OPINION: Security is becoming one of the biggest concerns for the enterprise. So isn't it time we started doing something about it?
Sometimes the efforts made in the IT industry to improve network security seem about as effective as a Dutch boy trying to plug Niagara Falls with his pinky.
Why is it that Microsoft's latest and "most secure operating system yet" is still introducing new holes and flaws? Why, with the huge technological leaps in function and processing power, are our networks and PCs more vulnerable than ever before?
According to the US Computer Emergency Response Team (CERT) Coordination Center, the number of software bugs that could cause security problems rose 124 percent to 2437 in 2001. It has also been estimated that US companies spent roughly US$12.3 billion to clean up damage from computer viruses in 2001. Don't send me that bill this year, thanks.
Instant mess-aging
Obviously, the Internet is one big reason. To provide users with the convenience of being able to make the most out of Internet connectivity, software and networks end up being created with holes that hackers can take advantage of to, well, hack.
An excellent example of this can be seen in the growing concern over instant messaging (IM).
According to US research firm Jupiter Media Metrix, IM use has more than doubled over the past two years. Their study shows that in September 1999, IM took up 2.3 billion user minutes for the month. That figure jumped to 4.9 billion user minutes in September 2001. (I only used it for five or so minutes that month . . . I swear!)
This is extremely significant because IM opens up a huge number of potential security and legal problems for corporate users. In a recent ZDNet story it was reported that "IM traffic can open up port 80 [the port that handles most HTTP traffic] thousands to tens of thousands of times a day, which can significantly increase a company's exposure to security breaches."
The messages sent using Yahoo!, MSN, or AOL IM services are not generally scanned by companies for viruses or malicious programs. This means unscrupulous users are able to send attachments holding viruses, worms, and other malicious software with relatively little fear of those attachments being flagged by virus checkers.
IM security breaches are only beginning to make headlines, but the potential dangers have a lot of people worried.
According to Carey Nachenberg, chief architect at Symantec's security response team, "Imagine a day when all these people are on with broadband connections--they are always connected, their computers are always on, and a computer worm targeting a popular messaging system starts spreading. That would potentially ravage hundreds of millions of machines."
Hackers love slackers
The second big reason security staffers get very little sleep these days is pure laziness. It was true back when a young Richard Feynman "cracked" the safes of big-wig nuclear researchers in Los Alamos, simply because they had never changed the combination from the factory standard, and it is true now: people often just don't make the effort to take advantage of security measures that are just common sense.
"Even without any new security technologies, much better security would be possible today if technology producers, operators of critical systems, and users took appropriate steps," the US Computer Science and Telecommunications Board said in a report released four months after the events of Sept. 11.
Passwords, the most common method used to authenticate computer users, are really no better than the combinations on those Los Alamos safes, especially when so many people don't even follow the basic guidelines about selecting a password that is not your birthday or your spouse's name.
Smart cards and hardware keys are available now that, used together with a personal identification number or biometrics, are able to provide much better security for computer systems. But companies are still slow to implement these systems.
The problem isn't really a lack of research into security; it's a matter of taking a bit of time to see that we're making the best use of what we already have.
Brian Haverty is Editor-in-Chief of Technology & Business magazine. Reach him at brian.haverty@zdnet.com.au











