As world events unfold and cyber-terrorism threats move to the forefront, we are increasingly aware our best IT defenses may not suffice. The statement "Our best IT defenses may not be good enough" should be taken very seriously. It is not a writer's hyperbole but a serious warning.
Recent reports have verified viruses are coming at much faster rates and are far more complex. A recent Wall Street Journal story discusses Day Zero attacks as becoming more probable. If you are not sure what a Day Zero attack is, then you potentially are ill-equipped to deal with one (see The Best Offense, below). That is not acceptable to your boss and your shareholders.
Yet doing more during a slow economy seems impossible to many insurance IT executives who are underbudgeted. As insurance providers use Web-based tools to speed application processing, underwriting, policy renewals, claims, and billing, network security becomes mission-critical. It is imperative insurers protect their institutions from the heightened vulnerability of cyber attacks, especially since an hour of downtime reportedly costs insurance providers $1.2 million in lost revenue. Today's "do more with less" thinking increasingly compromises the IT infrastructure and adds to its vulnerability to cyber attacks. The reason? Companies are putting their IT infrastructures at risk due to budgetary constraints. IT executives are choosing between staying up and staying secure. The result is the same as driving without an insurance policy: putting organizations at risk of enormous loss.
IT security, when done right, should be an ongoing process instead of a one-off event. It should be part of a holistic IT environment, where all components (including security technologies) affect the system's health. Organizations typically are divided into two schools of thought. In the first, security is a stand-alone entity; in the second, security is an integrated component of the IT environment. When stand-alone, security may not benefit from the IT planning required to match overall organizational goals. On the other hand, many IT managers have shifted their priority to compliance and relegate security to a one-time event. It's not.
IT infrastructures are only as strong as their weakest links. Consider the area of patch management, involving the monitoring and installation of new patches to prevent virus attacks. This alone can be a daunting task when you consider the effort required to test and retest all the applications for compatibility. Given the rate of patch and bug-fix releases from the most affected vendors, it's a wonder you have the time or resources to get anything else done.
The availability of the network and security go hand in hand. Viruses can reduce uptime to zero, meaning warding them off should be high on the list of things to do to keep the network available. It is generally accepted that 80 percent of virus-related outages are due to the exploitation of known bugs, including bugs for which patches are obtainable. Eighty percent is avoidable. This means insurance companies should be assigning dedicated resources to researching current viruses and the antidotes already out there and ensuring patches are being properly and thoroughly deployed. Also investigate redundant systems so downtime is not an issue.
The larger issue, though, is the responsibility of IT executives to step up to the plate. IT executives' value lies in enabling insurance providers to leverage information to support their revenue, profitability, and productivity goals. This means being proactive in implementing standards-based and reliable security technologies and not overly depending on old systems. Many executives have developed a false sense of security and are becoming too reliant on their firewalls. Anyone who believes a firewall is a simple commodity, needing limited skills to turn up and solve security requirements, is truly exposing his/her organization to any number of dangers.
Given these challenges, how can IT mitigate or avoid an attack altogether? On the technological side, there are several short-term options that should be considered to assure the network is available and secure.
Practice due diligence, including use of the security features and best practices already integrated within most systems and available from most vendors. These can reduce the known vulnerabilities.
Assign purchasing decisions to IT rather than accounting. IT managers are the only individuals who truly can discriminate among systems and solutions, especially where security issues are involved. Price should be an important differentiator but not the sole deciding factor.
Add a dark Web site. A dark Web site typically is hosted off site and is activated only under certain circumstances. Hosting off site eliminates the vulnerability produced by a building casualty. This serves many purposes including customer relations, public relations, emergency communications, and situational awareness.
Create virtual systems and security zones. These allow logical partitioning of your IT infrastructure into separate security domains for traffic, policy, and management separation.
Rely on strategies above and beyond intrusion detection. Although helpful, intrusion detection produces false positives and is subject to human error. When combined with intrusion prevention, however, intrusion detection is more effective.
Be extraordinarily cautious with offshore outsourcing. This popular trend in cost avoidance is opening major security threats from potential malicious code being inserted. Equally problematic is the potential for code theft. Contracts that include nondisclosure may be unenforceable in many countries that offer these services.
IT managers should insist on a holistic planning process to keep security virtually airtight. This is important not only for their organizations' productivity but for their reputations. Building a well-designed, highly secure, and continuously available IT infrastructure that addresses budgetary imperatives is doable. It starts with urging senior management to accept that security is the lifeblood of the IT infrastructure and must be a critical priority.
Robert C. Norton is founder, EVP, and COO of StrategIT (www.strategit.com), a strategic IT consultancy in Westwood, Mass., exclusively focused on the IT infrastructure.
The content of Inside Track is the responsibility of each columns author. The views and opinions are those of the author and do not necessarily represent those of Tech Decisions.
The Best Offense . . .
Day Zero attacks are ones that exploit previously unidentified code flaws. Current antivirus functionality is based on identified or known virus patterns. Once these footprints or signatures are defined, they easily can be included in the firewall defense. If a virus is intended to exploit an unknown flaw, there is little defense with a single-layer solution. However, a multilayer solution looks for, among other things, unusual traffic being sent from the protected site. Measures then can be taken to shut down that specific area.