Where our team of editors discuss what they think about the current BM issues.

I have been in technology and security since before technology and security were cool. I often hearken back to the days when the business would come up with an idea, only to have IT shoot it down based on technical incapability or security risk. And we’d all go back to playing Duke Nukem at our desks.
If you haven’t been paying attention, the landscape has changed so much since then that it’s almost unrecognizable. IT dudes and dudettes don’t wear baggy jeans anymore that barely cover up their tattoos. Instead, they are now well-dressed men and women who are respectfully referred to as “IT Professionals”.
And as IT professionals we now go to meetings; make recommendations and decisions on business issues; recommend and buy software, hardware and services; and even have to answer to management when things fail, don’t go as planned or run over budget. For better or for worse, we are a completely viable and essential part of the business model, and that business model has changed… a lot.
In the late 90s businesses knew they had to be part of this new revolution. They needed email, they needed a website, and they needed online ordering. They didn’t know why they needed it other than their competition had it, and their nephew recommended it, and the last thing they wanted was to be left behind. The race was on!
Then all of a sudden out of nowhere – CRASH! The dot-com bubble burst. Businesses and technology progressed more slowly and much more carefully. Caution ruled the IT world once again. Nothing else mattered except making sure that the corporate website, email, remote site connectivity and our networks were safe again.
If there was going to be a potential problem, we would block it at our firewall, update virus definitions in preparation for that new virus that might get wild and crazy over the next few days, defend what we own, and go back to our core business. We knew the edge of our network and we placed a stake in the sand with our employees. If we had had any idea what was coming, we would have thought this was easy.
While we were all busy defending our perimeters, a new breed of websites and technologies started to emerge. First, there was MySpace. Then a little over a month later, we had Facebook. Of course, the business world paid little attention to these new “social media” sites. After all, these were websites for the Generation Y and maybe Generation Z crowd, but certainly not for the more serious and professional Generation X masses. So what did we do? We quickly identified them as productivity killers, and we began blocking them.
Then businesses slowly began to realize that the real power of the Internet lies in what everyone else is saying about your product, not what your marketing is pushing about your product. Gone are the days of “you talk, they listen.” Instead they interact, recommend, slander, suggest and promote everything they see, hear, touch and buy on websites like MySpace, Facebook, YouTube, Viddler, Seesmic, Twitter, Flickr, Gather, Yelp – the list goes on. Companies are realizing that the productivity-killing, malware-laden social networking sites they worked so hard to block are now integral parts of their businesses. Companies also recognize that these sites are not one-way vehicles to market themselves, but rather two-way avenues to help them hear what others are saying about them (you are using Google Alerts, right?). In fact, companies are now encouraging their employees to blog and engage in one-on-one conversations with customers. Even HR departments are now using MySpace and Facebook to investigate potential new hires. The Internet now doesn’t just distribute information, it provides an interactive medium for everyone to join in and give their opinion.
Of course, there are those who still think the Internet needs to be locked down – or at least tightly controlled. Sure, you can block these sites for everyone but Marketing and HR, but can you block all of the proxy sites that let your users still get to the sites you just worked so hard to block? And if you can, just how much are you willing to pay an IT professional to make this a nearly full-time job? Oh wait, back to Marketing and HR, what are you doing about the zero-hour threats that emerge before anti-virus companies even know they exist, much less have signatures for them available for you to download, install and push to all clients in your network, provided they are not offsite at a hotel or café and they launch a browser before you can remotely push updates to them?
Let’s assume, for argument’s sake, that you bury your head in the sand, pretend the Internet isn’t evolving into a user-contributed marketing tool for business and you block all of the known bad sites and only allow access to sites you know and trust. That’s cool and that’s your choice. But when that page pops up and there is that awesome “how did they do that” banner ad on the site, aren’t you going to wonder where that advertising content came from? Was it provided by “Bob” that runs the site you know, love and trust? Chances are, it isn’t. In fact, it probably came from an online advertising company, that outsourced to a reseller, that got the ad from an agency over which they have no control. Welcome to malware 2.0! So complex and deep are the threats of today, that most times you can’t see them coming. And even if you could, you couldn’t block or prevent them from hitting your network without some significant on-site infrastructure – which by the way doesn’t protect roaming users outside of your network.
While the hackers sitting in the dark corners of the Internet were working diligently to exploit the next router, firewall or web server bug, the spammers of the world were making only slight modifications to the content they sent and the way in which they sent it to bypass spam filters. Even if they only got a few thousand emails through your spam protection over the course of a few hours, a click is a click and a click is success. It didn’t take long for the hackers to realize that spammers were on to something. Clean, smooth advertising and convincing images that lured trusting users to click on that link for the full story of Sarah Palin dressing an elk while wearing a bikini, or Senator Biden sleeping at a press conference were the way to go. The emails that used to be nothing more than a simple annoyance have now become a major security threat. So stealthy and sophisticated, these next-generation email-borne threats often have no visible payload at all. Instead, they simply install a backdoor that can be exploited later by a botnet or keystroke logger, just waiting for you to log into the administrative side of your public web server or corporate bank account.
It’s not just about threats and viruses. Bandwidth is at risk too. Take a look back at the last 36 months of your bandwidth usage. Is it commensurate with employee growth rate? With each passing day we all become more connected, and each of these connections costs us. Maybe not in actual dollars, but it costs us in bandwidth and lost productivity. Users wait longer for emails. They wait longer for websites and remote applications to load. And all because your routers, firewalls, switches and servers are busy denying traffic they don’t want. Simply put, the good stuff waits in the same bandwidth line as the bad stuff.
There is no question about it, the landscape has changed. The business model has changed and the things we access have changed. iPhones, Blackberries, Windows Mobile devices, USB drives, laptops and social networking sites are all critical components of our everyday work lives. And that once impenetrable edge of our network has all but vanished too. IT no longer has the latitude to say something cannot be done. The buzzword of the new millennium is revenue. And if there is revenue to be had, your job is to figure out how to make it happen as safely, quickly and cheaply as possible.
I believe it was Albert Einstein that said the definition of insanity is doing the same thing over and over again but expecting different results. Your network and desktop firewalls are still as vital as ever. The critical need to have anti-virus software on the desktop hasn’t changed. What has changed is that it’s no longer enough. Moving early detection and protection outside the network (or in the cloud) just makes sense. Protect your infrastructure from email-borne threats and the distribution of possibly company-damaging information by using both inbound and outbound email filtering that is “in the cloud.” Protect your employees and your infrastructure from web-borne threats by using “in the cloud” web defense services. Get away from the click-and-pray email restores from a three-month-old tape by utilizing “in the cloud” email archival services. Some other reasons why “in the cloud” defense and protection make sense:
Nearly 1,000 years ago castles were protected in layers by being built on hilltops with high walls, thick, strong doors, steep entrance ramps and moats because their builders knew a single layer of protection was a bad idea. Is there any reason we as IT professionals are not doing the same thing?