This story was printed from ZDNet Australia.
The hacker challenge


April 15, 2003
URL: http://www.zdnet.com.au/news/security/soa/The-hacker-challenge/0,130061744,120273611,00.htm




Security systems continue to get more sophisticated--and so do the hackers who are seeking to break through them. How can you best combine your defences to protect your company networks? And will we ever reach the stage where hackers, rather than system administrators, will constantly be on the offensive?

Talking about IT security tends to bring out many people's inner four horsemen of the Apocalypse, or at least their lurking George Bush Jr. "It's an arms race," says Neil Campbell, national security practice manager for Dimension Data. "The bad guys are always innovating and coming up with new ways of circumventing security."

"Hackers and attacks are becoming more and more sophisticated everyday and will continually challenge in-place systems," says Paul Serrano, Asia Pacific senior director marketing for NetScreen. "Security systems must adapt and grow with them."

The near-ubiquity of the Internet has also dramatically changed the nature of the security challenge. "Security is being redefined to encompass continuous availability," says Rick Seeto, director enterprise data portfolio for Nortel Networks Asia Pacific. Indeed, the need to make segments of the corporate network available in the form of a Web server has been one of the most significant changes in the typical security setup over the past decade.

The opportunity to sell some extra technology into an otherwise cautious market certainly has vendors champing at the bit. IDC estimates that by 2006, the global market for IT security systems will be worth a staggering $38 billion--no mean feat in an industry generally considered to be in the throes of a major and prolonged downturn.

Unusually for the generally mature IT space, competition also remains fierce, with dozens of small companies competing for a slice of the pie via their own highly specialised products. "You don't have to be a huge vendor to get some mind share," points out Campbell. Indeed, the proliferation of vendors is such that for many IT managers, the trickiest decision is working out whether you need all the different options on offer. Do you need an IDS and an IPS? How many firewalls are too many?

One relatively undeveloped area is in physical security, although vendors are fond of pointing out that it represents one of the most obvious ongoing threats. "If you can get physical access to a machine, there is no security," says Callum Russell, solutions marketing manager IT infrastructure at Microsoft Australia.

"Some may say that the only secure computer is one that has its power cord removed and has been buried under six foot of dirt," says Daniel Zatz, security specialist at Computer Associates ANZ. "That isn't exactly true. It is possible to dig that computer up and plug the power back in, and then it isn't so secure."

While that's undoubtedly so, IT managers aren't being kept awake at night worrying about whether someone has dug up their old computers and plugged them in. The evidence suggests they're being kept awake worrying about who is going to hack into the ones they haven't buried yet. According to a survey of chief security officers (CSOs) conducted by IDC last year, 59 percent believe that electronic attacks represent the biggest potential threat to their company. Just eight percent expressed concerns over physical attacks to their systems, and a practically insignificant three percent were worried about electronic attacks that might have physical consequences.

Though the survey also revealed that nearly 50 percent of CSOs (a job specialisation that may well ultimately go the way of the late, unlamented chief knowledge officer) are concerned about the possibility of an electronic attack by terrorists, that concern doesn't seem to have spread into the general business community. No, it's busy worrying about the most visible threat: virus writers.

Feeling viral
A steady stream of publicity has ensured that antivirus software has become virtually ubiquitous for all computer users, even if they ignore every other potential security threat. The evidence suggests they are doing just that. In a survey of Australian businesses carried out by the Australian Bureau of Statistics, only 14 percent of businesses using a computer claimed to have no IT security measures in place. However, 80 percent of those businesses which did claim to have a security solution in place were running nothing apart from antivirus software. It seems the notions of fighting viruses and security have become equivalent in the minds of many businesses.

This is both interesting and disturbing, since most security observers agree that virus writers, however much inconvenience they can cause with a successful virus, are hardly typical of the major security threats faced by companies. Because of the relative ease with which viruses, especially macro viruses, can be constructed, virus creators are generally viewed as a distinct category from other hackers.

"Viruses are not a technological phenomenon, they are a social phenomenon," says Dave Perry, global director of education at corporate antivirus vendor Trend Micro. "What drives people to write viruses is the need for notoriety."

"Research into the motivations and backgrounds of virus writers has shown that the early virus writers were not evil incarnate, but rather adolescents who were basically just like the kids next door," notes Sarah Gordon, a psychologist who has spent much time investigating the virus writing community and who has been employed by companies such as Symantec for her professional expertise. "Initially, the virus writing and hacking communities were very much two separate groups. Hacking required a totally different set of skills and mindset from virus writing. Now, with the massive connectivity available, the two skills are having some crossover."

Continuing media hysteria, and the steady rise of viruses distributed via e-mail, has ensured that most people have antivirus software in place. Fairly straightforward online upgrades mean that most such systems stay relatively up-to-date. This is useful, since the virus community shows no sign of slowing down its activities. By 2010, Trend's Perry predicts that more than 10 million viruses will be in existence.

"Antivirus is like a game of cards in which the highest card wins," says Paul Ducklin, head of technology for antivirus vendor Sophos Asia Pacific. "But not only is there no limit to the number of turns in the game, there is also no highest card in the deck." In other words, no matter what tricks virus writers come up with, antivirus companies can generally work around them in fairly short order.

I'm on firewall
After antivirus software, the next most common security solution put in place is a firewall, which should (at least in theory) keep unwanted traffic out of your internal network. "From an awareness perspective, everybody knows they need a firewall," says Dimension Data's Campbell. Firewalls enjoyed a particular boost in popularity after the glut of denial-of-service (DoS) attacks in the late 1990s, which alerted many businesses to the potentially devastating effects of a surplus of unwanted malicious traffic. Basic firewall technology has even been built into recent versions of Windows, although serious corporate implementations tend to rely on more robust offerings from specialist vendors.

Indeed, one perspective is that a single firewall is not actually enough. "One layering approach is to use one vendor's firewall, followed by another," notes Campbell. "In practice, though, it can be quite difficult to maintain two different technologies."

The usefulness of firewalls becomes less clear as network boundaries blur. "Clients generally look at their perimeter first, although there is a growing push to move security infrastructure into the internal network," says Tim Smith, national business continuity manager for systems integrator Alphawest. "In a lot of cases, the bridge between the perimeter and the internal network is a little cloudy, with partner and employee access taking place behind the traditional perimeter network." The demand for remote access to internal systems poses a major challenge for firewall implementations, requiring a balance to be struck between convenience and security.

Notably, while firewalls are a useful line of defence, they don't provide much in the way of active intelligence about possible attackers. "Firewalls do a good job of blocking traffic, but not of thinking about what it is," says Joe Magee, chief security officer for Top Layer.

By their nature, both antivirus and firewall systems are also limited in their ability to fend off internal attacks, or attacks by hackers who have successfully cracked basic company passwords. "These technologies are only effective in dealing with unauthorised access activities," says CA's Zatz.

Looking for intruders
So how do you grow beyond the firewall? One approach that is growing in popularity is to use intrusion detection systems (IDSes) or intrusion prevention systems (IPSes) to more proactively deal with potential network threats. "We now know that even the best firewalls are vulnerable to attack," says Graham Dodson, product marketing manager for SecureNet. "To provide us with notification someone has broken through the firewall, an intrusion detection system should be implemented."

As the names suggest, IDSes monitor network activity and report suspicious activity, based on pattern matching for unusual behaviour. IPSes go a step further and attempt to stop the intrusive activity, either by disallowing the connection or by diverting the attacker into a honey pot (a server with low security but containing no vital data, which acts as a decoy) or onto a fake address. As with firewalls, both can be implemented as software-only solutions or (for more effective performance at a higher cost) as separate standalone devices.

Their dependence on pattern recognition makes IDSes and IPSes subject to some of the same criticisms as antivirus and firewall software. "Intrusion prevention systems look for suspicious behaviour or system anomalies rather than specific patterns or signatures, but the behaviours they look for are still based on broad techniques that have been used by hackers in the past," says Arthur Argyropoulos, CEO of managed security provider Zento. "While there is no question they can be more effective, if someone comes up with something totally new and never seen before rather than just a variation, these systems still won't recognise it."

Monitoring all network traffic can also take its toll on the general performance of the network. "One of the pitfalls in using an IDS is performance," says Top Layer's Magee. "IDSes are generally passive," concurs NetScreen's Serrano. "They identify but cannot stop an attack. In addition, they sit off to the side of the network and can only perform random scanning in order not to significantly impact traffic." Again, striking a balance between performance and protection will require you to set explicit policies.

Once the data from an IDS has been collected, you also have to try and make sense of it, especially if an attack appears to be taking place. "One of the main issues with security devices is the logging," says AlphaWest's Smith. "We get too much garbage hiding the real issues, making the job of detection very difficult."

Specialised packages, falling into the broad category of security information management (SIM), can be used to help make sense of the log data collected by IDSes and other tools. "Security devices generate some 20,000 different alerts," says Smith. "What a SIM tool will do is normalise that data and aggregate it into 10 separate entities. It will also aggregate all the security alerts across disparate systems so that security alerts from our firewalls, routers, IDS, event logs, and AV software are all collated in one point. This makes management and alerting a lot more proactive."
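To make Smith's description concrete, here is an added example (not code from the article or from any SIM vendor) of the two things a SIM tool does: parse alerts from several device types into one common schema, then aggregate them. The three log formats and every sample line are constructed for this example; they are not any real product's syntax.

```python
"""Added example, not from the article: a toy security information
management (SIM) pipeline.  Three devices emit alerts in three different
native formats (firewall, IDS, antivirus); every line is parsed into one
common schema, then counted per category and cross-referenced by address.
All sample lines are constructed for this example and the log formats are
invented, not any vendor's real syntax."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    source: str     # device that produced the alert
    category: str   # normalised category shared by all devices
    actor: str      # IP address the alert is about
    detail: str     # free-text remainder, kept for the analyst


# Constructed sample lines: three native formats from three device types.
SAMPLE_LINES = [
    "fw01 DENY TCP 203.0.113.7:51022 -> 192.0.2.10:1433",
    "fw01 DENY TCP 203.0.113.7:51023 -> 192.0.2.10:1433",
    "ids02 [1:2003:4] SQL probe  src=203.0.113.7 dst=192.0.2.10",
    "av03 VIRUS FOUND host=192.0.2.55 name=W32/Example action=quarantined",
    "fw01 DENY UDP 198.51.100.9:4000 -> 192.0.2.10:445",
    "ids02 [1:1000:1] Port scan  src=198.51.100.9 dst=192.0.2.10",
    "this line is noise the SIM should skip",
]

FW_RE = re.compile(r"^(?P<dev>\S+) (?P<action>DENY|ALLOW) (?P<proto>\S+) "
                   r"(?P<sip>[\d.]+):\d+ -> (?P<dip>[\d.]+):(?P<dport>\d+)$")
IDS_RE = re.compile(r"^(?P<dev>\S+) \[(?P<sid>[\d:]+)\] (?P<msg>.+?)\s+"
                    r"src=(?P<sip>[\d.]+) dst=(?P<dip>[\d.]+)$")
AV_RE = re.compile(r"^(?P<dev>\S+) VIRUS FOUND host=(?P<host>[\d.]+) "
                   r"name=(?P<name>\S+) action=(?P<action>\S+)$")


def parse_firewall(line):
    """Firewall format -> Event, or None if the line is not a firewall line."""
    m = FW_RE.match(line)
    if not m:
        return None
    category = "blocked_connection" if m["action"] == "DENY" else "allowed_connection"
    return Event(m["dev"], category, m["sip"], f"{m['proto']} to port {m['dport']}")


def parse_ids(line):
    """IDS format -> Event; scans and probes are folded into one 'recon' bucket."""
    m = IDS_RE.match(line)
    if not m:
        return None
    msg = m["msg"].strip()
    is_recon = "scan" in msg.lower() or "probe" in msg.lower()
    return Event(m["dev"], "recon" if is_recon else "intrusion_attempt", m["sip"], msg)


def parse_antivirus(line):
    """Antivirus format -> Event; the 'actor' here is the infected host."""
    m = AV_RE.match(line)
    if not m:
        return None
    return Event(m["dev"], "malware", m["host"], f"{m['name']} ({m['action']})")


PARSERS = (parse_firewall, parse_ids, parse_antivirus)


def normalise(lines):
    """Map every recognisable line onto the common Event schema; drop the rest."""
    events = []
    for line in lines:
        for parser in PARSERS:
            event = parser(line)
            if event is not None:
                events.append(event)
                break
    return events


def aggregate(events):
    """Collapse many vendor-specific messages into a handful of category counts."""
    return Counter(event.category for event in events)


def correlated_actors(events):
    """Addresses reported by more than one device: the cross-device view a SIM adds."""
    devices_by_actor = defaultdict(set)
    for event in events:
        devices_by_actor[event.actor].add(event.source)
    return {actor for actor, devices in devices_by_actor.items() if len(devices) > 1}


if __name__ == "__main__":
    events = normalise(SAMPLE_LINES)
    print(dict(aggregate(events)))          # category counts across all devices
    print(sorted(correlated_actors(events)))  # addresses seen by firewall and IDS
```

The point of the per-device parsers is that the analyst never reads the native formats again: once every alert is an `Event`, the same aggregation and correlation code serves firewalls, routers, IDS, event logs and AV alike, which is the "one point" Smith describes.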

SIM systems still don't seem to be enough for some observers. "Intrusion detection systems are a bit up in the air," says Campbell. "There is some disenchantment in the market with their benefits. It takes effort to understand IDS, tune it, and use it properly. I recommend caution [with IPSes] because any time you are automating responses that change traffic, you risk creating an unintentional denial of service." In other words, attempts to block what seems to be undesirable activity may have the side effect of blocking legitimate business tasks.

As with most security solutions, intrusion detection needs to be viewed in the correct perspective. "A lot of people thought intrusion detection would help us stop these attacks, but it's more like a video camera; it catches people in the act," says Magee. "Intrusion detection does have a role, but it doesn't completely reduce the risk."

Other, more specialised software is also now playing a role in company security planning. "Content management is something that people are taking more and more of an interest in," says Campbell. For instance, scanning e-mails for words such as "virus" may provide an additional means of detecting possible problems.

Security can enter some very unexpected areas in this way. As part of its broad security initiative, Microsoft is investing considerable effort in adding enhanced digital rights management (DRM) across its products, arguing that ensuring that content can only be viewed by appropriate individuals is just as much of a concern for corporations handling sensitive information as it is for movie studios.

Patching up
Above and beyond these individual point solutions, one constant theme emerges in discussions about IT security: the need to keep systems patched and up to date. "Ironically, one of the most effective ways of keeping your systems secure is still the simplest," says Zento's Argyropoulos. "Keep all your servers and network devices patched to the latest possible revisions."

In a world where the underlying operating systems used by all businesses consist of billions of lines of code, the requirement for better patch management is universally acknowledged. "Staying abreast of vulnerabilities and implementing a solution that automates and manages patch deployment is one of the simplest and most cost-effective methods to protect systems against hackers," says Eric Schultze, director of product research and development for security consulting firm Shavlik.

Of course, it's almost impossible to predict just when a patch is going to be needed in advance. "We have to find out there is a vulnerability," says Microsoft's Russell. "Until someone finds the exploit, we can't do much."

The inefficiency of patch management was made abundantly clear earlier this year, when the Slammer worm attacked numerous SQL Server installations worldwide, taking advantage of a vulnerability that Microsoft had identified and patched some months beforehand.

"There are a couple of ways to improve patch management," says Russell. "The first is to be more cognisant of how the patch is deployed." For instance, the first patch Microsoft released to deal with the vulnerability that Slammer exploited fixed the problem, but required significant manual intervention by administrators. After receiving numerous complaints, Microsoft issued a second patch which was much more automated. Unfortunately, it seems many managers never bothered to even seek out the first patch, let alone the second. Microsoft plans to incorporate more sophisticated patch management systems in future Windows server releases, building on the Windows Update technology included in recent versions.

OS enhancements or not, such dismissive attitudes may well change in the future, as IT managers face the wrath of higher-level executives. "We're seeing people more actively working to identify vulnerabilities," says Campbell. "Patch management is a key issue. A lot of the big worms are attacking old and known vulnerabilities. If you combine vulnerability management with patch management, that's a good approach."

One factor complicating any attempt at patch management is the huge number of systems involved. A company running a number of database and network servers, and with all the security elements discussed above deployed on top of that, faces a formidable management challenge in keeping all those systems up to date and working together.

As a result, demand for unified solutions is increasing rapidly. "We're finding an increasing awareness that a total solution is what solves the problem, not band-aid solutions for individual problems," says Russell.

It's widely recognised that security solutions must work in concert to be effective. "It is simply too easy for an intruder to get through a single line of defence," says Kim Valois, director of global information security services for CSC Australia. "No single defensive mechanism absolutely prevents a hack or attack."

Even vendors agree. "Rarely can a single product or vendor provide all possible aspects of security--there are far too many components, each changing very rapidly," says NetScreen's Serrano. "Using multiple layers is definitely more effective than just relying on a firewall," says Argyropoulos.

However, getting the different layers to work in conjunction is more difficult, and almost impossible to automate. "The only effective way to achieve any kind of correlation between these devices is through human intervention," says Argyropoulos.

The human element is likely to remain important for some time to come. "A good security system only works if a multi-layer approach underpinned by a robust set of security policies and procedures is implemented," says SecureNet's Dodson.

Can we stay ahead?

By its very nature, current security technology tends to be reactive rather than proactive. In part, this is because of inherent limitations in all security products. As the Defence Signals Directorate cheerfully points out on its Web site: "No product can be guaranteed to be 'hacker proof' or 'impenetrable'."

As well as technological limitations, there are also cultural factors to be considered. "Technology can only go so far--people always screw up," says Top Layer's Magee. "In the computer security field, technology can help. In fact, it can help a lot. But a little common sense goes an awful long way," says Sophos' Ducklin.

Few security industry observers believe that corporate networks will ever be able to be made truly hacker proof. "The way hackers are evolving and the technologies they have mean that we are always going to have to be constantly vigilant around security," says Russell.

Some do believe, however, that we may get closer to the goal of keeping all hackers out.

"Whilst you almost certainly can't build a hacker-proof system, there is no reason why you can't get very close--close enough for all practical purposes," says Ducklin.

"It could be argued that there will always be a cleverer person around the corner who could discover a 'back door', but it is possible to have an extremely high level of assurance in a properly configured and managed system," says Dodson. "IT security is more of a risk management issue than ever before and many organisations are treating this issue with the same diligence they treat other forms of risk management."

"There is a risk to doing business of any sort," says Smith. "No system can be completely fool-proof, however with the right risk-based approach, we can make our assets as secure as possible whilst still enabling the business to run."

Sadly, there is no ultimate solution. "You need to be as proactive as possible--but that may be just building in measures that protect against known problems," says Campbell. "If you're targeted with a new exploit, you're going to go down. You need to do everything you can do to protect against what's known, everything you can to respond to what's new, and pray for the rest."

Vulnerabilities abound

Because Web servers by definition must offer some level of public access, they are one of the most common sources of security problems. "No security system can be 100 percent effective and still allow a business to function normally," points out Arthur Argyropoulos, CEO of managed security provider Zento. "As long as you need a connection to the outside world, people will be able to break in."

That doesn't mean you can't fix some obvious problems, though. The following are the most common Web security vulnerabilities found in Australia, according to OWASP (Open Web Application Security Project):

1. Non-validated parameters
2. Broken access control
3. Broken account and session management
4. Cross-site scripting flaws
5. Buffer overflows
6. Command injection flaws
7. Error handling problems
8. Insecure use of cryptography
9. Remote administration flaws
10. Web server misconfiguration

Executive summary: securing your systems
Creating secure IT systems today requires adoption of numerous elements. Some of those which are found in networks of all sizes and description include:

  • Antivirus software. Although viruses tend to have nuisance value rather than specific malicious intent, they can still wreak havoc across your network. Make sure your software stays current.
  • Firewalls. Firewalls provide a basic mechanism for protecting your network from unwanted intruders and denial-of-service attacks--but most experts believe that they don't provide a sufficient level of protection on their own.
  • Intrusion detection and prevention systems. These use more sophisticated mechanisms to identify and stop unusual network behaviour. IDSes and IPSes are an effective complement to firewalls, but you need to be prepared to invest time analysing the data they produce if they're to be truly effective.
  • Patch management systems. Security software has little chance of protecting your systems if known vulnerabilities are not fixed as they occur. Ensure that patches are deployed regularly on all production systems.
  • While creating a hacker-proof system is virtually impossible, effectively deploying these different technologies in conjunction will protect your business from most obvious threats.




SQL Slammer--a security wake-up call
On a Saturday morning in late January, many system administrators woke up to mobile phones and pagers alerting them to serious network problems with their servers. A worm targeting SQL Servers had hit company and commercial data centres around the world. In the US, a national bank's ATM network was brought to its knees, and a major carrier's airline reservation systems were totally shut down. The worm directly affected only machines with SQL Server installed, but the traffic generated by the worm made it almost impossible for other servers on the Internet to continue communicating with one another.

The worm, dubbed "SQL Slammer", attacked via a vulnerability discovered six months ago in SQL Server 2000 software from Microsoft. Microsoft had released a patch in mid-2002, but hundreds of IT managers hadn't yet installed the patch.

This incident was similar to the Chinese worm event that took place a month before. In that case, Microsoft had also issued a security patch to protect Web servers using its IIS software six months in advance of the attacks. Given the increasing focus on Internet security, how could an attack like this have happened again?

Keep your guard up
One reason is that IT managers have been focused on securing Web servers and firewalls, and these SQL Server attacks weren't even on the radar screen. But in some cases, it's not even the IT managers who are to blame but the service providers that they use. Many of the systems affected by the worm weren't infected but were housed in data centres or co-location facilities that had other customers whose servers were infected. Because of the traffic generated by these infected servers, other machines couldn't get enough bandwidth to operate effectively.

SQL Server viruses typically infect machines with Internet connections using the standard 1433 port and default passwords. These worms use the default SQL Server system administrator account (sa) with an empty password to infect the system. The newly infected SQL Server then becomes an attacker, looking for other servers to infect.

Protecting the server is simple: just change the password on your sa account to a strong one and block access to your SQL server from the public Internet.
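The two mitigations in the paragraph above, a strong password on the built-in sa login and no reachability of port 1433 from the public Internet, can be audited offline. The following is an added example, not code from the article or from Microsoft: it evaluates a simple constructed firewall rule list (a weak one beside a hardened one) against a few probe addresses, and applies an assumed password policy to the sa login. The rule format, both rule sets, the probe addresses and the password thresholds are all assumptions made for this example.

```python
"""Added example, not from the article: an offline audit of the two
mitigations the sidebar recommends for SQL Server -- a non-trivial password
on the built-in 'sa' login, and no reachability of TCP port 1433 from the
public Internet.  The rule format, both rule sets and the probe addresses
are constructed for this example; the password policy thresholds are an
assumption, not a Microsoft requirement."""
import ipaddress

# Rule: (action, source network, destination port).  First match wins;
# anything that matches no rule is denied.
WEAK_RULES = [
    ("allow", "0.0.0.0/0", 1433),    # SQL Server reachable from anywhere
    ("allow", "0.0.0.0/0", 443),
]
HARDENED_RULES = [
    ("allow", "10.0.0.0/8", 1433),   # database port only from the internal LAN
    ("allow", "0.0.0.0/0", 443),     # public web front end stays reachable
    ("deny", "0.0.0.0/0", 1433),
]

# RFC 1918 space; anything outside it is treated as "the public Internet".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed probe sources: two documentation-range addresses standing in
# for Internet hosts, plus one internal address.
PROBES = ("203.0.113.7", "198.51.100.20", "10.2.3.4")
# Blank and default values of the kind the sidebar says the worms rely on.
TRIVIAL_PASSWORDS = {"", "sa", "password", "admin", "sql"}


def is_internal(ip):
    """True when the address falls inside RFC 1918 private space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def connection_allowed(rules, src_ip, dst_port):
    """First-match evaluation of the rule list; unmatched traffic is denied."""
    src = ipaddress.ip_address(src_ip)
    for action, net, port in rules:
        if src in ipaddress.ip_network(net) and port == dst_port:
            return action == "allow"
    return False


def public_exposure(rules, port=1433, probes=PROBES):
    """Public probe addresses from which `port` would be reachable."""
    return [ip for ip in probes
            if not is_internal(ip) and connection_allowed(rules, ip, port)]


def sa_password_acceptable(password, min_length=12):
    """Assumed policy: not a known default, at least 12 characters, and at
    least three of the four character classes (lower, upper, digit, symbol)."""
    if password.lower() in TRIVIAL_PASSWORDS or len(password) < min_length:
        return False
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    return sum(classes) >= 3


def audit(rules, sa_password):
    """Return a list of findings; an empty list means both mitigations are in place."""
    findings = []
    exposed = public_exposure(rules)
    if exposed:
        findings.append("port 1433 reachable from public sources: " + ", ".join(exposed))
    if not sa_password_acceptable(sa_password):
        findings.append("'sa' login has a blank, default or weak password")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_RULES, ""))
    print("hardened:", audit(HARDENED_RULES, "Tr0ub4dor&3xyz"))
```

Note that the hardened rule set still leaves port 443 open to everyone; the point of the sidebar's advice is not to close the public web front end but to stop the database port from being reachable from outside the internal network at all, so that a blank or guessable sa password is never exposed to an Internet-facing connection in the first place.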

Renewed vigilance
Security incidents like these should inspire you to have a sense of renewed vigilance in protecting your infrastructure. Take a hard look at SLAs signed with your data centre or co-location provider to make sure that your partners are doing everything they can to ensure uptime. You should revisit the following five security actions:

  1. Install the latest patches on your servers. Having the latest patches is especially important for servers that are directly connected to the Internet. Many IT managers won't install operating system or application server patches until they're able to do some testing first. Having worked with hundreds of customers who've spent thousands of hours testing these patches without any negative effects on their servers, I can confidently state that you stand a better chance of being infected with a virus than causing damage to your production machines by applying security patches.

  2. Don't allow anyone to install servers with simple passwords. Many breaches occur because developers want to test systems with minimum amounts of security and therefore put in accounts with administrative privileges and blank or simple passwords (like "password"). When the systems go into production, these immature security schemes get propagated to the final application. In fact, I participated in a public presentation recently where the presenter was showing his production system. When he logged into the machine across the Internet, one of the attendees noticed that he accessed his SQL Database using the sa user ID and no password. In the middle of his presentation, all of his data "magically" disappeared. The attendee had logged into the presenter's SQL Server using the wireless connection in the conference centre and had dropped all the tables from the database. Needless to say, it was quite embarrassing for the speaker and had a profoundly negative effect on the application's users.

  3. Protecting the servers inside your firewall is only half the battle. You need a regular maintenance program for your PCs, especially machines that leave the building, such as laptops and Palm and Pocket PC devices. (Although there have been no widespread reports of viruses borne by PDAs, I think it's only a matter of time before it happens.)

    The vast majority of corporate desktops use Microsoft Outlook or Outlook Express as an e-mail client, so it's only natural that virus authors choose to spread their venom using the features of these products against the users. If you're a corporate Outlook user, your IT staff needs an organised way to download and install the latest Outlook security patches from Microsoft. Microsoft provides the Windows Update service to allow individual machines to download the latest security and application patches directly. IT managers who don't want users downloading the patches directly have the option of installing a local copy of the Windows Update service and allowing users to get the patches from a local security server that includes the latest patches.

    Your IT staff should especially be concerned about laptops. When users take laptops out of the office and connect them to the Internet, they do so without any of the firewall, virus-screening, or other protections built into your corporate infrastructure. I recommend that you configure laptops that communicate remotely to come through a VPN in the corporate network whenever they use Internet resources, even though the laptop may not perform as quickly if you do so. Without this protection, it's relatively simple for a user to pick up a virus or worm on the laptop when connecting remotely and then spread it through your corporate network when they connect locally.

  4. Consider turning off all access to instant messaging (IM) clients or newsgroups. Many companies have removed IM access, though I think the potential benefit of using instant messaging and newsgroups outweighs the risk as long as you advise your users not to accept attachments from strangers in online chat systems and to avoid downloading files from public newsgroups. Vendor newsgroups are a different matter, however, since vendors do a good job of policing their own news servers and keeping dangerous files from being posted.

Security is a full-time job
Most companies want the benefits of giving their customers, employees, and partners 24x7 access to systems by using the Internet as their communications backbone.

But one of the things most often overlooked by the CIOs who want this capability is the responsibility of policing systems and connections on a 24x7 basis. If you expect your IT managers to invest the time required to keep your systems safe and connected, you must be willing to invest the money and other resources to help them do so.

Tim Landgrave, TechRepublic.


©2001 TechRepublic, Inc.


Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.