Security by sticky tape!

By Byrne Ghavalas, February 13, 2002.

New threats to corporate security are revealed every day; these threats come in a variety of forms and flavours, some crippling, others merely bothersome. It is worth noting that many systems are breached through old techniques and long-known vulnerabilities, and all too often a company's security is breached by the most trivial means: default passwords, misconfigured software, insecure services, poor security policies and a lack of security procedures, to name a few.

There have been many articles discussing recent problems such as Code Red, Nimda and the like. Many of them offer quick-fix solutions, missing the point that security is not about plasters and sticky tape.

Several of the articles on curing Code Red and Nimda style problems suggested running the web service over HTTPS (SSL). While this would sidestep the immediate technical problem (the worms probed plain HTTP on port 80 and would not reach a server listening only for HTTPS), it leaves the underlying vulnerability in place and creates several problems of its own. HTTPS typically results in slower performance: the responses are not cached by intermediate proxies, and the server has to carry the cost of the handshake and of encrypting and decrypting every request and response.

These are not the only problems. A network intrusion detection system cannot inspect traffic it cannot decrypt, so it is unable to detect attacks carried inside the encrypted session, and new variations of the same attacks sent over HTTPS would succeed against the unpatched server just as the originals did over HTTP.
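The following added example (not from the original article) makes the second point concrete: a signature-based detector only finds what it can read, so the same request is visible to a sensor on the plaintext HTTP path, invisible to a sensor on the wire once the session is encrypted, and visible again only to a detector placed after the point where the encryption is terminated (on the web server itself, or on a terminating proxy). The signature rules and the sample requests are constructed for this example, modelled on the publicly documented shapes of the Code Red and Nimda requests; the "TLS" is a labelled stand-in (a SHA-256 counter-mode keystream) so that the block runs offline with no certificates, and real TLS leaves a passive sensor equally blind.

```python
"""Detection placement relative to encryption: what each sensor can see.

Added example for the article; not the author's code. The encryption is a
toy keystream cipher standing in for the TLS record layer so the block runs
stand-alone; it is not a model of TLS itself.
"""
import hashlib
import re
from typing import Optional

# Constructed signature rules, modelled on the publicly documented request
# shapes of the two worms. They are this example's own, not an IDS product's.
SIGNATURES = [
    ("Code Red style .ida request",
     re.compile(rb"GET /default\.ida\?N{20,}")),
    ("Nimda style traversal to cmd.exe",
     re.compile(rb"GET /scripts/\.\.%c1%1c\.\./winnt/system32/cmd\.exe")),
]


def match_signatures(observed: bytes) -> Optional[str]:
    """Return the name of the first signature found in the bytes a sensor observes."""
    for name, pattern in SIGNATURES:
        if pattern.search(observed):
            return name
    return None


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256 over key || counter (toy, stands in for TLS)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt

# Constructed sample request lines (not captured traffic).
CODE_RED_REQUEST = b"GET /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n\r\n"
NIMDA_REQUEST = b"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
BENIGN_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


def network_sensor_view(request: bytes, over_https: bool, session_key: bytes) -> Optional[str]:
    """What a passive network IDS sitting between client and server can detect.

    Over HTTPS it only ever sees ciphertext, so signature matching finds nothing.
    """
    on_the_wire = toy_encrypt(session_key, request) if over_https else request
    return match_signatures(on_the_wire)


def host_sensor_view(request: bytes, over_https: bool, session_key: bytes) -> Optional[str]:
    """What a detector placed after encryption is terminated can detect.

    This is the web server (or a terminating proxy) looking at the decrypted
    request, e.g. from its own access log; the same rules work again here.
    """
    on_the_wire = toy_encrypt(session_key, request) if over_https else request
    decrypted = toy_decrypt(session_key, on_the_wire) if over_https else on_the_wire
    return match_signatures(decrypted)


if __name__ == "__main__":
    key = b"constructed-session-key"
    for label, req in (("Code Red", CODE_RED_REQUEST), ("Nimda", NIMDA_REQUEST), ("benign", BENIGN_REQUEST)):
        print(f"{label:8} HTTP  network IDS: {network_sensor_view(req, False, key)}")
        print(f"{label:8} HTTPS network IDS: {network_sensor_view(req, True, key)}")
        print(f"{label:8} HTTPS host sensor: {host_sensor_view(req, True, key)}")
```

The practical lesson is the one the article draws: moving the service to HTTPS does not remove the need to patch and configure the server, and if network detection is part of the design, the sensor has to be placed where it can read the traffic (after the terminating proxy, or on the host), otherwise the same attack arrives unseen.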

I believe that several of the threats that have created many a headache in the business world could easily have been avoided by applying a little common sense and, in the case of host or application security, by following the hardening guidelines provided by the vendors and developers.

This may seem obvious, but if it is so obvious, why doesn't it happen? Why are we still plagued by simple, yet effective attacks?

Although I have used Code Red and Nimda to illustrate a point, it is important to realise that security is not only about having secure web servers; nor is it simply a case of installing a firewall and perhaps an intrusion detection system, or the latest content scanning tool. Security is more than network security: it encompasses all aspects of business practice.

It is unfortunate that for many organisations security tends to be an afterthought, something considered on a project-by-project basis, provided the budget makes the necessary allowances. Worse, too many companies don't consider security at all.

Of the organisations that do take security into consideration when implementing a new project, very few consider all aspects of it. Many projects account for some aspects of network security, making allowances for firewalls, intrusion detection systems and perhaps some form of content scanning. More often than not, companies neglect the less technical aspects of security: policies, procedures, education and awareness.

Time and again companies bring in the security consultants to audit a project for vulnerabilities only after it has been completed. This is often referred to as 'due diligence', which is curious, as due diligence implies 'giving the proper degree of care and caution required by the circumstances'.

It is strange that companies understand the necessity and benefit of planning and testing when implementing new projects, and more often than not conduct a pilot to ensure the project will reach a successful conclusion; yet this logic does not seem to carry over into security. Security is treated as an add-on, something to be considered once the project is complete.

So why is it that we are still plagued by simple, yet effective attacks?

Until companies adopt security as a fundamental business practice, incorporating it into every aspect of the organisation, simple, effective attacks will continue to abound.

By attacks, I am not only referring to network security attacks such as viruses, exploited vulnerabilities and application flaws. I am also referring to social engineering, physical access violations, and the retrieval of sensitive information that has been improperly disposed of.

Perfect security is idealistic and obviously not a reality, but it is a worthy goal. By implementing comprehensive security policies, providing education and training to increase understanding and awareness, and adjusting attitudes toward security, companies can begin to combat the rising level of attacks.

No doubt it will be a slow process and an uphill battle, but the companies that adjust their culture so that security is ingrained will reap the benefits.