Internationally Recognized, Widely Respected Security Authority and Editor of Secure Enterprise

This week, Stephen Ibaraki has an exclusive interview with INTERVIEWEE.

This week, Stephen Ibarakihas an exclusive interview with noted security authority and editor, Mike Fratto.

Mike Fratto is Editor of Secure Enterprise. He previously was a Senior Technology Editor with Network Computing and Executive Editor for Secure Enterprise. He had been with Network Computing for 7 years and has been following the security beat for the last 5 1/2 years. He has spoken at several conferences including NetWorld+Interop, MISTI, the Internet Security Conference, as well as to local groups. He also teaches a network security graduate course at Syracuse University. Prior to Network Computing, Mike was an independent consultant. Mike can be reached at mfratto@nwc.com.

Discussion:

Q: Mike, with your long history of accomplishment in information technology and in the security arena, we are very fortunate to have you do this interview. Thank you!

A: Thanks Stephen.

Q: Describe the events that led to your work as an independent consultant.

A: I was majoring in philosophy at Towson State University when I picked up my first 8088 clone to write papers. I eventually started programming and learning about remote communications. I ended up talking with a few organizations that had remote offices and were paying people to save data onto diskettes and mail them back to a central office. I figured I could do it cheaper and faster. I developed some custom programs using a communications package called CrossTalk Mark 4 where I could launch programs remotely on computers via modem, and retrieve the output. I spent a lot of time hacking DOS programs (hacking in the fun and creative sense, not the criminal sense), talking to developers, and building screen scrape routines. It was pretty rare knowledge and there weren’t a lot of people who could do it.

Q: What important lessons can you share from that period?

A: That I could bill out big dollars for having fun! Seriously, I found that people will pay for specialized knowledge and skills but even in a technological field, you need to put people first. The work I was doing was pretty rare, but it wasn’t rocket science. Anyone who ran a BBS system at the time (the late 80’s) could have done the same thing. I kept getting business because I was good at what I did. I was fair to my customers, and I didn’t nickel and dime them to death.

Q: How did you get into writing for Network Computing?

A: I moved to Central New York to be with my wife and started going to Syracuse University’s School of Information Science and Technology. I took a course with Dave Molta, who is now a Senior Technology Editor, with Network Computing. He introduced me to Bruce Boardman, Executive Editor for Network Computing, and he was testing remote access servers. We got to talking about modems and my experience and he asked me if I wanted to freelance. I liked the work and the people, so I freelanced through my last two years of college and then went full time.

Q: How would you differentiate your work as Editor and Senior Technical Editor?

A: As Technology Editor, I was pretty focused on understanding the market space I followed, first remote access, then security, and understanding the products within that market, and understanding what the products claimed to do. Then I had to figure out how to test them. I had to look at products not from a feature standpoint, but from a solution standpoint. I had spent quite a few years consulting so I naturally evaluated products as if I were going to have to live with them for the next few years. So I evaluate products according to their utility. I also had to keep in touch with readers, people who were my peers, to understand what issues they deal with.

As Editor, I still do testing, but I also drive the content of the magazine, the articles, and other external events that help us reach our readers, for instance, working with CSI to run presentations. I also monitor the overall quality of articles, and generally oversee the big picture.

Q: Why should our audience faithfully read Secure Enterprise? How does Secure Enterprise provide competitive advantage? You reach 45,000 professionals; how will you drive growth over the next two years?

A: You should read Secure Enterprise because we are good at what we do. The people who write for Secure Enterprise are former or current IT and security administrators who understand the problems that readers face. While I haven’t been in IT administration for years, I do keep in touch with peers. Joanne VanAuken, who started in October of 2004 has several years experience in IT operations and security. Nearly all of our freelance writers are in senior level security and IT positions and have a great deal of hands-on experience at solving problems. Secure Enterprise is tightly focused on delivering the information that security professionals need to do their jobs. We try to help readers understand their role in the organization and how they can add value to projects. We also help them understand how technologies solve problems and, through our reviews, help them select a short list of products that solve those problems. We provide practical advice on leveraging existing and future products through out the enterprise.  That’s a pretty tall order, but we have the people who can speak to the issues.

I can’t get into details about future plans, but in general, I hope to be doing more with key shows and groups and really just figuring out how to reach readers. CMP is behind Secure Enterprise, and we’re ready to rise to the challenge.

