CyberWatch: protecting critical infrastructures
By Judith Lamont
Your enterprise is feeling good about security. As CEO of an e-business, you have overseen development of a security policy. Data is backed up and mirrored; recovery procedures are tested regularly. The IT department has, of course, installed firewalls and virus protection, and is diligent about patching. Intrusion detection software checks for unusual behavior on the network, and your customer database is encrypted. Your company's intellectual assets are well protected. What could go wrong?
Plenty, if no one is reviewing the intrusion detection logs—and even more, if no one knows how to respond to the intrusion. Firewalls and other software are necessary for protection, but the human element is the linchpin of a good security program. With their ever-increasing dependence on the Internet, businesses are recognizing that security awareness at all levels is vital. Trained security staff are important, but so are security-savvy CEOs and alert users.
Looking back, many people realize how fortunate they were when the Internet carried their messages on Sept. 11 when cell phone circuits became swamped. And looking ahead, many would like to do whatever they can to strengthen their own security and that of the Internet infrastructure. Because the Internet is a big place, beyond the control of any single organization, it's up to everyone along the way to protect it. Organizations that prevent their servers from flooding the Internet with messages that cause denial-of-service (DoS) attacks are part of the solution. Those that fail to take protective measures are part of the problem.
A number of government organizations have taken on significant roles in providing alerts, information and educational resources to support computer security efforts (see sidebar). The National Infrastructure Protection Center (NIPC), for example, has a broad mission that includes protection of telecommunications, finance, water systems and emergency services. In response to the growing need to protect the Internet, the NIPC announced in January 2001 a program called InfraGard. InfraGard, begun as a pilot program in 1996 and now encompassing all 56 of the FBI field offices, is a partnership between the government and private sector that is designed to benefit both.
"InfraGard was established as an information exchange," says Shawn Henry of the Federal Bureau of Investigation (FBI). Henry is a supervisory special agent for the computer investigation squad in the FBI's Baltimore, MD, field office. He participates in InfraGard by speaking to groups that work together to secure networks and respond to incidents.
"Education is key to preventing incidents," says Henry. "Our goal is to deter and prevent incidents, rather than investigate them after they happen." InfraGard collects information from many sources and sends alerts to its members. Also, InfraGard disseminates information about specific incidents. By providing the information anonymously, InfraGard addresses concerns that organizations have about revealing their vulnerabilities.
Indications are that the message about the importance of reporting incidents is getting out. In the "2001 Computer Crime and Security Survey" conducted by the FBI and the Computer Security Institute (CSI), 36% of companies experiencing intrusions reported them to law enforcement, up from 25% the previous year. That trend is encouraging, and points to the benefits of the InfraGard program and other efforts to educate government and private sector organizations about security.
Local chapters of InfraGard hold meetings on topics related to Internet protection. In Baltimore, for example, an upcoming meeting will cover the recently passed USA Patriot Act (PL 107-56), an anti-terrorism law with numerous provisions that affect cyber security. A panel of government attorneys will explain how the new law will impact corporations, and how law enforcement agencies will interact with cyberterror victims. InfraGard now includes 2,600 organizations of all sizes, and membership is free.
"We feel strongly that a partnership between law enforcement and the private sector benefits both sides," says Don Withers, president of the Baltimore chapter and CEO of The Training Co. "The nation's critical infrastructure, including the Internet, is owned by private companies, and it is important that private industry take a more proactive role in protecting it. Working with organizations like InfraGard can actually help prevent intrusions through the use of early warning information provided by the NIPC and other law enforcement partnership programs."
The education and training of information security staff is another key element in protecting the Internet. Shortages of experts in information security have been evident for several years, and are likely to continue despite a softer IT job market. In both government and the private sector, security positions have remained vacant for lack of qualified personnel. Companies seeking individuals for those positions can either compete for the experts or train in-house staff. A third option for covering the security function, still not widely used, is to outsource it.
Although most universities offer some computer security courses as part of their computer science programs, only a few offer a formal curriculum. However, more security-related educational resources are being developed. Over the past two years, the National Security Agency (NSA, nsa.gov) has designated 23 universities as Centers of Academic Excellence in Information Assurance under its Centers of Academic Excellence Program. Those universities must apply and qualify by meeting criteria established by the National Security Telecommunications and Information Systems Security Committee (NSTISSC).
The Center for Secure Information Systems (CSIS) in the School of Information Technology at George Mason University (gmu.edu) is recognized by the NSA as a center of excellence. CSIS conducts theoretical and applied research, and provides a range of courses, seminars and workshops in computer security. CSIS faculty also offer courses at the master's and doctoral levels in several departments at George Mason University.
Neil Johnson, associate director of CSIS, says the CSIS course work stresses security principles rather than product-specific skills. "The software is changing so rapidly," says Johnson, "that students' skills will be out of date by the time they graduate if we focus on specific products."
Another educational option is certification. Individuals with a foundation in information technology can augment their expertise and maintain credentials with programs such as the Certification for the Information Security Professional (CISSP) offered by The International Information Systems Security Certifications Consortium. (See sidebar for other professional associations.)
Online courses in computer security are making education in the field available to a wider range of individuals. Capella University, an accredited online university, is offering a new four-week intensive course called "Cyber Threats to Enterprise Security."
"The course is geared toward executives and managers who are not technically oriented but must make technical decisions," says Richard Costello, who teaches the course, "as well as toward IT professionals who are expanding their responsibilities to include security." Capella University also offers a certificate in Web security that includes a set of longer courses. Costello points out that adding security to the Internet is a challenging task because it was originally d