firewall, they’re fully protected, and that’s absolutely not correct. There are too many ways that you can get in, either from the inside or the outside. We’re actually seeing not only an external firewall to the corporation, but we’re seeing desktop firewalls. Large corporations are doing that so that everyone’s protected, no matter where they are. If a virus did get into the infrastructure, then the desktops are now protected anyway. We are seeing the medium-sized companies are definitely picking up much more security. Whereas one time they would only have a firewall, now they’re doing antivirus, they’re even doing intrusion detection tools, which is probably the hottest thing out there. One of the other trends that we’ve seen which is becoming quite prevalent is these “honey pots,” where people are spoofing their main server somewhere else to attract the hacker types away from their natural servers, or their production servers, so that (hackers) run to that rather than trying to attack a production server. They don’t get anything, obviously. It’s just garbage.
CN: Are there any particular problems that you’ve seen crop up with regard to policy? A lot of people still choose inappropriate passwords, don’t log off when they leave their machine and simple things like that. Do you think this is still a problem?
RC: It’s still a problem, because when you get some executives in corporations that say, “I don’t ever want to change my password, because it’s just too difficult or they don’t have time for it,” or they forget them very easily, then you’re going to run into problems. If you’ve got a hole somewhere, somebody will get in it. The policies are very strong these days, and I find that a lot of the vendors who are building products are starting to integrate with each other very carefully, so that you can have multiple types of vendor products working in one type of environment with one management console that pulls them all together and lets you know if policies are being broken. It’s great to have a written policy, but let’s face it: if it isn’t being enforced, it’s not going to work. That’s probably the biggest challenge that companies have today. How do we integrate all of these different flavours of products to make sure that we’re not only meeting our corporate policies, but government standards and government policies and privacy laws?
CN: Do you have any indication of whether people in general are more aware of public key infrastructure, and whether there are more implementations?
RC: Two years ago, I would have said PKI is one of the hotter things out there in security. In the last nine months, I’ve seen a real move away from that. It’s an extremely difficult technology to implement unless you have a full team and you’ve got all kinds of resources available to you. Some companies and some government agencies have deployed it, and it’s working effectively because they did it correctly up front. I think this is a technology that may not get out there and do what people claimed it would do. It’s not the be all and end all, for sure. It was fine three years ago, but now you’ve really got to be on top of, “Where is the risk?” Is it something that you can use PKI for, or do you need to stop intruders? Do you need to stop people from the inside? The thing that we saw over the last couple of years with the technology meltdown was, so many employees were laid off. Now you have very disgruntled employees running around out there who have access to systems. Can they do damage from the inside, or are they on the outside, where their access is still wide open? Do the companies have the resources to control that?
CN: What sort of things should administrators be keeping in mind with respect to protecting themselves from inside jobs?
RC: If someone has been given access, there’s not much you can do to stop them. However, if someone has just standard read-only access in an organization, and they start getting into areas that they shouldn’t, if the right technology has been deployed, then the alarms will go off that somebody has made an entry that they should not have.
CN: Have you seen a significant uptake in biometrics over the past few years?
RC: We’re certainly seeing a lot more of that. There are a number of companies that are deploying it now, especially for very secured areas in organizations, and we’re seeing a lot more desktops with a biometric mouse sitting next to them. For some people, that’s easier because they type in one simple password and the biometrics does all the rest for them, and they’re into whatever system they need, and you really can’t spoof that, although we’re finding now there are ways of doing that. It’s like building the best burglar alarm in the world. As soon as you build it, someone will find a way to break it.