How big a security target are you?



Security spending has increased dramatically over the past couple of years in response to high-profile breaches like those affecting Microsoft, Yahoo!, and scores of other companies. But most companies still severely underinvest. Take a look at some of the new security threats, and what you should be doing to protect yourself.

Chances are you're one of the companies that have tried to justify the underinvestment to yourselves. You rationalise it: You're not a $100 million company. The Internet is so vast that the odds of someone targeting your company are minuscule. According to Chris Klaus, founder and chief technology officer of Internet Security Systems (ISS), that's exactly the kind of thinking that is bound to get you into trouble.

"The reality is that in many cases the way the attackers work is not based on exactly who you are," Klaus says. "They do a scan of the entire network, and if you've got a lot of vulnerabilities, you appear as a big target. So even if you're not a big company, if you are very vulnerable, you become a much bigger target."

The key is staying out of hackers' crosshairs. And to do that you need to know the key risks facing your business. We'll show you the top threats today, and the surprising ones you'll face tomorrow.

Common security issues
The most common security dangers generally come from outside your company. These include hackers that want to snoop around your network, vandalise your Web site, or even steal proprietary information. Ironically, as hacking tools get better, many hackers become less skilled (script kiddies they're called, because they simply run a script or follow a set of instructions that someone more tech-savvy wrote), but they are no less of a danger.

Identifying the security risks posed by outsiders is the easy part. Viruses, worms, Trojan horses, denial-of-service attacks, and buffer overflows are generally well-known schemes. But knowing exactly what you're up against is also part of the challenge. These popular threats have been responsible for the most successful and highest-profile computer crime cover stories of recent lore. The distributed denial-of-service attacks against Yahoo!, eBay, Amazon.com, and E*Trade, among others; the ILOVEYOU worm; and the penetration of Microsoft: none of these were based on insidious new technology. But that didn't prevent them from racking up huge damage: the Yankee Group estimates these highly publicised attacks will have an impact in excess of US$1.2 billion.

Managing the threat
Consider the most common security precaution taken by businesses: the firewall. It's software that sits at the perimeter of your network and provides access control. Whatever traffic is not explicitly permitted to pass through is denied entry.

And firewalls are pretty good at what they do. According to Greg Smith of firewall maker Check Point Software Technologies, "I think you have to assume that [the firewall] is 99 percent effective. It's considered the front line of defence for all companies and it's recognised that if I am going to be online, I absolutely must have a firewall."

But the widely publicised distributed denial-of-service attack launched against Yahoo! last year demonstrates that a firewall will not solve all the problems. The culprits simply flooded Yahoo!'s network with so many requests that it effectively shut the network down, firewall intact. And short of identifying the ISPs from which the attacks originated and blocking that traffic, there is almost nothing you can do to stop these assaults.

Firewalls also failed to stop the proliferation of the ILOVEYOU worm. That's because the worm entered networks as an e-mail attachment. Most firewalls are configured to allow e-mail and benign-looking attachments to reach their intended recipient. Your front line of defence isn't much good when potential dangers can easily disguise themselves as regular traffic (akin to a really good fake ID) and cruise right into the network.

Of course, security companies can quickly write and distribute fixes, but the worms can do a lot of damage in the meantime. In the scant few hours it took to develop a patch to defeat the ILOVEYOU bug, the amorous worm had copied and distributed itself to some 10 million computers. Experts disagree on the total damages, but estimates range from US$700 million to US$15 billion.

Another serious security issue is complacency. As Smith explains, "One of the problems is believing mistakenly that by simply installing a firewall they are protected. It's very dynamic. It's not something you take out of the box, install, then walk away from. There are always new types of attacks, new types of services, and new types of vulnerabilities."

The VPN issue
In fact, one of those new weak spots, the virtual private network (VPN), is a hot-button security issue for most companies these days. As more employees connect to their office networks from home, they expose the company to attack. A VPN lets companies use the Internet as a secure pathway into their existing network. It's a boon for far-flung offices and employees, but it's also a potential risk. If a VPN user has an always-on Internet connection like cable or DSL, it complicates things. His or her system is connected to the Internet and if it is unprotected (read: no firewall) it becomes an easy target.

For example, a hacker could plant a Trojan horse (a program that gets secretly installed) on that machine. Then the hacker could have his way not only with that computer but with your network as well. "He can connect to it," Check Point's Smith explains. "He can install software on it. He can rummage through the files and basically take over parts of the machine so that when you connect to the corporate network, he has wide open access into that whole network."

This is essentially what the Microsoft hacker did. He planted a Trojan horse (a fairly well-known and easily defeatable one at that) on an employee's computer and was able to infiltrate Microsoft's network.

Find the right solutions
In the face of these risks, what should you do? Start with a firewall. But don't stop there.

ISS' Klaus says, "The majority of hacking cases we see, I'd say that over 95 percent of the ones we investigate, the attacks stem from very well-known vulnerabilities that could have easily been prevented." The key to prevention is to identify and assess the threats to your computer systems and develop a security policy to address those threats and their consequences. If you don't have the time or resources to deal with these issues, consider hiring a security consultant.

Whatever you do, be realistic. Says Schneier, "People basically want to buy magic security dust. 'Sell me the thing that I can sprinkle on my network that will magically imbue it with the property of security.' It doesn't exist."

Getting outside help
Losing sleep wondering if your business really is secure? Bring in an expert to help put your mind at ease. Security consultants perform a variety of services including network analysis, risk assessment, policy development, and security installation, as well as testing and maintaining systems.

Think of hiring a security consultant as a form of insurance. Even moderately sized businesses should consider it. Bringing in a consultant is only a starting point, though, as many security companies are moving toward what's known as managed security. Basically you outsource all of your security needs, from installation of security systems to updates and even real-time monitoring. This solution is becoming increasingly popular among large corporations that would rather concentrate on their core business than worry about some hacker overseas.

The right security consultant depends on the size of your business. This could include a large systems integrator which has a division devoted to security. You can also go with a specialty outfit which purely focuses on security. Modest-size companies have many options too, typically smaller consultancies or independent consultants. The trick is to find the right fit.

When shopping for a consultant, ask the right questions.

  • What type of services does the company offer?
  • Are they tech gurus who are comfortable with hands-on work only, or can they also help you roll out a suitable security policy that takes more strategic expertise?
  • Do they have experience with your business's type of hardware and software?
  • Will they provide ongoing support or do they specialise in one-time setups?

The best way to find out is to ask for references from current and past customers; call them for a reality check.
