Spend big or get little on security

Julie Lucas says she once considered computer security boring. Now, with a 12-year stint in the Navy behind her, Lucas is the general manager for security solutions at Enterasys Networks Inc. of Portsmouth, N.H.Before joining Enterasys in July, she had spent a year as information assurance practice director for Global Network Technology Services of Miami. The job, overseeing the design of the company's service offerings, was her first after a naval systems career.From 1996 to 2000, she was the Naval Computer Incident Response Team officer and guided NAVCIRT's worldwide monitoring and response to attacks on Navy and Marine Corps systems.Before that, Lucas was assistant director for data communications for the Pacific Fleet, director of the fleet's largest training center and computer repair shop, and responsible for the naval communications database.Lucas holds a bachelor's degree in computer and information science from Ohio State University and a master's in IT management from the Naval Postgraduate School.GCN senior editor William Jackson interviewed Lucas at a recent Washington trade show where she was a speaker.LUCAS: I was on active duty from 1988 to 2000, and from 1994 to 1996 I was fortunate enough to go to the Naval Postgraduate School in Monterey, Calif.I had become hooked on computer security at a 1991 seminar where I sat for two-and-a-half hours listening to a lawyer talk about security and about hackers. But I felt like I sat there for only 10 minutes.The lawyer said, 'If this intrigues you, go buy The Cuckoo's Egg.' I bought the Clifford Stoll book. I was not an avid reader at the time, but I read the whole book in two days'couldn't put it down. I was hooked 100 percent on computer security. I thought it was boring before that.So I took my master's in computer security and was fortunate enough to be selected the NAVCIRT officer on leaving the postgraduate school.LUCAS: He was an assistant district attorney out of Chicago, a very dynamic speaker and one of a handful of lawyers who were actually prosecuting hackers at that time. I got to meet him again when I was a NAVCIRT officer, and I told him, 'You had a major impact on my life.' He said, 'I hope it was positive.'LUCAS: Yes, I would say it was. It was intriguing to see a payoff from the practices and procedures. I got to meet a lot of very talented, dynamic people, many of whom I still keep in contact with. It was a great job for anybody in the military looking to expand computer security. I highly recommend any of the military's information warfare centers.LUCAS: I would say we took it very seriously. I'd attribute the successes to strong teamwork between the Navy, Marine Corps and Naval Criminal Investigative Service, as well as support from upper management.That government experience gave me a good foundation to build on. It gave me a good understanding of the processes and procedures, the real critical requirements, and how a computer incident can impact more than just operations.At Enterasys Networks Inc. we were already expanding our security offerings before Sept. 11. It has been seen as a strategic play for well over a year. Our plan has been to roll out a full set of services that would complement our standing products to cover the whole range of security.The awareness level about disaster recovery is increasing. People who had been saying 'This could never happen to me' are looking at their operations and saying, 'What if this does happen again? What if the power goes off? How could I keep running?'A few years ago, there were a couple of cases of companies that did the bulk of their business online. Their systems were broken into, and they went down and were losing large numbers of dollars every hour. They had to get back up and be operational quickly. This helped to create an overall awareness level where people realized they do have to plan for these events.LUCAS: I think the biggest difference is that you have more senior managers willing to write checks. They are starting to reprioritize their budgets and realizing that this is something they have to be prepared for.You should look at security as a form of insurance. As part of an information assurance assessment, we can either write from scratch or rewrite a disaster recovery plan.I use the fire analogy a lot. There is a list of requirements you go through to protect a building against fire, including putting in smoke alarms and sprinkler systems. They are analogous to your network intrusion detection systems and your firewalls, so that you can detect and react quickly when your network is attacked.Part of the response to a fire is having a fire marshal come in and do the root-cause analysis after the fire is out, and that's what computer forensics does.The Office of Management and Budget is now requiring agencies to use best practices for security and rating each agency on its security practices. We have several customers that have implemented our security products to tighten the reins. The National Security Agency is also mandating security practices for the Defense Department, and we are working with those agencies to ensure conformance.LUCAS: I think the needs are similar across the board; it's just a focus on your priorities.Probably the biggest difference we see from the government side is that it is more difficult for agencies to get resources. They have some definite hurdles when it comes to getting the dollars to implement the great plans.They've got the regulations'you will do this'but they're not getting the dollars to back it up.LUCAS: From where I sit, there has been a change, but not enough of one.LUCAS: That's a broad question. You can look at specific sectors, such as the civilian agencies, and they are way behind. And you can look at others that are further ahead.Now that I have been out of the military for a couple of years, I would say that the military, which is the part of government I'm most familiar with, was ahead of many companies in the commercial sector when it came to computer security.That's not to say that the military has everything perfectly in place, but I've been impressed since I've been in the commercial world at how much we had in place in the Defense Department two years ago.LUCAS: I was surprised at that. I don't know why DOD got that low a grade. Maybe it's the difference between where they would like to be and where they actually are. That goes back to the dollars and how much funding is provided for security.And you have to look at the distribution of the tools. It's not enough to put the best-of-breed products at the center of the system. Everyone has to have access to them.A few years back when I was on active duty, DOD had just gotten Zenith 248 PCs. There was a study of the contracting for those systems, and it turned out that well over half of the systems that were available were right around Washington.At that time I was out in Hawaii, and it was hard for us to get the systems because we were farther from Washington. So just having a contract for a technology does not mean it is available to everyone.You've got to look at the whole enterprise to find the weaknesses. That's probably where the grade of F came in.