I had an occasion to interview a senior director of Symantec Security Response recently. It seems that 2003 was not a good year for the protection of systems from viruses, worms, Trojan horses, and combinations of these, called blended threats.

Advertisement On this topic SOLUTIONS INTEGRATOR Solutions Integrator. Sign up Now! Microsoft opts to share more code Viacore hooks up with HP, PwC on trading exchanges Avoid ASP imprisonment

What Sharon Ruckman told me wasn't really any different than what I heard earlier in the year from a team of security auditors. It's pretty simple stuff. So why aren't system administrators better at it?

Foremost, according to Ruckman, unneeded services should be shut down or removed. There are plenty of applications, utilities, or operating system modules that install FTP, telnet, or even a Web server by default. These all provide an inward path for anyone with the inclination, time, and tools to find them. Remove these and many avenues for attack will disappear. As a side benefit, there is less software to watch over.

Patch levels remain out of date on many systems. That's a huge problem. Any system accessible through the firewall, such as those running HTTP, FTP, mail, or DNS, presents a security threat. It's crucial that patches be applied on a timely basis.

Of course, there's software, too. Antivirus programs, antispam utilities, firewalls, intrusion detection, and content filtering need to be present and work with each other. None can stand on its own to keep networks safe from attack. As Ruckman put it, blended threats require blended solutions. I agree.

But it's not all about implementing technological solutions to these threats. Education of users plays a major role. That's largely due to a new technique, called social engineering. Instead of simply receiving e-mail that is obviously spam, a socially engineered message looks completely legitimate and harmless. The idea is to entice the user to open the message, click on an embedded link, or open an attachment.

Socially engineered messages could look like a friendly e-mail from a friend. Or an urgent message about your recent order that asks you to open the attached file. Or a request for information for what appears to be a legitimate site, such as ebay or PayPal. Of this last sort, these messages ask people to furnish personal information, such as social security number, credit card account number and expiration date, and login passwords. And plenty of people comply, with disastrous results. Dealing with these threats is purely a matter of educating users. And it's not done nearly often enough. As you visit clients, reminding them of this would not be a bad idea.

But wait, there's more.

Mobile devices are becoming a fertile ground for threats. Cell phones capable of receiving text messages are vulnerable. So too are Bluetooth devices. It's possible, according to Ruckman, for someone to create a Trojan horse that can jump from one Bluetooth device to another. Bring your infected Bluetooth-equipped PDA back to the office, sync it with your PC, and now you've injected that Trojan horse into the corporate network. You've done a bad, bad thing. Education, my friend. Education.

Ruckman did a fine job of painting a desperate picture. That's good. Living with abject fear that everything we touch is a potential security threat may not be all that bad. Doing something about it is everyone's responsibility, IT directors, systems administrators, solution providers, and, especially, individual users.