No business running a network

Ein interessanter Artikel über die Sicherheit von Firmen die Netzwerke betreiben (oder benutzen, was für fast alle Firmen zutreffen dürfte) ist bei eWeek zu finden. Ein interview mit Edward G. Amoroso, Chief Security Officer bei AT&T.

"We have a service where we send out advanced notice that attacks are on the way to customers," he said.

"We'll say, '[Check out] UDP 1712, something's brewing. Looks like a worm is coming.' And they say, 'Oh.' We ask, 'You got anything coming in? Anything going out?' They say, 'I dunno.' Most companies' answer is 'We have no clue.' Or 'We have no budget,' or 'Not enough people,' or this or that, or 'My department doesn't do that.'

"And you say, you shouldn't be running a network. If you can't monitor and understand goesintas and goesouttas of your network, you shouldn't be running a network."

Amoroso hat ein paar Hauptprobleme ausgemacht:

• First, the state of software engineering now is in "an abysmal mode."
• The second issue to Amoroso's mind is that system administration is also in "an abysmal state."

Amoroso plädiert dafür, die Sicherheit für Netzwerke in die Hände seiner jeweiligen Carrier zu legen. Ob die Carrier da mitspielen ist eine andere Sache, aber die Kosten für die Firmen würden sich definitiv reduzieren.

That intimate knowledge of IP traffic can be translated into malware awareness. In this day and age, Amoroso said, AT&T is seeing some 10 million PCs every day that are actively exhibiting scanning behavior. Do businesses recognize it? No, Amoroso said, and yet we still persist in recognizing exploits as an enterprise problem and tell businesses to shut off port 25.

Obviously, things have got to change, Amoroso said. "We need to redefine our relationship. We have a broken relationship between carrier and end user."