IT Security Policies and enforcement
March 9, 2006. Posted by fukumimi in IT, Japan.
Since last year there have been numerous reports of confidential data from corporations, bureaucratic organisations and others being leaked by a P2P network-borne virus which uploads data from the infected PC's HDD onto the P2P network. (The P2P app is a domestically produced file-swapping application called Winny; its creator was prosecuted after proclaiming his intent to undermine the current intellectual property framework.)
The latest confession comes from NTT, where thousands of customer records were exposed. Before that it was the police, where the person in charge of IT security (!) had installed the P2P software on a machine, which led to the exposure of case files. Files relating to nuclear power plant data had been exposed in another high-profile case. This is just another example of shoddy IT security infrastructure at these organisations.
[Historically, Japanese corporations have been lucky to avoid the brunt of big global computer virus outbreaks. One reason is that the vast majority of Japanese email usage is limited to Japan and the Japanese language. Because most users only use Japanese, the global viruses (which usually carry some message tempting users to open attachments) arrive with messages written in some other language (often English), so they are often ignored or recognised as suspicious.]
There are two scenarios leading to files getting exposed on Winny. Firstly, someone takes files home from work (on a CD-R, a USB memory stick or similar, or even by emailing them to their own personal account) so they can work at home. For extremely sensitive material, unauthorised transfer of data outside of the corporate network is a major security risk. Why don't these organisations have solutions in place to address this risk?
The other scenario is where someone installs the P2P software on a workplace PC. This is laughable. Organisations with thousands of employees and PCs are allowing users to install applications freely?
1. Apart from the security risk, just think of the potential copyright infringement issues. And the fact that these PCs got infected would indicate that the PCs did not have security software installed.
2. The fact that the problem only came to light when other users on the P2P network found these files would indicate that the networks are not being monitored effectively either.
3. No doubt the client PCs are not being scanned either for a software inventory check.
I would suspect that most large organisations are incapable of managing their network and PC infrastructure, and increasingly outsource this work. The people who are doing this work are amateurish beyond comprehension.
Why don’t large corporations and governmental and bureaucratic organisations have half decent security measures? They need to get the people responsible for IT security out, and put in a decent team to lock down PCs and networks. It isn’t that hard, and standardising configurations makes maintenance and support easier as well. These orgs really need a decent CIO to get their houses in order. It really isn’t that hard. (From a former network infrastructure consultant)
In a recent case where thousands of case files found their way out into the open from the Okayama Prefecture Police, the force announced that it had "banned" the installation and use of Winny. I guess that was an internal circular, and that the force expected people to remove the software of their own volition. That is one screwed-up way to run IT security: leaving it in the hands of the users.
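As a concrete version of the inventory and monitoring checks listed in points 1 to 3 above, and of enforcing a ban technically rather than by circular, here is an added example that is not from the original post: a fleet compliance check run over a hypothetical exported software inventory, with constructed host records, a placeholder security agent name, and Winny as the only banned application.

```python
from __future__ import annotations
from dataclasses import dataclass

# Substrings matched case-insensitively against program and process names.
# Only Winny is named in the post; extend the tuple for other banned apps.
BANNED_PATTERNS = ("winny",)
# Placeholder name for whatever mandatory security agent the site deploys.
REQUIRED_AGENT = "Endpoint AV Agent"

@dataclass
class Host:
    name: str
    installed: list[str]    # entries from Add/Remove Programs
    processes: list[str]    # running image names from the inventory scan
    agent_checked_in: bool  # did the agent report to the management console?

def check_host(h: Host) -> list[str]:
    """Return policy findings for one host; an empty list means compliant."""
    findings: list[str] = []
    # A P2P client deployed by unzipping never registers an uninstall entry,
    # so the installed-program list alone would miss it; the process list
    # is checked as a second source.
    for source, names in (("installed", h.installed), ("process", h.processes)):
        for n in names:
            if any(p in n.lower() for p in BANNED_PATTERNS):
                findings.append(f"banned application ({source}): {n}")
    if REQUIRED_AGENT not in h.installed:
        findings.append(f"required agent missing: {REQUIRED_AGENT}")
    elif not h.agent_checked_in:
        findings.append("security agent installed but not reporting")
    return findings

def check_fleet(hosts: list[Host]) -> dict[str, list[str]]:
    """Map each non-compliant host name to its findings."""
    return {h.name: f for h in hosts if (f := check_host(h))}

# Constructed sample inventory: one clean PC, one running a portable Winny
# with no agent installed, and one whose agent is installed but silent.
SAMPLE_HOSTS = [
    Host("pc-001", ["Endpoint AV Agent", "Office"], ["explorer.exe"], True),
    Host("pc-002", ["Office"], ["explorer.exe", "Winny.exe"], False),
    Host("pc-003", ["Endpoint AV Agent", "Office"], ["explorer.exe"], False),
]

if __name__ == "__main__":
    for host, issues in check_fleet(SAMPLE_HOSTS).items():
        print(host, "->", "; ".join(issues))
```

Fed with a real inventory export instead of the constructed records, the same report is what a central team would act on, rather than waiting for users to uninstall the software themselves.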