Q: Congratulations on the 2004 Maggie Award. Can you comment?

A: It is great getting an award right out of the gate and the Maggie was for best supplement. In 2004, Secure Enterprise became a stand-alone magazine with our own subscribers and editorial staff. We still have a very tight relationship with Network Computing largely because we share lab space and we have similar editorial goals. Hopefully we can continue to win more, but what is really important to me is to be a value to our readers. If we are successful there, Secure Enterprise will be successful.That is the award that I want.

Q: Overview your top stories from 2004 and provide us with an editorial glimpse into the top stories for 2005.

A: A lot of our stories in 2004 centered around core issues of securing data at rest and data in transit and that is still important. In 2005, we will continue that trend with reviews of firewalls, SSL VPN gateways, and web application products. In addition we will have articles surrounding business and policy issues to help round out our readers’ arsenal.

Q: What is the future of publishing, the Web, RSS, and Blogs? What are the interrelationships between these and other technology areas?

A: I can’t say that I have given this much thought, but why should that stop me from prognosticating?  RSS is just a way to feed content—everything else around RSS is just wrapping. Since the web explosion, there have been many attempts to customize the information experience. RSS is a way to share that information portably.

Blogs are interesting, but I can’t say that I really participate in them much. Functionally, Blogs seem like really easy ways to build content. With both web and blog content, the fundamental problem is understanding the authority that a person has to make factual statements. I don’t see blogs generally replacing the authoritative content that trade magazines and the press offers. There are certainly blog authors who have set their authority just like there are some journalists who have done the same, but really, a blog is kind of like a structured cocktail party.I do see blogs as really good opinion vehicles and really good at pointing out locations for interesting information. It makes web publishing more accessible.

Q: You choose your top five most important topics areas and provide your views and forecasts in these areas:

A:  In no particular order:

Area 1: Network access control, which I define as the capability to intelligently grant access to nodes based on their condition. Typically that means that an agent compares the status of the workstation OS, patch levels, security software running like AV, firewalls, etc and their patch levels, your identification, location, and other conditions about the workstation, and then lets you on the network, quarantines the workstation, or limits access to just certain parts. To be really useful, network access control system has to handle both scannable and unscannable devices.

Ideally, the enforcement is network based and is as close to the target host as possible, such as putting a switch port into a VLAN, or blocking MAC addresses. There are lots of solutions out there from Cisco, Enterasys, Alcatel, Nortel, 3Com, and HP. They all claim to be able to manage Cisco gear primarily through SNMP. Regardless, I don’t know if the products are deployable in a large scale yet, but products are coming.

I do think that the network enforcement of access based on the condition of the host is possible in the next few years because vendors have been pushing hard developing the basic technologies. Initial enforcement technologies have been in VPN gateways, wireless AP systems, and client for at least 3 years and companies have been using them in limited deployments. The big infrastructure vendors like 3Com, Alcatel, Cisco, Enterasys, and HP have roadmaps for supporting enforcement in switches and routers. Vendors will need to make the deployment as low impact as possible, design management structures that are flexible enough to adapt to organizations while adequately enforcing access restrictions, and make them integrate with existing infrastructure as much as possible.

Area 2: Remote access is still a hot topic and all the rage is SSL VPN. While SSL VPN does solve many of the problems of IPSec, like the client issue and NAT traversal, there are still several problems that SSL VPN vendors need to iron out.

The first one is improved support for client side dynamic URL creation. Unlike IPSec VPN which routes traffic on the client based on the destination, SSL VPNs have to re-write the URL’s in a web page from how they are served from the server to point back to the SSL VPN gateway. That is not hard since HTML is well understood, but client side manipulation using Javascript or DHTML means that the URL’s are altered on the client. When that happens, the resulting URL ends up pointing to the destination server and not the SSL VPN gateway. Oops. SSL VPN gateway vendors have supported common web applications like OWA, Notes WebMail, and a few others out of the box, but custom applications typically means that the vendors engineers will have to crawl the site and figure out how to re-write the URLs. Whale Communications e-Gap SSL VPN exposes all those nitty gritty details and even a cursory glance at the processing rules shows that building those rules is not something your average administrator is going to do. You’re going to need professional services. That is a roadblock because it adds time and cost to any deployment and if you make a change to the web app, you may need to change the processing rules. One more item to track.

