Cheap IT Security? The Tools Were There All Along
Fortunately, there are plenty of cheap tools to ensure a solid defense. Some of these tools have been in the arsenal all along, but you never knew it. (Part four in a series: How to Manage Security in a Recession)
By Bill Brenner, Senior Editor
"Microsoft bought DesktopStandard last year and gave it to its Group Policy customers for free," he says. "It has tons of new functionality, one of which lets you change local administrative password accounts. It can cost thousands of dollars to buy a tool to do that, but this is free."
Moskowitz has written two books on how to make the most of Group Policy, and he has made a believer out of Keith Gosselin, information technology officer at Biddeford Savings Bank in Maine.
"Group Policy, if properly utilized, is an effective way to lock down workstations that are typically your weakest security link," says Gosselin.
Gosselin has also come to rely on other Microsoft tools to maximize security without spending extra money. One is the Microsoft Baseline Security Analyzer (MBSA), designed to help small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations. Another is Windows Server Update Services (WSUS), which most Windows-based IT environments use for the automated deployment of Microsoft security patches.
Security through open source
As useful and cheap as Microsoft's embedded security has become, IT shops have turned to the open source community to flesh out the security arsenal without breaking the budget. Gosselin, for example, uses the open-source Nessus Security Scanner maintained by Tenable Network Security. "The free version of Nessus is a great way to get a handle on network vulnerabilities," Gosselin says.
Joseph Guarino, CEO and senior consultant for Boston-based Evolutionary IT, which specializes in security tools and management, is a big advocate of open source security. He notes that a free open source tool exists for just about every piece of the security market.
"Free and open source software has always had an essential role in information security," he says. "It's always been a building block for best-of-breed solutions as well as a source of innovation for things to come."
In an e-mail, he offered this list of examples:
- OpenBSD, an operating system built with security as its primary objective.
- Linux, which has a history of high-quality, stable and secure code, making this OS a vital building block on which to build security infrastructure. Most security appliance solutions are built upon it, Guarino notes.
- Snort, the open source IDS tool maintained by Sourcefire, among the most widely deployed IDS tools around.
- Wireshark, a high-quality open source protocol analyzer.
- OpenVPN, a full-featured SSL VPN.
Eliminate complexity
As companies seek out cheap security tools to keep the bad guys at bay, some industry experts worry that the zeal to collect more technology has led to a bloated IT infrastructure. Atlanta-based strategic architect James DeLuccia is among those who yearn for more simplicity in security. A recession is as good a time as any to achieve that, he says.



