List:       isn
Subject:    [ISN] Security Solutions In The Real World
From:       InfoSec News <isn () C4I ! ORG>
Date:       2001-03-29 5:58:05
http://www.techweb.com/wire/story/TWB20010328S0007

By Joy D. Russell
VARBusiness
03/28/01

BOSTON -- The most secure computer system is the one that's unplugged
and buried 10 feet underground, according to security expert Paul
Raines.

But there are specific steps a company can take to reduce security
threats to its live systems, whether from external hackers or
disgruntled IT workers.

Raines, head of global information risk management for Barclays
Capital, laid out those steps to security professionals here at the
eSecurity Conference & Exposition in his session entitled, "Security
In the Real World."

The most obvious steps that should be taken frequently aren't, Raines
said, citing such problems as co-workers loudly discussing faults in
their company's network while waiting inside an airport terminal.

"It's becoming much easier for someone to become a hacker," Raines
said. "Hackers are becoming more popularized, and there's greater ease
in finding tools on the Web to become a hacker."

In a survey, 90 percent of 273 respondents, mainly from large
corporate and government agencies, detected computer security breaches
within the last 12 months, according to researcher Computer Security
Institute.

Estimated losses amounted to more than $265 million, or nearly $1
million per organization.

Here are the top 10 vulnerabilities within companies, according to
Raines:

* Lack of well-defined security policies and procedures

* Weak employee security awareness

* Inadequate logging and intrusion detection

* Unsecured remote access

* Misconfigured Web servers

* Inappropriate trust host relationships

* Misconfigured firewall and router access control lists, or outdated
  application access control lists

* Unpatched or outdated software on servers, especially antivirus
  software updates

* Information leakage, both online and offline

* Lack of well-defined incident response procedures and an incident
  response team.

Now that the vulnerabilities are defined, what does a security
professional do next?

"Make sure you get senior-level support when developing your policies,
and have awareness training and controls in place to support your
security objectives," Raines said. "Always check the computing
environment for common security vulnerabilities and, where possible,
follow industry standards as a means of demonstrating due diligence."

By showing due diligence, Raines said, not only can security
professionals save face when a breach occurs, they can save their
jobs.

"I'm willing to bet dollars to donuts there's low morale among
security professionals in your organization," Raines said. "Have
professional standards set. Invest in them with training. It will
improve morale in that you're not always thinking of them just when
something goes wrong."

Prior to joining Barclays Capital three months ago, Raines was vice
president of e-security for the Federal Reserve Bank of New York. He
has also been program manager of e-commerce initiatives for the U.S.
Postal Service.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
