Physical and Logical Security Convergence: Powered by Enterprise Security Management (Syngress, May 2007, ISBN 1597491225)

“The convergence between physical and cyber security affects not just our daily lives but also our nation’s security. In their new book, Bill Crowell, Dan Dunkel, Brian Contos, and Colby DeRodeff tap into their wealth of public and private sector experience to explain how we should manage risk in an ever converging world.”—Roger Cressey, former Chief of Staff, White House Critical Infrastructure Protection Board, and NBC News terrorism analyst

“Take advantage of the years in the government and commercial arenas that the authors have, their knowledge of current and emerging technologies, and their insight on others’ successes and failures. There is no other text available which packs such comprehensive and useful knowledge into a single volume – this book will be on your desk, not your bookshelf.”—Dr. Jim Jones, CISSP, Senior Scientist, SAIC, and Assistant Professor, Ferris State University

“In my opinion the authors do an exceptional job explaining the need for more comprehensive approaches to achieving operational risk management within business and governmental organizations. The authors clearly demonstrate why convergence of physical and logical security is a natural evolution with significant advantages to all participants… I believe that the book is a must read for anyone responsible for enabling security solutions in complex organizations.”—Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute

“The consistent and persistent message in this book is needed and well presented: corporate executives must understand and implement converged security or get left behind. This message is presented using a nice balance of historical examples and contemporary business issues and case studies. The authors make their points by presenting information from the public, private, and government perspectives. Thus, this book is appropriate for any leader in the field of security (physical or IT). It is also an appropriate read for those in the legal, HR, and PR worlds.”—Dr. Terry Gudaitis, Cyber Intelligence Director, Cyveillance

“Physical & Logical Security Convergence takes an in-depth look at how the issue of convergence is impacting enterprise security, particularly from the insider threat perspective. Solutions are commonly a reaction that lag behind evolving threats, be they technology or management focused. In the new world, we need bottom up approaches that converge solutions that keep up with evolution. This book is a primer for convergence in an evolving risk environment.”—Dr. Bruce Gabrielson, NCE, Associate, Booz Allen Hamilton

“The convergence of physical and information security is a vital development in the corporate world and a critical success factor for all organizations. The authors do an outstanding job exploring the roots of convergence, as well as the technological, political and logistical issues involved in successfully merging the silos of security. More important, they explore the very real opportunities and advantages that arise from security convergence, and illustrate their concepts and prescriptions with practical advice from the real world. This book will be an invaluable guide to anyone involved in guiding security convergence or simply wanting to understand the power and benefits of convergence.”—John Gallant, Editorial Director, Network World

“Filled with historical anecdotes and interesting facts, ‘Physical & Logical Convergence’ is a comprehensive definition of converged security threats and considerations. In this day and age, convergence has become a business reality requiring organizations to realign their security and compliance remediation efforts. The authors capture the key aspects of planning for, designing, and addressing the security aspects of this new technology landscape. As expected from an ESM perspective, also provided is a conceptual overview of addressing the compliance audit and monitoring requirements of converged components.”—Mark Fernandes, Senior Manager, Deloitte

Physical and Logical Security Convergence
Powered by Enterprise Security Management

Brian T. Contos, CISSP
William P. Crowell, Former Deputy Director, NSA
Colby DeRodeff, GCIA, GCNA
Dan Dunkel, New Era Associates

Foreword

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 BPOQ48722D
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

Physical and Logical Security Convergence: Powered By Enterprise Security Management

Copyright © 2007 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1 2 3 4 5 6 7 8 9 0

ISBN: 978-1-59749-122-8

Publisher: Amorette Pedersen
Managing Editor: Andrew Williams
Production Manager: Brandy Lilly
Page Layout and Art: Patricia Lupien
Technical Editor: Dr. Eric Cole
Copy Editor: Audrey Doyle
Cover Designer: Michael Kavish
Indexer: Nara Wood

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.pedersen@elsevier.com.

