In-Depth

All Quiet on the Security Front?

Has the absence of a big security threat lulled you into inaction?

• By Rich Weiss
• 05/04/2005

You’ve probably noticed that it’s been a while since a Slammer-, Blaster-, or Nimda-magnitude crisis has occurred. Many organizations continue to incur damage from this class of exploits and their endless series of variants, but it's no longer big news. Attention has shifted to the consumer arena where phishing, identify theft, and Paris Hilton’s cell phone breach are generating headlines. This is just fine with most security administrators (except those in the financial services industry, who absorb the costs of phishing scams). After a long period of frequent fire fighting and scrambling to find solutions to the latest punishing attacks, it’s good to be able to ease off a little.

It’s human nature to act as if a current trend will continue indefinitely. We’re especially prone to this behavior when things are going well, since most of us avoid contemplating future pain. A related trait is our tendency to rationalize why we feel things will stay as they are, even as warning signs begin to appear. Investor behavior during the dot-com stock market bubble is a vivid example of this phenomenon.

The current lull in truly new and highly damaging enterprise exploits has the potential to induce a similar effect on security professionals. You probably feel that you’re much better prepared now to repel attacks than you were a year ago. It’s tempting to think that the biggest holes in operating systems, applications, and networking equipment have been discovered and addressed. It may even seem as if hackers have run low on inspiration and are just churning out me-too viruses and worms that don’t represent major threats.

Of course, as a security pro you know it’s your job to think ahead to what might go wrong and take steps to preempt the most likely and dangerous developments. On a rational level, you probably agree that the arms race with the bad guys is still on, and that we’re in a temporary period of calm before the next storm. But you’re human, after all. Consider these questions:

• Are you scheduling upgrades to your organization’s security posture as aggressively now as you were six or twelve months ago, or are you pushing out delivery dates for evaluations or implementations?

• Have you fully secured your network against the wide variety of threats that now occur inside the perimeter (due to infected laptops connecting to the LAN, spyware downloads, keystroke loggers, etc.)? Are you truly confident your Web services can’t be compromised by users connecting with infected PCs?

• Are you pursuing management support for your proposals as aggressively now as you did in the past?

• Have you started taking vacations again and/or getting home in time for dinner every night?

If you’re moving forward just as fast now as you were last summer, congratulations: you have super-human resistance to complacency. If not, beware: this is no time to kick back. This period of relative calm won’t last forever.

Now is an ideal time to harden the core of your network with well-considered and tested measures. Accelerate initiatives to neutralize internal malware and other exploits; enforce compliance with network access policies that require up-to-date antivirus, patches, and other safety measures; and filter out attacks directed at your Web-facing resources. You’ll be glad you did when the next wave of attacks crashes on your shore.