At the Frontline with Honeybaked Ham’s IT Systems/Security Manager Erik Goldoff

[Editor's Note: SIW's "At the Frontline" shares this interview with Security Technology & Design's "Back Page" column. This month's issue features an interview with Erik Goldoff, the IT systems and security manager for Honeybaked Ham, a franchised specialty food retailer. The interview appeared in the February 2006 issue of ST&D on page 60.]

Name: Erik Goldoff
Title: IT Systems & Security Manager
Company: Honeybaked Ham
HQ: Norcross, GA
Years at Company: 7
Previous Position: 8 years as Computer Specialist with Centers for Disease Control

ST&D: What keeps you up at night?

What keeps me up at night is what I don't know. We've taken a lot of security measures; we are an ethical company and we do always try to do the right thing. There's a lot of stuff that's done in terms of bastion. We're not what they call a bagel network (hard on the outside and soft on the inside), but there are still issues on the inside to make sure things are done properly. So beyond the technology there's still the user education. We keep trying to push that security is not an event, it's a process. And it's tough to keep security in everybody's mind because in a lot of cases security is seen as an impediment to performance. They want to know, "Why can't I keep my password on a Post-It note on the monitor?"

ST&D: So what do you do to educate users about security requirements?

We've got some training that goes with HR in new hire packets. We have an intranet available for employees only (it's not a publicly accessible site) that has a lot of educational material, a lot of what we call tips and tricks. There's a lot of stuff I've learned to bring down to layman's terms out of technology speak, because most people kind of glaze over (when you try to explain things in technology terms). So as an example, way back in 2001 we were trying to tell people how much data we were backing up in gigabytes. And to a lot of people gigabytes is just a word. So we told them that if you copy all the data to floppy diskettes and make a stack out of them, that stack is taller than the Westin Peachtree Plaza Hotel.

Also, we try to explain to people not what to do but why. If you go into a store and you see a video camera directly over your head, you may think you're being spied on, up until the day somebody comes to the store that wants to rob you. Now that impediment has just become a safety protection. I think education is an ongoing process, because even for the IT side, the threat vector always changes. Anti-virus isn't as much an issue now as spyware is. Who knows; in another year it may be everyone's little smart telephones.

ST&D: Your intranet tips and tricks page: is it regularly visited?

It's regularly visited by a specific group, and there are some things that we do to play a little psychology. For instance, we put up a general-purpose terminal server. We didn't announce it with instructions about how to use it. It has great benefit, but for this one, we leaked it to a couple of people on the inside and said, "You know what? We're not going to give you a VPN connection because of security. But why don't you try this thing instead?" And somebody comes into the office the next day and tells the person next to them, "You know what? I used this terminal server and it was great!" And all of a sudden we've got a lot of people wanting to know how to get on the terminal server, and we put the instructions on the tips and tricks page. We don't make them use it; we kind of put the availability out there.

ST&D: You're responsible for protecting your company's and employees' information and the information of your customers online, correct?

If it's data, it falls under our role, regardless of the source. That's one of the things that complicates the issue. Because it comes in from each retail location there are a number of different sources there, as well as franchises, as well as the Web and call center. So instead of having data from one spot that's easy to guard, there are a large number of locations with a variety of topological connections.

ST&D: What are some of your recent security technology purchases, and why did you choose them?

We have installed the TopLayer IPS 5500 intrusion prevention device. We didn't have intrusion prevention or detection in place. The funding became available with the CISP, the cardholder information security program, which is now known as PCI. Part of the compliance plan stipulates an IDS. And an intrusion detection program is little more than something that tells you, "Hey, you just got bit." Well, it may also tell you all during the day, "You could have got bit, you could have got bit, you could have got bit." So there's an issue with false positives as well.

There are a couple of options available in the IDS world, some of which are open source, so very low cost, but you'd use them on general desktop OS or server type hardware. Depending on throughput capabilities, one of the concerns was not having a device that would cause our own denial of service. We didn't want to choke. Again, security could affect performance; that's an ongoing theme.

The device we use chugs along at about a 2-3% CPU utilization. We've never seen it go higher than 6%. And we actually have it in front of our firewall, so it's catching some of the things that were taxing our firewall in the past. The other benefit is on the outbound side: one of the additional capabilities of the IPS 5500 is a pseudo spyware blocker. So it may not prevent someone from downloading a spyware component from a malicious Web site, but most spyware components like that download the stub, then they activate and they try to talk to the mothership to get the malicious payload. The IPS 5500 maintains a table of known malicious motherships, so even if they get the stub of the spyware they don't get the payload.

ST&D: Are there other new security solutions you've implemented within the past year?

We've used a DSL VPN connection, so we have a certain secure connection from the retail store back to us. We also encrypt our data before it goes to the VPN. So there are firewalls in place at each DSL location. It's no longer just a software firewall, but there is a hardware firewall out there. We've noticed there are some malicious Web sites that will attempt to turn off firewall services for software firewalls, so we wanted to avoid that by a hardware firewall.

