EDITOR'S VIEW

Today, More Than Ever, We Must Think About Security

System penetrations are a growing problem. Here's what you can do about it.

By Dr. Bruce V. Hartley, Security Advisor technical editor

The February 2000 denial of service attacks on the Internet highlighted the need for security in your IT environment. This applies to all your externally visible systems, such as Web servers and firewall devices, and especially to those that support e-commerce.

The February attacks received a lot of coverage in the press. Viruses remain an ongoing issue for your business, as do penetrations where your Web site is defaced or your URL hijacked.

In addition to external threats, internal security breaches continue to be the single largest security concern for businesses. Depending upon the statistics you read, anywhere from 60 to 85 percent of all computer-related crime stems from internal sources.

According to the International Computer Security Association (ICSA), privacy was the single greatest concern of the ordinary, Internet-using public in 1999. This is a valid concern, as shown by the Fourth Annual Computer Security Institute/Federal Bureau of Investigation (CSI/FBI) Computer Crime and Security Survey in 1999, which stated that computer crime is a growing problem for U.S. companies, financial institutions, and government agencies.

It isn't enough to prepare for attacks from the outside. You also have to consider threats from inside your organization. System penetrations by outsiders increased for the third year in a row last year. Unauthorized access by insiders also rose for the third straight year, with 55 percent of the respondents reporting incidents. Those reporting their Internet connection as a frequent point of attack rose to 57 percent in 1999, up from 37 percent in 1996.

According to the ICSA, insiders cause 60 percent of computer abuse. Eighty-five percent of computer break-ins occur internally, and insiders remain the most serious threat to your intellectual property.

The CSI says one of five Internet sites has suffered a security breach, and according to an Ernst & Young Security Survey, over 90 percent of Fortune 500 networks have been hacked.

As a result, it isn't enough that you understand the need for security. You must also understand that security, like any other business function, is a result of numerous technical and administrative mechanisms. There's no silver bullet, magical tool, or product that addresses the entire spectrum of security concerns.

Steps to take

So what can you do to secure your IT infrastructure? Start with the small and work to the large. If you haven't already, evaluate your security needs as they relate to your business needs. You'd be surprised how many companies are unable to determine what data or information they consider proprietary and/or why. Scary. Before you can protect something, you must know you need to protect it. Start with a security policy that identifies and explains your enterprise security requirements. Make sure to address such issues as identification and authentication, password guidelines, malicious software, and standard host/server software settings (for UNIX, Linux, Windows NT, etc.).

After you know what you need to protect and why, look at the existing architecture. Have you spent tons of money on a firewall but left phone lines uncontrolled? Do you have a demilitarized zone (DMZ)? Is it configured so all communications are brokered by the firewall device? Common architectural problems can lead to significant security breaches.

You also need to evaluate the configuration of existing systems. Do you have the appropriate security features correctly implemented and configured? In many cases, systems are penetrated because available security mechanisms were misconfigured or even turned off. Use controls such as mandatory passwords or minimum password lengths. Consider performing an internal assessment or audit and evaluate your findings against your stated policy.

If you're worried about external penetrations, try one on yourself. You can easily scan your own network with tools freely available on the Internet. The same goes for scanning your telephone lines. In addition to these freeware/shareware tools, you can purchase one of the many commercially available products.

These are very basic steps that many companies overlook when they're implementing enterprise IT solutions. In this issue of INTERNET SECURITY ADVISOR, you'll read about specific steps you can take to protect your network and data, as well as where your risks are.

    Keyword Tags: Authentication, E-Business, Firewall, IT Networking, Linux, Microsoft Windows, Monitoring, Network Management, Research, Security, System Management

    ADVISORAMA
    I won't rise to the occasion, but I'll slide over to it.

    Use of this or any other site, content, product or service of Advisor Media constitutes acceptance of Terms of Use.
    Portions copyright ©1983-2010 Advisor Media, LLC. All Rights Reserved.
    Reuse or reproduction of any portion or quantity of Advisor Media's copyrighted content, in any form, for any purpose, requires written permission.
    ADVISOR®, the ADVISOR logo, and other names and logos that incorporate ADVISOR are registered trademarks, trademarks or service marks of Advisor Media, LLC in the United States and/or other countries.
    Other trademarks are used for identification, editorial or descriptive purposes and are the property of their owners.
    Hosted by Prominic.NET Website powered by
    LOTUS SOFTWARE
    Posted 2000-5-3.