Return-Path: <sentto-279987-3276-1003812683-fc=all.net@returns.onelist.com> Delivered-To: fc@all.net Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Mon, 22 Oct 2001 21:53:12 -0700 (PDT) Received: (qmail 28654 invoked by uid 510); 23 Oct 2001 04:50:54 -0000 Received: from n14.groups.yahoo.com (216.115.96.64) by 204.181.12.215 with SMTP; 23 Oct 2001 04:50:54 -0000 X-eGroups-Return: sentto-279987-3276-1003812683-fc=all.net@returns.onelist.com Received: from [10.1.1.220] by n14.groups.yahoo.com with NNFMP; 23 Oct 2001 04:52:20 -0000 X-Sender: fc@red.all.net X-Apparently-To: iwar@onelist.com Received: (EGP: mail-8_0_0_1); 23 Oct 2001 04:51:23 -0000 Received: (qmail 65185 invoked from network); 23 Oct 2001 04:51:23 -0000 Received: from unknown (10.1.10.27) by 10.1.1.220 with QMQP; 23 Oct 2001 04:51:23 -0000 Received: from unknown (HELO red.all.net) (65.0.156.78) by mta2 with SMTP; 23 Oct 2001 04:51:22 -0000 Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id f9N4pgq14422 for iwar@onelist.com; Mon, 22 Oct 2001 21:51:42 -0700 Message-Id: <200110230451.f9N4pgq14422@red.all.net> To: iwar@onelist.com (Information Warfare Mailing List) Organization: I'm not allowed to say X-Mailer: don't even ask X-Mailer: ELM [version 2.5 PL3] From: Fred Cohen <fc@all.net> X-Yahoo-Profile: fcallnet Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Mon, 22 Oct 2001 21:51:42 -0700 (PDT) Reply-To: iwar@yahoogroups.com Subject: [iwar] [fc:Managing.IT.security.in.tightly.controlled.nations] Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Volatile States: Managing IT security in tightly controlled nations or turbulent regions can be vexing for IT leaders charged with orchestrating operations overseas. By Deborah Radcliff, ComputerWorld, 10/22/2001 <a href="http://www.computerworld.com/storyba/0,4125,NAV47_STO64920,00.html">http://www.computerworld.com/storyba/0,4125,NAV47_STO64920,00.html> If you've got a network in Russia, you must register your encryption methods and programs with the government. All data and voice traffic in China goes through government-owned switching centers. Cyberactivism, internal espionage and embezzlement are rampant in South America. And in volatile areas like the Middle East, terrorism poses great physical risk to both networks and personnel. If you're asked to set up a network overseas, would you even know where to start? If not, your company could lose valuable intellectual property, be fined or even be expelled for not following the rules, says Perry Luzwick, director of information assurance architectures at Northrop Grumman Corp.'s IT sector in Herndon, Va.. More than 35,000 branches of 2,600 U.S. firms operate overseas today, according to the 2001 edition of the Directory of American Firms Operating in Foreign Countries. And if the Fortune 500 client base of Exodus Communications Inc. in Santa Clara, Calif., is any indication, most businesses don't have staffers with the knowledge IT managers need to set up secure networks overseas, says Bill Hancock, senior vice president of security at Exodus. For example, Hancock cites a client (a "very large bank") that asked Exodus to set up free exchange of information among its sites in Germany, London, New Jersey, Tokyo, Hong Kong and Sydney, Australia. The client's CIO had no idea about the rules governing data security and privacy in the countries involved. Hancock's team started by asking the CIO what type of information the bank wanted to share. The CIO said it wanted international customer access to account information. When the Exodus team started checking the laws in those countries, "it became a very large snowball," Hancock says. For starters, under the U.K.'s Regulatory Investigative Powers Act, authorities conducting criminal investigations can compel an Internet service provider to turn over encryption keys, client data and any additional investigative support they request, Hancock explains. In Japan, private information must be stored in separate systems or files with strict access controls. And in China, encryption is strongly regulated, and all Internet and telephone traffic must pass through specific government connection points. "You have to decide if you even want to park data in some of these locations," Hancock says, "because it may be intercepted and scanned by the government." Who You Know If your organization is moving into one of these regions, a good place to gather background information is among your peers at companies that have already set up networks there, says John Hartmann, vice president of security at Cardinal Health Inc., a $49 billion pharmaceutical and medical services company in Dublin, Ohio, with operations in 23 countries. "If you're in pharmaceuticals, talk to someone who's doing the same business in Beijing," he says. "Or talk to someone in the tech