'Good Enough' Security: Network Security on a Shoestring Budget
A two billion dollar corporation headquartered in Massachusetts was recently hit by the SQL Server Slammer worm. It took down a key corporate database server for several days. Even though information about the vulnerability and the patch itself have been available since January 2003, the company had not upgraded its system and was, as a result, compromised. How did that happen? What can a computer manager to do to prevent something like this in the future?
A major ISP has been having problems with its customers' anti-spam filters because they are set too high and too much legitimate mail is being bounced. A couple of months ago the company had a major reduction in force, and they eliminated the department responsible for maintaining the filter software, which means it might be a very long time before the filters will be fixed. What can a computer manager do when this happens?
Your company CEO has been reading the trade press again. How can you tell? He has just told you that you need to beef up all of the company's computer security. Oh, and by the way, your budget is being squeezed once more, which means that you'll have to do it without any additional money, again. Sigh. Is there anything you can do to address the security concerns while not blowing the precious IT budget?
As you can probably tell by now, the topic for this column is computer security on a shoestring budget. What all these stories have in common is that there's NEVER enough time, money, or resources to fix all your computer security problems, but that doesn't mean you should just give up and open your company to the world. Fortunately, there are things you can do that will prevent 90% of your security problems without costing you loads of money or resources. Let's first discuss the major threats to watch for and then move on to covering several things you MUST do to minimize your risk of attack.
Threats and More Threats
Contrary to what you read in the trade press, the biggest threat to your computer security is not an evil empire of hackers ready to swoop down and steal all your corporate secrets; rather, it's your users. They are, after all, the ones who continue to insist on insanely easy passwords. No, your girlfriend's name is not a good password. They're also the ones that send virus-laden email attachments and can't figure out why everyone in the office is mad at them.
When planning a security strategy on a shoestring budget, at the very least you need to concentrate your efforts on educating your users as well as addressing the most well-known vulnerabilities. The major routes of attack include:
- Sloppy internal computer security - Over 60% of the average company's security incidents are internal. How many of your machines have the default or no screensaver password at all? I worked for an engineering company here in Boston. When I left, they carefully turned off my accounts. That was good policy, but since every person in the company has the identical easy password on their Internet-facing email server, how much security do they seriously have?
- External hackers - Yes, they are out there, and there are more of them every day, but the majority are kids who are just playing. There are some very serious hackers who are out for money, corporate espionage, or malicious destruction, but on a small budget you will not be able to stop a determined cracker. If you are targeted by a professional hacker, you will have much bigger problems to worry about. Still, at the very least, don't make it easy for them.
- Social engineering - The easiest way to break into a company computer network is not technical at all. More people share account information, leave company confidential information open on their desks, or share with strangers on the phone confidential computer information because the strangers say they are from "the helpdesk." Employee ignorance is the biggest security hole of them all.
If that doesn't get you thinking that you need some security policies and procedures, here are a few statistics from the FBI's "2002 Computer Crimes and Security Survey." 90% of the respondents reported computer security breaches in the past 12 months. 85% detected computer viruses, while 80% were willing to admit to direct financial loses. The most severe losses were theft of proprietary information and financial fraud. 74% reported their Internet connection had been a source attack, while 38% of those surveyed reported that there had been attacks on their corporate website.
Seven Highly Effective Security Habits
Is there anything you can do in the face of these frightening statistics?
Fortunately, yes. If you avert one security break by implementing a good firewall and virus protection, the productivity savings will more than pay for the cost of the system. That is money that you can bank! Here's a handy list of things that you can do to prevent the vast majority of attacks. Most of these items don't cost a dime except for the time involved.
- Create a solid and understandable company security policy, and enforce it. Work with your company's legal and HR departments to ensure that it is legal and fits with your corporate culture. Don't make it too onerous to administer.
- Educate your users on the security basics. Teach your users about strong passwords and not leaving their machines open when they are away from their desks. The Internet is not secure and neither is e-mail, so don't send company confidential materials out over the Internet without taking precautions. One major company makes the computer security rules part of their standard HR policies that each employee is required to sign. They fire anyone who violates it more than twice. While it might seem draconian, they do have a VERY high compliance rate.
- Install a good virus protection system on ALL computers on your network and maintain it. Modern anti-virus software is available by subscription and has built-in auto update features, so your administration headache is minimized. Install it as part of the standard company employee system with all the automated features already on. Insist that all employee-owned machines have current virus protection before they can be connected to your network.
- Install a firewall and check your logs periodically. You have a choice of using a managed service or purchasing a firewall appliance. The appliance is cheaper, but make sure to sign up for the subscription update service or be diligent in maintaining the system.
- Remove ALL unessential services and applications on your servers. After e-mail, this is probably the biggest security vulnerability. This minimizes the likelihood that, if a new security hole is discovered, a cracker would be able to exploit it because you forgot you were running that service.
- Keep all your servers updated with ALL the latest security patches. Minimizing the machine's applications also makes it easier to maintain, since you can focus on ensuring current patches on just the services that you do provide and not need to keep current on all security holes.
- Never keep any of the manufacturer's default settings. This item trips up more systems managers than care to admit. Immediately change ALL the default settings on your systems as you install them. The crackers know all the holes better than you do.
In the new hyper-security conscious world, does spending lots of money on computer security make sense? If you have the budget and are in an industry where it is critical, then the answer is an absolute yes. But if you are like the rest of us, squeezed for time, resources, and funds, then you can apply the principles of "good enough" computer security. It might not prevent a massive attack if you are targeted, but it will prevent 90% of your problems while keeping your finance department happy. In today's environment, what more can you ask for?