ITXPO - Most IT security problems are self inflicted
IT professionals in charge of computer security need only look in the mirror to meet their biggest enemy.
About 90 percent of security breaches occur because attackers take advantage of software that IT staffers have either misconfigured or failed to patch, a Gartner Inc. analyst said on Monday during the company's Symposium/ITxpo 2001 here. Thus, by fixing known vulnerabilities and properly configuring software products, IT departments would be able to prevent most security incidents, such as Web site defacements, information theft and denial of service attacks.
"We have met the enemy, and they are us," said analyst John Pescatore.
Most of the malicious code that is unleashed on the Internet simply mimics existing attack scripts and attempts to exploit known security holes for which patches exist.
"Internet attacks are 90 percent imitation and 10 percent innovation," Pescatore said.
That these types of easily-preventable viruses and worms -- such as the Nimda worm and the Code Red worm -- often wreak havoc across computer systems worldwide, proves that many IT departments are simply not showing even basic levels of diligence and care regarding security. But that must change. As companies increase their use of the Internet for critical operations, the cost of security breaches will rise significantly in the coming years.
"As your company's use of the Internet evolves, your security program must lead the way," Pescatore said.
Another big problem is that many IT departments don't have a unified view of their security infrastructure because security initiatives are dispersed among a variety of groups that don't always coordinate their efforts. So the team in charge of a company's PCs may load anti-virus software on client machines, while the networking group puts up firewalls and the server people implement wares to protect applications, all the while without checking with each other first to make sure that those products interoperate, he said.
This lack of communication and coordination often leaves security gaps no one is aware of until it is too late. Gartner estimates that companies where a variety of groups monitor and manage security will suffer 50 percent more attacks than those where security management is consolidated. Companies should evaluate products designed to pull together the management and reporting functions of a variety of security tools from different vendors, he said.
"A fractured approach to security monitoring and management leads to security fractures," he said.
Other security tips, facts and warnings from Pescatore:
-- Desktop operating systems, including Windows 2000 and Windows XP, do not provide all the necessary security safeguards client machines need, so most users must buy third-party security software for adequate protection.
-- Companies shouldn't go overboard protecting their systems from internal attacks launched by employees. While critical servers should be guarded, applying the same level of security inside the company that is applied outside could hamper productivity.
-- In most cases, trying to find out who launched an attack against the company isn't worth the effort and money. This type of after-the-fact investigation is best left to government authorities.
-- Companies should spend extra money to buy security services from their Internet service providers to nip attacks at the ISP (Internet service provider) level, before the attacks hit companies directly.
-- Companies should outsource day-to-day grunt security tasks to outside service providers, to free their internal IT teams to do more strategic security planning and design.
-- A company's security strategy and its security policies must evolve and change to continually support and benefit business processes. Otherwise, security measures will be seen as an impediment and will be abandoned.
-- Some 50,000 of a total 25 million Web servers got hit by attacks in the year 2000, a figure that is expected to climb to 200,000 in 2001, or to 1 million counting Code Red victims.
The event ends Friday. More information can be found at http://symposium.gartner.com/news/index.html.