Response Strategies for Dell Company - PDF

Document Sample
Response Strategies for Dell Company - PDF Powered By Docstoc

A Big Time Response to a Big Time Problem

Government and industry are engaging in frank and open talk about better
information assurance--and, not a moment too soon.

When the ink dried on the recommendations supporting Presidential Decision
Directive-63 (PDD-63) a few years ago, officials including the highly respected
Sam Nunn, the former Georgia senator, suggested that protection of America's
critical infrastructure would require an extraordinary public-private partnership.

Nothing less than the same level of close cooperation that helped NASA reach
the moon, or the United States prevail in the Cold War, is required to make
America safe from attacks on its major utility and technological platforms, officials

Just the thought of power plants or major transportation systems disabled by
foreign opponents is enough to give one pause. But of all critical utilities,
telecommunications might be the most vulnerable because it can be attacked
from great distances and with virtual anonymity.

If we thought otherwise, we certainly confronted the underlying need for PDD-63
earlier this year when a virus was introduced into computer systems, via the
Internet, that wreaked havoc around the world.

The infamous I Love You bug was set loose in the Philippines, thousands of
miles away, costing global interests billions of dollars and immeasurable grief.
The virus particularly hard hit heavily computerized North America, Western
Europe and Asia.

Outside the Box

To no small extent, the recent Technology Excellence In Government (TEG)
conference in Washington, "Information Assurance: Protecting the Public," was
convened to advance the growing partnership that industry and federal agencies
are forming around the security issues these kinds of incidents have raised.

Although a long time coming, there is finally evidence that the dialogue is
opening and the key players are free to get outside the tight box federal IT
implementation too often occurs in. Also, as a panel of industry advisers noted,
the timing for a public-private security partnership has never been better.

The security requirements of federal agencies and of major e business
companies are now synchronized at the "nuts and bolts" level. A company like
Dell Computer, which transacts $50 million of business a day on the Internet, is
just as vested in IT security from the mission critical standpoint as the Defense or
State departments. Which is to say, without information assurance the
fundamental ability of many large organizations to function is jeopardized.

Presented by GCN, the Council for Excellence in Government and the Digital
Government Institute, the conference featured broad overviews of federal
requirements and security-related programs.

The conference also featured forthright presentations by seven industry
conference sponsors. Industry officials stressed that new solutions for IT security
must be applied as part of broader organizational security initiatives and stronger
policy-level actions within agencies.

Take it to the Hill

Industry offers systems and methods for dealing with the entire horizon of
security issues, noted Susan Pequigney, federal program director at Internet
Security Systems. "But if you don't implement a sound security policy then
everything else you do won't matter," she said.

Martin Gonsales, a senior executive with BMC Software, concurred and noted
that agencies must begin looking at security across their entire infrastructure and
IT architecture, not merely as an isolated discipline within a segment of IT.

All agreed that security budgets in government will have to evolve to
accommodate such an approach and that the upper reaches of government must
be engaged in the effort.

Clearly, industry has a stronger sense of the federal security agenda than ever
before, and is more confident about what it's role should be, said Maryann Hirsh,
a senior vice president at Federal Sources, Inc. The best evidence of this is that
IT companies have joined in the lobbying effort on Capitol Hill to garner more
funds for security.

"Some companies that never worked the Hill before are now spending time up
there," Hirsh noted. The basic idea, she said, is to raise security consciousness
"because many people in Congress are still not aware of it."

Common Ground

Conversely, the evidence is strong that agencies are not only more security-
conscious than ever but are also moving their focus to strengthening the
partnership with industry ASAP.
Gaurang G. Shah, a senior product manager at Axent Technologies, said he
believes PDD-63 has made the transition from a policy pronouncement to a
framework in which the upper levels of government and industry are carving out
a coherent agenda. The next step in the partnership is to get specific
implementation efforts really rolling, Shah said.

