A Public Sector Communications eMagazine

  

Homeland Security Strategies 


March, 2005 • Volume 3, Number 4

Incorporate A “Continuous Assessment Feature”

Nichols Confronts Risk Management Asymmetrically


By Robert Green, Senior Editor
 

With about 1.4 billion networked CPUs now running worldwide, the very idea of “risk management” gives us pause. In a world where a single vulnerability can translate into a global electronic catastrophe such as Sasser or MyDoom, can risk really be managed?


“When a new computer is plugged in, it is attacked or at least scanned on average in about 3 minutes,” said Izar Shay, CEO of V-Secure Technologies, speaking at last week’s IntelCon meeting in Virginia. If the new system runs 8 minutes without being probed from without, that’s a long time, Shay said.

 

Poorly managed risk ultimately translates into dollars and cents. Damage from worms, viruses and other forms of computer attacks in the U.S. last year alone cost $18 billion, experts estimate.

 

According to one longtime cybersecurity expert, the high level of risk agencies and organizations face can only be successfully managed if security officials take what is essentially an “asymmetric approach” to the problem.

 

Essentially, advises Randall K. Nichols, author, professor and CTO of INFOSEC Technologies LLC, IT security systems must be agile and prepared to turn on a dime as quickly as the hackers, crackers, spies, thieves and terrorists who would assault those systems.

 

Today’s security must not only account for assets, threats, vulnerabilities and countermeasures, but also incorporate a “continuous assessment feature,” Nichols said during a recent interview. The security environment is a dynamic one where the “current situation” might be described by forces that are sudden and not well known and always changing.

 

Also, Nichols said too many organizations have not yet linked IT security to physical security and taken the “holistic approach” that is necessary where real risk management is concerned. And he would know.

 

Through his work with INFOSEC (which specializes in counter-terrorism and counter-espionage) and the University of Maryland University College, he has helped lead “red teams” that have hacked their way into the operational systems of a major oil company (proving they could open pipelines from afar), digitally stopped all traffic in Washington, D.C. by hacking the network of traffic lights, and exposed flaws in pharmaceutical plants, showing how data could be changed so as to “corrupt” drug formulations.

 

“It is not a pretty picture,” he said, noting that America is basically a nation of soft targets just waiting to be attacked through weak and often unprotected electronic systems.

 

Part of Nichols’ message is that risk analysis and management plans must be applied to entire environments, not just the IT back office.

 

Nichols Teaches Seminars May 17-19

 

Nichols will guide agency and organizational security professionals through the many steps leading to better risk management May 17-19 as part of a seminar presented by the U.S. Professional Development Institute (www.USPDI.org) in conjunction with the University of Maryland University College (UMUC) (www.UMUC.edu).

 

The 3-day seminar will approach risk management and homeland security through 8 basic modules, Nichols explained. The strictly nuts-and-bolts sessions will culminate with a Day 3 “hypothetical level 3 terrorist scenario that I call the ‘day after Thanksgiving attack,’” Nichols said, in which the biggest shopping day of the season is exploited by terrorists at the Mall of America.

 

By the time his student-professionals are presented with the scenario, they will have honed their skills in risk assessment and management, applying countermeasures, working up mitigation strategies, hammering out workflow issues, assessing the strengths and weaknesses of cryptography, and examining risk as it specifically applies in the asymmetric homeland security environment, among other issues.

 

Robert Green can be reached at RobertGreen@PubSector.com



Copyright © 2010 Public Sector Communications, L.L.C.
