What Does It Take to Secure Your Systems?

On the heels of the dismal security report card of numerous government agencies and the incessant attacks on high-profile Web sites, we wonder what it will take to secure the digital landscape in the new millennium. The U.S. General Accounting Office and the Inspector General released their report of 24 government agencies: Almost all received an F in security. In most of their attempts, the attack teams gained unauthorized access to data.

Both Western Union Holdings Inc.'s and Oil and Petroleum Exporting Countries' (OPEC) Web sites were recently broken into and their Web pages defaced. Although the act of breaking into an Internet Web site is nothing new, attacks on these highly publicized sites demonstrate the weakness in many organizations.

So what will it take to secure your systems? Here are a few suggestions:

Harsher punishments. Governments around the world are taking the act of gaining unauthorized access more seriously in light of recent attacks on high-profile e-commerce sites, such as Amazon.com Inc. and eBay Inc. The Council of Europe released its "Draft Convention on Cyber-crime" in an effort to begin discussions of harsher punishments for hackers. Check out conventions.coe.int/treaty/EN/projets/cybercrime.htm for more information.

Product vendors. Commercial software developers simply don't understand the importance of secure programming; we wonder if they ever will. They, like most IT organizations, are driven by time. If security does not fit into their time-to-market window, then it seems to be the first "feature" cut. Some have suggested making product vendors financially liable for the damage caused by hackers who take advantage of poor programming in these products. Although this will undeniably raise the security awareness of vendors, it is akin to making gun manufacturers responsible for the misuse of their products.

In-house programmers. Internal developers of software and Web applications fall into the same trap the product vendors do. The direction from management usually works like this: "We must go live with this application on XYZ date, no matter what!" This ultimatum is clear: Get the application done on time, under budget, and with the requisite features. (Security and quality assurance be damned.)

Administrators. Similar to in-house programmers, administrators often are not given the luxury (or the training) to fight the security battle. Their battle cry is the same: keep the systems up and running; worry about security when you have the time. Our experience shows us that if IT groups would spend a few hours planning for a secure network design or secure system installation, they could avoid weeks of pain as a result of a later attack.

Security consultants. Bringing in objective, outside experts to test the security of your network is a highly valuable means of both understanding the real threat and getting management to see the security lightbulb go on. The problem is many of these consultants lack the expertise and communication skills to paint the real picture.

Training. This is the security panacea. Learning how attackers get into systems and how they use seemingly innocuous data to leverage serious attacks is absolutely critical to securing your systems. Few organizations can justify a security staff, which leaves the task of managing security to the IT administrators.

Security-savvy CTOs. Probably the largest hurdle to implementing security at your site is getting buy-in from the top. The best place to start is the heart of the technology wing of any company, usually the CTO's desk. If you can get those people hooked on the value of security, they can disseminate the message. Without management buy-in, almost all security initiatives will be dead in the water.

The way to increase your security may be a combination of these changes. What do you think it will take to secure the burgeoning computer landscape? Send your solutions to security_watch@infoworld.com.

Stuart McClure is president and CTO and Joel Scambray is managing principal at security consultant Foundstone Networks (www.foundstone.com).
