So as the year trudges forward and the ominous threat of recession looms, thoughts of implementing and enhancing security seem moot. As often happens, security is viewed as a cost center, even more so during times of financial belt tightening.
But is now really the time?
This is the time to implement security or add those final pieces of the puzzle that have been missing from your environment. While it may seem daunting at first, corporations are continually weaving security into their environments pieces, particularly now that security software makers have made it easier to integrate those products.
What pests am I talking about? Let's explore...
Spam = Wasted Bandwidth
Of the major security issues and annoyances that plague businesses today, one of the biggest is spam. Spam, depending on whom you ask, accounts for about 70-90 percent of all email. Regardless of the amount, it still remains an undisputed bandwidth waster. Further, this spam often includes links to questionable sites that employees may think are legitimate, and can, when clicked on or visited, inadvertently invite malware into the corporate environment.
Quite a few good tools exist to tackle spam at the end-user level, or even at the portal of a corporate network. However, there often needs to be better controls at the internetwork level to prevent the wasted bandwidth.
But the sad truth is that unlike many sneakier threats to security, spam is usually easily identifiable. Seriously, how many pills does one need to enlarge various body parts?
Here is where the "it's not my problem" mindset rears its ugly head. Since the internetworks of the Internet are shared between major ISPs, it is everyone's problem and no one organization can convince them to work together to eliminate this. How about some cooperation then?
One thing that might help is to require consumer ISPs to freeze Internet access for those where it's determined that someone is sending spam and/or viruses. This can help reduce or eliminate the source of most of the spam. Certainly, some providers ensure that all mail relayed to a user is checked for malware before it hits the inbox, but the effect of this has yet to be seen and my not be quantifiable for a few years.
Another challenge that remains today is the set of vast email lists that are circulating among spammers. To this day, one specific email account that I have used for over 10 years receives spam email regularly, enough for me to finally disable it for the time being to see if it will settle down the volume to a dull roar.
No Thanks for All the Phish
Related to spam is my long-standing pet peeve: phishing.
It's interesting to note that the Anti-Phishing Workgroup has indicated a bit of leveling out in regards to phishing attack activity, although September 2007 did show a record high of 38,514 phishing emails (PDF).
Attackers are also getting a little savvier and realizing that they cannot continually assume the same major corporate identities. I do recall receiving such phishing emails for Canadian banks such as Royal Bank of Canada and Bank of Montreal -- unusual since prior to that my inbox was assaulted by fake versions of WaMu, CitiGroup and an assortment of larger US banks.
The Tiny but Mighty Cell Phone
Another area that will require some thought from your security crew is the ubiquitous cell phone.
Today, cell phones do much more than place phone calls. Our phones perform the role of PDA, computer, email program and a variety of other tasks that have traditionally been the realm of laptops and desktops. The challenge is to start providing phones with protective mechanisms since malware coders are undeniably casting an eye toward these go-anywhere devices.
Imagine the damage to your network if infected phones and PDAs that run mobile operating systems like Windows Mobile 6, Blackberry and various mini-*nixes have a "chat" with a host. The fallout can even spread beyond the cell phone to other devices that have common, built-in OS-bases like Windows-based hardware appliances that are ubiquitous within some large networks. While employing these systems becomes easier due to an existing familiarity, it does make them susceptible to many of the same viruses, Trojans and other nasties that infect regular Windows systems.
Sleep with a Virtual Eye Open
As their popularity grows, virtualized infrastructures will become a tempting target. The same mechanisms that were used to protect their physical equivalents should also be used to protect these.
The biggest challenge for virtualization developers is how to include standard security practices into their underlying infrastructure. Part of this lies in the balance between hypervisors and hosted virtualized products.
So far, most hypervisors have been free of major security issues, but it is only a matter of time before vulnerabilities surface. As virtualization becomes more prolific -- or dare we dream, the norm -- we will begin to see more attempts to break the hypervisor.
The situation is compounded for hosted virtualization products. They not only have to deal with security for the virtualization platform, but also for the inherent issues of the host operating system. This is an area that needs to be better addressed by all virtualization vendors.
Vigilance Costs Little
So don't fear dwindling IT budgets. You may discover that there is little need to spend more for newer, better protection.
However, it pays to be persistently vigilant for tried-and-true problems, not just the ones that pack the "wow" factor. It is often the simplest attacks -- not Hollywood-envisioned hacker footwork -- that punch holes in your network.
In the 8 years that I've been involved in computer and network security, the most effective way to ensure a safe environment is to change the way the individuals think about security and incorporate it into their day-to-day activities. Perhaps we don't need to focus entirely on shiny, fancy appliances and software.
Instead, this is an opportunity to solidify the foundations our IT environments and make them resistant to the whims of the bears and bulls on Wall Street.
This article was first published on EnterpriseITPlanet.com.