In the past year, enterprise networks have faced a plague of security issues. Now, many companies are finding themselves forced to channel more time and money toward improving security. From worms and viruses to compliance and patching issues, businesses must develop ever-more complex protocols to keep unwanted visitors out of their networks. Is a new Iron Curtain about to fall as businesses lock down their network environments, or are more moderate measures still feasible?
“The tremendous amount of virus activity this year is affecting my own life,” Michael Rasmussen, principal analyst at Forrester Research, told the E-Commerce Times. “There have been more [viruses already] this year than in my entire life.”
Likewise, Dennis Barr, manager of information technology at Kansas City, Missouri-based Larkin Group, told the E-Commerce Times that he spent many days in early March combating viruses.
That this year is shaping up to be the worst on record for computer malware is a frightening prospect.
In August 2003, viruses and hacker attacks cost US$32.8 billion, according to mi2g, a London-based risk assessment company. The SoBig worm alone represented $29.7 billion worth of damage, the firm estimated. Overall, in 2003, there were 137,529 incidents, up from 82,094 a year earlier, the Computer Emergency Response Team (CERT) found.
Moreover, it looks as if the horizon is cloudy. In the second half of 2003, Internet Explorer suffered from a 70 percent increase in disclosed vulnerabilities, according to Symantec’s Internet Security Threat Report, published last September. This spike, coupled with the fact that many vulnerabilities are easily exploitable, means “zero-day” threats — catastrophic attacks that arise immediately after an exploit is revealed, then proceed to spread quickly and wreak major havoc — may be approaching.
To combat this trend, organizations must put in place strict patch-management procedures, Symantec recommends, in addition to proactively barring unwanted visitors from their networks.
Can the Spam
After years of viewing security procedures as inconvenient, end users’ attitudes finally are evolving in favor of better security as well. For example, more than three-quarters of people polled by the Pew Internet & American Life Project said spam makes being online “unpleasant and annoying,” and 29 percent of e-mail users said they have reduced their reliance on the technology because of spam.
Altogether, about 86 percent of e-mail users “reported some level of distress with spam,” according to the nonprofit, nonpartisan research group.
Although patching is one avenue of defense, companies also may consider using operating systems that are less vulnerable, said Fred Cohen, a principal at the Burton Group, in an interview with the E-Commerce Times. In fact, this is one reason some enterprises are expanding their use of Linux, Solaris, HP-UX and other flavors of Unix, he said.
“Basically, the reason you get epidemics … is because of the population density. The density of the population makes it a problem,” Cohen said. “If properly managed, [Unix] systems can be very secure. I think [security] is a major factor in the server space. A very large portion of Web servers in the world are running Linux or Unix, increasingly so for security reasons.”
Additionally, some businesses are focusing a lot of energy and funds on securing road warriors’ notebooks and end points, Rasmussen said. “End-point security has become a huge, huge issue,” he noted. “There’s some focus on intrusion detection for mobiles and desktops.”
Sometimes mobile users pick up a virus at a remote access point, then infect the network once they plug in at the office, he added. WiFi hotspots, therefore, can be another burden for security executives, although Rasmussen said he has not seen corporations clamping down on the number of mobile users. However, those that have not already done so are creating protocols to manage road warriors and their technologies.
“People who haven’t locked down their laptops want to put procedures in place,” he said.
Law and Order
Meanwhile, the onslaught of viruses, worms and other malware is not the only security trend to which enterprises must adapt. New laws designed to protect sensitive data mandate new procedures — and new issues — for IT security personnel.
“People are reacting to regulatory requirements,” Cohen said. “They are reacting to the recent high volume of viruses. They are reacting to vulnerabilities in Internet Explorer and in everything else.”
In fact, corporations must set up stringent protocols to meet some new requirements. “All the mandates to protect personal information, [such as] Sarbanes-Oxley, seem to be a huge burden for a lot of companies I work with,” Rasmussen said. “The legal liability is growing tremendously.”