Also, we're pretty big into an anti-spam solution. And some of the spam also carries spyware with it, so it does add to the security. Over the last 12 months this spam solution has quarantined over 1.6 million messages as spam. So even beyond security there's a productivity issue there too.

We've gone through some other things along with the PCI/CISP compliance, including record-level encryption, data aging. So even though we get customer info out in a retail store, there's really no reason for it to stay there for a long time. So it might reach back to the data store here, which has got more protection than the retail store. So there's a minimal risk of exposure at the store for a smaller amount (of data). I'd hate for even one customer's information to be breached, but that would be more palatable than having 5,000 or 10,000, like has happened to other companies.

We were actually proactive on this. Several years ago we had wireless point of sale in place. And some of those wireless POS were using the old 900MHz, which really had very little security. And we took that out and replaced it with hardwired ethernet. So that's part of the overall scheme. We pretty much don't use wireless anywhere within the enterprise at this moment.

ST&D: During big holiday seasons (Christmas, Easter, Thanksgiving) you might drive by a Honeybaked Ham store and see people lined up through the parking lot, with the cash register moved out to the sidewalk to allow more people in the shop. Is this a common practice for your stores, and what special security considerations go along with it?

There are a handful that do that, and that's one of the bigger reasons not to have wireless. Store managers hate me for that; they call me the Network Nazi. But if you put a wireless device in the parking lot, you make it easy for somebody with a laptop and a Pringles can (to tap in).

The actual POS software is our software; we wrote it. We couldn't find anyone else's POS software that really met our needs for our business model. The data that's written is encrypted, and (the register) equipment should never be left unattended out there, so it's not like somebody can just grab it and walk away or plug into the network to see what else is there. Each device that's out there has a statically assigned IP address. There is no DHCP out there, so as an example, if we have a point of sale with an IP address of 192.168.12.123, if you plug in a device with 124, it will not be recognized as a valid IP, so he doesn't get to play on the network. So there are some little obfuscations that we do. Each IP is meaningful to the system.

ST&D: Honeybaked runs both retail stores and franchises. What security challenges come along with this setup?

Well, the franchises are in the process of converting from older, standalone POS systems to our integrated system, so at the end-of-day checkout, all the data is aggregated up at corporate, where it's protected by controlled access. Part of the issue, though, is that when you have a franchisee, they're not an employee. But they have to understand what's going on with the data. To date there hasn't been a problem; it's just a matter of making sure the franchise agreement is clear, so if they want to bank on our brand name, there are certain things they have to do to live up to that, both on the security and the business side.

ST&D: When do you expect the transition to the integrated system will be completed?

It's an optional choice on their part. We'd like to see it by the end of the year. We had a significant number already prior to this Thanksgiving and Christmas holiday. Our POS software is so much more beneficial to their business planning. Basically, you let them come see it, and they want to know how quick they can get it.

ST&D: How much increased traffic do you get during the holidays?

We probably do more than 60% of our business in eight weeks out of the year, and we probably do 60% of that in probably two days. We have stores in the off season that may have seven to 10 employees, that during the peak season have seasonal temps up to 150. That's one of the reasons why the general market POS really didn't meet our needs.

There's a small number of people that actually run the cash registers, and even in the stores that don't go out to the sidewalk, we'll move the registers from the product counter out to a lobby so we can run the customers quickly through a line. This year we had a 10- or 15-minute guarantee. Part of the reason we were able to offer that is that now we've implemented our own IP credit authorization, so hopefully your credit card gets authorized in about four seconds instead of 15 to 30.

ST&D: Do you work with physical security to enable an enterprise-wide security approach?

There is a loss prevention officer, and he works alongside IT (on issues like) barcode scanning and gift certificates. Abuse of the gift certificate process changed the way we worked that. It used to be we'd get a case of gift certificates printed up and each store would have a case, and you'd sell them and note what the serial number was. Say you have one dishonest person out of 20,000, somebody who grabs a handful of gift certificates; now you've got an issue. Instead, the developers on our site have worked out a system where we do MICR printing. We actually print the gift certificate on demand. So there's a lot more control in place there.

In addition, as far as physical security is concerned, we used to have video like a bank's 24-hour VCR for security. That's now been augmented by digital video that runs from two or three regular cameras and one quad camera. So physical security of our staff is important to us. Every retail store has a digital video system. We can go across the network and retrieve those individual video files.

ST&D: How long has this been the case?

That project started over three years ago.

ST&D: Were you concerned about network video initially as far as bandwidth?

The reality is [that] it's not streaming video. We have digital video cameras with direct cable feed to the video server, and the server has digital storage on it. So we're not streaming it all the time to corporate, but we can spot-connect to any camera at any time to view the status, or we can map to the storage drive and pull down chunks of video from any camera at any time, for loss prevention or maybe a police report.

ST&D: Do you work with physical security in other areas, such as asset tracking?

Because (the food products) are barcoded, they actually go through the POS. As hams are produced in the back, they are weighed and barcoded and everything is accounted for. So the POS system is more than a POS, it's a supply chain and a replenishment system. It's actually quite a powerful system, which is why franchisees are starting to want to share in it as well.