Tuesday, December 15, 2009

Security - a Road Filled with Obstacles!

Author: Donna Johnson Edwards

Source: articleage.com



This week I'm an entirely different kind of road warrior. Usually I'm the type that lugs my laptop from city to city telecommuting my way across the nation. This month I've had a few weeks in the office - my real office in downtown Richmond, not my virtual office. The complaint I have is the treacherous commute from the West End into the city via I-64 West and I-195 South. The roads are atrocious! One day recently I thought my entire tire would be swallowed by a pothole - let me rephrase that - a pot crater!
I've been so distracted by trying to avoid the gaping holes in the road I forgot to be a good defensive driver - keeping alert to what other cars around me are doing. In the few decades that I have been driving, I've become quite adept at avoiding road obstacles the likes of branches, traffic cones, the occasional lost shoe and most important - road kill. However, the vast quantity of craters lately has made it impossible to navigate the roads without falling into a few holes during my daily commute. I haven't even been able to enjoy my new 100% Funk CD because of the irritating and damaging potholes.
Last weekend, I made the trek to my mother's house and finally hit a nice patch of road (Route 17) and was able to let my mind wander a bit while humming along to War's "Low Rider." It occurred to me that maintaining a highway system is a lot like running an IT department. Seriously, think about it - what do they call roads and bridges - infrastructure. What are our computer systems running on - the infrastructure. I'm like a little IP packet on the network! Do you see what direction I'm headed (pun intended)?
Much like a highway, our IT systems need constant care to allow optimum efficiency for our users. Ah ha! - Potholes are bad and must be patched. Think of security patches as the asphalt used to fill potholes! Just think if we never patched our roads - it would be a nightmare; our vehicles (and lives) would be in constant jeopardy. The health of our IT systems is likewise in jeopardy when we fail to provide appropriate care.
There are more similarities, for example, capacity planning, ensuring quality materials are used, evaluating vendors, establishing service level agreements, and so forth. In fact, I listened to the remainder of my new CD on that part of the ride just thinking of the parallels. It is important to focus on some of the basics of security planning and practices to keep our systems safe, secure and optimized.
The Computer Security Institute (CSI) released its annual Computer Crime and Security Survey recently. The results of that report and others have prompted me to focus on some security basics this week. Of nearly 500 IT and security managers surveyed, 53% have experienced an attack within the past 12 months. The cost of such security breaches was estimated at $141 million. The number one type of attack was denial-of-service (DoS), accounting for about 18% of the total cost of these invasions.
Another study, conducted by Deloitte & Touche, indicated that 83% of financial services companies acknowledge an outside break-in within the past year. OUCH! About 40% of the companies polled indicated they had suffered financial losses due to the attacks. Ironically, more than 25% of the firms said that their security budgets had stayed flat over the past 12 months and nearly 10% actually had their budgets cut!
On top of that swell news, the General Accounting Office reported that the Federal Deposit Insurance Corporation's (FDIC) IT systems place critical financial information at risk of unauthorized disclosure, disruption of operations and loss of assets. Maybe Grandma knew what she was doing when she stuffed her money in the cookie jar; at least if some was missing from it, she could narrow the culprits down to family members.
Let's face it, cyberpredators are part of life and we must be diligent in our efforts to fight them! Many experts agree that most home computer users as well as small and medium businesses (SMB) are typically not proactively addressing security issues. The experts have outlined the basics of addressing security risks as follows:
Develop a risk management plan for IT assets. There should be a process in place for the identification, analysis, control and communication of risks. Managing risk is critical to the success of any business. A plan will allow for proper allocation of staff and financial resources to address issues.
In some organizations, such as financial institutions, health care organizations, etc., regulatory compliance issues must top the worry list. In your business there may be other high-risk areas, such as remote access for mobile workers, electronic transactions, retention of data and the like.
Document your infrastructure - map it out in a graphics package such as Microsoft® Visio®. Then imagine a series of ever-expanding circles around your critical data stores. Each of the circles will represent a layer of technology and risk. Remember that attacks can, and do, come from both inside the infrastructure and externally.
Starting with some of the basics, ask yourself if you are keeping track of users on your network(s). Are you auditing to ensure that unneeded accounts are promptly removed? Have you checked lately to determine if some staff members have been granted authorities they shouldn't have? If you have found anomalies, have these been properly addressed? Have password policies been followed properly?
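As an added example (not part of the original article), the account questions above can be turned into a repeatable check that compares a directory export against the current staff roster. The account records, roster, group names and the 90- and 180-day thresholds are constructed assumptions, not data from any real system.

```python
from datetime import date, timedelta

# Constructed sample data (assumed for illustration): a directory export,
# the HR list of current staff, and the admins management has approved.
ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "last_login": date(2009, 12, 10),
     "pw_changed": date(2009, 11, 1), "groups": {"staff", "domain-admins"}},
    {"user": "mlee", "enabled": True, "last_login": date(2009, 6, 2),
     "pw_changed": date(2009, 5, 20), "groups": {"staff"}},
    {"user": "tbrown", "enabled": True, "last_login": date(2009, 12, 14),
     "pw_changed": date(2009, 12, 1), "groups": {"staff", "domain-admins"}},
    {"user": "contractor7", "enabled": True, "last_login": date(2009, 12, 1),
     "pw_changed": date(2009, 3, 15), "groups": {"staff"}},
    {"user": "oldtemp", "enabled": False, "last_login": date(2008, 1, 5),
     "pw_changed": date(2008, 1, 1), "groups": {"staff"}},
]
ACTIVE_STAFF = {"jsmith", "mlee", "tbrown"}
APPROVED_ADMINS = {"jsmith"}
PRIVILEGED_GROUPS = {"domain-admins"}
TODAY = date(2009, 12, 15)  # fixed so the result is reproducible


def audit_accounts(accounts, active_staff, approved_admins, today,
                   stale_days=90, max_pw_age_days=180):
    """Return {user: [findings]} for enabled accounts that need review.

    The 90- and 180-day thresholds are assumptions; use your own policy.
    """
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot log in; skip them
        issues = []
        if acct["user"] not in active_staff:
            issues.append("orphaned: not on the active staff roster")
        if today - acct["last_login"] > timedelta(days=stale_days):
            issues.append("stale: no recent login")
        if acct["groups"] & PRIVILEGED_GROUPS and acct["user"] not in approved_admins:
            issues.append("unapproved privileged group membership")
        if today - acct["pw_changed"] > timedelta(days=max_pw_age_days):
            issues.append("password older than policy allows")
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in sorted(audit_accounts(
            ACCOUNTS, ACTIVE_STAFF, APPROVED_ADMINS, TODAY).items()):
        print(user, "->", "; ".join(issues))
```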
Are you checking for rogue applications on the network? Instant messaging and peer-to-peer applications are the kiss of death! Do you have remote users on the network? How do these users access the network and from where - a home computer can be the open door for hackers to help themselves to your data.
Invest in a perimeter firewall; consider one that includes antivirus and antispam features. Don't forget about e-mail content filtering - we don't want rogue executables and other inappropriate material entering our systems from attachments in user e-mail. Consider using an expert to install and set up the device or software, as they can be tricky even for an experienced network administrator to configure.
Make sure that mobile devices are configured with desktop firewalls and antivirus software. Think about all the places you plug in your own laptop; your perimeter devices will not stop any malicious code that enters the infrastructure from the office front door!
Consider software that will automatically look for vendor updates upon connection to the Internet or on a regular basis to keep pattern files fresh.
Moving in closer to your data, take a look at operating systems. Have you applied all of the recommended patches to servers, desktops and applications? Remember the MSBlast worm? The vulnerability it exploited had been known for nearly a month before it infected at least 8 million machines! The Slammer worm infected tens of thousands of systems in less than ten minutes! Proactive patch management is essential, and, folks, it really must be automated in your environment to make deployment fast and economical. Before deploying mobile PCs to staff, configure them to perform automated updates with OS, firewall and antivirus vendors.
While this list is quite obviously not all-encompassing, following it will be a good start on the road to developing a risk-management approach to security. Set your baseline, identify your vulnerabilities, prioritize the risks, establish written controls and set repeatable, widely understood, broadly distributed policies and procedures for all users to follow. Once this phase is complete, it is essential to comprehensively test and audit the processes regularly to ensure continued success.
Let's see - what might I share with the Virginia Department of Transportation to help them mitigate risk on our roadways? Since I've been reading about an ongoing problem VDOT has with office cyberslackers, I would say "reassign that office staff to pothole patrol! This will keep them from idling away business hours and make our roads safer to traverse." Be safe out there!
Donna Johnson Edwards is the Director of Consulting for Tenax, Inc. Established in the U.S. in 2002, Tenax provides IT compliance certifications, training and targeted consulting services. For further information on security software management please visit the Tenax Corporation website.