Real IT security on a limited budget?


Budgets

Peter Wood, Chief Operations, First Base Technologies

No organization likes to spend money on infrastructure, especially when the topic is security. An increase in headcount is unacceptable under any circumstances, so where should an IT Security manager spend his limited budget? Let's look at where things really go wrong. What has had the biggest impact on businesses over the last couple of years? The answer has to be viruses and worms. And these only succeed for two reasons — user ignorance and unpatched systems. So here are the first two areas for spend: effectively educating users on malware, and keeping servers and workstations patched up to the minute.

Train the users

Effective user education really means a marketing campaign. A co-ordinated programme using low-cost ideas such as logon screens, mouse mats, posters and competitions can be very successful yet inexpensive. It just requires some brainstorming and cooperation.

Patching

Patching systems is a nightmare for everyone. However, organizations that already have software distribution tools in place can often add scripts for applying patches to their existing processes. Toolsets such as Tivoli can be configured to provide all the functionality needed without extra investment. For businesses without such a framework, there are many tools emerging to address this requirement. Either way, it could be an IT infrastructure cost, not an IT security cost! Creative use of existing systems can deliver benefits too. Logon scripts can catch laptop users and force anti-virus updates and patches as soon as they connect to the corporate network. Inventory software can be deployed to detect unauthorized PDAs, wireless connections and USB thumb drives, stopping infection and information leakage at source.
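As an added illustration of the logon-script idea above (this is not code from the article or from First Base Technologies): a PowerShell check that runs at logon, acts only on portable machines, forces a Microsoft Defender signature update when signatures are stale, and logs a warning when the last patch is old so the patch-management process can pick the host up. Defender as the anti-virus product, the age thresholds and the log path are assumptions.

```powershell
# Added example, not from the original article. Assumes Windows 10/11 with
# Microsoft Defender and Windows PowerShell 5.1 or later, run as a logon script.
# Thresholds and the log path are illustrative values, not the article's.
$MaxSignatureAgeDays = 3
$MaxPatchAgeDays     = 45
$LogPath             = "$env:LOCALAPPDATA\Compliance\logon-check.log"   # assumed path

function Write-ComplianceLog {
    param([string]$Message)
    $dir = Split-Path $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    "$(Get-Date -Format s) $env:COMPUTERNAME $env:USERNAME $Message" | Add-Content -Path $LogPath
}

# Only act on portable machines: they roam off the corporate network and come back
# stale. ChassisTypes values come from the Win32_SystemEnclosure WMI class
# (8 Portable, 9 Laptop, 10 Notebook, 14 Sub Notebook, 30-32 tablet/convertible).
$portableChassis = 8, 9, 10, 14, 30, 31, 32
$chassis = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
if (-not ($chassis | Where-Object { $portableChassis -contains $_ })) {
    return
}

# Anti-virus: record disabled real-time protection and force a signature update
# when the signatures are older than the threshold. Update-MpSignature needs
# elevation, so run this elevated (e.g. as a startup script) for the update to apply.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    Write-ComplianceLog "WARN real-time protection disabled"
}
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    Write-ComplianceLog "INFO signatures $($status.AntivirusSignatureAge) days old; updating"
    Update-MpSignature -ErrorAction SilentlyContinue
}

# Patching: warn when the most recent hotfix is older than the threshold so the
# patch-management process (Tivoli, WSUS or similar) can be told to catch this host.
$lastPatch = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    Write-ComplianceLog "WARN last patch installed $($lastPatch.InstalledOn); host needs patching"
}
```

The log lines double as the raw material for the incident reporting the article recommends later: each stale-host event is dated and attributed to a machine and user.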

What to spend on when funds are scarce:

• User education.
• Patch management.
• Train developers in application development.
• Incident reporting and response.

Train the developers

Where else do things go famously wrong? Web applications have become a favourite target for hackers frustrated by better firewalls and hardened servers. And the reason that Web application hacks succeed? Innocent code, created in a rush against crazy deadlines. This leads to software that is vulnerable to buffer overflows, cross-site scripting and SQL injection. The long-term solution must be security training for Web application developers and their managers, to prevent these mistakes being endlessly repeated. In the short term, we need to fix those weak applications to prevent abuse. A combination of automated Web application audit tools and manual testing is required to find the flaws and facilitate repairs. Although not a cheap option, this is a valuable investment for the security manager and may often be part-funded from the application developer's budget. These same tools and techniques can then be built into the development process to catch errors earlier in the project and thus reduce remediation costs.

Incident response

Lastly, I'd recommend spending some money on incident reporting and response. The better the incident handling process, the more effective the security team is perceived to be. The more incidents that are logged and managed, the more evidence there is for a bigger slice of the budget pie next time around. There's nothing better for a security manager than being able to walk into the board meeting and announce exactly how many incidents their investment has caught and prevented, thus gaining kudos and better justifying his role.

First Base Technologies are exhibiting at Infosecurity Europe 2004 which is Europe's number one IT Security Exhibition. The event brings together professionals interested in IT Security from around the globe with suppliers of security hardware, software and consultancy services. Now in its 9th year, the show features Europe's most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 27th to the 29th April 2004. www.infosec.co.uk