Make staff education a security priority

The IT world has been turned upside down in the past three years. When the Y2K terror died down, the economy tanked and chief technologists re-evaluated their priorities. To jockey for a place near the top of IT’s short list, software vendors and service providers took advantage of customers’ fear and insecurity, literally, to boost sales of everything from desktop anti-virus software to integrated security appliances. But don’t demonize security innovators — IT leaders are justifiably grateful to the vendors that helped cut their enterprise security burdens down to size, an effort that has seen rousing success.

The 2003 InfoWorld Security Survey of more than 500 IT executives and strategists found that almost half — 49 per cent — of reader respondents are very confident that the solutions they have in place are doing their job effectively. Some exposure is an inevitable cost of operation, but the frightening predictions of the past three to four years have not panned out — neither thrill-seeking hackers nor terrorists have inflicted significant damage on businesses and infrastructure. To the contrary, survey respondents report experiencing a small number of break-ins. Fifty-two per cent saw fewer than 100 attempts against their networks in the past year, and another majority — 63 per cent — said that fewer than 10 attacks breached their defences over the previous 12 months. Also, old myths about the role operating systems play in security have died out. The survey shows that OS vendors Microsoft Corp., IBM Corp., Sun Microsystems Inc., Red Hat Inc., and other Linux suppliers are trusted throughout the network, suggesting that IT has learned that security isn’t a feature of an operating system. The consensus of readers is that security is a combination of technology, policies, and education. It does not require major investment year after year.

Computer crime doesn’t pay

IT’s recent concentration on security certainly helped stem the tide of intrusions, but corporate technical staffs can’t take all the credit. Destructive hacking is quickly going out of style — the superheroes of the black-hat movement either have respectable jobs or are on their way to prison. The ones who are working are annoyed to be the local gunfighters, enduring time-wasting duels with would-be tough guys who want to take down a celebrity. Renowned cyber-criminal Kevin Mitnick got caught, did his time, and upon his release counselled youngsters that the rush from breaking and entering does not compensate for years spent in the can. Law enforcement now takes computer crime seriously, and agencies are loaded with stellar talent who will doggedly pursue and prosecute cyber-criminals. Perhaps most persuasive is that success as a black-hat hacker now earns far less respect than having your name on a successful open source software project; the latter will eventually score you a job, while the former is more likely to land you in jail than get you hired.

Also, security consulting, the lucrative position that was once assured by an impressive record of break-ins, has almost disappeared. Fifty-one per cent of respondents now report that their firms exclusively handle security internally, and only two per cent have their security operations fully outsourced; three per cent include outsourcing in their mixture of point solutions. Good business sense is winning over attempted shortcuts.

A key part of any security solution rests with employees, who, according to 79 per cent of survey respondents, underestimate the importance of adhering to their company’s security policy.

Employees create main gap

Because employees shape the need for services, they are responsible for making sure they use them properly; it’s time for users to finally start logging out from their workstations and attaching complex passwords to their sensitive accounts. Users, including management, must be informed of security requirements and be made to uphold them. However, policy is nothing without enforcement, and companies clearly lack sufficient staff to police their networks. When respondents were asked what they’d do with a larger security budget, the most fervent desire — with 43 per cent of respondents behind it — was to hire more security-related workers.

Each year, our security survey asks respondents to rank the top five security threats (for more on the challenges readers also face, see chart above). With 84 per cent of respondents complaining about them, viruses and worms again held onto the top spot in the hit parade — not because they do much damage, but because they are the most annoying. Unlike spot attacks that can be thwarted by changing a setting in an intrusion-response system, a virus, Trojan, or worm can make a mess of your whole network. Prepare for this with system management software, adaptive edge protection, and effective group policies. If a large number of clients is affected, you’ll be able to fix them and lock them down from one location. But some of IT’s worst nightmares are inflicted by people who have no intention to do harm; it’s no surprise that survey respondents’ top-rated internal threat is unintentional employee error. Confidential data tends to leak out by accident: Printouts are routed to the wrong printer (that’s a tough one to track down); users inadvertently save secret files on others’ hard drives or in shared folders; or someone might mistype one letter of an instant messaging address, sharing a whole paragraph about his boss’s affair with a reporter before realizing what he’s done.

It’s always wise to stay on the lookout for creeps and snoops outside and inside the company. As budget dollars start flowing into IT again, focus more on qualified security staff than on new hardware and software — those employees will use policies and education to reduce the number of unwitting security breaches. What seems obvious to wonks who understand security is not so plain to users, even the ones who are otherwise technically knowledgeable. And staff education has the fringe benefit of turning your entire workforce into an intrusion-detection system. Savvy staffers will help each other, and they’ll help IT pinpoint security problems before they get out of hand.

Wireless hacking plagues IT staff

Enterprise security is also being challenged by technically knowledgeable users, who tend to push new technology into their organizations more rapidly than a staid, traditional structure would permit. Technologies such as on-campus wireless networks, mobile connectivity, and broadband home-office access visit a unique set of problems on already-strained IT staff. It takes some effort to keep 802.11 wireless networks convenient, providing roaming and quick activation of new devices, while preventing external and internal misuse. Considering that 802.11 started crossing over from residential to business use within the past two years, it’s surprising that 58 per cent of respondents of the 2003 InfoWorld Security Survey already identify wireless networks as a challenge they’ll face over the next 12 months.

Wireless is a unique concern for several reasons. Lazy configuration by uninformed or overburdened administrators addresses the requirement for convenience, but it means anyone within radio range can log on. A wireless network even approaching secure status generates mountains of calls to the help desk because users can’t get connected, so the impatient ones with no hacking intentions will try to solve the problem themselves. Using publicly available software, a PC or PDA can automatically sniff out and attach to an open WLAN. Once security is activated, every client device has its own special and often arcane method of configuring 802.11 access, which often requires the attention of tech support. Because tech support was often one of the first victims of cutbacks, it’s now easier to open up the WLAN so that the same simple password lets everyone in.

WLANs need to be secured regardless of the inconvenience. Gaining popularity is one type of hacking called wardriving, which involves searching for open WLANs and sharing their locations — even if private — with others. Wardriving and warchalking (pavement marks pointing to WLANs) are generally not considered illicit, an attitude stemming from the fact that 802.11 signals are broadcast on the same unlicensed frequency band used for baby monitors and cordless phones.

Without considerable care invested in its design, a WLAN can be a major point of vulnerability for a network. The misplacement of an access point’s bridge to the wired network can permit wireless users — the ones you know and the ones you don’t — direct access to systems inside the firewall. When that access point goes on the air, every client device within range will alert its user to the presence of the new WLAN. It’s a nearly irresistible target even for honest users, so take the time to plan and test before you take your wireless network live.