Seeing as how e-mail servers across the planet were once again throttled last week by some mud-brained misanthrope’s idea of a giggle, I figured it might be a good time to discuss the viability of a dedicated security manager even in medium-size networks.
Before the bottom fell out of the IT market, pundits like me were touting security administrators and even chief security officers as positions ranking right up there with CIO and CTO. But in the mad rush to satisfy corporate bean counters after the Great Web Depression, many companies (my clients at least) eliminated dedicated security positions early on, opting instead to make security a part of core network administration. The trouble with that approach is that security is a multi-faceted problem requiring not only full-time attention, but often more than one discipline of expertise.
Consider the last few months: We had trouble from the record industry claiming bloody vengeance on any person or organization caught pilfering copyrighted songs via file-sharing applications like the annoyingly-spelled Kazaa; there was some industry buzz around SNMP (Simple Network Management Protocol) security vulnerabilities; Cisco reported a dangerous problem with its routers facing the Internet, requiring a quick code upgrade; Microsoft reported its usual half dozen or so "suddenly discovered" Windows 2000 and Windows XP vulnerabilities; and then Blaster and Sobig reared their pointless, ugly heads.
Now if you’re a network administrator tasked with keeping the usual Ethernet nightmares to a minimum, simply tracking the aforementioned issues, to say nothing of preventing them, would prove troublesome. More to the point, security isn’t just evolving for four-eyed sociopaths and anti-virus companies. New tools and security strategies are being developed, and tracking these is just as much a part of a security specialist’s job as are direct threats to the system.
A couple of useful examples in this department might start with BrowseControl 1.4, recently released by a United Kingdom-based company called Codework. This version adds an Application Blocking feature that lets companies build a “black list” of applications that users will no longer be able to launch from their PCs. Using BrowseControl, administrators can quickly and easily block users from running dangerous, time-wasting or badly spelled applications such as Kazaa, instant-messaging programs or specific games. BrowseControl does its job well by using the software’s internal Windows name, so power users who decide to rename their .exe files to scam BrowseControl won’t make it.
Or there’s the recent Microsoft Knowledge Base article addressing the proper steps to secure its SNMP service. SNMP is often a critical part of a network management scheme, yet all its overhead messages are sent in clear text. Trap these in a sniffer, and it’s pretty simple to pick out detailed information about the network. In its paper, Microsoft gives step-by-step instructions on how to create an IPSec SNMP security policy based on filters.
Take the immediate list of a network admin’s duties into account, and it’s easy to see how simply tacking on the broad topic of “security” might quickly balloon into an unmanageable burden — or an unfulfilled task. Not to mention that if the last few months have taught us anything, it’s that IT security problems can come from more than just the network side. Security professionals need to be multi-faceted folks, comfortable with application-level discussions as well as network gear such as routers and firewalls, and even legal issues.
My advice? If your network is large, hiring even just one security professional is a worthwhile investment. If medium or small is more your measure, then hey, give one of us consultants a ring. Managed security services abound these days and can give you all the expertise your network needs at a fraction of the full-time cost. And do it soon, because this situation is going to get worse before it gets better.