Recently, I interviewed a vice president of systems security for a small
financial organization. Its environment consists of 100 users, 150
workstations, 40+ production servers, 13 routers, three large backbone
switches, and three Internet connections. It's one of my clients, and so
I have not included the organization's name. However, the exchange
should give you a glimpse into how other groups are protecting their
organizations.
Q. What security initiatives has your organization completed this year?
What initiatives lie ahead?
A. Annual penetration tests and social engineering tests have become
the norm, as well as live disaster recovery exercises. We initialized a
formal Incident Response Team (IRT), held security training for the IRT,
as well as educational sessions for board members. We've updated our
intrusion detection systems, and formalized better patching processes
utilizing more automated updates. We also replaced our external facing
firewalls with newer technology. All in all, it's been a busy year, and
I don't see it letting up anytime soon! Next year we will refine our
incident response handling, institute file integrity checking, and
continue to tweak our security processes.
Q. What do you see as the biggest challenge faced by InfoSec
practitioners in the next 12 months?
A. The simple answer is keeping our systems patched. The more complex
answer is the issue surrounding the arguments for and against full and
open disclosure of vulnerabilities. I believe that there needs to be a
consensus within the InfoSec community as to how we handle new
vulnerabilities before an exploit is released into the wild. If
security professionals cannot come to an agreement on how to deal with
the notification of new vulnerabilities to vendors and the community,
we've already lost the edge.
Q. With security being such a dynamic field, what do you do to keep
yourself and your team up to date?
A. The Internet is an invaluable resource - Slashdot, The Register,
Security Focus and PacketStorm are my typical morning reading material.
Magazines such as Information Security are also great resources.
Additionally, we involve ourselves in various security training courses,
seminars and conventions, such as SANS, BlackHat and DefCon. Being able
to immerse ourselves in the security arena and keep abreast of every new
security vulnerability and exploit in the wild is a considerable
challenge.
Q. Do you think it is getting easier or harder to protect corporate
assets?
A. Both! While it's getting more difficult to protect from the daily
onslaught of new exploits, the security community is getting better at
earlier detection. As such, those security professionals who stay on
top of the latest news are able to patch their systems quickly and avoid
the exploits - unless they were part of the "0-day" group.
Q. How much management support does security have in your organization?
How high in the management chain does security awareness and concern
flow?
A. In my organization, security has been looked at for years as
overhead. But recently, over the past 18 months, both IT and
management (up to and including the CEO) have taken on a newfound
awareness of the risks associated with security vulnerabilities. As
such, IT is receiving more attention and resources to deal with security
issues.
Q. Remote users and road warriors are a challenge for many security
organizations. How does your organization protect these users?
A. Remote users are definitely the most troublesome to secure, simply
due to the nature of users to work their way around any security
measures, given enough time and energy to do so. One way that we've
found to verify the integrity of these remote machines is to use the
login process to verify that all expected patches are in place. If they
are not, then access to the network is denied. Other tools we use to
protect the remote machines themselves are personal firewalls,
ideally administered from a central console that will lock out users
from making changes or closing out the firewall completely.
Client-side anti-virus is an obvious tool as well.
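The login-time gate described above, as an added example that is not part of the original interview: a remote client reports a small inventory at login, and the gate denies network access unless the expected patches are present, the personal firewall is on and anti-virus signatures are current. The report format, the `REQUIRED_PATCHES` baseline and the patch identifiers are all constructed placeholders, not values from the article.

```python
"""Login-time posture gate for remote machines (added example).

Assumption (not from the article): each remote client submits a
dict describing its platform, installed patches, firewall state
and anti-virus status; the gate returns an allow/deny decision.
"""
from dataclasses import dataclass, field

# Constructed baseline: required patch identifiers per platform.
# These are placeholders, not real patch numbers.
REQUIRED_PATCHES = {
    "win2k": {"PATCH-EXAMPLE-1", "PATCH-EXAMPLE-2"},
    "linux": {"kernel-fix-example", "openssh-fix-example"},
}


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def evaluate_posture(report: dict) -> Decision:
    """Fail closed: an unknown platform, a missing patch, a disabled
    firewall or stale anti-virus signatures each deny access."""
    platform = report.get("platform")
    required = REQUIRED_PATCHES.get(platform)
    if required is None:
        return Decision(False, [f"unknown platform {platform!r}"])

    reasons = []
    installed = set(report.get("patches", []))
    missing = sorted(required - installed)
    if missing:
        reasons.append("missing patches: " + ", ".join(missing))
    if not report.get("firewall_enabled", False):
        reasons.append("personal firewall disabled")
    if not report.get("av_signatures_current", False):
        reasons.append("anti-virus signatures out of date")
    return Decision(not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample report from a laptop missing one patch.
    sample = {"platform": "win2k", "patches": ["PATCH-EXAMPLE-1"],
              "firewall_enabled": False, "av_signatures_current": True}
    print(evaluate_posture(sample))
```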
Q. Has your organization experienced any attacks, outages or incidents
in the last 12 months?
A. Like most organizations on the Internet, we have had our share of
"events". We experience attacks each and every day, mostly from script
kiddies performing scans and running scripts that they have no idea how
to really use, such as running IIS exploits against a Domino server.
Other attacks are more focused, and appear to be from more knowledgeable
attackers. Keeping the attackers at bay and avoiding downtime is an
ongoing effort.
Q. What are three risks that your organization is most concerned about?
What special steps have you taken to mitigate these threats?
A. Data exposure - Being a financial institution, we are keenly
protective of our customers' data. We do the very best we can, with the
time, money and resources we are given, to protect this data. Layered
anti-virus (e-mail gateways, servers, and clients), firewalls, intrusion
detection systems, file integrity checkers, user education and more are
all part of this protection that we've built and continue to refine and
test on a monthly basis. We also keep on top of the mundane art of
patching and hardening our systems.
0-day exploits - There just isn't much we can do to directly protect
against a brand-new exploit. We can have a perfectly patched and
hardened system, but when a vulnerability comes out with an exploit
immediately following it, or worse yet, an exploit that hasn't been
released and recognized yet being used by a "professional" attacker,
there just isn't much we can do except to watch for such occurrences,
learn to recognize these events for what they are, and take defensive
measures. Having a pre-defined process for handling such occurrences is
critical.
Denial of Service - Again, there isn't much we can do to avoid becoming
a victim of a coordinated DoS. There are, however, ways to mitigate
downtime by becoming familiar with how to detect a DoS and developing
relationships with our upstream providers so we're able to quickly talk
with them to create ACLs to reduce or eliminate the traffic.
Q. What is your advice to new InfoSec practitioners looking to make this
their career?
A. Hack, hack, and hack some more! Going through a class and learning
in a classroom setting is good for baseline knowledge, but experience is
what counts in this arena. I believe it's the same for any good
security engineer or sysadmin - there's no substitute for experience.
So put together your home network with a few systems, and start hacking!
Thanks to Bruce for his time and assistance with this article. I hope it
provided you with some insight or thinking points. One of the keys to
success in the future of InfoSec is working together as a community.
Take a moment in the coming weeks to identify ways that you and your
organization may be able to get involved with the security community in
your area.