Internal Security Breaches More Damaging
While external attacks are serious enough, the threat posed by one's own employees -- whether intentional or inadvertent -- can often be much worse. But a number of software management tools can help overburdened IT staffs reduce network vulnerabilities.
It used to be that simple for IT managers as well. Only a select few had access to the data center and intruders were unlikely to know how to do any harm even if they did pick the locks.
But that is no longer the case for either physical or data security. The nation has 12,248 miles of porous overland borders, another 20,000 miles of coastline and thousands of planes landing from overseas. And, while trillions of dollars in defense spending have protected the country from external threats for the last 60 years, the two biggest attacks -- those on the Oklahoma City Federal Building and the World Trade Center -- came from within our borders.
Computer security similarly must take care of threats both from within the company and without. The seventh annual Computer Crime and Security Survey released in April by the Computer Security Institute (CSI) and the FBI's Computer Intrusion Squad in San Francisco found that 90% of respondents had detected computer security breaches. The losses are staggering. The 223 survey respondents willing to quantify their losses reported total damage at over $455 million.
And that's just the tip of the iceberg. The CERT Coordination Center at Carnegie Mellon University in Pittsburgh received more than 52,000 security incident reports last year, more than double the previous year. Some estimate total losses worldwide may top $100 billion annually. According to Dave McCurdy, executive director of the Arlington, Va.-based Internet Security Alliance (www.isalliance.org), three attacks -- Code Red, SirCam and Love Bug -- cost corporations more than $13 billion.
Within These Walls
While external attacks are serious enough, the threat posed by one's own employees can often be much worse. "An external attacker is not motivated to do much damage, doesn't know what to look for and is more likely to stumble into an intrusion detection system," explains Marcus J. Ranum, chief technology officer of NFR Security, Inc. "The attacks that hurt are from a disgruntled employee who is motivated to come after you."
In the CSI survey mentioned above, for example, one-third of respondents said their internal systems were a frequent point of attack. Another study of 146 companies by Activis, a security company based in Reading, England, paints a grimmer picture: 81% of security breaches originated internally, another 13% came from ex-employees and 6% from external hackers. It's these disgruntled current or former employees who steal trade secrets, sell employee lists to headhunters or plant "time bombs" to bring down the network months after they leave.
In addition to deliberate attacks, employees can compromise a system inadvertently. Seventy-eight percent of the respondents in the CSI survey reported employee abuse of Internet access privileges such as downloading pornography or pirated software. While this represents an improper use of company time and resources, it also exposes the company to huge fines from the Business Software Alliance (BSA) (www.bsa.org), a group formed by the likes of Microsoft, Adobe and Autodesk to stem the billions of dollars lost through piracy. To date, the BSA has collected more than $70 million in penalties, in addition to requiring the offending companies to get up to date in license fees.
While the security or license non-compliance threats posed by employees seem quite different, both can benefit from tighter software management. While automated tools that inventory hardware/software and monitor licensing have been with us for some time, a new breed has evolved that adds remote deployment of software and updates. Updates and upgrades, in particular, are a thorny problem for IT. Neglecting them leaves the drawbridge wide open to would-be snoopers.
Interestingly, 99% of all attacks come from known vulnerabilities. Though these attacks are readily preventable, IT personnel are typically too overloaded to keep pace with the traffic. The sheer volume of OS updates, application upgrades and security patches means that IT rarely makes timely server updates, never mind plugging up gaping security holes at every desktop throughout the enterprise. Despite knowing about the threat, the time involved in manual updates makes it impossible for IT to keep up.
"Managing software licenses and updates is a serious problem for administrators," said Paul Mason, group vice president of Infrastructure Software Research at IDC. "Any tool that can automate software inventory management and keep the technology current and performing these actions remotely will save companies enormous amounts of money."
Software vendors have developed a variety of approaches to this problem. Oftentimes, these come packaged within a larger systems or desktop management suite. For mid-sized Windows shops, for example, Microsoft Systems Management Server 2.0 (SMS) offers a relatively low-cost method of desktop/systems management that includes inventory and deployment capabilities. Its main strength lies in creating application packages for remote installation. At the same time, however, it has a reputation for complexity, and you have to first manually install SMS agents on every server and workstation before it affords you any remote deployment functionality.
Other possible desktop management packages that come with deployment and asset management functions include Novadigm, Inc.'s Radia, Intel's LANDesk and Marimba, Inc.'s Change Management suite.
Alternatively, those enterprises already utilizing a management framework have the option of buying additional modules for inventory and deployment, such as IBM's Tivoli Configuration Manager, Hewlett-Packard Co.'s OpenView Software Distributor, or Computer Associates, Inc.'s Unicenter TNG Asset Management and Software Deployment Options.
Because most of the above products go beyond licensing, deployment and inventory into functions such as remote help desk and overall systems management, however, they can be expensive and often entail substantial consultant/vendor fees for installation, configuration, and maintenance.
For an immediate and simple response to the threats posed by lax software management, specialized inventory/deployment tools offer a less expensive and easy-to-deploy option. Sitekeeper by Executive Software, Inc., for example, is designed for Windows networks (NT 4.0 or higher). It takes about an hour to download, install and configure for the network.
Unlike SMS, which requires manual agent installation, this tool does everything from a single workstation or server, with no need to walk from client to client to install the software. Sitekeeper automatically inventories all hardware and software, creating a directory tree interface. Administrators can run reports to determine which machines need updates. It takes a few clicks to deploy patches or virus signatures on all machines.
Just Do It
Whichever approach one decides to take to the software management problem, the essential action is actually to just do it. There is no excuse for being hit with a $150,000 fine from the BSA because you failed to spot illegal software downloaded by employees. Nor is there any excuse for leaving security holes exposed when patches have been made available by vendors and can be remotely deployed in minutes.
So which of the above options is right for you? Favor those that offer simplicity of operation, rapid install and as little work as possible for the IT department. With the current budget crunch, IT is being told to do even more with much less. Therefore, there is no point in choosing a tool that will only add to the workload or that will require a time-consuming implementation period.
But whatever tool you choose, install it fast and put it to work policing internal software usage, catching piracy, tracking licensing, and rapidly pushing updates out to all nodes in order to minimize the risk of attack from without or within.
By Paul Desmond
July 10, 2002