7/25/2008
03:15 AM

Ad Agency Keeps the Word From Spreading

Access control technology helps Arnold Worldwide protect client data, meet compliance requirements

In the high-risk, high-reward advertising industry, Arnold Worldwide has been a winner. In fact, it has helped to formulate the advertising plans for a whole range of heavyweights, including ESPN, Fidelity Investments, Hershey’s, Tyson Foods, and Vonage. Yet, although these clients are happy with the ad agency’s creativity, they haven't always been enamored with the company’s IT environment.

That’s because, just a few years ago, Arnold was answering the question, “Are you sure that no one else is looking at our confidential data?” with a shrug of the shoulders, a scratch on the cheek, and a lot of stammering. The ad agency needed a better way of controlling and auditing data access.

It wasn't a simple challenge. Arnold has a distributed workforce. The bulk of the company’s 900 employees are stationed in its headquarters in Boston, but others work in satellite offices in New York City, Los Angeles, Milwaukee, Philadelphia, and McLean, Va. The agency serves mainly North American companies, but it has an office in London to support its European clients.

Like many other well-established companies, the advertising agency has been moving to make its systems compliant with emerging regulatory requirements, such as Sarbanes-Oxley. After an initial checkup in 2005, Arnold found itself in good shape -- except for a few blank spots on its compliance report that questioned how the company protected its own, as well as its clients’, confidential data.

“We had password-protected the information and put policies in place to guard against data intrusion, but more was needed,” admits Greg Folsom, senior vice president and IT director at Arnold Worldwide.

The main issue was controlling data access. Problems could arise if employees switched departments or accounts -- the ad agency was not sure that the users’ new sets of privileges moved along with them. Also, the company lacked a good logging facility, so it was unclear which individuals had access to what applications.

The issue percolated on the back burner in 2006. At that time, the IT staff was on the lookout for compliance packages, but its evaluation process was ad hoc. Whenever vendors (Folsom isn’t sure which products the company looked at) notified the company about product demonstrations at local tradeshows or as part of their ongoing road shows, Arnold IT professionals came and took a peek.

In the fall of 2006, Arnold's IT team finally found an answer: Varonis Systems’ DatAdvantage, which seemed effective yet simple to deploy. The vendor agreed to supply the advertising company with a trial package, which ran for a few months. “Initially, we were leery of loading agents onto servers which had been performing well, but system performance was not impacted,” says Folsom.

Arnold then decided to switch from a trial run to a production system (Folsom declines to say how much the company spent) as the year ended. “We liked what we saw. Why examine 500 different products when the one we had did what we needed?” Folsom asks.

By early 2007, Varonis Systems’ DatAdvantage was monitoring data access for all of Arnold’s unstructured data files. The tool shows which users touch what unstructured data files, how much disk space is being used, and whether any changes are made to documents on file servers. With the product’s logging function, the advertising agency can definitively tell clients that no unauthorized users have accessed their information.

If Varonis has a drawback, it's that it's too flexible, Folsom says, noting that it can be difficult to determine which features to use and which to ignore. Even though it has used the product for a year, Arnold is still trying to make those decisions.

The vendor provided ad-hoc training, which enabled Arnold to get the system up and running quickly. However, the company had difficulty remembering how to fine-tune the system later on. The agency would have preferred more formalized training, such as a series of Webinars, according to Folsom.

To date, however, the benefits of being fully compliant with Sarbanes-Oxley requirements outweigh any of the product's drawbacks. And with the new system in place, Arnold is now confident that it can handle its clients’ IT questions, as well as their advertising queries.
