This week, Stephen
Ibaraki, I.S.P., has an exclusive interview with noted security authority and
editor, Mike Fratto.
Mike Fratto is Editor of
Secure Enterprise. He previously was a Senior Technology Editor with Network
Computing and Executive Editor for Secure Enterprise. He had been with Network
Computing for 7 years and has been following the security beat for the last 5
1/2 years. He has spoken at several conferences including NetWorld+Interop,
MISTI, the Internet Security Conference, as well as to local groups. He also
teaches a network security graduate course at Syracuse University. Prior to
Network Computing, Mike was an independent consultant. Mike can be reached at mfratto@nwc.com.
Discussion:
Q: Mike, with your long history of accomplishment in information
technology and in the security arena, we are very fortunate to have you do this
interview. Thank you!
A: Thanks Stephen.
Q: Describe the events that led to your work as an independent
consultant.
A: I was majoring in
philosophy at Towson State University when I picked up my first 8088 clone to
write papers. I eventually started programming and learning about remote
communications. I ended up talking with a few organizations that had remote
offices and were paying people to save data onto diskettes and mail them back
to a central office. I figured I could do it cheaper and faster. I developed
some custom programs using a communications package called CrossTalk Mark 4
where I could launch programs remotely on computers via modem, and retrieve the
output. I spent a lot of time hacking DOS programs (hacking in the fun and
creative sense, not the criminal sense), talking to developers, and building
screen scrape routines. It was pretty rare knowledge and there weren't a lot of
people who could do it.
Q: What important lessons can you share from that period?
A: That I could bill out big
dollars for having fun! Seriously, I found that people will pay for specialized
knowledge and skills but even in a technological field, you need to put people
first. The work I was doing was pretty rare, but it wasn't rocket science.
Anyone who ran a BBS system at the time (the late 80s) could have done the
same thing. I kept getting business because I was good at what I did. I was
fair to my customers, and I didn't nickel and dime them to death.
Q: How did you get into writing for Network Computing?
A: I moved to Central New
York to be with my wife and started going to Syracuse University's School of
Information Science and Technology. I took a course with Dave Molta, who is now
a Senior Technology Editor, with Network Computing. He introduced me to Bruce
Boardman, Executive Editor for Network
Computing, and he was testing remote access servers. We got to talking about
modems and my experience and he asked me if I wanted to freelance. I liked the
work and the people, so I freelanced through my last two years of college and
then went full time.
Q: How would you differentiate your work as Editor and Senior
Technical Editor?
A: As Technology Editor, I
was pretty focused on understanding the market space I followed, first remote
access, then security, and understanding the products within that market, and
understanding what the products claimed to do. Then I had to figure out how to
test them. I had to look at products not from a feature standpoint, but from a
solution standpoint. I had spent quite a few years consulting so I naturally
evaluated products as if I were going to have to live with them for the next
few years. So I evaluate products according to their utility. I also had to
keep in touch with readers, people who were my peers, to understand what issues
they deal with.
As Editor, I still do
testing, but I also drive the content of the magazine, the articles, and other
external events that help us reach our readers, for instance, working with CSI
to run presentations. I also monitor the overall quality of articles, and
generally oversee the big picture.
Q: Why should our audience faithfully read Secure Enterprise? How
does Secure Enterprise provide competitive advantage? You reach 45,000
professionals; how will you drive growth over the next two years?
A: You should read Secure
Enterprise because we are good at what we do. The people who write for Secure
Enterprise are former or current IT and security administrators who understand
the problems that readers face. While I haven't been in IT administration for
years, I do keep in touch with peers. Joanne VanAuken, who started in October
of 2004, has several years' experience in IT operations and security. Nearly all
of our freelance writers are in senior level security and IT positions and have
a great deal of hands-on experience at solving problems. Secure Enterprise is
tightly focused on delivering the information that security professionals need
to do their jobs. We try to help readers understand their role in the
organization and how they can add value to projects. We also help them understand
how technologies solve problems and, through our reviews, help them select a
short list of products that solve those problems. We provide practical advice
on leveraging existing and future products throughout the enterprise. That's a pretty tall order, but we have the
people who can speak to the issues.
I can't get into details
about future plans, but in general, I hope to be doing more with key shows and
groups and really just figuring out how to reach readers. CMP is behind Secure
Enterprise, and we're ready to rise to the challenge.
Q: Congratulations on the 2004 Maggie Award. Can you comment?
A: It is great getting an
award right out of the gate and the Maggie was for best supplement. In 2004,
Secure Enterprise became a stand-alone magazine with our own subscribers and
editorial staff. We still have a very tight relationship with Network Computing
largely because we share lab space and we have similar editorial goals. Hopefully
we can continue to win more, but what is really important to me is to be a
value to our readers. If we are successful there, Secure Enterprise will be
successful. That is the award that I want.
Q: Overview your top stories from 2004 and provide us with an
editorial glimpse into the top stories for 2005.
A: A lot of our stories in
2004 centered around core issues of securing data at rest and data in transit
and that is still important. In 2005, we will continue that trend with reviews
of firewalls, SSL VPN gateways, and web application products. In addition we
will have articles surrounding business and policy issues to help round out our
readers' arsenal.
Q: What is the future of publishing, the Web, RSS, and Blogs? What
are the interrelationships between these and other technology areas?
A: I can't say that I have
given this much thought, but why should that stop me from prognosticating? RSS
is just a way to feed content; everything else around RSS is just wrapping.
Since the web explosion, there have been many attempts to customize the
information experience. RSS is a way to share that information portably.
Blogs are interesting, but I
can't say that I really participate in them much. Functionally, Blogs seem like
really easy ways to build content. With both web and blog content, the fundamental
problem is understanding the authority that a person has to make factual statements.
I don�t see blogs generally replacing the authoritative content that trade
magazines and the press offers. There are certainly blog authors who have set
their authority just like there are some journalists who have done the same,
but really, a blog is kind of like a structured cocktail party. I do see blogs
as really good opinion vehicles and really good at pointing out locations for
interesting information. It makes web publishing more accessible.
Q: You choose your top five most important topics areas and
provide your views and forecasts in these areas:
A: In no particular order:
Area 1: Network access
control, which I define as the capability to intelligently grant access to
nodes based on their condition. Typically that means that an agent compares the
status of the workstation OS, patch levels, security software running like AV,
firewalls, etc., and their patch levels, your identification, location, and other
conditions about the workstation, and then lets you on the network, quarantines
the workstation, or limits access to just certain parts. To be really useful,
a network access control system has to handle both scannable and unscannable
devices.
Ideally, the enforcement is
network based and is as close to the target host as possible, such as putting a
switch port into a VLAN, or blocking MAC addresses. There are lots of solutions
out there from Cisco, Enterasys, Alcatel, Nortel, 3Com, and HP. They all claim
to be able to manage Cisco gear primarily through SNMP. Regardless, I don't
know if the products are deployable in a large scale yet, but products are
coming.
I do think that the network
enforcement of access based on the condition of the host is possible in the
next few years because vendors have been pushing hard developing the basic
technologies. Initial enforcement technologies have been in VPN gateways,
wireless AP systems, and client for at least 3 years and companies have been
using them in limited deployments. The big infrastructure vendors like 3Com,
Alcatel, Cisco, Enterasys, and HP have roadmaps for supporting enforcement in
switches and routers. Vendors will need to make the deployment as low impact as
possible, design management structures that are flexible enough to adapt to
organizations while adequately enforcing access restrictions, and make them
integrate with existing infrastructure as much as possible.
Area 2: Remote access is
still a hot topic and all the rage is SSL VPN. While SSL VPN does solve many of
the problems of IPSec, like the client issue and NAT traversal, there are still
several problems that SSL VPN vendors need to iron out.
The first one is improved
support for client side dynamic URL creation. Unlike IPSec VPN which routes
traffic on the client based on the destination, SSL VPNs have to re-write the
URLs in a web page from how they are served from the server to point back to
the SSL VPN gateway. That is not hard since HTML is well understood, but client
side manipulation using Javascript or DHTML means that the URLs are altered on
the client. When that happens, the resulting URL ends up pointing to the
destination server and not the SSL VPN gateway. Oops. SSL VPN gateway vendors
have supported common web applications like OWA, Notes WebMail, and a few
others out of the box, but custom applications typically mean that the vendor's
engineers will have to crawl the site and figure out how to re-write the URLs.
Whale Communications e-Gap SSL VPN exposes all those nitty gritty details and
even a cursory glance at the processing rules shows that building those rules
is not something your average administrator is going to do. You're going to
need professional services. That is a roadblock because it adds time and cost
to any deployment and if you make a change to the web app, you may need to
change the processing rules. One more item to track.
The second big issue with SSL
VPN is supporting non-HTTP protocols. In general, non-HTTP protocol support
means downloading and executing an ActiveX or Java applet on the client that
acts like a local redirector. The logged in user often needs administrator
rights to gain the required privs. The next issue is redirecting the
destination connection over the SSL VPN. Typically this is done using DNS by
modifying the local HOSTS file to point domain names to addresses on the
localhost netblock. Again, you need Administrator privs to accomplish that on
Windows.
Finally, third, I am not
convinced that ubiquitous clientless access is really desirable for
organizations outside of web mail access. I could be wrong but the idea that
someone is going to sit at a public kiosk and fire up some application in a
browser just doesn't make sense. But the big issue that SSL VPN gateway vendors
need to address is the cache problem. Remember that web browsers cache content
locally to speed up responsiveness. Directives can be added to tell the browser
not to cache content, but as a security admin, you can't really trust that the
application will actually follow those directives. Do you really want to leave
behind all that company email on untrusted computers with Google's desktop
search? The cache problem is often being solved by creating safe desktops that
delete cached files once the session is closed. So if clientless access is such
a big driver, then vendors need to figure out how to provide a protected
environment on untrusted computers that doesn't require elevated privileges to
create.
Area 3: The role of the CSO
and security administrator is changing, or should be changing. As you move up
through the organization, many more of your duties concern people more than
technology. You have to spend more time building bridges between yourself and
others. You can't simply fight and push projects through. Everything becomes a
negotiation and successful negotiators know how to give and get so that
everyone comes out better for the deal.
Area 4: Figuring out value of
security purchases is always difficult because the metrics that folks think
they are familiar with, like ROI, are pretty difficult to calculate and predict
for products that don't really have a return. Some security purchases do have
pretty well-defined returns. A patch management system saves system maintenance
time or an identity management system streamlines user management and reduces
helpdesk calls. But what is the return of a firewall? Or an IDS? Or a token
authentication system? You can articulate the benefit, but what about the
value? Doing so requires knowing how to sell the benefit of security purchases to
the organization and how to show ways that purchases add value. Compliance to
the regulation which lessens the likelihood of a fine is one way. Leveraging a
token authentication system across multiple applications can spread the cost.
There are lots of ways to show the value of security purchases.
Area 5: The core issue is understanding
the problem you are trying to solve, and that is difficult. You have to do the
analysis, figure out what the weaknesses are, and figure out how best to
remediate the weaknesses without negatively impacting the process. But if you
pinpoint the wrong problem to start with, you're screwed.
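The URL-rewriting problem described for SSL VPN gateways under Area 2, as an added example that is not code from the interview or from any gateway vendor: a toy rewriter that points server-side links at the gateway but, because a script body passes through untouched, cannot rewrite a URL that JavaScript builds at run time. The gateway host vpn.example.test, the intranet hostnames and the sample page are assumed.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumed names for this example: the gateway and the intranet servers it fronts.
GATEWAY_HOST = "vpn.example.test"
INTERNAL_HOSTS = {"intranet.example.test", "mail.example.test"}

def rewrite_url(url, page_base):
    """Point a server-side URL at the gateway as /proxy/<scheme>/<host><path>."""
    absolute = urljoin(page_base, url)  # resolve relative links against the page's origin
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https") or parts.netloc not in INTERNAL_HOSTS:
        return url  # javascript:, mailto: and external sites are left alone
    path = f"/proxy/{parts.scheme}/{parts.netloc}{parts.path or '/'}"
    return urlunsplit(("https", GATEWAY_HOST, path, parts.query, parts.fragment))

class GatewayRewriter(HTMLParser):
    """Rewrites href/src/action in markup; can only record hosts seen inside <script>."""
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self, page_base):
        super().__init__(convert_charrefs=False)
        self.page_base = page_base
        self.out = []
        self.in_script = False
        self.script_hosts = []  # internal hosts JavaScript references that we could not rewrite

    def _attrs(self, attrs):
        pieces = []
        for name, value in attrs:
            if value is None:
                pieces.append(f" {name}")
                continue
            if name in self.URL_ATTRS:
                value = rewrite_url(value, self.page_base)
            pieces.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(pieces)

    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)}/>")

    def handle_endtag(self, tag):
        self.in_script = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.in_script:
            # A URL JavaScript assembles at run time never exists in the HTML: flag the host only.
            for host in re.findall(r"https?://([A-Za-z0-9.-]+)", data):
                if host in INTERNAL_HOSTS:
                    self.script_hosts.append(host)
        self.out.append(data)

    def handle_entityref(self, name):  # keep &amp; and friends as served
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def rewrite_page(html, page_base):
    """Return (rewritten_html, internal hosts left unrewritten inside scripts)."""
    parser = GatewayRewriter(page_base)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.script_hosts

# Constructed sample page, as the intranet server would send it to the gateway.
SAMPLE_BASE = "http://intranet.example.test/index.html"
SAMPLE_PAGE = """<html><body>
<a href="/reports/2004.html">Reports</a>
<a href="http://mail.example.test/owa/">Mail</a>
<a href="http://www.example.com/">Partner site</a>
<img src="logo.gif"/>
<script>
  function openReport(id) { location.href = "http://intranet.example.test/reports/" + id; }
</script>
</body></html>"""
```

Calling rewrite_page(SAMPLE_PAGE, SAMPLE_BASE) returns the page with the three intranet links in markup pointed at the gateway, and ['intranet.example.test'] as the host the script will still contact directly once the browser runs it.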
Q: What are your top tips to sustain accomplishment based upon
your considerable career successes?
A: My mother and grandmother
ran a pre-school and until I was maybe 10 or 11 years old, I thought everyone
worked 6 days a week. So I work hard. But I also know that I need downtime away
from work, so I make sure that I do that as well. I know the expectation is to be
connected 24 hours a day and ready to jump in at the drop of a hat, but that
leads to burn-out and ineffectiveness.
Be willing to say yes. IT and
security are services to the organization, so we should always be willing to
look at how we can enable new projects. If you have a problem, there is
probably a COTS product out there or an alternative. Say yes, figure out how
later.
Be willing to say no. This is
often harder to do, but sometimes you just have to say it and give your
reasons. "No mister line manager, you cannot source your own web application.
But, you can source it through us, and we will help you spec it out and integrate
it with existing systems. This will be a win for you and me."
Ask questions and don't let
go until you understand the answers. When you�re working on a project, leverage
the expertise of the people around you. People are usually willing to help, and
you don't need to go it alone. So ask questions of the people you work with. I
hate to use the cliché, "The only stupid question is the one not asked," but
it's true. Every time I got burned on a project, it's because I didn't fully
understand the situation, and I'd moved forward with well-meant but incorrect
assumptions. Asking questions can mitigate that.
Attend to the details.
Seemingly minor things can have a huge impact. For example, I was recently
testing an SSL VPN gateway. I integrated it with my Active Directory, but I
like to have local admin accounts on the device so that in the event the device
can't talk to AD, I can at least get access. I configure every network device
that supports simultaneous local and remote user accounts in this manner. So I
didn�t see a way to add users to this gateway and I asked the vendor and they
told me I had to SSH to the box and manage local users that way even though they had a web management UI.
When I asked them why they didn�t have local user management in the UI, they
said their customers use centralized user databases and they didn�t have
customer demand for that feature. Now I certainly understand and advocate the
power of centralized user management, but support for local user management is
a couple lines of Perl, even I can do that. The lack of local user management
wouldn't be a deal breaker, but it tells me that the vendor isn't attending to
details.
Unless you're self-employed,
your job is a job, it's not your life. This goes back to my first point. The
world will continue to spin if you take a sick day or vacation and don�t check
email. Leave work at work and you�ll be all the better for it when you get
back.
Q: It helps in strategic management to perform periodic
environmental scans (what is happening internally within your business and
externally outside of the business). Taking your considerable experience into
account, what events continue to "amaze" you?
A: I am amazed at how often
vendors aren't aware of their competitive landscape and this observation
applies to vendors large and small. In briefing after briefing, many vendors
are either not current on what their competition is doing or they are just not
aware.
I can't tell you how many
times vendors will respond to feature requests with, "When customers ask for
it, we will add it". I am not talking about whacky stuff either. Give me a
searchable log so that I can troubleshoot problems, for example. That's the
difference between a leader and a follower.
I am always amazed there are
known vulnerabilities residing in clients and servers months, sometimes years
after they have been announced and patches are available. I understand patching
is a very complicated and non-trivial issue, but at some point you need only
look in the mirror to see the problem. I have talked with a few companies, and
others have related similar stories to me, that have never been disrupted by a
worm because there is a good working relationship between IT, security folks,
and business line managers. When something needs to get done, it gets
prioritized and executed.
Q: Share with us your
a
1) Some knowledge is dated,
and some isn't. Students think anything technology-based from 10 or 50 years
ago is useless, but some of the most important thinking was done then. Pay
attention to what people before you have done and said.
2) You can't prepare enough for
papers and presentations.
3) Ask your instructor or
professor questions. That's what they are there for.
4) You don't need to be a
network guru to succeed in the security profession, but it helps to have a
pretty solid understanding.
5) The best students relate
class work with other class work and work on their jobs. They are all tied
together.
6) Don't get too hung up on
grades. What is important is what you learn.
7) Take chances in classes.
Risk an original thought, even if it's not what the rest of the group is
saying.
8) Remember, graduate schools
are not tech schools. You are probably going to need to do extra-curricular
activities to gain technical knowledge.
9) Take some classes outside
of your concentration. You'll be a better thinker for it. (Recall, I started
out in philosophy...)
10) Question everything.
Q: With so many conference choices, which ones would you recommend
and why?
A: Well, I like NetSec and
the fall CSI Conference not only because they are CMP events, but because the
tracks are very well done and most of the presentations are given by security
administrators and CSOs, peers of the attendees. In the presentations that I have
done at CSI, the response from the attendees has been great and I often abandon
the slide show because the questions from the audience drive the direction.
Also, very few of the sessions are presented by vendors and those vendors are
given strict guidance to not pitch product. I liked MISTI when I attended a few
years ago. It's a lot like CSI. I go to RSA, but that is more of an industry
show and it seems to me that more and more of the sessions are given by vendors
these days.
I haven't had the pleasure of
BlackHats or DefCon, but maybe this year. I have also heard really good things
about CanSecWest, but it is an uber-geek security show.
Q: Where do you see yourself in the short, medium, and long term?
Can you define these time periods?
A: Hah. I haven't thought
that far. Right now I am just fitting into my role as Editor. Being an Editor
of a magazine is vastly different from being a Technology Editor where I was
focused on testing products. But in the coming year, I am really looking at
maintaining good editorial, building up a base of freelance editors from IT,
and managing the direction of the magazine. Medium term I am looking at growing
the book and trying to figure out new ways to reach readers. Long term, who
knows. Maybe in a few years I will chuck it all in and open a kayak shop on the
Chesapeake Bay.
Q: What are the five major challenges before businesses and IT
professionals and give us your perspective on their solutions?
A: The biggest challenge that
I hear from people is that they are so busy putting out fires they don't have
the luxury to really get a view of the security needs of the organization. That
problem manifests itself in a few ways.
First, the role of the CSO
really needs to be an executive position that reports to the CEO, not the CIO.
The reason I say this is because in order to get the security programs pushed
out to the organization, the CSO needs (1) to have the authority to make
organization-wide decisions, (2) to have the view of the organizational goals as other
executives, and (3) to have input at a high level to ensure that adequate
protection measures are in place as the organization moves forward. If the CSO
reports to the CIO or CFO, then those roles have to be boardroom advocates for
the CSO. That is just inefficient.
A related challenge for
security professionals is to realize that security, and IT, performs a service
to the organization and as such they need to think about how they can support
organizational needs. If you want to call IT a profit center, then your
customers are the departments that rely on you to provide IT and security
services to them. The organization is not there to support IT. I know there are
a lot of organizations that have antagonistic relationships with IT and I can't
hope to cover all the nuances and complications here. If you're in the mode of
thinking "I need to lock down these applications and the network and not let
the bad stuff in" try changing that to "How can we deploy these applications in
a secure manner?" In the former view, you're the enforcer and that is naturally
antagonistic. In the latter, you are collaborative, and naturally helpful.
One of the problems of
antagonistic IT relationships that plagues security administrators is the rogue
IT project which could be anything from departments and people deploying
wireless access points to full blown applications sourced and deployed wholly
outside of IT. Once the project is discovered, it usually falls to IT to now
support them. If you have rogue IT projects in your organization, then there is
a pretty fundamental problem within your organization that is not being
addressed. I am not laying blame on IT at all, just pointing out an
observation.
Another issue is not seeing
the big picture. This leads to not solving the right problems. Technologies,
such as IDS, IPS, Anti-Virus, and firewalls to some extent, are reactive
measures commonly used as band-aids and not deployed as a cohesive strategy.
Technology decisions should be the very last thing you think about when trying
to improve security. The first thing should be an analysis of the systems, its
weaknesses, and the functions and features required to strengthen the system.
Then you go look for the technologies. However, that kind of analysis takes
time and money to do, both rare commodities.
Now it's seemingly easy to
pass out answers and observations and I am admittedly simplifying a great deal,
but the general principles I think are valid. Look at problems from a systems
and solutions point of view, present your services as a service rather than a
hurdle, and get the authority of the CSO as high in the organization as it can
go. Those three things will really help to get security processes and programs
in place.
Q: What are your top tips for our audience of IT
professionals? Any pointers on the future job market?
A: Go get an MBA. Seriously.
Technical certifications are good, but they are limiting in how far they can
boost your career. A CISSP is good, but it's not going to really help you get
that executive position. Graduate degrees from IT schools are good at launching
a career, but if you want to move up in an organization, either for profit or
non-profit, you have to understand the business issues. MBA programs are
designed to teach you those fundamentals. Businesses, all businesses including for
profit and non-profit, are all about making money. You can't really expect to
play in that field if you don't have the basics. You can get that on the job,
but an MBA will add depth and breadth.
Q: Any predictions about the economy and future IT spending?
A: Not really. From our 2004
Strategic Deployment Survey, we see slight increases in security budgets, but
they are still pretty tight, often less than 15% of the total IT budget and I
don't see much of an increase over the years. The key takeaway, I think, is to
look for ways to leverage existing IT deployments first, then look for gaps and
fill them.
Q: If you were doing this interview, what three questions would
you ask of someone in your position and what would be your answers?
Q1: What is the balance of
communication skills to technical skills demanded for your job?
A1: Security is a people job.
Successful security leaders know how to communicate effectively through writing
and speaking in addition to having technical know-how. This is true in all
technical fields. You can know your technology until the cows come home, but if
you can't express your thoughts to others, forget it.
Q2: What do you think is the
biggest waste of time in the security field?
A2: Vulnerability assessment
and intrusion detection: if your servers are patched and properly
configured, you won�t need either one. Yet, companies will spend tens of
thousands of dollars deploying VA and IDS to tell them what they should already
know from desktop and server management systems.
Q3: Of the two finalists, who
should have won The Apprentice this season?
A3: Jen. She outwitted,
outplayed, outlasted... oops, wrong show.
Q: Mike, with your impressive background in computing and
security, we thank you for sharing your deep insights, experiences and wisdom
with our audience.
A: Thanks Stephen, it's been
fun.