Skip to Content

Its been quite sometime, since I blogged last on SAP, partly due to my professional obligations which did not let me allocate the necesary time to make a blogpost.

Information security is something that I have felt quite strongly about in most of the organizations that I have come across. The security system is strong, there is sufficient manpower to protect the systems, but still there are lapses. What causes these lapses? Most of the time, the security lapses are not from the usual sources that the organization comprehend. It comes from the most unlikely of sources. 

An organization which is paranoid about information security usually goes overboard with security cameras, physical access restrictions, complex password criteria and lot of other monitoring places.

The few places where I have found that security is most likely to lapse were

Network data

Users share their data with someone else who is required to work on the same data. But, then forget to turn off the share. The data remains shared forever, until the data itself is deleted or moved. Users should be educated to disable shares once they are done with it. Another option could be to only allow read only access as and when required.

Internet

The single and most powerful network tool is also the best manner for data to leak out of an organization. The data leaks out through web based mail services and online file storage services.

Users sharing a computer

This is relevant in all those cases where more than one person shares a single PC. Sure, the individual gets access to the system only using his authorised user name and secure password, which create separate documents & settings for his user ID. But, what happens to the files on the other drives, other folders on the primary drive which could be accessed by all users accessing the computer.

Antivirus updates

This is not too much of a risk, since in most cases; the system updates itself. But where there is manual intervention involved and the user has to update the definitions there is always scope for procrastination and resultant outdated antivirus updates.

Recycle bin

Most computers do not have a data shredder and users tend to use the ordinary recycle bin instead. This is not ideal for highly confidential documents

Weak passwords

This is an ever present evil among all types of users, corporate or home. Passwords which have characters like abc, 123, names etc. are used even as administrative passwords in many cases. Reusing passwords and sharing passwords only makes the security hole larger.

To report this post you need to login first.

5 Comments

You must be Logged on to comment or reply to a post.

  1. Lars Breddemann
    Hi Rohid,

    the most interesting part of your blog entry (which unfortunately only reiterates well known issues) really is the comment invitation line.

    How can security be improved?

    As today most users have access to tools that provide many options to handle data in various forms – like file explorers, office programs, email/communication programs etc.

    A specific piece of information is not identifiable or traceable (like, say, a book you borrow from a public library).
    Also the tools available poorly support enforcing/supporting proper processes to share data with respect to data security and company governance.

    The users have to find their way themselves how to work effectively, efficient and (presumably) secure with their daily data. Thus many of them decide for the way of the least resistance.

    Teaching users, collegues, your boss, your customers, your family and everybody else how to share information the ‘right’ way is really no option. Everybody will have different views on what ‘right’ does mean in this context.

    Therefore it’s the tools we use that have to change.
    Is it really a good idea that everybody needs to work with low-level tools like the Windows Explorer to handle it’s business files (that often consist of folders instead of single files)?

    Is it  really a good idea to manage data access permissions along the security facilities of file systems, operating systems or database engine?

    Is it clever to enable copy&paste of data through the clipboard and cutting all connections to the source by this?

    Is it the most clever thing to do to protect *really* business critical information (that kind of information for that your competitors would pay much money for) just in a way that the CEO only has to type in a password (weather or not the password is just ‘123’ or ‘#Ott!635279_xx_wew”) to fully access it?

    It’s not the people that do wrong here – most of them are just trying to do their jobs.
    It’s the tools they/we are forced to use.

    Metaphorically speaking we’ve been given hammers and chisels to write whole novels and now everybody wonders about misspelling and working accidents.

    As long as there are no tools available that provide this kind of process oriented access control and logging there will be violations of security recommendations.

    A different aspect of this problem is the classification of information.
    ‘INTERNAL’, ‘CONFIDENTIAL’ or ‘TOP SECRET’ are used far too often today. The ‘paranoid’ companies welcome this abuse (since it’s seems to tbe better to protect more information than less) and the employees can feel more important when they tag ‘their’ documents as critical for the companies business.
    In reality – how many of such tagged documents will lead to a loss of profit if they can be accessed by an unauthorized person?

