Securing the network: Don't let a cyber-faceoff push your career offline
Sep 1, 1998 12:00 PM, JOEL KONICEK and KAREN LITTLE
Try creating a partnership with the management information systems department. It will help you manage the interface of security and the network. Start with understanding the technology.
A new layer of information technology (IT) is gradually being added to physical security's list of things to interface. This layer involves the integration of electronic access control, CCTV and intrusion detection systems into corporate-wide computer networks. Managing and securing this new layer requires an intelligent partnership between those in charge of physical security and those in charge of management information systems (MIS).
Unfortunately, network-related issues are often overwhelming to many security managers. Failure to understand networking, however, can lead to physical security breaches and, equally bad, loss of a job, simply because the security manager cannot keep up with technological demands.
To understand the problems imposed by networking, we interviewed seven experts, each of whom plays an important role in network and physical security. Their advice and insights about how to learn this important technology quickly are woven into this article.
If you are new to networking or in the process of having your centralized access control system tied into a corporate network, use this article as a checklist of things to learn. If you are an MIS professional, use this article as a way to better understand what physical security managers need to know, then consider organizing your information around the key points presented here.
The past: physical security almost meets cyberspace
In the past, user-friendly meant that software hid the complexities of computer operating systems. With greater connectivity on the rise, it now means that the friendly user must be very well informed.
Security professionals are trained to watch physical resources - buildings, interior rooms and assets (people, products and property). They do not commonly have a computer background, but this is changing as people coming up the ranks are learning about network management.
To date, computerization has provided security departments with the means to monitor, program and control remote hardware, such as access control and CCTV. In many large organizations, these security systems can be categorized as centralized, meaning that no matter how many workstations are present, all are under the direct control of security management. If someone tried to break into such a system, they would have to shove a guard out of the way to do it.
Limited knowledge of MS-DOS and/or Windows was usually all that was required to run a centralized security system. This is because software was designed to minimize operating system issues and maximize user-friendliness in performing tasks. Once a system was programmed and everyone was trained, security managers could ignore background processes and get on with their work.
The future: everyone's doing IT (information technology)
Enter decentralized IT systems in the form of local area networks (LANs), wide area networks (WANs), Intranets and the Internet. As the economy has prospered and corporations have spread well beyond neighborhood, city, state and continental borders, computer connectivity has become critical.
Now before we get too deeply into the subject of networks, let us consider that we expect flawless, global telephone connectivity, even though we know little or nothing about telephone technology. We have grown to expect the same type of flawless performance with information connectivity (networking), except now, we are building the transmission links ourselves through corporate networks, with many novices on the cutting edge of learning how this is done.
Networking issues are becoming so important that many security managers must often consider connectivity over and above security hardware features. Even though a security manager may never directly run a network server, he or she must understand it like a pro.
Here is an example of why: Much attention is given to virus protection and firewalls as a means of defeating vandals and hackers. Yet, unsecured networks inside the organization pose an even greater threat potential. In an unsecured network, anyone using Windows Explorer or a similar program can select a number of critical files, press DELETE, then leave the building without anyone being the wiser.
Fear not! Even though expertise in computer networking may seem impossible to acquire, anyone who has ever set up an orderly physical access control system will catch on quickly. You may not know exactly how to program a network server, but you will be able to ask probing questions based on the tips in this article, gain critical information, establish clear policies and communicate intelligently with other decision-makers.
You must understand:
- the needs of MIS or IS (information services) departments that administer networks;
- the needs of individual network managers, who control divisional or department network servers; and
- how critical computer systems are physically secured.
This includes knowing how privileges are granted, what constitutes folder and file control, what boot-up restrictions are in place, whether auditing and alerting systems are being used and establishing the proper procedures for securing backup media.
How to learn IT - advice from our panel
1. Marvin Shadow Herman, security director for National Gas Clearinghouse, Houston, follows a strict, self-imposed educational path. He is active in ASIS, being the chairman of the local chapter in Houston, and is pursuing CPP certification, which he hopes to achieve this October.
From his viewpoint, the most important part of moving into a new system is pinpointing what you need to know, then patching in information wherever it can be found, because there is no one course that provides it all. Planning for an ASIS meeting on computer networking, for example, leads to valuable resources that benefit the planner beyond just listening to a guest speaker.