Pierce McMahon, a senior business manager with Computer Associates, said the
interests of government and industry where IT security is concerned has never
been closer, with perhaps only 10 percent of government requirements falling
into a "special needs" category. Each side will no longer pursue matters like R&D
and testing of new technologies separately, McMahon said.

Andrew Lehfeldt, a strategic account manager and PKI expert with RSA Security,
said, "standards efforts can now drive the partnership, and cooperation will
increase as technologies that can be used across the board are brought to

"Love" Lessons and More

Where IT security was once something of a "black box" issue, there are simply
too many interests at stake for anything but a full-bore technology and standards
effort to be made, experts have noted.

Plus, lessons are beginning to mount. For every worldwide virus or high profile
Denial of Service attack, the industry is strengthened by new knowledge. Attacks
also increase the resolve of Internet-dependent organizations to overcome what
are, admittedly, difficult problems.

The lessons have come in various areas of endeavor and have been learned on
all sides. John McIntyre, a senior account representative with Symantec, maker
of prominent anti-virus software, noted that when the I Love You bug hit, it stirred
up enough of a frenzy among the company's many customers that "our site went
down even though the virus itself was not the cause."

The lesson, of course, is that collateral damage must be considered as part of an
organization's incident response plan, he advised.

Security can also generate a plethora of unintended consequences. RSA's
Lehfeldt recalled that a beefing up of security in one federal agency was planned
around the change of user accounts from 8-character passwords to 12.

"But because people had such a hard time remembering 12 characters, they had
a tendency to start writing their passwords on yellow stickies that they just put out
in plain sight on or near their desktop computers," he said. Thus was the entire
purpose of this policy change defeated.
You Will Be Hit

Tom Burke, assistant commissioner, for the Federal Technology Service office of
information at GSA, noted that while PDD-63 and IT security budgets have
snarled on Capitol Hill this year, agencies have worked around the money

Burke said that better commercial support for federal security could be exploited.
"Federal risk management can now be performed using the same COTS
packages that are used to do pure economic risk management in the corporate
and e commerce sector," Burke said.

Most agencies have planned and perhaps even updated their plans for PDD-63.
And, though Burke acknowledged that the Office of Management and Budget
was accused of being slow on the uptake, OMB has recently shown increased

"For the first time, we are seeing the director of OMB putting out memos on IT
security," Burke noted. Agencies are also facing their own Inspector Generals,
ordered to perform PDD-63 evaluations in more than 70 critical infrastructure

Maryann Hirsh said the battle for budget support will continue but said agencies
might already have enough money to significantly meet baseline IT security
requirements. What they lack is the staff expertise and the priority, she said.

Well, almost everyone agreed that the federal know-how shortfall could be
supplemented by industry--as long as the priority is clear. Unfortunately, the
forthcoming virus, hack or DNS attack that will further galvanize this priority is
pretty much a foregone conclusion, several speakers said.

Or, as John Winfrey an online consultant with Dell Computer advised, "Don't plan
around what you will do 'if' an attack on your system occurs, plan what you'll do
'when' it happens."

Information Assurance--The Budget and Beyond

The TEG Information Assurance conference took on a plethora of security issues
and developments in the federal sector.
The recent Technology Excellence in Government conference in Washington
featured a view across some of the key issues surrounding Information
Assurance including a market summary from Maryann Hirsh, a vice president
with Federal Sources, Inc., who analyzes the federal IA market.

Hirsh noted that information assurance and IT security is increasingly linked to
the imperatives of Presidential Decision Directive-63, which is backed by a $1.7
billion Critical Infrastructure Protection (CIP) budget.

While CIP spans the universe of physical plant and electronic technology security
concerns, agencies are increasing their direct spending on IA at a faster rate
than overall IT spending, Hirsh noted.

