Locking Up All of That 'Free Information'

The open source community goes with the saying, ''Information wants to be free''. But does free necessarily mean safe? And how do you safely lock it down?
Posted December 7, 2004
By

Drew Robb

Drew Robb


'Information wants to be free.'' This has become an oft-repeated mantra of the open source movement.

The saying applies both to gaining access to software source code, and being able to freely copy and distribute books, music, videos and other forms of intellectual property. For IT managers, or even individual computer users, however, that mantra can lead to their worst nightmare -- the inadvertent or malicious disclosure of confidential information.

Take the example of the Eagle County, Co. court clerk who accidentally ''freed'' information in the Kobe Bryant rape case by sending the transcripts to news media rather than to the attorneys working on the case. Or there's the case of the person last August who hacked into a UC Berkeley database which contained the names, addresses, telephone numbers, Social Security numbers and birthdates of about 600,000 people.

No, information shouldn't be free.

In fact, in most cases you want all that information to be locked down tighter than the solitary confinement cells at San Quentin. That's why the federal government has gotten into the mix by setting severe penalties for failing to prevent improper disclosure of medical records (HIPAA) or customers financial data (Gramm-Leach-Bliley).

Information, then, has to be readily available to employees, customers and business partners, while also remaining confidential -- a difficult balance to achieve since enterprises have a greatly expanded and porous security perimeter.

Removable media storage, for example, is the Grand Canyon of gaping security holes.

Employee workstations have a variety of access points where data can be easily downloaded to a storage device and taken out of the building. Most computers now come with a writeable CD or DVD drive and an employee can copy up to 4.7GB of data on a single DVD. Thumb drives posing as pens are even harder to catch and can contain upwards of 128 MB.

Such threats have now come to the attention of the government.

U.S. Energy Secretary Spencer Abraham, for example, recently ordered 17 federal installations to stop conducting classified work on computers with removable storage. This move came after two zip drives containing nuclear weapons information went missing from the Los Alamos National Laboratory.

''Those USB ports have been open for years, but now everybody is walking around with MP3 players and USB thumb drives,'' says Vladimir Chernavsky, CEO of AdvancedForce in San Ramon, Calif. ''Every janitor is equipped like James Bond. The janitor comes into the office with a 40GB MP3 player, which has twice as much capacity as my laptop.''

Then there is the matter of granting access to contractors, customers, service providers and business partners. This means controlling access and being responsible for the security policies not only of one's own company, but of the other as well.

Office Depot, Inc., the office supply superstore based in Delray Beach, Fla., for example, uses human capital management firm Kenexa Corp. of Wayne, Penn. to survey each of its 50,000 employees annually. But to execute the surveys, Office Depot needs to let Kenexa into its HR Information System (HRIS) to get the identities of all the employees and map their location within the company's hierarchy.

''We have a tool that takes the information from their succession planning or HRIS, and map the entire organization for them,'' explains Troy Kanter, president of Kenexa's HR capital management business. ''Then we assign the individual passwords that will define which manager has access to which data sets.''

In addition to ensuring that the data is secure on both companies' servers, it must also be kept secure while traveling between the two data centers.

Building it Back Up

Many believe that open source software is inherently more secure since more people can examine the source code and look for vulnerabilities. Whether or not this is actually the case, it can at least be said that hackers currently view Microsoft products as more attractive targets.

''Many of the vulnerabilities that continue to be identified in Windows 2000, XP and Server 2003 are easily exploitable,'' reports John Pescatore, a security consultant with Gartner, Inc., a major industry analyst firm based in Stamford, Conn. ''Attackers will continue to develop worms that will cause damage equal to, or more severe than, the system shutdowns and network congestion caused by the Slammer worm... Enterprises that are dependent on Windows systems must invest both in means to patch faster and in host-based intrusion prevention software for all Windows PCs and servers.''

Windows is so prevalent, however, that most companies want to stick with it, regardless of the potential for security issues. Fortunately, you don't have to switch to Linux to take advantage of open source security tools.

One place to start looking for such tools is the SourceForge Web site (www.sourceforge.org), which has nearly 2,000 security projects listed. Some of the ones that are fully developed are Password Safe, a password database utility; IPCop Firewall, a Linux firewall distribution product; Eraser, a data removal tool for Windows, and Bastille Linux, which configures security settings on Linux and Unix systems.

An open source Intrusion Detection System that has gained wide popularity (more than 2 million downloads) is Snort (www.snort.org). It performs real-time traffic analysis, packet logging, protocol analysis and content searching and matching in order to detect problems, such as denial of service attacks, port scans, OS fingerprinting, Server Message Block probes, buffer overflows and Common Gateway Interface attacks. It also is one of the better supported open source products, including manuals, user conferences, training and commercial support through SourceFire, a firm established by Snort creator Martin Roesch to commercialize the software.

Many of these tools run well on Windows platforms and can help reduce the risk posed by thumb drives, wireless, and other similar threats.

Value Vs. Freedom

The statement ''information wants to be free'' is only part of the original statement. Stewart Brand, in fact, first used that phrasing during a discussion at the fall 1984 Hackers' Conference when he said, ''On the one hand, information wants to be expensive, because it's so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other.''

Open source security tools can service both sides of this fight. For those who want it to be free, they have their choice of no-cost downloads. But for those who consider them valuable, and want the highest level of support, they too can get what they need.






0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.