Anti-Social Behavior
The threat level of social-networking platforms is rising fast, writes John Soat.

Drip, drip, drip… That's the sound of confidential corporate data leaking out onto the Web through social-media sites. Information security professionals can't ignore it any longer.

The Brits love a good scandal, and this was a good one. In April, a senior aide to British Prime Minister Gordon Brown was forced to resign after emails written by him, purportedly detailing plans to humiliate his political rivals, were made public. In his resignation statement, Damian McBride wrote: "I am shocked and appalled that, however they were obtained, these e-mails have been put into the public domain."

However, it isn't only politicians' information that is being leaked to the public. In a study called "Risky Business: Reputations Online," public-relations firm Weber Shandwick surveyed more than 700 senior executives last year. Respondents ranked "confidential or leaked info will appear online" as the top online risk to their companies' reputations.

Confidential corporate data finding its way onto the Web isn't new. But the rapid proliferation and popularization of interactive online platforms such as blogs, wikis, chat rooms and messaging sites such as Twitter—collectively known as social media—have upped those stakes significantly for information security professionals.

Experts say a comprehensive IT security strategy must incorporate the use of social media, and that this demands a reorientation toward the Internet. Security managers must stop thinking of Internet access in on/off, all-or-nothing terms and instead look on it as a series of conversations to be monitored in real time and in context, with effective rules being applied.

Just as important, information security professionals must ensure that their organizations' written security policies spell out the appropriate use of social media and that employees are well aware of the consequences of not following those rules.

Designed to Leak

The problem is straightforward. "Social media [platforms] are designed to leak," says Mark Rasch, a consultant with Secure IT Experts and the former head of the U.S. Department of Justice's computer crime unit. The casual nature of communication in social media and its immediacy and informality, combined with the global reach of the Internet, contribute to making social networks "the world's largest coffee klatch," he says.

It's a klatch that's growing. Time spent on social-networking sites has eclipsed time spent on email, according to a recent survey by market research firm Nielsen Online. And that includes cell-phone users.
top 3 allows users to search across multiple computers. GD3 stores an index and copies of files on Google's servers for nearly a month.

Chrome: Chrome is Google's browser. It's available for download today and will eventually be installed on new PCs. Some of the risks it poses include:

• Every URL visited gets logged by Google
• Every word, partial word or phrase typed into the location bar, even if you don't press the Enter/Return key, gets logged by Google
• Chrome sends an automatic cookie with every automatic search it performs from the location bar

Android: Android is Google's operating system for cell phones. It retains information about dialed phone numbers, received phone-call numbers, Web searches, emails and the geographic locations at which the phone was used.

Google Health: This product allows consumers—such as employees, coworkers and customers—to store their health records with Google. Recently, CVS Caremark, along with Walgreens and Longs Drugs in the United States, agreed to allow Google Health users to import their pharmacy records.

Organizational Threats

Uninstalling these products or using competing tools can mitigate many of these threats. But what about the dangers to your organization? One example is Google search with its Google Flu Trends (www.google.org/flutrends). Google has correlated flu data from the U.S. Centers for Disease Control (CDC) from 2003 to the present with its own search data. Spikes in users' searches about flu treatments correlated tightly with the CDC data. Flu Trends has demonstrated Google's ability to analyze search data for a specific term or set of terms. And it can retain this data and where it came from, because Google states in its privacy policies that it records IP addresses.

So, what's to stop Google from analyzing all search data from your organization's networks? What's the difference between analyzing flu trends and "Top 100 search terms from XYZ Corp."? Or what if a company were to correlate regional threats from swine flu with search data from Google Health/prescription data and then analyze the health of its employees and detect long-term effects?

Overall, the most critical threat is reliance on Gmail—whether the setting is universities, cities, companies or countries switching to Gmail en masse, or the newest employees in the organization using Gmail as their primary or sole email platform.

Questions to ask your security team: How big is the organization's email archive? How many years of emails are saved? If your organization switches its email hosting service to Google Gmail, what happens to the privacy and confidentiality clauses in your employee and customer contracts?

Another area of concern for hosted email is the potential of having to turn that data over to the government. Google, Yahoo and Microsoft have a history of complying with the United States' and foreign governments' requests for information. If such data is turned over, how much corporate security is being eroded?

Consider the amount of money and manpower dedicated to handling Microsoft Windows patches, viruses, spyware and botnet detection. Imagine the impact that reliance on Google products could have on corporate privacy and security.

Raj Goel, CISSP, is chief technology officer of Brainlink International, an IT services firm. He is located in New York and can be reached at raj@goel.com.
The photo and video capability of mobile phones represents a potential avenue to exposing proprietary corporate data, both purposeful and inadvertent.

What's Being Said

Addressing this security challenge involves knowing what's going out of your organization as well as what's coming in, says Rasch. Instead of simply blocking websites, companies must be "appropriately monitoring what's going out of the corporation and what's being said by people in the company," he says.

There are a growing number of technology solutions attempting to address this problem, says the 451 Group's Roberts: "It's a very hot area right now." Most solutions have secure gateways that monitor Web traffic and keep track of social media as it evolves. "Our core capability is our ability to understand several thousand applications at the egress level," says Kailash Ambwani, CEO of FaceTime Communications, which markets a Web monitoring and content management system.

Part of the problem is that Facebook, MySpace and Twitter are only the best-known names in social media; there are many more, with a variety of purposes, such as Delicious, FriendFeed,

engage with," says Dave Meizlik, director of product marketing at Websense, a Web monitoring and content management vendor. There are three important contextual indicators, he explains. "When you understand the user, the data and the destination, you can set policy around those," Meizlik says. "That allows you to set business intelligence controls but still enable business."

Also, companies should track social-media sites for potentially compromising content. Rasch calls this "open-source monitoring," and there are several products and services that can follow every mention of a company's brand or logo in the blogosphere. Usually these are marketing tools, but information security professionals might want to employ them, for instance, to seek wayward intellectual property. This effort can be accomplished with tools as simple as Google Alerts or Yahoo Pipes.

Policy Matters

Still, vendors themselves admit that technology alone won't solve the problem. "Technology is an enabler for good policy," says Meizlik.

Companies must update their security policies to address the use of social media. But what such a policy might entail depends, to a certain degree, on

ful of what you're communicating." At a tactical level, salespeople can't talk about specific customers they're working with and developers can't talk about particular projects or features they're working on, he says.

A factor that should not be underestimated is employee satisfaction. Security professionals should encourage their companies to conduct employee-satisfaction surveys and to take them seriously. Satisfied employees can be strong advocates for their companies in social media; unhappy employees are social-media time bombs.

Information security professionals can't ignore the growing use of social media and the increasing threat level it represents. The security risks related to peer-to-peer networks are well documented, yet many people might be surprised to find out how prevalent P2P is in the corporate environment. FaceTime regularly polls the gateway devices installed at its customers' sites. In its most recent survey of the 80 locations represented, 94 percent have at least one P2P end-point. In terms of social-networking sites, that number is 100 percent. And that's a lot of egress points.

John Soat is a freelance business and technology journalist based in Ohio.
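The "user, data, destination" policy Meizlik describes, the tactical rules given above (salespeople may not name specific customers, developers may not name specific projects), and the earlier point that Internet access should be treated as conversations monitored in context under effective rules, can all be expressed as one small egress check. The following is an added example written for this page, not code from the article or from any vendor named in it. The user roles, customer names, project codenames, destination hosts and sample posts are all constructed; a real gateway would draw them from directory data, a customer list and a DLP dictionary.

```python
"""Contextual egress policy for outbound social-media posts.

Added example for this page (not the article's or any vendor's code).
The three contextual indicators are user (role), data (what the post
contains) and destination (where it is going). All reference data and
sample posts below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed reference data for a hypothetical organisation.
USER_ROLES: Dict[str, str] = {"alice": "sales", "bob": "developer", "carol": "marketing"}
CUSTOMER_NAMES: Set[str] = {"acme corp", "globex"}
PROJECT_CODENAMES: Set[str] = {"bluebird", "project nimbus"}
SOCIAL_DESTINATIONS: Set[str] = {"twitter.com", "facebook.com", "myspace.com", "friendfeed.com"}
CONFIDENTIAL_MARKERS = re.compile(r"\b(confidential|internal only|do not distribute)\b", re.I)


@dataclass(frozen=True)
class Post:
    user: str
    destination: str  # host the post is being sent to
    text: str


def _mentions(text: str, names: Set[str]) -> List[str]:
    """Whole-word, case-insensitive matches of any name in the text."""
    return [n for n in names if re.search(r"\b" + re.escape(n) + r"\b", text, re.I)]


def classify(text: str) -> Set[str]:
    """Data indicator: labels describing what sensitive content the post carries."""
    labels: Set[str] = set()
    if _mentions(text, CUSTOMER_NAMES):
        labels.add("customer")
    if _mentions(text, PROJECT_CODENAMES):
        labels.add("project")
    if CONFIDENTIAL_MARKERS.search(text):
        labels.add("marked-confidential")
    return labels


def decide(post: Post) -> Tuple[str, List[str]]:
    """Combine user, data and destination into a verdict.

    Returns (verdict, reasons) with verdict one of:
      "allow"   - nothing sensitive, or destination outside this policy's scope
      "monitor" - sensitive content from a role without a hard rule; log for review
      "block"   - a hard rule fired
    """
    reasons: List[str] = []
    if post.destination not in SOCIAL_DESTINATIONS:
        return "allow", ["destination is not a social-media site covered by this policy"]
    role = USER_ROLES.get(post.user, "unknown")
    labels = classify(post.text)
    if not labels:
        return "allow", ["no sensitive content detected"]
    # Hard rules: anything marked confidential, plus the role-specific rules from the article.
    if "marked-confidential" in labels:
        reasons.append("post carries a confidentiality marking")
    if role == "sales" and "customer" in labels:
        reasons.append("sales staff may not name specific customers")
    if role == "developer" and "project" in labels:
        reasons.append("developers may not name specific projects or features")
    if reasons:
        return "block", reasons
    # Sensitive content but no hard rule for this role: let it through and record it.
    return "monitor", [f"{role} user posting {sorted(labels)} to {post.destination}"]


def audit(posts: List[Post]) -> List[Tuple[str, str, str]]:
    """Evaluate a batch of posts; returns (user, destination, verdict) per post."""
    return [(p.user, p.destination, decide(p)[0]) for p in posts]


# Constructed sample traffic, as an egress gateway might see it.
SAMPLE_POSTS = [
    Post("alice", "twitter.com", "Great meeting with Acme Corp today about their renewal!"),
    Post("bob", "friendfeed.com", "Finally shipped the Bluebird beta, bug count down 40%"),
    Post("carol", "facebook.com", "We're hiring! See our careers page."),
    Post("carol", "twitter.com", "Sneak peek: Project Nimbus launches next quarter"),
    Post("alice", "twitter.com", "CONFIDENTIAL: Q3 pricing changes for all accounts"),
    Post("bob", "mail.example.com", "Internal only: Bluebird design doc attached"),
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        verdict, why = decide(post)
        print(f"{verdict:8} {post.user:6} -> {post.destination:18} {'; '.join(why)}")
```

The "monitor" verdict is the point of the contextual approach: a marketing user mentioning a project is not blocked outright (that would be the all-or-nothing model the article argues against), but the event is recorded with its context so it can be reviewed. Note that the last sample post is passed through only because the policy scopes itself to social-media hosts; mail would need its own rules.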
Recruiting pre-qualified infosecurity pros

tion before looking for their next job. The further up the career ladder these professionals climb, the higher the expectation will be that they hold one or multiple certifications. The most commonly sought-after qualifications are

Information security specialists, most notably penetration testers and forensics analysts, are continually in demand by employers. In these cases, while relevant certifications and qualifications are desirable, solid experience

bridge Network Recruitment, which has been providing specialist information security recruitment services across Europe for more than 10 years.