Thankfully our firewall protects us from many illnesses. We all know, though, that human skin is at best marginally effective when it comes to stopping real viruses and weapons-grade anthrax. We cannot live our lives in hazmat suits or bubble tents, and, similarly, we cannot seal off our networks from the world and work through one tiny, filtered opening. So what should we do? We must implement a practical, measured approach to living a reasonably comfortable existence within our germ-ridden Internet.
The key here is "reasonably comfortable." We will catch the flu occasionally, and our corporate networks will get infections. But the Internet is not merely germ-ridden; it's the perfect breeding ground for pathogens. Once you accept this as the Internet's modus operandi, you can build a security program that goes beyond defense to covering health monitoring and treatment.
Most security strategies are primarily defensive. The plan is to stop attacks at the front (firewall), back (server) and/or bedroom (desktop) doors. This plan has zero tolerance for failure because it has no component for diagnosing and dealing with successful attacks. So when the inevitable breach occurs, so do the 2 a.m. phone calls, 24-hour work details and extensive system scrubbing and reconstruction. A more broadly based approach will help you and your staff regain your sanity--and maybe even your lives.
Once you get past defense, your plan must include tools--such as a health monitor--to recognize a sick system. The recent SNMP-vectored ASN.1 attack demonstrated that even routers and hubs need watching. Monitoring is not a new idea, and many security programs include server examinations. However, health checkups are best performed regularly and on every system--not just the ones that appear to be most at risk. What would it take to know that an executive's system has been compromised and is busily seeding disease throughout the body corporate? In answering that question, take care not to devise a health program that is too cumbersome, too frequent or too intrusive. If your network fitness plan is any of these things, it simply won't be used and the funeral processions will march on.
The third critical element of a network health program is treatment. Remedies should not be limited to patch programs that excise the infection 24 hours after the contagion has spread, since that length of time easily could be lethal to a business. A broad approach includes the option to totally rebuild a system--be it a critical server, the CEO's notebook, or a clerical workstation--in one hour at most. To be a successful part of the total security framework, treatment, just like defense and monitoring, takes commitment, planning and the appropriate repair tools.
There's no one right answer for achieving a reasonably comfortable existence within an unforgiving and predatory Internet. We do know that any sound defensive posture will inevitably fail, and we must be prepared to quickly identify and resolve the problem (without depending on future patches to fix it) and get on with our business. I doubt we'll ever stop needing the 2 a.m. calls, but maybe we can back them up to midnight thanks to superior monitoring. And with a treatment plan in place, we'll know how to cure the diseased systems. Maybe we'll even find a way to be safely asleep again by 2 a.m. after the late-night crisis.
Robert Moskowitz is a senior technical director at TruSecure Corp. Send your comments on this column to him at rgm@htt-consult.com.