The InformationWeek -- Blogs


Security Pros Defend Their Defenses
Posted on Dec 28, 2005 at 05:45 PM by John Foley

When it comes to IT security, 2005 is ending much like it began, with a nonstop stream of bad news about software vulnerabilities, data breaches, ill-intended Trojans, and poorly protected Social Security numbers. It all reinforces a sense that computer security can't keep up with the barrage of badness. A few weeks ago, I suggested that computer-security professionals may be feeling overly confident about the defenses they've put in place. Some agree, but others don't, and here's why.

In a Nov. 28 column titled, "Security Threats Galore, But No Worries Here," I pointed out that when InformationWeek Research surveyed 2,540 IT security and other tech professionals in August, only 16% felt that their organizations were more vulnerable to malicious code attacks and data breaches than a year earlier. Most responded that their security exposure was no worse or about the same.

I expressed surprise that so few respondents felt things were deteriorating, and the letters have been coming in ever since. Here's how some readers responded:

"Your question doesn't take into consideration the amount of work I've done over the past year to fortify my defenses – an upgraded firewall with integrated anti-virus; an enterprise spyware checker; an enterprise inventory tracker to track installed programs; the training I've done to educate users about current threats & determent strategies, and the amount of time spent monitoring and adjusting our firewall, spam checker, & OS and application patch levels. Not to mention the time put in to keep up on the latest. These things and more I've done to shore up our defenses to better protect our network and resources from the nasties that abound. Are there more threats this year than last? Have things gotten worse? Most certainly. Am I more vulnerable? Not if I can help it." Tim

"Well, it might be true that a few security experts out there have their heads in the sand when they aren't worried about increased security threats, but in my case, my head is well above ground and I'm viewing things realistically….I have a firewall that is actually a Linux machine set up to do NAT translation, but even that could be breached with enough knowledge on their part. Behind that, I have 350 Macintosh computers in our network with routers between and lastly, only 2 little Windows based machines (these are the ones that give me nightmares!) Security, yes, I have to watch for internal people doing stupid or malicious things, but externally, we are as secure as it gets." Douglas

"Modern security problems are almost 100% caused by poor coding practices at Microsoft. That fact cannot be stressed enough. The solution to this problem is a no-brainer." Michael

"Now practically every piece I read about on computer security seems delighted to tell me about all of the threats and risks. But none of them tell me how to fix them, short of shutting down our business computers and going back to the abacus. Why aren’t IT professionals listening to all of these dire warnings? Maybe the bullets are bouncing off; or maybe security isn’t as good as it seems; or maybe there’s no point in spending all of our time trying to defend against everything that might go wrong. Frankly, if I spent all of my time worrying about all of the threats to my computer systems, I would never turn them on in the first place. But I have, and they’re just fine." Steve

"Anybody feeling secure in this environment is either extremely naïve or completely certifiable. The chilling truth is that cybercrime is just getting its act together and the worst is yet to come….The very architecture of the internet & client/server computing makes network security a nearly impossible moving target that adds more & more insecure devices & operating systems into the mix every day. Unfortunately, the economics of shared media and the culture of the over-empowered desktop have converged into a nearly indefensible fortress that presents a target of unprecedented opportunity to the criminal underworld: digital gold in a digital bank with digital guards." Alan

"We have spent fortunes on anti-badguy programs, strategies and devices. Where has it gotten us? The reason we feel things haven't gotten worse is because they were abominable last year and they are still abominable. Nobody can protect against all the attacks unless we want to cut the wires….We have enough to do keeping up with updates, versions, training, planning for all of the above. It's not that we are oblivious. We are totally aware of the threat. We just don't know what we can do about it." George

So, what's the outlook for 2006? Will your company's computers be more vulnerable to exploits and breaches than in 2005? Or less? While you think about it, watch out. There's another zero-day exploit running amok.


