Jack Sebbag is never short of war stories. The general manager for Network Associates Inc.’s Canadian division says his staff often find rogue wireless networks at client sites — much to the surprise of CIOs. In addition, clients tell his staff stories of users who disable their anti-virus and other security software in order to make their systems run faster.
Sebbag, who joined NAI in March, 2000, has been the Canadian general manager since June.
He recently shared his views on the state of network security with CN.
CN: How much of Network Associates’ business is from the government?
JS: I’d say 15 to 17 per cent of our Canadian total revenues is from the federal government. If you factor in the provincial governments, where we’re very strong in Quebec, Ontario and out west, and health and education — that’s closer to about 28 to 30 per cent of our revenues coming from that sector.
CN: Is there any particular McAfee product that the government organizations are interested in?
JS: It’s all of them. The government has shown a lot of interest in buying our suite of products that cover the network servers, e-mail servers, Web servers, the desktop, the wireless devices such as PDAs. All of this is managed through a central console tool called ePolicy Orchestrator (EPO), which allows you to distribute updates and report on all kinds of activities on a network. They have very large facilities, very centralized facilities that allow them to know who’s on the latest release, who needs to be updated and so on and so forth.
CN: Of all the non-government business that you get, are there any particular types of companies, vertical markets that stand out, such as banks?
JS: We signed a number of large contracts with banks who are looking to centralize management on the security tools. You’re talking about organizations who have upwards of 40,000 to 45,000 workstations. We’re working closely with them in order to provide them with tools to get anti-virus updates to the desktops and to be able to manage this whole process through one console. Very often we see end-users disabling their anti-virus software, or removing it. What (ePolicy Orchestrator) does is, once people log on to the network, it sees how it’s set up. If they make any changes, it will just reset it back to the way the IT department wants it set. If they try removing (software), it will re-install it on to the workstation. At the end of the day, the CIO is responsible for the network and making sure it’s secure — not the end user.
CN: CIOs have told your staff that their users are removing anti-virus software from the company’s machines?
JS: Absolutely. This is a given. We see it every day. People are taking their laptops home and making some changes because they want their systems to run faster. They’re disabling or removing their software, but the software is there to protect the environment from penetration of malicious code.
CN: Are there any other issues you’ve heard from customers in terms of the threat from users, whether it’s malicious or whether it’s just users doing stupid things?
JS: The things that we see are, a lot of organizations are not doing enough about wireless technology. Some users buy themselves a wireless card at $150 and a remote access point and they’re basically walking around with their laptops in the office and their information is in the air. It’s very easily accessible from a hacker who could be sitting in a parking lot or be driving by, 300, 500 or 1,000 feet away from the building. We met with one very large federal government organization which I can’t name, and we asked them, ‘Is wireless a big issue for you guys?’ They said, ‘No, we only have three or four wireless networks.’ So we turned on our Sniffer wireless tool, and said to them, ‘Do you mind if we turn this on, to let you know how true this is?’ We found 24 wireless networks up and running within the organization. We did the same thing in Toronto, with one of the major banks. They were just amazed at what we found and they quickly put some projects in place to deal with this. A lot of organizations just don’t know how to deal with it yet.
CN: There’s a perception among some users that a firewall is enough protection for the network. Is this something you’ve been hearing from your users?
JS: Definitely. I spend a lot of my time as well as my field reps’ time educating customers on putting in a comprehensive security solution — putting anti-virus on the servers and the desktops, putting firewalls on the desktops so that the hackers are not able to come in. Putting a firewall just at the server is not enough because there are other ways to come in — through a person working at home, for instance, through their DSL or cable modem. Hackers are able to come in through that link into the network and completely bypass the firewall.
CN: If you think back 15 to 20 years, how has the approach to security changed?
JS: We’ve seen security go from being a backroom issue to being a boardroom issue. As a matter of fact, IDC, Gartner, Giga and some of the organizations that have done studies, all show that CIOs have security as one of the top three areas of interest, and they’re putting their money where their mouth is, even though IT spending is flat or lower than last year.
CN: One of the issues that’s come up is enacting policies. Do you think there’s an issue where companies would have the technologies in place but just aren’t enacting the right policies to make sure it’s used correctly?
JS: That’s 100 per cent correct. As a matter of fact, what you see sometimes is people putting out the tools without policy and what you end up having is, without proper education and proper policies, the tools after a while become outdated and are not being updated and people start doing their own thing, buying their own tools — the thing starts to take a life of its own. The first thing to do is to stand back and take a holistic approach to securing the network. Get a study done, do a vulnerability assessment, roll out the vulnerability tools and then manage it. That’s the way it should be done. It’s like a life insurance policy. Rarely do you see a life insurance or theft or fire insurance expire and you say, ‘Oh, I’ll wait a couple of weeks before I renew it.’ You always want peace of mind, and the same thing applies to security.