Acknowledgments

Brian Contos

Dedication

To the beautiful women in my life who gave me the inspiration to author yet another book: my amazing wife Monica-Tiffany, our incredible daughters Zoey and Athena, my patient mother Marie and supportive sisters Karrie and Tracy. And to my father Tom who instilled in me commitment and tenacity.

Illegitimis nil carborundum

Acknowledgements

It’s always hard to single people out for thanks when you write a book. Most of my knowledge over the last decade comes from combined experiences with various individuals and organizations. Even the concept of physical and logical convergence itself was a culmination of conversations with dozens of brilliant minds in the private and public sector, academia, and the media. Only after convergence displayed such obvious and extensive support from these individuals did I finally convince myself that a book had to be written. While I can’t possibly mention everyone, some individuals went well beyond an exchange of ideas in their contribution. Some actually reviewed sundry versions of the manuscript and provided expert insight. For their outstanding commitment I would like to thank all the book reviewers. Their input was invaluable and helped shape this book. I would also like to give special thanks to Dr. Eric Cole for providing world-class feedback, technical analysis, sanity checks and comic relief.

To all the individuals at ArcSight that in one way or another helped make this book a reality: Robert Shaw, Tom Reilly, Kevin Mosher, Larry Lunetta, Jill Kyte, Cynthia Hulton, and Dave Anderson. To be fair, the entire ArcSight team throughout the Americas, Europe and Asia Pacific should be thanked.

I would like to give special thanks to ArcSight’s CTO and Executive Vice President of Research and Development Hugh Njemanze. Hugh has not only provided valuable feedback for both of my books to date but has become a mentor and confidant over the years.

Finally, I’d be remiss if I didn’t acknowledge my co-authors Bill, Dan and Colby for all their hard work and dedication.

William P. Crowell

Dedication

To my wonderful wife, Judy, who endures all of my endeavors with love and support, and who fills all of my days with fun and the inspiration to do more.

Acknowledgements

Many people have contributed to the developing knowledge base on the convergence of physical and logical security and to my own understanding of where convergence is going and why. In 1998, shortly after being named CEO of Cylink Corp., Regis McKenna, one of Cylink’s Directors, began talking to me about the move to IP based video services and the role that TCP/IP would play as the basic infrastructure for moving security information from video cameras to users. He envisioned a whole new way in which retail stores and enterprise facilities would monitor video security services and a way for the cost of security to be reduced. He had just done a restart of a small streaming video software company that he had named Broadware Technologies. Regis asked me to join the board of Broadware and my trek into the world of video surveillance and physical security began. Interestingly, the Chairman of Cylink Corporation, Leo Guthart, was the Vice Chairman of Pittway Corporation and President of Ademco as well as having been a Director at Cylink for 18 years. One of his dreams was that physical access cards would merge with smart cards and converge management of identities within large corporations. Cylink had a subsidiary that designed smart cards so Leo encouraged me to embark on a project to build the dual purpose identity cards for Cylink’s facilities in Silicon Valley.

Broadware also installed its infrastructure in the Cylink facilities to manage cameras on each of the doors and to trigger viewing of the cameras by a mobile guard service, thereby saving us nearly $100,000 a year for a full time guard.

Surely we were moving in the right direction, but as we would later learn, we were well ahead of the adoption curve. We didn’t see the “bubble” that was going to burst and slow all of our dreams of converging technologies based on internet protocol. Regis and Leo gave me their vision, but we would all have to wait for the rest of the world to understand and adopt it.

