Reporter's Notebook: NYC 'controls the software industry'

At Information Security Decisions: a security "rock star" rages against the Microsoft machine; banging the drum for enterprise security; a sour note on zero-day exploits.

NEW YORK -- Maverick security rock star and current Tenable Network Security Inc. CSO Marcus Ranum told Information Security Decisions attendees they wield a lot more power than they may realize, more than even regulators have. And it's time they used their empowerment to improve software security.

"Have you heard of any industry that got more efficient and less expensive as the result of legislation?" Ranum asked. "New York City -- along with San Francisco -- controls the software industry. You have the leverage to make Microsoft bow down and kiss your feet if you wanted to."

Ranum, inventor of the proxy firewall, reminded the room that the customer is always right and that the Fortune 500 could provide Microsoft with a laundry list of items that need fixing, along with a mandate for it to do so or demand will dry up.

"Somehow, where vendors are concerned, you feel you have to eat what they serve you," Ranum said. "Look at the arguments against using open source. You say you don't use it because there's no one to sue. Well, when was the last time you sued Microsoft when they sold you a piece of crap?"

Speaking of open source, Ranum admittedly danced around answering a question about Tenable's decision this month to close the source code on the plug-ins for its popular Nessus open source vulnerability scanner. The scanning engine for version 3, due soon, will be free, but the plug-ins and updates will only be available under a commercial license and not under the GNU General Public License (GPL).

Ranum echoed what Nessus creator Renaud Deraison said this week: that the decision to close the source on Nessus stems from the fact that many companies were taking the open source scanner, throwing a custom interface on it and profiting from their work.

"The problem with the open source ideology is that they don't produce great products, they produce great hobbies," Ranum said. "There's great community support there, but that doesn't translate into a great business model."

How to win influence and pass the buck
Those who've risen to the management ranks are sometimes slow to realize their jobs become less about IT security and more about understanding the company's business and how to protect it from theft, disruption, destruction and brand damage. Because of that mandate, the CISO or CSO needs to acquire power and influence to get the tools, staffing and policy acceptance.

"Their job isn't to make everything secure," said Burton Group principal analyst Fred Cohen at Thursday's keynote. "Their job is to convince and influence others."

One way to up the persuasive factor is to know your audience and communicate in their language. Pitching to a former Navy officer? Use nautical terms like "this could sink the project." Army? "This could really blow up the project." Peacenik? "This could really disturb things."

Cohen also said there are several reasons to bring in consultants to help with a security project. The security team may need additional expertise or more time. Or, it may need an "independent outside opinion," which Cohen playfully defined as "someone to blame when it's all done."

Down to zero in a matter of months
The window between a patch's release and malicious code to exploit the vulnerability the patch seals has narrowed to less than two weeks. It's only a matter of time before the era of zero-day exploits dawns, and Information Security Decisions delegates believe that time will be sooner, rather than later.

According to the results of an attendee poll, almost half (48%) said the industry will see a true zero-day exploit in 2006. Another 23% predicted it would arrive by the end of this year. Twenty percent said it would happen in this decade. Only 9% are convinced the industry will gain ground on malware writers and such a phenomenon won't happen. Ever.

Pushing security through the paystub
MCI Inc.'s Sara Santarelli, who serves as both CSO and VP of network and information security for the $24 billion global communications provider, offered numerous ways in which she's been able to create a corporate security culture.

With 40,000 employees scattered throughout the world, security awareness can be a bit perplexing. But making everyone aware of their role in keeping networks secure is the most overlooked piece of a program, Santarelli said. So, her department now rotates security awareness messages on such high-traffic hotspots as the company's internal network login portal and internal paystub system.

These aren't bland reminders, either. An example: "A password is like a toothbrush: Use it every day. Change it periodically. And don't lend it to anyone."

Another goodie: "Don't think of a password as a way to get into your computer, think of it as a way to keep others out."

Get used to being held accountable for data leaks. After all, it's your job.
Pamela Fusco, presidential advisor at the Information Systems Security Association, has overseen corporate security for some major companies, most recently Merck & Co. Inc. During a keynote, she outlined five pillars of security: information; people and access; accountability and communication; confidence; and endurance. One way to get other executives' attention -- and true risk assessments versus a blanket "just secure it all" -- is to make sure they share ownership of data.

"When you make them realize they're going to have to get up in the middle of the night with you, they'll go back and look at what's really critical," she said. At the same time, she acknowledged, more CSOs and CISOs will be more closely scrutinized as security's role in compliance increases. "And I think that's really fair."

She also predicted role provisioning would become a hot item. "The age of access is now upon us," she told the audience. "It's not going to change. It's going to get intense."

Other interesting tidbits from the conference
Spire Security LLC research director Pete Lindstrom has the perfect yardstick for determining a company's entrenchment with risk management: "When you reach the point when you say you don't need to do something that is control-oriented because it's just not worth it, then you are a risk-driven enterprise."

Prudential Financial Inc. vice president of information systems Tom Doughty said enterprise business managers own data, therefore they own the risk. "I'm there to give them options and advise them how that risk translates to a technology solution," Doughty said. He added that security and business managers may disagree about the road to security, but if both sides want the same thing -- even if it's for different reasons -- it's time for the security manager to stop selling. "Violent agreement is preferable to passive tolerance," Doughty said.

Joel Snyder of the Opus One consultancy mentioned in at least two of his four sessions -- all packed -- that the biggest security story of this year, and possibly next, will be putting endpoint security into formal security policies.

Spyware expert and author of Hardening Windows Jonathan Hassell reported that there are 300,000 unique URLs on the Internet distributing spyware and adware. Regarding freeware like Spybot - Search & Destroy and Ad-Aware, Hassell said companies are using them mostly for contractors coming in from the outside and connecting to internal networks. "These are not solutions for hundreds of PCs," he said.

Information Security Decisions is produced by TechTarget, publisher of SearchSecurity.com.

This article originally appeared on SearchSecurity.com.