I read an interesting article on the Internet Storm Center that poses the question of whether Green IT and IT Security are mutually exclusive. Powering off computers overnight and the traditional practice of patching at night do seem at odds. The short article is copied below:
I was reading my morning newspaper one day this past week (a real treat since my cataract surgeries) and I came upon several articles concerning a local municipality that experienced a self-imposed DOS due to a massive malware infection. The CIO explained that "curiously, only those employees who had turned off their computers at night were infected". Now, in security, we understand fully why this happened and it is not curious at all. This statement causes flashbacks to all the times I have experienced many a cost-conscious "green" dept. head, with good intentions, requesting their employees to turn off their computers at night to save money and the planet. Hey, I'm as green as the next guy, but at some point, penny pinching and IT just don't mix.
Maybe we aren't explaining this situation well enough (more likely CIO support for security was non-existent), but it seems to me that the IT security department at this municipality needed to explain to the CIO and advise city employees that the majority of security updating is completed during off hours so as not to interfere with production. Yes, we do have ways to kick off updates after the computer is turned on in the morning, but at the same time, we have allowed production requirements to interfere with those updates by allowing the users to stop scans or generally override any security setting which may interfere with the goal of production. That said, our main responsibility must be to keep our domains as up-to-date as possible to combat the barrage of morphing attacks. And we realize even that isn't enough, when that one "green guy" opens an infected PDF file or is redirected to a malware-spewing site. A site directing attacks to the third-party software we can't find the budget or time to patch with any regularity.
The recent news of the ZeusBot revelations (not to us) and the whole Google/China mess shows what can happen when employees are not educated about their role in keeping the enterprise secure. Employees must have the "big picture" to be of any help. Counting on updating our AV program just is not a viable methodology any more. While it is imperative that we keep doing our jobs by keeping definitions as updated as possible (and prevent override of security settings), we are still back to the subject of application patching. All the glorious AV definitions in the world will not prevent an employee from making that search that redirects, or opening an attachment that starts the proverbial ball rolling toward weeks of clean-up and bad press via media hype.
Maybe the publicity helps our cause. At one point I did believe that. Do you think we are still making inroads with the non-security folks with continuous media exposure? Or is it just possible that the public and our CIOs have come to accept these violations as a way of life?
From SANS Internet Storm Center.
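The article describes two distinct ways a workstation ends up unpatched the morning after an overnight maintenance window: it was powered off and simply missed the window, or it was on but the update was blocked or overridden. The check below, an added example that is not from the ISC diary or from any vendor's tooling, triages an inventory export into those two cases so the first group can be queued for a catch-up at next logon and the second can be investigated. The window times, the baseline release time, the endpoint records and the field names (hostname, sessions, last_patch) are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample values: an overnight patch window, the time the current
# update set was published, and a few endpoint records of the kind an
# endpoint-management agent might export. None of this is a real schema.
WINDOW_START = datetime(2010, 2, 15, 1, 0)        # 01:00 local time
WINDOW_END = datetime(2010, 2, 15, 5, 0)          # 05:00 local time
BASELINE_RELEASED = datetime(2010, 2, 14, 12, 0)  # current update set published


@dataclass
class Endpoint:
    hostname: str
    # (powered_on, powered_off) intervals reported by the agent;
    # powered_off is None while the machine is still running.
    sessions: List[Tuple[datetime, Optional[datetime]]]
    last_patch: datetime  # when the agent last applied an update


def overlaps(start: datetime, end: Optional[datetime],
             win_start: datetime, win_end: datetime) -> bool:
    """True if the power session [start, end) intersects the window."""
    effective_end = end if end is not None else datetime.max
    return start < win_end and effective_end > win_start


def was_on_during_window(ep: Endpoint,
                         win_start: datetime = WINDOW_START,
                         win_end: datetime = WINDOW_END) -> bool:
    """True if the host was powered on at any point inside the window."""
    return any(overlaps(s, e, win_start, win_end) for s, e in ep.sessions)


def triage(endpoints: List[Endpoint],
           baseline: datetime = BASELINE_RELEASED) -> Dict[str, str]:
    """Classify each host:
    'current'              - patched at or after the baseline release
    'stale-offline'        - unpatched and powered off through the window
    'stale-despite-window' - unpatched although it was on during the window
                             (look for a stopped scan or overridden setting)
    """
    result = {}
    for ep in endpoints:
        if ep.last_patch >= baseline:
            result[ep.hostname] = "current"
        elif was_on_during_window(ep):
            result[ep.hostname] = "stale-despite-window"
        else:
            result[ep.hostname] = "stale-offline"
    return result


def catch_up_queue(statuses: Dict[str, str]) -> List[str]:
    """Hosts that missed the window and should get a forced update at logon."""
    return sorted(h for h, s in statuses.items() if s == "stale-offline")


def investigate_queue(statuses: Dict[str, str]) -> List[str]:
    """Hosts that were on overnight yet stayed unpatched."""
    return sorted(h for h, s in statuses.items() if s == "stale-despite-window")


# Constructed sample inventory (not real hosts).
SAMPLE = [
    # Left on overnight, patched inside the window.
    Endpoint("ws-01", [(datetime(2010, 2, 14, 8, 0), None)],
             datetime(2010, 2, 15, 2, 30)),
    # Shut down at 17:50, back on at 08:10: slept through the window.
    Endpoint("ws-02", [(datetime(2010, 2, 14, 8, 5), datetime(2010, 2, 14, 17, 50)),
                       (datetime(2010, 2, 15, 8, 10), None)],
             datetime(2010, 2, 8, 2, 10)),
    # On all night but still a week behind: something blocked the update.
    Endpoint("ws-03", [(datetime(2010, 2, 14, 7, 55), None)],
             datetime(2010, 2, 8, 2, 5)),
    # Off in the evening but woke at 03:30 and patched.
    Endpoint("ws-04", [(datetime(2010, 2, 14, 9, 0), datetime(2010, 2, 14, 18, 0)),
                       (datetime(2010, 2, 15, 3, 30), None)],
             datetime(2010, 2, 15, 3, 45)),
]

if __name__ == "__main__":
    statuses = triage(SAMPLE)
    for host, status in sorted(statuses.items()):
        print(f"{host}: {status}")
    print("catch-up at logon:", catch_up_queue(statuses))
    print("investigate:", investigate_queue(statuses))
```

The point of splitting the stale hosts into two queues is that they need different responses: a host that was off can be handled by an at-logon catch-up job, whereas a host that was on and still missed the update is where an overridden setting or a stopped scan should be looked for, which is the second failure mode the article describes.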