Network and data security are the responsibility of everyone within the enterprise, but ultimately CIOs, or their designees, have to take charge. The task today is twofold: First, ensure no one is breaking into the company's most valuable assets, and second, assure the company itself is not breaking any regulatory laws designed to protect policyholders and stockholders.

By Robert Regis Hyle

It is every IT executive's worst nightmare: The technology that powers the company has been rendered useless, either by a man-made or a natural disaster. It's enough to make a CIO wake up at night with cold sweats because the CIO is the one who is going to have to face the CEO or the board of directors and explain what went wrong. "One of the biggest challenges at the CIO level is CIOs first need to understand their organizational dependency on technology," says Carol Woody, a senior researcher with the CERT Coordination Center. "Which of their business functions has to have technology to exist or to be complete? And what would be the impact to their organization if [the technology] wasn't available for whatever reason? You need an effective backup plan to deal with those types of natural disasters."

Who's the Boss?

When it comes to security issues on his turf, Glenn Headley, CIO at The Republic Group, a regional property/casualty carrier in the Southwest, has to take the credit or the blame. "The CIO ultimately is accountable for security in the corporation, ensuring there is appropriate data ownership," he affirms. Still, those using that data or dealing with the corporate Web site have to know their place in the world of security. "We have a policy where we pass some of that responsibility back to the [business] departments," he says. "We require each department to have a designated owner of its data. Those folks are the ones who must authorize access to the information. That [authorization] passes through our quality-assurance folks. They validate it with appropriate authorization to sign off access to various systems."

Headley likes this policy, which originally came down from Republic's former owners, Credit Suisse. "It's very reasonable," he maintains. "We embraced it and moved forward. It was much easier to sell back then [in the late 1990s]. It probably would have received some resistance if we had done it without the support of Credit Suisse group. We've continued to follow the same policies and procedures since we've taken our company private [in 2003]."

Ira Winkler, a security consultant and author (his book Spies Among Us will be published in March by John Wiley & Sons, Inc.), believes because the insurance industry is made up of divergent companies, the best thing for a CIO to do is to look within the operation. "Clearly, a midsize company is not going to have the same resources to put to security that a company such as Prudential might," he notes. "What I recommend is everybody start with what they already have. A lot of what people need is free; they just don't know it's actually there." As examples, Winkler cites tools to update computers automatically that are included in the systems, turning on firewall options that are built into the systems, and controlling physical access to data centers. "Regular backups are critical to all companies, and that's freely available," he points out. "It's really just a matter of knowing what's there and implementing what's there and [companies] exponentially can decrease their risk. CIOs have to realize most break-ins come not from super-advanced attacks but just from basic attacks that can be prevented with basic countermeasures."

First Steps

The first thing to do, Woody advises, is for carriers to examine where technology affects their business functions. "What are their critical business functions?" she asks. "If e-commerce and a Web site to communicate with customers are key pieces of your strategy, then, obviously, technology is a key component that is important to you. You need to think about what would happen if it goes out for four hours, if it goes out for a day, or if you can't get to it for a week. What would each level of catastrophe mean to your business?"

Most businesses don't recognize their dependency on technology, she contends, because it's grown slowly over time. "You also are dealing with an existing population that is heading these businesses that has not seen how technology can and is being used," says Woody. "So, you have things such as instant messaging suddenly becoming a major communication vehicle in your environment, and it just happened overnight. Nobody really planned it. You have people working on BlackBerrys all over the place. You didn't plan that, but now your business environment is dependent on it."

Recognizing and understanding these situations are the first steps in the process, claims Woody. "Once you recognize your dependency, you can start looking at how important it is if something should happen," she says. "What you do might vary depending on what you view as a threat. Is it natural disasters? Do you have widely dispersed resources that are relying on public networks, so you have potential risks of snooping? Do you have high turnover in your employee population or a lot of contractors? Who is looking at data and how they are looking at it could be a major threat."

Once they understand the dependency of the business, CIOs can study what can hurt the company and establish their tolerance for pain. "It's a balancing act between how much pain you can tolerate vs. how much money or effort or energy you have to throw at doing something that will help you avoid that pain," says Woody. "It's almost like going to the doctor and deciding how much preventive medication you want to take."

SOX It to 'Em

The Sarbanes-Oxley Act (SOX) has been a major force in the security world. Strictly, it requires publicly traded companies to establish, document and have audited their internal controls over financial reporting; in practice that audit reaches the IT controls (access management, change control, segregation of duties) that protect the systems and data behind the financial statements. SOX has helped CIOs, Headley asserts, because they no longer have to do battle with CEOs to get more security money in the budget. "Being a regulated industry and subject to regulatory audit, [SOX] leads to a great deal of cooperation within the company," he says. "The Sarbanes-Oxley Act forces compliance with technical security practices. So, it is much easier today than it was 10 years ago. I haven't seen any of the regulatory requirements or even compliance with SOX that would be unreasonable. They all support reasonable business practices."

Regulatory compliance has forced carriers to enhance the way they look at and focus on the security area, particularly in securing data and their systems' access control, according to Mike Lang, chief technology officer at GE Insurance Solutions. "Within GE, we've always been very aware of those needs and requirements, but it's nice now that from a business level, everybody's aware," he says. "It's not just the security guys or the IT guys worried about who has access to your systems and your data. It's now a corporate initiative, which makes it easier for folks in our roles."

SOX has helped GE in the carrier's test plans, Lang believes. "It's always great to have an external auditor come in and look at those control plans to validate you so you can see whether you actually are as good as you were hoping you were," he says. "As much work as [SOX] has been, it's probably been a very good exercise for us here, and I'm sure it's been a good exercise for everyone involved."

Kevin Yeamans, IT security officer with GE Insurance Solutions, suggests constant reminders to users about their responsibilities are invaluable. "The SOX stuff has helped us get in front of [users], so when we start talking about segregation of duties, access controls, access based on rules and a need to know, they understand it," he says. "[Users] now really are part of our security team. It's not just the IT people who manage the controls; it's the data owners and the users. It makes the team bigger and enhances the business focus."
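The controls Yeamans lists (segregation of duties, rule-based access, need to know) are easiest to audit when they are encoded rather than left to procedure. The Python below is an added example for illustration; it is not GE's system, and the role names, permissions and conflict pairs are assumptions chosen to resemble a carrier's claims workflow.

```python
"""Role-based access with segregation-of-duties (SoD) checks.

Added example, not code from GE Insurance Solutions. The roles, permissions
and conflict pairs below are illustrative assumptions.
"""

# Each role carries only the permissions its job needs (need to know).
ROLE_PERMISSIONS = {
    "claims_adjuster": {"claim:create", "claim:edit", "claim:read"},
    "claims_approver": {"claim:approve", "claim:read"},
    "payments_clerk": {"payment:issue", "claim:read"},
    "auditor": {"claim:read", "payment:read"},
}

# Toxic combinations: nobody may both originate and approve a claim, or
# approve a claim and release the money for it.
SOD_CONFLICTS = {
    frozenset({"claims_adjuster", "claims_approver"}),
    frozenset({"claims_approver", "payments_clerk"}),
}


def sod_violations(roles):
    """Return the conflict pairs present within one user's role set."""
    roles = set(roles)
    return sorted((c for c in SOD_CONFLICTS if c <= roles), key=lambda c: sorted(c))


def try_assign(assignments, user, role):
    """Add role to user unless it would create an SoD conflict.

    assignments maps user -> set of roles and is updated in place.
    Returns True on success, False if the assignment was refused.
    """
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role {role!r}")
    proposed = assignments.get(user, set()) | {role}
    if sod_violations(proposed):
        return False
    assignments.setdefault(user, set()).add(role)
    return True


def is_authorized(assignments, user, permission):
    """Grant only what some assigned role explicitly carries."""
    return any(permission in ROLE_PERMISSIONS[r] for r in assignments.get(user, ()))


def audit(assignments):
    """List users whose current roles already violate SoD (legacy grants)."""
    return {u: sod_violations(r) for u, r in assignments.items() if sod_violations(r)}


if __name__ == "__main__":
    # Constructed sample: bob holds a pair of roles an auditor would flag.
    users = {"alice": {"claims_adjuster"}, "bob": {"claims_approver", "payments_clerk"}}
    print(audit(users))
    print(try_assign(users, "alice", "claims_approver"))  # refused
```

The refusal in try_assign is the preventive control; audit is the detective one that catches grants made before the rule existed, which is what an external auditor will ask for first.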

Dave Powell, senior Web technical engineer for Applied Systems, agrees SOX has been helpful for IT departments. "In the past, security and privacy always took the back seat," he says. "They never received funding. Companies didn't think [security] was important. It helps the companies be secure and everybody do the right thing. Most of the legislation is there for a reason. Has some of it gone overboard? Yes. But there are tools out there to help everybody comply. At times it does become expensive, but it still is within reach of companies."

Keep Them Out

There are only two basic ways to hack into a computer system, Winkler claims, no matter what the technologies are. "The first basic way is to take advantage of problems built into the operating system," he explains. Problems built into operating systems can be countered by updating. "All software has bugs," he says. "Some bugs create elevated privileges or information leakage. Those bugs are security vulnerabilities. When they are found, vendors put out updates for them. People just have to remember to stay on top of the dates. Not that that's overly simple, but it's relatively free."

Winkler understands some people have a problem with installing upgrades, but he doesn't believe upgrades should create problems. "There is fear if you install something, it is going to break the system, but for 90 percent of the systems inside an organization, there is little risk in just blindly uploading [upgrades]," he says. "It's not perfect, but for non-mission-critical systems, people have to consider implementing these fixes as quickly as possible."

One hundred percent of Republic's personal lines business comes in over the Web, Headley states. "It's a secure site," he says. "We have written our own access security within that site. It's user-ID and password protected." One problem carriers face is getting independent agents to do things such as changing passwords. "They do not have direct access into our systems," he notes. "All the information they are entering is pre-edited before it hits our production systems for both new business and changes. They have direct access on a query basis for billing and claims. We've sent notices out to our principals and our agencies highlighting the importance of security and the implications if they allow an ex-employee to access [the systems]. They are independent businessmen, though, so it can be hard to enforce."

The second way people break in is by taking advantage of the way users and administrators configure and maintain the system, according to Winkler. "Just by changing a permission setting or deleting some demo files that tend to sit on systems, those simple things really help to increase security." For example, Winkler broke into a large financial company because the password on the administrator account was "administrator." "I'm talking about really simple things. Changing passwords, changing account names off the default: the little things make a huge difference," he advises. "I'm not saying it's going to create perfect security, but it's definitely going to cut 95 percent of the problems by doing the simple things."

At Republic, upgrades are controlled through the carrier's development methodology, which requires the user to accept and sign off on any change or new implementation from a systems perspective. "We require the users to approve everything we move," says Headley. "They are part of the approval process. The quality assurance group will not make a production migration without the appropriate authorization, and that authorization must come from the user and the IT organization."

As for passwords, Headley claims the Republic system forces password change every 30 days. "We send reminders out the password must be so long and there are certain restrictions, but you can't police them all," he says. "We force them to change, but you can't stop them from using their dog's name [as a password]."
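Forced rotation and length rules are the part of the policy the system can enforce; a per-user denylist is how the dog's name gets caught as well. The check below is an added Python example, not Republic's code, and its numbers (30-day maximum age, eight-character minimum), its sample profile words and its short common-password list are assumptions.

```python
"""Password policy checks: what a system can enforce, and the gap it cannot close.

Added example, not Republic's code. The limits, the sample profile words and
the denylist are constructed assumptions for illustration.
"""
from datetime import date

MAX_AGE_DAYS = 30  # assumption: the 30-day rotation the article describes
MIN_LENGTH = 8     # assumption: a minimum-length rule
# Constructed denylist; a real deployment screens against a breached-password corpus.
COMMON_PASSWORDS = {"password", "administrator", "welcome1", "letmein", "qwerty"}


def is_expired(last_changed, today, max_age_days=MAX_AGE_DAYS):
    """True once the password has reached its maximum age."""
    return (today - last_changed).days >= max_age_days


def policy_violations(candidate, username, profile_words=(), previous=()):
    """Return the reasons a new password is rejected; an empty list means it passes.

    profile_words: names an attacker can learn as easily as the help desk can
    (pet, spouse, favourite team). Matching is case-insensitive and looks for
    the word anywhere in the candidate, so "Rex2005!!" still trips on the pet.
    """
    lowered = candidate.lower()
    letters_only = "".join(ch for ch in lowered if ch.isalpha())
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "password123" is still "password" once the digits are stripped.
    if lowered in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        problems.append("in common-password denylist")
    if username.lower() in lowered:
        problems.append("contains the user name")
    for word in profile_words:
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains profile word {word!r}")
    if lowered in {p.lower() for p in previous}:
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    # Constructed sample user: jsmith, whose dog is called Rex.
    print(is_expired(date(2005, 1, 1), date(2005, 1, 31)))
    print(policy_violations("Rex2005!!", "jsmith", profile_words=["Rex"]))
    print(policy_violations("Tq7!vL2#pq", "jsmith", profile_words=["Rex"]))
```

Current guidance (NIST SP 800-63B) drops mandatory periodic rotation in favour of screening candidates against breached-password lists, which is what the denylist check stands in for here; the expiry check is kept because it is the control the article describes.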

Carrier Options

In the process of its research, Woody reports CERT got a good sense of two effective areas that are being addressed. "One of them is basically outsourcing the security function, but outsourcing it with security people who are familiar with that size of business," she says. "There are two ways because there are two strategies for doing it. One of them is the business itself retains the equipment (the software and the technology control) under its umbrella, but it hires someone else to help make [the equipment] secure."

The second strategy is to outsource everything so carriers remotely connect to some application servers or some support group that handles not only security but all business needs. "There are pros and cons to both of them, but they can be effective if they are well managed," says Woody. "[Security outsourcing] has the same problems outsourcing has in large organizations. It's not just something [for which] you pick somebody out from the Yellow Pages and feel comfortable. [Carriers] really need to make this assessment before they make a contract with the outsourcer so they understand how much value they will gain or what risks this particular strategy will help them address. This really is a mitigation approach. You don't want to hire all the expensive resources and manage them all yourself. You are going to find somebody with the expertise to do that for you."

Reaction to an incident is an important part of the process, as well. GE's Yeamans says with any incident, whether it's a security breach or a vulnerability, it's important to take responsibility and do some form of root-cause analysis. "Based on that analysis, take some irrevocable corrective action, whether it's patching a hole, cleaning up access, installing server patches, whatever the case might be," he says. "You have to have that ability to pull together a tiger team and come look at the problem. People need to understand when incidents occur and the team is called together that you can't take the various IT leaders and give them the ability to say they don't think it involved them and they are not going to participate. You get the input from anybody and everybody who could have actions that possibly need to be taken."

GE has tied a tremendous amount of change control into its systems, and security personnel can look at specific times or applications that may have caused hiccups. "We can correlate those back to intentional changes or unintentional outages," says Yeamans. "We can find out whether that event was within our control or out of our control."
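Correlating an outage with the change window that preceded it is the step that tells you whether the event was within your control. The script below is an added Python example, not GE's tooling; the change-ticket export, the event log lines and the 30-minute attribution window are all constructed assumptions.

```python
"""Attribute incident events to change-control records by system and time.

Added example, not GE's tooling. The ticket export, the event log and the
30-minute post-change window are constructed assumptions.
"""
from datetime import datetime, timedelta
from typing import NamedTuple


class Change(NamedTuple):
    change_id: str
    system: str
    start: datetime
    end: datetime


class Event(NamedTuple):
    event_id: str
    system: str
    when: datetime
    description: str


# Constructed change-ticket export: id,system,start,end (ISO 8601, local time).
CHANGE_EXPORT = """\
CHG-1001,billing-db,2005-03-01T22:00,2005-03-01T22:45
CHG-1002,web-portal,2005-03-02T01:00,2005-03-02T01:20
"""

# Constructed event log: timestamp system event-id free-text description.
EVENT_LOG = """\
2005-03-01T21:30 billing-db EVT-3 slow queries reported by claims
2005-03-01T22:50 billing-db EVT-1 connection pool exhausted
2005-03-02T03:00 web-portal EVT-2 HTTP 500 spike on quote page
"""

# Assumption: effects of a change are attributed to it for this long after it closes.
WINDOW = timedelta(minutes=30)


def parse_changes(text):
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cid, system, start, end = line.split(",")
        changes.append(Change(cid, system, datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return changes


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, system, eid, desc = line.split(maxsplit=3)
        events.append(Event(eid, system, datetime.fromisoformat(when), desc))
    return events


def attribute(events, changes, window=WINDOW):
    """Map event_id -> change_id of the responsible change, or None.

    A change is a candidate when it touched the same system and the event
    falls between the change start and its end plus the window. If several
    qualify, the one that closed most recently wins.
    """
    result = {}
    for ev in events:
        candidates = [
            c for c in changes
            if c.system == ev.system and c.start <= ev.when <= c.end + window
        ]
        result[ev.event_id] = max(candidates, key=lambda c: c.end).change_id if candidates else None
    return result


def summarize(attribution):
    """Count events that were within our control (a known change) versus not."""
    within = sum(1 for v in attribution.values() if v is not None)
    return {"within_control": within, "outside_control": len(attribution) - within}


if __name__ == "__main__":
    linked = attribute(parse_events(EVENT_LOG), parse_changes(CHANGE_EXPORT))
    for event_id, change_id in linked.items():
        print(f"{event_id}: {change_id or 'no matching change; treat as unplanned'}")
    print(summarize(linked))
```

Events that land on no change window are the ones worth the tiger team's time: either the change record is missing (a change-control gap) or the cause is genuinely external.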

It's Out There

Woody points out people choose to ignore potential security problems, even in the face of daily news accounts of the dangers. "Some businesses felt they were less vulnerable in the past because they didn't have any assets people would bother with," she says. "What they now are recognizing is just the fact they have a computer; they have a resource someone else might like to use and potentially use it illicitly. There certainly have been cases where, unbeknownst to individuals, their machines have been used to store illegal copies of music, pornography, communication with spam, and suddenly they are a base for illegal e-mail."

Companies should first determine their vulnerabilities, Winkler adds. "They should figure out potential loss resulting from vulnerabilities, and frankly, in many cases, the losses are huge for insurance companies," he says. "And then determine which measures counter the vulnerabilities they have and figure out how to implement those. Security has to be looked at as an ongoing process, not like a couple of annual educational sessions."


Top Vulnerabilities to Windows Systems

1. Internet Information Services (IIS)

2. Microsoft Data Access Components (MDAC): Remote Data Services

3. Microsoft SQL Server

4. NETBIOS: Unprotected Windows Networking Shares

5. Anonymous Log-on: Null Sessions

6. LAN Manager Authentication: Weak LM Hashing

7. General Windows Authentication: Accounts With No Passwords or Weak Passwords

8. Internet Explorer

9. Remote Registry Access

10. Windows Scripting Host


Top Vulnerabilities to Unix Systems

1. Remote Procedure Calls (RPC)

2. Apache Web Server

3. Secure Shell (SSH)

4. Simple Network Management Protocol (SNMP)

5. File Transfer Protocol (FTP)

6. R-Services: Trust Relationships

7. Line Printer Daemon (LPD)

8. Sendmail

9. BIND/DNS

10. General Unix Authentication: Accounts With No Passwords or Weak Passwords


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.