3/31/10

The Never-ending Battle

I remember in the late 1950 and early 60s watching the television program "The Adventures of Superman." In the famous opening credits, ("Look up in the sky! It's a bird! It's a plane! It's Superman!"), the narrator goes on to say, "and who, disguised as Clark Kent, mild-mannered reporter for a great metropolitan newspaper, fights a never-ending battle for truth, justice, and the American way!" Superman had his never-ending battles and we have ours. One of those is relying on reviewing log files, and associated port- and site-blocking as an important part of your network security. (I bring this up in Old security flaws.)

I know of a large network installation, that is fairly secure, but does rely on port- and site-blocking. Recently, someone tried using a file-syncing service, called Dropbox. As it's description says, "Dropbox allows you to sync your files online and across your computers automatically." You know? One uses it instead of carrying around a thumb-drive. There is a web interface and applications on Windows, Mac OS X, and iphone/iPod touch.

Now, as one can imagine, it is against many corporation's security policy. Why? Here is the picture. At one end is a home computer. That could be "secure enough." At the other end is a work computer. Same story. In between is a web site, in this case, inbox.com's web site. I am not suggesting that their server and service is insecure. I don't know. Did you catch that? Those three words are very significant when we are discussing network security matters. You are extending your security perimeter to include a web site belonging to someone else, administered by someone else, and under the corporate (command) management of someone else. Three strikes.

Someone tried to use dropbox, and could between his home and the web site, and between his iPhone and the web site, but not between his desktop at work and dropbox.com website, neither by the web site, nor from the dropbox application program. To him, it was no big dea. He did not have a business need for it; he was just trying it out.

A few days later, he received an email from someone in the company IT department of his company, who asked what I was doing? The log files showed repeated attempts to connect to dropbox from his IP address! He asked what policy was it against, and he was pointed to a policy that talked about proprietary, sensitive, and "for official use only" information. That is a good policy, but it did not apply. There was no sensitive information involved.

He also told the person from IT, that he had successfully used SugarSync, a program that does the same exact thing on the same platforms. IT did not flag that or block that. It didn't know about it. SHould it be blocked? What about EverNote? Similar attributes. Potentially, similar risks.

Do you see the problem? Either this sort of thing is permitted or it is not. It cannot be permitted when we do not know enough to block access to a site, but denied when we do. If we cannot affectively block it, we block it when we can and we create, publicize, and enforce a well-vetted policy. The policy plus enforcement is key. And by enforcement, I don't just mean mitigation. I mean following through with consequences when the policy is ignored. And possible consequences will be spelled out in the policy as well. Otherwise you are involved in a never-ending battle.

No comments: