Locking Up All of That 'Free Information'

"Information wants to be free." This has become an oft-repeated mantra of the open source movement.

The saying applies both to gaining access to software source code, and being able to freely copy and distribute books, music, videos and other forms of intellectual property. For IT managers, or even individual computer users, however, that mantra can lead to their worst nightmare -- the inadvertent or malicious disclosure of confidential information.

Take the example of the Eagle County, Co. court clerk who accidentally "freed" information in the Kobe Bryant rape case by sending the transcripts to news media rather than to the attorneys working on the case. Or there's the case of the person last August who hacked into a UC Berkeley database which contained the names, addresses, telephone numbers, Social Security numbers and birthdates of about 600,000 people.

No, information shouldn't be free.

In fact, in most cases you want all that information to be locked down tighter than the solitary confinement cells at San Quentin. That's why the federal government has gotten into the mix by setting severe penalties for failing to prevent improper disclosure of medical records (HIPAA) or customers' financial data (Gramm-Leach-Bliley).

Information, then, has to be readily available to employees, customers and business partners, while also remaining confidential -- a difficult balance to achieve since enterprises have a greatly expanded and porous security perimeter.

Removable media storage, for example, is the Grand Canyon of gaping security holes.

Employee workstations have a variety of access points where data can be easily downloaded to a storage device and taken out of the building. Most computers now come with a writeable CD or DVD drive and an employee can copy up to 4.7GB of data on a single DVD. Thumb drives posing as pens are even harder to catch and can contain upwards of 128 MB.

Such threats have now come to the attention of the government.

U.S. Energy Secretary Spencer Abraham, for example, recently ordered 17 federal installations to stop conducting classified work on computers with removable storage. This move came after two zip drives containing nuclear weapons information went missing from the Los Alamos National Laboratory.

"Those USB ports have been open for years, but now everybody is walking around with MP3 players and USB thumb drives," says Vladimir Chernavsky, CEO of AdvancedForce in San Ramon, Calif. "Every janitor is equipped like James Bond. The janitor comes into the office with a 40GB MP3 player, which has twice as much capacity as my laptop."

Then there is the matter of granting access to contractors, customers, service providers and business partners. This means controlling access and being responsible for the security policies not only of one's own company, but of the other as well.

Office Depot, Inc., the office supply superstore based in Delray Beach, Fla., for example, uses human capital management firm Kenexa Corp. of Wayne, Penn. to survey each of its 50,000 employees annually. But to execute the surveys, Office Depot needs to let Kenexa into its HR Information System (HRIS) to get the identities of all the employees and map their location within the company's hierarchy.

"We have a tool that takes the information from their succession planning or HRIS, and map the entire organization for them," explains Troy Kanter, president of Kenexa's HR capital management business. "Then we assign the individual passwords that will define which manager has access to which data sets."

In addition to ensuring that the data is secure on both companies' servers, it must also be kept secure while traveling between the two data centers.

Building it Back Up

Many believe that open source software is inherently more secure since more people can examine the source code and look for vulnerabilities. Whether or not this is actually the case, it can at least be said that hackers currently view Microsoft products as more attractive targets.

"Many of the vulnerabilities that continue to be identified in Windows 2000, XP and Server 2003 are easily exploitable," reports John Pescatore, a security consultant with Gartner, Inc., a major industry analyst firm based in Stamford, Conn. "Attackers will continue to develop worms that will cause damage equal to, or more severe than, the system shutdowns and network congestion caused by the Slammer worm... Enterprises that are dependent on Windows systems must invest both in means to patch faster and in host-based intrusion prevention software for all Windows PCs and servers."

Windows is so prevalent, however, that most companies want to stick with it, regardless of the potential for security issues. Fortunately, you don't have to switch to Linux to take advantage of open source security tools.

One place to start looking for such tools is the SourceForge Web site (www.sourceforge.org), which has nearly 2,000 security projects listed. Some of the ones that are fully developed are Password Safe, a password database utility; IPCop Firewall, a Linux firewall distribution product; Eraser, a data removal tool for Windows, and Bastille Linux, which configures security settings on Linux and Unix systems.

An open source Intrusion Detection System that has gained wide popularity (more than 2 million downloads) is Snort (www.snort.org). It performs real-time traffic analysis, packet logging, protocol analysis and content searching and matching in order to detect problems, such as denial of service attacks, port scans, OS fingerprinting, Server Message Block probes, buffer overflows and Common Gateway Interface attacks. It also is one of the better supported open source products, including manuals, user conferences, training and commercial support through SourceFire, a firm established by Snort creator Martin Roesch to commercialize the software.

Many of these tools run well on Windows platforms and can help reduce the risk posed by thumb drives, wireless, and other similar threats.

Value Vs. Freedom

The statement "information wants to be free" is only part of the original statement. Stewart Brand, in fact, first used that phrasing during a discussion at the fall 1984 Hackers' Conference when he said, "On the one hand, information wants to be expensive, because it's so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other."

Open source security tools can service both sides of this fight. For those who want it to be free, they have their choice of no-cost downloads. But for those who consider them valuable, and want the highest level of support, they too can get what they need.
