After our initial story on Google hacking, you emailed me with some disagreements. Talk about some of the points you disagreed on.

That you can use Google to gather a lot of information isn't new. Johnny Long wrote a book on the subject and George Kurtz has similarly done a lot of work on how you can look for proprietary information on the Internet. Examples like the use of Google Earth are also not new. Google Earth is not real-time satellite imagery that can provide intelligence data, and the same information can be found through a variety of other services, besides the fact that building plans with much more detail are on file at public offices.
What really bothers me is that people are looking at something that has been well established for some time and saying 'Oh my God, I've never heard of this before,' which is really not saying too much about the industry as a whole when something like this makes a lot of news.

Isn't there an argument to be made that Google is still a relatively new phenomenon and that there are a lot of smart IT security professionals out there who aren't necessarily going to be privy to this particular problem?
Google is in the dictionary now and is well-established. As far as how it can be used or not used, the fact that there are articles about it is in some ways a good thing, but in other ways it's shocking that there are people who don't know the history of information security who are now security practitioners. The thing is, when you don't know history you will repeat it.

What other threats besides Google hacking do you think security practitioners should already know about?
I just read an advertisement from one company that all of a sudden, Word, Excel and PowerPoint can be used to deliver malicious code. Macro problems have been around and known for over a decade now. The thing is there are a lot of people coming in [to the IT security industry] and there must be some core base of knowledge they have to bring to the industry. I'm not saying articles like this don't help people know about it. The shocker is that this is noteworthy and there are people who don't know what's out there and they're theoretically part of the profession. It doesn't say a whole lot about the profession as a whole if something like this is new to them. If this is new to them they have to go back and take some basic courses and read more books on the subject before selling themselves as a security practitioner, in my opinion.

Some IT professionals say that if a company's sensitive information makes it into the public domain it's the IT practitioner's fault for not having a layered defense to prevent it from happening. What do you say to that?
I say yes and no. Sometimes things happen accidentally and there's no such thing as perfect security. You'll always have some idiot somewhere who will leak out information and put something on a Web site or email because someone sounded nice on the phone. No matter what you do, someone will always do something dumb or accidental. At the same time, that doesn't mean you don't go ahead and use a whole bunch of services already out there to look for just this sort of thing.

Talk about some of those services and whether you blame individuals or companies in general for not making sure everyone knows the security basics.
There's a company called Cyveillance that's been in the business for more than a decade that has services to let companies search for their proprietary information on a regular basis. The reason something seems stupid is because it defies common sense. But to defy common sense you have to have common knowledge, and if companies aren't giving their people that common knowledge, like what can and can't be put on the Internet, it's not really the fault of the individual. It's the fault of the company, and very few companies have really good Web-posting policies.