Cisco: IT Struggling to Cope With Internal Security

For enterprise IT managers, key pain points are insider threats, Web 2.0, compliance, and application security. Cisco’s bi-annual threat report, released today, delivers common-sense recommendations to solve these problems, which are intimately related to one another.

The most difficult to defend against might seem to be insider threats. The issue has certainly been in the news, with an energy company and the U.S. State Department being recent high-profile victims.

“There are three reasons why this problem is getting worse,” Patrick Peterson, Cisco fellow and chief security officer, told “The first is the economy. Many employees are acting out of desperation. The second is that the employer-employee relationship has changed, and people are now more willing to screw their employer and not think twice. The third is globalization and outsourcing.”

In response to this threat, Peterson said that enterprises have robust identification and auditing. But it’s possible to get it wrong. Peterson noted that the city of Bozeman, Montana recently asked job applicants for all of their passwords. “They were concerned with a real threat but the policy they implemented was probably illegal and certainly unnecessary,” he said.

Peterson said that businesses have to identify risks and apply policies to specific job functions and lines of business. “The business cannot have a one-size-fits-all policy,” he said. “We have previously emphasized the need to know your risk (less so in this report).”

“It’s surprising how many businesses don’t focus on knowing their risk, and don’t have a strategy to minimize it,” he said, and admitted that the fact that security policies are often driven by compliance rather than by risk management is a huge factor.

Peterson explained that means that they have to solve issues as they crop up. Nobody should be working now on an issue that was identified two years ago, but in the real world, many are.

“CSOs need to show leadership and take a look at real world risk issues,” he said. He noted that often in a specific vertical, such as financial services, companies will fix a problem when one of their competitors makes headlines because of it. Peterson said that when that happens, they should also try to figure out why they had not identified the problem before they read about it in the news.


Software development platforms are available to help companies manage this issue while they develop new applications. IBM has released cloud-based and licensed software to tackle the issue. Open source project TeamForge also promises to help companies handle this problem.

Verizon Business last week announced an application security service that handles the entire lifecycle and even helps companies improve their software development procedures.

Peterson said there’s a real need. “Given the rapidity of exploitation and the sophistication of exploitation, if you make a mistake, especially on the Web development side, there’s a higher risk now than ever before,” he said. “The bad guys are attacking so quickly.”

SaaS and Web 2.0

Organizations fear Web 2.0 but need to recognize what it could offer them, without ignoring the risks. “Security and threats share a lot with epidemiology,” he said. “Social networks are an epidemiologist’s worst nightmare: everyone in the same room sneezing on somebody else.”

The temptation is to shut it all down. Peterson said that the most secure e-mail service he ever used was as an undergraduate student at Stanford University in 1987. “I could e-mail anyone at Stanford. It was more secure than what I use now, but it was insanely limited,” he said.

Social networking policies must be based on real data. If they are arbitrary, users will end up fighting IT.

“If the IT department is busy saying no, the organization learns that IT is to be sidestepped,” said Peterson. “Then IT is in the position of asking how a system went live, is the software package audited, etc.”

“Business managers need to be more conscientious,” he explained, “but IT at the same time needs to engage with business and find ways to say yes.”

User education

Peterson said that when he’s training staff, even highly trained staff, videos can be more powerful than text. “When I show a video of someone browsing the Web and show what happened to them behind the scenes, even security people who understand — their eyes light up and they understand differently,” he said.

“When you say, ‘don’t touch the stove, it’s hot’ or ‘beware of an exploit on a Windows Active-X control,’ you need to communicate in real terms. Once they understand, ‘there are people who are trying to harm me and the company,’ that’s half the battle,” he said.

Guidelines need to be short enough to remember, he added. He said that many security policies were written 10 or more years ago and that items have been added to them but never removed.

One way to shorten instructions is to tailor security guidelines to a specific job function or line of business. Peterson noted that many IT departments already do this with endpoint management. “If a laptop is sitting on a desktop, then (as long as it’s not handling government work) it’s different than what a traveling salesperson will have.”
