What keeps IT up at night?

Nightmare scenarios range from data leaks to compliance, but fortunately there are strategies to help ensure some shut-eye

Look in the mirror: those bags under your eyes, that sallow skin, the haunted look. You must work in IT. Between keeping the network running and dealing with hackers, slackers, and clueless managers, it's a wonder you get any rest at all.

But if you think you're losing sleep now, just wait. A batch of new problems is about to make a good night's sleep even more elusive. Nightmare scenarios include VoIP security breaches, scary data leaks, rogue software infestations, configuration calamities, and creepy compliance concerns. By all accounts, there's good cause to sleep with one eye open.

Things That Go VoIP in the Night

In November 2004, Edwin Andres Pena allegedly paid suspected computer hacker Robert Moore $20,000 to steal more than 10 million minutes of VoIP telephone service so Pena could resell them to unsuspecting customers. But the hacker didn't attack Vonage or any of the second-tier VoIP providers. He went after an investment firm in Rye Brook, N.Y., which had no clue its network had been hacked.

As enterprises increasingly replace segments of their traditional phone systems with VoIP, they put themselves at risk for what Covergence CTO Ken Kuenzel calls "phone flu" -- attacks that target weaknesses in the Session Initiation Protocol that VoIP applications employ.

"The problem is we've not yet applied the same security principles and models to the SIP protocol that we have to HTTP and SMTP," says Kuenzel, whose company sells VoIP security solutions. "It's a situation where systems are vulnerable to all sorts of attacks and intrusion."

Aside from denial or degradation of service, VoIP attackers could eavesdrop on your calls or steal passwords and other sensitive information. They could also record voice packets and inject them into other conversations -- conceivably, capturing your voice saying "buy" or "sell" and playing it back to an employee during a call. And once they're in, little can prevent them from accessing the rest of your network.

Click for larger view.

 "With VoIP, it's significantly easier to disrupt communications from remote locations," says Richard Telljohann, manager of security software at IBM Tivoli. "The same worm that takes out your e-mail system can also take out your phones."

WorldxChange, a New Zealand VoIP provider, uses Covergence's Eclipse software to secure VoIP service for its commercial and residential customers. Many IT pros fail to take into account the complexity of VoIP deployments, says Phillip Moore, operations manager for WorldxChange. He says they don't pay enough attention to signaling and media security, port restrictions, firewall rules, account access, and provisioning information.

"If IT managers want to sleep better at night, they need to apply the same security practices to voice that they have to e-mail and Web traffic," Kuenzel says. "They know what to do and how to do it, they just need to deploy products that bring these new apps in line with their tried-and-true security models."

The Data Leak Under the Bed

It seems you can't open a newspaper without encountering yet another story about a calamitous data leak. Bank of America, ChoicePoint, Citibank, Ernst & Young, the Veterans Administration, Wells Fargo -- all have collectively misplaced millions of records over the past two years.

Bob Gligorea knows about data leaks from both sides. As information security officer for Exchange Bank, he's responsible for ensuring that the bank's data stays where it's supposed to -- in the bank. But he also was the victim of a data spill last February, when the American Institute of Certified Public Accountants lost a hard drive containing 330,000 unencrypted Social Security Numbers, Gligorea's included. His consolation prize? One free year of credit monitoring.

"There's no excuse for businesses to store customer data on desktop or portable computers without encrypting the data," Gligorea says. The bank recently began encrypting its backup tapes and does not allow customer data to be stored on desktops or portables. It has also implemented additional security measures to ensure that any data files being sent outside the bank are encrypted to prevent unauthorized disclosure of customer data.

Portable devices also are causing many IT managers to lose sleep. "In the past, organizations used to be concerned about laptops not behind their firewall," says Warren Smith, vice president of marketing at GuardianEdge Technologies, maker of encryption software. "Now they're concerned somebody could drop in a 3-Gig USB drive, inside or outside the corporate perimeter, and walk away with some serious information."

Many large enterprises are quickly adopting end-to-end encryption, and SMBs are following suit, Smith says. But it's hard to police something as small and ubiquitous as thumb drives. "Many organizations would be shocked to find out how mobile their data really is."

Other potential sources of data leaks are those Blackberries and Treos in everyone's pocket, says Sara Gates, vice president of identity management at Sun Microsystems. "PCs are moving down in importance in terms of accessing data. Everything is moving to the edge -- to Blackberries, Treos, and other wireless devices," she says.

In a perfect world such devices would be "naked and dumb," with the intelligence and data residing on the network, protected by an identity management system. "Whether you're a person, a device, a Web service, or a hacker -- we need to know who are, what you can do, and what you will do," Gates says.

Click for larger view.

But Gates acknowledges that even the most advanced corporations are years away from that kind of bullet-proof identity management.

Nightmare on Config Street

What does it take to bring down a Web server? Try a misplaced comma in a configuration file. That tiny typo once took three servers offline for a major player in the hospitality industry, says Jim Hickey, vice president of marketing at mValent, a producer of configuration management products. A routine check of configuration files using mValent's Integrity app uncovered the error, which might otherwise have gone undetected.

In fact, three-quarters of enterprises surveyed by mValent said they'd suffered application downtime during the prior month due to a configuration glitch.

"One of the dirty little secrets of the software business is that there are hundreds of configuration files with tens of thousands of individual parameters that need to be tuned to make the infrastructure work and keep apps running," Hickey says. "What keeps IT pros up at night is worrying about who has access to these files, what changes are being made, and if they're happening in a controlled fashion."

State Street, a Boston-based custody bank, uses mValent Integrity to check for errors in in-house application development for its Wealth Management Division. Joe Kennedy, vice president of technology architecture and R&D, estimates 30 percent to 40 percent of the problems his organization encounters are due to configuration errors, not bad code. Avoiding such errors is critical to keeping the business running.

"When there's a configuration error, nine times out of 10 you have an outage," Kennedy says. "That's just not acceptable in finance. When you're dealing with people's money, you can't be down."

Configuration management is really part of the bigger challenge of managing in a constantly changing environment, says Charles Ramsey, executive vice president at Service-now.com, an on-demand IT service management company.

"What's keeping IT execs awake is trying to understand what the heck is going on in their environments," Ramsey says. "I recently met with the CIO at a major wireless carrier, which has a change management app so complicated no one uses it. They probably have 85 systems of record in the IT org stored in Access databases, Excel spreadsheets, and on the mainframe. There's no point of integration between them."

Ramsey says enterprises can get a handle on such problems by combining asset, change, configuration, and problem-management tools into a single system of record -- which, not surprisingly, is what Service-now offers.

"The service desk is a critical component," Ramsey says. "If there is true integration and all applications behave in a similar manner, processes like change, problem, asset, and release management all will contribute to having a more effective service desk."

Help! My Network's Overrun by Rogues

Pop Quiz: How many enterprises have software installed on their desktops that their IT departments don't know about and wouldn't approve of if they did know about them?

Answer: All of them, says Peter Evans, vice president of marketing and business development at Internet Security Services.

"Probably 100 percent of enterprises have a problem with rogue software," Evans says. He also says employees typically download software that makes their jobs easier or favorite programs they've used in the past. Many times, though, they're installing IM clients or peer-to-peer apps, which can cause serious problems.

"Any software installed without appropriate oversight can introduce security risks," says Ed Moyle, manager of CTG Consulting, an IT staffing and consulting firm. "We're seeing a lot of interest in extrusion prevention software that scans outgoing network activity for confidential or proprietary data, to make sure it doesn't leak out of the firm."

And if rogue software troubles your sleep, imagine a bigger nightmare: rogue networks. People often think nothing of bringing in insecure devices and logging on to the corporate LAN, says Evans. He cites one instance at a major financial institution in New York where an employee brought in a Wi-Fi enabled laptop. He then began broadcasting an unencrypted, ad hoc wireless network with the name "Apartment" across parts of lower Manhattan, inadvertently connecting to another network and opening an unsecured bridge into the financial institution.

"You cannot predict where wireless is going to be," he says, which is why ISS recommends performing periodic vulnerability scans of clients' offices for unauthorized hardware, including Wi-Fi devices.

He says enterprises may move to a security-on-demand model, where the network automatically scans your device and, if it determines that it's insecure, takes appropriate corrective actions, such as downloading an agent to secure the device for however long you need to log on.

"At a high level you have policy and technology measures that govern what people can and can't do with their machines," says CTG's Moyle. "But in any organization of any size, there will always be nooks and crannies where it's hard to find out what's really going on."

The Compliance Secret Hiding in the Closet

When hackers attack your VoIP system, when employees take sensitive data home on thumb drives, when configuration errors or rogue software takes down your network, it's not just an IT disaster, it's increasingly a compliance problem. And when organizations ignore this reality, it can easily put them in Dutch with state and federal laws.

"Under [California law] SB 1386, people know if a laptop with personally identifiable information on it gets stolen they must disclose that," Moyle says. "But they don't understand that if you put the same data on a thumb drive and bring it home with you, and your home machine has been compromised by spyware, you're still required to disclose that the data has been compromised. They don't know they're out of compliance. It's a huge problem."

But keeping up with the reporting requirements of laws such as SB 1386, HIPAA, Sarbanes Oxley, the Gramm-Leach-Bliley Act, and all the rest too often becomes a primary responsibility of IT pros who already have full-time jobs. Combine that with poorly understood requirements and poorly defined IT controls, and you have a recipe for regulatory disaster.

Little wonder then that IT firms are struggling more with their SOX audits this year, says Wynn White, Oracle's senior director of security and identity management.

"One dirty little secret of compliance is that the bar keeps getting raised, and what met the requirements a year ago isn't working this year," White notes. "I've spoken with a number of customers who failed this year's audits even though they passed the year before."

Ed Hill, managing director of IT audits at Protiviti, a risk management consultancy, says the most likely reason is IT orgs didn't correct problems noted on last year's audits.

"If you have a deficiency one year that's not deemed 'significant,' and you don't do anything to alleviate it, the next year it almost always becomes significant because it's a repeat finding," Hill notes.

White says there's no simple solution, but he has hope. "It's been ugly for the last couple of years, but our customers understand they need to take a number of steps to become compliant, and that no single solution will do it for them."

In organizations that lack a formal compliance team, dealing with compliance issues saps IT resources that could be used to build the business, says CTG's Moyle. "They still need to build that customer tracking application they promised, but now they have fewer resources to do it."

Copyright © 2006 IDG Communications, Inc.