Corporate security gets urgent

Verifying identities


While security consultants are fielding calls from new customers, they are also getting more inquiries from existing customers about additional security. Most of those involve authentication, the practice of ensuring that individuals who log onto the network are who they say they are.

"One thing we do see now is the request for more biometrics, and customers asking how an organization implements biometrics," said Marlina Yee-Hales, a product manager of Novell. "Companies have been talking to our consulting business asking how we can help them." Software from security provider Safewww places a digital signature on the computer so if someone steals or guesses a password, they also must be sitting at that user's machine.

While a number of new technologies can help shelter companies from cyberattacks, many security experts feel recent events simply placed more attention on what businesses should have been doing all along: getting serious about security.

"It's not so much about the latest and greatest technology, it's more of a focus on the fundamentals of security," said Ed Skoudis, vice president of security strategy of Predictive Systems, a security consulting business in New York. Skoudis is also the author of Counter Hack: A Step-by-Step Guide to Computer Attacks and Defenses.

Skoudis said most of the inquiries he's getting from I-managers now are about shoring up security policy. Most also want to tighten disaster recovery plans so an event doesn't wipe out security perimeters.

Setting up intrusion detection and response practices, establishing mandatory security settings for all servers and software that reside on their networks, and going through those networks to make sure those settings are in place are also getting top priority.

Said Skoudis: "The fact people are returning to the basics to make their systems more secure--that's a good thing."

Senior Writers Robert Bryce, Nancy Gohring, Brian Ploskina, Bill Scanlon and Max Smetannikov, and Matrix Editor Todd Spangler contributed to this report.


Talkback 1 comments

    Information system security is ...Professor William J Caelli -- 03/11/01

    Information system security is indeed a management responsibility BUT it is also a responsibility of the vendors of the associated hardware, software and network systems themselves. AND this area was totally missing from the ZDNET analysis. You buy a car - you expect it to follow the appropriate Australian standards for car safety and quality. The problem today is that commodity systems, e.g. Windows 2000 / XP which have not even achieved a lowest level of trust analysis (i.e. the old "C2" level of evaluation) are being used in mission critical server/hosts/workstations. It is time the IT industry was held responsible itself - professionals need to work with trusted systems that have been assessed according to security standards - and we have one - an international one - ISO 15408 - for system trust. None of this gets any mention in your analysis. Strange! After all - there is no point blaming a driver for not stopping the car if it has no brakes! By today, for example, mandatory / role based access control, segmented memory protection and the like should have been standard - they are not. There is the problem. Untrusted, commodity, consumer systems being used in government, business systems and networks for which they are ill suited. Even Steve Ballmer of Microsoft was reported in June in the UK as commenting that his company could have done a better job in the security area! Multiply that by a nation - and we have the potential for cyber disaster.

    Bill Caelli
    Information Security Research Centre
    Queensland University of Technology
