IT vs. the mischief makers

As cyberpunks crank up their games, network executives fight back by building security-aware corporate cultures.

By Linda Leung, Network World
December 22, 2003 12:10 AM ET
The summer of 2003 will go down in the history books as a rough one for network security executives. According to Computer Economics, an IT research and consulting firm, hackers unleashed at least 50 viruses during August alone. These include the Blaster worm, which Symantec estimated infiltrated 330,000 systems within its first four days, and SoBig.F, to which e-mail security tools vendor MessageLabs awarded the dubious honor of being the fastest-spreading virus ever. The company intercepted 12.8 million SoBig.F-laced e-mails for more than 65,000 business customers within 13 days of its release.

Computer Economics estimates that the financial effects of worms and viruses unleashed in August could reach $2 billion. A toll like that leaves network executives struggling to answer two big questions: Will business always live in fear of virus writers? And what will it take to turn the tide against the bad guys?

Action plan

Security experts say network executives can triumph over the ne'er-do-wells. What's needed, they say, are pervasive security-aware corporate cultures.

To get there, network executives must begin by insisting on CEO leadership. The CEO must decide on the risk level the company is willing to take and instill in the workforce the importance of being security-savvy and of using security technologies to protect against attacks.

In a security culture, regularly changing passwords, not opening suspicious e-mail attachments and other basic precautions are second nature. One way to engender such a culture is to include security compliance in performance reviews, suggests Mike Rasmussen, a security analyst at Forrester Research and vice president of standards and public policy at the Information Systems Security Association (ISSA).

Getting tough on non-compliers is another option. David Cullinane, ISSA president, explains how one company avoided succumbing to this year's MS-SQL Slammer worm by giving users 48 hours to apply patches and then severing network connections for those who did not comply by the deadline.

For their part, network security professionals must accept the CEO's risk assessment and strive to better understand the delicate balance of remaining open for business while staying protected, security experts say. "Some security people seem to think that they can issue edicts and that things will happen. But businesses take risks all the time - that's how they make money," says Cullinane, who also is chief information security officer at a Fortune 500 financial services company he declined to name.

Practice what you preach

To be sure, IT departments are not excused from the cultural change necessary to combat all the script kiddies, malicious hackers and serious cybercriminals out there.

Blaming Microsoft for selling software with vulnerabilities is easy, but in-house developers should be building better security into their code. And as Microsoft works to streamline its much-maligned patch-management architecture, user organizations should standardize on one version of an operating system. "You can't afford to deal with systems that can't be patched because they are too old," Cullinane says.
