Although security remains a core issue for IT managers, a recent study by the United Kingdom’s Department of Trade and Industry indicates that as many as 78 percent of the U.K. companies surveyed have experienced at least one malicious security incident, with 44 percent experiencing such incidents within the last year (2002/2001).
As the reality of the paperless office draws near, companies store more and more critical data in electronic form. This data is no longer restricted to simple day-to-day information used to run the business, but includes information that was once locked away in a drawer at the HR department, or the finance department, for that matter: documents such as business plans, research statistics, new business strategies, job applications and salary details. When the PC became the personal companion of even very paper-based departments such as HR, sensitive information was relocated. It has moved from the locked dark drawer, and is now available openly on the corporate network. However, the network that carries all this highly sensitive data is still very often given the barest of security protection.
Web site defacement is seen, by most companies, as nothing more than a nuisance, affecting only the web server and bringing the home page down for an hour or two. The web server, however, is one step closer to your sensitive data, and a malicious hacker will exploit any hole in the web server to gain entry to other systems, hopping from machine to machine, getting ever closer to the most sensitive of your company's information.
Another popular misconception amongst businesses is that installing a firewall will give you all the protection you need. Although firewalls, in general, deliver good protection from outside attacks, studies show that outside attacks should not be your biggest fear – 80 percent of the attacks are made from within the company. Furthermore, most of the well-known firewall brands have been thoroughly examined by hacking groups, who usually know the technology in the more standardized solutions nearly as well as the manufacturers themselves. However, a firewall is very useful as a starting point on which to build your security.
Although a company can never be 100 percent secure, you can ensure that you are not an easy target by making life difficult for those who would compromise your security. In this, integration is the key. By taking an integrated approach, in which the different components such as firewalls, intrusion detection, web server protection and monitoring solutions complement each other, companies can increase the level of security while at the same time reducing costs and even overhead.
An easy first step is to use a mix of firewalls, preferably including some with lesser-known technology. This places a much greater demand on the skills of the hacker, and could be enough to save your data. Also, look more closely at their features as they often meet different market demands; ensure the firewall you use is one that suits your company's needs.
However, the human factor means that no security solution is ever foolproof. People can make mistakes, either when installing and integrating the different security components, or at a later stage. The most common mistake is failing to implement a robust patching strategy. Microsoft, for example, brings out a new patch for holes in its operating system almost every week, but companies often do not install these new patches. This really should be done within 48 hours, but when there is no documented policy, companies often do not install patches on a regular basis.
Also, always remember that security is not static. People come and go, and passwords and privileges change all the time. Removing old passwords when people leave the company and changing passwords on a regular basis are key to a good security policy. A company can have the best intrusion detection system in the world, but this is worth little if someone has the key, i.e. accesses the network with a valid password.
It is therefore crucial to take a dynamic approach to security. Be aware that your security strategy should change over time to keep up with the increased skills of those who can compromise your network. Therefore, it is important that one person is made responsible for updating security software and patching holes, and this should be documented in a strict security policy. In addition, regular audits of the company's security approach by an external third party will identify changes that need to be made and ensure you are one step ahead of the hackers.
It's time companies started to rethink their security policies and invest in security where needed. A good policy does not just end with a firewall or even with covering external threats such as viruses and hackers. A good security policy never ends.
Matt Newman, security solutions product manager at GE Access