Tipping sacred cows: Make bold decisions to protect your information
Computerworld -
For some organizations, the recent spate of worms and hacking attacks has suddenly made security front-page news. For other organizations, security has been a multiyear journey, not toward a destination, but as a means toward greater discipline and attention to technical and business integrity.
For all, security means making changes: changes to the software development life cycle, to the desktop environment, to network architecture and remote access, and to business processes. If you've been in the IT business for 10 years or more, you have probably seen these changes.
Before you can make changes, you have to know what to change. What things in your organization are being built, run or performed the way they were 10, five or just three years ago? While the guiding principles of security best practices are still pretty much what they were several years ago (and justifiably so), the ways in which they are applied are still changing and improving. Part of this is because threats are evolving rapidly, and part of it is because we are learning how to better protect our environments: The tools and techniques are improving all the time.
Peter H. Gregory, CISSP, CISA, is an information technology and security consultant, a freelance writer and an author of several books, including Solaris Security, Enterprise Information Security, and CISSP for Dummies. As a consultant he provides strategic technology and security services to small and large businesses.
He can be reached at p.gregory@hartgregorygroup.com.
His Web site is www.hartgregorygroup.com.
- Is your remote access encrypted, and does it use strong authentication?
- Is customer information on your Web server?
- Are you keeping up with security patches?
- Has anyone taken a good long look at your firewall rules lately?
- Is anyone watching the logs on servers, firewalls and intrusion-detection systems?
Unless you or someone in your organization has the time to stay current on security issues and keep systems, firewalls, routers and everything else well configured, your organization has a problem. Unless it is being regularly updated, any system or network device that was built and implemented more than two years ago lacks today's best security practices in one or more areas. Sooner or later, a script kiddie or a disgruntled employee will find, expose and hurt your company.
Get Objective Opinions
If telling management that changes are needed feels like a career-threatening move, then a good solution may be to find some well-respected, objective information that can help them to understand that the status quo is leading them straight to catastrophe. This information may be in the form of articles describing best practices in layman's terms or, at the other end of the spectrum, detailed findings of a security assessment. If management won't consider even a small, focused security assessment, then you'll have to rely for now on free or almost-free information.