Friday, March 29, 2024

Locking Up All of That ‘Free Information’

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

‘Information wants to be free.” This has become an oft-repeated mantra

of the open source movement.

The saying applies both to gaining access to software source code, and

being able to freely copy and distribute books, music, videos and other

forms of intellectual property. For IT managers, or even individual

computer users, however, that mantra can lead to their worst nightmare —

the inadvertent or malicious disclosure of confidential information.

Take the example of the Eagle County, Co. court clerk who accidentally

”freed” information in the Kobe Bryant rape case by sending the

transcripts to news media rather than to the attorneys working on the

case. Or there’s the case of the person last August who hacked into a UC

Berkeley database which contained the names, addresses, telephone

numbers, Social Security numbers and birthdates of about 600,000 people.

No, information shouldn’t be free.

In fact, in most cases you want all that information to be locked down

tighter than the solitary confinement cells at San Quentin. That’s why

the federal government has gotten into the mix by setting severe

penalties for failing to prevent improper disclosure of medical records

(HIPAA) or customers financial data (Gramm-Leach-Bliley).

Information, then, has to be readily available to employees, customers

and business partners, while also remaining confidential — a difficult

balance to achieve since enterprises have a greatly expanded and porous

security perimeter.

Removable media storage, for example, is the Grand Canyon of gaping

security holes.

Employee workstations have a variety of access points where data can be

easily downloaded to a storage device and taken out of the building. Most

computers now come with a writeable CD or DVD drive and an employee can

copy up to 4.7GB of data on a single DVD. Thumb drives posing as pens are

even harder to catch and can contain upwards of 128 MB.

Such threats have now come to the attention of the government.

U.S. Energy Secretary Spencer Abraham, for example, recently ordered 17

federal installations to stop conducting classified work on computers

with removable storage. This move came after two zip drives containing

nuclear weapons information went missing from the Los Alamos National

Laboratory.

”Those USB ports have been open for years, but now everybody is walking

around with MP3 players and USB thumb drives,” says Vladimir Chernavsky,

CEO of AdvancedForce in San Ramon, Calif. ”Every janitor is equipped

like James Bond. The janitor comes into the office with a 40GB MP3

player, which has twice as much capacity as my laptop.”

Then there is the matter of granting access to contractors, customers,

service providers and business partners. This means controlling access

and being responsible for the security policies not only of one’s own

company, but of the other as well.

Office Depot, Inc., the office supply superstore based in Delray Beach,

Fla., for example, uses human capital management firm Kenexa Corp. of

Wayne, Penn. to survey each of its 50,000 employees annually. But to

execute the surveys, Office Depot needs to let Kenexa into its HR

Information System (HRIS) to get the identities of all the employees and

map their location within the company’s hierarchy.

”We have a tool that takes the information from their succession

planning or HRIS, and map the entire organization for them,” explains

Troy Kanter, president of Kenexa’s HR capital management business. ”Then

we assign the individual passwords that will define which manager has

access to which data sets.”

In addition to ensuring that the data is secure on both companies’

servers, it must also be kept secure while traveling between the two data

centers.

Building it Back Up

Many believe that open source software is inherently more secure since

more people can examine the source code and look for vulnerabilities.

Whether or not this is actually the case, it can at least be said that

hackers currently view Microsoft products as more attractive targets.

”Many of the vulnerabilities that continue to be identified in Windows

2000, XP and Server 2003 are easily exploitable,” reports John

Pescatore, a security consultant with Gartner, Inc., a major industry

analyst firm based in Stamford, Conn. ”Attackers will continue to

develop worms that will cause damage equal to, or more severe than, the

system shutdowns and network congestion caused by the Slammer worm…

Enterprises that are dependent on Windows systems must invest both in

means to patch faster and in host-based intrusion prevention software for

all Windows PCs and servers.”

Windows is so prevalent, however, that most companies want to stick with

it, regardless of the potential for security issues. Fortunately, you

don’t have to switch to Linux to take advantage of open source security

tools.

One place to start looking for such tools is the SourceForge Web site

(www.sourceforge.org), which has nearly 2,000 security projects listed.

Some of the ones that are fully developed are Password Safe, a password

database utility; IPCop Firewall, a Linux firewall distribution product;

Eraser, a data removal tool for Windows, and Bastille Linux, which

configures security settings on Linux and Unix systems.

An open source Intrusion Detection System that has gained wide popularity

(more than 2 million downloads) is Snort (www.snort.org). It performs

real-time traffic analysis, packet logging, protocol analysis and content

searching and matching in order to detect problems, such as denial of

service attacks, port scans, OS fingerprinting, Server Message Block

probes, buffer overflows and Common Gateway Interface attacks. It also is

one of the better supported open source products, including manuals, user

conferences, training and commercial support through SourceFire, a firm

established by Snort creator Martin Roesch to commercialize the software.

Many of these tools run well on Windows platforms and can help reduce the

risk posed by thumb drives, wireless, and other similar threats.

Value Vs. Freedom

The statement ”information wants to be free” is only part of the

original statement. Stewart Brand, in fact, first used that phrasing

during a discussion at the fall 1984 Hackers’ Conference when he said,
”On the one hand, information wants to be expensive, because it’s so

valuable. The right information in the right place just changes your

life. On the other hand, information wants to be free, because the cost

of getting it out is getting lower and lower all the time. So you have

these two fighting against each other.”

Open source security tools can service both sides of this fight. For

those who want it to be free, they have their choice of no-cost

downloads. But for those who consider them valuable, and want the highest

level of support, they too can get what they need.

Subscribe to Data Insider

Learn the latest news and best practices about data science, big data analytics, artificial intelligence, data security, and more.

Similar articles

Get the Free Newsletter!

Subscribe to Data Insider for top news, trends & analysis

Latest Articles