Calum Macleod, senior IT consultant at Cyber-Ark,
reflects on lessons from 2004 regarding security and what actions
to take this year.
It's that time of the year again when we all reflect on the year
gone by and consider what lies ahead. For many of us it's a time to
resolve to do better, or more often than not for others to resolve
on our behalf, especially if we're married.
In the world of IT, most of us have been grateful onlookers when
we consider the misfortunes of others, and wonder how they could be
so irresponsible as to allow such mishaps, or more likely thank our
lucky stars that yet again we’ve escaped, and hopefully no one more
senior asks too many questions about how we would have dealt with a
similar situation.
So, as we consider our resolutions work-wise, it might be good
to reflect on some of the twists of fate suffered by some of our
colleagues over the past year, and try to learn from someone else’s
bitter experience.
March saw a well known bank having to pay a substantial fine for
failure to produce some old e-mails on time, although it was not
alone in this since a number of other companies which fell under
the Sarbanes-Oxley umbrella suffered similar fates.
Under the Act, public companies are required to archive any and
all financial data, and also to keep a record of a document's
lifecycle, including who within the company had access to, viewed
or amended a given document. The information also needs to be
retrievable in just two business days.
August was the month for leaks! Not that kind – well maybe it
was given the summer we had. People had nothing better to do it
seemed, or maybe it was just a bad month for news, but suddenly it
was raining source-code. First, it was id Software, and then later
in the year it was Microsoft, and lately Valve got hit.
What is difficult to understand is why anyone who should not
have access would even know where to look. Come on folks, we're
talking about a couple of hours work to make sure that the stuff is
so out of sight that not even Santa would find the “grotto”. August
continued to be a bad month for consumer confidence with the news
that Hotmail had some flaws that allowed access to other people’s
e-mail.
October brought the issue of using home computers for work to
the forefront, well in the Netherlands at least. Known as the
Tonino affair, it involved the case of a Dutch public prosecutor
putting his personal PC out on the street with the rubbish, believing
it was defective because of a virus. A taxi-driver who happened to be
passing by saw it and took it home with him.
He easily got it to work and took it to a journalist. The hard
drive contained information on high profile cases, and the system
also allowed access into all Tonino's e-mail traffic. Adding insult
to injury, hackers raided Tonino's e-mail box and placed important
correspondence on the internet. Suffice it to say the unfortunate
gentleman’s caseload is not what it was.
So how are you working from home? – Using your private PC, and
downloading confidential information from the office, and only with
the best of intentions – to make your life easier and to be more
productive for the company?
Unfortunately, it seems that many of those PCs leaving the store
may not be as safe as we would like to think, since frequently they
have not been patched with the latest and greatest security fixes,
which leaves them open to all kinds of nasty stuff.
And then off we go providing easy remote access with all kinds
of whizzbang VPN stuff, and allowing colleagues to download
confidential data. Christmas comes along and if you are lucky maybe
the employee from human resources threw the old PC in the bin. It
might be worse – they might have given it to the kids.
December saw yet another government minister fall prey to the
wonders of e-mail. E-mail is a great invention, I simply cannot
imagine life without it, but I believe that frequently we forget
that “the keyboard is mightier than the sword”, because it has this
nasty habit of biting from time to time.
Mind you, our public servants continue, it seems, to miss the
point entirely. E-mail is not meant to be a way for politicians to
demonstrate to the rest of us that they are IT literate.
Also, it seems that government has found the answer: wholesale
deletion of mail is the latest Whitehall brainwave. Not only could
you or I end up as a guest of HM for doing something similar, but it
seems they still haven't quite got the point. They will probably
delete them before they send them, for security reasons.
So there we have it, a year of unfortunate mishaps, and many
more besides that. But how do you avoid being next year's talk of
the town?
Well maybe a few resolutions would help:
- I resolve to put in place security layers such as file access
control and version control according to our company’s policy so
that only authorised users will be able to delete or modify
documents.
- I resolve to implement monitoring and auditing features to
ensure that all activities are logged, and that reports can be
issued and sent according to a notification process.
- I resolve to put controls in place to ensure that users cannot
copy confidential information to unauthorised systems.
This would be a start. But in the event that you find this all
too much trouble, and you think that this kind of stuff only happens
to other people:
- I resolve to look into a good personal liability insurance
policy… because the chances are I might need it.