IT security: Something's gotta give

By Jon Oltsik, Special to ZDNet
11 February 2004 10:55 AM
Tags: virus, mydoom, anti-virus, security, problem

2004 is just over a month old, but it's already been an eventful year for information security, with the MyDoom worm carving its name into the annals as the most malicious code cocktail ever.

MyDoom demonstrated that with a bit of social engineering, users will always be duped into opening attachments. Once in progress, MyDoom launched an avalanche of e-mails clogging networks and servers while interrupting business productivity. It then launched denial-of-service attacks on SCO and Microsoft. And as if this wasn't enough, it opened backdoors creating a global army of zombies poised to relay spam or launch the next denial-of-service onslaught.

Obviously, MyDoom almost guarantees another big quarter for security vendors. Manic executives who couldn't send or receive e-mail for a few days are bound to read the riot act to IT and security types to fix the problem. IT managers in turn will purchase a new round of security piece parts to plug the holes and proudly proclaim, "Mission accomplished." (Of course, they can't anticipate future problems so they'll probably have to repeat this fire drill again and again.)

Do you see the cycle here? Problem defined, point solution implemented, problem addressed, new problem arises, and so on. This last 13-word sentence sums up the entire state of information security.

Why is this so? The authors of various Internet protocols and software systems didn't design their stuff with security in mind. This wasn't a big deal when the Internet was the exclusive playground of academic and military types, but add a few hundred million users and the lack of systemic security became a real problem.

In reaction, security "bolt on" technologies became a necessity. Today enterprise companies have a complex array of firewalls, Intrusion Detection Systems, gateway appliances and antivirus software for protection. Yet they keep getting hit with additional security problems. This model is clearly unsustainable and something has to change.

Let's start with the boardroom. After so many unfulfilled technology promises, jaded executives want to understand the return on investment from every dollar spent on information technology. Since security returns are hard, if not impossible, to quantify, many initiatives go unfunded and companies remain unprotected.

Note to C-level folks, wake up! You all want to utilise technology to drive new revenue, increase productivity and lower costs. New systems may deliver the desired business results, but if they are connecting over the Net you are driving through one rough neighborhood along the way. In our Internet-connected world, security is a cost of doing business -- a necessary evil -- period. If you hold back on security dollars you are foolishly rolling the dice with your company -- and your career.

This is not to suggest that CEOs write blank checks. Security budgets and efforts must be commensurate with business risk and value. This means that IT must abandon the security box mentality, examine the fundamental security of mission-critical applications and business processes, and come up with a reasonable budget for protection.

Start with the most important and basic security analysis; namely, what are the potential threats, and what would the business impact be if this system were attacked? This will help prioritise where to start. Next, dig into the security risk profile. Who should have access to critical systems? Do they connect over the Internet? What are the trust relationships between systems and applications? How should systems behave?

Once IT develops a security plan that protects business-critical assets in a comprehensive fashion, it will be far easier to understand the risks of inaction and the costs of an adequate security system. When everyone agrees on priorities, metrics and budgets move ahead quickly, as there is no time to waste.

This may sound alarmist, but MyDoom is the latest evidence that strong information security is a new business reality. CEOs must demand and fund these efforts, while IT must design and operate a security system. As innovations such as wireless, nanotechnology and IPv6 expand IT's potential and reach, security efforts will only get more complex and expensive.

There's also a bottom-line tally to contemplate. Companies that manage their information security efforts sooner, rather than later, will lower their risks. Those that delay or otherwise avoid the issue will suffer through endless cycles of business disruptions, stock price slides and inevitable lawsuits.

Biography
Jon Oltsik is a senior analyst at the Enterprise Strategy Group.
