Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

4/19/2007
08:20 AM

Users Confess Security Fears

Megalomaniacs, laptops, and USB drives add to the pressure on CIOs and IT managers

SAN DIEGO -- Storage Networking World -- Maverick staff, portable media, and stolen laptops are just some of the issues keeping CIOs and IT managers up at night, according to a panel discussion here this week.

Execs agreed that their data protection strategies are coming under greater scrutiny in the aftermath of high-profile security snafus at the Department of Veterans Affairs, ChoicePoint, and Time Warner. (See On the Brink of Storage Disaster, ChoicePoint Fined $15M, Time Warner Talks About Lost Tapes, and The Year in Insecurity.) "There's a lot more visibility on the breaches and compromises," said Michael Cole, deputy CIO of defense contractor SAIC. (See SAIC Stretches Database Limits.)

The exec admitted that he received a serious wakeup call soon after joining SAIC two years ago. "Shortly after I came on board we had an experience where some burglars broke into one of our buildings and stole about eight laptops," he said, explaining that the laptops contained personal information on employees. "It was very shocking for the company to go through an experience like that."

Since the theft, SAIC has developed a comprehensive strategy for dealing with both physical and cyber security. "As good as we're getting at this thing, this is the one thing that keeps me awake at night," said Cole.

Another panelist, Richard Villars, the vice president of storage systems at IDC, highlighted the emerging risk posed by maverick, yet influential, members of staff. To illustrate his point, Villars used the example of a Wall Street trader he encountered who was bringing in $600 million a year to his employer.

The trader, who had his own NAS, refused point-blank to let his firm get their hands on this kit. "They tried to take it out to do a consolidation [but] they had to put it back in," said Villars. "This guy made so much money, he was treated like a God."

Letting individuals ride roughshod over corporate data and security policies is simply asking for trouble, according to Villars, who warned that some business analytics experts are a law unto themselves. "You will make exceptions for geniuses, and that's where the breaches can happen, because geniuses can lose their laptops as easily as anyone else," he said.

Six Flags Theme Parks, on the other hand, has been careful to limit data access for its employees, many of whom are seasonal workers. "On our point-of-sale systems we're moving more and more toward touchscreen only, no keyboards, locked down systems where you can't plug your iPod in any more," said Michael Israel, the firm's senior vice president of information services, and a security panelist.

The exec explained that Six Flags, which owns 29 parks in the U.S. and Mexico, is in the middle of a major IT restructuring, which involves "segmenting" different parts of the business for security purposes. "For example," he said, "if we bring Kodak in to sell photos to our customers, they are on their segment and it can't be hacked into."

Encryption was also high on the agenda during the panel debate, prompted by the apparent ambivalence of many IT managers toward the technology. (See Encryption on the Back Burner, Encryption's Hard Truths, and Vendors Dive Into Data Protection.) An electronic poll of around 300 audience members revealed that the majority (53 percent) do not encrypt any data. Just over a quarter of respondents confirmed that they encrypt laptop data, although only 8 percent lock down data on all devices, such as USB drives.

The biggest gripe from the panelists concerned the lack of security for portable media such as USB drives, which is something of an ongoing source of frustration for many IT managers. (See Users Go for Data Lockdown.) "It's amazing how much data is stored beyond the PC on external drives," said Cole. "The [security] technology is starting to catch on, but there's no great solution yet."

— James Rogers, Senior Editor Byte and Switch
