From the June 2003  issue of Communications News

Enterprise networks remain vulnerable

Network-based attacks–excluding worm and blended-threat activity–have declined by 6%, according to a recent security report from Symantec. While good news for IT security staff scrambling to protect their corporate networks, the small drop represents only two hairs off of a big bear.

Symantec analyzed more than 30 TB of data on network-based attack activity, vulnerability discovery and malicious code. Proving that cyber attacks remain a real threat to enterprises, the report points out that, on average, companies still experienced 30 attacks per company per week. This number is 20% higher than the rate recorded during the same six-month period in 2001.

“Any company that does not provide a regular focus on security will likely be compromised,” says Jeffrey Guilfoyle, vice president of systems and security for Solutionary in Omaha, Neb.

Of specific concern to Guilfoyle is the increasingly advanced methods used by even the most inexperienced hackers. Symantec’s security report echoed similar concern over the relative ease with which attackers are able to exploit new vulnerabilities. Symantec documented 2,524 new vulnerabilities in 2002, representing an increase of 81.5% over 2001. According to the report, approximately 60% of all new vulnerabilities could be easily exploited either because the vulnerability did not require the use of exploit code or because the required exploit code was widely available.

“A network is only as secure as its weakest link,” says Guilfoyle. “Even the most sophisticated organizations are still regularly compromised.”

Guilfoyle suggests that companies establish a cross-functional enterprise security committee to oversee all aspects of security, including the creation, updating and execution of a comprehensive security policy. He also makes the following recommendations regarding five often-missed weaknesses:

Misconfigured firewalls. A firewall is an absolute requirement for any business with a connection to the Internet, but it is only as effective as its configuration, which should be customized around the network profile. Companies should be as explicit (and restrictive) as possible as to what data can come in or go out and then simply block everything else. In no case should companies use a firewall’s default settings, and firewall rules should be periodically reviewed and assessed.

Business partner connections. The traffic on internal connections that provide information sharing with vendors and partners needs to be treated as untrusted, the same as a general Internet connection. Relying on a router is often not sufficient. Additional measures like encrypted VPN tunnels, firewalls and intrusion-detection systems can greatly reduce the risk of these types of connections.

Server and application “holes.” Almost 95% of server, operating system and application vulnerabilities are the result of known software holes. Companies should implement a regular schedule of software patching, and identify staff in the network and IT groups who will be responsible for the regular implementation of the constant stream of patches distributed by IT vendors, and verify that the patches are applied in a timely manner.

Home and remote-office VPN users. Few home users or remote offices adhere to the same security standards present at a corporate location, and often deploy insecure wireless networks. Organizations should enforce security standards for off-premises machines, limit network access from VPN users and institute strict password policies.

External e-mail systems. Employees checking e-mail from third-party e-mail providers, such as Yahoo, AOL and MSN, can unwittingly unleash viruses, Trojans and worms. Companies should implement policies that limit employee access to external e-mail systems, and utilize technological solutions to enforce this policy. Additionally, companies should keep updated antivirus software at each desktop.

For more information: