The security flaw in Microsoft's Internet Information Services Web server software, revealed Monday, is a textbook example of a buffer-overflow attack resulting from a coding error in the application.
Although Microsoft is not the only vendor to discover such flaws in its software, the widespread use of IIS makes the vulnerability more visible and attractive to hackers. Indeed, a worm is already traveling the Internet attacking this breach.
Although users need to be aware of this specific vulnerability, they must also recognize that this is only one of many security problems that continually appear in the complexities of computer code. Security must be viewed as a process, since hackers take the closing of one security hole as a challenge to find another.
Effective security should never be considered an absolute or binary measure. We will continue to see vulnerabilities discovered--a fact of life with code written by all-too-human programmers, who make simple mistakes that are later magnified by hackers.
Companies that are serious about security approach the problem with a combination of people, processes and automation. They view security as a routine procedure and implement the organizational mechanisms and policies to ensure constant vigilance. This approach to security deals with challenges at multiple levels.
First things first
First, organizations must put in place a set of security measures that include regular virus scanning, good backup and recovery, intrusion detection, formal trust domains, and user education. Meta Group recommends that organizations couple sound management of security configurations with ongoing security research. To facilitate this process, they also should create a security operations center that is responsible for at least five core processes: research, monitoring, scanning, response and reporting.
See news story:
Microsoft reveals Web server hole
Companies also need a set of forensic procedures and response plans that can be implemented when a security breach or new system vulnerability is identified. Organizations cannot presume that they will always be able to prevent security breaches, regardless of how rigorous their procedures are. They must anticipate each type of security problem and have sets of procedures in place to counter each.
Organizations with well-established security response systems have probably already downloaded the patch that fixes this IIS flaw and are well on the way to eliminating the current vulnerability. Organizations using IIS that have not downloaded the patch should do so immediately (patch MS01-033 on the Microsoft Web site). All should also review and enhance their research efforts to track and respond to security reports.
What to do, when to do it
System administrators at all organizations should take the following steps:
A senior IT/business person should be in charge of security. This is not an assignment for the lowest person on the corporate totem pole. We advise large organizations to name a full-time security chief at a level equal to the CIO.
All security patches for the organization's systems should be downloaded and installed. In the case of Linux in particular, developers' Web sites should be checked regularly, as these patches are often not well publicized. Microsoft security alerts should be tracked carefully, because its visibility and market share make its products a prime target. Security groups should monitor leading security Web sites that act as clearinghouses for vulnerabilities and fixes for all applications and systems (such as CERT or Security Focus). They should also have processes that monitor configurations and that research and prioritize new vulnerabilities and fixes.
Intrusion detection should be installed, and its log should be checked regularly, both to monitor activity and to develop evidence for presentation to business management to help judge the real level of risk.
If the company has an internal LAN or larger network, it should install firewalls between that network and the Internet or any dial-in access.
Access logs should be reviewed regularly for suspicious activity that might indicate a successful intrusion.
A plan should be in place for handling any intrusions. That plan should include early notification of the corporate executive office, public relations and the corporate legal office so that they can handle any adverse publicity that results from the intrusion.
Precautions should be taken against security breaches that do not originate outside the company. Employees sometimes make mistakes or become frustrated enough to cause malicious damage. Reasonable precautions, including regular backups of all data, should be adopted to protect against these risks.
At high-risk organizations
In addition, larger organizations or those that have particularly large exposure to security risks should consider the following steps:
Use of encryption to protect sensitive corporate information both from theft and from the more serious danger of alteration.
Placement of Web-based transaction systems in a "demilitarized zone" between some outer ID security and the corporate firewall. Tiered DMZs may be used to provide extra protection for core systems.
Companies that lack the internal expertise or the staff to run security 24 hours a day, 365 days a year can turn to outsourcers and consultants for help. Ultimately, however, the business decisions about how much to invest in security must be made by the business's senior management, not by an outsourcer.
Security is far more than just a technological issue--it is a core concern for protecting the equity of the company.
Meta Group analysts Val Sribar, Jack Gold, David Cearley, Chris King, Chris Byrnes and William Zachmann contributed to this article.
Visit Metagroup.com for more analysis of key IT and e-business issues.
Entire contents, Copyright ? 2001 Meta Group, Inc. All rights reserved.