One might think that years after September 11th, 2001 there would be dramatic differences and improvements in the way businesses strive to protect their employees, assets, and data. However, changes have been more gradual than many had expected. A look at some of the trends that have been developing over the years since September 11th reveals signs of change for the better--although the need for more information security advancement is abundantly clear.

The morning of September 11th, 2001 started like any other for employees of the law firm Turner & Owen, located on the 21st floor of One Liberty Plaza, directly across the street from the North World Trade Center Tower. Then everyone heard a huge explosion and their building shook as if in an earthquake. Debris rained from the sky.

Not knowing what was happening, they immediately left the building in an orderly fashion--thanks to systematic practice of evacuation drills--taking whatever files they could on the way out. File cabinets and computer systems all had to be left behind. In the disaster that ensued, One Liberty Plaza was wrecked and leaning, with the top ten floors twisted--the offices of Turner & Owen were decimated.

Although Turner & Owen IT staff made regular backup tapes of their computer systems, those tapes had been sent to a division of the company located in the South World Trade Center Tower, and they were completely lost when the South Tower was destroyed. Knowing they had to recover their case databases or likely go out of business, Frank Turner and Ed Owen risked their lives and crawled through the structurally unstable One Liberty Plaza and retrieved two file servers with their most critical records. With this information, the law firm of Turner & Owen was able to resume work less than two weeks later.

Many other companies were never able to recover the information lost in this disaster.

What Has Changed?

One might think that years after such a devastating loss of lives, property and information there would be dramatic differences and improvements in the way businesses strive to protect their employees, assets, and data. However, changes have been more gradual than many had expected. "Some organizations that should have received a wakeup call seemed to have ignored the message," says one information security professional who prefers to remain anonymous.

A look at some of the trends that have been developing over the years since September 11th reveals signs of change for the better--although the need for more information security advancement is abundantly clear.

Federal Trends

The most noticeable changes in information security since September 11th, 2001 happened at the federal government level. An assortment of Executive Orders, acts, strategies and new departments, divisions, and directorates has focused on protecting America's infrastructure, with a heavy emphasis on information protection.

Just one month after 9/11, President Bush signed Executive Order 13231, "Critical Infrastructure Protection in the Information Age," which established the President's Critical Infrastructure Protection Board (PCIPB). In July 2002, President Bush released the National Strategy for Homeland Security, which called for the creation of the Department of Homeland Security (DHS), which would lead initiatives to prevent, detect, and respond to attacks with chemical, biological, radiological, and nuclear (CBRN) weapons. The Homeland Security Act, signed into law in November 2002, made the DHS a reality.

In February 2003, Tom Ridge, Secretary of Homeland Security, released two strategies: "The National Strategy to Secure Cyberspace," which was designed to "engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact," and "The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets," which "outlines the guiding principles that will underpin our efforts to secure the infrastructures and assets vital to our national security, governance, public health and safety, economy and public confidence."

Additionally, under the Department of Homeland Security's Information Analysis and Infrastructure Protection (IAIP) Directorate, the Critical Infrastructure Assurance Office (CIAO) and the National Cyber Security Division (NCSD) were created. One of the top priorities of the NCSD was to create a consolidated Cyber Security Tracking, Analysis and Response Center, following through on a key recommendation of the National Strategy to Secure Cyberspace.

With all this activity in the federal government related to securing infrastructures, including key information systems, one might think there would be a noticeable impact on information security practices in the private sector. But the response to the National Strategy to Secure Cyberspace in particular has been tepid, with criticisms centering on its lack of regulations, incentives, funding and enforcement. The sentiment among information security professionals seems to be that without strong information security laws and leadership at the federal level, practices to protect our nation's critical information, in the private sector at least, will not significantly change for the better.

Industry Trends

One trend that appears to be gaining ground in the private sector, though, is the increased emphasis on the need to share security-related information with other companies and organizations, yet to do so anonymously. To do this, an organization can participate in one of the dozen or so industry-specific Information Sharing and Analysis Centers (ISACs). ISACs gather alerts and perform analyses and notification of both physical and cyber threats, vulnerabilities, and warnings. They alert the public and private sectors to security information necessary to protect critical information technology infrastructures, businesses, and individuals. ISAC members also have access to information and analysis relating to information provided by other members and obtained from other sources, such as the US Government, law enforcement agencies, technology providers and security associations such as CERT.

