Security: Inviting Threat?
CIOs will increasingly look for outsourcers who have multiple security management skills (Source: Dataquest)
Head, Security Solutions, Datacraft India

Customers and outsourcing suppliers who engaged in the outsourcing boom three to five years ago are now facing significant security challenges. In particular, the last 18 months have seen a shift in the perception of the security issues that face networking infrastructures.

For the first time, networking products have made it to the SANS Top 20 vulnerability list, with Cisco's IOS getting specific attention. In the past, there was very little attention paid to the possibility of security vulnerabilities in network infrastructure equipment being exploited.

The demonstration given at the BlackHat symposium in 2005 has also contributed to the new perception of network infrastructure as being subject to security issues previously only dealt with in relation to servers and desktop computing resources.

The research firm Gartner recommends that enterprises that run Cisco IOS pay close attention to IOS vulnerabilities, treat them seriously, and follow the guidelines within advisories to upgrade to a newer version of software at the earliest possible opportunity.

In the event of buffer/heap/stack overflow vulnerability exploitation, Gartner recommends that enterprises take immediate action to shield their network by implementing a layered defense, including network-based intrusion prevention technologies, to block exploits while executing normal test-and-patch deployment processes.

The sheer amount of Cisco equipment installed, the many versions of IOS involved, the difficulties of upgrading IOS and the IOS vulnerabilities already out there or yet to be discovered present a major challenge to network administrators and security professionals. This is an aspect that needs to be reflected in outsourcing contracts, or if handled in-house, the amount of effort required should be recognized and planned for.

Security Shift
All these developments resulted in a widespread realization that traditional firewall and antivirus technologies, as covered in original outsourcing contracts, were not able to withstand emerging threats such as self-replicating worms, port 25 (mail), port 80 (Web), P2P exploits and spyware, amongst others. And to compound the external threat, internal IT assets that were infected were infecting other internal assets.

A detection and response strategy within the perimeter was now required to supplement the ailing protection strategy. Many enterprises were also not aware that their insurance policies did not provide cover against malicious code attacks. Other companies that tried to buy coverage found there were few policies being written that protected against digital attacks.

The security industry experienced a very busy year in 2004. There was much piloting and testing of IPS and other appliances to solve specific problems. During this exploratory phase, a key issue for outsourcers and their customers was the question of who was going to take responsibility for paying for the implementation of the technology once they were satisfied with the tests/results.

The biggest error made by organizations and outsourcers was that they thought that deploying this technology would solve their issues. What they did not realize was that they were only solving particular issues, in much the same way as they had done when they invested in firewalls, VPNs and antivirus software. While IPS appliances, application firewalls, host-IPS, desktop firewalls and IDS were being installed, no one considered the fact that security needed to be a holistic process involving people, process and technology.

Outsourcing contracts were modified to include the provision and management of additional security hardware at strategic points within the network. These measures repeated the mistakes of the past. They catered for short-term challenges, but did not make provision for long-term issues.

Copyright © 2008 GLOBAL SERVICES all rights reserved