Lock the Door and Make Sure Your Data is Protected
by Calum Macleod - Cyber-Ark - Monday, 23 July 2007.
You would think that at some point in time your children will reach the age at which you can reason with them. I’m hoping it’s a year older than the oldest one is right now – none of mine have achieved this rarefied state yet, so I’m still living in hope. Take, for example, the simple concept of locking the back door before they leave the house; you would expect that they could understand the rationale. After all, they’ve spent all these years watching their mother go back into the house at least twice just to double check that I did do it before I locked the front door. But somehow it seems that this concept is overly complex. Of course, this is just one of a long list of what I consider apparently rational ideas that seem revolutionary to them, such as “slow down at speed cameras”, “fill up the tank at least once a year”, etc. However, if we dare enter one of the bedrooms that look as if a hurricane has just passed through it, we might as well have compromised national security.

Somehow the concept of treating other people’s property with the same care that you treat your own seems alien, even in the family. So I guess it should not come as a great surprise that other people’s sons and daughters are exactly the same. And every business is full of other people’s sons and daughters. So it only seems logical that somebody has to be mother in any business, double checking that the backdoor is locked.

As we discovered in a recent survey, not only are backdoors left open, but frequently, although people know they are open, they can’t be bothered closing them – after all, they might need access themselves at some point. More than a third of people interviewed admitted that they still had backdoor access to their old employers’ data, and a quarter of those interviewed knew that former colleagues also had access, and yet they did nothing about it. My family would be proud of them!

How serious can a backdoor be? The recent example of a large global retailer who was "hacked" for several months, maybe a couple of years, resulting in huge amounts of customer data going out the "backdoor" (they may never know just how much they lost), is clearly just the tip of the iceberg, unless the other 99.99% of those with backdoor access are only keeping it for some sentimental reason. One reason to suspect that it might have been a former employee is the quote from the company: "We believe that the intruder had access to the decryption tool for the encryption software utilized.." Now either they are using the worst encryption tool ever invented, in which case they have a duty to name the supplier, or more likely somebody "accidentally" managed to access the recovery keys – or maybe it was supposed to be encrypted. Like the recent incident with a UK bank: "The disk would usually be encrypted. Unfortunately, due to human error on this occasion the usual policy was not followed."

What these two incidents point out is that many organizations need to seriously address the issues of how to protect sensitive data and how to control privileged access to systems. Simply encrypting sensitive data is of little use if those who manage the systems where the data is kept have uncontrolled access. Conversely, protecting the privileged password is all well and good, but if the user can access highly confidential data without leaving any trace after gaining access to the password, then it defeats one of the major purposes of protecting privileged accounts.

