
Is blogging from work a threat or a vulnerability?

Let us get this straight: even if it appears on CSI Miami, blogging at work is a vulnerability, not a threat.
Gary Min, also known as Yonggang Min, is a former senior chemist for DuPont who faces up to a decade in prison and a $250,000 fine after pleading guilty to stealing trade secrets in November 2006.

OK - another trusted insider who stole data. Not nice, but I'm sure if we dig deeper we will find a disgruntled employee, no security procedures in place for protecting sensitive digital assets, no monitoring of outgoing data using extrusion detection technology and no awareness training. Big deal - DuPont is making the same mistakes as everyone else.

But - what irks me is when so-called security consultants take a case like this and try to hype it to their purposes.

Don Ulsch, technology risk management director in the Boston office of Jefferson Wells, has made a big deal about blogs being a bad thing. He used the DuPont data theft case to illustrate his point, even though it has nothing to do with blogging.

He noted there are approximately 100 million blogs; many of them are used by organized criminal outfits to push gambling and pornography. When an employee does personal blogging on a company machine and corporate email account, blog databases are able to suck in a wealth of email data. He said (and I quote) "Digital miscreants can then use sophisticated data mining software to scan the blogs for proprietary information that may be sitting in some of those stored messages."

I guess he saw the same episode of CSI Miami that we did, where the perky receptionist was blogging about office relationships and insider trading using an infrared keyboard and a Pocket PC in her pocketbook under the desk. Plausible but hardly the rule.

Blogging from the office is a vulnerability that is easily mitigated with some practical threat analysis and security best practices:

1. Make a policy and tell your employees that it is not allowed. Period. They can blog on their own time.
2. Install an extrusion detection system like Fidelis XPS and track blog URLs and sensitive keywords. Once you have that figured out, you can start monitoring sensitive data assets and picking up employees that are posting large files.
3. Understand that blogging is not an isolated security vulnerability - you should download the free Practical Threat Analysis tool and start modeling what's happening in your office.
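
The monitoring logic in step 2, sketched as an added example (not from the original post and not how Fidelis XPS works internally). The pipe-delimited log format, the blog host list, the keyword list and the size threshold are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed policy values; tune to your own data classification.
BLOG_HOSTS = ("blogspot.com", "wordpress.com", "typepad.com", "livejournal.com")
KEYWORDS = re.compile(r"\b(confidential|trade secret|proprietary)\b", re.I)
LARGE_UPLOAD_BYTES = 1_000_000

# Constructed sample records: user|method|url|request_bytes|body_excerpt
SAMPLE_LOG = """\
alice|GET|http://example.blogspot.com/2007/05/post.html|312|
bob|POST|http://bob.wordpress.com/wp-admin/post.php|2048|Our proprietary process notes
carol|POST|http://files.typepad.com/upload|5242880|
dave|POST|http://intranet.corp.example/wiki/save|9000000|confidential roadmap
erin|POST|http://notblogspot.com/x|4096|confidential
"""

def is_blog_host(host):
    # Match the registered domain or any subdomain, not a bare substring,
    # so "notblogspot.com" does not count as a blog host.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOG_HOSTS)

def scan(log_text):
    """Return (user, reasons) for outbound posts to blog hosts worth reviewing."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue  # skip malformed records
        user, method, url, size, body = parts
        # Only outbound writes to blog hosts are in scope; reads are ignored.
        if method not in ("POST", "PUT") or not is_blog_host(urlsplit(url).hostname):
            continue
        reasons = []
        if KEYWORDS.search(body):
            reasons.append("keyword")
        if size.isdigit() and int(size) >= LARGE_UPLOAD_BYTES:
            reasons.append("large_upload")
        if reasons:
            alerts.append((user, reasons))
    return alerts

if __name__ == "__main__":
    for user, reasons in scan(SAMPLE_LOG):
        print(user, ",".join(reasons))
```

On the sample, only bob (keyword in a blog post) and carol (large upload to a blog host) are flagged; dave's large confidential post goes to an internal host and belongs to a separate rule.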

About

This page contains a single entry from the blog posted on May 16, 2007 11:50 AM.
This weblog is licensed under a Creative Commons License.