 

TEST CENTER

 
Security protects bottom line

By P.J. Connolly, InfoWorld Test Center
April 4, 2001


Encryption, intrusion detection, and traditional security measures not only protect assets but also safeguard business relationships

COMPUTER SECURITY means different things to different people. To someone trained in physical security concepts, the computer is secure as long as it's behind a locked door. To a system administrator, security depends on installing the patches for known security holes in the applications and the OS. To your customers, security means that personal or sensitive data won't be available to every 15-year-old with a Linux box and some hacking tools. But no matter your perspective, one thing is for sure: Security is going to be an IT hot button for as long as computers are networked.

The cost of beefing up security may seem like a tough sell during the current economic downturn. But companies that fail to ensure security may not be around long enough to learn from their mistakes. After all, the true cost of a security breach is not the overtime your emergency response team racks up or the potential fines and litigation expenses; what really hurts is the loss of confidence and goodwill that follow.

Preventing security issues from knocking your business for a loop isn't easy, but it doesn't have to be overwhelming either. Rather than tackling everything at once, the best strategy is to determine where the greatest vulnerabilities are and address those problems first.

Start with the basics

There's an old saw in the IT business that the only completely secure system is one that is disconnected from a network, encased in concrete, and lying at the bottom of the ocean. Because that's an impractical goal for most of us, the next best thing is to ensure that your systems are protected at a level that befits the data on them.

Obviously, security starts at the physical level. Your gear may be housed in the strongest bunker since Hitler's Chancellery, but there's more to security than gates, guards, and guns. Knowing who goes in and out of the server room -- and when -- is the difference between controlling access and simply handing out badges.

Remote offices and telecommuters sometimes offer weak spots to hackers. There is little point in building a corporate data fortress if you're going to leave it open to a server stashed in an unlocked closet in Peoria. The unsecured home computer of an employee whose work follows him or her home is an even greater hazard, as we saw during the Microsoft "QAZ" incident earlier this year. Of course, these folks are your co-workers, and you can't string them up first and ask questions later. But remote workers should know that their privileged status means they must pay more attention to security basics than the ordinary cubicle rat does.

If your shop is like most, the IT operations staff handles tasks such as data backup and disaster recovery. But that doesn't relieve the security manager from responsibilities in these areas. And disaster recovery and incident management plans are good things to have, but only if you rehearse them regularly.

You stand a much better chance of recovering from any disaster -- natural or otherwise -- if your staff is practiced in the art of exercising its emergency responsibilities. That means taking extreme measures such as flying staff and tapes to the "hot" site -- assuming you've taken the precaution of making the appropriate arrangements -- and rebuilding the affected systems. The security manager's role in this process is not to prove whether or not the operations staff is violating the fine print of your security policy; it's to ensure that fundamental procedures are not ignored in the rush to bring a system online and that shortcuts do not undermine your policy's integrity.

Making the connection

The network connection brings with it an infinite variety of weak points. Turning that connection from a potential liability into a secure asset takes work, but it does pay off when it's done right. And when it's not done right, you practically have no protection at all. For example, most companies place a firewall between the company and the Internet, but too many shops either buy a firewall that's inadequate for the job or weaken the firewall by allowing so many specific traffic types to pass that it's no longer effective.

The VPN is another potential source of trouble. True, VPNs permit secure networking by encrypting all traffic between two hosts, but they also slow data transmission rates because they have to perform encrypting and decrypting operations. (The conventional wisdom holds that a VPN link moves data about 40 percent as fast as an unencrypted connection.) This latency can wreak havoc on applications, especially those at the mainframe level, which assume that connections have instant access to the server.

Although routers and similar programmable network devices are obviously your networking group's responsibility, the smart security manager will confer with these folks to confirm that devices are appropriately configured and regularly maintained -- particularly with regard to operating system patches. For example, the Cisco Internetwork Operating System (IOS) is considered fairly stable but is far from perfect, and security holes are discovered often enough to warrant a certain amount of paranoia on the part of Cisco's customers.

Our point is not to bash Cisco, but rather to emphasize the fact that intelligent networking devices such as routers are not plug-and-play. Like a desktop computer's OS, a networking device's software requires the occasional patch job.

Intrusion detection is a relatively new technology at the network level, but it is quickly gathering a following. Because many attacks try to masquerade as normal Internet traffic, intrusion detection requires some knowledge of what happens to your network in normal use. It's embarrassing to report an attack only to find that the data is from one of your partners who regularly sends several megabytes of data to your FTP site every Friday at 8 p.m.
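The point about knowing normal traffic can be made concrete with a small baseline check. This is an added example, not part of the original article: the host names, log records, and thresholds (`min_samples`, `factor`) are constructed assumptions. A recurring Friday 8 p.m. partner upload passes, while the same volume from an unknown source or at an unusual hour raises an alert.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed history: (timestamp, source host, bytes uploaded to the FTP site).
HISTORY = [
    ("2001-03-02T20:05:00", "partner.example", 6_200_000),   # Fridays, 8 p.m.
    ("2001-03-09T20:02:00", "partner.example", 5_800_000),
    ("2001-03-16T20:10:00", "partner.example", 6_500_000),
    ("2001-03-23T20:01:00", "partner.example", 6_100_000),
    ("2001-03-14T10:30:00", "branch.example", 40_000),
    ("2001-03-21T10:45:00", "branch.example", 55_000),
]

def slot(ts):
    """Reduce a timestamp to the (weekday, hour) slot used as the baseline key."""
    t = datetime.fromisoformat(ts)
    return t.weekday(), t.hour

def build_baseline(records):
    """Map (source, weekday, hour) -> volumes observed in normal use."""
    baseline = defaultdict(list)
    for ts, src, size in records:
        baseline[(src, *slot(ts))].append(size)
    return baseline

def assess(event, baseline, min_samples=3, factor=3.0):
    """Judge one transfer against the baseline; return (verdict, reason)."""
    ts, src, size = event
    if not any(key[0] == src for key in baseline):
        return "alert", "source never seen before"
    seen = baseline.get((src, *slot(ts)), [])
    if len(seen) < min_samples:
        return "alert", "too little history for this source in this time slot"
    if size > factor * median(seen):
        return "alert", "volume far above the usual for this slot"
    return "normal", "matches the recurring pattern"

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for event in [  # constructed events to classify
        ("2001-03-30T20:07:00", "partner.example", 6_300_000),
        ("2001-03-27T03:12:00", "partner.example", 6_300_000),
        ("2001-03-30T20:07:00", "unknown.example", 6_300_000),
        ("2001-03-30T20:30:00", "partner.example", 60_000_000),
    ]:
        print(event, "->", assess(event, baseline))
```

The slot here is an exact weekday and hour, so a transfer that starts a few minutes before the hour lands in a different slot; a production baseline would use a wider or overlapping window.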

One nifty approach to intrusion detection is the "honeypot," a dummy system that appears to contain interesting files for intruders but which has been deliberately set up to track a hacker's every move.

Into the fire

On one hand, it's much easier to secure computers, which often feature tools that facilitate the process of installing patches and updates, than it is to harden routers. But because there are so many desktops and servers, it's easy to miss one. Unfortunately, and particularly when Windows systems are involved, all an attacker must do to establish a beachhead inside your network is to find that unpatched machine. Your only hope then is to discover the intrusion, wipe the machine, and reload its OS and applications.

At the user level, security managers are being asked to implement a number of new -- or at least unfamiliar -- technologies. For example, biometric authentication is a hot button for many shops, in part because of the James Bond aspect (let's face it, scanning a handprint or a face pattern just sounds neat) and in part because the technology is maturing at a time when Federal regulations on medical patient privacy are about to kick in with a vengeance. Although the Health Insurance Portability and Accountability Act (HIPAA) of 1996 doesn't absolutely require the use of biometric authentication, the act does recommend its use. Many shops are forging ahead and adopting the technology.

As for encryption technology, it's hardly limited to the VPN sphere. Despite a lack of simple tools that easily integrate into e-mail and other collaboration packages, the combination of increasing corporate interest and relaxed government strictures means that encryption technology's best days are ahead of it.

Unfortunately, the same can be said for IT security in general. Anyone assigned the responsibility for securing corporate systems and networks should keep that firmly in mind.



Senior analyst P.J. Connolly (pj_connolly@infoworld.com) covers networking, operating systems, and security for the Test Center.



  BOTTOM LINE
Securing your network
BUSINESS CASE
With many enterprises facing tighter budget restrictions, it's not uncommon for network security to fall off the list of IT priorities. But the cost of an unauthorized breach can quickly outstrip the expense of upgrading existing security. And as the number of telecommuting workers increases, the risk of successful hack attempts also rises.

TECHNOLOGY CASE
Securing your network means locking down physical resources, monitoring remote users, and keeping a close eye on your physical network -- no small task. The good news is that security tools are getting better all the time. Interesting developments in the fields of intrusion detection and biometric monitoring will tighten network and system security in the near term.

PROS

+ Customers are more likely to do business with a vendor whose security is top-notch

+ Securing networks and systems can prevent business interruptions and lost productivity


CONS

- Security enhancements often divert resources from other projects


