Let's Not Go There…

Both S&B Systems and Express Time were lucky that I detected the risky customer connection. Of course, that connection never should have been made in the first place.

Here's what S&B should have done to prevent the problem.

Conduct Security Assessments

There are many ways to audit systems. You can run a network audit to test for known vulnerabilities (the kind that hackers know about and are already looking for). You need to run this type of audit on a regular basis.

Keep in mind, though, that you don't need to do it in person. At Sun, we automated security auditing with a tool called AutoHack. AutoHack tests over 20,000 systems for vulnerabilities and reports back any problems it finds. It's also nice enough to report the severity of any problems it finds. If it finds a serious problem on a system, it reports the problem to the owner of that system.

Do It Right

Without the proper procedures, your people can very easily omit important steps from their audits. As a result, you can end up double-bolting the front door but leaving the windows wide open. To avoid that, make sure you have detailed procedures for your audits. And make sure that those procedures are followed!

Do It Regularly

In addition to the audit procedures, you need to develop an audit policy that spells out clearly exactly when and under what circumstances audits are to be performed. You might require an audit every six months and every time a new system goes online. If your network has a highly dynamic configuration (as in, say, a software-development environment), you may want a brief security audit as often as every two weeks; whatever works for you.

The point is that you need to be consistent. Don't allow your security people to put off this month's audit because quarterly reports are due out and their section is lagging. Make sure that audit dates and conditions are set in stone.

Fix the Problems You Find

You wouldn't believe the number of times I "uncover" problems that have already been reported (time and again) but have never been fixed. Oh, they always plan to fix them some day, but somehow, that day never comes.

Risk does not go away over time. If anything, it uses the breathing space to grow in size and expand in complexity. If you put off security fixes because you don't have the funding this quarter, you will pay much more in the long term. Imagine the cost to S&B Systems if a hacker had found the risk I did and shut down their shipping operations.
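The two points above, an automated audit that reports each problem to the system's owner with its severity (as AutoHack did) and the need to notice when the same problem keeps being reported without ever being fixed, can both be handled by a small triage step over the audit output. The following script is an added example for this chapter, not the book's own material and not Sun's AutoHack tool (whose internals the chapter does not describe). The findings format, the severity scale, the check identifiers, the host names and the owner map are all constructed for illustration.

```python
"""Triage findings from successive automated security audits.

Added example: routes each finding to the owner of the affected system,
worst severity first, and flags findings that have recurred across several
audits, i.e. problems reported again and again but never fixed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed severity ordering (higher is worse); hypothetical scale.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    audit_date: date
    host: str
    check_id: str   # hypothetical identifier of the check that fired
    severity: str


# Constructed owner map: host -> responsible team (hypothetical names).
OWNERS = {
    "ship-db01": "ops-shipping",
    "extranet-gw": "netops",
    "build-07": "dev-tools",
}


def route_to_owners(findings, owners):
    """Group findings per owner so each team sees only its own systems,
    sorted worst severity first. Hosts with no owner go to 'unassigned'
    so that an orphaned system is itself visible as a problem."""
    by_owner = defaultdict(list)
    for f in findings:
        by_owner[owners.get(f.host, "unassigned")].append(f)
    for owner in by_owner:
        by_owner[owner].sort(key=lambda f: -SEVERITY_RANK[f.severity])
    return dict(by_owner)


def recurring_findings(findings, min_audits=2):
    """Return (host, check_id) pairs seen in at least `min_audits` distinct
    audit dates: the problems that were reported but never fixed."""
    seen = defaultdict(set)
    for f in findings:
        seen[(f.host, f.check_id)].add(f.audit_date)
    return sorted(key for key, dates in seen.items() if len(dates) >= min_audits)


def days_open(findings, key):
    """Age of a recurring finding: days between its first and latest report."""
    dates = [f.audit_date for f in findings if (f.host, f.check_id) == key]
    return (max(dates) - min(dates)).days


# Constructed sample: three semi-annual audits; one problem on ship-db01
# is reported every time and never fixed.
SAMPLE = [
    Finding(date(2002, 1, 15), "ship-db01", "CHK-0001", "high"),
    Finding(date(2002, 1, 15), "extranet-gw", "CHK-0042", "critical"),
    Finding(date(2002, 7, 15), "ship-db01", "CHK-0001", "high"),
    Finding(date(2002, 7, 15), "build-07", "CHK-0007", "low"),
    Finding(date(2003, 1, 15), "ship-db01", "CHK-0001", "high"),
    Finding(date(2003, 1, 15), "ship-db01", "CHK-0003", "medium"),
]

if __name__ == "__main__":
    for owner, items in route_to_owners(SAMPLE, OWNERS).items():
        print(owner, [(f.host, f.check_id, f.severity) for f in items])
    for key in recurring_findings(SAMPLE):
        print("still open after", days_open(SAMPLE, key), "days:", key)
```

The recurring-findings report is the part worth putting in front of management: a finding that has survived three scheduled audits is a policy failure, not a technical one, and the age in days makes the cost of deferral concrete.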

Don't Use the Sink-or-Swim Approach

The sink-or-swim approach to security training never works. Expecting your new security administrators to figure out everything for themselves is cruel and ineffective.

There's little point in appointing a security administrator if you don't give her the training she needs to do the job. Ideally, of course, you could hire someone who already has all the necessary skills. But that's not an easy job. Security professionals are in high demand. ZDNet reports that staffing shortfalls in this field are predicted to go as high as 50,000 to 75,000 in the next few years. Already, salaries rose 50 percent during the year 2001, a sure sign of impending shortages.

Sensing a time of desperation, a few enterprising hackers have even attempted to market themselves as security experts, claiming that their criminal pasts demonstrate their expertise. The Department of Defense has a long history with hackers, losing $25 billion in 1999 alone from a total of over 22,000 attacks. The DOD now openly recruits "white hat" hackers. Although its approach to "black hats" is less open, reports have been made of offers to foreign nationals (such as the Russian hacker Vers).

With desperate shortages of truly qualified professionals and an accompanying trend for hackers themselves to masquerade as security experts, you may have little choice but to train your own security expert.

Checklist

Use this checklist to determine whether your company's outsourcing situation and/or auditing procedures are exposing your network to unnecessary risk. Can you mark a "Yes" beside each item?

Outsourcing

___ Are customer connections (extranets) audited on a regular basis?

___ Does a formal architecture exist for connecting customers (extranet) to your network?

___ Does a formal policy exist to spell out when, why, and how extranet connections will be permitted?

___ Is management approval required before bringing an extranet connection online?

___ Is a formal security audit required before bringing an extranet connection online?

Audit Procedures

___ Does your company have a formal audit policy?

___ Does your company have written audit procedures for testing security?

___ Are audits conducted on a regular schedule?

___ Is auditing software installed on all platforms in use?

___ Is funding provided to buy the needed auditing tools?

___ Does management support security auditing by providing the right training for auditors?


IT Security: Risking the Corporation
ISBN: 013101112X
Year: 2003
Pages: 73