
Blogging on corporate laptops is risky business

By Bill Brenner, Senior News Writer
10 May 2007 | SearchSecurity.com

Security Wire Daily News

NEWTON, Mass. -- When employees fire up their company-issued mobile devices at home or at the airport, they often use the technology for both business and personal pursuits like blogging. According to one industry expert, it's a very dangerous trend.

Such activities illustrate how important it is for companies to keep close tabs on what their workers are doing on corporate devices, Don Ulsch, technology risk management director in the Boston office of Jefferson Wells International Inc., told security executives during a lunchtime presentation on emerging threats Wednesday.

"Many people blog from work and mobile platforms and that's very bad," he said. "Blogs are one of the bad guys' tools."

He noted there are approximately 100 million blogs across cyberspace and many of them are used by organized criminal outfits to push gambling and pornography. When an employee does personal blogging on a company machine and corporate email account, blog databases are able to suck in a wealth of email data. Digital miscreants can then use sophisticated data mining software to scan the blogs for proprietary information that may be sitting in some of those stored messages, he said.

"They can analyze millions of messages and use what they find -- trade secrets, for example -- for hostile purposes," he said.

Over time, he said, online thieves can take seemingly unimportant details from those blog messages and piece them together in a way that allows them to see the big picture of what a company may be up to.

Ulsch said companies need to start taking the blogging phenomenon more seriously from a security perspective, and that a good starting point is to put a blog restriction policy in place.

"Employees must be told they can't use work email extensions for activities like this," he said. "If they have to blog, make them use an alias email address, communicate the risks and monitor for compliance."

Ulsch used the recent DuPont case as an example of what can happen when companies don't pay attention to what their employees are doing.

In that case, former DuPont senior chemist Gary Min stole approximately $400 million worth of information from the company and attempted to leak it to a third party.

Min joined DuPont in 1995 but began exploring a new job opportunity in Asia in 2005 with Victrex, a DuPont competitor. Shortly after opening the dialog with Victrex, Min reportedly proceeded to download approximately 22,000 abstracts from DuPont's data library and accessed about 16,700 documents. After Min gave his notice, DuPont discovered what he was up to and brought in the FBI. He eventually pleaded guilty to the crime and he is expected to be sentenced soon. He faces up to a decade in prison and a $250,000 fine.

"He was doing things DuPont should have seen as red flags, like downloading 22,000 abstracts and documents from the secure DuPont database," Ulsch said. "He was doing this 15 to 20 hours at a time. Had the company better understood the trust but verify concept, this might not have happened."

Ulsch said the proliferation of mobile technology among employees is increasing the likelihood that something bad will happen to the companies they work for. The bad guys are more likely to exploit employee activities like blogging to get at company secrets, and more data breaches are likely to result from the loss or theft of mobile devices.

"You're looking at a greater distribution of targeted information and there isn't as much monitoring of mobile devices because it's a lot more difficult than monitoring office-based PCs and servers," he said. "People are also less likely to observe company security policies and procedures when they're outside the office, and it's more difficult for employees to observe risky behavior among their colleagues when they're not there."
