As cyberterrorism threats move to the forefront, we're becoming increasingly aware that our best IT defenses may not be good enough. Yet doing more to prevent cyberterrorism during a slow economy seems impossible to many IT executives whose budgets are frozen or reduced. Many corporate IT infrastructures are becoming increasingly compromised and more vulnerable to cyberattacks. They're choosing between staying up and staying secure. The result is the same as driving without an insurance policy—an increased chance of enormous loss.
Security the right way
IT security should be an ongoing process instead of a one-off event. It should be part of a holistic IT environment in which all components (including security technologies) affect the health of the system. But today, many CIOs have shifted their priority to uptime percentages and believe security is a one-time event.
Enterprise infrastructures are only as strong as their weakest links. Consider the area of patch management, involving the monitoring and installation of new patches to prevent virus attacks. This is an area where availability and security go hand in hand. Viruses can, of course, reduce uptime to zero, meaning warding them off should be high on the list of availability priorities. And 80 percent of outages are due to the exploitation of known bugs, including bugs for which patches are available.
But what happens in practice is another matter. CIOs and IT managers, even at highly visible Fortune 500 companies, are making repair decisions on the basis of what they may lose in the short-term by bringing systems down to install new revisions and patches, rather than what they'll lose in the long-term by performing proper software maintenance. They should be assigning dedicated resources to researching current viruses and the antidotes already available, and ensuring that patches are being properly and thoroughly deployed. They should also be investing in redundant systems so downtime is not an issue.
CIOs should take charge
This example points to a larger issue—the responsibility of IT executives to step up to the plate. The CIO's value is in enabling a company to leverage information to support its revenue, profitability, and productivity goals. This means implementing standards-based and reliable security technologies, and not being overly dependent on old systems. Many CIOs have developed a false sense of security and are becoming overly reliant on their firewalls. Any IT executive who believes that a firewall is a simple commodity, requiring limited skills to turn up and solve security requirements, is truly exposing his or her firm to any number of dangers. This is much like a man with a bodyguard who keeps wandering into dangerous territory. Even with a well-trained guard, he is putting himself in greater danger by not considering the full spectrum of potential security hazards.
Given the challenges, how can you mitigate or avoid an attack altogether? On the technological side, consider several short-term options to maximize availability and security at the same time:
- Practice due diligence, including use of the security features and best practices already integrated within most systems and available from most vendors. These can reduce the known vulnerabilities to which these systems are subject.
- Assign purchasing decisions to the IT department, rather than accounting. IT managers are the only individuals who can truly discriminate between systems and solutions, especially where security issues are involved. Price should be an important differentiator, but not the sole factor in influencing decisions.
- Add a dark Web site. A dark Web site is typically hosted off-site but is only activated under certain circumstances. Hosting off-site eliminates the vulnerability produced by a building casualty. This serves many purposes, including customer relations, public relations, emergency communications, and situational awareness.
- Create virtual systems and security zones. These allow logical partitioning of your IT infrastructure into separate security domains for traffic, policy, and management separation.
- Rely on strategies above and beyond intrusion detection. Although helpful, intrusion detection produces false positives and is subject to human error. When combined with intrusion prevention, however, intrusion detection is more effective and creates a smaller burden on the security management team.
A lock only keeps an honest man honest. CIOs must continually look over their shoulders to make sure that lock isn't easy to pick. On the strategic side, continue insisting on a holistic planning process to keep security virtually airtight. It's very possible to build a well-designed, highly secure, and continuously available IT infrastructure that addresses budgetary imperatives. It starts with urging senior management to bring the security of the IT infrastructure back to the position it once held, a critical priority. The result is business continuity, for which IT executives will be held accountable whether their budgets are generous or lean.
TechRepublic originally published this article on 26 August 2003.