Security is a minefield, where anything you lay down to protect your network or your organisation can blow up in your face.
Yesterday's best practice becomes today's gaping system hole leaking your data to unauthorised eyes.
But as you tell yourself when something goes wrong, you can learn from your mistakes.
Mistake 1: Relying on the vendor
Tony Krzyzewski, of Auckland consultancy Kaon Security, says the biggest mistakes are assuming a piece of software or hardware is secure, and assuming the person they have paid for a security solution knows how to close all the holes.
"I come across so many systems, even those put in by professional organisations, which are misconfigured, because people don't understand the vulnerabilities associated with each type of system," Krzyzewski says.
"People focus on internet vulnerability, but in general business terms the greatest threat comes from within the organisation - people getting improper access, people abusing systems, and leading on from that we see commercial fraud, time-wasting, and generally having access to what they shouldn't see."
Ian Mitchell, from security alert specialist Co-logic, agrees people have excessive confidence in software suppliers and their alert services.
Mistake 2: No change
Even when systems do get locked down, and Krzyzewski doesn't see a lot that are, administrators fail to recognise that the environment changes.
"People do open things for temporary reasons and fail to lock them down again, or the threat changes."
This is where patch systems come in. Organisations need systems in place to ensure they install patches and keep anti-virus systems up to date.
Patching often requires testing to make sure a patch hasn't broken interconnected systems. Krzyzewski says that is the reason some system managers shirk the task.
"You have to make an investment. It requires constant management.
"Microsoft released eight patches last Monday morning, and I know sites which will be up to date because they have systems in place and testing in place. Other sites are two or three years out of date, so there are basic vulnerabilities.
"In some cases, management don't know they got into that situation - their IT staff or facilities management company claimed they were doing the patches, but it was too hard.
"A lot of IT organisations gamble on IT security."
Mistake 3: Buying on cost
Krzyzewski says when it comes to firewalls, many organisations buy perimeter defence equipment based on cost.
"We always say base your frontline defence on certifications, preferably by government bodies," he says.
A firewall isn't enough. "What is worse than no firewall is turning it on and running it without checking the settings meet your business requirements.
"For example, we have come across installations where all ports are open outbound. That means if a bit of malware does get in, you can find you are transmitting connections to anyone."
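The "all ports open outbound" misconfiguration described above can be made concrete by modelling the two egress policies side by side and running the same set of outbound connection attempts through each. This is an added example, not code from the article or from Kaon Security; the rule syntax is a simplified stand-in for a real firewall's, the resolver address 10.0.0.53 and mail relay 10.0.0.25 are hypothetical, and the connection list is constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One egress rule; a field left at None/'any' matches everything."""
    action: str                        # "allow" or "deny"
    proto: str = "any"                 # "tcp", "udp" or "any"
    dst_port: Optional[int] = None     # None matches any destination port
    dst_net: str = "0.0.0.0/0"         # CIDR the destination must fall in


@dataclass
class EgressPolicy:
    name: str
    rules: List[Rule]
    default: str                       # verdict when no rule matches

    def decide(self, proto: str, dst_ip: str, dst_port: int) -> str:
        for r in self.rules:           # first match wins, as in most firewalls
            if r.proto != "any" and r.proto != proto:
                continue
            if r.dst_port is not None and r.dst_port != dst_port:
                continue
            if ip_address(dst_ip) not in ip_network(r.dst_net):
                continue
            return r.action
        return self.default


# The misconfiguration the article describes: no egress rules, default allow.
ALL_OPEN = EgressPolicy("all-ports-open-outbound", rules=[], default="allow")

# Hardened form: only the flows the business needs, everything else denied.
# The internal resolver (10.0.0.53) and mail relay (10.0.0.25) are hypothetical.
DEFAULT_DENY = EgressPolicy(
    "default-deny-egress",
    rules=[
        Rule("allow", "tcp", 80),
        Rule("allow", "tcp", 443),
        Rule("allow", "udp", 53, "10.0.0.53/32"),   # DNS only via the internal resolver
        Rule("allow", "tcp", 25, "10.0.0.25/32"),   # mail only via the relay
    ],
    default="deny",
)

# Constructed outbound connection attempts: (description, proto, dst ip, dst port).
CONNECTIONS = [
    ("web browsing",       "tcp", "203.0.113.10",  443),
    ("internal DNS",       "udp", "10.0.0.53",     53),
    ("malware IRC beacon", "tcp", "198.51.100.7",  6667),
    ("malware DNS bypass", "udp", "198.51.100.9",  53),
    ("direct SMTP spam",   "tcp", "198.51.100.25", 25),
]


def audit(policy: EgressPolicy) -> List[Tuple[str, str]]:
    """Run every sample connection through the policy and report the verdicts."""
    return [(desc, policy.decide(proto, ip, port)) for desc, proto, ip, port in CONNECTIONS]


def blocked(policy: EgressPolicy) -> List[str]:
    """Descriptions of the sample connections the policy denies."""
    return [desc for desc, verdict in audit(policy) if verdict == "deny"]


if __name__ == "__main__":
    for pol in (ALL_OPEN, DEFAULT_DENY):
        print(pol.name)
        for desc, verdict in audit(pol):
            print(f"  {desc:20s} -> {verdict}")
```

Under the open policy every connection, including the beacon and the resolver bypass, is allowed; under the default-deny policy the legitimate browsing and DNS still work while the three malware-style flows are dropped. The business-requirement check the article calls for is exactly this: enumerate the flows you need, allow those, and let the default deny catch the rest.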
Mistake 4: Not having and enforcing a security policy
Organisations must have policies controlling their security. These policies need to be documented and available in an easily accessible form on the corporate internet.
Kaon offers a template for a policy system on www.kaonsecurity.com, based on the ISO 17799 standard. Krzyzewski says policies have to state how the company's information and its systems are to be managed. They need to control what people can do, how the information is stored, what access levels are required.
"Policies are in place to protect an organisation from information loss. My accounting records are as important to me as a defence record."
Mistake 5: Relying on intrusion detection systems
"Intrusion detection is a waste of time. People get so many alerts they ignore them," Krzyzewski says.
Mitchell agrees that administrators can get bogged down with information.
"There is a lot of white noise out there," Mitchell says.
Co-logic's approach is to provide a service after extensive analysis of an organisation's systems, so only relevant alerts go out.
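The approach just described, suppressing alerts that cannot apply to the system they were raised against, can be shown with a small triage step that checks each alert against an asset inventory. This is an added example, not code from the article or from Co-logic; the hostnames, platforms, alert signatures and the `applies_to` metadata field are all constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed asset inventory: the result of the per-organisation analysis,
# recording what each host actually runs. Names and platforms are made up.
INVENTORY: Dict[str, Dict[str, object]] = {
    "web1":  {"os": "linux",   "services": {"apache"}},
    "fs1":   {"os": "windows", "services": {"smb"}},
    "mail1": {"os": "linux",   "services": {"postfix"}},
}

# Constructed IDS alerts. 'applies_to' stands in for the platform or service a
# signature's metadata says it is relevant to; "any" means platform-agnostic.
ALERTS: List[Dict[str, str]] = [
    {"id": "A1", "sig": "IIS WebDAV overlong request",  "host": "web1",  "applies_to": "iis"},
    {"id": "A2", "sig": "SMB null session attempt",     "host": "fs1",   "applies_to": "smb"},
    {"id": "A3", "sig": "Apache mod_rewrite probe",     "host": "web1",  "applies_to": "apache"},
    {"id": "A4", "sig": "Sendmail header overflow",     "host": "mail1", "applies_to": "sendmail"},
    {"id": "A5", "sig": "Port scan from single source", "host": "db9",   "applies_to": "any"},
]


def triage(alerts: List[Dict[str, str]],
           inventory: Dict[str, Dict[str, object]]) -> Tuple[List[Dict[str, str]],
                                                              List[Tuple[Dict[str, str], str]]]:
    """Split alerts into (relevant, suppressed-with-reason).

    Only alerts the inventory positively shows cannot apply are suppressed.
    Platform-agnostic signatures and alerts against hosts missing from the
    inventory are always kept: an incomplete inventory must not hide attacks.
    """
    relevant: List[Dict[str, str]] = []
    suppressed: List[Tuple[Dict[str, str], str]] = []
    for alert in alerts:
        asset = inventory.get(alert["host"])
        target = alert["applies_to"]
        if target == "any" or asset is None:
            relevant.append(alert)
            continue
        if target == asset["os"] or target in asset["services"]:
            relevant.append(alert)
        else:
            reason = (f"{alert['host']} runs {asset['os']}/"
                      f"{','.join(sorted(asset['services']))}, not {target}")
            suppressed.append((alert, reason))
    return relevant, suppressed


def relevant_ids() -> List[str]:
    return [a["id"] for a in triage(ALERTS, INVENTORY)[0]]


def suppressed_ids() -> List[str]:
    return [a["id"] for a, _ in triage(ALERTS, INVENTORY)[1]]


def noise_fraction() -> float:
    """Share of the sample alerts that the inventory check removes."""
    return len(suppressed_ids()) / len(ALERTS)


if __name__ == "__main__":
    kept, dropped = triage(ALERTS, INVENTORY)
    for a in kept:
        print(f"KEEP    {a['id']} {a['sig']} ({a['host']})")
    for a, why in dropped:
        print(f"SUPPRESS {a['id']} {a['sig']}: {why}")
```

On the constructed sample the IIS alert against an Apache host and the Sendmail alert against a Postfix host are dropped with a stated reason, while the SMB probe against the Windows file server, the Apache probe and the scan against the unknown host all reach the administrator. The deliberate design choice is to fail towards keeping an alert: the filter only removes what the inventory proves irrelevant, so its quality depends on keeping that inventory current, which ties back to the patching and change-control points above.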
Mistake 6: Allowing uncontrolled net access
Assuming staff will comply by default with what management expects is a no-no. Krzyzewski recommends an internet access control system like Websense, which blocks sites which may be home to malware such as ActiveX controls.
Mistake 7: Treating email as a personal asset
"Very few organisations archive email. Email is a business record. Our general opinion is it should be archived and maintained as a business record," Krzyzewski says.