Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

7/25/2008
03:15 AM

Ad Agency Keeps the Word From Spreading

Access control technology helps Arnold Worldwide protect client data, meet compliance requirements

In the high-risk, high-reward advertising industry, Arnold Worldwide has been a winner. In fact, it has helped to formulate the advertising plans for a whole range of heavyweights, including ESPN, Fidelity Investments, Hershey’s, Tyson Foods, and Vonage. Yet, although these clients are happy with the ad agency’s creativity, they haven't always been enamored with the company’s IT environment.

That’s because, just a few years ago, Arnold was answering the question, “Are you sure that no one else is looking at our confidential data?” with a shrug of the shoulders, a scratch on the cheek, and a lot of stammering. The ad agency needed a better way of controlling and auditing data access.

It wasn't a simple challenge. Arnold has a distributed workforce. The bulk of the company’s 900 employees are stationed in its headquarters in Boston, but others work in satellite offices in New York City, Los Angeles, Milwaukee, Philadelphia, and McLean, Va. The agency serves mainly North American companies, but it has an office in London to support its European clients.

Like many other well-established companies, the advertising agency has been moving to make its systems compliant with emerging regulatory requirements, such as Sarbanes-Oxley. After an initial checkup in 2005, Arnold found itself in good shape -- except for a few blank spots on its compliance report that questioned how the company protected its own, as well as its clients’, confidential data.

“We had password-protected the information and put policies in place to guard against data intrusion, but more was needed,” admits Greg Folsom, senior vice president and IT director at Arnold Worldwide.

The main issue was controlling data access. Problems could arise if employees switched departments or accounts -- the ad agency was not sure that the users’ new sets of privileges moved along with them. Also, the company lacked a good logging facility, so it was unclear which individuals had access to what applications.

The issue percolated on the back burner in 2006. At that time, the IT staff was on the lookout for compliance packages, but its evaluation process was ad hoc. Whenever vendors (Folsom isn’t sure which products the company looked at) notified the company about product demonstrations at local tradeshows or as part of their ongoing road shows, Arnold IT professionals came and took a peek.

In the fall of 2006, Arnold's IT team finally found an answer: Varonis Systems’ DatAdvantage, which seemed effective yet simple to deploy. The vendor agreed to supply the advertising company with a trial package, which ran for a few months. “Initially, we were leery of loading agents onto servers which had been performing well, but system performance was not impacted,” says Folsom.

Arnold then decided to switch from a trial run to a production system (Folsom declines to say how much the company spent) as the year ended. “We liked what we saw. Why examine 500 different products when the one we had did what we needed?” Folsom asks.

By early 2007, Varonis Systems’ DatAdvantage was monitoring data access for all of Arnold’s unstructured data files. The tool shows which users touch what unstructured data files, how much disk space is being used, and whether any changes are made to documents on file servers. With the product’s logging function, the advertising agency can definitively tell clients that no unauthorized users have accessed their information.
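The two gaps the article describes, privileges that follow an employee across a department move and the absence of a record of who touched which client files, are the kind of checks a file-access audit tool automates. The following is an added example (not Arnold's or Varonis's code) that runs both checks over constructed sample records: all share paths, group names, user names and log lines below are hypothetical.

```python
import csv
import io

# Constructed sample data (hypothetical shares, groups and users).
SHARE_OWNER = {           # client share -> the only group entitled to it
    "/shares/clients/espn": "espn-team",
    "/shares/clients/fidelity": "fidelity-team",
}
GROUPS = {                # current group membership on the file server
    "espn-team": {"alice", "bob"},
    "fidelity-team": {"bob", "carol"},
}
HR_DEPARTMENT = {         # authoritative department per user, from HR
    "alice": "espn-team", "bob": "fidelity-team", "carol": "fidelity-team",
}
ACCESS_LOG = """\
timestamp,user,path,action
2007-01-08T09:12:03,alice,/shares/clients/espn/plan.doc,read
2007-01-08T09:15:44,bob,/shares/clients/fidelity/budget.xls,write
2007-01-08T10:02:10,dave,/shares/clients/espn/storyboard.ppt,read
2007-01-08T10:07:55,carol,/shares/clients/espn/brief.doc,read
"""

def parse_log(text):
    """Parse CSV access records (one dict per row)."""
    return list(csv.DictReader(io.StringIO(text)))

def share_for(path, share_owner=SHARE_OWNER):
    """Map a file path to the client share containing it, or None."""
    for share in share_owner:
        if path.startswith(share + "/"):
            return share
    return None

def unauthorized_accesses(records, share_owner=SHARE_OWNER, groups=GROUPS):
    """(user, path) pairs where the user is not in the share's entitled group."""
    hits = []
    for r in records:
        share = share_for(r["path"], share_owner)
        if share is not None and r["user"] not in groups[share_owner[share]]:
            hits.append((r["user"], r["path"]))
    return hits

def stale_entitlements(groups=GROUPS, hr=HR_DEPARTMENT):
    """Group memberships that no longer match the user's HR department,
    i.e. privileges that followed someone across a department move."""
    return sorted((u, g) for g, members in groups.items()
                  for u in members if hr.get(u) != g)
```

In the sample data, bob kept his old espn-team membership after moving to the Fidelity account, and two users read ESPN files without being in the entitled group; both findings come from the same access records and group listing an audit tool would collect.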

If Varonis has a drawback, it's that it's too flexible, Folsom says, noting that it can be difficult to determine which features to use and which to ignore. Even though it has used the product for a year, Arnold is still trying to make those decisions.

The vendor provided ad-hoc training, which enabled Arnold to get the system up and running quickly. However, the company had difficulty remembering how to fine-tune the system later on. The agency would have preferred more formalized training, such as a series of Webinars, according to Folsom.

To date, however, the benefits of being fully compliant with Sarbanes-Oxley requirements outweigh any of the product's drawbacks. And with the new system in place, Arnold is now confident that it can handle its clients’ IT questions, as well as their advertising queries.
