Knucklehead security lets the backbone slide

In the tech press, certain topics tend to generate reader feedback.

Writing about Linux, pornography, spam or security is a sure-fire way to find out if anyone out there actually notices the work you do. For some reason, readers are more likely to respond to Microsoft-baiting than to critiques of the latest 10-point plan for evaluating your company’s middleware development strategy.

Maybe it’s because these types of subjects offer ways of exploring broader technical and ethical questions related to technology. Maybe they’re just more fun. Whatever the case, I’d like to take this opportunity to revisit enterprise security, and not simply as a way of trolling for mail.

This week, Adrian Lamo, the “harmless hacker” (according to one news report), admitted he wormed his way into WorldCom Inc.’s administrative network. Over the past two months, Lamo futzed with the backbone provider’s system and gained access to network documentation. In the wrong hands, he says, this information would have enabled crackers to mess with WorldCom customers’ networks.

Not so, says WorldCom, but thanks anyway for pointing out that open proxy. Those (paraphrased) words are anything but encouraging for organizations that rely on the telecom giant for their Internet services. They deserve more from the company, at the very least a full explanation and public apology.

It’s not as if Lamo went out of his way to exploit a hole in Microsoft Corp.’s Internet Information Server (IIS), a popular pastime for many a hacker. He just found an open window (a misconfigured server) and crawled right in.

To their credit, WorldCom reps owned up to the problem and expressed their appreciation for Lamo’s snooping. But that’s hardly a renewed commitment to security management.

While this particular problem may be all too common, it’s based on the earliest type of glitch: human error.

Rather than play the oops-I’m-so-sorry card, WorldCom should have its staff and management read up on security over the holidays, and report back with a renewed list of strategies.

They could start by checking out Gartner Inc.’s list of security and privacy reports released in late November, covering everything from encryption to risk management. The research firm’s “simple methodology for classifying and prioritizing vulnerabilities” certainly looks appropriate here, as it promises suggestions for how to keep up with the continual flow of software security alerts and the ensuing patches.

Then there’s Forrester Research Inc.’s take on IIS problems (Firms Can’t Just Throw Out Microsoft’s IIS), released in October. According to the brief, IT managers can’t “realistically” switch to other platforms, despite security flaws.

Or consider IDC’s predictions that Internet security software revenue will top US$14 billion by 2005. That’s a compound annual growth rate of 23 per cent from 2000, according to a press report from this past summer, which also offers an analysis of a host of emerging trends in the field. This is clearly a market that merits some attention.

By now, you get the picture. With a little bit of patience and, if necessary, a few hundred dollars, IT managers can bone up on network security quickly and cheaply. All it takes is the acknowledgement that human errors happen far too often and can be readily avoided, with proper planning and supervision.

In the end, it sure beats bad press.