She said that Information Assurance spending will grow from $1.2 billion in 1998
to $2.5 billion in 2004. Much of the increase is attributable to civilian agencies,
Hirsh said, who are playing catch-up with military- and intelligence sector security

The spending growth trend reflects the growth in real threats to systems. Hirsh
said IA-related attacks grew from about 100 significant incidents in 1988 to more
than 8,000 in 1999.

Distributed Denial of Service (DNS) and web-spread viruses lead the threat list.
While panic-style headlines rivet attention on IT security as never before, agency
officials lobbying for more support continue to be stymied by the fact that there is
no way to measure Return on Investment for IA spending, Hirsh noted.

A "Bridge" for PKI Interoperability

Whether you are doing business online, or dealing with sensitive information, PKI
is something you need to understand.

Why? Because PKI is the technology that allows you to be sure the party at the
other end of an online transaction is who they say they are, said Denise
Silverberg, deputy to the chair of the federal Public Key Infrastructure (PKI)
steering committee.

The end product of a PKI system is a digital certificate issued by a trusted third
party. A digital "cert" authenticates and validates transactions in both the e
commerce and information exchange world. The Federal Bridge project is an
attempt to give all agencies a way of dealing with each other and non-
government organizations regardless of which vendor's PKI is in use.

Silverberg called the planned Bridge "a conduit of trust." Essentially, the Bridge
will give transactions a place where interoperability across different PKI systems
can occur. Where federal-only PKI is concerned, officials are using GSA's
recently deployed ACES digital certificate system as a baseline resource from
which to set up new trusted systems, she said.

The voluntary governmentwide Bridge project has reached various states of
prototyping and demonstration testing. It is planed for use by Veteran's Affair,
Social Security, the Treasury, Agriculture and Defense departments, supporting a
variety of applications--medical records, student loans, online payroll and thrift
plans, accounts payable, and financial regulations information sharing.

Silverberg, who is a Treasury department information official, told industry
attendees that the need for the Bridge will "eventually go away" if vendors
continue to move toward interoperable PKIs. She told agency attendees that
while PKIs are often a cause for concern about potential legal snafus,
"technology and commerce marches on regardless of legal uncertainties."

In addition to building the Bridge, the PKI steering committee can also help
agencies prepare their case for better IT security budgets.

A Mission Critical Solution

Agencies looking for better web security might follow a web e-business

Dell Computer's online enterprise architecture evokes federal
security requirements in reach and size.

People with allegiance to manual business processes want to believe that e-
business is like the weather—everyone’s talking about it but no one’s doing it.
The fact is, however, that plenty are doing it and talking about it too.

At the recent TEG Information Security conference in Washington, web giant Dell
Computer not only talked the talk but walked the walk, giving federal officials a
look-see at how the company protects its mission critical online business

Dell does a whopping $40 – 50 million PER DAY of Internet business, accounting
for more than 40 percent of all its sales. At that rate, it will do about $12 billion of
business online this year, and about $1 billion in the public sector.

John Winfrey, an online consultant with Dell, said the company launched its web
e-business platform after an enterprise planning implementation a few years ago
“failed miserably.” The company learned the hard lesson that “we needed to build
out our technology, our capabilities and infrastructure.”
To this end, Dell structured its web presence within multiple data centers, two
near its headquarters in Texas but others as far-flung as Ireland and Japan. The
redundant Texas centers operate near each other “but on completely separate
power grids,” Winfrey said.

While Dell uses the major systems and components available in today’s
technology-rich marketplace, Winfrey noted that security is ultimately not a
technology-only issue.

“We look at the policies and procedures we’ve established as more valuable than
the tools we can put in place,” he said. It requires a number of managers to tend
to security at Dell, he said, but stressed that all 35,000 company employees
participate in online security.

Dell’s security mantra is “don't protect against WHAT-IF, protect against WHEN.”
Winfrey said hacks, viruses and DNS attacks are inevitable. Security must be
focused on reality. Lines of communication within Dell regarding possible new
threats stay open on a 24/7 basis, he said.

