[ISN] Security vetting of IT staff on the way, says Unisys

InfoSec News isn at c4i.org
Thu Feb 16 05:42:03 EST 2006


By Stephen Bell
16 February, 2006

The phrase "security clearance" will become more common in general 
business as well as sensitive government agencies, says Unisys 
security consultant Terry Shubkin.

"The weakest link in the security chain is still people," she told a 
Computer Society meeting last week.

Increasingly, companies will insist that ICT support staff and 
client-facing staff must be security cleared, ensuring that they have 
no suspicious incidents in their past and are likely to abide by the 
company's security standards.

Increasing concern with security, she says, will provide one more 
disincentive in the already delicate decision whether to outsource ICT 
work overseas. If the staff working on software are too far from 
vetting and control by head office, vulnerabilities could 
intentionally or inadvertently be introduced to its ICT systems.

Identity management, "still in its very early days for most New 
Zealand companies," will get more attention in the near future, 
Shubkin says. The means by which an employee identifies him/herself to 
the company network will become increasingly advanced, and will more 
often include biometrics of some kind, she says. 

Increased sophistication will also come into identity management's 
logical partner, authorisation. 

Shubkin also points to growing concern about weaknesses in mobile 
equipment, which underlines that security must be a whole-of-company, 
business-oriented policy reaching up to the most senior directors. It is 
difficult to countermand a chief executive who demands a BlackBerry or 
similar PDA that will access the company's network and also be 
connected to unknown other equipment, she concedes, but everyone must 
observe the same security disciplines.

Some more inert devices, such as flash-memory chips with a USB 
connection, may be just as dangerous, Shubkin says. There have been 
cases of them being infected with viruses and spyware that copied all 
open files on the system and then "phoned home" as soon as the chip 
was plugged into an internet-connected machine.
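The USB behaviour described above (a mount, followed by a burst of file reads and an outbound connection from the same process) is the kind of sequence a simple host-log correlation can catch. The following is an added example written for this page, not code from the talk or from Unisys; the key=value event format, the five-minute window and the three-read threshold are all assumptions, and the log lines are constructed for illustration.

```python
"""Correlate removable-media mounts with a read burst and a phone-home
connection by the same process. Example code added to this page; the
event format, window and threshold are assumptions, and the sample log
below is constructed, not captured from any real system."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumption: how soon after the mount we care
READ_THRESHOLD = 3              # assumption: reads that count as a copy burst

# Constructed sample events: ISO timestamp, then space-separated key=value
# pairs (paths are assumed to contain no spaces).
SAMPLE_LOG = """\
2006-02-16T09:12:01 host=ws17 event=usb_mount device=sdb1
2006-02-16T09:12:09 host=ws17 event=file_read pid=4411 path=/home/a/q1.xls
2006-02-16T09:12:10 host=ws17 event=file_read pid=4411 path=/home/a/board.doc
2006-02-16T09:12:11 host=ws17 event=file_read pid=4411 path=/home/a/payroll.csv
2006-02-16T09:12:40 host=ws17 event=net_connect pid=4411 dst=203.0.113.8:443
2006-02-16T09:30:00 host=ws22 event=file_read pid=900 path=/home/b/notes.txt
2006-02-16T09:30:05 host=ws22 event=net_connect pid=900 dst=198.51.100.2:80
2006-02-16T10:00:00 host=ws17 event=usb_mount device=sdc1
2006-02-16T10:20:00 host=ws17 event=net_connect pid=5000 dst=203.0.113.9:443
"""


def parse(line):
    """Turn one log line into a dict; 'ts' becomes a datetime."""
    ts, rest = line.split(" ", 1)
    event = {"ts": datetime.fromisoformat(ts)}
    for pair in rest.split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def find_phone_home(lines, window=WINDOW, threshold=READ_THRESHOLD):
    """Return one alert per outbound connection that follows a removable-media
    mount on the same host within `window`, from a process that has read at
    least `threshold` files since that mount."""
    last_mount = {}                 # host -> time of most recent usb_mount
    reads = defaultdict(int)        # (host, pid) -> files read since the mount
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        host = ev["host"]
        if ev["event"] == "usb_mount":
            last_mount[host] = ev["ts"]
            # A new mount starts a new observation; drop stale counters.
            for key in [k for k in reads if k[0] == host]:
                del reads[key]
        elif host not in last_mount or ev["ts"] - last_mount[host] > window:
            continue                # nothing mounted recently on this host
        elif ev["event"] == "file_read":
            reads[(host, ev["pid"])] += 1
        elif ev["event"] == "net_connect":
            key = (host, ev["pid"])
            if reads.get(key, 0) >= threshold:
                alerts.append({
                    "host": host,
                    "pid": ev["pid"],
                    "dst": ev["dst"],
                    "reads": reads[key],
                    "mounted": last_mount[host].isoformat(),
                    "connected": ev["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_phone_home(SAMPLE_LOG.splitlines()):
        print("possible phone-home after USB mount:", alert)
```

On the constructed sample only ws17 at 09:12 fires: ws22 never mounted anything, and the second ws17 mount is followed by a connection twenty minutes later with no preceding read burst. A rule like this is a detection aid, not a control; where removable storage is not needed, disabling it on the endpoint remains the stronger measure.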

Plans for business continuity in the face of a natural disaster are 
another worry. At least half the audience indicated they had given 
some thought to the ICT consequences of a bird-flu pandemic. Plans 
typically include people working from home or elsewhere off-site, and 
the security risks of this mode of operation must be scrupulously 
evaluated, she says. 

Increasing skill in the population and more advanced development tools 
are allowing viruses and other exploits to be developed more easily 
and quickly. The number of exploits for Unix-type operating systems, 
including Linux, is increasing and, some sources suggest, now exceeds 
exploits for Windows. Exploits no longer attack the operating system 
only; some target the network infrastructure, Shubkin says.

Formal tools are evolving to help companies evaluate their security 
"maturity", with diagrams and dashboards able to identify how mature 
the organisation is in this respect and where specific failings are. 

Copyright © 2005, IDG Communications New Zealand Limited