Safety: a path full of obstacles!
This week I am a completely different road warrior. I’m usually the type to carry my laptop from city to city and travel remotely across the country. This month I have had a few weeks in the office, my real office in downtown Richmond, not my virtual office. The complaint I have is the treacherous commute from the West End to the city on I-64 West and I-195 South. The roads are atrocious! One day recently I thought a pothole would swallow the whole tire, let me paraphrase it, a pot crater!
I’ve been so distracted trying to avoid the big holes in the road that I forgot to be a good defensive driver, keeping an eye out for what the other cars around me are doing. In the few decades that I have been driving, I have become quite adept at avoiding road obstacles such as branches, traffic cones, the occasional lost shoe, and most importantly, being hit. However, the sheer amount of craters lately has made it impossible to navigate the roads without falling into a few holes during my daily commute. I haven’t even been able to enjoy my new 100% Funk CD due to the irritating and damaging potholes.
Last weekend, I made the trip to my mother’s house and finally hit a good stretch of highway (Route 17) and was able to let my mind wander a bit while humming “Low Rider” by War. It occurred to me that maintaining a highway system is a lot like managing an IT department. Seriously, think about it, what are roads and bridges called, infrastructure. What are our computer systems running on? The infrastructure. I am like a small IP packet on the net! Do you see which way I’m headed (pun intended)?
Like a highway, our IT systems need constant care to enable optimal efficiency for our users. Ah ha! – Potholes are bad and need to be repaired. Think of safety patches as the asphalt used to fill potholes! Just think that if we never patch our roads, it would be a nightmare; our vehicles (and lives) would be in constant danger. The health of our IT systems is also at risk when we don’t provide proper care.
There are more similarities, for example, capacity planning, ensuring quality materials are used, evaluating suppliers, establishing service level agreements, etc. In fact, I listened to the rest of my new CD in that part of the trip thinking about the parallels. It’s important to focus on some of the basics of security planning and practices to keep our systems safe, secure, and optimized.
The Computer Security Institute (CSI) recently released its Annual Cyber Security and Crime Survey. The results of that report and others have led me to focus on some security basics this week. Of nearly 500 IT and security managers surveyed, 53% have experienced an attack in the past 12 months. The cost of such security breaches was estimated at $ 141 million. The number one attack type was denial of service (DoS), which accounted for approximately 18% of the total cost of these invasions.
Another study, conducted by Deloitte & Touche, indicated that 83% of financial services companies acknowledge external theft in the last year. OH! About 40% of the companies surveyed indicated that they had suffered financial losses due to the attacks. Ironically, more than 25% of companies said their security budgets had been stable over the past 12 months and almost 10% were actually cut!
In addition to that good news, the General Accounting Office reported that the IT systems of the Federal Deposit Insurance Corporation (FDIC) put critical financial information at risk of unauthorized disclosure, disruption of operations and loss of assets. Maybe Grandma knew what she was doing when she put her money in the cookie jar; at least if one was missing, it could narrow down the culprits to family members.
Let’s face it, cyber predators are a part of life and we must be diligent in our efforts to combat them. Many experts agree that most home computer users, as well as small and medium-sized businesses (SMBs), do not tend to proactively address security concerns. Experts have outlined the basics for addressing security risks as follows:
Develop a risk management plan for IT assets. There must be a process for the identification, analysis, control and communication of risks. Risk management is critical to the success of any business. A plan will allow for the proper allocation of staff and financial resources to address problems.
In some organizations, such as financial institutions, healthcare organizations, etc., regulatory compliance issues should top the list of concerns. There may be other high-risk areas in your business, such as remote access for mobile workers, electronic transactions, data retention, and the like.
Document your infrastructure – draw a map in a graphics package like Microsoft® Visio®. Then imagine a series of ever-expanding circles around your critical data stores. Each of the circles will represent a layer of technology and risk. Remember that attacks can and do come from both inside the infrastructure and outside.
Starting with some of the basics, ask yourself if you are tracking users on your network (s). Are you auditing to make sure unnecessary accounts are removed immediately? Have you checked lately to determine if some staff members have been given authorities that they shouldn’t have? If you have found anomalies, have they been addressed correctly? Have the password policies been followed correctly?
Are you looking for fraudulent applications on the net? Instant messaging and peer-to-peer apps are the kiss of death! Do you have remote users on the network? How do these users access the network and from where? A home computer can be the open door for hackers to help themselves with your data.
Invest in a perimeter firewall; consider one that includes antivirus and antispam functions. Don’t forget about email content filtering – we don’t want fraudulent executables and other inappropriate material entering our systems from attachments in user email. Consider using an expert to install and configure the device or software, as setup can be difficult even for an experienced network administrator.
Make sure mobile devices are configured with desktop firewalls and antivirus software. Think of all the places you plug in your own laptop; Your edge devices will not stop any malicious code entering the infrastructure from the front door of the office!
Consider software that will automatically check for provider updates when connecting to the Internet or on a regular basis to keep pattern files up-to-date.
Zooming in on your data, take a look at the operating systems. Have you applied all the recommended patches to servers, desktops, and applications? Remember the MSBlast worm? The vulnerability it exploited had been known for almost a month before it infected at least 8 million machines! The Slammer worm infected tens of thousands of systems in less than ten minutes! Proactive patch management is essential, and folks, it really needs to be automated in your environment to make deployment fast and inexpensive. Before deploying mobile PCs for staff, configure them to perform automatic updates with operating system, firewall, and antivirus vendors.
While this list is obviously not exhaustive, following it will be a good start on the path to developing a risk management approach to security. Establish your baseline, identify your vulnerabilities, prioritize risks, establish written controls, and establish repeatable, widely understood, and widely distributed policies and procedures for all users to follow. Once this phase is complete, it is essential to thoroughly test and audit processes on a regular basis to ensure continued success.
Let’s see: what can I share with the Virginia Department of Transportation to help them mitigate risk on our roads? As I’ve been reading about an ongoing issue VDOT has with office cybercriminals, I would say “reassign those office personnel to pothole patrol! This will prevent them from wasting work hours and make our roads safer to traverse “. Be safe out there!