How to make informed security choices

• Tags:
• Security,
• Cybersecurity,
• Audit

Jonathan Yarden

Published: 02 Mar 2005 13:10 GMT

• 
• 
• 
• 
• 

In less than a decade, Internet security has evolved from an almost esoteric topic to become one of the more important facets of modern computing. And yet it's a rarity to find companies that actually consider information security to be an important job function for all workers -- and not just the IT department's problem.

Unfortunately, it's the general opinion of most companies, particularly at the management level, that their computer systems are secure. However, one of the only ways to determine whether this is actually true is by performing a thorough audit of computer systems. But most companies don't make it a habit of performing regular security audits, if they perform them at all.

In my experience, many companies base their Internet and information security strategy entirely on assumptions. And we're all familiar with that old saying about making assumptions.

But I don't entirely blame companies for failing to conduct periodic computer security audits. Frankly, the complexity and variability of administering and interpreting a comprehensive computer systems audit is equal to the complexity and variability of the systems used in corporations.

Several dozen popular commercial network and computer security auditing programs are currently available. While I've used several myself, I've honestly found no favourites. These tools produce mountains of useful information, but understanding what to do with the data is no simple job.

Most computer network and system security audits begin the same way. An automated program gathers information about hosts on the corporate network, identifying the type of network device. If applicable, it also scans the TCP and UDP services that are present and "listening" on the host, and it might even determine the versions of the software supplying an Internet service.

In most cases, the process involves at least two automated scans -- one of internal networks, which are generally behind a firewall, and one of the Internet subnet used by the corporation. If a security audit doesn't include both an interior and exterior scan, then you're not getting a complete picture of what hosts are on your organisation's network.

In addition, I also recommend that companies perform their own auditing whenever possible. If not, it's vital that you select an Internet security vendor you don't currently do business with.

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed