Ruminations on the System i Market.
"We have met the enemy and he is us" is a famous quote from a cartoon character, a possum named Pogo penned by Walt Kelly, in a strip which saw its heyday when people named Watson still ran IBM. Pogo lived in a swamp. He and his friends offered many lessons about human foibles, and the strip was in many ways a logical predecessor of today's Dilbert. As is the case with any classic literature, graphic or otherwise, Pogo's opinion is still correct. Particularly, it seems to me, in the area of computer security. (How much of a swamp we all still live in I leave to your judgement.)
As you've probably heard by now, we're all too complacent about security. As System i professionals used to a platform that offers some good protections built right into the operating system, we feel safe. Working on a platform that doesn't have such widespread public use and that doesn't offer so many opportunities for hackers and malware as some Microsoft products do, we feel safer. With a solid cadre of third-party software vendors who offer some really good security and compliance products in our market, we feel practically unassailable.
Most IT people know that this is an illusion, but it's a pleasant one, and it's aided and abetted by the nonchalant attitudes of end users, many of whom seem to trust IT to be their computer moms and dads when it comes to security protection. They're like kids asleep in the back seat of the car on the way home from a visit to grandma. Until the family minivan gets hit head on by a runaway semi, all seems well; but it isn't so.
Evidence of this nonchalance is becoming common. Verizon published a study of 545 U.S. Internet users in December that showed 92 percent felt "safe" or "somewhat safe" from spyware and viruses on their home PCs. The study, meant to promote Verizon's diagnostic freeware, Security Advisor, also featured results of Security Advisor scans of respondents' home setups. Security Advisor's verdict is that 58 percent of the respondents were at risk for spyware, and 45 percent were at risk for virus infection. Not only that, of those users who actually had a firewall, 19 percent had turned it off.
Radiance Technologies, a vendor of delivery systems for "large digital assets" (although not a System i vendor), published "How Conflicts Between Productivity, Security, and Standards Put Companies at Risk," which naturally enough focused on end users who send huge, multigigabyte files over the Internet. This practice is a big security hole somewhat related to using FTP, which I discussed recently, because FTP is a favorite means of doing this. However, it's not the only one. Many corporate networks have restrictions on sending such large files internally, which you might think would be a protection, but not too many of those restrictions apply to sending files via the Internet. Of the more than 300 "knowledge workers" Radiance surveyed, 71 percent said their companies put limitations on the size of e-mail messages and attachments, but 29 percent said they got around such limitations by simply using their personal e-mail or IM accounts to send such files while at work. Sixty-four percent admitted sending files of at least 5 MB daily or several times a week. Of course, that means there's no way to track what was sent or to whom. It might be a video clip, or it might be a company strategy paper. If you don't have a handle on how many of your users do this, could this be a security problem that's "playing possum" on you?
Why are end users so lax about security? Why does it take something bad happening to someone, such as identity theft, to make ordinary people aware that security really does affect them? Well . . . maybe it's not fair to put all the blame on them, because unfortunately, sometimes even the IT professionals are starting to think too much like end users.
The best security policy in the world doesn't matter if key people aren't paying attention. The Ponemon Institute, a privacy and information-management research group, and RedCannon Security, a company specializing in secure mobile-access solutions, recently collaborated on a study that shows how poorly some enterprises enforce their own security policies. Derived from a survey of 893 IT professionals, this study released in December reveals that 39 percent of respondents said they've lost a PDA, cell phone, USB memory stick, zip drive, or laptop that contained sensitive information. What's a bit more disturbing is that 56 percent of those "losers" believe their employer would never be able to determine the type of data the lost device holds, and 72 percent admitted that they didn't report the lost or missing device immediately.
That's not all. Fifty-one percent said they've copied confidential information onto a USB memory stick even though 87 percent "believe" their company's policy forbids it. Seventeen percent say they've turned off security settings or firewalls on their workplace computers, and 80 percent are "unsure" if this violated policy. Forty-six percent say they've shared passwords with coworkers even though 67 percent "believe" company policy forbids it. These people are guessing what their enterprise security policy is in these "slam-dunk" areas?
These aren't ordinary end users, they're IT people! The study concludes that there's significant employee naivete towards the problem, with most staff members unaware of the rules in place or uncaring due to a lack of consequences. Think that's a fluke?
Sentrigo, a database security software vendor, has an interesting tattle on database administrators of some Oracle Corporation apps. Sentrigo has been making the rounds of Oracle Users Group meetings across the country since August and has surveyed 305 Oracle product database administrators about security practices. It seems that quarterly, Oracle (and hats off to them for this) sends out what it calls Critical Patch Updates (CPUs), which plug known security holes in Oracle databases. A security-conscious DBA would probably apply those right away, wouldn't you hope? Uh-uh. Only 10 percent of the Oracle DBAs said they'd applied the latest CPU, and 67.5 percent said they'd never applied any.
OK, so a few examples don't make this a universal problem, but it's more than a little scary, isn't it? If enterprises can't trust their IT people to follow security policies, where does that leave "the kids"? Why should we expect end users to be following the rules? No wonder some aren't doing so with role models like this!
It won't do to hide behind excuses like, "Oh, but none of these studies are of System i shops, and the numbers of people surveyed are statistically insignificant." The weak link in all these instances that I've cited isn't technology, it's people -- people and our love of expediency and the human frailty of following the path of least resistance. That's too common to ignore. If you think security level 40 is saving you, you're simply living on borrowed time.
What to do? I don't know, but I think the answer lies along the lines of "let's shake things up." Let's find ways of bringing home to everyone how laxity is creating some serious vulnerabilities and do it in a somewhat personal way so that there's some emotional impact. Fortunately, someone has come up with a clever idea to do just this in the area of phishing, and it wouldn't take too much imagination to extend it to other places.
Later this month, Intrepidus Group, a consulting company, is launching PhishMe.com, a site that will help enterprise IT departments design fake phishing attacks on their own employees. Intrepidus will send fake phish to employees, track how many people open them, how many try to check them out by pasting the address into their own browsers, and how many attempt to enter sensitive information. Employees won't be allowed to enter actual information, and the service will issue warnings to them as well as generating management reports. Although this sounded horribly Big Brother to me when I first heard about it, it's really pretty slick. It doesn't do any real harm, and it certainly could be a wakeup call for all concerned.
A lot of people seem to need one.
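The tracking the post describes PhishMe doing (who opened the message, who visited the address, who tried to enter information) boils down to funnel accounting over an event log, and that is the part an IT department would have to get right to produce the management reports mentioned above. What follows is an added example, not Intrepidus Group's or PhishMe's code, that reduces a constructed event log to per-campaign rates and a follow-up list; the campaign name, employee names and event vocabulary are all assumptions made for the example. It also handles two wrinkles the post hints at: an employee who pasted the address into a browser shows up as "visited" with no "opened" event, and events may arrive out of order or duplicated.

```python
"""Funnel metrics for a simulated-phishing exercise (added example, constructed data)."""
from collections import Counter

# Ordered stages an employee can reach; a later stage means more exposure.
STAGES = ("sent", "opened", "visited", "submitted")
STAGE_RANK = {name: i for i, name in enumerate(STAGES)}

# Constructed event log: one "campaign,employee,event" record per line.
# Note dave has "visited" but no "opened" (pasted the address into a browser),
# carol has a duplicate "submitted", and mallory's record uses an unknown event.
SAMPLE_LOG = """\
q1-2008,alice,sent
q1-2008,bob,sent
q1-2008,carol,sent
q1-2008,dave,sent
q1-2008,erin,sent
q1-2008,bob,opened
q1-2008,carol,opened
q1-2008,carol,visited
q1-2008,dave,visited
q1-2008,carol,submitted
q1-2008,carol,submitted
q1-2008,mallory,unknown-event
"""


def parse_events(text):
    """Yield (campaign, employee, event) tuples, skipping blank or malformed lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or parts[2] not in STAGE_RANK:
            # Unknown event types are dropped rather than guessed at.
            continue
        yield tuple(parts)


def furthest_stage(events):
    """Map (campaign, employee) to the furthest stage reached, whatever the event order."""
    reached = {}
    for campaign, employee, event in events:
        key = (campaign, employee)
        current = reached.get(key)
        if current is None or STAGE_RANK[event] > STAGE_RANK[current]:
            reached[key] = event
    return reached


def campaign_report(text, campaign):
    """Build the management-report numbers for one campaign.

    Counts are cumulative: an employee who submitted data is also counted as
    having opened and visited, since reaching a later stage implies the earlier ones.
    """
    reached = furthest_stage(parse_events(text))
    per_employee = {emp: stage for (camp, emp), stage in reached.items() if camp == campaign}
    total = len(per_employee)
    counts = Counter()
    for stage in per_employee.values():
        for earlier in STAGES[: STAGE_RANK[stage] + 1]:
            counts[earlier] += 1
    rates = {s: (counts[s] / total if total else 0.0) for s in STAGES}
    # Anyone who at least visited the address gets the warning/training follow-up.
    needs_followup = sorted(
        emp for emp, stage in per_employee.items() if STAGE_RANK[stage] >= STAGE_RANK["visited"]
    )
    return {
        "campaign": campaign,
        "recipients": total,
        "counts": dict(counts),
        "rates": rates,
        "needs_followup": needs_followup,
    }


def format_report(report):
    """Render the report as plain text for management."""
    lines = [f"Campaign {report['campaign']}: {report['recipients']} recipients"]
    for stage in STAGES:
        lines.append(f"  {stage:<10}{report['counts'].get(stage, 0):>4}  ({report['rates'][stage]:.0%})")
    lines.append("  follow-up: " + (", ".join(report["needs_followup"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(campaign_report(SAMPLE_LOG, "q1-2008")))
```

Running it on the constructed log reports five recipients, three opens, two visits and one submission, with carol and dave on the follow-up list; because stages are ranked rather than counted per event, the duplicate submission and the missing open for dave do not distort the rates.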
Posted by at February 5, 2008 11:35 AM
Our blogs are editorial content of System iNetwork.