With Internet onslaughts such as last year's SQL Slammer and Blaster, "The threats have changed," says Vincent Weafer, senior director of Symantec's Security Response group in Cupertino, California. You can be attacked directly over the Internet or by e-mail, rogue Web sites, IM, wireless access points, peer-to-peer packages, shared file folders or probably something else tomorrow. Says Weafer, "If you have a system that's exposed, it can be automatically scanned and attacked within 15 to 20 minutes."
Increasingly, small firms are targets for such attacks. That's not because hackers are more interested in your customers per se, but because they "want to compromise your box so they can use it to attack someone else," Weafer explains. What you need, he says, is "defense in depth." That means using a suite of tools to protect both individual PCs and shared network resources, such as an Internet gateway or a messaging server. Weafer also emphasizes the need to regularly update antivirus software, which the latest packages make easy.
Additionally, you must take special care with laptops and other remote PCs. Weafer points out, "You have situations where 90 percent of machines are well protected, and then you bring in a laptop and infect the whole network."
Antivirus makers have taken steps to respond more quickly and predictably to major crises, notes David Perry, global director of education in the Cupertino, California, office of Trend Micro, a security software and services firm. However, antivirus software doesn't do the whole job. You also need a properly configured firewall, regularly implemented security patches for Windows or other critical software, passwords that are enforced, and a company security policy that everyone understands.
Other software tools that are trickling down from larger enterprises could also prove highly desirable. Content-filtering tools not only block spam and access to inappropriate Web sites, but also check for key information coming in or going out, making sure, for instance, that credit card information doesn't go out over e-mail. Intrusion detection alerts you when someone is trying to break in or if a program is logging keystrokes, for example.
Additionally, you should scan your system for vulnerabilities. There are a host of automated tools for this job. You can try some for free (such as Qualys), since the vendors know that security is not a one-shot deal. Alternatively, you may want to bring in a security specialist, especially if you're expanding or making major changes in your network. -E.B.
In the mind-bogglingly complex world of Internet security, a firewall's role seems straightforward: It's software and/or hardware that sits between your computers and the Internet, keeping the nasty stuff out. But firewalls come in many guises, playing a more complex role as threats broaden and integrating with antivirus and other defensive tools.
The firewall bundled with Windows XP is a simple example, blocking inbound access but not addressing other threats such as e-mail viruses or desktop programs that access the Net in ways you don't want.
Stand-alone software products offer much more. For instance, Zone Labs' free ZoneAlarm allows only the programs you've approved to access the Internet and offers very basic e-mail threat prevention. At the high end, ZoneAlarm Pro also locks up personal information and key files on the PC, does content filtering against e-mail viruses and other plagues, and offers many other handy protections. Similarly, antivirus vendors may bundle firewall services with their full-featured suites, such as Symantec's Client Service Small Business Edition and Trend Micro's InterScan VirusWall for Small and Medium Business.
Of course, you can also buy hardware firewalls, which many believe provide better security, especially for network deployment. The trend here is to combine a firewall with "every security service you can think of and plunk it into a single box," says Mark Bouchard, a senior program director at META Group Inc., an IT research and consulting firm with headquarters in Stamford, Connecticut. Growing businesses appreciate the convenience of this approach: you just plug the hardware into the network, do some configuration and you're ready to go. Among the many appliance vendors are Check Point Software Technologies, Cisco Systems, SonicWall and WatchGuard Technologies.
Regardless of which approach companies decide to take, firewalls must be correctly configured so that they are open only for the services that are needed. (Curiously enough, some vendors leave everything open by default!)
Additionally, running personal firewalls on each PC, and not just remote PCs or notebooks, may improve your protection against attacks such as Blaster, which slipped through many main external firewalls. Says Bouchard, "Companies could go a long way to securing their environments by putting personal firewalls on all their PCs." -E.B.
Hackers know where your public Web site lives. And it can be a mighty juicy target, particularly if it's running an e-commerce operation or is hooked into other critical databases.
That means you need to be extremely rigorous about enforcing standard security practices for your Web server. You start by following the laundry list of security recommendations for the software, carefully managing how those operating the site get access to it (simple password protection won't do) and taking other steps, such as turning off services you aren't using. E-commerce operations demand special attention to keep all transactions encrypted and the database secure.
Eric Ogren, senior analyst with communications research and consulting firm The Yankee Group, in Boston, suggests two more defensive weapons for your Web site security arsenal: First, protect the Web site applications by putting security software and/or hardware in front of the Web server that understands what kind of application traffic is appropriate. There's a fast-evolving collection of products for this, from vendors such as KaVaDo, NetContinuum and Sanctum.
Secondly, Ogren recommends installing a network integrity system from vendors such as Arbor Networks and Top Layer Networks. These systems can be seen as successors to intrusion-detection systems, which have been more focused on giving alarms than on dealing with them. Network integrity systems take a more active role in dealing with attacks.
As with any Internet-connected network, you should be sure to scan your site setup for security glitches. In addition to general software tools for network security, Web site security vendors such as KaVaDo and Sanctum offer specialized packages for this.
But for growing businesses, these specialized tools raise a problem: They typically target enterprise operations and are not necessarily cheap or easy to install and run. This suggests that, to get the best protection for your site, you should outsource security to a company already outfitted with a suitable infrastructure. (You may already be doing so if you rent Web and database servers from a host or outsource your entire site and e-commerce operation; there are many other reasons why renting such services can be cost-effective.)
If you choose to go the outsource route, be sure to grill your supplier in detail about its security practices, backup and disaster-recovery expectations. Alternatively, if you choose to do it all on your own, it may well be worth the cost to hire a security consultant. -E.B.