Client: EY

Topic: Internet Security

Content Types: Brand Storytelling, Interview, Case Study

CLIENT NEEDS: Ernst + Young wanted greater visibility and growth for its online security products and services. To reach prospective B2B customers, it needed to flesh out success stories with its current clients.

DELIVERED: After researching EY’s product data and interviewing internal and external stakeholders, created a series of interviews with EY executives, paired with client case studies. A sample from this series is below.

Security Innovations For The New Economy

Reliable security is crucial to online businesses. Meanwhile, flaws in software and hardware are increasingly compromising system protection as hackers refine and propagate their techniques. Jon Darbyshire, CEO of, an eSecurity venture of Ernst + Young, recently discussed the future of managing e-commerce and corporate security.

Q: Tell us about your new product.
Darbyshire: We created with the goal of becoming the Internet portal for corporate security professionals looking for answers to security-related questions as well as free access to security-related news, jobs, white papers, mailing lists, events, training, and products. We have developed innovative online service delivery and electronic management of security services and solutions–all of which we see as a major market direction.

Q: What has driven the need for online delivery and management of security services?
Darbyshire: It might surprise people to learn that when EY is hired to perform what’s called “attack and penetration” work–electronically breaking into companies to test their security–more often than not, we succeed because one of three basic security steps has weakened the system. One, the company relies on default IDs and passwords; two, there are inherent software vulnerabilities; or three, the company’s software and/or hardware contain misconfigurations. Because these problems are so common, clients can employ our technology, security research, and resources toward huge financial benefits for themselves. Ernst + Young makes these resources and services available through

Q: Describe these online services.
Darbyshire: Let’s take the issue of software vulnerabilities, the documentation and repair of which are the most important aspects of organizational network-risk management. Our Online Vulnerability service addresses this. It’s available through as a complete, customizable database of more than 2,200 known vulnerabilities and their solutions. Once an organization inputs its various assets, our service will display every known vulnerability for that configuration. This is valuable in that it lets a company run customized reports that detail its leading vulnerabilities and how to fix them–as well as its network risk levels.

Q: How are you addressing the other concerns of risk management?
Darbyshire: also offers Minimum Baseline Standards, a service designed to assure an organization that specific system configurations–operating systems, databases, and devices–are implemented according to best practices. For instance, there are 106 documented control standards to properly secure Windows NT out of the box. Without these standards, an organization can open itself up to unnecessary risk. The Minimum Baseline Standards program enables users to identify, evaluate, and manage the implementation of security best practices.

Q: Aside from the online delivery model, what security consulting services does EY offer?
Darbyshire: EY offers world-class e-commerce support, infrastructure, security, and IT risk management services. An organization may decide it wants an outside party to come to its company and assess the state of its security profile. Our Security Profiling Services perform a top-to-bottom assessment of an organization’s external and internal access, creating a blueprint of its vulnerabilities and giving detailed recommendations to reduce the identified security risks. Then, by developing a world-class security architecture, we address the causes of systemwide vulnerabilities, taking business, operational, and IT strategies into account. EY offers companies the flexibility, resources, and experience they need to meet their e-commerce imperatives.

Case Study: USi

Known for creating the application service provider field, in which business applications are outsourced over the Internet for a flat monthly fee, USi understands the potential power in leveraging other businesses’ resources. So it made sense when the company decided to subscribe to the eSecurityOnline Online Vulnerability Service in order to identify and mitigate the vulnerabilities inherent in its infrastructure and software.

Ty Gast, senior security analyst with USi’s Information Assurance Group, says, “Now, instead of having to continuously scour multiple-vulnerability websites and hacker havens, eSecurityOnline offers all of these sources in a single interface, prioritizing vulnerability data and customizing it to our security architecture.”

USi has found the ability to extract the results of this research and analysis in customized reports invaluable. Ron Freedman, VP of Information Assurance at USi, believes that “there’s no way we could possibly duplicate the research capability that eSecurityOnline has.” As for the difference the Online Vulnerability Service has made in USi resources, Freedman says it’s “just an enormous time and resource issue that we have been able to avoid in our own staffing requirements. The savings are enormous, and so is the peace of mind.”