The events of 9/11 began a fresh look at security and intelligence. A lot of commissions and panels were established to review what had happened and to provide insight into new ways of protecting our critical infrastructure, most of which is privately held. I served on a number of those groups, but none so influential as the Markle Foundation Task Force on National Security in the Information Age, chaired by Zoe Baird and Jim Barksdale. Both of these individuals knew that security would have to be improved and made more affordable, but that the key ingredient in achieving greater security would be the institutionalization of “information sharing.” I had the good fortune to work with them for four years along with an incredible team of individuals who forged a new architecture for information sharing over networks using social networking concepts. I cannot name all of the members, but two who were most influential in my thinking about how information sharing would shape security in the future were Gilman Louie, then CEO of In-Q-Tel and now a Partner in Alsop-Louie Partners, and Tara Lemmey, a founder and CEO of LENS Ventures. We spent countless hours together working on the report, but talking about virtually everything in the world of information technology and security.

The insights that these individuals brought to my thinking about security launched me into the connecting of all of the technologies that can be part of a converged security solution. From the basics of video surveillance, network security, authentication, virus protection, and encryption we are now evolving a truly integrated set of technologies that include new tools like RFID, video analytics, and sophisticated sensors that can be connected together, and the events they record can be analyzed and evaluated with great speed and agility.

Colby DeRodeff

Dedication

I dedicate this, my first book, to my grandparents who have always guided and encouraged me when faced with great challenges. I would further like to dedicate this book to my mom, dad, brother, and girlfriend for putting up with me and providing inspiration while working on this monumental project.

“I taught them everything they know, but not everything I know.”—James Brown

Acknowledgements

I will start by acknowledging the people who contributed directly to my work.

First I would like to thank Dr. Eric Cole for spending the time to provide valuable feedback on my chapters. His insights were not only inspirational, but actually made me dig deeper into the subjects on which I was researching. I would like to thank the individuals who provided information regarding their companies’ specific technologies, including Craig Chambers from Cernium, John Donovan from Vidient, Chris Gaskins from NetBotz/APC, and Frank Cusack and Mats Nahlinder, both from Tri-D Systems. They were extremely helpful in providing product information, market information as well as product screen shots and literature. A special acknowledgement goes to Ben Cook from Sandia National Laboratories for allowing me to consume several hours interviewing him. His perspective and knowledge regarding the protection of critical infrastructure was a tremendous help in understanding both the problems in process control networks as well as what’s being done to correct them. I thank Gabriel Martinez, a close personal friend, as well as a colleague, for his time and interviews regarding penetration testing of process control environments; his practical, real world experiences were a tremendous help. (I’ll see you in Austin buddy!) Not to be forgotten is Paul Granier for his help with understanding more about project LOGIIC and SCADA networks.

I hate to do it, but I must also acknowledge Brian Contos, one of my co-authors, for presenting me the opportunity to help write a book. At first I was hesitant and thought he was a little crazy, but the more I thought about it and talked to him it became clear this was something I had to do. Here I am nine months later writing an acknowledgement for a book. I also would like to acknowledge my other two co-authors William Crowell and Dan Dunkel for their unique perspectives and experiences that have helped shape the final product and for the efforts on their parts in seeing this through to completion. I look forward to a long and successful partnership.

I would like to thank the individuals who took the time to review the manuscript and for providing valuable feedback and praise. Your help in getting the message out there and validating this work is greatly appreciated.

Finally I have to acknowledge the people who have been influential in my success as a whole. These are the great people I work with everyday at ArcSight. I don’t want to leave anyone out because I love working with the whole team. In engineering there is a core group of people who have always taken the time to help me even when I had the silliest of questions: Christian Beedgen, Hector Aguilar, Kumar Saurabh, Stefan Zier, Raju Gottumukkala, Ankur Lahoti, Senthil Vaiyapuri, and I guess even Raffael Marty. In the sales organization I would like to recognize Laura Tom for always supporting my efforts, and Kevin Mosher, Lars Nilsson and Rick Wescott for always letting me be a part of. I would like to thank Cynthia Hulton and Jill Kyte for helping me become the rock star they always said I was. Glen Sharlun, I didn’t forget about you, you are a rock star, too! I would like to end with a personal thank you to Hugh Njemanze and Robert Shaw who have always kept an eye on me and guided my career.

