
The great password crisis

By Ian Melamed, chief technology officer, SatelliteSafe
Johannesburg, 12 Dec 2000

I had the insightful experience recently of meeting one of the most senior IT managers at a very large insurance company. As he accessed and showed me the company's most mission-critical business system, he needed to enter a password. This he obtained by referring to a notebook on his desk!

This by way of preamble to introducing the entire issue of passwords, which have long been and remain the first line of defence for corporate systems. Now along comes a study published by UK consultancy Barron McCann which reports that 92% of IT managers interviewed in a 200-strong sample say passwords provide the best protection against internal thieves. They win out against encryption, smart cards or biometrics.

Barron McCann says this is because security is still not taken seriously, and is subordinated to many other corporate issues. However, passwords are the weakest link in corporate systems security. They are easily guessed by internal hackers, who represent the greatest risk to any company, and external hackers capture them with password sniffers, which are widely available on the Internet. Exacerbating the situation is the fact that many companies use four-digit passwords, which are cracked in minutes: a four-digit numeric password has only 10,000 possible values, so an attacker with a copy of the password hash can simply try every one.
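To make the "cracked in minutes" claim concrete, here is an added illustration (not code from the original column or from Barron McCann) of an offline brute-force attack against a stored password hash. It assumes the attacker has obtained the hash; unsalted SHA-1 and the sample password "7391" are constructed for the demonstration, and the guess rate used for the time estimates is an assumed figure, not a measurement. The point it shows is the keyspace: exhausting every four-digit password takes at most 10,000 guesses, while an eight-character mixed-case alphanumeric password has over 2 x 10^14 possibilities.

```python
import hashlib
import itertools
import string
import time

# Constructed example: unsalted SHA-1 stands in for whatever hash a system stores.
# The hash function is not the point; the size of the keyspace is.
def store(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

def brute_force(target_hash: str, alphabet: str, length: int):
    """Try every string of `length` characters over `alphabet` in order.
    Returns (password, attempts) on success, or (None, attempts) after
    exhausting the keyspace."""
    attempts = 0
    for combo in itertools.product(alphabet, repeat=length):
        attempts += 1
        candidate = "".join(combo)
        if hashlib.sha1(candidate.encode()).hexdigest() == target_hash:
            return candidate, attempts
    return None, attempts

def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct passwords of exactly `length` chars over `alphabet`."""
    return len(alphabet) ** length

def seconds_to_exhaust(alphabet: str, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at an assumed guess rate."""
    return keyspace(alphabet, length) / guesses_per_second

if __name__ == "__main__":
    # Constructed victim: a four-digit numeric password.
    pin_hash = store("7391")
    t0 = time.perf_counter()
    found, tries = brute_force(pin_hash, string.digits, 4)
    elapsed = time.perf_counter() - t0
    print(f"4-digit password recovered: {found} after {tries} guesses in {elapsed:.3f}s")

    # Assumed rate for the comparison only (a single CPU in 2000 did far less,
    # modern GPU rigs far more); it does not change the ratio between the two.
    rate = 1_000_000.0
    alnum = string.ascii_letters + string.digits
    print(f"4 digits:        {keyspace(string.digits, 4):>20,} candidates, "
          f"{seconds_to_exhaust(string.digits, 4, rate):.4f}s to exhaust")
    print(f"8 alphanumerics: {keyspace(alnum, 8):>20,} candidates, "
          f"{seconds_to_exhaust(alnum, 8, rate) / 86400:.0f} days to exhaust")
```

The brute-force loop is deliberately naive; real cracking tools try likely candidates first (dictionary words, dates, keyboard patterns), which is why a long password that is also a common word gains nothing over a short one. Length alone only helps when the password is drawn unpredictably from the whole keyspace.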

Creating even further headaches is the fact that large organisations have multiple access points to their systems, including network, application, database and e-mail. Administering and tracking these across thousands of users becomes a real issue, typically leaving security holes you can drive a truck through.

Time for a rethink, wouldn't you say?

Speaking of rethinks, the FBI has created a precedent which definitely needs looking at. It used truly bleeding-edge cyber-surveillance technology to trap the son of jailed mob boss Nicodemo "Little Nicky" Scarfo in a federal gambling case. Scarfo was the target of a sophisticated surveillance tool - a keystroke-logging device - that allowed the FBI to capture every keystroke he entered on a PC on which gambling records were stored. This led to Scarfo being charged with running a Mob bookmaking and loanshark operation in New Jersey. Obvious questions arise as to privacy issues, as the program can hardly distinguish between mob-related and personal data. On the other hand, if it helps them catch the bad guys, shouldn't we welcome it? Tough questions...

Much easier to dismiss out of hand is a plan presented to the UK government which could force communications companies to retain data for seven years regarding every phone call made, every e-mail sent and every Web site visited. This data would be posted to the most monumental data warehouse ever created, at a cost of £33 million, and UK security forces would be granted access to this information. The plan was conceived by the National Criminal Intelligence Service and the Home Office is mulling it over. Apart from the civil liberties issue, the practical issues would militate against such a data warehouse ever seeing the light of day.

I reported last week that security vendor Network Associates had been hacked and two of its Web sites defaced. Now it has blamed one of its hosting service providers, Matrix Corporate of Brazil, for failing to apply a security patch issued in November. This patch would have closed a cross-site scripting vulnerability in Microsoft IIS 5.0, used to host both sites. My gut-feel is that this story has a long way to go yet.

It's so easy to knock Microsoft that one is inclined to back off from it. But I just have to pass on this quote from Michael Bywater, in his column in London's Independent on Sunday. Bywater muses "whether the people who hacked into the Microsoft computers and stole the source code will have the decency to touch it up so that it actually works before they put it back".

So there's a certain irony in this latest development - the company that has been seen to be lax on security now wants to become the industry leader. Could it be coincidence that it's mere weeks after it was compromised by unknown hackers? Microsoft has hosted its first security summit, SafeNet 2000, and signified its goal to establish leadership in the domains of security and privacy. Microsoft involved some of the US's top security experts, and has taken the tack that security problems can be resolved with software, such as agents. Uh, yes, but first we need awareness, policy and a corporate will to eradicate this most pernicious of maladies.

There's a weird new virus reported to be in the wild. It's called Apology, and it's claimed to block access to anti-virus sites. It uses the classic psychology of e-mail worms to get you to open it, arriving as an e-mail attachment with headings such as "Playboy screen saver". Once the attachment is executed, it prevents you from sending an e-mail alert to anti-virus companies. While it's attracted significant attention from anti-virus vendors, no reports of corporate damage have been noted.

Sources: Observer, eWeek, HNN, ComputerWire and Independent
