Three Warning Signs

By Sean Gallagher

National security now depends on corporate security. Watch for the threat within.

The important things are always simple. If Autotote had simply kept software development separate from the "production" version of its system—the one handling active bets—this whole mess might have been avoided.

Harn's job was to write software for the system, not to maintain its operations. Yet he had access to data he shouldn't have had; he had access on a day he shouldn't have (his day off); and the company had no way of telling what he was doing with the data.

"Those are three big, and very popular, strikes," says Jerry Brady, the chief technology officer at Guardent, a security consulting and services company based in Waltham, Mass. Brady says that the same gaps in security can be found in many industries, including banks, investment brokers and other financial firms. Developers are given access to production systems out of expediency to keep systems up and running. That expediency will haunt companies. Even relatively innocuous data changes, such as a change of address, can be used to exploit or disrupt systems if they're not audited, says Brady.

These gaps aren't technological—they're cultural. That makes them fairly straightforward to solve. But the simple things are always hard. Even with awareness of computer security issues at an all-time high, according to Brady, executives at many companies still think of security in terms of "a fourteen-year-old kid hacking their Web site."

There's technology on the way to help mind the store. Companies like Guardent and eEye of Aliso Viejo, Calif., will ship products next year that keep closer tabs on the behavior of insiders; Guardent's tools will aggregate information from audit trails and log files of applications and servers, while eEye is focusing on controlling access through policy enforcement at the desktop.

But the real push for security has to come from the top. Sachs says the White House's plan for national cyber-security hinges on security being treated as a boardroom issue as well.

So heed Murphy, and get serious about the simple things. Doing nothing might seem like the easy way—but the easy way almost always is full of mines.

Sean Gallagher is Technology Editor at Baseline.

This article was originally published on 2002-12-11
Sean Gallagher is editor of Ziff Davis Internet's enterprise verticals group. Previously, Gallagher was technology editor for Baseline; before joining Ziff Davis, he was editorial director of Fawcette Technical Publications' enterprise developer publications group, and the Labs managing editor of CMP's InformationWeek. A former naval officer and former systems integrator, Gallagher lives and works in Baltimore, Maryland.