Corporate security gets urgent

WANs pose ongoing risks


Enterprises getting their first professional audit are finding out that their WANs are particularly vulnerable to single points of attack.

When vital traffic leaves the LAN, it's in the public network for great distances, no longer controlled by the company. Encrypting the data and taking other measures to create a VPN help. But companies also should secure their physical networks by having two separate routes to the public network--routes that go to separate central offices and that don't merge at one carrier hotel, experts said.

"There is a fundamental lack of understanding out there when it comes to the gravity of security breaches," said David Schatsky, senior analyst and research director of Jupiter Media Metrix. Every day, firms are surprised by audits that find their redundant networks aren't as effective as they thought they were, he said.

Enterprises are turning in great numbers to the business assistance divisions of blue-chip companies such as AT&T and IBM for outsourcing of business recovery services, said John Lawler, an Infonetics Research analyst.

"The whole business continuation market is being relegated to the big boys," Lawler said.

In lower Manhattan, customers of AT&T Business Solutions were up and running in a couple of days following the Sept. 11 attacks because AT&T knew its networks so well. Many of those without business continuation contracts are still struggling.

Sending data to multiple storage centres and data centres will reduce the damage done by geographically isolated terrorist attacks. Data center companies like Digital Island and Exodus Communications own innocuous buildings that would not be obvious targets, but two centres are always better than one.

"People want to spread their risk a bit," Lawler said. "They're saying, 'Let's spread it over two facilities.'"

Many large organisations are reluctant to put sensitive applications in Internet data centres, because individual servers that belong to different customers are often not restricted from "talking" to each other. Some I-managers--Calabrese is one of them--have never warmed to Web hosting for that reason.

"This is a decision that the management made and I think this is a mistake," Calabrese said about his company's decision to outsource Web hosting to a service provider. "We can get seriously nailed on this one."

Talkback 1 comments

    Information system security is ...Professor William J Caelli -- 03/11/01

    Information system security is indeed a management responsibility BUT it is also a responsibility of the vendors of the associated hardware, software and network systems themselves. AND this area was totally missing from the ZDNET analysis. You buy a car - you expect it to follow the appropriate Australian standards for car safety and quality. The problem today is that commodity systems, e.g. Windows 2000 / XP which have not even achieved a lowest level of trust analysis (i.e. the old "C2" level of evaluation) are being used in mission critical server/hosts/workstations. It is time the IT industry was held responsible itself - professionals need to work with trusted systems that have been assessed according to security standards - and we have one - an international one - ISO 15408 - for system trust. None of this gets any mention in your analysis. Strange! After all - there is no point blaming a driver for not stopping the car if it has no brakes! By today, for example, mandatory / role based access control, segmented memory protection and the like should have been standard - they are not. There is the problem. Untrusted, commodity, consumer systems being used in government, business systems and networks for which they are ill suited. Even Steve Ballmer of Microsoft was reported in June in the UK as commenting that his company could have done a better job in the security area! Multiply that by a nation - and we have the potential for cyber disaster.

    Bill Caelli
    Information Security Research Centre
    Queensland University of Technology
