One might think that years after September 11th, 2001 there would be dramatic differences and improvements in the way businesses strive to protect their employees, assets, and data. However, changes have been more gradual than many had expected. A look at some of the trends that have been developing over the years since September 11th reveals signs of change for the better--although the need for more information security advancement is abundantly clear.

The morning of September 11th, 2001 started like any other for employees of the law firm Turner & Owen, located on the 21st floor of One Liberty Plaza directly across the street from the North World Trade Center Tower. Then everyone heard a huge explosion and their building shook as if in an earthquake. Debris rained from the sky.

Not knowing what was happening, they immediately left the building in an orderly fashion--thanks to systematic practice of evacuation drills--taking whatever files they could on the way out. File cabinets and computer systems all had to be left behind. In the disaster that ensued, One Liberty Plaza was wrecked and leaning with the top ten floors twisted--the offices of Turner & Owen were decimated.

Although Turner & Owen IT staff made regular backup tapes of their computer systems, those tapes had been sent to a division of the company located in the South World Trade Center Tower, and they were completely lost when the South Tower was destroyed. Knowing they had to recover their case databases or likely go out of business, Frank Turner and Ed Owen risked their lives, crawled through the structurally unstable One Liberty Plaza, and retrieved two file servers with their most critical records. With this information, the law firm of Owen & Turner was able to resume work less than two weeks later.

Many other companies were never able to recover the information lost in this disaster.

What Has Changed?

One might think that years after such a devastating loss of lives, property and information there would be dramatic differences and improvements in the way businesses strive to protect their employees, assets, and data. However, changes have been more gradual than many had expected. "Some organizations that should have received a wakeup call seemed to have ignored the message," says one information security professional who prefers to remain anonymous.

A look at some of the trends that have been developing over the years since September 11th reveals signs of change for the better--although the need for more information security advancement is abundantly clear.

Federal Trends

The most noticeable changes in information security since September 11th, 2001 happened at the federal government level. An assortment of Executive Orders, acts, strategies and new departments, divisions, and directorates has focused on protecting America's infrastructure with a heavy emphasis on information protection.

Just one month after 9/11, President Bush signed Executive Order 13231, "Critical Infrastructure Protection in the Information Age," which established the President's Critical Infrastructure Protection Board (PCIPB). In July 2002, President Bush released the National Strategy for Homeland Security, which called for the creation of the Department of Homeland Security (DHS) to lead initiatives to prevent, detect, and respond to attacks with chemical, biological, radiological, and nuclear (CBRN) weapons. The Homeland Security Act, signed into law in November 2002, made the DHS a reality.

In February 2003, Tom Ridge, Secretary of Homeland Security, released two strategies: "The National Strategy to Secure Cyberspace," which was designed to "engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact," and "The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets," which "outlines the guiding principles that will underpin our efforts to secure the infrastructures and assets vital to our national security, governance, public health and safety, economy and public confidence."

Additionally, under the Department of Homeland Security's Information Analysis and Infrastructure Protection (IAIP) Directorate, the Critical Infrastructure Assurance Office (CIAO) and the National Cyber Security Division (NCSD) were created. One of the top priorities of the NCSD was to create a consolidated Cyber Security Tracking, Analysis and Response Center, following through on a key recommendation of the National Strategy to Secure Cyberspace.

With all this activity in the federal government related to securing infrastructures, including key information systems, one might think there would be a noticeable impact on information security practices in the private sector. But the response to the National Strategy to Secure Cyberspace in particular has been tepid, with criticisms centering on its lack of regulations, incentives, funding and enforcement. The sentiment among information security professionals seems to be that without strong information security laws and leadership at the federal level, practices to protect our nation's critical information, in the private sector at least, will not significantly change for the better.

Industry Trends

One trend that appears to be gaining ground in the private sector, though, is the increased emphasis on the need to share security-related information with other companies and organizations, yet do it in an anonymous way. To do this, an organization can participate in one of the dozen or so industry-specific Information Sharing and Analysis Centers (ISACs). ISACs gather alerts and perform analysis and notification of both physical and cyber threats, vulnerabilities, and warnings. They alert the public and private sectors to security information necessary to protect critical information technology infrastructures, businesses, and individuals. ISAC members also have access to information and analysis relating to information provided by other members and obtained from other sources, such as the US Government, law enforcement agencies, technology providers and security associations such as CERT.

