Procurement is a way to cut out IT security flaws, the annual SANS top 20 vulnerabilities launch heard in London. The event made the front page of the Financial Times on the day of the launch at the Department for Trade and Industry, a sign that business takes IT security seriously. In the FT, SANS director of research Alan Paller warned that it is easy for hackers to steal information from back-up systems. "Rarely does back-up software have encryption. Whereas Microsoft Windows (and Unix) regularly offer ‘patches’ (fixes) for its software where there are security loopholes, there is no such fixing for back-up software. It could take the software companies years to respond, just as it took Microsoft years to respond to vulnerabilities in its products," Alan Paller feared.
Change the world
"At the conference, Mr Paller said a ‘shocking’ number of people still run computer back-up systems the same (unpatched) way as they bought them." Rather than blame the vendors of software, he suggested using procurement as a security strategy, whereby everyone gained. He said: "If you change the world, you change it with procurement, not with regulation." By that, he meant buyers of IT security should use their spending power, as the US Air Force has. Buyers can insist that the IT software sellers sign contracts whereby, if there have to be patches later, or if the software is not free of SANS top 20 vulnerabilities, it is the responsibility of the software vendor to put it right. Improvements are immediate, according to Alan Paller: "the software vendors find it costs no more to have safer products than as currently when software breaks down and patches have to be added."
Information assurance
The US-based SANS Institute is a collector of IT security information. The SANS top 20 came from IT people from around the world, including, in the UK, Rhodri Davies of internet security firm Vistorm, the National Infrastructure Security Coordination Centre, and information security consultants AFENTIS. Other speakers at the event included Roger Cumming, Director of the NISCC, and Dr Steve Marsh, Director of the CSIA (Central Sponsor for Information Assurance) at the Cabinet Office. The CSIA promotes safe IT and has run regional information assurance roadshows for public sector IT security managers and purchasers.
Some words of SANS advice
- Backup media should be stored, tracked and accounted for like other IT assets to deter and detect theft or loss; and it should be securely erased, or physically destroyed, at the end of its useful life.
- Anti-virus software is now installed on almost all desktops, servers and gateways on various platforms to combat virus outbreaks. During the past year, there has been a shift in focus to exploit security products used by a large number of end users. This includes anti-virus and personal firewall software. The discovery of vulnerabilities in anti-virus software is not limited to just desktop and server platforms. Ensure that all of your anti-virus software is regularly and automatically updated.
- Databases are a key element of many systems storing, searching or manipulating large amounts of data. They are found in virtually all businesses, financial, banking, customer relationship and system monitoring applications. Due to the valuable information they store such as personal or financial details, databases are often a target of attack. Because databases are often distributed as components of other applications, it is possible for a database to have been installed without administrators realising it.
- Instant Messaging (IM) applications are being used by millions of users, for personal and business purposes; popular IM applications include Yahoo! and AOL. IM applications are available for virtually all platforms, including handheld devices. Set out corporate policy on ‘appropriate’ IM usage in your company.
- Don't use default passwords on any accounts; and don't use weak passwords or passwords based on dictionary words. Audit your machines to ensure your password policy is being adhered to.