"Real" Security and Privacy Programs - Now a Business Requirement

Losing Business? Why “Real” Security & Privacy Compliance Programs are now Required
Joshua Carlson Esq., CISSP
FISMA, PCI, Safe Harbor, SAS70 (SSAE16), EU Directives, ISO27001, GLBA, HIPAA, the Telecommunications Act, the Fair Credit Reporting Act (FCRA), COPPA, the Privacy Act, CAN-SPAM, and many other regulatory requirements are now being used to vet companies and to add them to, keep them on, and, more importantly, remove them from approved vendor lists. Companies use these requirements to eliminate vendors from consideration and so reduce their own risk of doing business with companies that don’t have viable security and privacy programs.
The only companies that will be around in the future currently have, or are now investing in, comprehensive security and privacy compliance program initiatives.
Up until just a few years ago, it seemed many companies relied on outdated methods, and the internet, for finding and creating the security and privacy policies that would get them through their business partners’ and vendors’ security and privacy audits. They would exchange a few e-mails and attachments with the general inclination of “it’s all good,” and all would be fine for another year.
That used to be okay, until legislative forces (the increasing number and scope of laws, and the increasing enforcement of those laws) and market forces (the rise of breaches, internal threats, black hats, external threats, external hacking and major incidents; see Sony) began to change these business-as-usual practices.
Today, companies cannot afford to do business with other companies that do not have effective and “real” security and compliance programs in place. 
Based on numerous administrative rulings, legal cases, class action lawsuits, and hundreds of consent decrees, it should be apparent that a company that does business with another company lacking a sound security and privacy compliance program may end up liable for some, and possibly all, of the costs of any problems that result.
The general message if it is not clear is this: you cannot afford to be a business that doesn’t have a real security and privacy compliance program in place; and, you cannot afford to do business with a company that doesn’t have a sound security and privacy compliance program.
“We need to look into why we lost our vendor contract with xyz corp,” states a client. One reason may be that the legal, reputational and financial costs of doing business with companies without good security and privacy compliance programs are no longer worth the risk.
Business is going away and not coming back to companies unprepared in the area of security and privacy compliance.
Finally, a question that often comes up is, “do we need a security/privacy compliance program for our small business?” I posit that if you are a company and want to continue to do business and/or grow your business to work with other companies, you must have a security and privacy program (of appropriate scale) in place.
Joshua Carlson, Esq., CISSP
 
Joshua Carlson is an attorney and a security and privacy professional who has worked with numerous companies, including some of the largest retailers and global manufacturing companies. He performs privacy and security audits for companies of all sizes and provides guidance in security and privacy program development.

Added by jcarlson, August 3, 2011 (10:18 AM)

Instant Messaging Pros and Cons

Chad Boeckmann, CISSP, GSEC

More than 30 million business people nationwide use instant messaging to chat with customers and colleagues in real time. The Radicati Group Inc., a Palo Alto-based consulting and market research firm, predicts that the number of corporate IM accounts will grow to 687 million in 2004. These are not accounts approved by the corporations, but rather accounts created on public instant messaging services offered by organizations such as Yahoo!, MSN and AOL.

The Pros

Instant messaging can be a very valuable tool simply because of the real-time response that users of the tool can have with other users. This quick communication is often faster and more efficient than email or phone calls. The typical user of an instant messaging program uses the tool for quick answers to business questions or simply to chat with a coworker or friend. Some organizations also use instant messaging to talk with clients and customers to get real-time feedback and responses to their inquiries. For this purpose instant messaging can be very valuable if implemented correctly in an organization. However, there are some drawbacks to using a public instant messaging service, particularly in the corporate environment. For best practices to be followed, instant messaging should be implemented in a standardized and secure fashion.

Exploits for Instant Messaging

Because public instant messaging applications are inherently exposed, several vulnerabilities have been exploited in the recent past that may have you second-guessing your own use of an instant messaging application.

Currently, there are about 60 published IM vulnerabilities, according to Eric Chien, chief researcher at Symantec Security Response in Dublin, Ireland. Those range from security holes that could be used to crash IM clients in denial-of-service attacks to flaws that could allow attackers to remotely install and run malicious code on computers running the vulnerable IM clients.

Some IM exploits are written to grab the user's buddy list in an effort to infect and spread to other IM users. Symantec states that even in a scenario where the buddy lists of infected and target machines were identical except for just one IM user, an IM worm could infect 500,000 machines in just 31 seconds. This is not quite as fast as the MS Slammer worm and Code Red II, but many of the worms and viruses for instant messaging are in their infancy and will soon be strengthened.

The Cons

When a coworker wishes to communicate with another coworker via instant messaging and the IM service is not a corporate mechanism, the message doesn't go directly from one computer to the one next door. It goes out of the corporate network, across different networks, and then back to the other person's desk. Whatever is being transmitted is transmitted in the clear across those other, unknown networks.

Instant messaging tools that are not implemented by the company allow the same kinds of problems that email can cause. IM users may receive messages from people who are not in their buddy list; this is the equivalent of spam. Some of these messages may contain viruses that can infect the user's computer and corrupt their files. When an instant messaging application is not standardized by the business, the users are exposing themselves and everyone else to risks which otherwise could have been avoided. The instant messaging application creates an open hole in the company’s firewall, and no virus or hacker precautions are in place to prevent attacks against users of instant messaging programs.

For these reasons it is a good idea not to use an instant messaging application unless one has been tested and approved by the company. You may not believe that you will be the next victim of an instant messaging attack, but the chances of this occurring are only getting greater. Gartner recently released a report about the threats to instant messaging products. They found that more malicious viruses are being written specifically for IMs and that these viruses are becoming more destructive. Also, more of the blackhat hackers are focusing on new ways to exploit IMs to their advantage.

Instant messaging can be used for very good reasons, but currently it should not be used for reliable, confidential or safe communications. It should not be used in the workplace unless the company has approved a standard for using an instant messaging application.

Added by admin, April 29, 2011 (3:42 PM)

Secure Digital Solutions is based in Minneapolis, Minnesota.