The Price of Security Is Constant Vigilance

By Wayne Rash  |  Posted 2010-12-17 Print this article Print


You have to assume that portions of your computing environment aren't safe, as Plunkett says. This means that your Windows computers have the same vulnerabilities as other Windows computers. Although you can be sure that the Windows machines at the NSA are a LOT more locked down than the machine on your desk, there is still an element of risk-that unknown vulnerability that first shows up when someone uses it to gain access to the NSA. 

Since you can't completely trust your infrastructure, what do you do? You make the infrastructure as safe as you can and then you use multiple technologies to keep any breach contained. You also track every access or attempted access to sensitive data so you can go back and reconstruct the breach if it happens. To do this, you need all of those old standbys-encryption, active security management, audits and the like. They may be old technology, but they can still work. 

In reality, most companies with sensitive information should be making these same assumptions. If you have customer credit card numbers, for example, you need to have them stored somewhere else besides your public-facing Web server. If you have your accounting data or medical information or anything else that might be of value to your competition or to someone who can sell what you have, then you can't just assume that you're secure. You need to have the access controls, the vulnerability testing and all of the other security tools you can find. 

And then you need to be vigilant. If PFC Manning's supervisors had decided to check on what he was doing with a CD in a secure computer (which isn't supposed to have a removable media drive), they would have short circuited that data breach. While your data may not be as sensational as those State Department messages, I'd be willing to speculate that your information is a lot more important to you. While WikiLeaks may be interesting to watch on the news, seeing a news story that your company has just lost 50,000 credit card numbers will certainly seize your attention-it could mean the survival of your business.

So the bottom line is to pay close attention to Plunkett's assertion that your systems are probably not secure, and find a way to adjust your way of doing business so that an intruder doesn't cost you everything.

Wayne Rash Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazineÔÇÖs Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.

He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel