
Enterprise in focus at NetSec 2002


Brian McKenna


NetSec 2002 took place in San Francisco, amid industry reflection on the balance to be struck between combatting cyber-terrorism and safeguarding civil liberties post-9-11. Brian McKenna reports on the punditry and the pedagogy at the CSI’s event, focusing on security in the enterprise.

“Recognize that the digital world will be one of ever-increasing complexity. Put processes in place to deal with this and stop relying on technology to save you”, Bruce Schneier, Chief Technical Officer, Counterpane Internet Security, urged delegates at the CSI’s mid-June NetSec gathering in San Francisco.

In the libertarian city of gay rights martyr Harvey Milk, and McCarthy victim Dashiell Hammett – not to mention freewheelin’ Jack Kerouac and private investigator Sam Spade (Hammett’s fictional creation), delegates gathered to hear security experts share their thoughts in a post-‘9-11’ world where cyber-terrorism seems to stalk and shadow the real thing, but needs, surely, to be kept in perspective.

Three keynotes addressed this new, more security-conscious, context. George Vinson, Director, Homeland Security for California, opened the conference; in the second keynote, John Frazzini, Special Agent, United States Secret Service, urged the mainly American security professionals in attendance to join up with their government’s new drive against cyber-terrorist hacking of financial targets; and Qinetiq’s Carl Jackson gave a keynote talk on how September 11 should ‘impact continuity planning’.

The event

Just over 1500 information security professionals from around the world gathered at NetSec at the Hyatt Regency Embarcadero in the city’s Financial District to learn strategies for combating the new and not-so-new dangers that threaten the information on their networks.

Now in its twelfth year, NetSec 2002, entitled ‘Technical Dimensions in Network Security’, addressed wireless security, hackers, information warfare, network attacks and countermeasures, secure e-business, remote access, intrusion detection and forensics, PKI, firewalls, privacy, awareness and management issues. Speakers included: CSI’s wise-cracking John O’Leary, who guided newcomers to the field through network security fundamentals; Tom Peltier on social engineering; Marcus Ranum, NFR Security, on honeypots and burglar alarms; and representatives from IBM, Symantec, and Lumeta, among others.

Eight full tracks were offered, including an introductory track for newcomers as well as more advanced technical sessions for more experienced practitioners. Pre- and post-conference workshops also ran, offering in-depth training on specific topics, such as: practical forensics, by Peter Garza, Evidentdata; Fred Avolio’s ‘Internet security tools and techniques’; and Computers & Security Editor-in-Chief Eugene Schultz’s ‘Responding to incidents’ course.

Against the current?

In an otherwise sedate conference, Hervé Schmidt, Group IT Security Director at French retail giant Carrefour, gave a provocative presentation that riled some delegates. In a talk entitled ‘How to sell security to executives’, Schmidt emphasized that, as a security manager embarking on the conception and implementation of a new enterprise-wide security strategy, you should tell yourself, even if it is not true, that “you are alone, and no one likes you”.

Speaking from his own experience of devising and implementing a global, country-by-country, security policy at Carrefour, which he joined as part of the 2000 merger with Promodès, Schmidt had the following advice for infosec professionals: stay clear of consultants, at least to begin with; work with, but also beyond, the IT department; keep your technical expertise “in your pocket”; and, above all, don’t blow it with board-level management when you do get your fifteen minutes. “Three slides maximum, and don’t talk to them in technical terms”, he counselled.

Delegates seemed to discern in Schmidt’s step-by-step and politically nuanced approach, punctuated as it was with the phrase “never forget that you are alone”, a dark, French existentialism out of keeping with a more bright and breezy ‘can-do’ American approach.

“I don’t agree that my approach is essentially ‘French’”, Schmidt told Computers & Security. “The main opposition I tend to face is from consultants, who clearly have their own agenda, and that was the case here.”

“The best people to do a risk assessment for a company come from the company. When you need to implement a tool or a disaster recovery plan then you can turn to consultants. Consultants need to learn that one day their customers will become intelligent!”

When asked how he gets Board level executives to care about IT security, he said: “first, you need to get into the room. Once you get in there you know that they are ready to listen to you for five minutes, and in those five minutes you need to be very precise about the objective you want to reach with their help”.

“You need to be ready to answer the question: ‘so, what should we do?’ Remember that the preoccupation of top management is the question of the day. It might be a virus they’ve heard about on TV, or data privacy, or disaster recovery. Or it could be nothing. Don’t bother them unless you need to make them aware of something that either seriously disrupts the activity of the business or damages the company’s image. These two things only are top security concerns, from a business viewpoint”.

Asked what advice he would give an infosecurity professional bent on a business career, Schmidt said: “forget the technical side. Most security managers work as part of the IT department, and this is very limiting. You can start there, but you need to look beyond it. IT professionals think they are the kings, but, although they are the best people to identify security risks they are the worst to present them to senior management because they always speak in technical language”. Schmidt works alongside the CIO at Carrefour, reporting directly to the board.

Secrets and liabilities

Bruce Schneier confirmed the tenor of Schmidt’s advice in his talk entitled ‘Fixing network security by hacking the business climate’. “Security”, the creator of the Blowfish and Twofish encryption algorithms said, “is a people problem. We need to think about security not as an engineer or a mathematician does, but as a business person does. Adequate security at a reasonable cost is what companies require, and CEOs won’t start to care about security until it gets monetized”. The key to that, in his opinion, will be the enforcement of liability on vendors and other companies (who, say, allow themselves to be ‘the man in the middle’ in a hacking attack), and the consequent rise of a marketplace for insurance in security.

“Network security”, Schneier says, in the collateral to his talk, “is no different from real-world security. There are no magic preventive countermeasures against crime in the real world, yet we are all reasonably safe. We need to bring that same thinking to the Internet”.

We need, in his view, to move from a military model of ‘gates, guns and guards’ to a risk management model where you accept risk, mitigate it with technology and procedures, and look to transfer it to the insurance industry.

The latter will, in his view, augment the trend to outsourcing. “Bespoke security is not an option for most companies. Outsourcing is the only way to make security scale”.

Held in conjunction with the conference, the NetSec 2002 Exhibition was short on the sort of services companies invoked by Schneier. The 75 security vendors present displayed a variety of products in the areas of firewalls, encryption, intrusion detection, authentication, single sign-on, network security management, and remote access. The exhibition was indeed modest in scale, with some notable absentees – including IT security giant Symantec.

However, as an introduction, at a variety of levels, to the issues besetting the information security industry, it must be hard to beat.
