Monitoring security issues and making sure all the latest patches are installed on your system could be almost a full-time job for one staff member in a moderate-sized IT department, says Jay Garden, head of the government's Centre for Critical Infrastructure Protection (CCIP). And it still won’t confer complete protection.
Too many organisations adopt a philosophy of “security by patching”, and it isn’t enough, Garden warned, speaking at a New Zealand Computer Society session in Wellington late last month. Rather, a “secure architecture” should be created, by, for example, minimising the number of services supported on the computer system to only those necessary for the operation of the business and ensuring minimal exposure to the internet, again, only where necessary.
Many organisations that once used private networks to communicate among remote sites are entrusting some of that communication to the internet for economic reasons, and that could be an ill-advised move, or at least one to be approached with great care.
Staff training in secure practices and the entrenchment of a “security culture” is vital too, he says.
The volume of reports on security issues that come out of the major tracking agencies such as the Computer Emergence Response Team (CERT) and its Australian equivalent, AusCERT, would take nine weeks a year just to read, Garden says. If only 1% of those are relevant to the organisation, especially one running a mix of computer enviroments, it is still a substantial chunk of a full-time job installing and testing them all. After each patch, too, the system will ideally be rechecked for side-effects of the upgrade. “You have to know the ‘fix’ you’ve just installed isn’t going to trip anything else.”
Garden attacked the prevailing belief that Linux and other open source software is inherently more secure than proprietary software like Microsoft’s. He showed a page of successful website defacements publicised by the hackers themselves on the Zone-h “internet thermometer” site. Most of them pertained to Linux and other Unix sites.
A website defacement may be only a temporary embarrassment, Garden says, but if the webserver is vulnerable the victim should ask whether their mailserver, DNS or firewall might be just as loosely configured. A website attack, too, may just be the visible face of an attack on the databases that feed the site.
In a world of increasing outsourcing, an organisation should “control its dependencies”, asking partners providing online services for evidence that the are secure too.
Hee warns against the risk of “bots” either compromising an individual machine, or hosting themselves there and being used with thousands of similarly compromised processors to launch distributed attacks.