InfoWorld
Security Part I: Strategies

By Tom Yager
August 16, 2002


 
Closing the loop on hackers


Hackers describe firewalled enterprises with no other defenses as "crunchy on the outside, soft and chewy on the inside." Bad guys can find lots of ways to go through the firewall (via e-mail or Ports 80 and 443) or around it (via rogue Wi-Fi). Good guys must therefore layer their defenses. One key strategy is the personal firewall, which wraps an extra layer of protection around individual PCs. It also helps catch unauthorized outbound access, a major concern for the 80 percent of the 2002 InfoWorld IT Security Survey respondents who worry about their systems being used as attack proxies.

When corporate users access the Internet from non-VPN-equipped home PCs, a personal firewall is ideally a second line of defense, behind a DSL or cable modem that's configured for NAT. Sometimes, especially in the case of a mobile PC, the personal firewall may be the only line of defense. Wherever the line is drawn -- at the corporate firewall, a home-office NAT, or a personal firewall -- IT managers tend to assume that the job is done as soon as a port scan or probe has been blocked. These activities are just "background noise," say the firewall vendors' advice pages, and can safely be ignored. One security activist thinks otherwise. Lawrence Baldwin, who runs http://myNetWatchman.com, believes that all malicious activity should be pursued. What is perceived as an attack, writes Baldwin, is most often "a cry for help from a likely victim whose system has been compromised and is just being controlled by a hacker."

To close the loop and triangulate the hackers who are pulling the strings of these victim PCs, Baldwin has created a network of agents that read the log files of personal firewalls and NATs and relay them to myNetWatchman.com. The incidents are collated, and when patterns exceed the threshold of background noise, they are automatically reported to the ISP or system owner.

Baldwin's experiment deserves wider support. Compromised systems, the vectors for worms and DoS (denial of service) attacks, threaten the Internet's integrity. Just blocking them doesn't attack the root of the problem. Sharing firewall logs and automating responses based on a global view of the data is the right way to help ISPs enforce accountability. If large-scale incident reporting can be made effortless for users, compromised systems will become more visible, and it will be more difficult for their controllers to hide.

-- Jon Udell

A MARTIAL ARTS teacher tells students, "You're going to get hit." They learn that although being hit isn't much fun, the fear of being hit is far more crippling. Once a beginner student excitedly threw an elbow and caught the instructor under the jaw -- a perfect strike. The teacher unashamedly relates that episode, dissecting what he did wrong and what the novice did right to put him on his backside. Despite being shown by an expert precisely how it was done, no student has ever duplicated that success.

IT leaders should approach security with similar acceptance and openness. But the 2002 InfoWorld IT Security Survey of almost 600 IT leaders reveals that the IT community overly worries about a broad spectrum of attacks, even though the odds of suffering damage by most of them are slim. Also, too many companies overspend on security; their yearly expenditures outpace potential damages by an astonishing margin. The average cost-to-risk ratio reported in the survey is 18-to-1.

There is too much spending and there are too many successful attacks because a large contingent of the IT community -- 38 percent of survey respondents -- refuses to share its hard-won security knowledge. The necessary technology -- security hardware, software, and services -- exists and is constantly improving, so what IT needs is a better-considered, more realistic application of these tools based on collective wisdom. If IT leaders banded together, they could develop a consensus on which attacks are worth preventing and which countermeasures work best. As it stands, what should be a sturdy defensive wall is missing every third brick, and those holes can't be spackled with money.

The endless onslaught of urgent security alerts can leave you numb, making it difficult to discern the realistic threats from hackers' harmless experiments. Or it could send you into a frenzied search to match every fresh exploit with a specific countermeasure, expense be damned. We expected the IT Security Survey to tell us that IT leaders are in denial about their level of exposure. Instead, we found symptoms of panic and overreaction. Out of 18 listed types of attacks, only two -- viruses and worms -- penetrate respondents' networks with significant frequency. But 12 varieties of attacks provoke serious concern among at least 45 percent of respondents. Most attacks, such as DDoS (distributed denial of service) and transaction theft, inflict measurable damage so rarely that it's folly to deploy specific defenses for them.

Every attack can't be prevented, yet IT staffs try. On average, respondents' companies plan to spend $3.6 million on security products and services during the next year, whereas the average cost of security breaches in the past 12 months was $193,000. Some companies are paying many times more for insurance than they're likely to suffer in losses. It's cheaper and less stressful to design a resilient network that blocks everything it reasonably can and quickly contains and recovers from successful attacks.

New technologies expose fresh vulnerabilities, and those risks should be weighed against the technologies' benefits. To paraphrase an oft-quoted line from the war on terror, if you let security fears slow your efforts to modernize IT operations, the bad guys win. In some shops, they are winning. According to the survey, 24 percent of IT leaders are delaying the deployment of Web services because of security concerns, and 18 percent are holding back on wireless networks for security reasons. Most new services can be adequately protected by adjusting your current security infrastructure.

Fear-mongering pundits sneer at the impotence of existing security measures. But hackers haven't driven commerce off the Internet yet, so these measures, though uninspiring, are working well enough. The firewall, router, VPN, and anti-virus products made by vendors such as Symantec, Cisco, McAfee, and Check Point Software top respondents' list of favored solutions: 85 percent of respondents are using firewalls, IP VPNs, or both; 65 percent of firewall/VPN users are getting these capabilities from their routers. And just one respondent out of 597 reported not using an anti-virus solution.

These tried-and-true technologies don't engender much excitement, but they're affordable and stop the vast majority of attempted attacks; 57 percent of respondents are planning to buy new firewalls, IP VPNs, or both in the next year. If you've taken all the common-sense steps but feel they're not enough, consider these new approaches. According to the survey, two emerging solutions have joined the old favorites: the IDS (intrusion detection system) and security services.

The IDS, already deployed by 48 percent of respondents and in the planning phase at 26 percent, is like a hyperactive firewall. It examines the details of network connection attempts, looking for patterns associated with attacks. The IDS is a worthwhile step up from firewalls, but it's not perfect yet. For example, a misconfigured router at a partner's site can produce traffic that matches an attack pattern, and an IDS set to respond automatically will then shut down a critical connection on a false positive. IDSes will get more discerning, but sharing attack details with the vendor and with other users of your IDS solution is essential.
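The two ideas above, the sidebar's collation of personal-firewall and NAT logs with a background-noise threshold before anything is reported, and the partner-router false positive that an automatic IDS response turns into an outage, can be shown in one piece of code. The following is an added example, not myNetWatchman's agent code or any IDS product's logic. The log line format, the addresses, the PARTNER_NETS list and the two thresholds are all constructed for illustration; a real deployment would feed it the firewall's own log format and its own partner address ranges.

```python
# Added example (not InfoWorld's or myNetWatchman's code): collate dropped
# connection attempts from a personal-firewall/NAT log, decide per source
# whether the activity rises above background noise, and route it either to
# an abuse report or to a "talk to the partner first" queue instead of an
# automatic block. Log format, addresses and thresholds are constructed.
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample log, one event per line: "date time action src dst dst_port proto".
SAMPLE_LOG = """\
2002-08-16 10:00:01 DROP 203.0.113.7 198.51.100.5 21 tcp
2002-08-16 10:00:01 DROP 203.0.113.7 198.51.100.5 22 tcp
2002-08-16 10:00:02 DROP 203.0.113.7 198.51.100.5 23 tcp
2002-08-16 10:00:02 DROP 203.0.113.7 198.51.100.5 25 tcp
2002-08-16 10:00:03 DROP 203.0.113.7 198.51.100.5 135 tcp
2002-08-16 10:00:03 DROP 203.0.113.7 198.51.100.5 139 tcp
2002-08-16 10:05:00 DROP 192.0.2.44 198.51.100.5 443 tcp
2002-08-16 10:05:01 DROP 192.0.2.44 198.51.100.5 443 tcp
2002-08-16 10:05:02 DROP 192.0.2.44 198.51.100.5 443 tcp
2002-08-16 10:05:03 DROP 192.0.2.44 198.51.100.5 443 tcp
2002-08-16 10:05:04 DROP 192.0.2.44 198.51.100.5 443 tcp
2002-08-16 10:05:05 DROP 192.0.2.44 198.51.100.5 443 tcp
2002-08-16 10:09:00 DROP 198.51.100.99 198.51.100.5 1434 udp
2002-08-16 10:09:30 ACCEPT 198.51.100.5 203.0.113.200 80 tcp
"""

# Assumed partner address space: a misconfigured router here should prompt a
# phone call, not an automatic shutdown of the link.
PARTNER_NETS = [ip_network("192.0.2.0/24")]
NOISE_THRESHOLD = 5   # dropped events from one source before we look closer
MIN_TARGETS = 3       # distinct ports or hosts that mark a scan, not a stray packet


@dataclass
class SourceSummary:
    events: int = 0
    targets: set = field(default_factory=set)     # destination hosts
    ports: set = field(default_factory=set)       # destination ports
    evidence: list = field(default_factory=list)  # raw lines for the report


def parse_line(line: str) -> dict:
    """Split one log line into its fields; raises ValueError on garbage."""
    date, time, action, src, dst, port, proto = line.split()
    return {"ts": f"{date} {time}", "action": action, "src": src,
            "dst": dst, "port": int(port), "proto": proto}


def collate(lines) -> dict:
    """Group dropped attempts by source address, keeping the raw lines."""
    summaries = defaultdict(SourceSummary)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] != "DROP":      # only blocked attempts are of interest
            continue
        s = summaries[ev["src"]]
        s.events += 1
        s.targets.add(ev["dst"])
        s.ports.add(ev["port"])
        s.evidence.append(line)
    return dict(summaries)


def classify(src: str, s: SourceSummary) -> str:
    """Return 'noise', 'contact-partner' or 'report-to-isp' for one source."""
    if s.events < NOISE_THRESHOLD:
        return "noise"                  # below the noise floor: ignore
    if any(ip_address(src) in net for net in PARTNER_NETS):
        return "contact-partner"        # never auto-block a known partner
    if len(s.ports) >= MIN_TARGETS or len(s.targets) >= MIN_TARGETS:
        return "report-to-isp"          # sweeping ports or hosts: a scan
    if s.events >= 4 * NOISE_THRESHOLD:
        return "report-to-isp"          # one port hammered persistently: likely a worm
    return "noise"


def triage(lines) -> dict:
    """Map each source seen in the dropped traffic to its disposition."""
    return {src: classify(src, s) for src, s in collate(lines).items()}


def build_report(src: str, s: SourceSummary) -> dict:
    """Evidence bundle that would be sent to the source's ISP or owner."""
    return {"source": src, "events": s.events,
            "ports": sorted(s.ports), "targets": sorted(s.targets),
            "first_seen": parse_line(s.evidence[0])["ts"],
            "last_seen": parse_line(s.evidence[-1])["ts"],
            "evidence": list(s.evidence)}


if __name__ == "__main__":
    summaries = collate(SAMPLE_LOG.splitlines())
    for src, s in summaries.items():
        verdict = classify(src, s)
        print(f"{src:16} {verdict}")
        if verdict == "report-to-isp":
            print("    report:", build_report(src, s)["ports"])
```

On the constructed sample, 203.0.113.7 sweeps six ports on one host and is escalated with its evidence lines attached; 192.0.2.44 retries port 443 six times but sits in the assumed partner range, so it lands in the contact-partner queue rather than being blocked; the single probe from 198.51.100.99 stays below the threshold and is treated as noise. The partner check runs before the scan heuristics deliberately, so that a misconfigured device on a trusted link can never be escalated by volume alone.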

Security services are rising in popularity, mostly in niches. The majority of IT leaders outsource discrete elements of their security plan, such as VPNs (55 percent of respondents) or PKI (34 percent). Also, 37 percent use outside consulting and training to augment their security knowledge.

To keep up with security technology, buy smart, not often. Invest in expandable, multipurpose platforms that can handle a combination of routing, firewall, VPN, IDS, and content filtering.

Your network will get hit sometimes. But the low average damage costs and limited variety of successful attacks show that serious harm is rare. Counsel management that security costs and risks must be balanced with larger IT objectives.

  BOTTOM LINE
IT security
EXECUTIVE SUMMARY
IT leaders worry excessively and spend more on security than the actual level of risk requires. Sensational reports of exotic exploits distract IT staff from the mundane yet effective security regimen of firewalls, anti-virus tools, and VPNs.

TEST CENTER PERSPECTIVE
The best security plan includes sharing your experiences to help secure others' networks; helping vendors develop smarter, stronger defenses; and buying expandable, configurable security products and services that can take on new capabilities, such as intrusion detection, as technology advances.