Network administrators are besieged today with a growing list of security risks, and analysts warn that too often they get caught up in battling one or two vulnerabilities and remain blind to a league of others.

"There are so many risks to deal with, it's an overwhelming job," says Dan Woolley, a vice president at Reston, Va.-based SilentRunner Inc., a wholly owned subsidiary of Raytheon. "In the day-to-day, they're responding to wildfires, and they just don't get a chance to stand back and figure out where they need to go next...Security administrators are really struggling to keep up."

Security officers have been battling worms, viruses, denial of service attacks and hackers for years now. When you add the threat of cyber-terrorism, employees using Instant Messengers and downloading full-length feature movies onto their work PCs, the list of risks is multiplying far faster than security budgets or staffs can keep pace.


SilentRunner has created a Top 10 list of risk factors that security administrators should guard against. Here's what has made their short list of vulnerabilities:

  • Email Attachments -- Workers opening an attachment could unleash a worm or virus onto the corporate network, and a new evolution of viruses means that they can propagate themselves even without a user double-clicking on them;
  • VPN Tunnel Vulnerabilities -- A hacker who worms his way into the VPN has free and easy access to the network;
  • Blended Attacks -- Worms and viruses are becoming more complicated, and now a single one may be able to execute itself or even attack more than one platform;
  • Diversionary Tactics -- Hackers may strike a set of servers in a target company and then when security administrators are busy putting out that fire, they slip in and attack another part of the network;
  • Downloads from Web Sites -- Workers frequently misuse their Internet access in the workplace, downloading games, movies and music and even porn. It opens the network up to attack and sucks up valuable bandwidth;
  • Supply Chain and Partners Added to the Network -- An administrator may grant access to the network for a partner company and then forget to close that access point when the job is over. The same applies to employees who are leaving the company;
  • Microsoft's SOAP -- The Simple Object Access Protocol (SOAP) doesn't have security specifications built into it, warns SilentRunner's Woolley;
  • Renaming Documents -- An employee could save business-critical information in a different file, give it a random, unrelated name and email the information to her home computer, a friend or even a corporate competitor. Monitoring software that checks emails leaving the company might fail to pick up on the outgoing message if the subject name has been changed;
  • Peer-to-Peer Applications -- In a peer-to-peer environment there is an implied trust between servers. That means if a user has access to one server, he automatically has access to another if the servers share trust. Woolley points out that hackers or rogue employees can gain access to one server and move freely throughout the network;
  • Music and Video Browsers -- These are browsers that automatically will connect the user with related web sites -- all without the user's permission. A music browser, for instance, may note that the user likes jazz so will connect the user to other jazz sites and executable applications, putting the network at risk and potentially using up huge amounts of bandwidth.

"It is a big job that's for sure," says Van Nguyen, director of global security for American Presidential Lines, an oceanic shipping company with 11,000 employees and more than 76 container ships worldwide. "One thing interesting to me is that due to the state of the economy right now, our senior executives want us to cut costs and be secure at the same time. It's doable but it's difficult. It has to be blended into the business process."

And to do that, Nguyen says security and network administrators would be smart to form official policies around most, if not all, of SilentRunner's 10 risk factors.

For instance, Nguyen says they drastically cut down the bandwidth that was being used by simply telling users that they are not allowed to download movies, and then tied the policy in with employees' performance reviews. Instant Messaging is in the same category, he notes.

"We have users who claim they have legitimate reasons to use it," says Nguyen. "They say they can save the company money because they won't make long-distance calls. But stay with policy. There are too many risks inherent in Instant Messaging. You have to educate users to the risks so they understand what they're doing."

Charles Kolodgy, an analyst with Framingham, Mass.-based IDC, says Instant Messaging is such a risk that he's surprised it didn't make SilentRunner's Top 10 list.

"It's a solid list but the only thing I'd add is Instant Messaging," says Kolodgy. "That should be No. 11 if it's not Top 10."

But it is on Woolley's own list of vulnerabilities that companies should be worried about -- and writing policy for.

"When they finally get encrypted Instant Messaging, it will be great," says Woolley. "When a user types that message, it goes out of the network, to an ISP and around there two or three times and then to the intended recipient...You may be chatting with the guy down the hall and not realizing that the message doesn't just go down the hall. It's actually leaving your network. You're broadcasting that information."

IDC's Kolodgy says tackling all these risk factors is becoming a bigger job than just one department can handle.

"The network and the security guys need to start communicating more because so many vulnerabilities are dealing with the network and bandwidth," he says. "There's so much going on and you've got to lay down policy on top of it all."