Many federal agencies have just instituted a draconian, keep-quiet security policy that should probably be adopted in your company. The move makes a lot of common sense, and we all know how uncommon common sense really is in business!
Don’t ask, don’t tell
I learned about this policy change a month ago. I was reporting on a new security software release and needed to verify that a government agency was, in fact, using the product. The vendor was anxious to get this information to me, but its public relations department ran into stone walls at every agency using the software.
No one in the government would discuss this product on the record. Only one user would even confirm that he knew what the software was used for, let alone whether his agency actually used it.
Up until a few months ago, the situation was very different.
During many years of reporting on government computer installations, I routinely telephoned or e-mailed various agency contacts and chatted about their latest hardware and software acquisitions. Not only did agency workers freely discuss generalities, they would often explain how the entire system was configured and which versions of programs were being used. I've even been offered tours of the Central Intelligence Agency's CD-ROM library.
Such open discussion of computer-related topics made it easy to track the latest developments. However, when I published the information, it inadvertently made it easier for crackers to attack Web sites and servers, as they now knew which operating systems, applications software, and even firewalls an agency was using at a particular location.
The new policy in many agencies, which absolutely forbids any discussion of many network products on pain of demotion or dismissal, makes my life as a consultant and columnist more difficult. But I applaud the change, since it plugs an incredibly large security hole.
The question for you is: just how talkative are the members of your MIS and public relations departments? How about your vendors?
I bet you have a policy about not disclosing company secrets or taking confidential files home on floppy disk, but have you ever considered just how useful even general information (such as your operating system version) can be to potential computer vandals?
Whether they are discussing new acquisitions with reporters or just talking at home, where little ears can overhear and pass the information along to local cracker groups, do your computer people know just how much important information they are making available to potential computer vandals?
Don’t be a target
Even without this information a dedicated cracker can get into your system and snoop around or plant a virus, but why make it easier?
It's the same principle as home or automobile security. If your car is the only one in the parking lot without an alarm sticker, guess which driver's window the car thief will break first? When all your neighbors have security lights and trim their hedges, but your darkened house offers a nice place for a burglar to hide while breaking in, who do you think will get robbed first?
The same goes for your computer systems. If you institute a general policy of not discussing company operating systems, servers, and security programs, but others issue press releases (or allow vendors to do so), then guess which company will be the first cracker target?
This secrecy will displease your vendors, who like to promote the use of their products. But what's more important: your system security, or some vendor's image? You make the call.
If your company is big enough to have a PR department, its personnel will chime in with objections, too. Once again, someone must decide where your priorities lie. Seeing that you're reading a column about computer and network security, my guess is you’ll decide protecting your files and keeping your network online is more important than distributing 1,000 press releases.
John McCormick is a consultant and writer (five books, 14,000-plus articles and columns) who has been working with computers for more than 35 years.