
IT Security Policies and enforcement March 9, 2006

Posted by fukumimi in IT, Japan.

Since last year there have been numerous reports of confidential data being exposed from corporations, bureaucratic organisations and more, due to a P2P network-borne virus which uploads the data on the infected PC’s HDD on to the P2P network (the P2P app is a domestically produced application called Winny, designed for file swapping – the creator of this software was prosecuted as he had proclaimed his intent to undermine the current intellectual property framework).

The latest confession comes from NTT, where thousands of customer records were exposed. Before that, it was the police, where the person in charge of IT security (!) had installed the P2P software on a machine, which led to the exposure of case files. Files relating to nuclear power plant data had been exposed in another high profile case. This is just another example of shoddy IT security infrastructure at these organisations.

[Historically, Japanese corporations have been lucky to avoid the brunt of big global computer virus outbreaks. One of the reasons is that the vast majority of Japanese email usage is limited to Japan and Japanese. Because most users only use Japanese, the global viruses (which usually carry some message tempting users to open attachments), with messages usually written in some other language (often English), are often ignored or understood to be suspicious.]

There are two scenarios leading to files getting exposed on Winny. Firstly, someone takes home files from work (on a CD-R or a USB memory stick or similar, or even by emailing them to their own personal account) so they can work at home. For extremely sensitive material, unauthorised transfer of data outside of the corporate network is a major security risk. Why don’t these organisations have solutions in place to address this risk?

The other scenario is where someone installs the P2P software on a workplace PC. This is laughable. Organisations with thousands of employees and PCs are allowing users to install applications freely?

1. Apart from the security risk, just think of the potential copyright infringement issues. And the fact that these PCs got infected would indicate that the PCs did not have security software installed.

2. The fact that the problem only came to light when other users on the P2P network found these files would indicate that the networks are not being monitored effectively either.

3. No doubt the client PCs are not being scanned for a software inventory check either.

I would suspect that most large organisations are incapable of managing their network and PC infrastructure, and increasingly outsource this work. The people who are doing this work are amateurish beyond comprehension.

Why don’t large corporations and governmental and bureaucratic organisations have half decent security measures? They need to get the people responsible for IT security out, and put in a decent team to lock down PCs and networks. It isn’t that hard, and standardising configurations makes maintenance and support easier as well. These orgs really need a decent CIO to get their houses in order. It really isn’t that hard. (From a former network infrastructure consultant)

In a recent case where thousands of case files found their way out into the open from Okayama Prefecture Police, the police force announced that they had “banned” the installation and use of Winny. I guess that was an internal circular sent out, and that the force expected people to remove the software of their own volition. That is one screwed up way to run IT security, by leaving it in the hands of the users.



1. Gen Kanai - March 9, 2006

One of the major Japanese banks is also one of the largest corporate Mac installations in Japan (and perhaps in the world.) My friend manages that installation, which is on the order of multiple thousands of machines.

What’s interesting about that is that they’re network-booting all of these Macs. So the users can’t install any programs. On top of that is the OS X security model which is all ports closed from the beginning and administrator-level access required for port access.

Anyway, I mention it because it’s a model that I don’t think other banks are using and it’s a much more secure model.

2. fukumimi - March 9, 2006

It is pretty basic IT infrastructure management to have all user accounts logging in against a network domain controller and manage all users and groups using a directory. It is much easier to maintain and secure, for sure.

Burn a standard OS (and standard application loadset) image with standard user access removed for any features which pose a security threat (rights to install apps would be #1 on the list).

Remove IE and install FF 😉

Makes management a lot easier.

And the system runs well enough even on a Windows XP/2003 server network. (Used to be a right nightmare in days gone by, for sure)

Then install monitoring software to check internet access logs, make sure you have AV software running and pushing out updates as frequently as they are released. Install application inventory software to monitor software usage and license counts. Perhaps block access to certain internet sites (webmail, chat rooms, web based messenger etc as well as the obligatory porn) from PCs in sensitive areas (or all PCs if you want to be draconian about it). (Rules need to apply slightly differently for IT people, but they should still have their systems monitored as well, as they if anything are a bigger potential security risk with higher level access to many systems)

All of these things I would have thought are corporate IT admin 101.

Yet so many companies and orgs who should have plenty in the IT budget are not implementing basic security practices.

If I am correct in assuming that many such firms are outsourcing, they really need to wise up and get some people who can do the job properly.
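
An added example (not part of the original post or its comments): a minimal software inventory audit of the kind the post and the comment above call for, comparing each PC's reported applications against an approved loadset and flagging unapproved software, missing AV, and PCs that never reported. The host names, application names other than Winny, and the CSV layout are assumptions, and the inventory data is constructed.

```python
import csv
import io

# Constructed sample data (not from the original post). All names are
# hypothetical except Winny, the P2P client the post discusses.
APPROVED_LOADSET = {"office suite", "firefox", "pdf reader", "corporate av agent"}
REQUIRED = {"corporate av agent"}  # must be present on every PC
EXPECTED_HOSTS = {"pc-001", "pc-002", "pc-003", "pc-004"}

INVENTORY_CSV = """host,application,version
pc-001,Office Suite,11.0
pc-001,Firefox,1.5
pc-001,Corporate AV Agent,4.2
pc-002,Office Suite,11.0
pc-002,Winny,2.0
pc-002,Corporate AV Agent,4.2
pc-003,Office Suite,11.0
pc-003,Firefox,1.5
"""

def normalise(name):
    """Case- and whitespace-insensitive key for comparing application names."""
    return " ".join(name.lower().split())

def load_inventory(text):
    """Parse inventory rows into {host: set of normalised application names}."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        inventory.setdefault(row["host"].strip(), set()).add(normalise(row["application"]))
    return inventory

def audit(inventory, approved, required, expected_hosts):
    """Return findings per host; fully compliant hosts are omitted."""
    findings = {}
    for host in sorted(expected_hosts | set(inventory)):
        if host not in inventory:
            # A PC that sends no inventory at all is itself a finding.
            findings[host] = {"no_report": True}
            continue
        unapproved = sorted(inventory[host] - approved)
        missing = sorted(required - inventory[host])
        if unapproved or missing:
            findings[host] = {"unapproved": unapproved, "missing_required": missing}
    return findings

if __name__ == "__main__":
    report = audit(load_inventory(INVENTORY_CSV), APPROVED_LOADSET, REQUIRED, EXPECTED_HOSTS)
    for host, finding in report.items():
        print(host, finding)
```
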
