Interesting People mailing list archives

IP: Top 10 Enterprise Security Risks


From: Dave Farber <dave () farber net>
Date: Sun, 14 Jul 2002 13:30:12 -0400


------ Forwarded Message
From: "John F. McMullen" <observer () westnet com>
Date: Sun, 14 Jul 2002 13:12:32 -0400 (EDT)
To: johnmacsgroup () yahoogroups com
Subject: Top 10 Enterprise Security Risks

From E-Security Planet --
http://www.esecurityplanet.com/trends/article/0,,10751_1384081,00.html

Top 10 Enterprise Security Risks
By Sharon Gaudin

Network administrators are besieged today with a growing list of security
risks, and analysts warn that too often they get caught up in battling one
or two vulnerabilities and remain blind to a league of others.

"There are so many risks to deal with, it's an overwhelming job," says Dan
Woolley, a vice president at Reston, Va.-based SilentRunner Inc., a wholly
owned subsidiary of Raytheon. "In the day-to-day, they're responding to
wildfires, and they just don't get a chance to stand back and figure out
where they need to go next...Security administrators are really struggling
to keep up."

Security officers have been battling worms, viruses, denial of service
attacks and hackers for years now. When you add the threat of
cyber-terrorism, employees using Instant Messengers and downloading
full-length feature movies onto their work PCs, the list of risks is
multiplying far faster than security budgets or staffs can keep pace.

SilentRunner has created a Top 10 list of risk factors that security
administrators should guard against. Here's what has made their short list
of vulnerabilities:

# Email Attachments -- Workers opening an attachment could unleash a worm
or virus onto the corporate network, and a new evolution of viruses means
that they can propagate themselves even without a user double-clicking on
them;
# VPN Tunnel Vulnerabilities -- A hacker who worms his way into the VPN
has free and easy access to the network;
# Blended Attacks -- Worms and viruses are becoming more complicated, and
now a single one may be able to execute itself or even attack more than
one platform;
# Diversionary Tactics -- Hackers may strike a set of servers in a target
company and then when security administrators are busy putting out that
fire, they slip in and attack another part of the network;
# Downloads from Web Sites -- Workers frequently misuse their Internet
access in the workplace, downloading games, movies and music and even
porn. It opens the network up to attack and sucks up valuable bandwidth;
# Supply Chain and Partners Added to the Network -- An administrator may
grant access to the network for a partner company and then forget to close
that access point when the job is over. The same applies to employees who
are leaving the company;
# Microsoft's SOAP -- The Simple Object Access Protocol (SOAP) doesn't
have security specifications built into it, warns SilentRunner's Woolley;
# Renaming Documents -- An employee could save business-critical
information in a different file, give it a random, unrelated name and
email the information to her home computer, a friend or even a corporate
competitor. Monitoring software that checks emails leaving the company
might fail to pick up on the outgoing message if the subject name has been
changed;
# Peer-to-Peer Applications -- In a peer-to-peer environment there is an
implied trust between servers. That means if a user has access to one
server, he automatically has access to another if the servers share trust.
Woolley points out that hackers or rogue employees can gain access to one
server and move freely throughout the network;
# Music and Video Browsers -- These are browsers that automatically will
connect the user with related web sites -- all without the user's
permission. A music browser, for instance, may note that the user likes
jazz so will connect the user to other jazz sites and executable
applications, putting the network at risk and potentially using up huge
amounts of bandwidth.

"It is a big job that's for sure," says Van Nguyen, director of global
security for American Presidential Lines, an oceanic shipping company with
11,000 employees and more than 76 container ships worldwide. "One thing
interesting to me is that due to the state of the economy right now, our
senior executives want us to cut costs and be secure at the same time.
It's doable but it's difficult. It has to be blended into the business
process."

And to do that, Nguyen says security and network administrators would be
smart to form official policies around most, if not all, of SilentRunner's
10 risk factors.

For instance, Nguyen says they drastically cut down the bandwidth that was
being used by simply telling users that they are not allowed to download
movies, and then tied the policy in with employees' performance reviews.
Instant Messaging is in the same category, he notes.

"We have users who claim they have legitimate reasons to use it," says
Nguyen. "They say they can save the company money because they won't make
long-distance calls. But stay with policy. There are too many risks
inherent in Instant Messaging. You have to educate users to the risks so
they understand what they are doing."

Charles Kolodgy, an analyst with Framingham, Mass.-based IDC, says Instant
Messaging is such a risk that he's surprised it didn't make SilentRunner's
Top 10 list.

"It's a solid list but the only thing I'd add is Instant Messaging," says
Kolodgy. "That should be No. 11 if it's not Top 10."

But it is on Woolley's own list of vulnerabilities that companies should
be worried about -- and writing policy for.

"When they finally get encrypted Instant Messaging, it will be great,"
says Woolley. "When a user types that message, it goes out of the network,
to an ISP and around there two or three times and then to the intended
recipient...You may be chatting with the guy down the hall and not
realizing that the message doesn't just go down the hall. It's actually
leaving your network. You're broadcasting that information."

IDC's Kolodgy says tackling all these risk factors is becoming a bigger
job than just one department can handle.

"The network and the security guys need to start communicating more
because so many vulnerabilities are dealing with the network and
bandwidth," he says. "There's so much going on and you've got to lay down
policy on top of it all."


*** FAIR USE NOTICE. This message contains copyrighted material whose use
has not been specifically authorized by the copyright owner. The
'johnmacsgroup' Internet discussion group is making it available
without profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic issues,
for non-profit research and educational purposes only. I believe that this
constitutes a 'fair use' of the copyrighted material as provided for in
section 107 of the U.S. Copyright Law. If you wish to use this copyrighted
material for purposes of your own that go beyond 'fair use,' you must
obtain permission from the copyright owner.

For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml


   "When you come to the fork in the road, take it" - L.P. Berra
   "Always make new mistakes" -- Esther Dyson
   "Be precise in the use of words and expect precision from others" -
    Pierre Abelard
                          John F. McMullen
   johnmac () acm org ICQ: 4368412 Fax: (603) 288-8440 johnmac () cyberspace org
                  http://www.westnet.com/~observer


------ End of Forwarded Message

For archives see:
http://www.interesting-people.org/archives/interesting-people/