Dell’s online enterprise architecture evokes federal security requirements in
reach and size, encompassing hundreds of servers and 100+ terabytes of data,
with web sites in 44 nations running in 21 different languages. E-business
relationships have resulted in the creation of 40,000 extranets with customers
and their sensitive account information, Winfrey said.

Dell relies on double firewalls, multiple ISPs and routers, encryption, password
systems, secure socket layer and other state-of-the-art security methods such as
intrusion detection, vulnerability assessment, incident response and
investigations. There is no single point of failure. Every component of Dell’s
architecture is a result of an “iterative” approach to security, Winfrey said,
because threats are always changing.

“Security is an ongoing effort,” he told the conference. Certain costs are
unavoidable but the larger part of the job is related to policies and procedures
that must be maintained within an organization. Either take Internet security very
seriously, or don’t use the web, Winfrey advised.

For more information on how Dell approaches security for its mission critical
online systems, check out

State Is In The Vanguard

Perhaps there is no way to really measure ROI for computer security spending
but there IS a way of measuring the opposite condition, said Fernando Burbano,
the State Department chief information officer.
Addressing the recent TEG security conference, Burbano noted that earlier this
year the I Love You virus impacted 45 million computers worldwide at a cost of
$10- to $15 billion -- "all caused by 300 lines of code written by a kid in
Philippines," the State CIO added.

Faced with threats that range from prankish viruses to diabolical terrorist
bombings of embassies and the murder of U.S. officials abroad, State and the
U.S. Overseas Presence Advisory Board is in the vanguard of PDD-63
requirements development.

Where information technology is concerned, Burbano said 40 U.S. agencies
involved in foreign affairs will develop a common IT-secure platform for both
classified and unclassified systems. These agencies will opt for Internet and
Internet-like technologies for collaboration, and can be expected to apply
knowledge management principals/practices for all electronic lifelines--data,
telephone, email, Internet and fax.

In the meantime, State itself is working to consolidate its three types of networks
(classified; sensitive but unclassified; and, classified) into a single infrastructure
that can accommodate better security strategies and new COTS systems.
Burbano noted that effective Internet security is only now arriving on the market,
security itself having been outpaced by the web explosion.

"But federal budgets do not reflect that this [commercial security] technology is
available," Burbano said. He favors supplemental budgeting such as was used to
defeat the Y2K problem.

In the meantime, State is investing itself both within the framework of PDD-63
and the emerging IT security e commerce sector. The department is also
performing a public key infrastructure (PKI) pilot for the Federal Bridge program,
and is applying state-of-the-art risk assessment and risk management strategies
to its IA requirements.

Burbano said State will continue to cover its expertise shortfall with outsourcing,
which it already relies on for 50- to 60 percent of its IT security requirements.

Tips From The Trenches

The System Administration, Networking and Security (SANS) Institute is a front-
line organization in the worldwide effort to establish Information Assurance
strategies and tactics at all levels of IT systems management and operation.

SANS experts come from industry and government and provide counsel in
security disciplines that range from the macro policies employed by agencies to
the component technologies that best support those policies.
Tips from SANS come from the trenches of IT security implementation, and
reflect the breadth of best practices recommended by experts today. A mere
sampling of SANS guidance is valuable stuff.

Get Top-Down Support

The Institute stresses that the key elements of a security infrastructure include:

•   A strong commitment from management to provide sufficient resources to get
    the work done and to support security policies and procedures.

•   A well-defined site security policy.

•   A well-developed security awareness training program.

•   Clearly defined, implemented and documented security policies and
    procedures, which are supplied to everyone within your agency.

•   A strong flow of information to and from the appropriate groups.

•   The right people and the right tools to do the job.

And The Tools Are...

SANS notes that the following tools are essential to IT security.

