Time to Get Tough on Security Threats

With this month marking the annual RSA security conference, it seems like a good time to reevaluate your company’s security policies, given the changing nature of the cyberthreats facing everyone today.

In general, the good news is that most companies are getting more adept at fighting routine battles against viruses, worms and other forms of malware; the bad news is that the bad guys are now using various combinations of blended attacks against specific systems, launched from “zombie” computers to which they gain control remotely. Worse yet, these attacks sometimes come with embedded data mining tools that crawl through systems, looking for specific types of files that contain sensitive data.

In fact, in a recent survey conducted by CIO Insight, 50% of companies with revenue of more than $1 billion reported that their Web site or data has been targeted by cybercriminals.

This state of security affairs is likely to get a lot worse before it gets better. There is really no preventative approach to fighting botnet attacks, because the sheer weight of attacks being launched by hundreds or thousands of machines means that all you can do is isolate the affected machines on your network as quickly as possible. But to have a team of I.T. professionals ready to spring into action on a moment’s notice, you need a systematic approach to the more routine security challenges of the day so your forces are not spending the bulk of their time patching systems.

For example, Bill Bradley, chief of IRMS customer support for the Veterans Administration Medical Center in Denver, relies on patch management tools from Shavlik to help him almost single-handedly manage all the updates that need to be in place on a daily basis to ward off malware. The VA adheres to a set of national security standards, but Bradley says he prefers to use the Shavlik tools because even though they may have a steeper learning curve, they are a little more robust. This means that instead of dedicating a squad of people to managing security updates, Bradley has a standard procedure and consistent set of policies that make distributing security updates a routine task as opposed to a dramatic event.

This approach is what sets organizations that practice good security hygiene apart from the rest. The danger it creates, however, is that complacency may set in because without a targeted attack at your site, you may start to think that everything is under control. And as many companies that have had to deal with a targeted botnet attack can attest, there is nothing that leaves you feeling quite so helpless despite your best-laid plans.

Our best hope going forward lies in an effort to create some kind of uniform approach to security. Right now, a big part of the problem lies in how easy it is for the people who create botnets to take over a remote system and turn it into a zombie. We need to require individual customers, as well as companies we do business with, to pass a series of security tests before they can interact with organizations online.

That may sound impossible, but it’s likely to become as necessary as the health standards we have put in place in major cities to prevent the outbreak of diseases such as cholera. Ideally, we’d like to have more effective tools for identifying and targeting the real source of these types of attacks, but in the meantime companies will have to start taking Draconian measures—some of which might seem tantamount to martial law—to protect their assets.

In fact, you don’t have to look too far in the vendor community to find mainstream companies that are starting to think about how they can develop the tools needed to manage this heightened level of cybersecurity. For example, Cisco recently moved to acquire IronPort Systems not only to increase its portfolio of security assets, but also to gain access to IronPort’s engineering talent. The technologists at IronPort have been doing a lot of the early work to automate the processes needed to create and share security reputations around the Web.

We’re still a long way from creating the necessary technology infrastructure to accomplish many of these goals. But in the meantime, when it comes to the next generation of security attacks, an ounce of prevention may not mean nearly as much as the ability to respond instantly, moment by moment.

Michael Vizard is Editorial Director at Ziff Davis Media’s Enterprise Technology Group.