Final Words

In today's hyperconnected business environment, external connections have become as much a part of business structure as telephones, overnight deliveries, and cubicle walls. You can no longer assume that your partner will put the proper controls in place. You must agree on a secure architecture, proper implementation, and testing.

McConnell Drugs trusted that JFC would put the proper controls in place, controls that would protect both JFC's and McConnell Drugs' data. That trusted handshake could have destroyed McConnell's data and reputation, and JFC could have wound up in court. McConnell's employees could have easily pulled down bad code containing a Trojan horse, worm, or virus.

If you're still wondering just how bad a virus attack could be, you are one of the lucky ones. The 2002 CSI study found that 85 percent of the respondents had detected viruses. Not surprising given the speed at which the newer strains spread. As CERT's "Overview of Attack Trends" pointed out, "Tools like Code Red self-propagate to the point of global saturation in less than 18 hours." And the cost? Computer Economics reported the total cost of Code Red, and its cousin Code Red II, at a staggering U.S. $2 billion.

External connections are a big problem and are difficult to manage. Do you know how many modem connections your company has? Are your engineers allowed to install modems in the engineering lab where your source code is stored? If you don't know the answers to these questions, you could be in for a big surprise.

Sadly, even companies with strong legal and moral incentives to control access are often found wanting. A security audit at one such site, a large hospital with plenty of incentives to protect access to sensitive patient files, found 75 unauthorized modems on site. In nearly every case, a physician or administrator with enough clout had found a way around the policy against external connections. To be useful, security policies must apply to everyone, not everyone else. Easily skirted policy rules aren't worth the paper they're printed on.

Protecting your system from attacks requires more than a wing and a prayer. It takes training, determination, and a strong commitment to control access to your systems. In analyzing your company's access control, make sure that the rules are really rules and not guidelines that employees feel free to ignore at the slightest inconvenience.



IT Security: Risking the Corporation
ISBN: 013101112X
EAN: 2147483647
Year: 2003
Pages: 73