Encouraged by President Clinton's Presidential Decision Directive (PDD) 63 on critical infrastructure protection, ISACs first started forming a couple of years before 9/11; the Bush administration has continued to support the formation of ISACs to cooperate with the PCIPB and DHS.

ISACs exist for most major industries, including the IT-ISAC for information technology and the FS-ISAC for financial institutions, as well as the World Wide ISAC for all industries worldwide. The membership of ISACs has grown rapidly in the last couple of years as many organizations recognize that participation in an ISAC helps fulfill their due care obligations to protect critical information.

A major lesson learned from 9/11 is that business continuity and disaster recovery (BC/DR) plans need to be robust and tested often. "Business continuity planning has gone from being a discretionary item that keeps auditors happy to something that boards of directors must seriously consider," said Richard Luongo, Director of PricewaterhouseCoopers' Global Risk Management Solutions, shortly after the attacks. BC/DR has proven its return on investment, and most organizations have focused great attention on ensuring that their business and information are recoverable in the event of a disaster.

There has also been a growing emphasis on risk management solutions and how they can be applied to ROI and budgeting requirements for businesses. More conference sessions, books, articles, and products on risk management exist than ever before. While some of the growth in this area can be attributed to legislation like HIPAA, GLBA, Sarbanes-Oxley, Basel II, etc., 9/11 did a lot to make people start thinking about threats and vulnerabilities as components of risk and what must be done to manage that risk.

Technology Trends

Most companies realized the need to monitor their networks 24x7 prior to 9/11, but afterwards it became a top priority if such a capability wasn't already in place. More and more companies are implementing intrusion detection systems (IDS), including network intrusion detection system (NIDS) and host intrusion detection system (HIDS) solutions. According to a 2003 Global Security Survey by Deloitte Touche Tohmatsu, 85 percent of respondents have deployed intrusion detection systems. Since these systems can entail large expenses in equipment and software purchases, consulting fees and staff time, some companies are turning to managed security service providers (MSSPs) to manage their network monitoring. Some MSSPs also offer their clients advance notice of threats that the MSSP may have identified while monitoring other networks.

Largely due to rampaging worms and viruses such as Slammer, patch management, change management and configuration management technology solutions have been raised in precedence within corporate risk management initiatives. A slew of applications and tools exist to address the needs of patch, change, and configuration management, but the challenge is to find the right combination of tools that will do the job in any given environment.

Information security staffs don't have time to sift through the growing multitude of threat warnings and vulnerability alerts that crop up for all possible platform combinations every day. So another information security technology trend that has developed is intelligent threat analysis--a service that provides threat and vulnerability alerts customized to a client's specific environment.

What Still Needs to Change

The information security changes in government, industry, and technology are notable, but where do we still need to improve in these areas?

If our government is serious about protecting critical information it will have to pass some sensible laws, contend information security experts. "Make companies liable for insecurities, and you'll be surprised how quickly things get more secure," says Bruce Schneier, Founder and CTO of Counterpane Internet Security, Inc.

Information security managers need to do a better job of conveying to their CEOs and boards of directors how a company needs to protect its information. Siebel Systems CIO Mark Sunday says that although corporate boards are more aware of security issues than ever, they still don't fully understand them--and most boards don't like to fund things they don't understand. "As aware as CEOs and boards have become of security issues, spending in that area hasn't gone up in proportion and certainly not to the levels people expected," Sunday said.

Advanced information security technology exists that isn't widely known or used by the mainstream. "Our technology is too signature-based," says Jim Reavis, editor of CSOinformer and information security industry analyst. "We're only prepared to fight the last battle. We need to get more predictive. We need to use more behavioral technology."

Conclusion

In a survey conducted jointly by the Internet Security Alliance (ISAlliance), the National Association of Manufacturers (NAM) and RedSiren Technologies Inc. one year after September 11th, 2001, 40 percent of respondents reported that information security was considered more important than prior to September 11th. Yet almost one-third said their companies were still not adequately equipped to deal with an attack on their computer networks. The survey concluded that "many organizations need to revise how security risks, threats and costs are identified, measured and managed."

Is our information more secure two years after September 11th? Unfortunately, not by a lot. While some trends since 9/11 demonstrate progress in the field of information protection, opportunities for better information security practices clearly remain.