Around 90% of security breaches occur because attackers take advantage of software that IT staffers have either misconfigured or failed to patch, a Gartner analyst said on Monday during the company's Symposium/ITxpo 2001 in Florida.
By fixing known vulnerabilities and properly configuring software products, IT departments would be able to prevent most security incidents, such as Web site defacements, information theft and denial of service attacks.
"We have met the enemy, and they are us," said analyst John Pescatore.
Most of the malicious code that is unleashed on the Internet simply mimics existing attack scripts and attempts to exploit known security holes for which patches exist. "Internet attacks are 90% imitation and 10% innovation," Pescatore said.
That these types of easily-preventable viruses and worms - such as Nimda and the Code Red - often wreak havoc across computer systems worldwide, proves that many IT departments are simply not showing even basic levels of diligence and care regarding security.
But that must change, said Pescatore. As companies increase their use of the Internet for critical operations, the cost of security breaches will rise significantly in the coming years.
"As your company's use of the Internet evolves, your security programme must lead the way," Pescatore said.
Another big problem is that many IT departments do not have a unified view of their security infrastructure because security initiatives are dispersed among a variety of groups that often fail to coordinate their efforts.
So the team in charge of a company's PCs may load anti-virus software on client machines, while the networking group puts up firewalls and the server people implement wares to protect applications, all the while without checking with each other first to make sure that those products interoperate, he said.
This lack of communication and coordination often leaves security gaps that no one is aware of until it is too late.
Gartner estimates that companies where a variety of groups monitor and manage security will suffer 50% more attacks than those where security management is consolidated. Companies should evaluate products designed to pull together the management and reporting functions of a variety of security tools from different vendors, he said.
"A fractured approach to security monitoring and management leads to security fractures," he said.
Pescatore also made the following recommendations:
- Desktop operating systems, including Windows 2000 and Windows XP, do not provide all the necessary security safeguards client machines need, so most users must buy third-party security software for adequate protection.
- Companies should not go overboard on protecting their systems from internal attacks launched by employees. While critical servers should be guarded, applying the same level of security inside the company that is applied outside could hamper productivity.
- In most cases, trying to find out who launched an attack against the company isn't worth the effort and money. This type of after-the-fact investigation is best left to government authorities.
- Companies should spend extra money to buy security services from their Internet service providers to prevent attacks at ISP level, before the attacks hit companies directly.
- Companies should outsource day-to-day security tasks to outside service providers, to free their internal IT teams to do more strategic security planning and design.
- A company's security strategy and its security policies must evolve and change to support and benefit business processes. Otherwise, security measures will be seen as an impediment and will be abandoned.