IEN: What are the major security concerns facing industry? How can they be addressed?
Rosas: There are many challenges facing different industries. The challenges are different for each industry but several common themes keep recurring: Safeguarding critical infrastructure and information systems. The Homeland Security Department has defined critical infrastructure. Visit their website for details on this. I will focus on the information systems and cyber aspect because it is what we primarily do.
Most businesses will continue to struggle with cyber threats because upper level management at large corporations is not committed or is misinformed. They need to be more committed to addressing threats from within (insider jobs) and from outside (competitors, hackers, and foreign agents). This effort is best coordinated when all aspects of security (physical, cyber, telecom, access control, and policies) are coordinated together. Many times the top security directors at many companies are ex-cops or military. This is good only if you are concerned primarily with defending physical assets and conducting investigative work, but given today's high tech world, information from guards, administrators, and employees is entered in computers and exchanged over the telephone. Often the links between physical and cyber are ignored and companies have a disconnect, which leaves them vulnerable. Many times the most sensitive information is disclosed on cell phones, conference calls, and regular telephone conversations, and companies leave this area an easy target.
Make no mistake about it -- there are no guarantees from the phone companies about your information not being intercepted by others. Regular landline communications have no encryption at all, while some of the wireless providers have weak encryption. Conference calls are the same as regular calls and have nothing to safeguard the transmission of private or proprietary information. All you need on a conference call is to intercept one participant and you'll be able to listen to the entire group. Although intercepting information is illegal, it happens every day and not just by the feds. For example, if a U.S.-based company has operations overseas, the situation is worse because many less developed countries make a living stealing U.S. technology to implement within their own countries. Countries that have state-owned telcos are notorious for this type of operation. If you asked or polled companies about what they are doing to safeguard communications, many of them would say something like "we have a firewall" or "our computer systems are safe," but often they have no protections on the medium used most often: voice communications.
IEN: Where are strides being made: In risk management? Integrated systems design? Emergency response? Hazard controls? Computer security? Elsewhere?
Rosas: To overcome these communication challenges, federal institutions and private industry are implementing standards to validate product integrity through programs sponsored by NIAP (National Information Assurance Program) and NIST (National Institute of Standards). Both of these bodies help to ensure products meet basic security standards and design. Although having a product certified through these agencies means that your product is designed to work properly, it does not guarantee that those products' security features cannot be defeated or broken.
The biggest areas of concern in electronic security are primarily over secure VoIP conversations because companies want to integrate voice over their data lines to reduce telephony costs. Many times this can produce headaches and turf battles internally within organizations due to budgets, priorities, and final outcome (who manages what). Sometimes cost cutting comes at greater risks that can outweigh the benefits of lower telephony bills.
Secondly, more people are talking about wireless security for many of the same reasons. People want to connect to the Internet from anywhere on their laptops and mobile phones. This too has dangerous pitfalls because many LAN administrators have demonstrated time and again that they ignore basic safety preventative measures. The two main questions that every organization should ask when deploying wireless technologies are:
- What will wireless technologies enable us to do over current systems? and
- Whom do we intend to secure ourselves from?
There are many companies that have some form of security and the security levels are not made to prevent professional hackers or intelligence gatherers from getting around the safeguards. As one co-worker told me one time, "I see a lot of elementary-grade security but not much to prevent college-level or experienced pros from doing damage."
Wireless connections for both laptops and mobile phones are very prone to attacks known as "man-in-the-middle" (MIM). This happens because both the access point and the device lack dual mutual authentication. Most systems in the U.S. operate on a "trust" model where the user is trusted by the access point. Short of stronger encryption and a "distrust" model, you will continue to hear about someone's private conversation posted to the Internet or computer systems being exploited. The general rule of thumb is if technology makes life easier for consumers, it also makes it easier for the bad guys.
Trying to resolve this issue should involve multiple personnel from any organization given that problems arising from vulnerabilities are more than just an IT problem. All policies that deal with remote access, employee mobility and communications should involve everyone from the corporate security directors to HR to the CEO. This can substantially reduce the risks of implementing useless technologies that can potentially expose organizations to more attacks.
IEN: What innovations are in store for users in security equipment and systems, software, training, and other areas?
Rosas: Global Teck Worldwide provides companies with an integrated system that combines several security functions into one platform. It provides security as a firewall to the PBX telephone systems while providing encryption to all communications (landline, cellular, conferencing, and fax). Most of this technology was primarily used within military commands but has been making its way to the commercial arena. We also provide the first ultra-small in-line encryption device (snapcell) for regular mobile phones. All of our competitors provide expensive special mobile phones.
You will continue to see products that will be dual-purpose equipment either used by the military and modified for commercial use or ready out of the box for both purposes. Additionally, you will see more companies that make security products integrate additional functions into their products instead of just standalone devices.
IEN: Where are other R&D hot spots?
Rosas: Wireless everything because people want to be mobile and they want their information instantly.
IEN: Is the web a significant factor? Why/Why not?
Rosas: The web will continue to grow as a medium for information exchange and transactions globally. It is one of the few media that have universal acceptance. It is the cheapest way to get information or communicate with multiple people. The major concern that continues to haunt it is privacy and security protections. Some of the concerns are unwarranted because people do ridiculous things that compromise their privacy without ever having to use a computer.
IEN: Will wireless technology play an increasing role in security? If so, how?
Rosas: As mentioned earlier, wireless is red hot but not everything that glitters is gold. Shopper beware, because not all products protect everything equally. Some of the wireless products out there don't protect anything at all. Again, every organization must balance their needs against the risks they are willing to take using wireless technologies (i.e. using wireless monitoring cameras, wireless access points for Internet, BlackBerries, mobile phones, wireless point-to-point connections). All these technologies are prey for the bad guys who want information, and in today's electronic economy, knowledge is power, and having information that can save your company millions or prevent it from losing millions is even more powerful. It's up to every organization to scrutinize each component and determine how to ensure security on each of them.
IEN: How can companies integrate security technologies within the industrial enterprise?
Rosas: The best approach is a holistic approach involving all the players within an organization who may need to use the technologies (management, IT and security officers, HR). Systems are not on islands because everyone is affected when emails go down or a telephone system is not working. Every company must determine how much time, money, and effort they want to invest in security. Additionally, more companies should adopt security awareness policies. Obviously, not all companies have great secrets, but every company talks about marketing plans, development, financial information, new products, competitors, campaign strategies, etc. -- information that would impact them negatively if their competitors acquired it. Also, many large and small companies currently experience a certain level of economic loss from proprietary information theft and can take initial steps to reduce their loss. One of the primary ways is to ensure that their information is protected when they communicate, using encryption and PKI.