•   Host-based Auditing tools
•   Networked Traffic Analysis tools
•   Security Management and Improvement tools
•   Firewall, Filtering and Proxying tools
•   Network-based Auditing tools
•   Encryption tools
•   One-Time Password tools
•   Secure Remote Access and Authorization tools

Pick ‘em Off With IDS

SANS experts believe intrusion detection systems (IDS) are particularly useful

•   The earlier you detect an attempted attack the better chance you have of
    preventing a serious and potentially expensive system compromise.

•   Knowing the types of attacks that are directed against your site helps you
    tune your defenses.

•   Detecting attackers and preventing them from using your site as a
    springboard to attack other sites may save your organization from
    embarrassment and/or legal costs.

Best Practices Performed

SANS recommends that a number of practices will ensure that your security
infrastructure is sound. The following tasks are well worth performing and

•   New System Installation Security Audits help ensure conformance to existing
    policies and a standard system configuration.

•   Regular Automated System Audit Checks can reveal “visitations” by intruders
    or illicit activities by insiders.

•   Random Security Audit Checks are your way to test for conformance to
    security policies and standards (by checking for illicit activity), or to check for
    the existence of a specific class of problems (e.g., the presence of a
    vulnerability reported by a vendor).

•   Night Audits of Critical Files are a way to assess the integrity of critical files
    (e.g., the password file) or databases.

•   User Account Activity Audits can help you detect dormant, invalid or misused

•   A regular practice of auditing will help an agency devote valuable resources
    to the most likely areas of system weakness.

[sub]Heed These Internet Basics

As agencies port more of their information resources to the Internet, they should
heed some basic guidance about the most common security snafus that plague
web systems. Here’s what SANS has found:

•   Sites do no dedicate sufficient resources to improve and maintain security.

•   Support personnel do not have management support or the authority to
    deploy appropriate security measures.

•   Vendors still ship systems with poor default security configurations.
    Customers still implement these systems “as is” even though they are aware
    of the security deficiencies.
•   Sites do not install vendor security patches even after receiving them.

•   Sites do not monitor or restrict network access to their internal hosts.

•   Sites do not implement or enforce procedures and standards when installing
    new devices on their networks.

The SANS Institute provides a full regimen of advanced training to IT security
managers and technicians. For more information on programs that might be of
interest to you, and more detail about the above guidance, check out

Train Them, But Don't Tell

Do you know exactly how solid your IT security infrastructure is? Do you know
where your system is most vulnerable? Money is scarce, so you need to spend it
in the right places on the right things--don't you?.

Well, lucky are the agencies eligible for the National Security Agency's free
Infosec Assessment program, in which NSA experts review agency systems and
make recommendations for mitigating uncovered vulnerabilities.

Wilbur Hildebrand Jr., NSA's chief of vulnerability assessment services, told the
recent TEG conference on Information Assurance that Infosec is a voluntary
program that affords agencies "another set of eyes" by which to gauge how
effective their current security is. Mostly, NSA is limited by manpower and budget
to examining classified military and intelligence systems.

But Infosec also offers a training program by which third parties in both industry
and other agencies can be certified as experts, and thus extend Infosec-level
evaluation services to civilian agencies and elsewhere.

Hildebrand said NSA has trained more than 600 contractors in the Infosec
Information Assurance Methodology (IAM) as part of a full "tech transfer"
program that is only stymied today by one fact. NSA is not yet allowed to refer
agencies ready for Infosec to these contractors because of legal considerations,
Hildebrand said.

Parenthetically, we might postulate that the next time the General Accounting
Office, Congress or the press lambastes an agency for faulty security, it might
want to look at the Washington legal community too. Quite possibly, the security
system under review might not have been so faulty if the critical partnerships
across agencies and industry were allowed to function at full throttle and not be
hampered by...well, let's be polite and just call it contemporary American
legalistic idiocy.

But, hey, that's our opinion. To learn more about how your agency's information
security officers can enroll in Infosec's valuable two-day IAM training program,
check out That's where the good stuff is.

Shared By:
Description: Response Strategies for Dell Company document sample