The Code Red and SirCam worms, which attack computer systems via Microsoft's Internet Information Server (IIS) code and e-mail programs, respectively, underline the need for vigilant corporate security policies and practices.
Security is a continuous, multilevel effort that includes, but is by no means limited to, firewalls and virus definitions. Because computer code is written by humans who make simple mistakes and cannot anticipate every possible scenario that hackers may exploit, new and increasingly subtle viruses and worms will continue to appear. Each generation contains new features, such as SirCam's self-mailing code. This makes it imperative that companies do not let their guard down on security.
As IT groups write their 2002 budget proposals, they need to make it clear that operational and marketing aspects of security are not a place where organizations can afford to cut budgets. Security operations and awareness-building need to be placed firmly in the nondiscretionary-spending category. If anything, many companies will need to increase their security budgets in the coming year as security risks grow.
One growing area of risk is individual PCs, which are increasingly gaining the capabilities traditionally associated with servers. For example, many desktops are already configured with Web server features, such as the Microsoft IIS code that Code Red targets. PCs that are IIS- and indexing-enabled (common to facilitate information exchange) are vulnerable, particularly if the organization's firewall fails to intercept the worm or if the desktop or laptop is connecting from home via a high-speed Internet connection, an increasingly common occurrence in this day of telecommuters.
Given the large and growing amount of sensitive corporate information stored on the desktop and laptop hard drives of these employees, there is a considerable risk to organizational, as well as individual, security. We expect an increasing emphasis on personal firewalls in corporations to provide a stronger defense against attacks on these hundreds of thousands of desktop and laptop systems.
Companies that are serious about security approach the problem with a combination of people, process and automation. Moreover, they view security as a continual process and implement the organizational mechanisms and policies to ensure the company remains vigilant. This approach to security deals with the challenges at multiple levels.
First, organizations need a set of security procedures that include regular virus scanning, good backup and recovery, intrusion detection, formal trust domains and user education. Meta Group recommends implementing a solid process for managing security configuration coupled with continuing security research. We believe reasonable attention to security configuration management would have prevented this resurgence of the Code Red worm. To facilitate this process, organizations should create a security operations center, which is responsible for at least five core processes: research, monitoring, scanning, response and reporting.
Training users and raising their awareness of security issues is a very important part of maintaining system security, since users often create security breaches without meaning to do so. IT needs to create a set of trust domains based on the computer access needs of different groups. These include a base domain that encompasses all users and more restricted domains for specific classes of users. Each individual must be trained and sensitized to function within his or her domain without breaching security.
Once again into the breach
Companies also need a set of forensic procedures and contingency plans that can be implemented when a security breach or new system vulnerability is identified. Organizations cannot presume that they will always be able to prevent security breaches, regardless of how rigorous their procedures are. They need to expect that security problems will occur and have procedures in place to counter the most likely impacts so that they are not caught by surprise.
In addition to the obvious steps of deploying firewalls and antivirus systems, IT organizations should take the following steps to provide minimal security for their systems:
A senior-level IT/business person should be put in charge of security--this is not an assignment for the lowest person on the totem pole. We advise large organizations to name a full-time security chief at a level equal to the CIO. The security chief and the CIO should adopt risk-management control objectives.
Technical staff should regularly download and install all security patches for their systems. They need an active program to check the Web sites of their major vendors (particularly Microsoft's, since its high visibility makes it an especially attractive target) and security Web sites such as CERT and SecurityFocus for security alerts. They should also have a process that monitors configurations, and another that researches and prioritizes new vulnerabilities and fixes.
Technical staff should install intrusion-detection systems and check logs regularly, both to monitor activity and to develop evidence to present to business management to help judge the real level of risk and level of investment that is justifiable to counter the risk. They also should review access logs regularly for suspicious activity that may indicate a successful intrusion (most initially appear to be insiders).
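One way to turn the log-review advice above into a repeatable check, as an added example that is not from the Meta Group article: a Python script that parses IIS W3C-extended log lines (the sample log below is constructed) and flags requests aimed at the indexing-service .ida handler with the oversized, %u-encoded query that Code Red used. The field layout, client addresses and the shortened payload are assumptions.

```python
"""Scan IIS W3C-extended log lines for Code Red-style probes.

Added example, not code from the article. The #Fields: directive is read
rather than hard-coded, since real IIS logs may use a different column order.
"""
import re
from collections import Counter

# Constructed sample log. The third and fourth entries mimic the Code Red I
# ('N' filler) and Code Red II ('X' filler) request shapes: a GET for
# /default.ida with an oversized, %u-encoded query. Payload shortened.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-01 10:02:11 10.0.0.5 GET /index.htm - 200
2001-08-01 10:02:15 10.0.0.5 GET /images/logo.gif - 200
2001-08-01 10:03:40 192.0.2.17 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 200
2001-08-01 10:04:02 198.51.100.9 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 404
2001-08-01 10:05:30 10.0.0.8 GET /search.ida q=budget 200
"""

# Suspicious shape: a long run of one filler byte followed by %uXXXX escapes.
PROBE_RE = re.compile(r"^(N|X)\1{20,}.*%u[0-9a-fA-F]{4}", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        yield dict(zip(fields, parts))


def find_code_red_probes(text):
    """Return {client_ip: count} of .ida requests matching the probe shape."""
    hits = Counter()
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        if stem.endswith(".ida") and PROBE_RE.match(query):
            hits[rec["c-ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in find_code_red_probes(SAMPLE_LOG).items():
        print(f"{ip}: {n} Code Red-style probe(s)")
```

A non-zero result for an internal address is the case the article warns about: a desktop with IIS and indexing enabled that has already been infected and is scanning its neighbours.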
They should have a contingency plan in place to handle any intrusions. That plan should include notifying the corporate executive office, public relations, the corporate legal office, and the appropriate law enforcement authorities early.
Organizations with internal LANs or larger networks should install internal firewalls between networks, as well as those between internal systems and the Internet or dial-in access.
Everyone should remember also that not all damage comes from the outside. Employees can make mistakes or become frustrated and cause malicious damage. System administrators need to take reasonable precautions, including regular backups of all data, to protect against that possibility.
In addition, larger organizations or those that face particularly high risk levels should consider the following steps:
They should use encryption to protect sensitive corporate information both from theft and from the more serious danger of alteration. Encryption should be considered not only on networks, but on information wherever it is stored.
Companies hosting Web-based systems should put those in a "demilitarized zone" between some outer ID security and the corporate firewall. Transaction-based systems require tiered DMZs to provide extra protection for their core systems.
Small to midsized companies that lack the internal expertise or the staff to run security 24 hours a day can turn to outsourcers and consultants for help. Ultimately, however, the business's senior management, and not an outsourcer, must take responsibility for security. The key issue for executives is the tradeoff between the level of risk and the amount of investment justified to reasonably offset the risk.
It needs to be stressed that security is not just a technological issue or an occasional concern. Security is at the core of protecting the brand and equity of every company and government.
Meta Group analysts Val Sribar, Dale Kutnick, David Cearley, Chris King, Christian Byrnes and William Zachmann contributed to this article.
Visit Metagroup.com for more analysis of key IT and e-business issues.
Entire contents, Copyright © 2001 Meta Group, Inc. All rights reserved.