Making security make sense: A conversation with Merike Kaeo
Merike Kaeo is a network security consultant and author of the book “Designing Network Security,” which was just published in its second edition by Cisco Press, a division of Cisco Systems. She worked for Cisco from 1993 to 2000, during which time she was a lead member of the company’s network security initiative. She also previously worked at the National Institutes of Health, where she designed and implemented an FDDI backbone at the NIH campus in Bethesda, Md. Telephony chief correspondent Dan O’Shea talks to Kaeo about the purpose of her book, increasing interest in network security and why companies still need to better educate their users about security issues.
Q: Why did you write the book, and who should be reading it?
A: In about 1996, I started looking very seriously at security standards, and realized that network security means different things to different people. To one person, it’s a firewall; to another, it’s practices and policies. The book tries to reach all kinds of network operators--corporations as well as telecom operators. Some companies know what they need in terms of network security and some don’t even know where to start, and the book is intended to help them get through the hard work of doing a risk analysis and putting together that initial security policy and document. The initial aspects of creating that document can take up to two or three months.
Q: Are companies still not taking network security seriously—even after 9/11?
A: Nobody wants to pay for security. It used to be the thing companies always were struggling to budget for--an intangible, like insurance. Security is definitely not going by the wayside anymore. There has been much more attention paid to it, with 9/11 raising the bar. It helped corporations realize they are at risk for almost anything happening, and that they should do some kind of risk assessment to figure out how significant that risk is and what’s at stake. Will you just be embarrassed if there’s a breach, or could you go bankrupt? It comes down to quantifying the risk.
The kind of stuff that’s still not being done is the simple stuff: People don’t use passwords, aren’t careful with them and don’t change them as often as they should. I was just on an elevator in a hotel and someone riding the elevator gave one of his passwords to his co-worker, who was also on the elevator. They were both wearing badges that said the name of their company. There is an awful lot that I could do with that information if I wanted. I think passwords should only be used once.
Q: Isn’t there a trend toward the hiring of chief security officers to manage the policy and employee adherence to it?
A: CSO positions started getting created a couple of years ago, and part of the role of that person should be the social engineering aspect of network security. Many corporate workers simply don’t understand how critical it is to follow the policy, and do the simple things, like creating a network password that doesn’t have their name in it. All employees should go through security training. Someone should be making sure that telecommuters who aren’t in the office are following the policy. Companies need awareness training. Even small companies that can’t necessarily afford to hire a CSO or a security expert should try to send at least one employee to a network security conference where they can get some information. It’s training the trainer. Then, that person can come back from the conference and spread the information throughout the company.
Q: What role can telecom service providers play in helping their corporate customers design network security plans?
A: Telcos and ISPs can provide the awareness campaigns for their customers. They can also provide intrusion detection solutions. The awareness is something some of them will provide for free, as a necessary part of serving the customer. Most telcos, except for the smallest ones, are really picking up on network security at this point.
Having the awareness is very critical with the growth of wireless networking. Wireless networks traditionally have been built the way the Internet was built, with no security in mind. It was only later that security became important as companies looked to control access to the Internet. For wireless and Wi-Fi, the security protocols are still being defined. Wireless networks are easier to access and more stringent criteria should be required for access.
Many small companies might not address security in the first place because they don’t know where to get started, or who to ask for help. Putting together that initial policy is the hard work, but you really do need something.
© 2012 Penton Media Inc.