[ISN] Security vetting of IT staff on the way, says Unisys
isn at c4i.org
Thu Feb 16 05:42:03 EST 2006
By Stephen Bell
16 February, 2006
The phrase "security clearance" will become more common in general
business as well as sensitive government agencies, says Unisys
security consultant Terry Shubkin.
"The weakest link in the security chain is still people," she told a
Computer Society meeting last week.
Increasingly, companies will insist that ICT support staff and
client-facing staff must be security cleared, ensuring that they have
no suspicious incidents in their past and are likely to abide by the
company's security standards.
Increasing concern with security, she says, will provide one more
disincentive in the already delicate decision whether to outsource ICT
work overseas. If the staff working on software are too far from
vetting and control by head office, vulnerabilities could
intentionally or inadvertently be introduced to its ICT systems.
Identity management, "still in its very early days for most New
Zealand companies," will get more attention in the near future,
Shubkin says. The means by which an employee identifies him/herself to
the company network will become increasingly advanced, and will more
often include biometrics of some kind, she says.
Increased sophistication will also come into identity management's
logical partner, authorisation.
Shubkin also refers to the growing fear of weaknesses in mobile
equipment, which emphasises security as a whole-of-company
business-oriented policy, reaching to the highest directors. It's
difficult to countermand the chief executive who demands a BlackBerry
or similar PDA which will access the company's network and also be
connected to unknown other equipment, she concedes, but everyone must
observe security disciplines.
Some more inert devices, such as flash-memory chips with a USB
connection, may be just as dangerous, Shubkin says. There have been
cases of them being infected with viruses and spyware which copied all
open files on the system and then "phoned home" as soon as the chip
was plugged into an internet-connected machine.
Plans for business continuity in the face of a natural disaster are
another worry. At least half the audience indicated they had given
some thought to the ICT consequences of a bird-flu pandemic. Plans
typically include people working from home or elsewhere off-site, and
the security risks of this mode of operation must be scrupulously
evaluated, she says.
Increasing skill in the population and more advanced development tools
are allowing viruses and other exploits to be developed more easily
and quickly. The number of exploits for Unix-type operating systems,
including Linux, is increasing and, some sources suggest, now exceeds
exploits for Windows. Exploits no longer attack the operating system
only; some target the network infrastructure, Shubkin says.
Formal tools are evolving to help companies evaluate their security
"maturity", with diagrams and dashboards able to identify how mature
the organisation is in this respect and where specific failings are.
Copyright © 2005, IDG Communications New Zealand Limited