IT safeguards need their own security
Maintaining computer security can eat up work hours for information technology (IT) staff. While safeguards can be knocked out by hackers or disabled by software patches, they are often turned off, intentionally or unintentionally, by employees using the computers, which opens the door to information thieves, according to a survey by Santa Clara, Calif.-based Intel and Cupertino, Calif.-based Symantec. Public sector IT departments are addressing the problem through specific policies and new technology.
The August 2006 phone survey of 300 IT managers in the private and public sectors found that respondents spent 25 percent of their time repairing broken or disabled safeguards, and 65 percent of the respondents said that resulted in increased overtime expenses. Eighty-nine percent were concerned about hackers and Trojan horse viruses shutting off the safeguards, and 64 percent said they see those issues as a rising problem. Eighty-three percent were worried about application patches disabling the safeguards, and 82 percent were concerned about employees disabling the safeguards on agencies’ machines. Half of the respondents said the latter is growing more common.
While employees sometimes unintentionally turn off the safeguards, some deliberately disable them to download unauthorized programs or send confidential information outside the network. Safeguard disabling and other human errors are the most common causes of the loss of sensitive data, such as Social Security and credit card numbers, according to the Altamonte Springs, Fla.-based Institute of Internal Auditors and the San Francisco-based Computer Security Institute.
According to the survey, strict computer policies are one of the top methods respondents used to protect safeguards. Phoenix, which employs 16,000 workers, has created a multi-layered security system and established strict policies outlining computer use, such as requiring users to report incidents quickly, and to install and maintain virus protection and firewall programs. Users also are prohibited from disabling virus scans on personal computers. “Failure to comply can lead to discipline up to termination,” says Phoenix Deputy CIO Don Eginton.
State and local governments must be careful to create policies that do not violate the constitutional rights of their employees, says Frederick Joyce, an attorney with the Washington-based Venable law firm. Governments have limitations that private companies do not, such as complying with “whistleblower” protection statutes, collective bargaining agreements and First Amendment freedom of speech protections. “The point is to be consistent about those policies, to clearly spell them out to employees, and then to honor them,” he says. “They can’t be arbitrarily adopted.”
To supplement policies, survey respondents reported using new technology called virtualization, which allows IT administrators to run multiple operating systems on one machine using specialized software. Montgomery County, Md., has been using virtualization software from Palo Alto, Calif.-based VMware for four years. Server Support Manager Todd Harper says the software creates “virtual machines” (VMs) that can be deleted if they become infected, without compromising the rest of the system. “If you infect your physical machine you may have to reinstall everything,” Harper says.
Although Montgomery County has not specifically begun using the software for security, it uses VMs to test new applications with open-source software without risk to the rest of the system. Currently, most viruses cannot move from one VM into another. Virtual technology also allows administrators to create one highly secure VM while others can be more accessible. “It is the future,” Harper says.
Information technology (IT) departments in the public and private sectors spend about 25% of their time fixing disabled security safeguards.
An average computer user needs to have disabled or mis-configured safeguards fixed about 20 times a year.
IT departments spend approximately 10 hours fixing each safeguard, while the users experience an average of nine hours of downtime for each incident.
28% of successful malicious attacks on computer systems are caused by compromised security safeguards.
Source: Santa Clara, Calif.-based Intel and Cupertino, Calif.-based Symantec’s “Safeguard Disabling and Virtual Security Survey,” August 2006.