About InfoWorld : Advertise : Subscribe : Contact Us : Awards : Events : Store
InfoWorld HomeNewsTest CenterOpinionsProduct GuideTechIndex
 COLUMN ARCHIVE  FORUMS
 

COLUMN

 
Security Advisor
Stuart McClure & Joel Scambray

Your best defense against hack attacks: Good information and an insurance policy

IF YOU SPEND much time bantering in security circles, you're bound to hear the dogma: Technology won't solve your security problems anytime soon, so stick to the basics, such as policy, risk mitigation, vigilant monitoring, disaster preparedness, and -- most important -- keeping informed on the latest attack information. As disheartening as it may be, it is true.

   ADVERTISEMENT
  

Free IT resource

Virtualization Insights from Top Experts - Learn how virtualization gets real!

Sponsored by Dell

Free IT resource

TechNet: More ways to know it, share it, and keep it running.

Sponsored by Microsoft

RELATED LINKS
»  IE 7 bug reopens debate over patch responsibilities
»  Woman ordered to pay for file-sharing will appeal
»  McAfee to buy SafeBoot for $350M
»  Security RSS feed 

IDG ENTERPRISE NETWORK
Research Reports  (CIO)
Ask the Expert  (CIO)

TOP NEWS 


IT SOLUTION SEARCH
So why are there still so many information-security-clueless companies, vendors, and end-users? Is it because security is so difficult? We don't think so. Rather, it's because definitive information on what the underground is doing to breach security is still kept rather hush-hush. The reasons range from victims trying to keep a low public relations profile on potentially embarrassing lapses to vendors trying to keep a competitive edge in an ever-expanding security product and services market. Whatever the reasons, they lack any hearty justification.

How to break this vicious circle of silence? In the past we've pushed for a public database of attack information. Security practitioners could anonymously contribute valuable information about security attacks; it could be supported by a minimal subscription. Would it work?

Many vendors have attempted to collect such data in various forms. For example, Internet Security Systems has demonstrated good citizenship by publishing its X-Force database of vulnerabilities over the years. A new initiative is underfoot called Common Vulnerabilities and Exposures (CVE), at www.cve.mitre.org, that is attempting to bring order to the madness that ravages the Internet every day.

We also enjoy reading many of the full-disclosure-oriented mailing lists such as those at securityfocus.com, sans.org, and ntsecurity.net. Two recent examples: Securityfocus' Incidents list recounts the "I Love You" worm's inner workings, and a highly interesting post appears on ntsecurity.net's Win2KsecAdvice list about a Windows NT and Windows 2000 Registry setting called MaxClientRequestBuffer. The latter prevents DoS (denial of service) conditions in Internet Information Server. (See Microsoft knowledgebase article Q260694.) Mailing lists, however, are somewhat free-form and have yet to provide a well-managed overview of incident trends that would really aid the overworked IT administrator.

One of the most frequently cited annual surveys on information security breaches is sponsored by the Computer Security Institute (CSI), at www.gocsi.com. The CSI essentially polls 500 security personnel and acts as a weather vane, but count us among those who yearn for more granular tracking of what's going on.

Another potential source of information is the new crop of managed monitoring services. For example, way back in the spring of 1998, we wrote a Test Center Comparison of intrusion-detection products. That article included IBM's Emergency Response Service (ERS), one component of which was the installation of Wheel Group's (now Cisco's) NetRanger network monitoring device on client sites and remote collection of attack data. At the time, an IBM employee intimated that the company was building an interesting meta data set of attack information from dozens of clients around the world. We wonder what ever became of this database. Is IBM going to publish this pot of gold?

Cryptography guru Bruce Schneier recently put his company, Counterpane (www.counterpane.com), behind a Managed Security Monitoring service, which will collect security data to be parsed by software filters, and even human expertise, in Counterpane's data centers.

We talked recently with Schneier, and he sounded confident that Counterpane would make its data publicly available, at least to the extent that it isn't injurious to client confidentiality concerns. "As far as I know, there isn't any real data on the incidence or frequency or type of attacks in the real world," Schneier said. "This will be a very valuable research result." If no one will listen to us, maybe Schneier can get them to take notice.

Is your organization regularly reviewing firewall logs and tracking potential threats, trying to understand what'll happen next? If you're anything like the companies we see day in and day out, the answer is no. It's about time we let someone else do it for us. Contribute to our database of e-mail attacks at security_watch@infoworld.com.


Stuart McClure is president/CTO and Joel Scambray is a managing principal at security consultant Foundstone ( www.foundstone.com ), formerly Rampart Security Group.




RELATED SUBJECTS

Security
MORE >


SPONSORED WHITE PAPERS
EMC - Lower costs and improve reliability-Get the EMC CLARiiON white paper!
Ciphertrust - Are you ready for Sobig.G? Learn how to protect your email systems.
CDW - Personal attention. CDW. The Right Technology. Right Away.
EMC - Explore key performance features and capabilities of EMC ControlCenter 5.1.1.
Intel - Free Intel white paper shows you how to deploy a secure wireless LAN
Cisco - FREE WHITE PAPER: BLUEPRINT to design and implement secure VPNs
Verity, Inc. - "Mass Consolidation Hits the Web-Search Market"
McDATA - Download a FREE storage consolidation white paper from McDATA(R).
Lucent Technologies - Overcoming Common Firewall Limitations
Lucent Technologies - Leverage Your Mobile High Speed Data Access. Download Free White Paper!
Nokia - Get the scoop! Mobilizing business white papers & case studies.
BMC Software - Maximize the Potential of Enterprise Data: Free white paper!
Network Associates - Free white paper - Strategies for Optimizing Network Costs and Benefits
Entrust - Manage identities across applications. Improve productivity.
Stalker Software - CommuniGate Pro - Transform your Email and Calendaring
Remedy - A NEW Gartner Research Note:Producing Quality IT Services

Search the IDG White Paper Library:


SPONSORED LINKS

INFOWORLD MARKETPLACE


» IT Compliance Conference: Nov. 5-7 in San Diego
Best Practices, Peer Experiences, & Expert Advice for Building a Defensible IT Compliance Program
» FREE Sophos Threat Detection Test
Is your AV catching everything it should? Free virus, spyware and adware scan.
» IT Audit Checklists
Prepare for your next internal IT audit. Checklists cover security, risk management, PCI, and more.
» FREE White Paper: Mitigating Rock Phish Attacks
Standard anti-phishing methods cannot defeat complex Rock Phish attacks. Learn how to fight back...
» Apply BPM and ITIL at your IT Help Desk
ServiceWise brings BPM to complete IT service while eliminating integration cost. Learn more here.

 HOME  NEWS  TEST CENTER  OPINIONS  PRODUCT GUIDE  TECHINDEX   About : Advertise : Subscribe : Contact Us : Awards : Events 

Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy

All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services.

Computerworld :: Network World :: CIO :: PC World :: Darwin :: CMO :: CSO
IT Careers :: JavaWorld :: Macworld :: Mac Central :: Playlist :: GamePro :: GameStar :: Gamerhelp
ITWorld Canada :: Computerwoche :: Techworld UK :: tecChannel :: IDG.se :: IDG.no