Reality IT: The Key to Security: Prevention
Regardless of what tools you have handy, a reactive approach is bound to be arduous, time-consuming and costlier than a preventative one.
October 22, 2004
I made sure that Bucky followed our computer incident response plan, most of which he wrote. As part of the plan, I advise our CIO, Steve Fox, who in turn is responsible for informing senior business leadership at ACME. Steve wanted to keep the problem quiet--it seldom helps your business to announce security troubles--but in situations like this, informing key business leadership is critical. That's why Bucky reports to both IT and our auditing department: We want to be sure the right hand always knows what the left is doing.
Steve informed the appropriate corporate contacts. Next, we told our employees which services were down, though we didn't go into details about why. At that point, Bucky, Dirk and I sat down to figure out what went wrong.
Fool Me Once
Getting to the root cause was a painful process that demanded complex computer forensics on the compromised box. We sent the server drive out to be analyzed by a security specialist company, which gave us back some good information as to why we were hacked. On the positive side, the consultancy confirmed that no corporate data had been stolen, and we determined that no other systems were affected.
We had budgeted this year to implement host-based and network-based intrusion detection systems, especially for all our Web-facing systems. But Murphy's law kicked in--we hadn't started that project yet either. Today, we have completed the vulnerability analysis, and we have begun implementing new intrusion-detection systems. And we have a proxy box running a hardened version of Unix in front of our Web-facing servers to further protect them from malicious miscreants.
One of the primary reasons the server was compromised was that it was running a vulnerable service--one that should not have been active. Apparently, the service had been turned on temporarily, but was never turned off. The problem escaped our network-monitoring system because we monitor only the services that are supposed to be running. It just goes to show that security problems can be caused or exacerbated by problems that may not initially seem related to security--in this case, configuration management.
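The check that the monitoring gap above calls for, as an added example that is not from the column: compare what the host is actually listening on against the configuration baseline, and flag anything listening that is not on the allowlist, instead of only alerting when an expected service goes down. The allowlist and the `ss -tlnp`-style output are constructed sample data.

```python
"""Flag listening services that the configuration baseline does not expect."""
import re

# Constructed allowlist: (protocol, port) pairs this host is supposed to expose.
EXPECTED_LISTENERS = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

# Constructed sample in the layout of `ss -tlnp` on Linux (TCP listeners only).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("httpd",pid=1203,fd=4))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("httpd",pid=1203,fd=6))
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1450,fd=3))
LISTEN  0       128     [::]:8080            [::]:*             users:(("java",pid=1671,fd=12))
"""

# Matches a LISTEN row: local address, port and (optionally) the owning process name.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:users:\(\("([^"]+)")?'
)


def parse_listeners(ss_output):
    """Return (proto, port, address, process) for every LISTEN row in the output."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            addr, port, proc = m.groups()
            listeners.append(("tcp", int(port), addr, proc or "?"))
    return listeners


def unexpected_listeners(ss_output, expected=EXPECTED_LISTENERS):
    """Listeners whose (proto, port) is not in the baseline: the gap the column describes."""
    found = parse_listeners(ss_output)
    return sorted((l for l in found if (l[0], l[1]) not in expected), key=lambda l: l[1])


def missing_listeners(ss_output, expected=EXPECTED_LISTENERS):
    """The inverse check (what the column's monitoring already did): expected but absent."""
    present = {(l[0], l[1]) for l in parse_listeners(ss_output)}
    return sorted(expected - present)


if __name__ == "__main__":
    for proto, port, addr, proc in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"UNEXPECTED {proto}/{port} on {addr} ({proc})")
    for proto, port in missing_listeners(SAMPLE_SS_OUTPUT):
        print(f"MISSING {proto}/{port}")
```

Run from cron against live `ss -tlnp` output, any UNEXPECTED line is a configuration drift that should open a ticket, which is how a service "turned on temporarily" gets caught before an attacker finds it.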
Networkers, Protect Yourselves
The key to security is prevention. No matter what tools you have in place, a reactive approach is bound to be arduous, time-consuming and expensive.
Today, thank goodness, it's not hard to cost-justify well-known preventive tools, such as firewalls, multiple levels of antivirus protection and antispam technology. But we can't stop there. We must constantly inform management of vulnerabilities, develop forward-looking solutions and make the investment to prevent problems today--before our weaknesses are exposed by others.
Hunter Metatek is an enterprise IT director with 15 years' experience in network engineering and management. The events chronicled in this column are based in fact--only the names are fiction. Write to the author at [email protected].