Dan Dunkel

Dedication

To my wife Sue for love and support, and our three sons Derek, Daren, and David for our belief in their futures.

About the Authors

Brian T. Contos

Brian T. Contos, CISSP, Chief Security Officer, ArcSight Inc., has over a decade of real-world security engineering and management expertise developed in some of the most sensitive and mission-critical environments in the world. As ArcSight’s CSO he advises government organizations and Global 1,000s on security strategy related to Enterprise Security Management (ESM) solutions while being an evangelist for the security space. He has delivered security-related speeches, white papers, webcasts, podcasts and most recently published a book on insider threats titled Enemy at the Water Cooler. He frequently appears in media outlets including: Forbes, The London Times, Computerworld, SC Magazine, InfoSecurity Magazine, ITDefense Magazine and the Sarbanes-Oxley Compliance Journal.

Mr. Contos has held management and engineering positions at Riptech, Lucent Bell Labs, Compaq Computers and the Defense Information Systems Agency (DISA). He has worked throughout North and South America, Western Europe, and Asia and holds a B.S. from the University of Arizona in addition to a number of industry and vendor certifications.

Dan Dunkel

Dan Dunkel brings over 22 years of successful sales, management, and executive experience in the information technology industry to a consulting practice focused on the emerging field of security convergence. His background includes domestic and international responsibilities for direct sales organizations, value added reseller channels, and OEM contracts. His product knowledge spans enterprise software, server architectures, and networking technologies. Dan’s employment history includes senior roles in pre-IPO ventures, mid cap IT manufacturers, and Fortune 50 organizations.

His firm, New Era Associates, is a privately held consultancy specializing in sales strategy and business partner development between IT and physical security vendors and integrators. NEA clients range from Fortune 500 enterprises to privately funded and venture backed start-ups. All share a common interest in collaborating on integrated security solutions deployed within the framework of an enterprise policy. The goal is to accelerate security deployments to defend organizations against both traditional business risk and new global threats.

Mr. Dunkel is a frequent speaker at security trade shows and to industry groups worldwide. He writes a twice-monthly column for Today’s System Integrator (TSI), an online publication of Security Magazine and BNP Publishing.

William P. Crowell

William P. Crowell is an Independent Consultant specializing in Information Technology, Security and Intelligence Systems. He also is a director and Chairman of Broadware Technologies, a video surveillance networking infrastructure company, a director of ArcSight, Inc., an enterprise security management software company, a director of Narus, a software company specializing in IP telecommunications infrastructure software, a director at Ounce Labs, a software company specializing in source code vulnerability assessment tools, and a director of RVision, a video surveillance camera and processing company. In July 2003 he was appointed to the Unisys Corporate Security Advisory Board (now the Security Leadership Institute) to address emerging security issues and best practices. In September 2003 he joined the Homeland Security Advisory Board at ChoicePoint, a data aggregation company.

William P. Crowell served as President and Chief Executive Officer of Santa Clara, California-based Cylink Corporation, a leading provider of e-business security solutions, from November 1998 to February 2003, when Cylink was acquired by SafeNet, Inc., a Baltimore based encryption and security products company. He continues to serve as a consultant and member of the Federal Advisory Board at SafeNet.

Crowell came to Cylink from the National Security Agency, where he held a series of senior positions in operations, strategic planning, research and development, and finance. In early 1994 he was appointed as the Deputy Director of NSA and served in that post until his retirement in late 1997. From 1989 to 1990, Crowell served as a vice president at Atlantic Aerospace Electronics Corporation, now a subsidiary of Titan Systems, leading business development in space technology, signal processing and intelligence systems.

