Analysts Robert Frances Group (RFG) believes recent high-profile attacks against public, outward-facing Web sites are the tip of the iceberg due to grow rapidly in size and import to enterprise CIOs. Fortunately, current and emerging tools can be combined with common-sense operational practices to help CIOs "circle the routers" against such attacks, which are only likely to grow in both number and scope.
Business Imperatives:
* If they do nothing else, CIOs must immediately make sure no e-business, Web site and internal servers, are left operating with default or null passwords or identifiers for administrators, supervisors and "super-users." CIOs and other industry experts agree that this one step is the most effective and most overlooked protection that can be implemented without any additional product or service expenditures.
* CIOs must also develop, monitor and enforce policies that make sure that every network protection already in place or available is being used. This includes implementing the packet-filtering features of routers that support them, and taking advantage of intrusion-detection software, which vendors such as Computer Associates and McAfee offer via free download from their Web sites.
* CIOs should implement all appropriate available tools to help identify, prevent and predict attacks on their networks, and to differentiate between actual attacks and operational or technical shortcomings. This is especially important given that some experts estimate that up to half of the problems that look like network attacks from outside are actually the result of tampering, laxity or foolhardiness committed by personnel within an organisation. CIOs should also establish teams chartered with tracking these implementations and updating them as necessary.
For decades, crime prevention experts have repeated that the easiest, most obvious and most effective way to prevent car theft or break-ins at homes or offices is to lock our cars, homes and workplaces. Apparently, the analogy of this message has not yet reached a sufficient number of enterprise CIOs and network managers.
Media reports in the wake of the much-publicized "denial of service" (DoS) attacks on the Web sites of Amazon.com, CNN, eBay, Yahoo! and others have made this very clear. Pundit after pundit has repeated what some CIOs know and some learned too late: no server, especially a Web site or other outward-facing server, should be deployed until its default passwords and user ID information have been changed. Just as thieves often try potential targets until they find one unlocked and without alarms, hackers and other electronic miscreants are usually looking for the easiest way into a network, not the one that is most challenging.
Of course, locking the e-doors is only a first line of defense, and some corporate networks prove irresistible to hackers, even when those network appear tightly locked down. An executive at Computer Associates (CA), a leading purveyor of enterprise anti-virus and intrusion detection solutions, said at a recent briefing that Microsoft's worldwide network, which uses CA's eTrust anti-virus and intrusion detection solutions (available at www.cai.com), endures more than 100 attack attempts every month. Clearly, the obvious assumption that a network populated primarily by commercial software developers would likely be well protected is insufficient to discourage determined hackers.
Thus, CIOs need policies, procedures and products that integrate their efforts to protect their networks, and make those efforts manageable and proactive. CIOs and other network staff who think firewalls alone are sufficient are simply fooling themselves. (See the RFG Research Note "Is Your Firewall Fireproof?," Jan. 20, 2000.) Firewalls can protect against DoS attacks, but can be overwhelmed by such attacks if they are sufficiently voluminous.
CIOs must work with CTOs, network and Web site managers and others within their organisations to develop, promote and enforce policies that touch every potential interface between the enterprise and the outside world. These policies must be translated into specific product choices, and procedures for how products are deployed.
In some cases, CIOs will have to consider moving to switches and routers that operate above Layer 3 (or the network layer) of the widely used seven-layer Open Systems Interconnection (OSI) networking model developed by the International Standards Organisation (ISO). Newer, high-capacity, high-speed routers, switches and load-balancing solutions from companies such as Alteon WebSystems, ArrowPoint Communications, Coyote Point Systems, F5, Foundry, Network Peripherals (NPI) and others either have enhanced security features incorporated into them, interoperate with such features when found in other network or management components, or can have their security features enhanced easily via software upgrades.
CIOs should begin their efforts to beef up protection of their networks by developing a clear picture of the attacks already taking place and the ability of their networks to withstand those attacks. This information will help CIOs and their teams match available technologies most closely to their networks' specific vulnerabilities, and where appropriate, put into place a foundation for future features such as profiling of attacks for adaptation of defenses, much as anti-virus solutions use virus profiles to detect and identify suspicious bit streams.
CIOs must also make sure their Internet service providers (ISPs) and Web-hosting services are deploying and enforcing adequate technological and procedural defenses against network attacks. This becomes particularly critical at enterprises pursuing aggressive e-business strategies with customers, partners or both. In some cases, liability issues may be raised if one enterprise's network resources can be shown to have played a role in attack on those of one or more other enterprises. In other cases, truly enterprise-class ISPs and hosts can help buttress an enterprise's defenses against attack considerably, and help CIOs and their teams remain abreast of the state of the art where defensive technologies are concerned.
CIOs must devote time and resources to remaining up to date on the technologies behind the latest attacks and defenses, if they are to keep their networks and Web sites up and running. This will sometimes require exchange of information with CIOs and other network managers at both partner companies and competitors. (A CIO at a leading online services company confirmed to RFG that information exchange among competitors was a result of the recent wave of DoS attacks.) Political and competitive differences must be put aside in the face of network attacks that threaten all competitors equally. In addition, security policies must be integrated with overall operational policies, to guard effectively against both attacks and mistakes with effects that mimic those of attacks.
RFG believes that while much of attention paid to recent network attacks is more noise than substance, the spate of recent attacks is nonetheless a warning to savvy CIOs and their teams. To the extent that networks are increasingly essential to traditional and e-businesses alike, those networks must be protected, primarily by far-reaching, well-designed and stringently enforced policies for network security and information protection. These policies must include support for CIOs to keep abreast of the latest and best products and services in these areas, and for replacing incumbent technologies that prove inadequate to protect against all attacks, whether pranks, accidents or malicious intrusions.
Michael Dortch is the Robert Frances Group's Senior Research Analyst
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.