Look in the mirror: those bags under your eyes, that sallow skin, the haunted look. You must work in IT. Between keeping the network running and dealing with hackers, slackers, and clueless managers, it's a wonder you get any rest at all.
But if you think you're losing sleep now, just wait. A batch of new problems is about to make a good night's sleep even more elusive. Nightmare scenarios include VOIP security breaches, scary data leaks, rogue software infestations, configuration calamities, and creepy compliance concerns. By all accounts, there's good cause to sleep with one eye open.
Things That Go VOIP in the Night
In November 2004, Edwin Andres Pena allegedly paid suspected computer hacker Robert Moore US$20,000 to steal more than 10 million minutes of VOIP telephone service so Pena could resell them to unsuspecting customers. But the hacker didn't attack Vonage or any of the second-tier VOIP providers. He went after an investment firm in N.Y., which had no clue its network had been hacked.
As enterprises increasingly replace segments of their traditional phone systems with VOIP, they put themselves at risk for what Covergence CTO Ken Kuenzel calls "phone flu" -- attacks that target weaknesses in the Session Initiation Protocol that VOIP applications employ.
"The problem is we've not yet applied the same security principles and models to the SIP protocol that we have to HTTP and SMTP," says Kuenzel, whose company sells VOIP security solutions. "It's a situation where systems are vulnerable to all sorts of attacks and intrusion."
Aside from denial or degradation of service, VOIP attackers could eavesdrop on your calls or steal passwords and other sensitive information. They could also record voice packets and inject them into other conversations -- conceivably, capturing your voice saying "buy" or "sell" and playing it back to an employee during a call. And once they're in, little can prevent them from accessing the rest of your network.
"With VOIP, it's significantly easier to disrupt communications from remote locations," says Richard Telljohann, manager of security software at IBM Tivoli. "The same worm that takes out your e-mail system can also take out your phones."
WorldxChange, a New Zealand VOIP provider, uses Covergence's Eclipse software to secure VOIP service for its commercial and residential customers. Many IT pros fail to take into account the complexity of VOIP deployments, says Phillip Moore, operations manager for WorldxChange. He says they don't pay enough attention to signaling and media security, port restrictions, firewall rules, account access, and provisioning information.
"If IT managers want to sleep better at night, they need to apply the same security practices to voice that they have to e-mail and Web traffic," Kuenzel says. "They know what to do and how to do it, they just need to deploy products that bring these new apps in line with their tried-and-true security models."
The Data Leak Under the Bed
It seems you can't open a newspaper without encountering yet another story about a calamitous data leak. Bank of America, ChoicePoint, Citibank, Ernst & Young, the Veterans Administration, Wells Fargo -- all have collectively misplaced millions of records over the past two years.
Bob Gligorea knows about data leaks from both sides. As information security officer for Exchange Bank, he's responsible for ensuring that the bank's data stays where it's supposed to -- in the bank. But he also was the victim of a data spill last February, when the American Institute of Certified Public Accountants lost a hard drive containing 330,000 unencrypted Social Security Numbers, Gligorea's included. His consolation prize? One free year of credit monitoring.
"There's no excuse for businesses to store customer data on desktop or portable computers without encrypting the data," Gligorea says. The bank recently began encrypting its backup tapes and does not allow customer data to be stored on desktops or portables. It has also implemented additional security measures to ensure that any data files being sent outside the bank are encrypted to prevent unauthorized disclosure of customer data.
Portable devices also are causing many IT managers to lose sleep. "In the past, organizations used to be concerned about laptops not behind their firewall," says Warren Smith, vice president of marketing at GuardianEdge Technologies, maker of encryption software. "Now they're concerned somebody could drop in a 3-Gig USB drive, inside or outside the corporate perimeter, and walk away with some serious information."
Many large enterprises are quickly adopting end-to-end encryption, and SMBs are following suit, Smith says. But it's hard to police something as small and ubiquitous as thumb drives. "Many organizations would be shocked to find out how mobile their data really is."
Other potential sources of data leaks are those Blackberries and Treos in everyone's pocket, says Sara Gates, vice president of identity management at Sun Microsystems. "PCs are moving down in importance in terms of accessing data. Everything is moving to the edge -- to Blackberries, Treos, and other wireless devices," she says.
In a perfect world such devices would be "naked and dumb," with the intelligence and data residing on the network, protected by an identity management system. "Whether you're a person, a device, a Web service, or a hacker -- we need to know who are, what you can do, and what you will do," Gates says.
But Gates acknowledges that even the most advanced corporations are years away from that kind of bullet-proof identity management.