Information Security News mailing list archives
Security Solutions In The Real World
From: InfoSec News <isn () C4I ORG>
Date: Wed, 28 Mar 2001 23:58:05 -0600
http://www.techweb.com/wire/story/TWB20010328S0007

By Joy D. Russell
VARBusiness
03/28/01

BOSTON -- The most secure computer system is the one that's unplugged and buried 10 feet underground, according to security expert Paul Raines. But there are specific steps a company can take to reduce security threats to its live systems, whether from external hackers or disgruntled IT workers.

Raines, head of global information risk management for Barclays Capital, laid out those steps to security professionals here at the eSecurity Conference & Exposition in his session titled "Security In the Real World."

The most obvious steps that should be taken frequently aren't, Raines said, citing such problems as co-workers loudly discussing faults in their company's network while waiting inside an airport terminal.

"It's becoming much easier for someone to become a hacker," Raines said. "Hackers are becoming more popularized, and there's greater ease in finding tools on the Web to become a hacker."

In a survey, 90 percent of 273 respondents, mainly from large corporate and government agencies, detected computer security breaches within the last 12 months, according to researcher Computer Security Institute. Estimated losses amounted to more than $265 million, or nearly $1 million per organization.

Here are the top 10 vulnerabilities within companies, according to Raines:

* Lack of well-defined security policies and procedures
* Weak employee security awareness
* Inadequate logging and intrusion detection
* Unsecured remote access
* Misconfigured Web servers
* Inappropriate trust host relationships
* Misconfigured firewall and router access control lists, or outdated application access control lists
* Unpatched or outdated software on servers, especially antivirus software updates
* Information leakage, both online and offline
* Lack of well-defined incident response procedures and an incident response team
Now that the vulnerabilities are defined, what does a security professional do next?

"Make sure you get senior-level support when developing your policies, and have awareness training and controls in place to support your security objectives," Raines said. "Always check the computing environment for common security vulnerabilities and, where possible, follow industry standards as a means of demonstrating due diligence."

By showing due diligence, Raines said, not only can security professionals save face when a breach occurs, they can save their jobs.

"I'm willing to bet dollars to donuts there's low morale among security professionals in your organization," Raines said. "Have professional standards set. Invest in them with training. It will improve morale in that you're not always thinking of them just when something goes wrong."

Prior to joining Barclays Capital three months ago, Raines was vice president of e-security for the Federal Reserve Bank of New York. He has also been program manager of e-commerce initiatives for the U.S. Postal Service.

ISN is hosted by SecurityFocus.com