Encouraged by President Clinton's Presidential Decision Directive (PDD) 63 on critical infrastructure protection, ISACs first started forming a couple of years before 9/11; the Bush administration has continued to support the formation of ISACs to cooperate with the PCIPB and DHS.

ISACs exist for most major industries, including the IT-ISAC for information technology and the FS-ISAC for financial institutions, as well as the World Wide ISAC for all industries worldwide. The membership of ISACs has grown rapidly in the last couple of years as many organizations recognize that participation in an ISAC helps fulfill their due care obligations to protect critical information.

A major lesson learned from 9/11 is that business continuity and disaster recovery (BC/DR) plans need to be robust and tested often. "Business continuity planning has gone from being a discretionary item that keeps auditors happy to something that boards of directors must seriously consider," said Richard Luongo, Director of PricewaterhouseCoopers' Global Risk Management Solutions, shortly after the attacks. BC/DR has proven its return on investment, and most organizations have focused great attention on ensuring that their business and information is recoverable in the event of a disaster.

There also has been a growing emphasis on risk management solutions and how they can be applied to ROI and budgeting requirements for businesses. More conference sessions, books, articles, and products on risk management exist than ever before. While some of the growth in this area can be attributed to legislation like HIPAA, GLBA, Sarbanes-Oxley, Basel II, etc., 9/11 did a lot to make people start thinking about threats and vulnerabilities as components of risk and what must be done to manage that risk.

Technology Trends

Most companies realized the need to monitor their networks 24x7 prior to 9/11, but afterwards it became a top priority if such a capability wasn't already in place. More and more companies are implementing intrusion detection systems (IDS), including network intrusion detection systems (NIDS) and host intrusion detection systems (HIDS). According to a 2003 Global Security Survey by Deloitte Touche Tohmatsu, 85 percent of respondents have deployed intrusion detection systems. Since these systems can entail large expenses for equipment and software purchases, consulting fees and staff time, some companies are turning to managed security service providers (MSSPs) to manage their network monitoring. Some MSSPs also offer their clients advance notice of threats that the MSSP may have identified while monitoring other networks.

Largely due to rampaging worms and viruses such as Slammer, patch management, change management and configuration management technology solutions have been raised in precedence within corporate risk management initiatives. A slew of applications and tools exist to address the needs of patch, change, and configuration management, but the challenge is to find the right combination of tools that will do the job in any given environment.

Information security staffs don't have time to sift through the growing multitude of threat warnings and vulnerability alerts that crop up for all possible platform combinations every day. So another information security technology trend that has developed is intelligent threat analysis--a service that provides threat and vulnerability alerts customized to a client's specific environment.

What Still Needs to Change

The information security changes in government, industry, and technology are notable, but where do we still need to improve in these areas?

If our government is serious about protecting critical information, it will have to pass some sensible laws, contend information security experts. "Make companies liable for insecurities, and you'll be surprised how quickly things get more secure," says Bruce Schneier, Founder and CTO of Counterpane Internet Security, Inc.

Information security managers need to do a better job of conveying to their CEOs and boards of directors how a company needs to protect its information. Siebel Systems CIO Mark Sunday says that although corporate boards are more aware of security issues than ever, they still don't fully understand them--and most boards don't like to fund things they don't understand. "As aware as CEOs and boards have become of security issues, spending in that area hasn't gone up in proportion and certainly not to the levels people expected," Sunday said.

Advanced information security technology exists that isn't widely known or used by the mainstream. "Our technology is too signature-based," says Jim Reavis, editor of CSOinformer and information security industry analyst. "We're only prepared to fight the last battle. We need to get more predictive. We need to use more behavioral technology."

Conclusion

In a survey conducted jointly by the Internet Security Alliance (ISAlliance), the National Association of Manufacturers (NAM) and RedSiren Technologies Inc. one year after September 11th, 2001, 40 percent of respondents reported that information security was considered more important than prior to September 11th. Yet almost one-third said their companies were still not adequately equipped to deal with an attack on their computer networks. The survey concluded that "many organizations need to revise how security risks, threats and costs are identified, measured and managed."

Is our information more secure two years after September 11th? Unfortunately, not by a lot. While some trends since 9/11 demonstrate progress in the field of information protection, opportunities for better information security practices clearly remain.