Dark Reading is part of the Informa Tech Division of Informa PLC


03:15 AM

Ad Agency Keeps the Word From Spreading

Access control technology helps Arnold Worldwide protect client data, meet compliance requirements

In the high-risk, high-reward advertising industry, Arnold Worldwide has been a winner. In fact, it has helped to formulate the advertising plans for a whole range of heavyweights, including ESPN, Fidelity Investments, Hershey’s, Tyson Foods, and Vonage. Yet, although these clients are happy with the ad agency’s creativity, they haven't always been enamored with the company’s IT environment.

That’s because, just a few years ago, Arnold was answering the question, “Are you sure that no one else is looking at our confidential data?” with a shrug of the shoulders, a scratch on the cheek, and a lot of stammering. The ad agency needed a better way of controlling and auditing data access.

It wasn't a simple challenge. Arnold has a distributed workforce. The bulk of the company’s 900 employees are stationed in its headquarters in Boston, but others work in satellite offices in New York City, Los Angeles, Milwaukee, Philadelphia, and McLean, Va. The agency serves mainly North American companies, but it has an office in London to support its European clients.

Like many other well-established companies, the advertising agency has been moving to make its systems compliant with emerging regulatory requirements, such as Sarbanes-Oxley. After an initial checkup in 2005, Arnold found itself in good shape -- except for a few blank spots on its compliance report that questioned how the company protected its own, as well as its clients’, confidential data.

“We had password-protected the information and put policies in place to guard against data intrusion, but more was needed,” admits Greg Folsom, senior vice president and IT director at Arnold Worldwide.

The main issue was controlling data access. Problems could arise if employees switched departments or accounts -- the ad agency was not sure that the users’ new sets of privileges moved along with them. Also, the company lacked a good logging facility, so it was unclear which individuals had access to what applications.

The issue percolated on the back burner in 2006. At that time, the IT staff was on the lookout for compliance packages, but its evaluation process was ad hoc. Whenever vendors (Folsom isn’t sure which products the company looked at) notified the company about product demonstrations at local tradeshows or as part of their ongoing road shows, Arnold IT professionals came and took a peek.

In the fall of 2006, Arnold's IT team finally found an answer: Varonis Systems’ DatAdvantage, which seemed effective yet simple to deploy. The vendor agreed to supply the advertising company with a trial package, which ran for a few months. “Initially, we were leery of loading agents onto servers which had been performing well, but system performance was not impacted,” says Folsom.

Arnold then decided to switch from a trial run to a production system (Folsom declines to say how much the company spent) as the year ended. “We liked what we saw. Why examine 500 different products when the one we had did what we needed?” Folsom asks.

By early 2007, Varonis Systems’ DatAdvantage was monitoring data access for all of Arnold’s unstructured data files. The tool shows which users touch what unstructured data files, how much disk space is being used, and whether any changes are made to documents on file servers. With the product’s logging function, the advertising agency can definitively tell clients that no unauthorized users have accessed their information.

If Varonis has a drawback, it's that it's too flexible, Folsom says, noting that it can be difficult to determine which features to use and which to ignore. Even though it has used the product for a year, Arnold is still trying to make those decisions.

The vendor provided ad-hoc training, which enabled Arnold to get the system up and running quickly. However, the company had difficulty remembering how to fine-tune the system later on. The agency would have preferred more formalized training, such as a series of Webinars, according to Folsom.

To date, however, the benefits of being fully compliant with Sarbanes-Oxley requirements outweigh any of the product's drawbacks. And with the new system in place, Arnold is now confident that it can handle its clients’ IT questions, as well as their advertising queries.
