Opinion: A spring cleaning for security

More

Related

More columns

• Phishing in the backyard
• Four good reasons for Security to talk to HR
• Not where you think they are
• When disaster recovery's down to you
• At the airport, an ID theft takes flight
• Goodbye to the Year of the Fire Pig
• Mixing open- and closed-source, managing risk
• Privacy and piracy: What are we telling the kids?
• Security and the One Laptop Per Child sensibility
• Ghosts in the machine, spooks on the wire
• Find them and fire them: 5 steps
• Hard times on the HIPAA front

• Harvard professor offers new challenge to RIAA anti-piracy campaign
• Don't Shoot the Messenger
• Bad Legislation Opens Web to Corporate Lawyers
• Minnesota woman fined $222,000 for music piracy gets new trial
• RIAA seeks sanctions against defense lawyer in copyright case

Zone

The Security Zone With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical... Learn more in The Security Zone See All Zones

April 21, 2008 (Computerworld) This month marks two years of "In Security." Over the past year, some of my more popular columns have dealt with data aggregation and theft, the limits of risk management, getting along with human resources, how to spot and handle rogue security staff, encroachments on personal privacy, and the humor we find in the nonsensical things we hear from security consultants and the consulted. Sometimes it's the laugh of recognition; sometimes it's the laugh right before everyone looks away nervously and changes the subject. In either case, it's worth taking a look back before considering what's next.

Get smarter

Progress happens -- though sometimes in slow motion. In response to last week's column about phishing within organizations, Rex Warren, a colleague and a co-founder of Leviathan Security, responded with a related experience, where people in big organizations sometimes forget that sometimes they need to prove their identity. He received a call recently that went something like this:

Caller: "You owe money; I'll take your account number."
Rex: "How do I know you're not a criminal?"
Caller: "I'm not a criminal."
Rex: "A good criminal wouldn't acknowledge being a criminal. In fact, a dumb one wouldn't either."
Caller: "I know your secret authentication information."
Rex: "That proves it's me, not you; how do I know you didn't steal that information?"
Caller: "I'm not a criminal."
Rex: "We've been over that."

How would you make that system work, exactly? Think less tech and more "do unto others." While generally impressed with my own credit union's variable risk-based identification and authentication processes -- this past year, they started asking more authentication questions for transfers than for lower-risk balance inquires, for example -- it would be nice to receive a periodic mailing with a list of authenticators or secret questions I could ask them. This would be useful in the unusual case where they contact me about errors, suspected fraud or other problems. The technology is available; maybe we'll see more implementations next year.

Continuing the thinking-trumps-technology theme, more and more, enlightened managers and educators realized over the past year that filtering software pushed by the likes of SurfControl and Websense doesn't work. It's not because the technology can't pick out words or URLs, but because employees and children intent on pursuing blocked content usually can find a way to retrieve it.

For example, Google arguably performs the foremost and broadest research into filtering. Yet the flexibility provided by search and proxy tools to bypass other filtering systems easily surpasses the sophistication of Google's own SafeSearch technology. Technology doesn't fix social and behavior problems, and filtering is eventually destined to head the way of prohibition, dance-hall bans and the V-Chip.