Securing the Nest

Forwarded From: Eric Budke
http://www.infoworld.com/cgi-bin/displayStat.pl?pageone/news/features/iw100/98iw100.oppenheimer.htm

By Tom Young

Hackers need to be lucky only once. You need to be lucky all the time. At least it can feel that way, especially if you are striving to manage close to $100 billion in mutual funds.

For this reason OppenheimerFunds, a New York-based asset-management company, two years ago brought in security specialist Jim Patterson as vice president of security and telecommunications in an attempt to reduce the company's exposure to potential losses resulting from attacks on its data systems.

"Our losses are zero," Patterson says. Although Patterson carefully differentiates "losses" from "attacks," it's an impressive claim.

OppenheimerFunds fosters a culture of secure computing, a legacy that Patterson happily inherited. What he didn't inherit were strong, flexible systems for monitoring security-policy compliance on his midrange systems, detecting intrusions, and authenticating mobile workers. The existing system used security auditors who periodically would come in and make recommendations based on their observations of security deficiencies, which the IT staff then would mitigate.

"When you finished, you'd sit back and say, 'Gee, I'm in pretty good shape.' Then the next year, the audit team would come in and find more things [wrong]," Patterson says.

Day-to-day knowledge of the state of the system was critical given the company's explosive rate of growth. During the past two years, OppenheimerFunds has increased its portfolio from $54 billion to $95 billion, and the number of employees has grown from about 1,500 to more than 2,000.

After considering a number of options, Patterson settled on Axent Technologies' OmniGuard, a suite of security tools that includes Enterprise Security Manager for compliance monitoring and Intruder Alert for intrusion detection. The company also uses Axent's Defender for token-based remote authentication.

Now Patterson and his team receive daily reports. "Many companies take a snapshot of their environment based on an audit, and they do that once a year," Patterson says. "My snapshot is 365 days a year ... If there was a change that degraded my security posture, I'll know it within 24 hours of it happening, and then we can take action."

[Forwarder's comment:] This gives a hacker a 23-hour window to hit a system and defeat any security software or take other information. Plenty of time.

OppenheimerFunds runs about 40 servers that handle Internet services, Web servers, and client/server systems. The IT department embraces a diversity of operating environments, including Windows NT, Novell NetWare, and Unix variants from Hewlett-Packard, IBM, and Sun. One of Patterson's main technical requirements for a monitoring system was that it had to live comfortably on all of his platforms.

Compliance monitoring involves comparing the configuration of a system to a company's security policies, for example, checking whether users' passwords meet a minimum length or whether the system requires users to change their passwords regularly. The requirements to secure two servers can differ, even if they run the same version of an operating system. "They're not always going to be exactly the same because of the sensitivity of the data, who's accessing it, and what the server is capable of doing," Patterson says. "I wanted a system that was tunable for my unique environment, so that every single instance, every single server, if I chose, could be measured differently from the others."

OppenheimerFunds employs a "tiger team," a consulting company paid to crack its clients' systems and report any vulnerabilities. "You give them a 'get out of jail free card,' and you turn them loose," Patterson says. For example, OppenheimerFunds gave the tiger team physical access to the systems with a window of three weeks, during which time the team was to break in by any means possible. "They weren't able to penetrate our systems at all, but ... as part of their nosing around, they did identify a couple of things that we could do internally [to improve our procedures]," Patterson says.

[Forwarder's comment:] Any penetration team who can't break into a system with physical access in a three-week period should re-evaluate their skill set.

OppenheimerFunds takes the recommendations seriously, and it has implemented controls for each one. But just as important, the security system was able to detect that the intruders were attempting to get in. The system not only notifies security staff that the intrusion is happening, but also thwarts the attack while it's occurring. "It's important to keep people out, but it's also important to detect and notify when someone is attempting to gain access inappropriately so that you can take action," Patterson says.

The last phase of installing the security system required implementing strong, two-part authentication for mobile workers. Two-part, or two-factor, authentication requires a user to be in possession of a unique physical identifier, such as a card or a thumbprint, as well as a piece of information, such as a user ID and password.

Much of Patterson's effort was directed at educating OppenheimerFunds employees. "A lot of it is just that personal one-on-one, almost handholding -- getting people to understand why it's important and getting them to buy into the concept. For the most part, I've been successful in getting people to dedicate the resources necessary, but it isn't something that's done overnight, nor was it done by mandate ... Sometimes you have to have a heart-to-heart with people to get them to really appreciate that they have to dedicate time to it. It's a never-ending battle," Patterson says.
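The compliance-monitoring approach the article describes (a base password policy, per-server tuning for the more sensitive hosts, and a daily comparison that flags any change that degraded the posture since the last run) can be sketched in a few lines. This is an added illustration, not Axent's or OppenheimerFunds' code; the host names, policy values and configuration snapshots are constructed.

```python
# Added example: a minimal per-server compliance monitor with day-over-day drift detection.
# Hosts, policy numbers and snapshots are constructed for illustration, not real data.
from copy import deepcopy

# Baseline policy every server is measured against.
BASE_POLICY = {"min_password_len": 8, "max_password_age_days": 90, "password_expiry_required": True}

# Per-server overrides: the server holding sensitive fund data demands more.
POLICY_OVERRIDES = {"fund-db-01": {"min_password_len": 12, "max_password_age_days": 60}}


def policy_for(host):
    """Merge the base policy with any host-specific override."""
    policy = dict(BASE_POLICY)
    policy.update(POLICY_OVERRIDES.get(host, {}))
    return policy


def check_host(host, config):
    """Return the list of policy violations found in one host's configuration snapshot."""
    p = policy_for(host)
    findings = []
    if config["min_password_len"] < p["min_password_len"]:
        findings.append(f"min_password_len {config['min_password_len']} < {p['min_password_len']}")
    if p["password_expiry_required"] and not config["password_expiry_required"]:
        findings.append("password expiry not enforced")
    elif config["password_expiry_required"] and config["max_password_age_days"] > p["max_password_age_days"]:
        findings.append(f"max_password_age_days {config['max_password_age_days']} > {p['max_password_age_days']}")
    return findings


def daily_report(snapshots, previous=None):
    """Check every host; also list hosts whose violations grew since the previous report."""
    report = {host: check_host(host, cfg) for host, cfg in snapshots.items()}
    degraded = [h for h, f in report.items()
                if previous is not None and len(f) > len(previous.get(h, []))]
    return report, degraded


# Constructed snapshots for two consecutive days.
DAY1 = {
    "web-01": {"min_password_len": 8, "max_password_age_days": 90, "password_expiry_required": True},
    "fund-db-01": {"min_password_len": 12, "max_password_age_days": 60, "password_expiry_required": True},
}
DAY2 = deepcopy(DAY1)
DAY2["fund-db-01"]["max_password_age_days"] = 180  # rotation relaxed overnight; should surface next day

if __name__ == "__main__":
    day1_report, _ = daily_report(DAY1)
    day2_report, degraded_hosts = daily_report(DAY2, previous=day1_report)
    print(day2_report, degraded_hosts)
```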