Network security: it’s not just about computers anymore
The new economy exposes businesses in new ways, like denial-of-service attacks.
The denial-of-service attacks that recently hit such high-profile Web sites as eBay.com and Amazon.com delivered a wake-up call to companies and consumers worldwide. Once concerned mainly with credit card numbers and confidential data, participants in the new economy were rudely reminded that security is not just about information and that critical business operations can be compromised in other ways. In fact, there are three main parts to security:
- Confidentiality: This is typically what comes to mind when people think about security. Consumers worry about typing in their credit card numbers when shopping online, while companies are concerned with protecting these numbers, as well as other confidential data.
- Availability: The denial-of-service attacks took this away from the targeted companies. In the electronic marketplace, an unavailable Web site can mean big, bottom-line trouble for the affected business.
- Integrity: This ensures systems and data are accurate. For example, if a hacker were able to change the online price of a $100 item to $20 on an e-commerce site, and a customer bought the item, the company likely would be obligated to honor that price.
With these three areas in mind, simple firewalls and other stopgap measures clearly are no longer enough to protect companies doing business online. Businesses now must take a more proactive and strategic look at network security management. Companies must truly consider how their systems are structured and how that structure supports their overall business. Securing computers is a priority, but securing the business should be the ultimate goal.
Here are the key considerations for companies taking a more “holistic” approach to network security management:
- Know the network: During the recent denial-of-service attacks, one of the systems that was used to attack other sites was a remote router for a university, which was literally sitting out in the middle of nowhere collecting and passing data. Some of the sites that were attacked were connected to it, but these companies did not necessarily consider the router a key part of their network. That router, however, turned out to be a critical component because it provided an entry point for the hackers. This illustrates why it is crucial for systems administrators to get a handle on exactly what is on the network and what impacts it. They must map the network and know every entryway and every point at which their system has a trust relationship with another. They must know what the vulnerabilities are and how those might impact the business.
- Update the network: One of the best steps systems administrators can take to protect their network costs nothing: keeping up to date on operating system patches and “hot fixes.” This includes patches not just for computers but also for routers. Just as with updates for basic word-processing software, new fixes come out every several months. Most of these upgrades are free; updating is just a matter of obtaining and implementing them.
- Dedicate time and people to security: Being proactive when it comes to security means investing the time up front to address potential problems. For some companies, this may mean that they need an extra person who focuses strictly on security, maintaining patch levels and knowing the network. Most security problems and attacks can be avoided by investing one simple but valuable resource: time.
- Address security across the entire network—whether big or small: Any company, no matter its size, can become a target for hackers, not necessarily for its own assets but as a place to launch attacks. Organizations that lose money due to hackers often go looking for someone to blame. Even if a company does not need to vigilantly protect its own data, it is important for every organization to show it has done due diligence with respect to security so that it will not be liable for damages. Companies, especially smaller ones, however, do not necessarily have to spend millions of dollars on security. As has been noted, many of the best proactive steps are free.
Unfortunately, liability for denial-of-service and other types of attacks will eventually float downstream to smaller companies who have unwittingly played host to hackers. Whether a company’s network is composed of 10 computers or thousands of computers, strategic and proactive network security management must be a top priority. After all, the problem is no longer just about computer security; it is about business security.
Adams is director of development, enterprise solutions division at Symantec Corp., Cupertino, Calif.