Learning to Deal with Change and the Unknowns
As companies push in new intrusion detection systems and patch-management policies, there's something that often gets overlooked. Change. And change can lead to the unknown. And if you're not thinking it through, it can lead to lots of problems.
Unless change and the unknowns it brings are addressed, the defense-in-depth strategy is seriously undermined. Two areas that are routinely skipped are termed 'change management' and 'configuration management' in the Information Technology Infrastructure Library (ITIL). It's important to review these two often-overlooked areas.
For the sake of talking about change management here, let's consider a change to be a modification of state. If there is a variance in state, then a change has occurred. These changes can come from both proactive and reactive sources, and from both authorized and unauthorized parties. These kinds of changes might include software updates from vendors, patches to operating systems and new code from the development group.
Now, not all changes are bad, but all changes do carry the risk of unknown outcomes because of the tremendous number of variables that affect actual implementation results. That means it is wise to scrutinize changes before they go into production to determine their impact in your unique environment.
First, as complexity increases and changes are introduced, the possibility of mistakes also increases. One need only look to the current IT literature to find horror stories of software patches undoing bug fixes, opening security holes, etc. Because of all the variables that exist in a modern system, the only way to check for impacts in a given environment is to test. Always remember that as the rate of errors increases, so does the likelihood of security flaws. So it is very important to test security, as well as functionality, prior to deploying a change into production.
Second, if changes are uncontrolled, then it is far more difficult to distinguish legitimate changes from security breaches. These breaches could come from hackers or even from people making changes on systems that they should not have access to but, because of multiple control failures, actually do.
The point is that if everything is in a state of flux, it is far harder to tell what is going on from an internal accountability perspective, let alone a security breach.
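The distinction drawn above, between a variance in state that matches an approved change and one that does not, shown as an added example that is not part of the original article. It assumes a hypothetical change record listing each approved path with the hash of the content that was tested; every path and file content below is constructed.

```python
import hashlib

def snapshot(files):
    """Record state: map each path to the SHA-256 of its content (bytes)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def detect_changes(baseline, current):
    """Return {path: (kind, new_hash)} for every variance between two snapshots."""
    changes = {}
    for path in baseline.keys() | current.keys():
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        changes[path] = (kind, new)
    return changes

def reconcile(changes, approved):
    """Split changes into authorized and unexplained.
    `approved` (hypothetical change record) maps path -> hash of the tested
    content, or None for an approved removal. A change to an approved path
    whose result differs from what was tested is still unexplained."""
    authorized, unexplained = {}, {}
    for path, (kind, new_hash) in changes.items():
        if path in approved and approved[path] == new_hash:
            authorized[path] = kind
        else:
            unexplained[path] = kind
    return authorized, unexplained

def demo():
    # Constructed sample state before and after a maintenance window.
    before = {"/etc/ssh/sshd_config": b"PermitRootLogin no\n",
              "/usr/bin/app": b"app v1.0",
              "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
              "/opt/legacy/tool": b"old"}
    after = {"/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
             "/usr/bin/app": b"app v1.1",
             "/etc/cron.d/backup": b"0 4 * * * root /usr/local/bin/backup\n",
             "/usr/local/bin/helper": b"new"}
    sha = lambda data: hashlib.sha256(data).hexdigest()
    approved = {"/usr/bin/app": sha(b"app v1.1"),
                "/etc/cron.d/backup": sha(b"0 3 * * * root /usr/local/bin/backup\n"),
                "/opt/legacy/tool": None}
    return reconcile(detect_changes(snapshot(before), snapshot(after)), approved)

if __name__ == "__main__":
    authorized, unexplained = demo()
    print("authorized:", authorized)
    print("needs investigation:", unexplained)
```

Anything in the unexplained set is either a control failure or a breach; without the change record, all five variances would look alike.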
January 14, 2004