Despite a succession of incidents involving viruses, worms, hackers and security “holes” in widely used software, real concern about computer security is still at a surprisingly low ebb, says Kentucky-based networking specialist Gary Porter.
Porter, who holds Novell's Master CNE qualification, was a keynote speaker at Novell’s “one Net summit” in Wellington last week. He was appointed to Novell's major accounts advisory board in 1996.
So who cares about security? “Systems administrators care,” Porter told Computerworld. “But management, who make policy for the organisation, generally don’t. They see the sys admins as uptight, overcautious individuals who like to have new toys to play with, and use a supposed need for security as a way of getting some of those toys.
“Managers are reactive. They generally have to be hit hard [by an electronic attack] before they think seriously about security. I’m not sure why that is.
“Users often don’t care; we’ve all seen those passwords on pages from sticky pads, pasted to the monitor.”
And surprisingly, he says, systems administrators’ attention to security sometimes has significant holes. “I’ve seen them use the same password for everything, and tell me passwords out loud in others’ hearing.”
Likewise a lot of users leave their screens unprotected, even failing to log off when they step away for a short time.
A firm security policy is a significant part of the remedy for these shortcomings, Porter says. This can be established with the help of a checklist of possibly desirable features of such a policy.
“There are several of these checklists on the web; the best I’ve seen is by a university tutor.” This asks you to identify the risk of events that you may not think of, such as theft of a server. “It’s happened; [in one case] the IT manager said ‘don’t worry, the data’s safe’. Then they broke it to him, the thieves had taken the RAID 5 storage as well.”
Security in the firewall sense is inextricably linked with security against such physical intrusion and against natural disasters, he says; a security policy should include proper back-up and off-site disaster recovery facilities.
The policy in some respects has to be a compromise between reasonably stringent protection and user convenience and productivity, Porter says. For example, password changes should be enforced often, but not too often. “The appropriate level of security is the maximum level that matches the ability of your users.”
Porter, who is a regular speaker at Novell conferences, says he is impressed with some of the security-related facilities in NetWare 6, such as eDirectory and Novell Modular Authentication Service (NMAS).