By Deborah Gage | Posted 2004-10-01
When insurance broker AGIA had its Web site hijacked, other vulnerabilities in its network became apparent. A marketing executive tried to close the cracks.
Making an End-Run
When Tyson asked Boswell if he would install a new security appliance that would scan AGIA's network for vulnerabilities, and do so right away, Boswell said no; the network wasn't ready to be tested. So Tyson, who already had the appliance picked out, wound up making a corporate end-run around Boswell and appealing (successfully, it turned out) to CEO Wigle.
Cybersecurity is a young field, and much of the technical innovation is coming from first- and second-generation products, says Jon Oltsik, an analyst with Enterprise Strategy Group. Smaller companies may use free open-source tools like Snort and Nessus, but those are notoriously difficult to manage. Nessus, for example, scans networks for flaws the way a hacker would, by shooting bad data packets at them to see if they can be exploited.
Tyson talked with his own Web developer, Jim Mannix, about using Nessus, but did a Web search and found a startup called PredatorWatch instead. PredatorWatch's strength, says Oltsik, is that it has "baked" open source modules into a package suitable for companies whose technology staff has to handle security along with everything else.
The appliance, which runs on a secured version of Linux, finds IP addresses and scans the hardware or software associated with them for Common Vulnerabilities and Exposures (CVEs), a federally funded list of flaws maintained by the Mitre Corp. When it finds flaws (a Web server with an extra open port, for example, like the one that attackers probably used to take control of the hosting company's server), it can flag them. PredatorWatch also integrates with automated patch management software and issues reports classifying vulnerabilities by severity. Each is identified by IP address and can include likely scenarios of attack, suggested remedies, and any impact on a company's regulatory requirements.
Tyson had never heard of PredatorWatch, and when he called he was surprised that CEO Gary Miliefsky himself answered the phone. But PredatorWatch was an IBM business partner with three customer references, and Miliefsky was accustomed to taking calls from distressed executives.
Boswell resisted. He, too, had years of experience with cybersecurity, and wasn't convinced that PredatorWatch had the best approach. He had sent questions to Tyson: Who'd maintain PredatorWatch? How would sensitive reports be kept inside the building? How would AGIA's network handle potential traffic?
At AirTouch Cellular in the 1980s, Boswell supervised engineers who would hack the Sun operating system so they could install their favorite tools. Occasionally the network would crash. Boswell feared PredatorWatch would behave like Nessus, which is also known to crash networks, and he didn't know how much stress AGIA's network could take, particularly with the traffic already generated by the new Cisco phone system.
In retrospect, Boswell also admits he felt his job would be on the line if PredatorWatch discovered vulnerabilities in AGIA's network that should have been caught by his department.
So that's when Tyson made his end-run, bypassing Boswell and going to Wigle to make his case. Waiting until 2005 was unacceptable, Tyson argued; AGIA had to do something immediately. Wigle gave him the go-ahead.
With no choice but to go forward, Boswell negotiated the terms of PredatorWatch's installation with Tyson. They agreed that the box would run once a month on Sunday nights, when network traffic was low, so Boswell would have ample time to monitor its effects. Mannix pointed PredatorWatch at three Web servers and within a half-hour, the box was issuing reports.
As Boswell had feared, it found vulnerabilities that his department didn't know about: open ports, an out-of-date service pack for SQL Server, and unauthorized write permissions that would allow intruders to place files on one Web server.
But Boswell's biggest fear, that he'd lose his job, never materialized. He thinks that's because he was able to fix everything PredatorWatch found. Also, he says, "Nothing was so bad that it kept me awake."
In fact, Boswell is now happily in charge of PredatorWatch, which he upgraded to an IBM xSeries server so it can scan the entire enterprise: so far, over 50 servers, 300 workstations and the Cisco phone system, as well as laptops brought in from outside the building. Although he declines to reveal what new security products he's adding, Boswell says PredatorWatch's reports on vulnerabilities found and fixed make it easier for him to make the case to his boss, the chief financial officer.
Tyson, meanwhile, says AGIA is ready to expand its business on the Internet, whenever the rest of the insurance industry is ready to make the leap.
AGIA Base Case
Headquarters: 1155 Eugenia Place, Carpinteria, CA 93013
Phone: (805) 566-9191
Business: Sells, markets and administers insurance programs for affinity groups such as the National Rifle Association; aggregate membership of over 40 million.
Chief Marketing Officer: Bill Tyson
Financials: National, privately held company with 300 employees.
Challenge: Expand amount of business done online while protecting customer information from cybersecurity breaches, at an affordable cost.