[ISN] Clarke Touts Broad Approach To IT Security

Mon Aug 30 03:03:06 EDT 2004

http://www.informationweek.com/story/showArticle.jhtml;jsessionid=DJ0LKLR4Y2FTYQSNDBCSKHY?articleID=45400035

By W. David Gardner
TechWeb News 
Aug. 27, 2004

Richard Clarke, best known as the former counterterrorism czar for
presidents Bill Clinton and George W. Bush, ended his government
career as the White House adviser to the President on Cyberspace
Security. He's now bringing that expertise to the IT world.

In an Internet presentation sponsored by RSA Security Inc., Clarke on
Thursday sounded the alarm on some possible threats, but also unveiled
a list of 10 steps, or checkpoints, to help secure IT installations.  
Clarke, now chairman of Good Harbor Consulting, advocates a broad
approach to IT security, employing what he terms "a holistic view of
risk."

Clarke noted that the broad area of IT security is growing has
traditionally been slighted by top management in large corporations.  
He said management--including CEOs, board directors, CIOs, CFOs, HR
heads, and internal auditors--should meet regularly to discuss
security issues. "This whole group needs to get together once a
month," he suggested.

Security issues are rapidly growing in importance to business, he
said, noting that not only do top executives have to pay attention to
legislation like Sarbanes-Oxley and HIPAA, but also that there is much
pending legislation--on both the national and state levels--that could
benefit from input from informed IT managers and from involved top
management. "This [can be] about showing the Congress that you don't
need to be regulated, because you're doing it yourself," he said.

He ticked off a list of proposed legislation that could become law.  
The SEC is considering supporting legislation that would require an
IT-security readiness statement to be filed with the SEC annually. The
FCC is examining regulations that would require ISPs to beef-up their
security. Also under consideration, he noted, is legislation aimed at
improving security at chemical and electric-power plants.

Clarke listed 10 steps for businesses to follow: 

* Establish automatic monitoring of compliance and auditing 
  capabilities of networks. "Every day you can see if you're secure," 
  he said. 

* Acquire a patch-management system and service. Noting that 50 or 60 
  patches are issued each week by software providers, Clarke called 
  patching "the No. 1 headache of CIOs." 

* Set up an identity-access-management system, preferably a two-factor 
  password-ID system. "Almost any password can be broken" by programs 
  easily available on the Internet, he noted. 

* Data should be encrypted in sensitive areas. He said proposed 
  California legislation calls for many IT organizations to encrypt 
  data. 

* Participate in an early-warning system, preferably with an 
  organization with a set of detect sensors. 

* Establish rigorous security-oriented service-level agreements with 
  ISPs. Clarke indicated that the FCC is considering making this 
  provision mandatory for certain IT users. 

* Institute an IT security-awareness program, a sort of catch-all 
  program that would educate staff on widespread security aspects of 
  their networks. 

* All software--not just products from Microsoft--should be 
  systematically tested. Clarke noted that buffer-overflow problems 
  have been cited for years but little has been done to correct the 
  problem. He said there is a need for "software products that test 
  software." 

* Secure the physical part the IT organization to make sure that 
  intruders can't just walk in and violate security. 

* Address "the road-warrior problem," as illustrated by network users 
  logging in from remote locations who unknowingly have infected 
  software, typically on laptops. 

Clarke also addressed the possible security threat posed by the
offshore outsourcing of IT operations. "I don't think it's a problem,"  
Clarke said. "Some Indian companies do a better job than U.S.  
companies."