News Stay informed about the latest enterprise technology news and product updates.

Stop kicking the tires, start securing the system

Application security awareness continues to grow as more data move to Web-based systems. But even though awareness is on the rise, Scott Hollis, director of security product management at NetIQ Corp., San Jose, Calif., agrees that many mainstream customers are still kicking tires and not spending much yet. At the same time, system breaches of all types are kicking IT. In fact, in an annual computer crime and security survey released earlier this year by the Computer Security Institute and the FBI, 94% of respondents reported a virus attack, 91% reported insider abuse of Internet access, 49% reported unauthorized network access by an insider, and 40% reported system penetration. In terms of financial losses suffered, theft of proprietary information accounted for losses of nearly $4.5 million, system penetration by an outsider can cost $453,967, and insider abuse of network access is pegged at $357,160. There is no question that IT-related theft can add up to some real dough. Hollis offers some tips for administrators who are getting serious about building better security.

NetIQ recently offered two updates to help the IT community combat Camera/Shy, a hacking tool released by Hacktivismo. Would you provide some history of how Camera/Shy started out as a good program and is now considered a problem for enterprise customers?
"Camera/Shy" was released by Hacktivismo, which is an offshoot of hacker group Cult of the Dead Cow. Their goal in releasing this was to help aid workers or people behind country walls who cannot communicate to communicate. Camera/Shy lets you encrypt data into a GIF or JPEG file and allow it to be viewed. So Hacktivismo released it with noble intentions, but now someone in a corporation can take this tool and post a picture on any Web site for viewing. Our concern is the picture could be mailed with steganographic data. It's a way for sensitive information and files to be transferred. No existing intrusion or antivirus software can detect this. People are unpredictable when there is a termination and there is bad blood. When intellectual property is stolen the cost per incident is huge. What advice would you give IT administrators who are just starting to build their security policies?
First they need to assess their current state and the risks of their current state. They need to prioritize which systems are most important to their business. IT administrators are interested in availability. CFOs and security analysts are more focused on confidentiality and on the integrity of data. So figuring out what's in the environment and assessing vulnerability is number one. It's about process and policy. Once they define policies, they need to implement and enforce the policies. They then have to analyze the policies. From there it's back to step one because the environment changes all of the time. Are you starting to see changes to enterprise staffing in terms of who is buying and using your products?
We are, especially in the Fortune 100. We are actually starting to see security organizations being created. Security used to be handled by IT operations or someone who reported to a CIO. Now these larger financial companies are naming security organizations. Sometimes they report to the CIO and sometimes the COO. These organizations are more interested in defining and enforcing policies. They will dictate to IT. What's the biggest challenge for providing security and analysis features for the Windows platform?
Knowing the configuration on all the distributed machines and managing that. Knowing what is installed. It's hard for IT staff to know what's on the network, and who is making what changes in the network. Locking down IIS has been an issue in the past, but it will be less of one going forward. Microsoft is doing better at providing patches and focusing developers on security. Microsoft is always making improvements, and we are looking for ways to leverage things to focus on extending on what they do. It seems like IT administrators do a lot of talking about security, but it's not clear that they are doing much spending. Is this similar to what you are seeing?
We are seeing the same thing. They are more sensitized to security. They are evaluating and thinking. But they have limited budgets, and they are balancing their purchases. It's about risk and what pain they are willing to take. Some industries -- financial, stock exchanges, pharmaceutical companies -- have government regulations, so they are spending. But there is a reluctance to spend in other industries. It's hard to decide where to start. How do you build an in-depth defense? There are firewalls, host intrusion detections, antivirus, and other points of pain that must be solved to have a protected environment. Do you expect .NET Server to make a difference in terms of reducing system breaches, or will intruders compensate for any security improvements Microsoft makes to its products?
It will change the environment. Microsoft is doing a better job protecting against all types of attacks, but hackers get more sophisticated. We are seeing this with the blended threats (where a virus comes in as an attachment to an e-mail and then lands a payload on the machine).

Scott Hollis plans and manages product strategy at NetIQ and spends most of his time with customers whose businesses run on the Windows platform. Hollis has held positions in research and management at BMC Software, and at IBM, where he developed networking products across various divisions.


Best Web Links on security

Article: Partners say Microsoft delivering on Trustworthy Computing promise

Best Web Links on hardware and infrastructure management

Ask security expert Roberta Bragg a question

Sound off on your security experiences, dreams, nightmares, concerns, etc. in our forum.

Dig Deeper on Windows Server troubleshooting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.