Now is a lousy time to be in charge of network security. And not just because of the regular occurrence of dangerous new problems such as Code Red and its progeny.
No, the worst part about being a network security manager is dealing with the constant barrage of reports on new security risks from the media and security organizations, followed closely by the announcements of new products and services that supposedly patch the newly reported holes. (Yes, I know Im the media, but Im also responsible for security in the East Coast lab here at eWeek.)
We do need to know about security problems, but, too often, stories about these problems are full of problems themselves. Many reports on the Code Red worms, for example, were full of so much misinformation that they unnecessarily added to IT managers already unmanageable workloads.
Ive always trusted risk announcement sources such as CERT, SANS and Security Focus for warnings about new problems, but even they seemed to fall under the sway of the general media during the coverage of Code Red.
For example, many experts highlighted the risk of an Internet slowdown due to the second coming of the Code Red worm. However, these experts knew full well that most systems had been patched after the first occurrence of Code Red, which meant that an Internet slowdown was highly unlikely. The decision of these organizations and the government to highlight this unlikely risk probably served only to reinforce the complacency of those who tend not to take security seriously.
And I know that somewhere, right now, a harried security manager is being forced to deal with employees who have read stories about risks to Palm devices and want protection for their PDAs, even though they dont use them in ways that put them at risk.
Even the rush of new tools for improving security has a good and a bad side. Many of these tools are extremely useful to overworked security managers. I know I appreciate any help I can get at finding and patching holes in systems and stopping well-known forms of attacks.
However, many administrators Ive spoken to tend to treat these tools as silver bullets, which is understandable because many vendors seem to be claiming just that in their marketing literature.
Of course, this attitude is exactly what leads to problems such as Code Red. Security managers cant afford to think, "I have a firewall, an IDS, a nifty new patching tool—Im all set."
Sorry, but that attitude doesnt cut it. Security managers need to filter out hype, constantly watch for problems and keep everything up-to-date.
Or they could disconnect all systems from everything. Thats as close as youll get to a silver security bullet.