October 13, 2008, 3:59 PM — Think your security staffers are trustworthy? Competent? Knowledgeable? Listen to a security professional's horror stories, and you might think again.
A construction company client of his had a senior IT person who was also in charge of security. Somehow, this head of security convinced the firm's owner that it would be cheaper to store various company databases at his own home, where he already had fiber-optic lines installed, rather than elsewhere off-site.
You can see this one coming a mile away: A conflict arose between the employee and his employer. Before you could say "internal threat," the security worker was sending threatening e-mails to the construction firm's customers, telling them that he had their private information.
The action "fundamentally put this guy out of business," McDonald says. It took six months to shut down the rogue employee, since -- of course -- he was an authorized user. Only when the employee publicly threatened, online, to use the data in an illicit manner was the FBI able to enter his home and end the standoff.
This is a worst-case scenario, but the security sector is plagued with problems, from bad guys to bad buys, weak budgets to weak workers. Here are some common trouble spots, along with tactics for dealing with them.
At this moment, somewhere in corporate America, security staffers are cursing their C-level execs for foisting bundled junk on them. Here's how it works: Salespeople from the big security vendors convince the execs that it makes sense to buy a package that does desktop antivirus, e-mail security, intrusion detection and Web filtering, all for $38 per seat.
What's wrong with that picture? "You've commoditized those critical parts of the security infrastructure," says the head of a security software vendor who requested anonymity. "The problem is, the perception of C-level execs is that security is a commodity -- one [application] is the same as the other."
But no vendor is good at everything. Organizations whose executives buy bundles do save money. Unfortunately, they often get "really subpar security, sometimes dangerously so," the vendor executive says.
So how do you convince a boss who's sold on a bundle? By getting security personnel in on the decision-making process early, well before there's money on the table.
Good communication and good relationships are key. "I recommend that security get users to buy into them as people," advises McDonald. "Do 'lunch and learn' internally. Bring staff in, bring management in, and have them understand why the things you're saying are being said."
That helps security pros combat the perception that they're "just in the way," McDonald says. "Ask the employees and management, 'So, I have these things I'm being told I have to do -- say, to secure PCI information, or to protect assets of the organization, and do other things mandated by government. What would you do if you were in my seat?'"
Another approach is to take personalities out of the equation. That's what the Pennsylvania state government did. Before Bob Maley took on the job of chief information security officer there in late 2005, the state had adopted a clear set of standards for selecting security products.
But Maley had other problems. Not being able to afford qualified security professionals has been one of his biggest challenges in heading up cybersecurity for state government. In fact, he estimates that there's a pay differential of 20% to 100% between the public and private sectors.
"I lost a gentleman who doubled his salary when he went to the private sector," Maley says. "For me to get a security expert in, even if I would take them up to the highest step in their pay category, it doesn't come close to what they could get in the private sector." So even if Maley snags a good hire, he knows he probably won't be able to keep him for the long haul.
Lure of Experience
Maley's solution: Hire promising newbies who are "a little wet behind the ears." The lure for them is an environment where security staffers have the chance to spot cyberattacks as they hatch. In the past six months, for example, his team has seen three variants of the Storm Trojan horse that hadn't been spotted elsewhere. That's not surprising, because Symantec Corp.'s recent Internet Security Threat Report cited a shift toward attacks aimed at trusted Web sites, such as social networking or governmental sites.
"I've got a team that has the opportunity to fight that kind of stuff, analyze it and be on the leading edge in the fight between the bad guys and us," Maley says.
Recruits get hands-on experience on projects that are both significant and exciting, Maley adds. For example, in order to halt repeated virus outbreaks, a penetration-testing rollout was partially automated with tools from Core Security Technologies.
Maley also coaches his green recruits in building their résumés. He knows that eventually they'll leave, but if they're bolstering their credentials, having fun and learning in the meantime, chances are they'll stay that much longer. That's a trick that any revenue-challenged organization can employ to good effect.
Many security shops are stuck with an underskilled employee or a security newbie. If you're in that situation, you've got to limit the staffer's potential to blow everything up. Do that by having him work on less-critical systems, suggests Anthony Scalzitti, a security engineer at a major security software company that he did not want identified. For example, you could have the staffer investigate suspicious log activity or intrusion-detection system reports.
Another useful security role that won't get a skill-challenged employee into trouble is attending business meetings to keep the security group apprised of upcoming projects. Sitting in will be educational for him, and his presence at the meetings will remind business people to build security in from the design phase instead of shoehorning it in later.
"Even if they don't contribute a lot, if they're in the meeting, [the other] people say, 'Oh, we have security here,' and they feel obliged to think about security," Scalzitti says. "These are useful roles, and mistakes generally don't impact business."
Another sad fact of life is that there are security prima donnas who regard certain tasks as unworthy of their time, such as reviewing logs or activity alerts, doing simple configuration reviews or meeting with other business groups.
Scalzitti says he has had success putting prima donnas to work researching security incidents that appear in the media. The point, he says, is to get the security elitist to discover that 80% of incidents are the result of simple opportunistic attacks.
"In information security, there are so many opportunities for an attacking hacker," Scalzitti says. Unless they have a grudge against a particular company, he notes, "they're going to go for low-hanging fruit."
Have your prima donnas research that low-hanging fruit. "It may take some time, but they come to realize the basics of how [bad] things happen," Scalzitti says.
The Bad Seed
Finally, back to our rogue employee. You can coach the security newbie, tutor the underskilled and challenge the underpaid, but dealing with a true bad apple is another story entirely. The only sure way to handle him successfully is to not hire him in the first place.
Luckily, many organizations have a 90-day probation period for new hires. Watch your new security employee closely during that time to determine whether you really want him on your team. Most states make it difficult to dismiss an employee after those 90 days are over. So do your due diligence before extending a job offer, and if your weirdometer begins to click, pay attention.
This version of the story originally appeared in Computerworld's print edition.