There are no quick fixes to this growing problem. One thing, however, is almost certain: The growing body of lawsuits on identity theft, medical record theft, software security, safety and reliability issues will lead to federal and/or state regulation.
While no one welcomes this prospect, it is due to the inability and unwillingness of the software industry to police itself. BTW, the identical thing occurred with the automobile industry in the early 1900s.
Now, we have the NTSB (National Transportation and Safety Board) and other organizations charged with ensuring travel safety. If we are not careful, we could easily end up with the "National Software Safety Board" or something like that.
In the meantime here are some helpful suggestions which, if carefully followed, will reduce your risk:
- Recognize and acknowledge that desktop technology is not secure and was never intended nor designed to be secure. So, do not deploy critical applications on such systems. Just don't do it. The desktop is best suited to serve as an interface to a centrally-managed, secure application using a very thin-client architecture. Professional IT people may not like to hear this, but that's just reality.
- If something is available via a web browser, it can be hacked. All web browsers on desktop operating systems are vulnerable. So, do not allow browser-based access to anything critically important. Use a thin client like XLIB for desktop to support a centrally-managed GUI rather than a browser. Again, professional IT people may not like to hear this, but this too is just reality.
- Understand that your network will always be polluted to some extent. The TCP/IP protocol is flawed because it permits challenge/response without authentication. So, it will always be possible to do remote foot-printing, scanning and enumeration – which are the three essential steps in the hacking process. Proper firewall configuration – and the use of only “stateful” firewalls – will help a lot but these technologies cannot completely prevent unauthorized traffic.
- Deploy critical applications only on secure O/S platforms. If the O/S itself is not secure, the application deployed on top of it cannot be secure - no matter how the application is designed and coded.
- Spend the money to design new systems right the first time. It is never cheaper to redo or to "fix it at system integration time". That never works. Also, the opportunity cost of not having the system deployed properly can be huge, since internal corporate databases can get polluted quickly.
- Plan for “rolling upgrades” with system segmentation. Use multi-vendor standards for GUI, database access and network communication. That way, you can upgrade portions of your system without disturbing the rest of it. Multi-vendor standards (e.g., XLIB, XML, etc.) ensure that you have alternative sources for critical pieces of software.
- Keep the IT and software application architecture flexible via intelligent system segmentation. This lets your IT systems adapt and scale upwards as your business needs change. A flexible architecture lets you incorporate new display, storage, computer and communication technologies as they become available. A well-architected and well-engineered IT system enables your organization to do new things whereas a poorly-designed system severely limits growth. Remember that the IT systems that you are wrestling with today was someone's dream a few years ago!
- Choose stuff because it works, it’s reliable, secure and scalable – not because it’s cheap or convenient. The money that you save in the long run will far outweigh the extra up-front cost.
© 2010 Dr. Steve G. Belovich, IQware, Inc., CEO