F-Secure's Mikko Hypponen has noted that, about ten days after MyDoom.A hit, cyber-criminals began installing a Trojan horse on the machines it had affected. This allowed spam to be sent via the compromised machines, and experts say there is worse to come. Investigators around the globe believe that this whole scene is becoming much more appealing to more professionally-inclined cyber-criminals looking to make some easy money – historically the primary motivation for spammers.
While legislators are trying to make some moves in the right direction to give organizations some form of recourse, companies are filing lawsuits against spammers as well as attempting to better educate their employees. However, most businesses are seeking viable solutions that totally stop spam from entering their networks. Unfortunately, such a silver-bullet solution is hard to find.
In this month's articles about spam, spammers' motivations and the solutions to stop them, we aim to review a combination of products and plans that companies can take advantage of in an attempt to drastically reduce the unsolicited mail hitting their inboxes.
Also in this issue, reporter John Sterlicchi shares information about solutions to reduce other vulnerabilities that plague companies and their networks, while west coast bureau chief Marcia Savage shares best practices being employed in counties across California – the bulk of which are based on ISO 17799.
While these articles tackle different areas of IT security, taken together they highlight a truism that will likely persist for some time: advanced IT security tools are needed and constantly sought by companies, but if companies fail to draft the necessary plans before these solutions are deployed, most will still face many of the IT security issues with which they started.
Tools, usually combining to form a layered defense, are only part of the solution. A chief security officer must be put in place and given boardroom access. This officer must be provided with the budget, resources and professionals necessary to protect the company's proprietary information. Strong policies must be forged and enforced. Company assets must be defined and protected. Also, all the tools deployed and actions taken must be regularly monitored to ensure effectiveness and enable any necessary modifications. The best security an organization can get follows best practices that are supported by tools, not defined by them.