In April 1999, Crowell was appointed to the President’s Export Council (PEC), which advised the administration on trade and export policy. He served as chairman of the PEC Subcommittee on Encryption, which worked with the Administration, Congress and private industry to substantially loosen restrictions on the export of encryption products and technology. In March 2001, the Secretary of Defense appointed Crowell to a federal advisory committee that conducted a comprehensive review of the U.S. Nuclear Command and Control System.

Since 9/11 he has served on the Markle Foundation Task Force on National Security in the Information Age, which published three landmark studies on Homeland Security and information sharing, and has also served on numerous federal and private panels to investigate and improve our intelligence and security systems.

Crowell is an expert on network and information security issues. He has been quoted in many trade and business publications including the Wall Street Journal, BusinessWeek, USA Today, Information Week, Network World, Computer World, Federal Computer Week, CIO Magazine and the San Jose Mercury News. Crowell has also appeared on CBS MarketWatch, CNET News, CNBC and KNTV’s Silicon Valley Business. He was the technical advisor to the TV series “Threat Matrix” during its run on ABC during the 2003 season.

Colby DeRodeff

Colby DeRodeff, GCIA, GCNA, is manager of Technical Marketing at ArcSight. He has spent nearly a decade working with global organizations guiding best practices and empowering the use of ArcSight products across all business verticals including government, finance and healthcare. In this capacity he has been exposed to countless security and organizational challenges giving him a unique perspective on today’s information security challenges.

Recognized as an expert in the field of IT security, Colby’s primary areas of focus are insider threat, the convergence of physical and logical security, as well as enterprise security and information management. As the leader of ArcSight’s Technical Marketing team, Colby drives content for customers to more easily identify and solve complex real-world issues. He has helped ArcSight grow from the earliest days as a sales consultant and implementation engineer, to joining the development organization where he was one of the founders of ArcSight’s Strategic Application Solutions team delivering content solutions to solve real world problems such as compliance and insider threat.

Colby has held several consulting positions at companies such as Veritas, where he was responsible for deploying their global IDS infrastructure, and ThinkLink Inc, where he maintained an enterprise VoIP network.

Colby attended San Francisco State University and holds both the SANS Intrusion Analyst (GCIA) and Network Auditor (GCNA) certifications.

Technical Editor and Contributor

Dr. Eric Cole is an industry recognized security expert, technology visionary and scientist, with over 15 years’ hands-on experience. Dr. Cole currently performs leading edge security consulting and works in research and development to advance the state of the art in information systems security. Dr. Cole has over a decade of experience in information technology, with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. Dr. Cole has a Masters in Computer Science from NYIT, and a Ph.D. from Pace University with a concentration in Information Security. Dr. Cole is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible and Insider Threat: Protecting the Enterprise from Sabotage, Spying and Theft (Syngress, ISBN: 1597490482). He is also the inventor of over 20 patents and is a researcher, writer, and speaker for SANS Institute and faculty for The SANS Technology Institute, a degree granting institution.

Contents

Foreword . . . xxiii

Chapter 1 Introduction . . . 1
  Security Concepts and the Impact of Convergence . . . 4
    Evolving Threats . . . 5
    Risk Assessment . . . 6
    Risk Mitigation . . . 10
    Security over IP: A Double-Edged Sword . . . 12

Chapter 2 The Evolution of Physical Security . . . 15
  Introduction . . . 16
  The History of Physical Security . . . 19
  The Four Categories of Physical Security . . . 20
    Physical Obstructions . . . 20
    Security Sensors: The Evolution of Surveillance Techniques . . . 26
      The Burglar Alarm . . . 27
      Codes and Ciphers . . . 28
      Electronic Devices . . . 28
      Sensor Technologies . . . 29
    Experts with Information: America’s Intelligence Agencies . . . 33
      The History of U.S. Intelligence . . . 36
    Guards: The Pioneers of Security Surveillance . . . 38
      The Roman Vigiles . . . 40
      From Individuals to Militia Security . . . 41
      From Citizen Guarding to Private Security . . . 41
      From Private Security to Professional Policing . . . 43
      Physical Security: An Industry with History . . . 44
      The New Security Industry: From Policing to Military Outsourcing . . . 50
  Command and Control: Automating Security Responses . . . 52
    I.T.T. Corporation . . . 52
    The Comstat System . . . 53
    Additional Innovations . . . 54
  Conclusion . . . 56

