CHICAGO -- The large number of high profile viruses has brought system security to the fore of many corporate agendas, but few customers have elaborate strategies or shortcuts to plug the endless number of holes that crop up.
In fact, the business of developing a grand security strategy is just talk for many companies, according to Roberta Bragg, an independent security analyst at Computer Will Travel Inc. in Grain Valley, Mo.
"We know what we need to do, but it's just not getting done," she said.
Bragg believes computing security is viewed as important, but the fixes are either too difficult to install or management vetoes spending for a project.
Since the Sept. 11 terrorist attacks in New York and Washington, discussions about security are on everyone's lips, but "it's mostly about guards and guns, not computers."
But some companies are starting to make things happen. From a business perspective, Windows security is deemed unsatisfactory by many because the software is "open" and relies on the people who manage the software to make it secure, said one IT manager who declined to be identified. His company has a large security team that used to focus on threats from outside the company, but lately has turned its attention to internal security as well.
The thrust for many users, weary from fighting viruses, is simply keeping up to date on service packs and hot fixes for Windows, Exchange and IIS. Many Microsoft customers are only just starting to put in place new security, password and auditing policies that take the shape of a formal program.
"Our company has been hit by Nimda and Code Red, and hackers as well, so security became a refocused priority," said Michael McDowell, senior communications analyst at Jefferson Wells International, a Milwaukee, Wis.-based accounting firm in 25 locations.
Jefferson Wells increased its spending for security tools this year, and much of the effort will be dedicated to attacking vulnerabilities. The company has already installed Windows 2000 and Exchange 2000, so its next priority will be installing management and monitoring tools. McDowell said Windows has some decent security options if they are installed the right way, but Active Directory requires that third-party tools be used to manage the security and configuration.
For most IT shops, managing security is largely a catch-as-catch-can operation. James Huston, a network engineer at Law School Admission Council in Newtown, Penn., is part of a team that is preparing to move from NT 4.0 to Windows 2000.
Huston said he thought Microsoft has improved its group policies in Windows 2000 and does a better job locking down a desktop and thereby preventing end users from digging into the control panel to do things like change video drivers or install large wallpaper files. One priority for Huston's company is to evaluate options for intrusion detection.
"We have to worry about everything that is exposed to the outside world," he said. "It's always a concern, and it's difficult to stay on top of."
One class of products that is getting attention is the automated software packages from third party vendors, such as those from Ecora Corp. of Portsmouth, N.H., and Configuresoft Inc., in Woodland Park, Colo. There are real-time monitoring products and intrusion detection products, but it's the configuration settings that allow the operating system to be secured.
"People are starting to realize that there is a lot happening on the inside, which comes down to who has access to what information, configuration changes, user group file access and file transfers," said Scott Carpenter, a product manager at Ecora.
Many customers have resigned themselves to the fact that the business of truly securing their computing environment will involve more than one plan of attack. Windows is too much of a moving target to do everything necessary to stay secure. Jim Kennedy, a network administrator at Robertson Transportation Services, Champaign, Ill., said part of his plan calls for using Norton Enterprise and for good firewall protection.
He said, for the most part, Windows 2000 does a good job. It also helps to have a little perspective on the situation. "Every day Microsoft comes out with another patch, but if you waited for the perfect operating system you'd still be running Windows 3.1," he said.
FOR MORE INFORMATION: