Each week vnunet.com asks a different expert to give their views on recent security issues, with advice, warnings and information on the latest threats.
This week Calum Macleod, senior IT consultant at Cyber-Ark, highlights some of last year's mishaps and offers a few tips for a safer 2005.
It's that time of the year again when we all reflect on the year gone by and consider what lies ahead. For many of us it's a time to resolve to do better, or more often than not for others to resolve on our behalf.
In the world of IT most of us would have to admit, at least at some stage, to being grateful onlookers when we consider the IT misfortunes of others.
We might wonder how our peers could be so irresponsible as to allow such mishaps. Or more likely thank our lucky stars that yet again we've escaped, and hopefully no one above us asks too many questions about how we would have dealt with a similar situation.
So as we consider our IT security resolutions, it might be good to reflect on the twists of fate suffered by some of our colleagues over the past year, and try to learn from the bitter experience of others.
March saw a well-known bank having to pay a substantial fine for failing to produce some old emails on time, although it was not alone in this, since other companies that fell under the Sarbanes-Oxley umbrella suffered similar fates.
Under the Act, public companies in the US, or those dealing with US firms, are required to archive any and all financial data, and to keep a record of a document's lifecycle, including who within the company accessed, viewed or amended any given document. The information also needs to be retrievable in just two business days.
August was the month for leaks. People had nothing better to do it seemed, or maybe it was just a bad month for news, but suddenly it was raining source code. What is difficult to understand is why anyone who should not have access to this code would even know where to look.
August continued to be a bad month for consumer confidence with the news that Hotmail had some flaws that allowed access to other people's email.
October brought the issue of using home computers for work to the forefront, at least in The Netherlands. Known as the Tonino affair, it involved the case of a Dutch public prosecutor putting his personal PC out on the street with the rubbish, believing it to be defective because of a virus.
A passing taxi-driver saw it and took it home with him. He easily got it to work and took it to a journalist. The hard drive contained information on high profile cases, and the system allowed access to all of Tonino's email traffic.
Adding insult to injury, hackers raided Tonino's email box and placed important correspondence on the internet. Suffice it to say the unfortunate gentleman's caseload is not what it was.
So how are you working from home? Using your private PC and downloading confidential information from the office with the intention of making your life easier and being more productive for the company?
Unfortunately it seems that many of those PCs leaving the store may not be as safe as we'd like to think, as they are not always patched with the latest security fixes.
And then off we go providing easy remote access with all kinds of whizz bang VPN stuff, and allowing colleagues to download all kinds of confidential data. Christmas comes along and if you're lucky maybe the employee from human resources threw the old PC in the bin. It might be worse: they may have given it to the kids.
December saw yet another government minister fall prey to the wonders of email. Email is a great invention, and I simply can't imagine life without it. But we frequently forget that the keyboard is mightier than the sword, because old emails have a habit of rising from the grave and biting us when we least expect it.
So there we have it, a year of unfortunate mishaps, and many more besides that. But how do you avoid being next year's talk of the town? Well maybe a few resolutions would help:
- Put in place security layers such as File Access Control and Version Control according to your company's policy so that only authorised users will be able to delete or modify documents.
- Implement monitoring and auditing features to ensure that all activities are logged, and that reports can be issued and sent according to a notification process.
- Put controls in place to ensure that users cannot copy confidential information to unauthorised systems.
This would be at the very least a start, but in the event that you find this all too much trouble, and you think that this kind of stuff only happens to other people ...
- Look into a good personal liability insurance policy, because the chances are that you might need it.