Centennial DeviceWall - Protecting you and your network

February 24, 2006

McAfee faces ID theft after security breach

Filed under: News, ID theft, Data Theft — Matt Fisher @ 1:05 pm

Few people will miss the irony that IT security giant, McAfee, is itself on the receiving end of a serious security incident after an external auditor lost a CD containing information on thousands of current and former McAfee employees.

According to reports, the auditor from Deloitte and Touche left the unlabelled CD in an airline seat pocket two months ago. Although the CD was misplaced on 15th December 2005, McAfee wasn’t notified of the potentially serious breach until January 11th 2006. McAfee has notified all current and past employees of the incident, but claims there has been no misuse of the lost data so far.

This latest scare further highlights the risks associated with carrying unprotected sensitive information on small removable media devices. While iPods and USB sticks are often singled out as the main threats, this shows that even the humble CD, left unencrypted and unattended, can create a serious security breach - one which could potentially cost an organization millions.

February 23, 2006

Acxiom data thief sentenced to eight years in jail

Filed under: News, Data Theft — Matt Fisher @ 5:09 pm

Scott Levine, the man convicted of downloading over 80 gigabytes of personal records from an Acxiom computer, was today sentenced to eight years in jail for what the US Justice Department described as one of the largest data heists to date.

February 22, 2006

Computer users don’t care about security - it’s “official”

Filed under: Opinion — Matt Fisher @ 6:54 pm

As if we didn’t know it already, a clever marketing stunt from a UK IT skills company has claimed proof-positive that users don’t care about security.

Operatives for the training provider camped out at subway stations in London’s financial district, handing out CDs supposedly as a Valentine’s special offer. In reality, the CDs contained a tracking code that showed a large number of employees in top financial firms had tried to run the disks when they got into the office.

Considering the employees had no knowledge of what was really on the CD, this clearly illustrates a major security issue facing all organizations today. But instead of simply taking the ‘all users are stupid’ line, shouldn’t companies themselves be looking afresh at their PC security policies?

After all, how many staff really need to install software from a CD-ROM, or indeed write data to removable media devices? And if staff try to read from a disk, or write to a device, shouldn’t you at least know about it? PCs are currently the weak link in network security measures and need to be secure, no matter who’s using them or where they are.

As such, the responsibility has to lie with the employer to centrally manage the connection of different device types to company PCs, not to rely on users to know instinctively what devices they should and should not use. After all, employees don’t care about security. Fact.

Five steps to intelligent USB lock down and endpoint security

Filed under: News, Hacking, Lifestyle Computing, ID theft, IT Skills — Matt Fisher @ 5:22 pm

Endpoint security vendor, Centennial Software, has developed a simple five-step process to intelligent USB lock down. Following a number of recent high-profile security incidents, where sensitive data was stolen from company PCs, the vendor is warning all companies to guard against the threats posed by removable media devices.

The five-step plan comprises:

1. Audit how many employees are currently using removable media devices in the workplace
2. Compare use against legitimate business requirements
3. Create or refine your computing security policies to encompass mobile gadgets
4. Enforce the policy with an ‘intelligent USB lockdown’ solution
5. Educate staff, review usage trends and refine policy

To help organizations understand the current usage levels of removable media devices, Centennial Software offers a free trial version of its DeviceWall endpoint security solution, which will automatically monitor and record all device connections.

Read Centennial’s five steps here.

February 21, 2006

Google admits security risks in desktop software

Filed under: News, Hacking, Wi-Fi — Matt Fisher @ 2:54 pm

Google Desktop has become something of a savior for many business users, quickly finding lost emails, old Word documents and the like. But the search company has had its latest Google Desktop 3 Beta software criticized by Gartner for a serious security flaw which could see many organizations’ endpoint security efforts rendered useless.

The trouble is that data from the user’s network is transferred to remote Google servers, where it is stored and can be searched for up to 30 days. According to Gartner, this represents a serious threat of lost Intellectual Property, which will be more than many organizations can stomach.

As such, the advice has to be not to install the latest version of the software, which raises the potential for a serious data loss or identity theft incident. As a minimum, companies are advised to disable the “Search Across Computers” facility in the latest Beta.

The problem for many organizations is that they will have little or no visibility of who has installed the Google Desktop software. Auto-inventory solutions like Centennial Discovery 2005 can help identify the presence of unwanted or potentially dangerous software on the network, helping administrators take action to close any security gaps.