Insider threats from employees and trading partners, interconnected networks with no clear boundaries, and the potential for terrorist cyberattacks against corporate networks are among the top worries for technology managers, according to those attending the Gartner IT Security Summit this week.
"One of the largest threats facing us today is the interconnectivity of business associates," said Cynthia Stoller, CIO at US$5 billion global shipping giant APL, which has its US headquarters in Oakland, California. She spoke during a panel discussion with colleagues from the transportation industry.
"Internal users, contractors, trading partners, outsourcers and agents are needed in this logistics supply chain, but supply-chain systems are very open," Stoller said. "We don't have an isolated infrastructure."
To gain confidence that these business partners are applying satisfactory identity checks and authentication measures, Stoller said APL asks for periodic "infrastructure audits" in which business partners prove how they handle security procedures.
Bob Offutt, chief architect for the American Airlines business division that operates the Sabre travel-information network, said he also has growing concern about interconnected networks, especially because Sabre is migrating from an older proprietary system to an IP-based network with access to the Internet. There are 374,000 Sabre terminals used by airlines, car companies and hotels.
"This new open system (based on Web services) is starting to make our infrastructure very porous," Offutt said.
Sabre is using Netegrity's SiteMinder access-control software to centralise security controls, as part of what Offutt called a "universal services gateway" that includes Kerberos-based tokens for authorising online sessions.
Jim Flynn, CIO at United Parcel Service, told attendees that "attacks to break into our network are growing in complexity." UPS is having employees and business partners shift from using single, reusable passwords to double passwords or RSA Security Inc.'s SecurID tokens for dynamic passwords.
Bill Spernow, chief information security officer at the Georgia Student Finance Commission, said he was brought in to improve security after a major online breach a few years ago found students' personal data posted on the Web. Among his strategies is to "treat everyone as outsiders," he said, adding that he now requires use of public-key infrastructure tokens for authentication. "I also create a duplicate image of every hard drive, whether it's an appliance or a server," so that the organisation can access a copy of any hard drive in about 15 minutes if one were to be ruined during a network attack, he said.
David Zanka, chief information security officer at FedEx, said computer worms such as Code Red — which two years ago disrupted the company's internal network so badly that it couldn't even file flight plans — have compelled FedEx to improve patch management and network segmentation.
"We empowered the officer running the response team to make any decision necessary to keep the business running," Zanka said. "(It) means you can unplug anyone from the network or purchase any kind of equipment (you) want."