What would you consider the value of your company’s data to be? Consider your organisation’s research and development data, marketing strategies, client database, and all your financial data. What would it be worth to you to have that data returned if you discovered that the only up-to-date copy had “left the building”? Would you consider offering a public reward to anyone who could supply information leading to the apprehension of the people responsible for the theft of every piece of valuable and confidential data that your organisation possesses? Would you actually still have a job? Would you know if it happened? The reality is that in many organisations senior management are totally oblivious to the extent to which sensitive information is being leaked outside.
Would you know if your head of finance is so paranoid that he or she keeps all the company’s financial data on his or her company notebook, just to be sure that no one else can access it? Yet recently a multinational, publicly traded company discovered this to be the case when the hard disk crashed on that notebook! The reality is that most of you are sitting on a ticking bomb and are totally oblivious to the risks being taken with your business by your employees, and frequently it is those in the most responsible positions who represent the biggest risk.
One of the major risks to your well-being is your IT department. Everything that your organisation does today uses IT in one way or another. In fact the operation of your business is effectively in the hands of your IT department, and in some cases in the hands of staff working for a company to whom you outsourced your IT services. Outsourcing has become a very popular approach because it allows you to reduce your costs and, in many cases, reduce head count by moving your IT staff to your outsourcer. Attractive as this might be, it is frequently resented by staff who are forced to move, and those same staff are undoubtedly still doing the same job as they were when they were your employees, with the same access to your confidential information. Investigations over the past year by a number of independent bodies have identified that as much as 90% of business sabotage is perpetrated by IT staff.
Who Is Looking After Your Infrastructure?
Behind every successful use of your PC, every connection to your email, and every access to an application that gives you critical data about the state of your business, there’s an IT person who is making it all possible. Making it possible means that they can access any of your systems, including your PC, at any time and look at anything that might be on that system. In fact, not so long ago I met with a company where a director was exposed for using his notebook to visit porn websites after one of the IT staff connected to the director’s PC during the day without the user’s knowledge. After all, in order to do his job, the IT administrator had the administration password for every PC in the company! Unless there are proper controls such as Privileged Password Management, everything you have on your PC, including your email, the passwords saved in your browser, and even the files you have opened on your PC, is fair game to the person with the Administrator account – and this is while you’re working, and you wouldn’t even know it was happening!
Every system and application has at least one privileged account, and these accounts are shared by many people. The privileged account, in the form of administrator and operator accounts, is a requirement for every system and application, and it is what makes it possible to keep your systems running. It is also the privileged account that provides the largest exploit opportunity in today’s enterprises. A compromise of the right privileged account, or set of accounts, may create an unseen “puppetmaster” situation in which a third party has total control over a computing environment – unfettered access to programs, services, and data. And you can’t just “turn off” privileged accounts, because they perform critical functions. Deleting or disabling a privileged account would leave computers running themselves (or not running) with no human control and no possibility of management; a complete rebuild of those systems becomes a likely consequence.
For Your Eyes Only
It may be for “your eyes only”, but if it’s on a company computer system then you can be sure that there are others who are able to use their privileged IT status to have a look. In the banking world, payment files are usually exposed to system administrators, and because these files are passed between applications they are typically not secured. As a result a systems administrator can easily access a payment file and make a “slight adjustment”, and you’d probably never know until the postcard arrives from Paraguay!
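The failure mode above is a file that is trusted simply because it arrived. As an added illustration (not code from the original article or from Cyber-Ark), the producing application attaches an HMAC tag over the exact bytes of a constructed sample payment file, and the consuming application refuses any file whose tag no longer matches; the key, file contents and application names are assumptions for the demo. The tag only helps if the key itself is kept out of administrators’ reach, which is exactly the custody problem the vaulting approach discussed later addresses.

```python
import hashlib
import hmac

# Constructed sample payment file, as one application might drop it for another
# to pick up. The format is invented for the demo.
PAYMENT_FILE = (
    "BATCH=2024-01-15\n"
    "PAY;ACME Supplies;GB00TEST00000001;1250.00\n"
    "PAY;Office Rentals Ltd;GB00TEST00000002;4800.00\n"
)

# Constructed shared secret (assumption). In practice it must live somewhere
# platform administrators cannot read it, otherwise the tag protects nothing.
BATCH_KEY = b"constructed-demo-key-do-not-reuse"


def seal_payment_file(contents: str, key: bytes) -> dict:
    """Producer side: attach an HMAC-SHA256 tag computed over the exact bytes.

    Any change to the file after sealing, however slight, changes the tag."""
    tag = hmac.new(key, contents.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"payload": contents, "tag": tag}


def verify_payment_file(envelope: dict, key: bytes) -> bool:
    """Consumer side: recompute the tag and compare in constant time.

    Returns False for a modified payload or a forged, wrong-typed or absent tag."""
    tag = envelope.get("tag")
    if not isinstance(tag, str):
        return False
    expected = hmac.new(key, envelope["payload"].encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def simulate_tamper(envelope: dict, old: str, new: str) -> dict:
    """Test helper: edit the payload in transit and leave the tag untouched."""
    return {"payload": envelope["payload"].replace(old, new), "tag": envelope["tag"]}


def demo() -> tuple:
    """Returns (untouched_file_accepted, adjusted_file_accepted)."""
    sealed = seal_payment_file(PAYMENT_FILE, BATCH_KEY)
    adjusted = simulate_tamper(sealed, "GB00TEST00000001", "GB00TEST00000099")
    return verify_payment_file(sealed, BATCH_KEY), verify_payment_file(adjusted, BATCH_KEY)


if __name__ == "__main__":
    print(demo())  # (True, False)
```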
The day-to-day needs for information transfer with users who are not part of the enterprise are growing. Distributing data from back-end systems to customers, or sharing information with partners and other third parties – these types of communication are becoming vital for e-Business. Financial reports need to be distributed to business customers; legal and financial information needs to be shared with lawyers or board members who are located outside the enterprise; highly sensitive clinical trial information is shared among research laboratories, medical professionals and federal institutions. Payment or salary wire transactions are also examples of day-to-day file transfer needs, as are contracts, patents and other types of sensitive information that are exchanged or shared on a regular basis with external entities.
A leak of such information could also affect the party with whom the information is concerned, and damage the organisation’s reputation. For example, imagine the results of an M&A agreement exposed before the deal is closed, or a sensitive design file shared with a manufacturer or supplier that has leaked. Beyond the implications for the organisation itself, there are also regulatory issues of personal liability for mismanaging sensitive information.
You can use digital vaulting to eliminate this risk, using a unified solution to secure both privileged access and highly sensitive data. It means you can put all your sensitive documents under a virtual lock and key, making the information accessible only to those who have permission to access it. It’s a product the auditors and IT security people love, because you know exactly who has access to the information and when. It also means that the IT department no longer has total control over every person’s computer systems! So unless you’re like Croucher Brewing Company in New Zealand, which is offering Free Beer for Life for the return of their corporate secrets, then it’s time to take control, otherwise the monkey will continue to be the organ grinder!
www.cyber-ark.com