Admins stuck between a hack and a zero-day

The world of IT security is in chaos, with CSOs seemingly on the front lines of a full scale global cyberwar being fought out by government hackers, botnet-controlling criminal gangs and compromised Web sites. Can we ever hope to keep networks safe in such an environment?

Accusations of government-sponsored hacking have been flying in recent weeks with the US, UK, Germany, and most recently, New Zealand, claiming to have been attacked by hackers that allegedly work for the Chinese government -- charges denied by the country itself.

Meanwhile, the Storm worm has also been in the news, with security researchers debating whether the botnet controlled by the worm, which is estimated to contain between one and five million infected PCs, could be used by criminals as a massive distributed supercomputer, potentially packing the power to deliver massive spamming campaigns, knock out targets with a DDoS attack and even use a SETI@home-style operation to crack very strong encryption, very quickly.

It is not just the hackers, spam and DDoS activity we need to worry about. These days it isn't even safe to simply surf the Internet because there is no way of knowing if a Web site has or hasn't been compromised -- take the IE-exploiting Facebook ad, for example, or the Sydney Opera House Trojan.

These are legitimate sites and yet people have most likely put themselves at risk by simply visiting them.

So how do you go about protecting your organisation in such a hostile environment? According to Graham Andrews, the CIO of PricewaterhouseCoopers, the task is "a nightmare".

Andrews believes a company cannot be truly secure if the responsibility for security is pinned on one person or one department.

"Security is everybody's problem. The core ownership of security is throughout the organisation. Not just within the IT group but in the user community so they are fully appreciative of the risks out there," he said.

When security is the responsibility of just one department, "you have already lost the game," said Andrews.

Andrews is spot on. Everyone in your organisation -- from the developers to the doormen -- needs to be aware that the only way to reduce the chance of a security breach is for everyone to play their part.

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

  • STOP - It's the NODES - not the NET!

    Why malware?
    Why the problems?
    Why the concern?
    Simple - the ICT industry stopped producing mass market secure systems, particularly that vital secure operating system, for the end-user 25 years ago, and government and regulators did nothing to help the situation at all.

    The problem is largely not the Internet per se, most of the time, it is the base operating systems, middleware and applications at the ends. AND it is NOT the end-user anymore who can now be easily bypassed by sophisticated attacks of growing complexity, particularly as we move to unsafe "web services" style of application development.

    BUT it's easier to blame him or her - that way public and private enterprises can convince themselves that it's not going to cost that much to fix up the real problem - the base systems themselves.

    Imagine - enterprise servers could today be "hardened" and based around "mandatory access control (MAC)" type systems with solid protection and enforced application/software "profiles" (minimising all the malware talked about and really "raising the security bar") with such systems as SELinux (Secure LINUX from the NSA and now in such systems as RedHat's Enterprise Linux 5 actually evaluated under the Common Criteria scheme which Australia adheres to), Trusted SOLARIS 8 and Enhanced SOLARIS 11.

    No - the time has come to realise that CIOs have to make the move to more secure bases for their systems and STOP blaming the poor old user all the time.

    AND to do that - they need legislation to convince boards of directors / departmental executives that the necessary education and training expense is needed (incidentally the actual software base cost itself is hardly different to the low security commodity software product)

    Let's STOP blaming the Internet and the poor old end user. The real problem is the computer system itself.

  • I agree.

    I think it should be made mandatory that all these sorts of stories also carry details of the operating systems affected.
    Of course, Redmond will scream blue murder as every single security story generated worldwide bears a "New Microsoft Windows virus on the rampage!" headline. Every 2-3 years or so there might be a "Researchers might have found a possible MacOS/Linux danger, assuming you do these 27 steps in exactly the right order and are also sitting in front of the target machine" headline... but that'll be rare.
  • You're right.

    All these 'computer' viruses and exploits are really WINDOWS viruses and exploits, yes? Imagine if people found out that accidents, breakdowns and poor performance only occurred with Fords while Toyotas got 100 miles per gallon, 300 KPH and 35 years of trouble free motoring, for $25! Anyway, we all know what would happen, there would be a list of Windows viruses about 400,000 entries long while the Mac and Linux rows would be blank.

    Bit of a no brainer really.
  • Break Strong Crypto?

    Strong cryptographic algorithms can resist brute-force attacks executed by the computing power of all the machines on Earth. This attack would take dozens of years even if all this computing power were used.
  • True, but...

    "A security system needs to be secured at all points, including the ISP, network and device.",1000000189,39289515,00.htm

    The end-user is mentioned nowhere in the quote above. But the end-user is not that innocent after all. There is no reason why they should browse the Internet without basic anti-malware protection.

    I agree, we will never be able to secure our systems 100%, but being reckless and then blaming it on a poorly designed system is not the way to go either.
  • "we will never be able to secure our systems 100%" - WRONG

    Step 1: remove Windows
    Step 2: Install linux.

    99% of the problems are instantly fixed. The other 1% is in setting the security facilities in linux correctly.
  • Out of date

    Bill, it's about time you updated your security architecture knowledge and also actually reviewed the list of evaluated products at the Common Criteria portal. Your opinions are fine for a research project but are not relevant in any corporate network.
  • This only helps demonstrate the mentality of fundamentalist LINUX users

    Sorry mate.....if you really do believe that installing Linux (and don't even get me started on how the term Linux is misused specific about the version, build, platform, kernel) will solve all your security problems, you are living in a dream world with your head in the sand. Sure, Windows ain't perfect but installing 'any' Linux based build will not make you unbreakable (to quote another company riddled with security exploits :)

    Windows is good for most people, Linux based OS's are good for lots of others, end of story.
  • end user

    I agree to a point, but hasn't graffiti removal become a profitable business for those who help the proliferator of such hideous "art"? Let's just say if profit is the motivator in all business adventures I sure would like to be the creator of a successful anti-virus, anti-whatever program. Thank you.