The second big issue with SSL VPN is supporting non-HTTP protocols. In general, non-HTTP protocol support means downloading and executing an ActiveX or Java applet on the client that acts like a local redirector. The logged in user often needs administrator rights to gain the required privs. The next issue is redirecting the destination connection over the SSL VPN. Typically this is done using DNS by modifying the local HOSTS file to point domain names to addresses on the localhost netblock. Again, you need Administrator privs to accomplish that on Windows.

Finally, third, I am not convinced that ubiquitous clientless access is really desirable for organizations outside of web mail access. I could be wrong but the idea that someone is going sit at a public kiosk and fire up some application in a browser just doesn’t make sense. But the big issue that SSL VPN gateway vendors need to address is the cache problem. Remember that web browsers cache content locally to speed up responsiveness. Directives can be added to tell the browser not to cache content, but as a security admin, you can’t really trust that the application will actually follow those directives. Do you really want to leave behind all that company email on untrusted computers with Googles desktop search? The cache problem is often being solved by creating safe desktops that delete cached files once the session is closed. So if clientless access is such a big driver, then vendors need to figure out how to provide a protected environment on untrusted computers that doesn’t require elevated privileges to create.

Area 3: The role of the CSO and security administrator is changing, or should be changing. As you move up through the organization, many more of your duties concern people more than technology. You have to spend more time building bridges between your self and others. You can’t simply fight and push projects through. Everything becomes a negotiation and successful negotiators know how to give and get so that everyone comes out better for the deal.  

Area 4: Figuring out value of security purchases is always difficult because the metrics that folks think they are familiar with, like ROI, are pretty difficult to calculate and predict for products that don’t really have a return. Some security purchases do have pretty well-defined returns. A patch management system saves system maintenance time or an identity management system streamlines user management and reduces helpdesk calls. But what is the return of a firewall? Or an IDS? Or a token authentication system? You can articulate the benefit, but what about the value? Doing so requires knowing how to sell the benefit of security purchases to the organization and how to show ways that purchases add value. Compliance to the regulation which lessens the likelihood of a fine is one way. Leveraging a token authentication system across multiple applications can spread the cost. There are lots of ways to show the value of security purchases.

Area 5: The core issue is understanding the problem you are trying to solve, and that is difficult. You have to do the analysis, figure out what the weaknesses are, and figure out how best to remediate the weaknesses without negatively impacting the process. But if you pinpoint the wrong problem to start with, you’re screwed.

Q: What are your top tips to sustain accomplishment based upon your considerable career successes?

A: My mother and grandmother ran a pre-school and until I was maybe 10 or 11 years old, I thought everyone worked 6 days a week. So I work hard. But I also know that I need downtime away from work, so I make sure that I do that as well. I know the expectation is to be connected 24 hours a day and ready to jump in at the drop of a hat, but that leads to burn-out and ineffectiveness.

Be willing to say yes. IT and security are services to the organization, so we should always be willing to look at how we can enable new projects. If you have a problem, there is probably a COTS product out there or an alternative. Say yes, figure out how later.

Be willing to say no. This is often harder to do, but sometimes you just have to say it and give your reasons. “No mister line manager, you can not source your own web application. But, you can source it through us, and we will help you spec it out and integrate it with existing systems. This will be a win for you and me.”

Ask questions and don’t let go until you understand the answers. When you’re working on a project, leverage the expertise of the people around you. People are usually willing to help, and you don’t need to go it alone. So ask questions of the people you work with. I hate to use the cliché, “The only stupid question is the one not asked,” but it’s true. Every time I got burned on a project, it’s because I didn’t fully understand the situation, and I’d moved forward with well-meant but incorrect assumptions. Asking questions can mitigate that.

Attend to the details. Seemingly minor things can have a huge impact. For example, I was recently testing an SSL VPN gateway. I integrated it with my Active Directory, but I like to have local admin accounts on the device so that in the event the device can’t talk to AD, I can at least get access. I configure every network device that supports simultaneous local and remote user accounts in this manner. So I didn’t see a way to add users to this gateway and I asked the vendor and they told me I had to SSH to the box and manage local users that way even though they had a web management UI. When I asked them why they didn’t have local user management in the UI, they said their customers use centralized user databases and they didn’t have customer demand for that feature. Now I certainly understand and advocate the power of centralized user management, but support for local user management is a couple lines of Perl, even I can do that. The lack of local user management wouldn’t be deal breaker, but it tells me that the vendor isn’t attending to details.

