
Risk

4/19/2007 08:20 AM

Users Confess Security Fears

Megalomaniacs, laptops, and USB drives add to the pressure on CIOs and IT managers

SAN DIEGO -- Storage Networking World -- Maverick staff, portable media, and stolen laptops are just some of the issues keeping CIOs and IT managers up at night, according to a panel discussion here this week.

Execs agreed that their data protection strategies are coming under greater scrutiny in the aftermath of high-profile security snafus at the Department of Veterans Affairs, ChoicePoint, and Time Warner. (See On the Brink of Storage Disaster, ChoicePoint Fined $15M, Time Warner Talks About Lost Tapes, and The Year in Insecurity.) "There's a lot more visibility on the breaches and compromises," said Michael Cole, deputy CIO of defense contractor SAIC. (See SAIC Stretches Database Limits.)

The exec admitted that he received a serious wake-up call soon after joining SAIC two years ago. "Shortly after I came on board we had an experience where some burglars broke into one of our buildings and stole about eight laptops," he said, explaining that the laptops contained personal information on employees. "It was very shocking for the company to go through an experience like that."

Since the theft, SAIC has developed a comprehensive strategy for dealing with both physical and cyber security. "As good as we're getting at this thing, this is the one thing that keeps me awake at night," said Cole.

Another panelist, Richard Villars, the vice president of storage systems at IDC, highlighted the emerging risk posed by maverick, yet influential, members of staff. To illustrate his point, Villars used the example of a Wall Street trader he encountered who was bringing in $600 million a year to his employer.

The trader, who had his own NAS, refused point-blank to let his firm get their hands on this kit. "They tried to take it out to do a consolidation [but] they had to put it back in," said Villars. "This guy made so much money, he was treated like a God."

Letting individuals ride roughshod over corporate data and security policies is simply asking for trouble, according to Villars, who warned that some business analytics experts are a law unto themselves. "You will make exceptions for geniuses, and that's where the breaches can happen, because geniuses can lose their laptops as easily as anyone else," he said.

Six Flags Theme Parks, on the other hand, has been careful to limit data access for its employees, many of whom are seasonal workers. "On our point-of-sale systems we're moving more and more toward touchscreen only, no keyboards, locked-down systems where you can't plug your iPod in any more," said Michael Israel, the firm's senior vice president of information services, and a security panelist.

The exec explained that Six Flags, which owns 29 parks in the U.S. and Mexico, is in the middle of a major IT restructuring, which involves "segmenting" different parts of the business for security purposes. "For example," he said, "if we bring Kodak in to sell photos to our customers, they are on their segment and it can't be hacked into."

Encryption was also high on the agenda during the panel debate, prompted by the apparent ambivalence of many IT managers toward the technology. (See Encryption on the Back Burner, Encryption's Hard Truths, and Vendors Dive Into Data Protection.) An electronic poll of around 300 audience members revealed that the majority (53 percent) do not encrypt any data. Just over a quarter of respondents confirmed that they encrypt laptop data, although only 8 percent lock down data on all devices, such as USB drives.

The biggest gripe from the panelists concerned the lack of security for portable media such as USB drives, a persistent source of frustration for many IT managers. (See Users Go for Data Lockdown.) "It's amazing how much data is stored beyond the PC on external drives," said Cole. "The [security] technology is starting to catch on, but there's no great solution yet."

— James Rogers, Senior Editor Byte and Switch
