The IT Security Paradox

Imagine you’re the CEO of a major bank. Now, imagine paying more and more for security guards, only to find that the risk is increasing, not decreasing, due to threats that can’t be countered by security guards. That’s the situation facing today’s CIOs and software managers, who continue to increase spending on IT security — only to face a growing list of digital threats.

Indeed, U.S. businesses now spend roughly four percent of their overall IT budgets on security, up from 2.5 percent a few years ago, according to International Data Corp., a research firm in Framingham, Mass. Unfortunately much of that money may be misspent. While many organizations continue to pump millions of dollars into enterprise perimeter security, they often overlook the critical need for endpoint security.

“Endpoint security is here today, and it is more than personal firewalls and antivirus software,” noted Michael Rasmussen, director of research at Forrester Research Inc. in Cambridge, Mass., in a recent research report.

Understanding the Endpoint

Proper endpoint security involves several key attributes. When a desktop or notebook connects — whether attached directly to the corporate network or remotely via a VPN tunnel — endpoint security verifies that the system is hardened, properly patched, running up-to-date antivirus software, and that the host firewall is running the proper rules. All this must occur before the endpoint system is permitted to connect to the corporate network, according to Rasmussen.

The stampede toward endpoint security comes as hackers move beyond digital joy-riding and seek financial gain. Indeed, today’s hackers are trying to infiltrate systems — particularly endpoint systems or network holes — and potentially profit from them.

Dangerous Trend

This trend originally surfaced in 2000, when a hacker infiltrated networks at the Bloomberg financial news service. The hacker attempted to extort $200,000 from Michael Bloomberg, now mayor of New York. In return, the hacker promised to remain silent about the security breach and offered to give Bloomberg detailed information about the security hole in his network. The hacker was ultimately convicted of attempted extortion.

In 2003 Lowe’s Companies Inc. came under attack through an unsecured WiFi access point at one of its Detroit locations. Aspiring hacker Brian Salcedo used the access point to penetrate Lowe’s corporate IT systems in North Wilkesboro, N.C. During the hack, he installed a program on the retailer’s central systems that to hijack credit card information.

In December 2004, Salcedo was sentenced to nine years in prison for the hack. His two accomplices still awaited sentencing as this article went to press.

“The Lowe’s example is the type of situation we’re all guarding against,” said Jill Cherveny-Keough, director of academic computing at New York Institute of Technology, a college that operates one of the largest wireless networks on Long Island. “People are always trying to probe wireless networks for holes.”

Worsening Problem

The problem is only getting worse. Seventy percent of large organizations suffered at least one e-crime or intrusion in the past year, according to Carnegie Mellon’s famed Computer Emergency Response Team. Many of those digital crimes involved hijacked endpoints that were used to propagate distributed denial of service (DDoS) attacks, phishing expeditions, worm outbreaks, malware and spyware.

IDC estimates that 67 percent of all computers have some form of spyware. Proper endpoint security — involving automated stateful inspection firewall and properly updated anti-virus software — can go a long way toward minimizing or eliminating spyware and malware.

Yet many organizations fail to implement proper endpoint security. Government systems are particularly at risk. Only 70 percent of federal IT systems are considered secure according to a recent report from the White House Office of E-Government and IT. In other words, 3 out of 10 federal IT systems are likely open to attack.

One exception is the U.S. Department of Justice, which in November 2004 embarked on an aggressive endpoint security strategy, according to Ted Shelkey, assistant director of security at the DOJ.

Mitigating Risk

The strategy calls for the DOJ to maintain centralized control over endpoint security policies. The effort will also include audit reports that show how the department maintains compliance with FISMA (Federal Information Security Management Act). “We now have the ability to control security policies automatically, where none existed before,” said Shelkey.

“We wanted to mitigate the risk of information theft, and prevent the inadvertent introduction of malware into our environment,” added Brenda McClure, director of computing environment and enclave defense at the department. “For example, what if somebody plugs into the network and there’s a virus on their system or thumb drive. Without proper endpoint security in place, that scenario would allow the virus to enter our network directly — and thereby bypass our Internet gateway and firewalls.”

With proper endpoint security in place, such a scenario is effectively eliminated, McClure said.

Tackling Compliance

Compliance issues — such as Sarbanes-Oxley and HIPAA — also drive corporations to increase their endpoint security. Without proper controls in place, CEOs and CFOs could wind up paying a steep price — including fines and prison terms — for shoddy security practices.

“Government mandates and regulatory requirements put heavy demands on corporations. They must be able to demonstrate that internal controls and technologies are in place to ensure network reliability, data integrity and privacy,” said Charles Kolodgy, research director of Security Products at IDC.

“Security policy compliance and enforcement are among the most difficult technology challenges today,” added Bill Malik, vice president of technology research at Aberdeen Group, a technology research firm in Boston.

In addition to securing their networks and servers, corporations should consider a comprehensive endpoint security enforcement solution that checks system integrity, prevents intrusions, and controls wireless connectivity and removable storage devices, according to Malik.

False Sense of Security

Many organizations are embracing VPNs (virtual private networks) to enhance security. In fact, 82 percent of companies deployed VPNs in 2004, up sharply from 55 percent in 2003, according to Forrester Research. But VPNs can provide a false sense of safety. Without proper endpoint security in place, hackers can use hijacked VPNs as conduits to pump viruses, worms and other malware into corporate networks.

“Even though the VPN connection is trusted, there’s still a need to harden, secure and authenticate the endpoint before allowing any PC or notebook computer onto a network,” said Edward Golod, president of Revenue Accelerators Inc., a consulting firm in New York.

Translation: IT security is no longer about perimeter security. It must now include proper endpoint security.