Threat of the Day

By eweek  |  Posted 2001-07-16

Most of what the security intelligence services do, however, is grunt work: scouring the Internet for the latest security holes and patches that match the software that specific customers are operating. With daily reports of security vulnerabilities in software ranging from Microsoft Windows to Linux servers, it's very difficult for systems administrators to know exactly what's out there, The Yankee Group's Kerravala said.

"The chasm that's been growing between the technical skills of the administrator and sophistication of the technology has been getting bigger and bigger over time," he said. "The only way to keep up is to outsource responsibility to another company."

Offerings such as Vigilinx's Security Intelligence Service aim to provide a comprehensive report on the problems and fixes, if available, tailored to a specific organization. "Vendors provide pieces of information, but most organizations don't have a resource arm to look across multiple channels for the fixes they need," said Mike Assante, Vigilinx's vice president of intelligence. "We monitor that external landscape, look and analyze that information, validate and verify it, put a risk associated with it and turn that around to the enterprise."

However, no company should rely exclusively on an outsourced security intelligence service, said Jim Magdych, senior research manager of Network Associates' subsidiary PGP Security. A business should ideally employ a trained security administrator who knows the network, is up to date on current threats, and knows what to apply and when, he said.

"Nobody knows your organization like someone who works there," Magdych said.

Organizations such as the government-funded Computer Emergency Response Team Coordination Center at Carnegie Mellon University, as well as private vendors such as PGP Security, provide companies with free alerts when they find security vulnerabilities. In many cases, companies such as Vigilinx will package that information and sell it as part of their security intelligence services.

For Chris Joy, vice president of global information technology security at Dresdner Kleinwort Benson Bank, an investment bank in London, tracking the endless stream of security alerts was a major headache. Joy's crew subscribed to more than 30 information sources and had to read them daily, keeping track of which fixes were implemented and which ones weren't.

"We had to cut down on the time we used to sift through this," Joy said.

Besides the time sink, Joy found that much of the data he was getting was outdated, incomplete or even inaccurate. So he began using the Vigilinx service, which provides all the data in one report, as well as advice on actions to take.

"We want to know what problems exist in the technology that we use, even when it's a problem that there's no vendor patch for," Joy said. "We're a global organization, so when a patch does come out, we want to know where it is and go get it."

IDefense's Kelly said security intelligence services offer more than just alerts — they recommend ways to address specific security incidents. For example, an organization in the U.S. might get a warning from its service at 3 a.m. that there's an e-mail virus spreading in Europe. If no update has been prepared by its antivirus software vendor, that organization can at least make arrangements to temporarily shut down its U.S. e-mail servers before people get to work, thus preventing the virus from spreading.

Of course, most of these steps only pay off when the organization has already put basic security measures into place. The knowledge that some teen-ager in Pakistan plans to hack your site doesn't provide much benefit when someone in the mailroom has had unfettered access to the payroll file for months.

So how prepared are e-businesses to handle the onslaught? Not very, according to those people whose job it is to assess businesses' security preparedness. "The reality is that it's worse than most people think," said Sunil Misra, managing principal of Unisys Worldwide Enterprise Security Practice. "Senior management would be surprised at how fragile the infrastructure is that they're working on."

The most common security problems Misra finds are misconfigured systems. Devices such as firewalls aren't installed properly or don't have the latest patches, or remote access through that firewall isn't blocked correctly. In other cases, default system passwords haven't been changed, or modems remain active on connected PCs that can be dialed into and become susceptible to control by a hacker, who can then get on the network.

Peter Browne, Predictive Systems' vice president of security consulting, said modern hackers still take part in what's called "war dialing," named after the 1983 film WarGames, in which Matthew Broderick's character would call every phone number in an exchange until he reached a live modem.

Frequently, Browne said, it's too late to stop some of the damage when a security consulting team begins to assess a corporate network. "In many cases, we have found that other people have been there ahead of us and compromised those systems."

One of the reasons some business networks are ill-prepared is that administrators may have no good way to measure exactly how secure they are. "The problem in the industry is there is no one system that allows you to qualify exposure to differentiate between how exposed one company is compared to others," said George Kurtz, CEO of Foundstone, a managed security services provider that offers risk assessment to businesses. Kurtz and Stuart McClure, Foundstone's president and chief technology officer, co-wrote the security handbook Hacking Exposed with Joel Scambray.

Foundstone has developed a 100-point scale for rating a company's exposure to unauthorized access, with 100 being the most secure. "In general, any enterprise system is hard-pressed to get above 70 or 75," Kurtz said. "We just finished a large enterprise that got a 5. When we went through the process, we found many of their servers were already hacked."

If anything has surprised Kurtz about organizations he's advised, it's how unconcerned some are about securing their data. "There are many companies that know they're exposed and put their head in the sand," he said. "There are others that have looked at their operation, and from a risk perspective, they're willing to take it. That's a really short-sighted view on trying to protect yourself."
