
Blogging on corporate laptops is risky business

By Bill Brenner, Senior News Writer
10 May 2007 | SearchSecurity.com

Security Wire Daily News

NEWTON, Mass. -- When employees fire up their company-issued mobile devices at home or at the airport, they often use the technology for both business and personal pursuits like blogging. According to one industry expert, it's a very dangerous trend.

Such activities illustrate how important it is for companies to keep close tabs on what their workers are doing on corporate devices, Don Ulsch, technology risk management director in the Boston office of Jefferson Wells International Inc., told security executives during a lunchtime presentation on emerging threats Wednesday.

"Many people blog from work and mobile platforms and that's very bad," he said. "Blogs are one of the bad guys' tools."

He noted there are approximately 100 million blogs across cyberspace and many of them are used by organized criminal outfits to push gambling and pornography. When an employee does personal blogging on a company machine and corporate email account, blog databases are able to suck in a wealth of email data. Digital miscreants can then use sophisticated data mining software to scan the blogs for proprietary information that may be sitting in some of those stored messages, he said.

"They can analyze millions of messages and use what they find -- trade secrets, for example -- for hostile purposes," he said.

Over time, he said, online thieves can take seemingly unimportant details from those blog messages and piece them together in a way that allows them to see the big picture of what a company may be up to.

Ulsch said companies need to start taking the blogging phenomenon more seriously from a security perspective, and that a good starting point is to put a blog restriction policy in place.

"Employees must be told they can't use work email extensions for activities like this," he said. "If they have to blog, make them use an alias email address, communicate the risks and monitor for compliance."

Ulsch used the recent DuPont case as an example of what can happen when companies don't pay attention to what their employees are doing.

In that case, former DuPont senior chemist Gary Min stole approximately $400 million worth of information from the company and attempted to leak it to a third party.

Min joined DuPont in 1995 but began exploring a new job opportunity in Asia in 2005 with Victrex, a DuPont competitor. Shortly after opening the dialog with Victrex, Min reportedly proceeded to download approximately 22,000 abstracts from DuPont's data library and accessed about 16,700 documents. After Min gave his notice, DuPont discovered what he was up to and brought in the FBI. He eventually pleaded guilty to the crime and he is expected to be sentenced soon. He faces up to a decade in prison and a $250,000 fine.

"He was doing things DuPont should have seen as red flags, like downloading 22,000 abstracts and documents from the secure DuPont database," Ulsch said. "He was doing this 15 to 20 hours at a time. Had the company better understood the trust but verify concept, this might not have happened."

Ulsch said the proliferation of mobile technology among employees is increasing the likelihood that something bad will happen to the companies they work for. The bad guys are more likely to exploit employee activities like blogging to get at company secrets, and more data breaches are likely to result from the loss or theft of mobile devices.

"You're looking at a greater distribution of targeted information and there isn't as much monitoring of mobile devices because it's a lot more difficult than monitoring office-based PCs and servers," he said. "People are also less likely to observe company security policies and procedures when they're outside the office, and it's more difficult for employees to observe risky behavior among their colleagues when they're not there."
