Three Warning SignsBy Sean Gallagher | Posted 2002-12-11 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
National security now depends on corporate security. Watch for the threat within.
Three Warning Signs
The important things are always simple. If Autotote had simply kept software development separate from the "production" version of its systemthe one handling active betsthis whole mess might have been avoided.
Harn's job was to write software for the system, not maintain operations of it. Yet, he had access to data he shouldn't have had; he had access on a day he shouldn't have (his day off); and the company had no way of telling what he was doing with the data.
"Those are three big, and very popular, strikes," says Jerry Brady, the chief technology officer at Guardent, a security consulting and services company based in Waltham, Mass. Brady says that the same gaps in security can be found in many industries, including banks, investment brokers and other financial firms. Developers are given access to production systems out of expediency to keep systems up and running. That expediency will haunt companies. Even relatively innocuous data changes, such as a change of address, can be used to exploit or disrupt systems if they're not audited, says Brady.
These gaps aren't technologicalthey're cultural. That makes them fairly straightforward to solve. But the simple things are always hard. Even with awareness of computer security issues at an all-time high, according to Brady, executives at many companies still think of security in terms of "a fourteen-year old kid hacking their Web site."
There's technology on the way to help mind the store. Companies like Guardent and eEye of Aliso Viejo, Calif., will ship products next year that keep closer tabs on the behavior of insiders; Guardent's tools will aggregate information from audit trails and log files of applications and servers, while eEye is focusing on controlling access through policy enforcement at the desktop.
But the real push for security has to come from the top. Sachs says the White House's plan for national cyber-security hinges on security being treated as a boardroom issue as well.
So heed Murphy, and get serious about the simple things. Doing nothing might seem like the easy waybut the easy way almost always is full of mines.
Sean Gallagher is Technology Editor at Baseline.