Author: Yogi Schulz
Every day we hear stories about businesses being disrupted by computer shutdowns caused by viruses and worms. The world is awash in unwanted e-mail. Over half of the e-mail messages I receive are spam. A few messages contain nasty viruses and worms that wipe out data and render servers inoperable. I’ve been receiving three to four sobig.f viruses per day during the past 10 days.
However, some businesses appear to suffer much less from such distractions and potentially expensive calamities than others. What’s the difference? Is it just luck or are there management strategies that can be pursued to protect an organization?
Back up your system
Having business data on a backup tape is a cheap insurance policy against a calamity. Store the tapes at an off-site location. To make the backup process as comprehensive as possible, reduce the amount of data that is stored on individual workstations to almost nothing.
To ensure that the backup tape is truly usable in case of disaster, ask for a surprise test of the restore process at least twice a year. If calamity strikes, a full system restore can be achieved for many businesses within one to two days.
Install a Firewall
In addition to operating anti-virus software, all organizations should own and operate a firewall between themselves and the Internet. Firewalls prevent unauthorized Internet users from accessing a company’s private network that is connected to the Internet. In the absence of a firewall, a hacker can hijack a server and use it to launch attacks on other servers or send out vast quantities of spam.
Firewalls cost from a few hundred dollars to several thousand dollars. More expensive firewalls are designed to handle more network traffic and offer more sophisticated features.
Follow relevant security policies
Many IT security problems are caused by well-meaning employees who simply don’t follow the rules. They pick poor passwords or place them on stickies near their monitor. They take secure laptops and attach them to insecure networks at home or at conferences. They let strangers follow them through secure doors.
Create, communicate and follow some company policies for IT security. A typical policy will address topics such as invalidating lost security cards, changing passwords on a regular basis, handling employee terminations, restricting access to sensitive facilities and briefing new hires.
Insisting on compliance with some easy-to-follow policies will go a long way to reducing the likelihood of a destructive security breech. In this area, management example goes a long way to ensuring employee vigilance.
Keep your software up to date
Ironically, Microsoft Security Bulletins inspire many worms and viruses. Whenever Microsoft software engineers discover a problem, Microsoft will issue a patch that corrects the problem. Organizations only benefit from the solution if they install the patch. Until then, the organization is susceptible to a worm or a virus that exploits the problem to launch a flood of e-mails or to destroy files.
SQL Slammer Worm is an example of a worm that was effective because many organizations failed to install a well-advertised Microsoft patch for SQL Server 2000. Due to this neglect, the worm clogged many networks with useless traffic.
Know what you’re trying to protect
Computer security professionals encourage end-users and administrators to develop a threat model. The model lists what you’re trying to protect from whom. For example, are you worried about the confidentiality of certain files on your system? Are you concerned that malicious people might alter or destroy data? Do you want to keep hackers from defacing your Website and damaging your corporate image? Do you want to ensure that your customers can always reach your Website?
With the model in hand, your IT staff can ensure that specific software and operational procedures are in place to counter the higher impact threats that have been identified. For example, a business that operates a highly visible Website will assign a staff member to inspect its Website hourly for unauthorized content, acceptable performance and no obvious broken links.
Perfect security is impossible and not justified. However, paying attention to these basics is cheap and fast to implement. Although neglected by many organizations, these basics will go a long way to improve IT security and reduce the risk of a calamity.
The following web page lists specific actions an individual or an organization can take to reduce their vulnerability to worms and viruses: www.microsoft.com/security/incident/blast.asp. Similar pages can be found at McAfee and Symantec.
Keep an eye out for likely threats
Subscribing to security mailing lists and monitoring related web sites are essential to staying abreast of threats. CIAC at ciac.llnl.gov and CERT at www.cert.org offer mailing lists with information about security threats. If you want a closer look at day-to-day happenings, BugTraq is the mailing list where many security issues first surface.
To keep an eye on what’s happening closer to home, read your server log files. If you run an intrusion detection system such as Snort, you should read those logs too. The SANS Institute’s GIAC atwww.sans.org/giac.htm lets you find out what other people’s intrusion detection systems are uncovering.
What Price Security?
It’s up to the company, not the CIO, to decide how much trust is too much.
Understanding Security and Privacy
You can find the answers to your tough Linux and Unix security questions in our Web Security Q&A discussion:
State of Oregon vs. Randal Schwartz computer security case:
“CIA Secret Chat Room Investigated,” Tabassum Zakaria (ZDNet News, Nov. 12, 2000):
The Sudo homepage:
The OpenSSH homepage:
CIAC (Computer Incident Advisory Capability):
CERT (Computer Emergency Response Team) vendor security sites:
GIAC (Global Incident Analysis Center):
SANS InfoSec Reading Room – Security Basics
Featuring 64 papers as of Sep 8, 2003