In a previous blog posting, "Blogging from work", back in May, I talked about employees posting to blogs from inside the office.
I apparently raised the hackles of MacDonnell Ulsch, who is the Director of Technology Risk Management & Privacy at JEFFERSON WELLS, INC.
MacDonnell emailed me a pretty nice comment (I've disabled comments for the time being on this blog due to the quantity of comment spam that the site was getting - some time I'll get around to fixing it with a Turing test - in the meantime it's mail).
Hi Danny,
I saw your posting regarding my comments on blogging. I actually enjoyed reading your comments. I always enjoy a good discussion. Here are some points that I would like to make and have made in the past regarding my view of blogging. Thanks in advance for reading this and the very best to you.
With respect to blogs being a vulnerability and not a threat: you are right. But the hacker or terrorist exploiting it is a threat, so the existence of a blog threatens the integrity of the enterprise. I have been widely quoted out of context on this issue. I have worked with clients who have experienced serious problems as a result of uneducated workers blogging indiscriminately. I have attached an article that will likely be of interest to you. I am not saying that people should not blog. I am not saying that companies should not allow blogging. This would be ludicrous and ridiculous. That’s like advising people not to use the Internet. I understand that you were not at the talk I gave, so you could not have heard everything that I had to say. Here are a few points that I would make to you:
1. The US Army now restricts blogging in forward combat areas because of the disclosure of sensitive information that would endanger our troops.
2. One client was socially engineered through blogging into disclosing sensitive IT architecture information that enabled a hacker from Germany to illegally access company systems. The IT professional was terminated. He wishes he had had a policy in place that would have educated on the risks associated with blogging. Had management made him aware of the risks, perhaps he would still be employed by the company. His actions were not malicious. He simply wasn’t aware there was cause for concern. A lot of people still believe that. They are sadly misinformed.
3. Organized crime, from around the world, are behind some blogs, particularly those associated with pornographic content. Organized crime is, in concert with international narcotics traffickers and certain terrorist factions, using technology to commit ID theft crimes, part of the money laundering problem that we have. There is a reason that Russian banks, and other banks chartered by nations with deficient banking regulations, engage with organizations such as the Black Peso Market Exchange and other such money laundering operations. And then there is the issue of Eastern European companies organizations that use technology, including blogs, to acquire email addresses for spammers. These companies also use emails for phishing for ID theft and for socially engineering employees of dual-use technology companies and defense companies. The intelligence and investigative agencies are well aware that these conditions exist.
4. The infiltration of organized crime is not a product of my imagination but based on information from the US Secret Service (Treasury), the Department of Justice, the Drug Enforcement Administration, the Center for Strategic and International Studies, and other institutions.
5. My advice is not to eliminate blogging at companies. It is to regulate blogging much as email is regulated. As a J.D., you understand the liability concerns over inappropriate email use and Internet use. Internet and email use require corporate policies. Companies also need to regulate the use of blogs.
6. Also, I did not say or in any way indicate that the Gary Min/DuPont case involved blogging. However, Min did have stolen trade secrets on his laptop, which was issued by Victrex PLC. My point was simply that mobile technology enabled Min to more easily transfer some 180 files to his Victrex laptop and then carry those trade secrets with him. He could have accomplished this with other mobile technology, too. But my point was about the mobility of information and not blogging in this case.
Everyone is entitled to express an opinion (at least those of us who live in a free society). You obviously have yours and I have made mine very public. In my opinion, the outright rejection of these concerns contributes to a false sense of security. In the interim, I am going to plead with my management not to make me blog every day on my corporate issued laptop. However, if management does decide to accept your advice to punish me accordingly, I will first advise them on the appropriate policies and procedures necessary to manage the risks of that decision accordingly.
Don,
Thank you so much for taking the time to write such a detailed and well thought-out response. I must first of all apologize to you if my comments were a bit pointed but I also enjoy a good discussion and I totally appreciate the time you took to respond.
I could not agree more with your comments. Clearly the vulnerability posed by notebooks/mobile devices/USB drives is different than blogging. It is also clear that there is a huge difference between employees blogging from the office and employees blogging from home.
Blogging from home can only be dealt with at the behavioral level and while this works in normative situations, when an employee gets into a negative situation with an employer - bad things can happen.
In the case of postings from the office (or military unit...), two tools can mitigate most of the risk in my experience:
1) Have and enforce a company AUP - it constantly amazes me how many companies of all sizes just don't bother.
2) Use extrusion detection to monitor blog/web postings and email. I don't necessarily buy into various vendor (Tablus, Websense etc...) claims for precise content mapping that enables extrusion prevention. In my experience, monitoring outbound http traffic from insiders and outsiders can mitigate threats from two classes of attackers:
a) Outsiders that trawl corporate web servers in the DMZ and
b) Insiders that HTTP POST to an external Web server.
We have had considerable success with a number of clients in Israel and Europe doing this sort of monitoring. Read my articles on extrusion prevention for more information on how we do it.
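The outbound HTTP monitoring described in the reply above, as an added example that is not from the original post or the author's own tooling. The log format, the RFC 1918 "inside" ranges, the `example.com` domain, both thresholds and the distinct-path heuristic for trawling are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the post): RFC 1918 space is "inside", example.com is
# the company's own domain, and each log record is "client method host path bytes".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
OWN_DOMAIN = "example.com"
POST_BYTES_LIMIT = 4096   # bytes one inside client may POST to one external host
TRAWL_PATH_LIMIT = 3      # distinct paths one outside client may fetch from us

# Constructed sample log lines.
SAMPLE_LOG = """\
10.1.2.7 POST blog.example.net /wp-admin/post.php 18344
10.1.2.7 POST intranet.example.com /timesheet 900
10.1.2.9 POST blog.example.net /comment 212
203.0.113.5 GET www.example.com /docs/a.pdf 0
203.0.113.5 GET www.example.com /docs/b.pdf 0
203.0.113.5 GET www.example.com /docs/c.pdf 0
203.0.113.5 GET www.example.com /docs/d.pdf 0
198.51.100.8 GET www.example.com /index.html 0
"""

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def is_own_host(host):
    return host == OWN_DOMAIN or host.endswith("." + OWN_DOMAIN)

def analyze(log_text):
    posted = defaultdict(int)    # (inside client, external host) -> bytes POSTed
    fetched = defaultdict(set)   # outside client -> distinct paths on our servers
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue             # skip records with the wrong shape
        client, method, host, path, size = parts
        inside = is_internal(client)
        if inside and method == "POST" and not is_own_host(host):
            posted[(client, host)] += int(size)      # class (b): insider POSTs out
        elif not inside and is_own_host(host):
            fetched[client].add(path)                # class (a): outsider trawling
    alerts = [("insider_post", c, h, n) for (c, h), n in sorted(posted.items())
              if n > POST_BYTES_LIMIT]
    alerts += [("outsider_trawl", c, OWN_DOMAIN, len(p)) for c, p in sorted(fetched.items())
               if len(p) > TRAWL_PATH_LIMIT]
    return alerts

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Aggregating per client and destination keeps a short blog comment below the alert line while a large post from the same network to the same host is flagged for review.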
