PALM DESERT, CALIFORNIA (03/09/2004) - There's nothing like a detailed, hands-on demonstration of just how easily hackers can break into supposedly secure corporate networks to spark CIOs into action.
Alan Paller, director of research at SANS Institute, proved that in Palm Desert, California, Tuesday morning. Following his presentation on cybercrime and cybersecurity, 75 percent of about 500 attendees polled electronically at Computerworld's Premier 100 IT Leaders Conference, said they would immediately require all users at their companies to meet minimum security configuration requirements to gain access to corporate networks.
Paller laid out the seven most common and dangerous kinds of security attacks, which range from viruses, Trojans and worms to Web site defacements, denial-of-service attacks, credit card theft accompanied by extortion, and direct attacks on critical infrastructure, such as dams and power plants.
What makes many of these attacks possible is that commercial software vendors are selling and delivering products with known vulnerabilities, he said. CIOs and other IT leaders can stem this tide of vulnerabilities by taking any one of three steps or a combination of them.
The first is removing vulnerabilities on existing systems. Imperial Chemical Industries PLC, a U.K.-based chemical and paints company with several U.S.-based subsidiaries, did this by first running weekly scans on its systems to determine the exact nature of flaws in software from Sun Microsystems Inc. It then internally published these vulnerabilities, a subset at a time, making them visible to all departments and executives. From there, system administrators developed patches, one problem at a time.
"They did not start with all vulnerabilities," Paller noted. "Instead, they started with a few," so systems administrators would not become overwhelmed and feel defeated from the outset.
A second step users can take is what Paller described as the "Just Say No" approach. This entails defining a safe configuration for all users' systems and then enforcing this standard by cutting off network access to machines that do not conform to it.
"When you sign on, you don't get a full network connection," Paller explained. "Instead, the network tests you and doesn't let you on unless you comply. This way, there's no (security or IT) bad guy. It's the network that enforces the configurations."
The third option for CIOs is to require security to be "baked in" to software products they purchase. At the U.S. Department of Energy, for example, Oracle Corp. is required to deliver all new database software complete with embedded security benchmarks developed by the Center for Internet Security.
The bottom line, Paller said, is that CIOs are not powerless over the security problems that plague virtually all companies. They can and should establish minimum security benchmarks for every system on their networks and enforce those standards. The risk of not doing so can be near fatal, he said.
"The security risk is much higher than we think," Paller said. Known kinds of security attacks such as viruses and worms "affect more than e-mail. They can take down the whole infrastructure."