Chapter 3 Security Convergence: What Is It Anyway? . . . 59
  Introduction . . . 60
  Defining Security Convergence . . . 60
    A Three-Pronged Approach . . . 61
  Functional Convergence Drives Security Solutions . . . 68
    Mobile Malware . . . 70
  Security Convergence Is Changing the Security Culture . . . 72
  The Convergence Role in Accelerating Security Solutions Worldwide . . . 77
  Security Convergence Is Changing the Sales Channel . . . 86
  Summary . . . 91

Chapter 4 The Challenges Surrounding Security Convergence . . . 93
  Introduction . . . 94
  Technology History: Uncontrolled Internet Growth . . . 95
    The Evolution of the Internet: The Initial Transfer of Military Technology . . . 99
  Internet Productivity . . . 100
  Administration, Process, and Procedures: Management in the Internet Age . . . 103
    Benefits of Using Risk Management in Planning IT Security Administration . . . 105
    The Davos Summit on Cyber Terrorism: The Botnets Have Arrived . . . 107
    DHS: The National Strategy to Secure Cyberspace . . . 108
    Society and Surveillance . . . 110
      Privacy and The U.S. Constitution: A Growing Concern . . . 113
  Security and Intelligence: The Impact of a New Surveillance Community . . . 115
  The DNI and the Intelligence Reform Act of 2004 . . . 118
    The 9/11 Commission Report . . . 118
  Conclusion . . . 122

Chapter 5 IT Governance and Enterprise Security Policy . . . 123
  The Twenty-First-Century Business Model . . . 124
  What Is IT Governance? . . . 127
  IT Governance Research: MIT Sloan School of Management . . . 130
  The New Management Strategy Behind IT Governance . . . 135
  Security Policy: A Growing Priority for IT Governance . . . 136
  Web Collaboration: A Global Communications Requirement . . . 141
  Government Compliance . . . 144
    HSPD-12 . . . 144
    Sarbanes-Oxley . . . 147
    HIPAA . . . 148
  Conclusion . . . 149

Chapter 6 The Evolution of Global Security Solutions . . . 151
  Introduction . . . 152
  Collaboration Convergence: The Transfer of Military Technology . . . 152
  Follow the Money: Funding Sources and New Convergence Strategies . . . 155
    In-Q-Tel: Funding Dual-Use Security Solutions . . . 156
    Paladin Capital Group: Focused on Securing the Homeland . . . 157
    ICx Technologies: The New Holistic Security Solutions Approach . . . 159
    Cisco Systems: Leading the Security Convergence Charge . . . 160
    The Forgotten Homeland: Securing America . . . 163
      Crisis Management: Lessons Learned — No Playbook – 911 Judgment Calls . . . 164
  Security Convergence: Rapidly Going Global . . . 165
  The Starting Point: Identity Management and Access Control . . . 169
    Market Standards for Identity Management Systems: Gartner Group . . . 174
    Identity Management: Trends at General Motors . . . 175
      Hirsch Electronics: Convergence and the Intelligent Building . . . 178
  The Challenges of Convergence: Positioning to Embrace Change . . . 179
  The Emergence of the CIO and Its Impact on Security Convergence . . . 183
  Conclusion . . . 187

