Software Security – Where and How to Implement

Gary Daemer is the founder and president of InfusionPoints, a company out of Wilkesboro that provides secure business solutions. Gary has vast experience in software security and has worked for the federal government as well as for big names in the private sector. He has developed the enterprise identity and access management for the United States Treasury. He has also worked for Lowe’s, AT&T, Booz Allen Hamilton and for American Management Systems where he served as Director of Information Security for Federal Services.

Software and network security is a decades-old problem. Since technology advances so fast and we know so much more than we did in the beginning, why haven’t we reached nirvana in security?

GD: Simple. Take the famous Donald Rumsfeld quote: “There are unknown unknowns!” In other words, you don’t know what you don’t know, so then how can you secure it? Security is about threats and that means Unknown Unknowns.

The problem is people. Many times, it’s the arrogance of the start-ups that don’t see the benefit of investing in security and think that it will never happen to them. They hire sys admins or programmers that are not qualified or have no real experience.

It’s about matching the skills. Having the right skills and the budget. In essence it is a people and configuration problem. Security is not a point in time but an ongoing operation. That is how we ought to look at it and how it should be implemented.

Apart from the human link, what other issues have you encountered most often in your career?

GD: Auditing and monitoring are two major issues. It’s not enough just to put security in place. Every company must undergo constant monitoring with special software and also perform yearly auditing. Take the example of The Great Wall of China. Eventually, it was breached not because it was weak but because there weren’t sufficient people on the watchtowers. In our case, that translates into monitoring. We must constantly monitor our systems, check them and fix or patch and close any weaknesses found. I’ll give you another example: Equifax suffered a massive breach just because of failure to patch a two-month-old bug. The patch was available but nobody applied it on time and so they paid the price. It can happen to anyone.

Protecting the physical side of the systems is also critically important. We had a client in Europe and one day we weren’t able to access to server over there. We’ve sent a person down to check the system and lo and behold, a hard disk was missing. Somebody went in and physically stole the hard disk from the server. For companies that have a physical server, they need to put measures in place so that access to the physical server is absolutely restricted and monitored 24/7.

Is software security a design problem or a matter of choosing the right settings?

GD: Well, it’s both, but the basis is that software must be designed with security in mind. It must be designed properly and configured properly. When we go in, we normally ask to see an inventory. A lot of businesses don’t know what systems they run. Many people don’t have a clear view of what they have. If you don’t know what systems you run and where all your data is… how can you secure it? How can you protect it?

John Chambers, the former CEO of CISCO said: “There are two types of companies: those that have been hacked and those who don’t know they have been hacked.” How would you comment that?

GD: Well, I can only speak from my experience. Unfortunately, I have to agree with Chambers. Out of all the clients that we have had so far, only one has not suffered a breach. And the reason this particular one was not breached is because they got us in at a very early stage, and we took care of their systems and security.

Let’s say young entrepreneurs or anyone that has just started a business does not have the money to invest in security and data protection. What options do they have?

GD: Security is not very expensive. This is again a matter of concept. Security is not expensive if it’s done from the beginning and you grow it with the company. You don’t have to put a Cadillac in place at the beginning. A Volkswagen may suffice, and as time goes by and the business grows, then you increase the budget for better systems and better security. It’s simple. Benefits will surely show, trust me. Later, it would cost you more if you don’t do it from the beginning. Much more in money, clients, and reputation.

Will the problem of security be gone if we move everything to the cloud? Amazon or Microsoft will take care of that, won’t they?

GD: Cloud gives people a false sense of security. So, AWS and Azure that you just mentioned, they do indeed protect their infrastructure, but clients still have to protect their applications and systems that plug in to the infrastructure. You need certified people to do it and professionals with good reputations. You wouldn’t connect your newly built house to the water system by yourself, would you? You would hire a licensed plumber to take care of that.

It’s the same principle that applies to cloud technology. You have to get professionals to do it if you want it done properly and to be secure. But there is another aspect to it. You see, for example, the USA is a secure country. The borders are secure, the airports are secure, in fact, very secure. But you still have to lock your house and your car. It’s the same with the cloud: you have to secure your data and your systems even if they are in the cloud.

This is the reason why our company is called Infusion Points. We infuse security into all points, and we monitor our clients’ systems. That is how you provide and maintain security!

May we ask you why you chose this particular location and not a fancy office in Uptown Charlotte for your business?

GD: I’m a community guy. I care about my community, so I bought and restored this building, and I hired about 25 local people. I like investing in my community, and it gives me a great sense of satisfaction.