Securing the Nest 

Forwarded From: Eric Budke
By Tom Young

Hackers need to be lucky only once. You need to be lucky all the time. At
least it can feel that way, especially if you are striving to manage close
to $100 billion in mutual funds. For this reason OppenheimerFunds, a New
York-based asset-management company, two years ago brought in security
specialist Jim Patterson as vice president of security and
telecommunications in an attempt to reduce the company's exposure to
potential losses resulting from attacks on its data systems. 

"Our losses are zero," Patterson says.

Although Patterson carefully differentiates "losses"  from "attacks," it's
an impressive claim. OppenheimerFunds fosters a culture of secure
computing, a legacy that Patterson happily inherited.  What he didn't
inherit were strong, flexible systems for monitoring security-policy
compliance on his midrange systems, detecting intrusions, and
authenticating mobile workers. 

The existing system used security auditors who periodically would come in
and make recommendations based on their observations of security
deficiencies, which the IT staff then would mitigate. 

"When you finished, you'd sit back and say, 'Gee, I'm in pretty good
shape.' Then the next year, the audit team would come in and find more
things [wrong]," Patterson says. 

Day-to-day knowledge of the state of the system was critical given the
company's explosive rate of growth. During the past two years,
OppenheimerFunds has increased its portfolio from $54 billion to $95
billion, and the number of employees has grown from about 1,500 to more
than 2,000. 

After considering a number of options, Patterson settled on Axent
Technologies' OmniGuard, a suite of security tools that includes
Enterprise Security Manager for compliance monitoring and Intruder Alert
for intrusion detection. The company also uses Axent's Defender for
token-based remote authentication. 

Now Patterson and his team receive daily reports.

"Many companies take a snapshot of their environment based on an audit,
and they do that once a year," Patterson says.  "My snapshot is 365 days a
year ... If there was a change that degraded my security posture, I'll
know it within 24 hours of it happening, and then we can take action." 

This gives a hacker a 23-hour window to hit a system and defeat any
security software or take other information. Plenty of time.

OppenheimerFunds runs about 40 servers that handle Internet services, Web
servers, and client/server systems. The IT department embraces a diversity
of operating environments, including Windows NT, Novell NetWare, and Unix
variants from Hewlett-Packard, IBM, and Sun.  One of Patterson's main
technical requirements for a monitoring system was that it had to live
comfortably on all of his platforms. 

Compliance monitoring involves comparing the configuration of a system to
a company's security policies, for example, checking whether users'
passwords meet a minimum length or whether the system forces users to
change their passwords regularly. The requirements to secure two servers
can differ, even if they run the same version of an operating system. 

"They're not always going to be exactly the same because of the
sensitivity of the data, who's accessing it, and what the server is
capable of doing," Patterson says. "I wanted a system that was tunable for
my unique environment, so that every single instance, every single server,
if I chose, could be measured differently from the others." 
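The compliance check described above, written out as an added example that is not OppenheimerFunds' or Axent's code: a baseline password policy, per-server overrides so that a more sensitive host is "measured differently from the others", and a daily comparison that surfaces only the findings that are new since the previous run, which is the "know it within 24 hours" part. The host names, the config keys (modelled loosely on the login.defs style of settings) and the values are all constructed for the illustration.

```python
"""Policy compliance check with per-host tuning and day-over-day drift.

Added illustration, not code from the article or from any product it
names. HOST_CONFIGS stands in for whatever a collector pulled from each
server; the keys and values are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: settings observed on three hosts today.
HOST_CONFIGS = {
    "web01": {"PASS_MIN_LEN": "8", "PASS_MAX_DAYS": "90", "LOGIN_RETRIES": "5"},
    "db01":  {"PASS_MIN_LEN": "8", "PASS_MAX_DAYS": "365", "LOGIN_RETRIES": "5"},
    "dev02": {"PASS_MIN_LEN": "6", "PASS_MAX_DAYS": "90"},
}

# Baseline policy. ("min", 8) means observed >= 8; ("max", 90) means observed <= 90.
BASE_POLICY = {
    "PASS_MIN_LEN": ("min", 8),
    "PASS_MAX_DAYS": ("max", 90),
    "LOGIN_RETRIES": ("max", 5),
}

# Per-server overrides: the database host holds more sensitive data, so it
# must require longer passwords and rotate them faster than the baseline.
HOST_OVERRIDES = {
    "db01": {"PASS_MIN_LEN": ("min", 12), "PASS_MAX_DAYS": ("max", 60)},
}


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    observed: Optional[str]   # None when the setting is absent on the host
    expected: str


def effective_policy(host: str) -> Dict[str, tuple]:
    """Baseline policy with this host's overrides applied on top."""
    policy = dict(BASE_POLICY)
    policy.update(HOST_OVERRIDES.get(host, {}))
    return policy


def check_host(host: str, config: Dict[str, str]) -> List[Finding]:
    """Return one Finding per policy item the host fails (missing = fail)."""
    findings = []
    for setting, (direction, limit) in effective_policy(host).items():
        expected = f"{'>=' if direction == 'min' else '<='} {limit}"
        raw = config.get(setting)
        if raw is None:
            findings.append(Finding(host, setting, None, expected))
            continue
        try:
            value = int(raw)
        except ValueError:
            # Unparseable value: treat as non-compliant rather than silently passing.
            findings.append(Finding(host, setting, raw, expected))
            continue
        compliant = value >= limit if direction == "min" else value <= limit
        if not compliant:
            findings.append(Finding(host, setting, raw, expected))
    return findings


def daily_report(configs: Dict[str, Dict[str, str]] = HOST_CONFIGS) -> Dict[str, List[Finding]]:
    """Today's snapshot: every host checked against its effective policy."""
    return {host: check_host(host, cfg) for host, cfg in configs.items()}


def new_findings(previous: Dict[str, List[Finding]],
                 current: Dict[str, List[Finding]]) -> List[Finding]:
    """Findings present today that were not in yesterday's report: a
    degraded posture that appeared within the last reporting interval."""
    seen = {(f.host, f.setting) for fs in previous.values() for f in fs}
    return [f for fs in current.values() for f in fs
            if (f.host, f.setting) not in seen]


if __name__ == "__main__":
    for host, findings in daily_report().items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for f in findings:
            print(f"  {f.setting}: observed {f.observed!r}, expected {f.expected}")
```

Running it as-is reports web01 clean, db01 failing its stricter length and rotation overrides, and dev02 failing on a short minimum length and a missing lockout setting. Feeding yesterday's report and today's into new_findings gives the list a security team would act on first.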

OppenheimerFunds employs a "tiger team," a consulting company paid to
crack its clients' systems and report any vulnerabilities. 

"You give them a 'get out of jail free card,' and you turn them loose," 
Patterson says. 

For example, OppenheimerFunds gave the tiger team physical access to the
systems with a window of three weeks, during which time the team was to
break in by any means possible. 

"They weren't able to penetrate our systems at all, but ... as part of
their nosing around, they did identify a couple of things that we could do
internally [to improve our procedures]," Patterson says.

Any penetration team that can't break into a system with physical
access in a three-week period should re-evaluate their skill set.

OppenheimerFunds takes the recommendations seriously, and it has
implemented controls for each one. But just as important, the security
system was able to detect that the intruders were attempting to get in. 
The system not only notifies security staff that the intrusion is
happening, but also thwarts the attack while it's occurring. 

"It's important to keep people out, but it's also important to detect and
notify when someone is attempting to gain access inappropriately so that
you can take action," Patterson says. 

The last phase of installing the security system required implementing
strong, two-part authentication for mobile workers. Two-part, or
two-factor, authentication requires a user to be in possession of a unique
physical identifier, such as a card or a thumbprint (something the user
has), as well as a piece of information, such as a user ID and password
(something the user knows). 
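To make the two factors concrete, here is an added example of the server side of a token-plus-password login; it is not the article's code and not Axent Defender's algorithm. It assumes a hardware token that computes an HMAC-based one-time code from a shared secret and an event counter (the HOTP scheme of RFC 4226, chosen here as a well-known stand-in), and a stored salted password hash for the knowledge factor. The user record, secret and password are constructed for the illustration.

```python
"""Two-factor login check: knowledge factor (password) plus possession
factor (counter-based hardware token).

Added illustration, not the article's or any product's code. Token
algorithm is HOTP (RFC 4226), assumed here as a representative scheme.
"""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000


def make_user(password: str, token_secret: bytes) -> dict:
    """Constructed user record: salted password hash plus the token's
    shared secret and the next counter value the server expects."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "token_secret": token_secret,
        "counter": 0,
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically
    truncated to a 31-bit integer, reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_login(user: dict, password: str, token_code: str, look_ahead: int = 3) -> bool:
    """Both factors must check out. The token is accepted for the expected
    counter or a few values ahead (the user may have pressed the button
    without logging in); on success the counter advances past the value
    used, so the same code cannot be replayed."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS),
        user["pw_hash"],
    )
    matched = None
    for candidate in range(user["counter"], user["counter"] + look_ahead):
        if hmac.compare_digest(hotp(user["token_secret"], candidate), token_code):
            matched = candidate
            break
    # Evaluate both factors before deciding, so a failure in one does not
    # reveal which factor was wrong.
    if pw_ok and matched is not None:
        user["counter"] = matched + 1
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test secret and a made-up password.
    alice = make_user("correct horse battery", b"12345678901234567890")
    first_code = hotp(alice["token_secret"], alice["counter"])
    print("first login :", verify_login(alice, "correct horse battery", first_code))
    print("replayed    :", verify_login(alice, "correct horse battery", first_code))
```

The first login succeeds and the replay of the same code is refused, which is the property a stolen token code would otherwise exploit; a correct token with a wrong password fails in the same way and leaves the counter untouched.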

Much of Patterson's effort was directed at educating OppenheimerFunds

"A lot of it is just that personal one-on-one, almost handholding --
getting people to understand why it's important and getting them to buy
into the concept. For the most part, I've been successful in getting
people to dedicate the resources necessary, but it isn't something that's
done overnight, nor was it done by mandate ...  Sometimes you have to have
a heart-to-heart with people to get them to really appreciate that they
have to dedicate time to it. It's a never-ending battle," Patterson says.