Establishing Digital Trust: Don't Sacrifice Security for Convenience
In the wake of the tragedy of September 11, a lot of us have been left wondering what we can do to help.
On National Public Radio I heard reports of a cook from Louisiana who packed up his pots and pans and drove to New York to help cook for rescue workers. There was also a cello instructor who sat near the scene of the devastation playing his instrument, his way of trying to bring some sanity to an insane situation. One rescue worker left a note saying the instructor's playing brought him the first bit of peace he'd had since the disaster.
The press, meanwhile, reports on the story and its aftermath for television, radio, print and electronic media. Even those of us who normally write about technology are drawn to this story, as its importance clearly outweighs anything else we could be writing about at this time. We are journalists. Writing about important stories is what we do.
Just as the cook cooks and the cello instructor plays, IT professionals must do what they have been trained to do. Along with the police, firefighters, airlines and governments, IT professionals are now involved in the battle against terrorism.
Whoever perpetrated the acts of September 11 has shown a willingness to strike anywhere and to exact a huge toll. There is no telling where the next attempted strike will be. Preparing against the possibility of another airplane hijack attempt, we are rightfully working to shore up airline security. But the next strike could be an attack on our information systems.
The National Infrastructure Protection Center (NIPC), a federal government body that acts as a focal point for information regarding attacks against critical infrastructures, raised warning flags to that effect as early as Sept. 14. The NIPC is urging "increased cyber awareness" and warning of the potential for an increase in political "hacktivism" and distributed denial of service (DOS) attacks (www.nipc.gov).
In particular, the NIPC singled out a group of hackers called the Dispatchers. The group claimed it was targeting communications and finance infrastructures and would increase activity Sept. 18. Perhaps not coincidentally, the Nimda worm, which had much the same effect as a DOS attack, was first widely reported Sept. 18.
The NIPC did not say whether the Dispatchers are affiliated with any known terrorist organization, and such organizations have not yet been widely known to engage in such cyber activity. But is it beyond the realm of possibility to think that they could?
After the attacks of September 11, there is little that seems beyond the realm of possibility.
Alan Paller, director of the SANS Institute, writing in the nonprofit security organization's SANS NEWSBITES email newsletter Sept. 12, said: "Tuesday's horrors demonstrate the lack of any boundaries on what terrorists are willing to do. That's a reminder that we in information security must plan for catastrophic attacks as well as the more limited types of attacks we have been facing."
Darwin Ammala, security software engineer for Harris Corp.'s STAT network security unit, says these times call for "diligent vigilance followed by vigilant diligence." That means you need to get caught up with the various patches to protect your systems against known vulnerabilities and stay caught up once you get there. "It's going to require companies and organizations to improve their security discipline and take this a lot more seriously," Ammala says.
In other words, it's going to require a lot of work.
The NIPC lists some basic measures to get you started:
- Increase user awareness
- Update anti-virus software
- Stop hostile attachments at the email server
- Utilize ingress and egress filtering
- Establish policy and procedures for responding to and recovering from attacks.
While this list is grossly oversimplified, that last point can't be overstated. Should the worst happen, you will be far ahead of the game if you have a policy in place for how to respond and recover. The NIPC also offers a list of far more detailed resources to help in your quest for vigilance:
- A series of "Security Improvement Modules" from the CERT Coordination Center at Carnegie Mellon University:
- A Microsoft security checklist:
- A SANS Institute guide to eliminating the most common vulnerabilities:
Another emerging product category that you may want to consider is one that seeks to prevent the unauthorized manipulation of applications. Vendors including Entercept Technologies, Okena, Sanctum and WatchGuard Technologies offer tools that protect operating systems and/or applications even in the event that you haven't yet installed the latest patches for known server vulnerabilities. (See our list of application security tools for more info.)
While I am loath to let terrorists dictate how we conduct ourselves, it's even worse to let them get away with such heinous crimes. So now more than ever, we need to take any and all steps to protect our information systems.
"Diligent vigilance followed by vigilant diligence." I can barely say it - but I like it.
Desmond is editor of ecomSecurity.com, a source of practical security information for IT managers, CIOs and business executives.