Tip

Security on the cheap



Last month, I predicted that despite all the increased talk about security in the wake of the Sept. 11 terrorist attacks, most companies wouldn't add much, if anything, to their security budgets

    Requires Free Membership to View

for 2002.

So my editor asked me, quite naturally, for a list of things security managers could do to beef up security without spending a boatload of money. I've come to the conclusion that when it comes to security, there's no such thing as a free lunch. There are free appetizers -- inexpensive or even free things you can do to close obvious security holes or to secure servers or network gear from a single vendor.

But you'll quickly start running up a tab as you try to protect yourself against some of the more obscure or ambitious attacks out there. That's not just because security tools rapidly get more expensive as you need the capability to secure multiple vendor environments, but also because securing your organization well takes time. It takes time to assess vulnerabilities, weigh the business risk against the cost of protecting a given system, keep up with new threats and analyze new security tools. Even if every firewall and intrusion-detection system were free, you would still need to spend time to implement them properly -- and time is, eventually, money.

Having gotten that out of my system, here are some basic ways to improve your security at relatively low cost and with a reasonable amount of work.

  • Configure what you've already got. Don't just run server or desktop operating systems as they ship from the vendor, says Giga Information Group Analyst Michael Rasmussen. Out of the box, he says, Microsoft's desktop and Internet Information Server (IIS) "are horribly insecure." On its Web site, Microsoft lists basic security changes administrators should make in products such as Windows 2000 and IIS. This includes making sure that all disk partitions on the system are formatted with NT File System to take advantage of its superior security features; configuring the "administrator" account to make it harder to hack; and shutting down unnecessary Web services that could serve as a launching point for crackers. Microsoft also offers an IIS lockdown wizard that allows the administrator to disable services such as SMTP and HTTP so hackers can't use them to launch attacks.

    Unix servers also ship with vulnerabilities that can be easily fixed, such as allowing users to access password files using the Trivial File Transfer Protocol and default account passwords that provide easy entry for crackers. One such list of such basic vulnerabilities and how to fix them is available at http://www.cert.org/tech_tips/unix_configuration_guidelines.html#A.

  • Patch and update what you've got. One simple example: Make sure the antivirus software you've already purchased is configured to automatically check the vendor's Web site for updates. Finding, checking and installing security patches for operating systems and applications is a more complicated problem that I'll tackle in a coming security tools roundup for searchSecurity. But you can at least keep informed about the latest patches by subscribing to any one of a number of security newsletters. Some vendors also offer free tools or services to manage their updates. For example, Microsoft's Web-based Personal Security Advisor scans a user's machine for missing patches, as well as other security vulnerabilities. Unfortunately, most of the free scanning and updating tools work only with software from a single vendor. Systems that work across vendor platforms can cost upwards of $1,000 per server, says Rasmussen.

  • Don't forget about the security tools which are free, low-cost or bundled with other software. Perhaps the most well known is Zonelabs Inc.'s ZoneAlarm firewall (free for individuals or non-profits, $19.95 for business users.) Windows XP has a built-in firewall, and other vendors have released low-cost firewalls, sometimes combined with other security products. Symantec Corp.'s Norton Internet Security 2002, for example, combines firewall, privacy, antivirus and content filtering capabilities for about $70 per user. Again, remember to configure these tools for your environment and to check for patches and updates to them.

  • Take advantage of all that free security information on the Web. Besides the sources already mentioned and various vendors' Web sites, the SANS (Systems Administration, Networking and Security) Institute offers updates on security threats and countermeasures. The National Security Agency offers guidelines for securing Windows systems and Cisco Systems' routers, among other guidelines, and the FBI's National Infrastructure Protection Center posts recent security alerts.

    Of course, nobody can live on such security "appetizers" forever. But if you're willing to put in some time and effort, they will get you at least a basic level of security without breaking the bank.

    About the author
    Robert L. Scheier writes about security from Boylston, Mass. He can be reached at rscheier@charter.net.


    This was first published in January 2002

  • There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.