Keeping up to date with your security patches has got so out of control that vendors actually make patch management software. The more sophisticated solutions keep an inventory of devices on the network and their patch levels. If you have enough time you could probably do that job with a pen and paper and a copy of Microsoft's Windows Update Services (WUS) to handle patching the zillions of desktops you no doubt maintain, assuming of course that you run Windows on the desktop.
Patch management is vital. Whether you use a vendor solution or not, you should have a good patching process in place. It will protect you against the vast majority of attacks you're likely to encounter.
Antivirus software
Yes, you still need it. Preferably on your servers, your desktops, and your mail server to inspect incoming e-mail. Even the humble handheld is no longer safe (see sidebar on page 86). As with a firewall, there's really no excuse for not using antivirus software.
Authorised Execution
This is a really neat idea that's finally getting some traction. Instead of letting your users execute any e-mail attachment that hits their inbox, this software lets you restrict what can and can't be run on a given system.
Most, if not all, viruses and worms will load their own process into memory in order to infect the host system and propagate further. If you remove the user's ability to be tricked into executing an attachment, you're covering a remarkable number of threats. Let's face it, even if you have a "do not open executable attachments" policy and tell your users, at the end of the day they'll still open anything that promises a movie of dancing dogs or the latest picture of Paris Hilton with her kit off.
And, if you're a fascist network maintainer from hell you can have oodles of fun disabling the telemarketers' ability to run Solitaire. Hell, you could even set up a side business accepting bribes for games execution rights. Could be a nice little earner.
Honeypots and Honeynets
Honeypots are one technology for which the future doesn't look that bright. Many in the industry expect the systems to find themselves on death row some time before 2006.
Described by Greg Shipley, chief technology officer at security consultancy Neohapsis as the "security guy's pet rock", the general consensus is that honeypots and honeynets are useless.
As the name suggests, a honeypot is a vulnerable system that sort of waves about to the world at large saying "Hack me! Hack me!" Their use is two-fold: research and diversion.
The Honeynet Project (project.honeynet.org) is headed by security architect and former US Army tank commander Lance Spitzner. Along with his cohorts, Spitzner places vulnerable computers all over the Internet and allows malicious hackers to break in. By doing this, the Honeynet Project was able to study new types of attacks, and capture hacker toolkits for analysis.
The problem is, the bad guys out there hold on to their best tools like grim death. They are hardly likely to waste them on an anonymous, insecure system located nowhere interesting in particular. There was talk among vendors of using honeypots to act as a diversion to attackers. Once you've detected suspicious activity, divert them to an environment that looks like your production environment, but is in fact a virtualised duplicate. How cunning.
Unix security guru Rik Farrow doesn't place much stock in honeypots. They're "luxuries for the under-utilised security administrator," he says. "If you have budget for honeypots, and haven't done everything else, something is seriously wrong with your organisation's priorities," he adds.
Biometrics, tokens and smartcards
With passwords often dismissed as poor protection by security analyst houses, many companies are moving to extra layers of authentication. Biometrics, such as fingerprint scanners, smart cards encoded with encryption keys, one-time authentication codes, and authentication tokens are all showing promise.
One-time authentication codes can be generated at the authentication server and sent via SMS to the user, for example. This is already being used by banks in New Zealand to authenticate customers. Smart cards require the user to insert the card into a reader when they authenticate to the network -- if someone wants to access the network they need the card, not just information.
Security tokens rate pretty highly on the cool-o-meter. Usually carried as a keyring, the token's LCD readout changes regularly, providing the user with a pseudo-random code to be used in conjunction with their password.
Gluing it all together
Some vendors offer a wide range of security technologies that will seamlessly integrate. The problem is, it's unlikely the company's solutions will be best-of-breed in every single area.
Integration can also pose a risk. The guy who brags about having one console to control all of his security also brags about every hacker's prime target. It's a case-by-case basis; caution is urged.