Please Santa, I want system security and an end to spam

I had an occasion to interview a senior director of Symantec Security Response recently. It seems that 2003 was not a good year for the protection of systems from viruses, worms, Trojan horses, and combinations of these, called blended threats.

What Sharon Ruckman told me wasn't really any different than what I heard earlier in the year from a team of security auditors. It's pretty simple stuff. So why aren't system administrators better at it?

Foremost, according to Ruckman, unneeded services should be shut down or removed. There are plenty of applications, utilities, or operating system modules that install FTP, telnet, or even a Web server by default. These all provide an inward path for anyone with the inclination, time, and tools to find them. Remove these and many avenues for attack will disappear. As a side benefit, there is less software to watch over.

Patch levels remain out of date on many systems. That's a huge problem. Any system accessible through the firewall, such as those running HTTP, FTP, mail, or DNS, presents a security threat. It's crucial that patches be applied on a timely basis.

Of course, there's software, too. Antivirus programs, antispam utilities, firewalls, intrusion detection, and content filtering need to be present and work with each other. None can stand on its own to keep networks safe from attack. As Ruckman put it, blended threats require blended solutions. I agree.

But it's not all about implementing technological solutions to these threats. Education of users plays a major role. That's largely due to a new technique, called social engineering. Instead of simply receiving e-mail that is obviously spam, a socially engineered message looks completely legitimate and harmless. The idea is to entice the user to open the message, click on an embedded link, or open an attachment.

Socially engineered messages could look like a friendly e-mail from a friend. Or an urgent message about your recent order that asks you to open the attached file. Or a request for information from what appears to be a legitimate site, such as eBay or PayPal. Messages of this last sort ask people to furnish personal information, such as social security number, credit card account number and expiration date, and login passwords. And plenty of people comply, with disastrous results.

Dealing with these threats is purely a matter of educating users. And it's not done nearly often enough. As you visit clients, reminding them of this would not be a bad idea.

But wait, there's more.

Mobile devices are becoming a fertile ground for threats. Cell phones capable of receiving text messages are vulnerable. So too are Bluetooth devices. It's possible, according to Ruckman, for someone to create a Trojan horse that can jump from one Bluetooth device to another. Bring your infected Bluetooth-equipped PDA back to the office, sync it with your PC, and now you've injected that Trojan horse into the corporate network. You've done a bad, bad thing. Education, my friend. Education.

Ruckman did a fine job of painting a desperate picture. That's good. Living with abject fear that everything we touch is a potential security threat may not be all that bad. Doing something about it is everyone's responsibility: IT directors, systems administrators, solution providers, and, especially, individual users.

This year for Christmas, I'm praying for three things: peace on earth, no more disease and famine, and an end to spam. I'm unlikely to get any of them.
