Everyone Must Take Responsibility for Network Security

By Wayne Rash  |  Posted 2011-08-04

The fact is that as chilling as Alperovitch's report may be, it doesn't tell the whole story. While the victims of many of these attacks eventually found and remedied the malware intrusions, little has been revealed about this publicly. No general alarm was apparently raised in the halls of government or industry at least before McAfee discovered the command-and-control server. One of the primary purposes of the report was to make public the breadth and depth of this single set of related attacks.

What's perhaps the scariest part of this whole situation is that the people targeted in this attack all enabled it by doing one of the things they should be teaching the employees in their companies never to do. They opened a suspicious email, giving the malware access to their computers. It's hard to overstate how important it is to instill the proper level of suspicion in employees. Surely by now the amount of damage that's been caused and the amount of loss that's been incurred by careless actions on the part of employees should motivate companies and agencies to train their employees not to do this.

Perhaps an equally scary revelation is that these attacks all happened to unpatched Windows-based computers. In other words, the attacks were enabled through exploits that could have been prevented simply by updating Windows and the installed Windows security software.

None of these preventative steps is expensive or even difficult. Updating Windows is free. Updating security software is free, except for the annual subscription. Taking care of both these tasks isn't hard. In most cases it's automatic.

Training your employees isn't free, but it's not hard or expensive. Neither is managing the right level of access to your network. You can't have a secure network if everyone is a system administrator, even on their own machine. And while it does take an investment in time and money to buy the right enterprise security software, the right firewalls and the right encryption tools, that investment is relatively low compared to the risk of losing your most precious information.

Ask yourself whether you want to be the cyber-patsy chosen by the agents of a distant foreign government who want to steal your organization's most strategic information. But that's exactly what you will be if you happen to be the weakest link in your organization's security cordon, with an unpatched PC and a lame password that provides easy entry to the network with the right level of access. Then all they have to do is send you a cleverly disguised spear-phishing email that, with your single mouse click, opens the back door to your employer's data riches.

As an alternative, think about whether you or your company take security seriously. Do you actively train your employees about the dangers of email? Do you ensure that your computers at all levels are kept updated? Have you made sure that your security software is in place, properly configured and updated? A quick look around any office is almost certain to reveal at least one computer running an unpatched version of Windows XP. That alone could open a massive security hole that could give away all that your company has worked to achieve.

Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.

He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.