Unless you’re self-employed, your job is a job, it’s not your life. This goes back to my first point. The world will continue to spin if you take a sick day or vacation and don’t check email. Leave work at work and you’ll be all the better for it when you get back.

Q: It helps in strategic management to perform periodic environmental scans (what is happening internally within your business and externally outside of the business). Taking your considerable experience into account, what events continue to “amaze” you?

A: I am amazed at how often vendors aren’t aware of their competitive landscape and this observation applies to vendors large and small. In briefing after briefing, many vendors are either not current on what their competition is doing or they are just not aware.

I can’t tell you how many times vendors will respond to feature requests with, “When customers ask for it, we will add it”. I am not talking about whacky stuff either. Give me a searchable log so that I can troubleshoot problems, for example. That’s the difference between a leader and a follower.

I am always amazed there are known vulnerabilities residing in clients and servers months, sometimes years after they have been announced and patches are available. I understand patching is a very complicated and non-trivial issue, but at some point you need only look in the mirror to see the problem. I have talked with a few companies, and others have related similar stories to me, that have never been disrupted by a worm because there is a good working relationship between IT, security folks, and business line managers. When something needs to get done, it gets prioritized and executed.

Q: Share with us a humorous story?

A: I went on a consulting gig with some consultants I know while at Network Computing to a company that wanted to improve their practices. We get to the site which was in a shared office building. When we got off on the clients floor, there was no reception area. Just two locked doors for the restrooms (locked with card readers) a blank metal door, and door that was blocked open into their machine room. We walked in trying to find some one and eventually found an intercom. We met and did a preliminary survey of the company. At the end of the day, we met again, and the CEO asked what our initial impressions were and what could they do to become more secure. One of the consultants suggested putting the servers in the restrooms because those were kept locked while the machine room was wide open.

Q: Explain your top 10 tips from the network security graduate courses you teach at Syracuse University.

A:
1) Some knowledge is dated, and some isn’t. Students think anything technology-based from 10 or 50 years ago is useless, but some of the most important thinking was done then. Pay attention to what people before you have done and said.

2) You can’t prepare enough for papers and presentations.

3) Ask your instructor or professor questions. That’s what they are there for.

4) You don’t need to be a network guru to succeed in the security profession, but it helps to have a pretty solid understanding.

5) The best students relate class work with other class work and work on their jobs. They are all tied together.

6) Don’t get too hung up on grades. What is important is what you learn.

7) Take chances in classes. Risk an original thought, even if it’s not what the rest of the group is saying.

8) Remember, graduate schools are not tech schools. You are probably going to need to do extra-curricular activities to gain technical knowledge.

9) Take some classes outside of your concentration. You’ll be a better thinker for it. (Recall, I started out in philosophy…)

Question everything.

Q: With so many conference choices, which ones would you recommend and why?

A: Well, I like NetSec and the fall CSI Conference not only because they are CMP events, but because the tracks are very well done and most of the presentations are given by security administrators and CSO—peers of the attendees. In the presentations that I have done at CSI, the response from the attendees has been great and I often abandon the slide show because the questions from the audience drive the direction. Also, very few of the sessions are presented by vendors and those vendors aregiven strict guidance to not pitch product. I liked MISTI when I attended a few years ago. It’s a lot like CSI. I go to RSA, but that is more of an industry show and it seems to me that more and more of the sessions are given by vendors these days.

I haven’t had the pleasure of BlackHats or DefCon, but maybe this year. I have also heard really good things about CanSecWest, but it is an uber-geek security show.

Q: Where do you see yourself in the short, medium, and long term? Can you define these time periods?

A: Hah. I haven’t thought that far. Right now I am just fitting into my role as Editor. Being an Editor of a magazine is vastly different from being a Technology Editor where I was focused on testing products. But in the coming year, I am really looking at maintaining good editorial, building up a base of freelance editors from IT, and managing the direction of the magazine. Medium term I am looking at growing the book and trying to figure out new ways to reach readers. Long term, who knows. Maybe in a few years I will chuck it all in and open a kayak shop on the Chesapeake Bay.

Q: What are the five major challenges before businesses and IT professionals and give us your perspective on their solutions?

