Security Strategies
This newsletter is sponsored by Qualys
Network World's Security Strategies Newsletter, 08/28/07

Hacker tips published in Wall Street Journal
By M. E. Kabay

On July 30, Vauhini Vara published an article in the _Wall Street Journal_ entitled, “Ten Things Your IT Department Won’t Tell You.” The author explains that office workers like to use corporate-supplied equipment to “keep up with our lives. We do birthday shopping, check out funny clips on YouTube and catch up with friends by e-mail or instant message.” Alas, she continues, “Our employers sometimes don't like it. Partly, they want us to work while we're at work. And partly, they're afraid that what we're doing compromises the company's computer network - putting the company at risk in a host of ways.” Therefore, she explains, she has asked various experts for ways “to get around the IT departments.”

The 10 topics she investigates are as follows:
1. How to send giant files.

Vara provides each topic with these sections:

* The Problem

I don’t want to get into a discussion of full disclosure of security vulnerabilities here, nor to claim that what Vara has done is in any way illegal. What she and her publication have done, however, is beyond my personal standards for publication in a legitimate, respected newspaper. The motivations behind her detailed instructions are much closer to the dreck published in criminal-hacker publications than in any professional publication I can imagine.

The author’s focus is on escaping the consequences for violating security policies. For example, in the section on visiting forbidden Web sites using corporate systems, she writes that “the main risk is getting caught by your boss.” As a second-rank risk, she mentions the possibility that “Online bad guys sometimes buy Web addresses that are misspellings of popular sites, then use them to infect visitors' computers.” Her priorities are to protect people who put the organization at risk and only secondarily to warn the potential rule-breakers of threats to their employer’s data security.

Vara’s “How to Stay Safe” sections are astonishing in their insouciance. For example, her “safety” measures for violating appropriate-use policies include this advice for attempting to wipe audit trails: “Clear your private data as often as possible. Better yet, don't use your work computer to do anything you wouldn't want your boss to know about.” The first sentence clearly condones the misuse of corporate equipment and encourages dissimulation and dishonesty as a safety measure. The second defines the issue entirely in terms of self-protection, with no hint that there might be issues of rights and duties involved.

I invite readers to read Vara’s article for themselves and then to join me in a short series of columns as I analyze her work from an ethical standpoint. I will take the opportunity to illustrate a straightforward process for making ethical decisions that I think would have ensured that Vara’s article not be published - if the editors of the Wall Street Journal actually care about ethical decision-making.

My editor kindly pointed out a vigorous Network World blog entry on Aug. 3 by Linda Musthaler about the Vara article bluntly entitled “At the WSJ, the idiots are running the asylum.” Musthaler points out that the Wall Street Journal published a follow-up article by Vara that could conceivably be an attempt to compensate for her scandalous “Ten Tips,” but I’ll let you judge for yourselves. More next time.
Contact the author: M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor of Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.

Copyright Network World, Inc., 2007