Some Insight (Incite?) on the WSJ IT Security Controls Article

Alex at RiskManagementInsight noted that the Wall Street Journal (WSJ) published an article explaining to users how they can circumvent their organization’s IT security controls.

The other night I met an individual who was very close to the creation of the WSJ article linked above. Said individual told me that the article pitch was not the same as the final result. While I do not have any hard documents to support this, it makes sense to me based on some personal experiences dealing with major media outlets.

My feeling is that the WSJ wanted to digg-ify their content. They use the “top 10” approach, they “reveal” things you shouldn’t know, etc.

On a different note: when I spoke at a networking event the other night, I asked a number of professionals — approximately 40 — whether they thought the WSJ should publish these types of articles. Unlike the response on the blog-o-sphere, the overwhelming opinion was that the WSJ should continue these types of articles and that Information Security Managers should bring these articles to their executive management to show the threats to their infrastructure are real.

Personally, I was not happy with the article for a few reasons:

1. The premise that management “asked their information-technology departments to block us from bringing our home to work” due to increased risk is not correct.

Our goal as information security managers and practitioners is that employees should be enabled to do their work in a safe and secure manner. If management feels that the gains in productivity do not outweigh the investment in the technology (of, let’s say, purchasing and distributing laptops with full disk encryption, etc.), it should be them you address.

2. There were technical inaccuracies giving the end user a false sense of security:

* When describing how to transfer large files, the WSJ suggests using a number of third-party services. To know that one is secure, they suggest to “Look for a “secure” icon — in Internet Explorer, it’s a little lock on the bottom of the screen — which signifies that the site is using encryption to protect its visitors’ confidential information.” Unfortunately, this does not protect the data at rest. The correct answer is that the large document should be encrypted before it is sent outside the organization.

* The WSJ writes, “When you receive personal email on your BlackBerry, it’s coming to you without passing through your company’s firewall. That means viruses or spyware could sneak onto your BlackBerry via a personal email.” Technically, most firewalls do not run anti-virus: could we consider a UTM appliance an exception? It’s the anti-virus that runs on the email server that will be bypassed, and one needs to hope that the workstation anti-virus catches the potential issue. Also bypassed are the network IPS devices that could potentially trip a signature and send an alert.

3. It insinuates that breaking policy for productivity reasons is OK.

This one is self-evident.

4. Its aim is more along the lines of full-disclosure than responsible disclosure.

While I believe that full-disclosure is justified in certain instances, I do not believe that this was one of them. Full-disclosure is justified when one is trying to ultimately create a more secure environment and when one has exhausted most other options for creating the greater good. The aim of the article was to attract the reader’s attention: if it bleeds, it reads! Unfortunately, the ones bleeding are the WSJ’s constituents, and the information in the article teaching users how to bypass controls generally does not contribute to the greater good.

I also realize that this article certainly would not have had the same impact if it was more informative than a how-to, as dictated under the responsible disclosure model.

One Comment

  1. Alex Aug 6, 2007 at 7:34 am

    “the article pitch was not the same as the final result.”

    I’m not surprised that this would be the case.

    I think it’s interesting that you had so many folks who saw the article as a “good” thing. I can see their point, as it may be useful in a more mature IRM department that has political viability.

    The folks that I spoke to briefly about this were one 50,000 seat organization with about 250 in IRM, and a 2,000 seat organization with 2 in IRM. The larger one wasn’t happy, because neither the reach of their awareness program nor their political influence was large enough to successfully combat such an article. The smaller one had a much better reach with their awareness program, but, outside of “compliance”, their ability to really influence management culture was limited. Their response was something along the lines of “All Sr. Mgmt is given a WSJ subscription, and I’m sure at least two of them will try some of these.” The policy breaking isn’t what angered them, it was the fact that if it did lead to an incident, they had no doubt that they, not the senior managers, would be the ones looking for a job.
