that despite all the increased talk about security in the wake of the Sept. 11 terrorist attacks, most companies wouldn't add much, if anything, to their security budgets for 2002.
So my editor asked me, quite naturally, for a list of things security managers could do to beef up security without spending a boatload of money. I've come to the conclusion that when it comes to security, there's no such thing as a free lunch. There are free appetizers -- inexpensive or even free things you can do to close obvious security holes or to secure servers or network gear from a single vendor.
But you'll quickly start running up a tab as you try to protect yourself against some of the more obscure or ambitious attacks out there. That's not just because security tools rapidly get more expensive as you need the capability to secure multiple vendor environments, but also because securing your organization well takes time. It takes time to assess vulnerabilities, weigh the business risk against the cost of protecting a given system, keep up with new threats and analyze new security tools. Even if every firewall and intrusion-detection system were free, you would still need to spend time to implement them properly -- and time is, eventually, money.
Having gotten that out of my system, here are some basic ways to improve your security at relatively low cost and with a reasonable amount of work.
Configure what you've already got. Don't just run server or desktop operating systems as they ship from the vendor, says Giga Information Group analyst Michael Rasmussen. Out of the box, he says, Microsoft's desktop and Internet Information Server (IIS) "are horribly insecure." On its Web site, Microsoft lists basic security changes administrators should make in products such as Windows 2000 and IIS. This includes making sure that all disk partitions on the system are formatted with NT File System to take advantage of its superior security features; configuring the "administrator" account to make it harder to hack; and shutting down unnecessary Web services that could serve as a launching point for crackers. Microsoft also offers an IIS lockdown wizard that allows the administrator to disable services such as SMTP and HTTP so hackers can't use them to launch attacks. Unix servers also ship with vulnerabilities that can be easily fixed, such as allowing users to access password files using the Trivial File Transfer Protocol and default account passwords that provide easy entry for crackers. One list of such basic vulnerabilities and how to fix them is available at http://www.cert.org/tech_tips/unix_configuration_guidelines.html#A.
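As an added illustration (not from the article, Microsoft or CERT), the shell sketch below audits the two Unix defaults mentioned above: an active tftp entry in an inetd.conf-style file with no restricted directory, and accounts shipped with an empty password field. The function names, the "-s" restricted-mode flag and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example; sample data below is constructed, not from a real host.

# Report active tftp entries in an inetd.conf-style file that carry no
# restricted-directory flag. Assumption: "-s" is the daemon's secure
# (chroot) option; check your vendor's tftpd manual page.
audit_tftp() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines
        $1 == "tftp" {
            secure = 0
            for (i = 7; i <= NF; i++) if ($i == "-s") secure = 1
            if (!secure) print "UNRESTRICTED_TFTP line " NR ": " $1 " -> " $6
        }
    ' "$1"
}

# Report accounts whose password field (2nd colon-separated field of a
# passwd- or shadow-style file) is empty, so no password is required.
audit_empty_passwords() {
    awk -F: '!/^#/ && $1 != "" && NF > 1 && $2 == "" { print "NO_PASSWORD " $1 }' "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/inetd.conf" <<'EOF'
# constructed sample
ftp    stream tcp nowait root /usr/sbin/in.ftpd  in.ftpd
tftp   dgram  udp wait   root /usr/sbin/in.tftpd in.tftpd
#tftp  dgram  udp wait   root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
EOF
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
guest::500:500:demo account:/home/guest:/bin/sh
lp:*:7:7:lp:/var/spool/lpd:/bin/false
EOF
    audit_tftp "$tmp/inetd.conf"
    audit_empty_passwords "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

Point the two functions at the real /etc/inetd.conf and password file on a host to get the same report; an empty result means neither default was found.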
Patch and update what you've got. One simple example: Make sure the antivirus software you've already purchased is configured to automatically check the vendor's Web site for updates. Finding, checking and installing security patches for operating systems and applications is a more complicated problem that I'll tackle in a coming security tools roundup for searchSecurity. But you can at least keep informed about the latest patches by subscribing to any one of a number of security newsletters. Some vendors also offer free tools or services to manage their updates. For example, Microsoft's Web-based Personal Security Advisor scans a user's machine for missing patches, as well as other security vulnerabilities. Unfortunately, most of the free scanning and updating tools work only with software from a single vendor. Systems that work across vendor platforms can cost upwards of $1,000 per server, says Rasmussen.
Don't forget about the security tools that are free, low-cost or bundled with other software. Perhaps the best known is Zonelabs Inc.'s ZoneAlarm firewall (free for individuals or non-profits, $19.95 for business users). Windows XP has a built-in firewall, and other vendors have released low-cost firewalls, sometimes combined with other security products. Symantec Corp.'s Norton Internet Security 2002, for example, combines firewall, privacy, antivirus and content filtering capabilities for about $70 per user. Again, remember to configure these tools for your environment and to check for patches and updates to them.
Take advantage of all that free security information on the Web. Besides the sources already mentioned and various vendors' Web sites, the SANS (Systems Administration, Networking and Security) Institute offers updates on security threats and countermeasures. The National Security Agency offers guidelines for securing Windows systems and Cisco Systems' routers, among others, and the FBI's National Infrastructure Protection Center posts recent security alerts.
Of course, nobody can live on such security "appetizers" forever. But if you're willing to put in some time and effort, they will get you at least a basic level of security without breaking the bank.
About the author
Robert L. Scheier writes about security from Boylston, Mass. He can be reached at firstname.lastname@example.org.