Chapter 7 Positioning Security: Politics, Industry, and Business Value . . . 189
  Twenty-First-Century Risk: Physical and Electronic Security Collaboration . . . 190
  Homeland Security . . . 193
    RAMCAP . . . 193
    Mitigating the Issue of Security . . . 196
    The Critical Infrastructure Protection (CIP) Program . . . 197
    Fusion Center Guidelines . . . 198
  Industry Associations: Anticipating Trends in the Global Security Market . . . 202
    The Open Security Exchange (OSE) . . . 204
    The American Society for Industrial Security (ASIS) . . . 205
    The PSA Security Network (PSA) . . . 206
    The Security 500 Ranking . . . 207

  A Closer Look:The Top 50 of the Security 500 . . . . . . . . . . . .207 Convergence: Creating New Security Business Value . . . . . . . . . . . . . . .209 The Collaboration of Security Responsibilities . . . . . . . . . . . . . . . . . . .210

  The Emergence of the CIO: Tracking Technical Advances to Business Productivity . . . . . . . . . .212 The Emergence of the CSO: Moving from Managing Costs to Saving Lives . . . . . . . . . . . . . . . .214 The Emergence of the CISO: Timing and Information Are Everything . . . . . . . . . . . . . . . . . . . .216

  What Is a CISO? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216 Positioning Security with the Board . . . . . . . . . . . . . . . . . . . . .217 Video Surveillance: A Benchmark for Security ROI . . . . . . . . .219

  The Security Scorecard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221 Positioning Security:The “I” Word . . . . . . . . . . . . . . . . . . . . . . . . .223

  xviii Contents

  Chapter 8 The New Security Model: The Trusted Enterprise. . . . . . . . . . . . . . . . . . . . . 225 How Wall Street Funded the Global Economy:Twenty-First Century Security . . . . . . . . . . . . . . . . . .226 Wall Street Still Needs a Yardstick:The Trusted Enterprise Valuation . . . .229 Identity and Verification:The Foundation of the Trusted Enterprise . . . .231 Unisys Corporation: Leading the Way to the Trusted Enterprise . . . . . . .233 Industries: Winners and Losers . . . . . . . . . . . . . . . . . . . . . . . . . . . .235 Redefining Security:Trusted Leadership . . . . . . . . . . . . . . . . . . . . .237 Principles of the Trusted Enterprise Model: An Excerpt from the Unisys SLI Treatise . . . . . . . . . . . .238 Modeling the Trusted Enterprise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238 The Impact of the Information Age on the Need for “Trusted” Operations . . . . . . . . . . . . . . . . . .240 Basic Elements of Building Secure Operations . . . . . . . . . . . . . . . .242 The New Achilles Heel: Assessing the Risk It Imposes . . . . . . . . .245 The Critical Imperative: Continuous Measurement of Preparedness 247 Packaging a Program to Make Risk Mitigation an Enterprise Reality . . . . . . . . . . . . . . . . . . . . .248 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253 Chapter 9 ESM Architecture. . . . . . . . . . . . . . . . . . . . . . . 255 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256 What Is ESM? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256 External Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257 Malicious Insider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .257 Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .258 Beyond Log Collection . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . .258 ESM at the Center of Physical and Logical Security Convergence . . . . .259 Common Access Cards and In-House Security Monitoring . . . . . .261 ESM Deployment Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .263 Standard ESM Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .263 High-Availability and Geographically Dispersed ESM Deployments .268 The Convergence of Network Operations and Security Operations . . . .271 People and Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272 Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .286 Chapter 10 Log Collection . . . . . . . . . . . . . . . . . . . . . . . . 289 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .290 National Institute ofStandards

  and Technology (NIST) Special Publication 800-92 . . . . . . . . . . . . . . . .291 Log Normalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292 Log Severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300 Log Time Correction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302 Log Categorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303

  Contents xix

  What to Transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305 Raw Log Data and Litigation Quality . . . . . . . . . . . . . . . . . . . . . .305 Payload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308 Data Reduction at the Log Connector . . . . . . . . . . . . . . . . . . . . . .312

  Flexible Field Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313 Log-Filtering an Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . .313

  When to Transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315 How to Transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318