He also advises taking advantage of corporate training programs on standard office software because standard software lets you see how networks are used from other viewpoints. Remember, knowing how people use a network is similar to observing how people approach a building on foot. You start understanding how they can get inside and move around - legally or not!
2. Melisa Sakamaki, manager of security, Qualcomm Inc., San Diego, is familiar with Mac computers, but her company is now converting to Windows NT systems, a new topic for her. In addition, the access control system she manages is being upgraded from the MS-DOS operating platform to networked Windows NT workstations. She now needs very computer-literate people to support the network.
To meet the challenge, Sakamaki instituted within her group the position of systems specialist - a person charged with working closely with the manufacturer and dealer installing the new access control system as well as mastering Windows NT itself. Dedicating an employee to focus on the computer aspects of physical security is becoming more common. This type of expertise, however, was unnecessary just a few years back.
3. Rich Custer, director, Engineered Systems Group, Northern Computers, says networking issues are forcing security managers and dealers to make a tremendous jump in technological expertise within a short period of time. Conceptually and technically, networking requires highly skilled technicians at a time when there are not enough trained people to meet the demand.
Custer's recommendation is that before taking on such changes, security managers should identify all available resources, both human and informational. To stay in control, ask IT professionals for advice as to where to start learning, forge good relations with manufacturers and dealers who understand networking issues, take classes on networking, and even hunt for information on the Internet.
4. Todd Gaenzle, information security manager, AAI Corp., Hunt Valley, Md., is one of those rare people who started out working in physical security, then got a degree in computer science. He is one of the pioneers in forging links between information technology departments and physical security.
Gaenzle contends that security managers must be aggressive about telling information technology professionals what they need, or they can be overlooked. Information technology professionals are busy with every aspect of large corporations, of which physical security is one. The problem is, of course, that the physical security manager is in charge of keeping everyone and everything safe. Consequently, that manager must make his or her voice heard.
Gaenzle strongly recommends creating policies and procedures based on input from key administrators. When committees are charged with responsibility, the result is that everyone learns faster (more on this later). He also recommends surfing the Internet to get up-to-date information on networking. When security managers find crucial information, such as, perhaps, information on a newly discovered virus, they should e-mail this information to information technology people. They should not assume computer people know everything. It takes teamwork to keep everyone on track.
5. Likewise, Larry Belkin, supervisor of security systems, Disney Studios, has worked all his life in physical security, getting his law degree along the way. It is not surprising, then, that he believes a broad background helps forge better relations between disciplines.
Good communications just cannot flow between departments if one manager feels fearful of another. Many times he has seen security managers not ask the right questions of information technology professionals because they are afraid the questions might seem dumb.
Belkin believes that the best way for a security manager to get guidance is to go to the guide and ask him or her where learning should start. A good information technology person will pepper conversations with questions like: What do you think? What are you looking for? How do you want to work with this? Likewise, the security manager must learn to ask about information technology's needs, too, keeping an open mind and a desire to learn more.
6. Herbert Guenther, consultant, Security Exports International Inc., West Allis, Wis., owned his own security dealership before becoming involved in exporting and network implementation. The problem he sees is that most security managers simply do not know where to start learning; everything seems overwhelming.
A good place to start, he recommends, is to learn about the network currently in place. What software drives the system? (Windows NT? Unix?) What communications protocol is being used? How does the corporation envision sharing database information between departments? And most important, what is currently being done to secure the system?
7. Last, Ethan Wilansky, consultant, author and trainer, Network Design Group, and owner of Atlas Online University Inc., Rockville, Md., is a network specialist who recommends that security managers use an independent network auditor who can certify that the network is secure. Why? Well, unfortunately, when networks are being developed, security is often lax in order to get the system up and running quickly. What can happen, then, is that network administrators forget to close all the holes. Double-checking their work through an independent auditor can help everyone feel more secure.
Wilansky further recommends that security managers know where all the computer servers (hardware) are located throughout the facility and make sure that none are vulnerable to theft or manipulation. Also, make sure that network administration privileges are properly restricted. It is not uncommon for everyone in an information technology department to be able to access everything on a network. If it seems like too many people have unrestricted access to the system, it is up to the security manager to address the issue.
Our panel had many more things to say, many of which will be included in part two of this article, "How to secure IT: What security managers need to know," to be published in the October issue of this magazine. By expanding on the information to be provided, you will rise rapidly in your quest to master networking.
© 2008 Penton Media Inc.