    It appears to me that information security requirements that grew in the accounting departments (due to the ever more rigorous accounting regulations) had been adopted for *all* business information without rethinking what ‘secure information’ means in different contexts.

    Seen from this angle there won’t be secure data unless companies really come up with very specific ideas on what information is important, what information is unimportant and how to handle both kinds correctly.

    So, I cannot really agree with your list of security leaks – these are symptoms, not the disease itself.

    best regards,
    Lars

    (0) 
    1. Amol Bharti
      @Lars
      I really enjoyed your comments, specially the following one.

      “We’ve been given hammers and chisels to write whole novels and now everybody wonders about misspelling and working accidents”

      I think the problems may very well occur due to the application flaws, outdated risk definitions or miss-configuration of the application. The first step in any security project should be to carry out a thorough analysis of enterprise wide vulnerabilities and identify their threat level.

      The potentiality of a risk is calculated according to its impact level or probability of occurrence but sometimes low impact risks may become a cause for heavy damage. I think that’s what Rohit tried to explain by mentioning some of the most unlikely sources of threats. (however those were kinda common)

      For example: A few weeks back twitter’s corporate and business expantion plans were leaked by a hacker. However the sources revealed that it wasn’t a real hacking and mere a “password guess” stuff.

      (0) 
  2. Vinay Hiriganahalli
    The Security in an Organization is as strong as its weakest link!
    However, if we were to look at the basics of Security, the first lapse and the most important vulnerability in any Organization is Physical Access control – It is the first compromise and in most cases, the one which has the hardest impact. Secure your physical access and half the battle is won.
    Once the physical access is secured, by and large, the only threat which remains is the internal threat (~70% – Google “biggest security threats” and you see all). History proves that the worst of the frauds are internal – the employees who are in fact aware of the security infrastructure. So internally, both, the most important security officer and the security threat is the employee – and the former disgruntled employee. So a couple of simple yet effective measure to be adopted:

    As a general rule, I recommend to have automated controls to the extent possible. This reduces overhead, ensures stricter enforcement of security policies and safer infrastructure as a whole. (let’s question ourselves – how would our password look like if there are no rules for them?)

    1.
    Access control on a Need to know basis. User access review of applications running core business on a monthly baisis and tier 2 applications on a quarterly basis
    2. Incident management – A mirror to an Organization’s security infrastructure – provided it is encouraged and managed transparently and truthfully. I would say, there exists a linear relationship between the no. of employees and the incidents that occur. It is only required to keep your eyes and ears open and that’s it! Start doing this in your Org and rest assured, you’ll have enough to bother about
    3. Last but not the least – Train or I would say Practice. Managers and Manager’s Managers should DO rather than say. This approach has to be necessarily top-down and Managers should play this role. How many Managers, let me be more particular, have your security managers encrypted their hard disks? – I’ll leave you with that to ponder about.

    The residual threats are Network/Firewall/Encryption/Virus/etc for which we have good standardized procedures and tools available, if not, we anyways have lawsuits:-)

    Vinay.

    (0) 
  3. Amol Bharti
    Rohit: “The security system is strong, there is sufficient manpower to protect the systems, but still there are lapses”

    Commentary:
    Yes that’s true, security can never be assured with a 100% guarantee card but the threat can be minimized with dedicated controls and organized efforts. There are always new risks identified, so continuous monitoring is required to maintain the enterprise wide data and corporate integrity. Every time you change, upgrade, implement a new module or perform any other activity, chances are that you may encounter new risks. But most critical risks are invisible and you need a red-eye scanner for prompt identification. That’s where the security applications come into the picture. There are numerous security applications but sometimes even your strongest weapons slack their target. So even if you have spent millions on a security solution it’s neither a triumph card nor a key to the gold mine. Having a solution in place and using it wisely are two separate things.

    (0) 

Leave a Reply