Enemy at the gate

How long did it take your company to recover from the CodeRed and Nimda viruses?

How long did it take your company to recover from the CodeRed and Nimda viruses? Charlie Johnson, Symantec’s vice-president of security services, recalls asking that question at seminars in New York and Boston. He knew the attendees had problems even before he put the question — he had seen people from the same company introducing themselves to each other at the entrance to the seminar room. If they hadn’t met before, they were unlikely to have devised an integrated security solution. So how long did it take them to recover? One day? No hands went up. Five days? A couple of hands went up. Ten days? A third of the room raised their hands. “I said if it took them longer than that we didn’t really want to know,” says Johnson. And therein lies a problem: if businesses are to succeed against a multitude of attacks from hackers, they need to get organised. The cost of recovering from hacker attacks is appalling — $US2.6 billion for CodeRed, $US530 million in costs and 2.2 million systems infected in just 24 hours by the Nimda virus.

Today’s hackers are much more sophisticated than the hackers of yesteryear, says Johnson. Today they use military attack techniques. “You run a diversion. You run a second diversion. And then you launch your real attack and take the system down,” he says.

So what’s a poor business to do? You throw a firewall up, but that’s not enough. You set up network-based intrusion detection. That’s not enough either. Your hacker has already figured out that administrators sometimes switch off security features because they can slow down response times.

What you need is a comprehensive, integrated response. You need to figure out what your intruder is likely to be after — it could be the payroll, your research and development data, your marketing plans… Intruders are likely to be after your crown jewels, whatever it is that gives you your competitive advantage. You need to protect all of these things.

Some organisations are pretty good about understanding some of their critical data. Beverage companies, for example, keep a firm hold on the formulas that give their drinks their special taste. Banks keep a firm hold on their money. But when it comes to other critical information, they often don’t have a clue. “You ask, ‘Where are the personnel files held?’,” says Johnson. “They don’t have a clue. You ask them how they are protecting their records and they don’t know. Where are those records? ‘Don’t know.’ Where’s the marketing server? ‘Don’t know.’ Where’s the executive file server? ‘Don’t know.’ What controls do you have on the server itself? What kinds of control do you have on the executive laptop? What controls do you have on the PDAs? Any of these can provide a point into a network.”

What businesses need, says Johnson, is a strong security plan to identify what they are trying to protect, right down to the device level. They need a security road map in place and they need to train people what to look for, how to manage and monitor their systems, and how to respond when something happens.

Those responsible for security need to make sure their businesses have virus protection, content filters, a firewall, intrusion detection and overall configuration management around their entire gateway, says Johnson. “This is the best method of stopping them at the outer point of the perimeter.”

But some are still smart enough to get in, and some might be working inside the organisation — they might be on the staff or have gained access through suppliers or partners. That means businesses under attack must have the same content protection as exists on the perimeter. “It’s the same for the clients. We now have to move security down to each level — the gateway, the server and the client.”

Johnson says companies need to change the way they do business if they are to succeed against attacks. “Sometimes we need to step back and ask, ‘What are we trying to do? What are we really trying to protect? And do we have integrated controls in place to take care of those things? Do we have solid policies and standards in place?’”

Hackers are counting on business to continue with what he calls silo management. “That’s where the intrusion detection people will tell us, ‘Don’t you touch my computers — that’s my job.’ The content filter people will say, ‘Don’t touch that — that’s my job.’ So what does the hacker do? He finds two or three people who are not doing their job and that’s where he finds a way to compromise you.”

His words make sense when you consider that a patch that would have beaten the Nimda virus came out 18 months earlier.

Johnson’s comments were accompanied by an announcement that Symantec had introduced a gateway security appliance that integrates firewall, gateway-level antivirus, intrusion detection, content filtering and VPN capabilities in a single solution.

IDC analyst Natasha David says the firewall appliance market is expected to increase at a 38% compound annual growth rate between 2000 and 2005. Another relative newcomer in this market is Nokia, with its own firewall appliance.

Up to eight of Symantec’s gateway appliances can be clustered to handle increasing loads. Each node continuously monitors the other nodes and, if an appliance fails, the remaining appliances pick up its workload. Each can support a throughput in excess of 50 broadband connections.
