Security Threats That Can’t Be Stopped

While enterprises face all kinds of security risks, including vulnerabilities that must be patched and viruses that bombard corporate firewalls, the threats that strike the most fear into the hearts of chief security officers and their employees are the ones nobody has thought of yet.

After all, any known threat can be at least minimized, but a new exploit is always difficult to stop.

“We have to expect that cyber outlaws are devising new attacks,” said Stan Stahl, president of Citadel Information Group, a Los Angeles-based information security consultancy. “Cyber criminals are bright people, expert at thinking out-of-the-box.”

Last year alone, more than 4,000 computer flaws and viruses were found.

That may be a scary message, but CIOs and security admins can greatly reduce their companies’ risk of falling victim to attack by taking a few vital steps. Most of those steps have more to do with sound policy than with intricate technological hacker-traps.

“There are no security silver bullets and no automatic technological answers,” he said. “Senior management must take leadership and assume responsibility.”

Plan of Attack

Bernie Cowens, vice president of security services at Rainbow Technologies, a security software provider, said it all begins with making sure everyone is on the same page.

“Companies must develop a comprehensive security policy and communicate it to all of their users,” Cowens told the E-Commerce Times. He recommended that companies decide for themselves which data assets are most important, then implement an education program to inform users why security of those assets is vital.

“Companies sometimes attempt to secure everything to the same level,” he said. “As a result, either routine access becomes too hard or insufficient protection is afforded to highly sensitive data.”

Password: Trouble

Cowens added that passwords are a two-pronged problem, since they offer a false sense of security and are actually easy to bypass, guess or steal.

One recurring scenario is ex-employees who use their former coworkers’ passwords to wreak havoc on a network or steal sensitive data.

Other experts also cite passwords as a major source of security failures, particularly because they may be used as a crutch to avoid more costly or difficult measures, such as data encryption, that could provide a higher level of security.

Paper or Digital?

It is also useful to keep the big picture in mind when considering enterprise security. John Wilson, vice president and general manager at network security specialist Ubizen North America, noted that companies sometimes try so hard to protect digital data that they forget about the paper trail.

“There should be a policy for proper disposal of documents and media that are no longer needed,” he told the E-Commerce Times. “Otherwise, anyone can retrieve information from sensitive documents that haven’t been shredded.”

Wilson said another common and gaping security hole is that desktop computer users often leave PCs turned on while they are away from their desks — sometimes logged in to sensitive parts of the network.

Brave New World

Several basic maneuvers can make seemingly unstoppable threats much less threatening. For example, a company can boost security dramatically by applying patches regularly and scanning incoming e-mail, which carries more than 98 percent of all viruses that hit computer networks.

More frequent system updates are also de rigueur nowadays, according to Mike Hrabik, chief technology officer of managed security service provider Solutionary. Otherwise, corporations may find themselves defending against last week’s security vulnerability while this week’s ravages their systems.

Even with such tactics implemented, however, “it is impossible to anticipate and prevent all threats and attacks,” said Larry Lunetta, a vice president at ArcSight, a security risk management software firm. “Not all exploits can be caught and prevented before inflicting damage.”

Lunetta told the E-Commerce Times that security monitoring is the best way to get real-time information about threats to a network. That way, defenders can see an attack coming as early as possible and hopefully counter it, “even if it represents something completely new and unexpected.”