“Information wants to be free.” This has become an oft-repeated mantra
of the open source movement.
The saying applies both to gaining access to software source code, and
being able to freely copy and distribute books, music, videos and other
forms of intellectual property. For IT managers, or even individual
computer users, however, that mantra can lead to their worst nightmare —
the inadvertent or malicious disclosure of confidential information.
Take the example of the Eagle County, Colo., court clerk who accidentally
“freed” information in the Kobe Bryant rape case by sending the
transcripts to news media rather than to the attorneys working on the
case. Or there’s the case of the person who last August hacked into a UC
Berkeley database that contained the names, addresses, telephone
numbers, Social Security numbers and birthdates of about 600,000 people.
No, information shouldn’t be free.
In fact, in most cases you want all that information to be locked down
tighter than the solitary confinement cells at San Quentin. That’s why
the federal government has gotten into the mix by setting severe
penalties for failing to prevent improper disclosure of medical records
(HIPAA) or customers’ financial data (Gramm-Leach-Bliley).
Information, then, has to be readily available to employees, customers
and business partners, while also remaining confidential — a difficult
balance to achieve since enterprises have a greatly expanded and porous
security perimeter.
Removable media storage, for example, is the Grand Canyon of gaping
security holes.
Employee workstations have a variety of access points where data can be
easily downloaded to a storage device and taken out of the building. Most
computers now come with a writeable CD or DVD drive and an employee can
copy up to 4.7GB of data on a single DVD. Thumb drives posing as pens are
even harder to catch and can contain upwards of 128 MB.
Such threats have now come to the attention of the government.
U.S. Energy Secretary Spencer Abraham, for example, recently ordered 17
federal installations to stop conducting classified work on computers
with removable storage. This move came after two Zip disks containing
nuclear weapons information went missing from the Los Alamos National
Laboratory.
“Those USB ports have been open for years, but now everybody is walking
around with MP3 players and USB thumb drives,” says Vladimir Chernavsky,
CEO of AdvancedForce in San Ramon, Calif. “Every janitor is equipped
like James Bond. The janitor comes into the office with a 40GB MP3
player, which has twice as much capacity as my laptop.”
Then there is the matter of granting access to contractors, customers,
service providers and business partners. This means controlling access
and taking responsibility for the security policies not only of one’s
own company, but of the partner’s as well.
Office Depot, Inc., the office supply superstore based in Delray Beach,
Fla., for example, uses human capital management firm Kenexa Corp. of
Wayne, Pa., to survey each of its 50,000 employees annually. But to
execute the surveys, Office Depot needs to let Kenexa into its HR
Information System (HRIS) to get the identities of all the employees and
map their location within the company’s hierarchy.
“We have a tool that takes the information from their succession
planning or HRIS, and maps the entire organization for them,” explains
Troy Kanter, president of Kenexa’s HR capital management business. “Then
we assign the individual passwords that will define which manager has
access to which data sets.”
In addition to ensuring that the data is secure on both companies’
servers, it must also be kept secure while traveling between the two data
centers.
Building it Back Up
Many believe that open source software is inherently more secure since
more people can examine the source code and look for vulnerabilities.
Whether or not this is actually the case, it can at least be said that
hackers currently view Microsoft products as more attractive targets.
“Many of the vulnerabilities that continue to be identified in Windows
2000, XP and Server 2003 are easily exploitable,” reports John
Pescatore, a security consultant with Gartner, Inc., a major industry
analyst firm based in Stamford, Conn. “Attackers will continue to
develop worms that will cause damage equal to, or more severe than, the
system shutdowns and network congestion caused by the Slammer worm…
Enterprises that are dependent on Windows systems must invest both in
means to patch faster and in host-based intrusion prevention software for
all Windows PCs and servers.”
Windows is so prevalent, however, that most companies want to stick with
it, regardless of the potential for security issues. Fortunately, you
don’t have to switch to Linux to take advantage of open source security
tools.
One place to start looking for such tools is the SourceForge Web site
(www.sourceforge.org), which has nearly 2,000 security projects listed.
Some of the ones that are fully developed are Password Safe, a password
database utility; IPCop Firewall, a Linux firewall distribution product;
Eraser, a data removal tool for Windows, and Bastille Linux, which
configures security settings on Linux and Unix systems.
An open source Intrusion Detection System that has gained wide popularity
(more than 2 million downloads) is Snort (www.snort.org). It performs
real-time traffic analysis, packet logging, protocol analysis and content
searching and matching in order to detect problems, such as denial of
service attacks, port scans, OS fingerprinting, Server Message Block
probes, buffer overflows and Common Gateway Interface attacks. It also is
one of the better supported open source products, including manuals, user
conferences, training and commercial support through Sourcefire, a firm
established by Snort creator Martin Roesch to commercialize the software.
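To make concrete what “content searching and matching” and port-scan detection mean in practice, here is an added example. It is not Snort’s code and not its rule set: a Python matcher for a small subset of Snort’s rule syntax (the header plus the msg, content, nocase and sid options, including Snort’s |hex| byte notation), run over constructed packet records, followed by a threshold-style port-scan check of the kind Snort’s portscan preprocessor performs. The two rules, the SIDs (in the local 1000000+ range so they do not collide with published ones) and the packets are all constructed for illustration.

```python
"""Minimal Snort-style signature matching and port-scan detection.

Added illustration, not Snort code. Parses a subset of Snort rule syntax
and evaluates it over constructed packet records; everything below is an
assumption made for the example, not part of the Snort project.
"""
import re
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto payload")

# Snort rule header: action proto src sport -> dst dport (options)
RULE_HEADER = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)


def decode_content(value):
    """Turn Snort content text into bytes; text between | bars is hex."""
    out = b""
    for i, chunk in enumerate(value.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return out


def parse_rule(text):
    """Parse one rule into a dict; contents is a list of [bytes, nocase]."""
    m = RULE_HEADER.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: %r" % text)
    rule = m.groupdict()
    rule["contents"] = []
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "content":
            rule["contents"].append([decode_content(value), False])
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True  # modifies the preceding content
        elif key in ("msg", "sid"):
            rule[key] = value
    return rule


def _spec_matches(spec, actual):
    return spec == "any" or spec == str(actual)


def match_rule(rule, pkt):
    """Header fields must agree and every content string must appear."""
    if rule["proto"] != pkt.proto:
        return False
    if not (_spec_matches(rule["src"], pkt.src) and _spec_matches(rule["sport"], pkt.sport)
            and _spec_matches(rule["dst"], pkt.dst) and _spec_matches(rule["dport"], pkt.dport)):
        return False
    for needle, nocase in rule["contents"]:
        hay = pkt.payload.lower() if nocase else pkt.payload
        if (needle.lower() if nocase else needle) not in hay:
            return False
    return True


def run_rules(rules, packets):
    """Return (sid, msg, src, dst) for every alert rule that fires."""
    return [(r["sid"], r["msg"], p.src, p.dst)
            for p in packets for r in rules
            if r["action"] == "alert" and match_rule(r, p)]


def detect_portscans(packets, threshold=5):
    """Flag sources that touched >= threshold distinct ports on one host."""
    seen = defaultdict(set)
    for p in packets:
        seen[(p.src, p.dst)].add(p.dport)
    return sorted({src for (src, _), ports in seen.items() if len(ports) >= threshold})


# Constructed rules in Snort syntax (illustrative, local SID range).
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; nocase; sid:1000001;)',
    'alert tcp any any -> any 445 (msg:"SMB probe"; content:"|ff|SMB"; sid:1000002;)',
)]

# Constructed sample traffic (not real captures).
PACKETS = [
    Packet("10.0.0.5", 40001, "192.168.1.10", 80, "tcp", b"GET /CGI-BIN/phf?Qalias=x HTTP/1.0\r\n"),
    Packet("10.0.0.5", 40002, "192.168.1.10", 80, "tcp", b"GET /index.html HTTP/1.0\r\n"),
    Packet("10.0.0.9", 40003, "192.168.1.20", 445, "tcp", b"\x00\x00\x00\x2f\xffSMBr\x00"),
    Packet("10.0.0.9", 40004, "192.168.1.20", 139, "tcp", b"\x00\x00\x00\x2f\xffSMBr\x00"),
] + [Packet("10.0.0.7", 50000 + i, "192.168.1.30", port, "tcp", b"")
     for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443))]

if __name__ == "__main__":
    for alert in run_rules(RULES, PACKETS):
        print("ALERT sid=%s %s %s -> %s" % alert)
    print("port scans from:", detect_portscans(PACKETS))
```

The first packet shows why nocase matters (the URL is upper-case, the rule is not); the fourth shows a header mismatch (port 139, not 445) suppressing a content hit; the burst from 10.0.0.7 trips the scan threshold without matching any signature at all, which is why Snort pairs signatures with preprocessors.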
Many of these tools run well on Windows, and together they address
several of the exposures discussed above, from network attacks to data
left behind on removable media.
Value Vs. Freedom
The statement “information wants to be free” is only part of the
original statement. Stewart Brand, in fact, first used that phrasing
during a discussion at the fall 1984 Hackers’ Conference when he said,
“On the one hand, information wants to be expensive, because it’s so
valuable. The right information in the right place just changes your
life. On the other hand, information wants to be free, because the cost
of getting it out is getting lower and lower all the time. So you have
these two fighting against each other.”
Open source security tools can serve both sides of this fight. Those who
want the software to be free have their choice of no-cost downloads.
Those who consider it valuable, and want the highest level of support,
can get what they need as well.