FRIDAY IN FOCUS
IT managers become cyber security guards
10-10-2003
by
After the spate of critical updates and warnings over computer viruses issued in August and September, IT managers themselves may feel that they are on the verge of crashing.
The voracity and constancy of computer attacks in recent weeks has done more than wreak havoc on business networks and desktop PCs; the attacks have turned IT managers into weary-eyed trouble-shooters, many of whom are longing for the days when integrating new CRM tools or remote access software were the biggest tasks in a given week. These days IT management is all about three things: security, security and security.
Further complicating their newly defined jobs as cyber security guards is the fact that new threats are becoming increasingly difficult to detect. Take the Palyh and Swen/Gibe bugs that hit the Net in May and September respectively; both appeared as Microsoft e-mails and Swen in particular was especially well crafted and deceptive. Throw in ultra-infectious outbreaks like Blaster, Sobig and Bugbear and the job of updating a company's anti-virus software -- and occasionally cleaning a virus off a system -- becomes a monumental task.
But any IT manager worth their salt will tell you that anti-virus software isn't even half of it. Almost every component of any company's computer network is susceptible to attack from a hacker, or possibly a virus, seeking to exploit a seemingly unimportant vulnerability is some minute programme. Microsoft alone has issued dozens of patches for its most used products this year and nowadays simply keeping up with Redmond's latest fix is a full time job.
"Hacking attempts are increasing the workload of IT managers who are already stretched for time and budget," said Conor Flynn, technical director of Rits Information Security. Managers are spending 20 percent to 30 percent of their time on security issues, and if a virus actually hits or penetrates the system this goes up to 100 percent, he said.
Owen O'Connor, co-founder of the Information Systems Security Association in Ireland, agreed and said that sandbagging corporate networks with the latest patches in anticipation of the next assault is delaying other projects. A major factor is the complexity of just downloading and installing the latest update, he said.
To save time, IT managers tend to first apply Microsoft patches rated "critical" with less important patches worried about later. But of course it is not as simple as just checking Microsoft.com each day. For example, a patch for Microsoft Office earlier this year called MS03-037 affected a broad range of programs including Office 97 and Office 2000. But to download the patch, users need Office 2000 Service Pack 3, which in turn required Office 2000 Service Release 1a, which required Windows Installer version 2 or later. Frustrating to say the least and this process doesn't even account for slow system re-boots and licence confirmation processes that are part of every service pack and service release.
It's true that Microsoft is looking more closely at e-security with most newer products coming "locked down" and future versions of Windows pegged to have an auto-update feature, according to Stuart Okin, the chief security officer for Microsoft UK. But such releases are years away and are of little comfort to today's burned-out IT managers.
Security has been an issue for years, so it's worth asking why patching and updating has turned into the massive chore it has become. Analysts will say that companies should have been investing more in IT security all along and the problems of IT manager now come from a failure to invest in e-security during quieter times.
For example, Microsoft issued patches for the nasty Nimda virus 336 days before the first attack was launched, but since thousands of companies failed to install the patch, the virus spread world wide in just 30 minutes. Worse still is that 10 days after the outbreak, 20,000 hosts were still infected, Forrester research claims.
More recently, firms spent hundreds of hours finding and fixing infected versions of Microsoft's SQL Server 2000 and MSDE 2000 in January this year after the SQL Slammer attack. Again, a patch for the bug was issued 185 days before the first attack but since the update was more or less ignored, infections doubled every 8.5 seconds after the outbreak began.
Worryingly, attackers are getting faster at exploiting new gaps, with the attacks from the infamous Blaster virus this past August coming just 30 days after a patch was issued. The trend is clear. "Companies that haven't invested in security have a steep learning curve," said Flynn, "but it shouldn't be a continuous upward curve."
But since non-IT business units often influence how the IT budget is spent, cash for security is often misappropriated. Meanwhile, security vendors tend to mould customers' requirements to their products rather than the other way around, leaving firms with products that only half-fulfil needs. Both facts prove that just tossing a few euros at a vulnerable network is like trying to make a cake by just dumping flour, eggs and milk in the oven. You get some kind of concoction, but it won't be any good.
Creating successful email surveys: Denise Cox of email specialist Newsweaver argues that you can tap into your readers' likes or dislikes by surveying them.
