Ten Security Land Mines

Good list of common corporate security pitfalls.

Posted on March 28, 2008 at 5:55 AM • 27 Comments

Comments

Paeniteo • March 28, 2008 6:26 AM

The list, apart from being interesting, illustrates nicely that there is usually a tradeoff between security and usability (or, let's call it "user-friendliness", or even "convenience").

E.g., let's take point 1:
I would not really want to miss the auto-complete on email addresses.
Consequently, this would even mean to remove address books or contact lists as well (if I use the wrong auto-complete, I might as well wrongly click on a similar-looking entry in "My Contacts").

David • March 28, 2008 8:15 AM

Some of this advice will cause problems getting the job done, or make it less pleasant for employees. If a company doesn't allow its employees some personal use of the net, it may not be able to attract and retain all the good people it needs.

Some of the advice appears to be to hire something other than specimens of Homo sapiens, and that's going to be difficult. Humans do things in certain ways. Humans have continued to do things in certain ways despite all sorts of ranting and threatening. It is unsafe to assume that humans will suddenly change their ways to be convenient for corporate policy.

If humans give out their passwords freely, come up with something other than a password to gain access. If humans lose laptops and thumb drives, have them encrypted. It'll work a lot better.

shoobe01 • March 28, 2008 8:53 AM

eWeek and InfoWeek like to run articles like this, blaming users for being human, trying to get their work done, etc.

Very few folks who live in IT-land seem to understand:
1) Getting the work done is job #1. The copier repair guy doesn't get to say how I do my job, why should the network guy?
2) Therefore, to achieve the supporting goals of economy, availability and security, it's all about designing better overall experiences for the workers and managers.

Blott • March 28, 2008 9:08 AM

"Getting the work done is job #1. The copier repair guy doesn't get to say how I do my job, why should the network guy?"

Because it's the 'Network Guy' to whom you'll go crying when you've just handed your password/unencrypted laptop/keycard/etc to J Random Scammer and your company's being hauled over the coals for it.

Stillgettingitdone • March 28, 2008 9:11 AM

@shoobe01

No, staying in business is job #1. Getting the work done is job #2 or #3.

It's part of staying in business, but if you get the work done unprofitably (and a security breach can lead to expenses greater than the value of the business) then getting the work done doesn't get you paid.

Oh, and the copier guy should get to tell you not to use the copier, if using it would burn the building down.

Paeniteo • March 28, 2008 9:20 AM

@Stillgettingitdone:
Getting the job done is a *necessary* part of staying in business. In other words, not getting it done is a sure way out of business.
A certain risk of unprofitability is usually deemed acceptable (even more so, when the risk appears rather abstract as is often the case with those "worst case security disaster scenarios").

Benjamin Wright • March 28, 2008 9:47 AM

Bruce: Re landmine #2, employees disclosing secrets: It is inevitable that employees will post on company web sites information that they should not have posted and really should be treated as a legal "trade secret". A company can publish legal terms (like a EULA for its web site) declaring that sensitive material posted on the web is still confidential and intended to be a legal trade secret. http://hack-igations.blogspot.com/2008/03/trade-secret-web-terms.html --Ben

V • March 28, 2008 10:21 AM

Actually, point 1 is the one I kind-of disagree with. The problem is less that auto-complete leads to data breaches and more that auto-complete could be a lot better. I think something as simple as "highlight the background of contacts inside and outside the organization differently" would help mitigate this problem, maintain the current ease-of-use, and actually make it more useful.

Apart from that, I think the rest of the list illustrates nicely that "silver-bullet" technologies and audit checklists aren't the be-all and end-all of security.

Anonymous • March 28, 2008 10:45 AM

@Benjamin Wright

"A company can publish legal terms (like a EULA for its web site) declaring that sensitive material posted on the web is still confidential and intended to be a legal trade secret."

Is that like how parking lots can say they aren't responsible for the vehicle or their contents?

Anyways, a quick search of the net did bring up this though:

http://www.precydent.com/citation/759/F.2d/1053/?csb=&page=&lookformenu=&fromCitation=920%20F.2d%20171

759 F.2d 1053, Defiance Button Mach. Co. v. C&C Metal Prods, 1985, where it was ruled (at least in that case) that trade secrets that were not sufficiently protected are not trade secrets at all. From page 11 of this decision:

"In the present case, Judge Goettel found that Defiance-NY's customer lists lost their character as trade secrets because the company failed, upon selling most of its tangible assets (including its computer), to take reasonable steps to protect the lists from coming into C & C's hands. Since that finding is not clearly erroneous we accept it and affirm the district court's dismissal of the claim alleging conversion of the lists. Fed.R.Civ.P. 52(a); see 1 R. Milgram, supra, § 2.03 at 2-32 to 2-33 ("Existence of a trade secret is a question of fact for the determination of the trier of fact, secrecy being a basic element.") (Footnotes omitted)."

I would argue that any website that served up "trade secrets" is ipso facto evidence of a failure to take "reasonable steps to protect" said secrets, so once served, the secrets lose any protections they have under trade secret law (at least in the USA). I suspect that you could find a long list of security professionals who would be willing to testify to that as well.

Tony H. • March 28, 2008 10:45 AM

Well, I'm not sure this is a good list, let alone the "top 10"; it seems more like random points made by various vendors and consultants.

Conspicuously absent in points 6 and 7 (the only ones about managing the problem once it's happened) is anything about not denying everything until it's impossible to deny it any more. Look at all the well publicized security and data breaches where the company has said nothing, or denied there's any problem, or even threatened those who try to make it public. This never fails to make things worse. Maybe if the writer had asked a PR firm as well as anti-virus vendors and security consultants, he'd have a point about this too.

Martin Seebach • March 28, 2008 11:02 AM

It's got it upside down. The security threat isn't a document about an M&A emailed to Joe Foe; it's the fact that a document about M&A exists in a form where you'd choose to email it. Or put it on a thumb drive, or on a laptop you can leave on the bus.

The document should live on a central, secured server, and only shown to people that are properly authenticated and authorized - think SharePoint or Wiki. Make it work so well that users won't bother to save a document to their computer.

The email should say "The new info is on the wiki", and Joe Foe can do nothing with that information. Home broadband, high-speed mobile connections and VPNs make this perfectly viable.

For the very few persons that might need to work offline, e.g. on a plane, you'll have to set up something with an encrypted drive, but that will be the exception, rather than the rule.

Martin Seebach • March 28, 2008 11:11 AM

Oh, and a comment to item 1: Disabling auto-complete opens a spelling-mistake vulnerability. There's a significantly higher chance that anyone already in my address book is a friend than that Joe.Friendly@cit_y_bank.com is, or .net when you meant .org, and so on.

moo • March 28, 2008 11:34 AM

What would be better is a plugin that scans all the outgoing addresses you've put in the To: and Cc: and Bcc: lists, comparing them to a database of "internal only" addresses. If any address on the list is NOT an approved address, you should get a pop-up dialog box reminding you that SOME RECIPIENTS MAY NOT BE APPROVED TO RECEIVE SENSITIVE INFORMATION with a list of the e-mail addresses in question.

Of course, this mechanism would only work if (1) users ever read dialog boxes without clicking through them, and (2) the database was kept accurate enough that it almost never gave false positives, because any false positives would quickly condition users to just click through.

Also I agree with the idea above that different coloring or background coloring for e-mail addresses would be a great idea. Our company uses Outlook for e-mail and Microsoft Office Communicator for IM, and they are integrated together so that you can see the online status of the people mentioned in your e-mail via a little icon next to their name. It's not much of a stretch to further decorate the names with e.g. green for "internal" users, yellow for "external but in your address book", and orange for "we don't even know who this is".
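The recipient check moo describes, as an added example that is not code from the thread: each To/Cc/Bcc address is classified as internal, in the address book, lookalike or unknown (the green/yellow/orange tiers), and the warning lists only the addresses that need a second look. The internal domains, address book and sample headers are constructed; the "lookalike" rule (same local part as a known contact but a different domain, or a domain one edit away from a trusted one) is my addition following Martin Seebach's spelling-mistake comment.

```python
from email.utils import getaddresses

# Constructed sample data standing in for the "internal only" database and the address book.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
ADDRESS_BOOK = {"joe.friendly@citybank.org", "ann@partner.net"}

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; used to catch one-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(address: str) -> str:
    """Return 'internal', 'known', 'lookalike' or 'unknown' for one address."""
    addr = address.strip().lower()
    local, _, domain = addr.rpartition("@")
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if addr in ADDRESS_BOOK:
        return "known"
    known_domains = INTERNAL_DOMAINS | {a.rpartition("@")[2] for a in ADDRESS_BOOK}
    known_locals = {a.rpartition("@")[0] for a in ADDRESS_BOOK}
    # Same person as a known contact but on a different domain (.net vs .org), or a
    # domain one typo away from one we trust: probably a mistake, not a new contact.
    if local in known_locals or any(edit_distance(domain, k) <= 1 for k in known_domains):
        return "lookalike"
    return "unknown"

def check_recipients(headers: dict) -> dict:
    """Scan To/Cc/Bcc and return the non-internal addresses grouped by category."""
    pairs = getaddresses([headers.get(h, "") for h in ("To", "Cc", "Bcc")])
    flagged = {"known": [], "lookalike": [], "unknown": []}
    for _display_name, addr in pairs:
        if "@" not in addr:  # skip empty or unparseable entries
            continue
        category = classify(addr)
        if category != "internal":
            flagged[category].append(addr.lower())
    return flagged

def warning_text(flagged: dict) -> str:
    """The dialog text moo describes, listing only the addresses that need a second look."""
    worrying = flagged["lookalike"] + flagged["unknown"]
    return ("SOME RECIPIENTS MAY NOT BE APPROVED TO RECEIVE SENSITIVE INFORMATION: "
            + ", ".join(worrying)) if worrying else ""
```

Addresses in the "known" tier are returned for colouring but kept out of the dialog, which is what keeps the false-positive rate low enough that users do not learn to click through.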

Captain Obvious • March 28, 2008 12:11 PM

The number one security problem in every major company or institution I've ever worked with is: use of Microsoft Windows.

Isn't that obvious?

Ion Freeman • March 28, 2008 12:20 PM

@moo

"What would be better, is a plugin that scans all the outgoing addresses you've put in the To: and Cc: and Bcc: lists, comparing them to a database of "internal only" addresses. If any address on the list is NOT an approved address, you should get a pop-up dialog box reminding you that SOME RECIPIENTS MAY NOT BE APPROVED TO RECEIVE SENSITIVE INFORMATION with a list of the e-mail addresses in question."

Just popping in to say we make and sell that. Come on over to the website!

HAL • March 28, 2008 12:53 PM

"The number one security problem in every major company or institution I've ever worked with is: use of Microsoft Windows."

DRM is the problem!
http://www.boingboing.net/2005/10/31/sony_drm_uses_blackh.html
Now this: Sony Playstation Network Victim Of Security Breach

Giving information to a game console seems dumb to me. It's not built around security. It can be used to break security.

'Crackstation' Uses Game Console for Hacking
An Australian security expert has rigged a PlayStation 3 to steal passwords.
"We seem to have a world's first here, with potentially huge implications around the validity of some encryption algorithms going forward," says Security-assessment.com chief executive Peter Benson.
http://www.pcworld.com/article/id,140037-pg,1/article.html

Savik • March 28, 2008 1:30 PM

@shoobe01

Are you going to tell an engineer that you don't want brakes on your car because it stops you from "getting the job done"?

You need to go back to elementary school and grow up.

Mark • March 28, 2008 2:04 PM

Martin Seebach: The email should say "The new info is on the wiki", and Joe Foe can do nothing with that information.

It also consumes rather fewer resources, especially in comparison with emailing an attachment (especially in a non-space-efficient format) to a group of people only some of whom are actually interested in it in the first place.

JimFive • March 28, 2008 3:33 PM

@Martin
If it's on a wiki then I can view it in my browser. If it's in a document management system then I can view it in the client. If I can view it then I can turn it into a PDF and email it.
--
JimFive

Anonymous • March 28, 2008 6:22 PM

@JimFive

"If I can view it then I can turn it into a pdf and email it."

Strip outbound attachments from the email, and notify corporate security because of the policy violation.

sooth sayer • March 28, 2008 10:21 PM

I am not sure it has any value unless you just came from Timbuktu.

The article is just a way to create pageviews... and I found the info to be childish and primitive.

jmr • March 31, 2008 12:16 AM

@JimFive,

You're missing the point. Today, sharing a document is most easily done by emailing the document. If it's easier to share the document without emailing it, it won't be accidentally disclosed via email. Any further disclosures will probably be deliberate, and need a different way of preventing them.

jmr

Brian Babin • March 31, 2008 12:35 PM

Email is an easy way to send out documents and potentially inappropriate data; however, there are many, many other channels available. Being able to monitor and control data going through email is important, but it is only a small first step because of the dizzying number of IM and P2P applications being used to send data as well. Point four in the article touches upon this.

One stat:
85% of employees report that they use their work PCs for "personal, non-work purposes," and among these employees, 38% send personal IMs or engage in chat while at work.
(Source: http://www.facetime.com/solutions/greynets.aspx)

On a day to day basis we see companies that don't realize the extent of the threats posed by these applications. Or the threat is recognized but the safeguards fall short. In this case, what you don't know WILL hurt you.

Brian Babin
FaceTime Communications
