I had an occasion to interview a senior director of Symantec Security
Response recently. It seems that 2003 was not a good year for the
protection of systems from viruses, worms, Trojan horses, and
combinations of these, called blended threats.
What Sharon Ruckman told me wasn't really any different than what I
heard earlier in the year from a team of security auditors. It's pretty
simple stuff. So why aren't system administrators better at it?
Foremost, according to Ruckman, unneeded services should be shut down or
removed. There are plenty of applications, utilities, or operating
system modules that install FTP, telnet, or even a Web server by
default. These all provide an inward path for anyone with the
inclination, time, and tools to find them. Remove these and many avenues
for attack will disappear. As a side benefit, there is less software to
Patch levels remain out of date on many systems. That's a huge problem.
Any system accessible through the firewall, such as those running HTTP,
FTP, mail, or DNS, presents a security threat. It's crucial that patches
be applied on a timely basis.
Of course, there's software, too. Antivirus programs, antispam
utilities, firewalls, intrusion detection, and content filtering need to
be present and work with each other. None can stand on its own to keep
networks safe from attack. As Ruckman put it, blended threats require
blended solutions. I agree.
But it's not all about implementing technological solutions to these
threats. Education of users plays a major role. That's largely due to a
new technique, called social engineering. Instead of simply receiving
e-mail that is obviously spam, a socially engineered message looks
completely legitimate and harmless. The idea is to entice the user to
open the message, click on an embedded link, or open an attachment.
Socially engineered messages could look like a friendly e-mail from a
friend. Or an urgent message about your recent order that asks you to
open the attached file. Or a request for information for what appears to
be a legitimate site, such as ebay or PayPal. Of this last sort, these
messages ask people to furnish personal information, such as social
security number, credit card account number and expiration date, and
login passwords. And plenty of people comply, with disastrous results.
Dealing with these threats is purely a matter of educating users. And
it's not done nearly often enough. As you visit clients, reminding them
of this would not be a bad idea.
But wait, there's more.
Mobile devices are becoming a fertile ground for threats. Cell phones
capable of receiving text messages are vulnerable. So too are Bluetooth
devices. It's possible, according to Ruckman, for someone to create a
Trojan horse that can jump from one Bluetooth device to another. Bring
your infected Bluetooth-equipped PDA back to the office, sync it with
your PC, and now you've injected that Trojan horse into the corporate
network. You've done a bad, bad thing. Education, my friend. Education.
Ruckman did a fine job of painting a desperate picture. That's good.
Living with abject fear that everything we touch is a potential security
threat may not be all that bad. Doing something about it is everyone's
responsibility, IT directors, systems administrators, solution
providers, and, especially, individual users.
This year for Christmas, I'm praying for three things: peace on earth,
no more disease and famine, and an end to spam. I'm unlikely to get any