SmartAdvice: Map Out An Organizational Structure For Security

Treat security as a business process, The Advisory Council says. Also, abandoning IE won't end security worries, and learn how to protect information in tiny USB storage devices.

InformationWeek Staff, Contributor

July 6, 2004


Question B: There have been several attacks in recent weeks against an Internet Explorer vulnerability for which Microsoft has not released a fix. Should we replace IE?

Our advice: It was bound to happen sooner or later. The people who are mounting these "phishing" campaigns are interested in acquiring sensitive consumer information for nefarious purposes. Think of the new attacks as a form of credit-card fraud on a massive scale. Now that serious business is transacted on the Web and there's money to be made, the criminal element eventually was going to start exploiting the vulnerabilities of the medium. Until recently, most of the holes were found and patches made available before there were any organized attacks, but that was more luck than foresight on the part of the computer security community. The user community usually hasn't been so well-prepared. The latest attacks represent a more worrisome trend.

Internet Explorer, like all Microsoft products, is targeted not because it has more holes, but because it's a large and inviting mark. With more than 80% of the browser market, it's the obvious place to focus an attack. This time the hackers took advantage of Microsoft's famous application integration to create a difficult-to-detect keystroke logger to capture the sensitive data directly while the user is browsing. Several viruses from the previous assault in the spring also had malicious code of a similar nature, but because they infiltrated systems through mail programs, they were easier to stop. Switching browsers to escape the current security hole will save you only momentarily; unfortunately, you're just putting off the inevitable.

In the end it's a race between the crackers and everyone else. Yes, Internet Explorer is full of vulnerabilities that criminal elements are actively exploiting, but switching to an alternate browser just to avoid the current set of security holes won't solve your security problem. Investing in some top-quality security systems, good staff training, and clear escalation procedures when the attacks do come will protect you far better than disrupting your entire staff by moving to another browser.

-- Beth Cohen

Question C: How do we keep sensitive information from walking out the door on high-capacity, thumb-size USB storage devices?

Our advice: This problem isn't a new one. Companies have always had to deal with the challenge of the loss of sensitive data, whether in the form of handwritten notes, printed material, downloaded data, diskette copies, E-mailed information, or burned CDs. What's new about this challenge, however, is that it has become progressively easier for a disgruntled worker to deliberately, or for a nondisgruntled worker to accidentally, take larger quantities of valuable information, such as design sheets, customer records, or employee information, and pass it along to competitors, suppliers, and others.

The solution
• From a people perspective, the key lies in developing a culture where information is respected and data is considered sacrosanct, and communicating the importance of adhering to strict intellectual-property protection policies. Instituting a whistleblower-protection program will help bring to the attention of senior management possible unscrupulous or underhanded dealings of employees with possible competitors, vendors, and the like.

• From a technology perspective, there are a number of solutions available, ranging from disabling USB ports within the system BIOS to locking users out of accessing the driver.cab device file on a Windows platform to deploying such third-party software as DeviceLock, which lets IT prevent users from accessing certain devices such as USB ports. However, the challenge with all these methods is that ultimately, if someone wants to get away with it, that person quite easily could use another form of media/transmission to illegally export the information out of the organization and into the hands of someone who shouldn't have it.

• From a physical security perspective, it's possible to do random bag-checks and other forms of screening for such devices as diskettes, CDs, and thumb-size USB storage devices. However, the biggest challenge with this is that in a typical organization it isn't possible to screen everyone who enters and leaves, and many employees and visitors will likely find it offensive that management resorted to such distasteful measures. This will be perceived (correctly) as mistrust and will likely result in causing some workers to become disgruntled and thereby find innovative means of getting information out. In addition, it's virtually impossible to train the security staff in all the new USB storage devices that are entering the market, such as executive storage pens, storage watches, and Swiss Army drives.

• From an information-security perspective, the organization needs to be cognizant and careful about granting access to sensitive pieces of information to employees. Access to design specifications, data sheets, customer records, and employee information is best kept limited to those whose jobs require them to have it. Others must be locked out of such data using information-security policies and procedures such as system passwords, database security, and application security. The likelihood of data pilferage declines substantially when one or more of these methods is put into place in an organization.

• Finally, from a legal perspective, how does the company protect itself in the event of the loss of such data? This boils down to the intellectual-property protection policies that the organization has put in place through patents, trademarks, and copyrights, as well as the legal protection the company has in terms of confidentiality agreements and privacy policies. Ideally, an organization wouldn't need to resort to such measures as taking legal action against an employee. However, should the need arise, the organization is better off taking action sooner rather than later.

-- Sanjay Anand
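The registry side of the technology option above, written out as an added example (it is not the column's own procedure, and it uses the USB storage class-driver setting rather than the driver.cab lockout the answer mentions): it disables the Windows USB mass-storage class driver so thumb drives no longer mount, verifies the setting, and lists the storage devices Plug and Play has installed in the past, which is the check an investigator wants after a bag search or a whistleblower tip. Run it from an elevated PowerShell session; it assumes the in-box USBSTOR driver (the normal case for thumb drives) and the standard registry paths named in the script.

```powershell
# Added example, not the column's own procedure. Run as Administrator.
# Assumptions: in-box USBSTOR class driver; standard HKLM service and Enum paths.

$UsbStorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$UsbStorEnum    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorageStartValue {
    # Start = 3: driver loads on demand (default, thumb drives work).
    # Start = 4: disabled. The device is still detected, but no driver binds,
    #            so no drive letter appears and nothing can be copied to it.
    (Get-ItemProperty -Path $UsbStorService -Name Start).Start
}

function Disable-UsbStorage {
    Set-ItemProperty -Path $UsbStorService -Name Start -Value 4 -Type DWord
    Get-UsbStorageStartValue
}

function Enable-UsbStorage {
    Set-ItemProperty -Path $UsbStorService -Name Start -Value 3 -Type DWord
    Get-UsbStorageStartValue
}

function Get-UsbStorageHistory {
    # Every USB mass-storage device ever installed leaves a key here: one per
    # vendor/product string, with a subkey per device instance (serial number).
    # This answers "has a thumb drive been used on this machine?" after the fact,
    # even if the drive itself is long gone.
    if (-not (Test-Path $UsbStorEnum)) { return @() }
    Get-ChildItem $UsbStorEnum -ErrorAction SilentlyContinue | ForEach-Object {
        $product = $_.PSChildName   # e.g. Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00
        Get-ChildItem $_.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Product      = $product
                SerialNumber = $_.PSChildName   # ends in &0 when the device reports no serial
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

# Usage: enforce the lockout if it is not already in place, then report.
if ((Get-UsbStorageStartValue) -ne 4) {
    Disable-UsbStorage | Out-Null
}
"USBSTOR Start value: $(Get-UsbStorageStartValue) (4 = disabled)"
Get-UsbStorageHistory | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. The setting is a single DWORD that any local administrator can flip back, so on a managed fleet it belongs in Group Policy (Device Installation Restrictions) or endpoint-management tooling rather than a one-off script, and the Start value should be monitored for drift. It also blocks only the USB storage class: USB keyboards, mice and network adapters keep working, and so do CD burners, E-mail and cloud uploads, which is exactly the limitation the answer above points out for every technical control in this category.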

David Foote, TAC Thought Leader, has more than 20 years of experience in technology, including 13 years as an analyst and consultant at Gartner, Meta Group, and Foote Partners, where he's co-founder, president, and chief research officer. His specialties include a range of private and public-sector IT management practices and workforce trends, offshore sourcing and strategic resource management, enterprise project delivery, organizational transition and transformation, and IT compensation. His editorial opinion columns, articles, and contributions appear in a variety of business, IT, and HR publications, and he appears on radio, television, and global Webcasts.

Beth Cohen, TAC Thought Leader, has more than 20 years of experience building strong IT-delivery organizations from user and vendor perspectives. Having worked as a technologist for BBN, the company that literally invented the Internet, she not only knows where technology is today but where it's heading in the future.

Sanjay Anand, TAC Expert, has more than 20 years of IT and business-process-management experience as a strategic adviser, certified consultant, professional speaker, and published author. More than 100 personal clients, both large and small, have included companies from an array of industries and geographies, from academia to technology. He's often referred to as a "consultant's consultant" for his training and mentoring skills. He was the creator of Asia's first best-selling computer-assisted learning software package at the age of 17.