industry who's losing their shirt in Japan." It's likely that those companies can share not only their experiences but also references to international business consulting firms. One that Cardinal relies on is Control Risks Group, a London-based firm that provides geopolitical, investigative and crisis management services in more than 130 countries. For intelligence services specific to IT infrastructure, Cardinal uses a second company, Vigilinx Inc. in Parsippany, N.J., which is staffed by former military intelligence agents. Hartmann, a former special agent with the FBI's foreign counterintelligence squad, knows firsthand the dangers of government-sponsored espionage against U.S. firms. "If you're in China with proprietary computer code or formulas that you need to protect, you should realize that these foreign governments aren't going to protect your IT infrastructure," says Hartmann. "Countries like Russia and regions in Asia openly acknowledge that they steal business information." In China, the main targets for government-sponsored espionage include pharmaceutical, manufacturing, telecommunications and technology businesses, according to intelligence reports and experts. U.S. technology is just as vulnerable in Russia, according to a recent Vigilinx report. "In Russia, when you set up a network, all your traffic - telephones, mobile phones and any electronic computer data transfers - go through points monitored by Russian agencies," says Mike Assante, Vigilinx's vice president of intelligence and a former U.S. Navy intelligence officer. And if you use encryption, you must register your methodologies and technologies to apply for a license, he adds. In some countries, a local representative may be the only way for a business to establish a presence, let alone learn the legalities of setting up network operations there. "I remember trying to get a network connection site into Santo Domingo a few years ago. We couldn't get help from anybody until one of our employees contacted a brother-in-law who worked for the phone company in Santo Domingo," Hancock says. A local tie is particularly important in South America, where business-to-business networking is growing 162% annually, says Jose Alfonsin, vice president of South American strategic alliances at Digital Defense Inc., a security consultant in San Antonio. "In South America, the business culture is such that they don't take too well to outsiders. So if you're introduced by a local, your chance of success is much higher," he explains. Alfonsin, who has had his hand in network operations for many of South America's largest cement and building equipment makers, says encryption controls aren't a problem for most of the continent. But because e-business is relatively new there, risks from underskilled technology workers running vulnerable machines is a big problem. Data protection is further compounded by the high rates of internal espionage and embezzlement. And in some countries, hactivism is rampant, he says. "Local people approach me all the time trying to get business secrets from me," he says. Once, Alfonsin's seatmate on a flight from Brazil offered him a free laptop "if I would just tell him who I was working with and what they were up to." What You Do If an IT manager is familiar with the geopolitically inspired threats in the countries their organizations are moving into, they can better design security policies and controls around these threats. For example, background checks and education, along with regular network security assessments by a tech-savvy outside consultant, will go far to mitigate risks associated with doing business in South America, Alfonsin says. And in known terrorist regions, perimeter security will be your best protection, advises John Braden, U.S. director of managed security operations at Ubizen, a Belgium-based security consulting firm. "Once you do your risk analysis, you have a list of specific things you must be concerned about in that region," Braden says. "Then look at the assets you have and build a team to address each action item." If the risk is too great, IT managers may decide to severely limit what data flows through networks in certain areas, says Luzwick. "You may have to resort to the lowest common denominator," he says. "That may mean delivering hard-copy information for scanning, carrying it out on disk or CD-ROM, or even delivering it from brain to brain, face to face." ------------------------ Yahoo! Groups Sponsor ---------------------~--> Get your FREE VeriSign guide to security solutions for your web site: encrypting transactions, securing intranets, and more! http://us.click.yahoo.com/UnN2wB/m5_CAA/yigFAA/kgFolB/TM ---------------------------------------------------------------------~-> ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:56 PST