Information Insecurity Called A Management Issue, Not Just a Technical Problem

By Len Lazarick



You hook up with a fresh contact at a meeting, and you both pull out your little grey Palm Pilots and point them at each other to swap electronic business cards using wireless technology.

"Don't do it!" advised Steve Walker, IT security guru and Howard County's best known venture capitalist. "I can plant a little piece of code in your PDA," and when you go back to your office and plunk it into its cradle to download your new data, that piece of code could be used to "take over your local area network."

Walker was keynote speaker at a symposium on Internet and network security sponsored by Howard Community College and the Johns Hopkins Information Security Institute. More than a hundred business people attended the presentation in the college's Smith Theater.

Information security is "one of the major issues" the university has identified as important areas of research over the next 25 years, said Darren Lacey, head of the one-year-old institute, and it was "the only one that didn't have bio or med" in its name. The hope is to make "Maryland a leader in a new field," Lacey said.

The state already has a heavy concentration of security and encryption specialists, due to the defense and intelligence agencies where Walker first learned the technology that he turned into a business. He sold his company, Trusted Information Systems, to Network Associates in 1998 for $350 million because of its successful Gauntlet firewall and RecoverKey encryption technology.

But information security hasn't kept pace with the threats, Walker said. "I should be very happy with the insecure state of things," but he isn't.

The insecurity has allowed him to invest in several startup companies, like BlueFire Security Technologies, developing firewalls to protect wireless hand-held computers from intrusion, and BioNetrix, building software that eases the use of biometrics (fingerprints, facial shapes) across many applications.

As everybody knows, passwords typically used for network security "really aren't very good," Walker said, and are "one of the reasons people hate computers." To be effective, passwords can't be easily figured out, which makes them hard to remember, so employees "put a little sticky" with the password on their computers, undermining any protection they may provide.

"We probably could have solved a whole bunch of these problems a long time ago," particularly with the Microsoft operating system and Internet browser. "I am really, really concerned about where we are with Microsoft. They have some real security problems."

"I stand with Steve on Microsoft," said L. Dain Gary, head of security services for RedSiren Technologies. Gary, an IT security veteran who also cut his teeth on Department of Defense R&D, said Microsoft's operating system and browser were designed with too many hidden "back doors" that can be exploited.

But the problem of information security "is not a technical problem," it's a management issue, Gary said.

Typically both corporate executives and their IT managers will focus on performance, productivity, availability and usability of technology, but "security never makes that list," Gary said. "We haven't had a corresponding investment in information security. ... We have to invest in protecting these systems.

"A security program will not succeed if it's bottom up," where technicians have the main responsibility for protecting the systems, he added. "There's a lack of [management] understanding of the enormity of the problem and the risk."

Even among the technical staff, "they're reluctant to fix a system that's not broke," installing security software fixes after a major upgrade has been done, he said. In addition, "security has a negative connotation. ... When you think of security, you think of things you can't do."

Among IT managers, "there's a lot of hand-wringing that goes on - 'I can't get my boss to understand,'" Gary said. But he emphasized that it's not a matter of company executives deciding which firewall is better - a real technical issue - but getting them to appreciate how much the company's finances and proprietary information are at risk if they don't put the appropriate policies in place.

"Management sees security as a technical issue," he said, and "they're reluctant to show their ignorance" of technology.

Among the management issues he singled out was the common situation where companies put "very powerful computer equipment on the desktops of the lowest paid employees about whom you know the least," Gary said. This creates the potential for security lapses and damaging activity that are a far greater threat to a company's finances than outside hackers, Gary said after his speech.

College academic vice president Ronald Roberson said that HCC was responding to the need for increased expertise in information security with several new programs.

In addition to enhancing its existing certification programs in Oracle and Microsoft systems administration, the college will offer training in Check Point software, a leading supplier of Internet security applications. A new network security curriculum is under development, and in spring of 2003, a new series of credit courses will be offered in network intrusion detection.

Many of the courses are offered both for credit and as part of non-credit continuing education at the Business Training Center.

HCC President Mary Ellen Duncan said, "We'll do everything we can to stay on top of subjects like this."