A: The biggest challenge that I hear from people is that they are so busy putting out fires they don’t have the luxury to really get a view of the security needs of the organization. That problem manifests itself in a few ways.

First, the role of the CSO really needs to be an executive position that reports to the CEO, not the CIO. The reason I say this is because in order to get the security programs pushed out to the organization, the CSO needs (1) to have the authority to make organization wide decisions, (2) to have the view of the organizational goals as other executives, and (3) to have input at a high level to ensure that adequate protection measures are in place as the organization moves forward. If the CSO reports to the CIO or CFO, then those roles have to be boardroom advocates for the CSO. That is just inefficient.

A related challenge for security professionals is to realize that security, and IT, performs a service to the organization and as such they need to think about how they can support organizational needs. If you want to call IT a profit center, then your customers are the departments that rely on you to provide IT and security services to them. The organization is not there to support IT. I know there are a lot of organizations that have antagonistic relationships with IT and I can’t hope to cover all the nuances and complications here. If you’re in the mode of thinking “I need to lock down these applications and the network and not let the bad stuff in” try changing that to “How can we deploy these applications in a secure manner?” In the former view, you’re the enforcer and that is naturally antagonistic. In the latter, you are collaborative, and naturally helpful.

One of the problems of antagonistic IT relationships that plagues security administrators is the rogue IT project which could be anything from departments and people deploying wireless access points to full blown applications sourced and deployed wholly outside of IT. Once the project is discovered, it usually falls to IT to now support them. If you have rogue IT projects in your organization, then there is a pretty fundamental problem within your organization that is not being addressed. I am not laying blame on IT at all, just pointing out an observation.

Another issue is not seeing the big picture. This leads to not solving the right problems. Technologies, such as IDS, IPS, Anti-Virus, and firewalls to some extent, are reactive measures commonly used as band-aids and not deployed as a cohesive strategy. Technology decisions should be the very last thing you think about when trying to improve security. The first thing should be an analysis of the systems, its weaknesses, and the functions and features required to strengthen the system. Then you go look for the technologies. However, that kind of analysis takes time and money to do, both rare commodities.

Now it’s seemingly easy to pass out answers and observations and I am admittedly simplifying a great deal, but the general principles I think are valid. Look at problems from a systems and solutions point of view, present your services as a service rather than a hurdle, and get the authority if the CSO as high in the organization as it can go. Those three things will really help to get security processes and programs in place.

Q: What are your top tips for our audience of IT professionals? Any pointers on the future job market?

A: Go get an MBA. Seriously. Technical certifications are good, but they are limiting in how far they can boost your career. A CISSP is good, but it’s not going to really help you get that executive position. Graduate degrees from IT schools are good at launching a career, but if you want to move up in an organizations, either for profit or non-profit, you have to understand the business issues. MBA programs are designed to teach you those fundamentals. Business, all business including for profit and non-profit, are all about making money. You can’t really expect to play in that field if you don’t have the basics. You can get that on the job, but an MBA will add depth and breadth.

Q: Any predications about the economy and future IT spending?

A: Not really. From our 2004 Strategic Deployment Survey, we see slight increases in security budgets, but they are still pretty tight, often less than 15% of the total IT budget and I don’t see much of an increase over the years. The key take away, I think, it to look for ways to leverage existing IT deployments first, then look for gaps and fill them.

Q: If you were doing this interview, what three questions would you ask of someone in your position and what would be your answers?

Q1: What is the balance of communication skills to technical skills demanded for your job?
A1: Security is a people job. Successful security leaders know how to communicate effectively through writing and speaking in addition to having technical know-how. This is true is all technical fields. You can know your technology until the cows come home, but if you can’t express your thoughts to others, forget it.

Q2: What do you think is the biggest waste of time in the security field?
A2: Vulnerability assessment and intrusion detection – if you’re servers are patched and properly configured, you won’t need either one. Yet, companies will spend tens of thousands of dollars deploying VA and IDS to tell them what they should already know from desktop and server management systems.

Q3: Of the two finalists, who should have won The Apprentice this season?
A3: Jen. She outwitted, outplayed, outlasted – oops, wrong show.

Q: Mike, with your impressive background in computing and security, we thank you for sharing your deep insights, experiences and wisdom with our audience.

A: Thanks Stephen, it’s been fun.