There are plenty of complicated documents that can guide companies through the process of designing a secure data center--from the gold-standard specs used by the federal government to build sensitive facilities like embassies, to infrastructure standards published by industry groups like the Telecommunications Industry Association, to safety requirements from the likes of the National Fire Protection Association. But what should be the CSO's high-level goals for making sure that security for the new data center is built into the designs, instead of being an expensive or ineffectual afterthought?
Stories by Sarah D. Scalet
Rick Santoro, who's in charge of security for Trump Entertainment Resorts in Atlantic City, N.J., would seem the ideal candidate for using video content analysis -- that is, technology that helps organizations draw intelligence from their surveillance video. Hotel and casino operators like Santoro's company are known for having cutting-edge surveillance, the better to prevent loss and fraud on their high-stakes gambling floors.
One quiet Monday in July 2004, at the height of the summer vacation season, a call center representative at a midsize U.S. financial institution answered a peculiar call.
At first, the ChoicePoint security breach seemed not only ordinary but almost insignificant. That same month, February, saw stories that had bigger numbers (Bank of America, 1.2 million names and Social Security numbers) and more sex appeal (T-Mobile, Paris Hilton) than the predictable details of the ChoicePoint case. Thousands of victims, compromised Social Security numbers, an arrest on charges of identity theft. Yada yada yada. But somewhere along the way, the ChoicePoint saga became the spark that caused an explosion.
Maybe I clicked "no" in a dialog box that I ought to have closed, or installed a bogus version of a browser plug-in. Maybe I just visited the wrong website on the wrong day, and with my Web browser's unwitting compliance became a victim of a drive-by downloading of rogue software. Whatever the case, my punishment was brilliant and unstoppable. The spyware hijacked my Web browser and bombarded me with pop-up ads, even when the browser was closed and the network connection was unplugged. It made dubious offers of antispyware tools that would supposedly clean my system, yet hid from three legitimate cleaning tools and my antivirus software. It resisted my attempts to close it from the Windows task manager or delete it from the startup file. Applications ran grindingly slowly, and my system crashed so often that it was rendered useless. Whenever I thought I had the monster killed, it reared its ugly head again.
Fever. Nausea. Vomiting. Diarrhea.
At first, bioterrorism--whether it's inhalation anthrax, smallpox, pneumonic plague or something else entirely--will probably feel like the flu. You'll be miserable, but you probably won't be alarmed. You'll go to your local drugstore, clinic, maybe an emergency room. Doctors in one place or another might notice a small uptick in flu-like symptoms. But no one will see the pattern. Until the dying starts.
In the five-minute morning walk from his Washington, D.C., apartment to the J. Edgar Hoover building, headquarters of the U.S. Federal Bureau of Investigation (FBI), Darwin A. John, the bureau's new CIO, thought about his upcoming interview with this reporter and made himself a promise: "I'm just going to talk specifics." Infrastructure upgrades. A virtual case management system with multimedia capabilities. A data warehousing project with advanced search functions that would help the FBI "know what it knows," and thereby prevent intelligence failures like the ones that led to 9/11.
But despite his best intentions, that's not what happens. By 9:30 a.m., John, a slightly rumpled, deeply jowled elder of the CIO profession, is talking about how the FBI needs to think "holistically," how law enforcement agencies and the Department of Homeland Security can work together to find "simplicity on the other side of complexity," and how having a philosophical bent could work to his advantage at an agency that worships action, not thought.
Of all the ineffectual e-mail disclaimers I see, one I received earlier this week takes the prize for self-defeating impotence. A public relations flak wrote me trying to get publicity for a security conference. His was the standard spiel: the whos who would be there, the whats that would be learned, the wheres and whens and whys. But at the bottom of the message, I found this disclaimer:
"CONFIDENTIALITY: The information contained in this E-mail message is intended only for the personal and confidential use of the designated recipient(s) named above. This message is intended to be a confidential communication and may involve information or material, which is protected under state or federal privacy laws."
Something had been bothering Peter Johnson ever since last November, when the announcement of security flaws in the standards used for wireless LANs boomeranged his wireless project for the U.S. Army back to the drawing board. It wasn't that the initiative was delayed several months while Johnson bought encryption technology. It was those ads in the Sunday newspaper fliers for cheap wireless LAN hardware on sale at your local electronics store.
"The average person buys it because they say, 'Hey, I can run my computers off of one network'" and one Internet connection, says Johnson, former CIO of the Army's Program Executive Office of Enterprise Information Systems in Fort Belvoir, Va. "The technology is great. It's inexpensive. But this technology that's being sold for a couple hundred dollars doesn't come with a big red sticker that says, 'Warning, this is really insecure.'"