A few weeks ago we posted a blog on security and paying attention to details (see – Good Security Is All About Planning, Execution, And Paying Attention to Details). While this blog was intended to address a broad approach to security, some readers felt we should have included more on security breaches associated with computing and software systems.

Computing system security is a huge problem and we hope the following touches on a few of the relevant security concerns. However, first we just want to reiterate that security is everyone’s business, not just your IT departments. That’s a point worth taking the time to contemplate, because security is like a chain and those individuals bent on causing trouble will find and exploit the weakest link.

“The ZeuS Compromise” may sound like a great movie, but it’s actually a newly uncovered, massive hacking network – and it’s a doozy. According to a recent news report, it has already affected more than 74,000 PCs in 2,400 business and government systems around the world. The computers were infected with spyware called ZenS, which is freely available on the Internet.

But worse, the security analysts who detected the underground network believe the criminals behind it aren’t even after money. Instead they have built a secret underground network to rent out to gangs, cybercrooks, and even rogue governments.

The threat is global and constantly growing. Toralv Dirro, a security strategist with McAfee, points out that there are “a few thousands” of such networks (referred to as botnets). He said that, “With 75,000 machines, The ZeuS Compromise is a big botnet, but we’ve seen much bigger, unfortunately.”

According to Dirro, around 4 million new computers are being added to these botnets each month. Companies need to be aware that not just consumer machines but users inside corporate networks are becoming part of these networks. He hopes these latest revelations inspire companies to become more proactive about protection.

Security Is All About Business Continuity

A key objective of any security system is to ensure that business processes continually function.

Security experts and analysts are warning that the timeline between finding system vulnerability and correcting it before a hacker strikes is shrinking. Many will remember the Slammer worm (Jan. 2003) followed by the notorious Blaster worm (Aug. 2003), which some estimated cost U.S. businesses billions of dollars in lost revenue. It hit servers and computers barely a month after Microsoft found the vulnerability and issued a patch. And a month apparently wasn't enough time to protect all the computers and host systems out there.

Actually, a month was plenty of time. However, inertia (i.e., not installing the patch immediately) resulted in one of the worst Internet slowdowns in history. Overcoming inertia is something we will all have to do, because not only do the attacks keep coming, experts predict faster attacks, and on system vulnerabilities for which there are no patches. Soon, you'll have just a few hours to take steps to secure your systems, then there will be no time at all before a worm or virus strikes. It's better to develop good habits now.

Patching can be a time consuming and disruptive process, which is one reason many companies delay action. Software vendors are of course working to develop automatic patching processes with some success. But until those processes are 100% dependable, it's up to everyone to ensure that when a patch becomes available, it's installed immediately. For some real-time systems using Microsoft software, that can be an issue as the patch may interfere with the real-time features of the system. Work with your system partner to ensure that patches don't delay operations.

What Can You Do To Secure Your System?

It would be nice if software came without vulnerability. Vendors are working on that, too. It’s complicated and it takes time to develop and test resilient and bug-resistant code. You can insist on vendors developing code with security issues in mind. And, you can be realistic about how long and how much this will cost. By comparing the cost of a secure program against a virus bringing your supply chain to its knees – spending a little more up front now is better than a lot more later.

NetWitness CTO Eddie Schwartz agrees, noting that his company’s software is more effective at detecting this type of attack than many common commercial packages, which often rely upon databases of known threats. Their NetWitness Investigator software (which can be downloaded for free at http://download.netwitness.com/download.php?src=DIRECT ) instead acts like an instant replay button for your network, letting analysts “mine” through the traffic to look for irregular activity.

Ian Huynh, VP of Engineering at HubSpan (http://www.hubspan.com/), provided the following security questions supply chain logistics execs should ask when evaluating a computing services provider:

• How does your vendor plan on securing your data?
• Do they secure the transactional data as well as the data at rest?
• How often are they audited? By what groups? (List common industry practices)
• What certifications do they possess? (List some of the key standards)
• How does your vendor detect a compromise or intrusion?
• What are their disaster recovery plans and how does data security figure into those plans?

Executives and IT personnel can set policy and procedures all they want, but unless those directives are communicated clearly and enforced, your systems will be easy to attack. Executives need to do a better job of prioritizing security, and employees need to really execute the plans.

This brings us to some bad habits we need to eliminate. These include such no-no's as writing passwords on Post-It notes and sticking them to computers, connecting any cell phone to the corporate website, working from home on a laptop computer with no firewall software - you get the idea. It's up to every manager to ensure that security directives are taken seriously.

Final Thoughts

While the automobiles we drove years ago were not originally equipped with seatbelts, sometime in the 70s/80s seatbelts became standard in all new passenger automobiles. In the last decade or so, states enacted laws mandating that they be used. Now, without even thinking about it, most drivers and passengers alike buckle up before driving off – it’s the law, but more importantly, it has become a safety habit. And that’s the way safety and security in cyberspace should be – a matter of habit.

Anyone and everyone who uses a computer, cell phone, laptop or other electronic device that connects to corporate communication, web and Internet-based systems must develop good habits regarding security. Your operations and processes as well as your livelihood are at stake.

Agree or disagree with Holste's perspective? What would you add? Let us know your thoughts for publication in the SCDigest newsletter Feedback section, and on the website. Upon request, comments will be posted with the respondent's name or company withheld.

You can also contact Holste directly to discuss your material handling or distribution challenges at the Feedback button below.