Complex networks
Network security experts say that while some technologies are more prone to security breaches than others, the sheer complexity of modern enterprise networking is the greatest weakness for most companies.
I-managers responsible for evaluating new technologies have to understand how those technologies interact with existing setups, and make sure adequate resources are applied to maintaining high-touch systems. Individually, almost any communications service could be perceived as a security risk.
Private lines are staples of many enterprises, but new network vulnerabilities are leading I-managers to question whether they can afford to live with known security flaws in this immensely popular technology.
"AT&T has been hacked before," said Chris Calabrese, an Internet security analyst of a major health care company. "If you are going to use private lines, you have to understand you are relying on AT&T security, and you have to put it in all your contracts."
Most technologies that land on security experts' black list are new. They end up there for a simple reason: Not enough is known about their security flaws. They include network-based virtual private networks (VPNs), Multiprotocol Label Switching and Internet Protocol Security alike, and are mistrusted because customer traffic travels unencrypted from the origination point to the carrier's network.
Domain Name System servers and Border Gateway Protocol routers fall into that category because too few are patched properly against vulnerabilities. And fears persist over most Web-based technology that is open to viruses and worms--which covers almost any Internet technology.
Steve Bellovin, an AT&T Labs Research security scientist, pointed out that the technologies with the most vulnerabilities are the most popular ones--Web servers, Web browsers and mailers. But most of the problems that arise with those come from lack of maintenance; patches were available to prevent most recent virus outbreaks, including Code Red, he said.
I-managers should start to face the realities that, even with firewalls in place, most people are likely to sacrifice security for convenience, Bellovin said. A case in point was the Internet Engineering Task Force's recent infiltration by a virus that got in through an unsecured laptop used to dial in to the IETF network.
Should companies ban laptops from connecting to their local area networks? Experts said no. But security managers should spend more money and get firewalls they can control remotely so that they can refuse access to certain applications. Bellovin said some of the worst vulnerabilities can be introduced when users allow their computers to operate as servers for certain applications, a common practice with popular peer-to-peer file sharing setups.
Another reality of today's security situation is that most Web servers are vulnerable because most of their holes can't be patched--at least, not all at once.
"Web servers are very dangerous," Bellovin said. "I basically view those as sacrificial machines."
Whatever you do in your networks, he said, don't make a Web server a front end to your database, especially if valuable information such as credit card numbers is stored there. Put that database on a separate server, build a firewall in between and restrict the language spoken between the two machines. The main objective here is to ensure that the Web server can't retrieve the entire database in one data dump.
Information system security is indeed a management responsibility BUT it also a responsibility of the vendors of the associated hardware, software and network systems themselves. AND this area was totally missing from the ZDNET analysis. You buy a car - you expect it to follow the appropriate Australian standards for car safety and quality. The problem today is that commodity systems, e.g. Windows 2000 / XP which have not even achieved a lowest level of trust analysis ( i.e. the old "C2" level of evaluation) are being used in mission critical server/hosts/workstations. It is time the IT industry was held responsible itself - profesisonals need to work with trusted systems that have been assessed according to security standards - and we have one - an international one - ISO 15408 - for system trust. None of this gets any mention in your analysis. Strange ! After all - there is no point blaming a driver for not stopping the car if it has no brakes ! By today, for example, mandatory / role based access control, segmented memory protection and the like should have been standard - they are not. There is the problem. Untrusted, commodity, consumer systems being used in government, business systems and networks for which they are ill suited. Even Steve Balmer of Microsoft was reported in June in the UK as commenting that his company could have done a better job in the security area ! Multiply that by a nation - and we have the potential for cyber disaster.
Bill Caelli
Information Security Research Centre
Queensland University of Technology