News Item: Security experts are warning that it is sometimes possible to retrieve files containing credit card numbers and other personal information using nothing more complex than commercially available search engines. These engines are designed to retrieve only information on the Internet that is not in any way blocked or protected, which indicates that these files are not even minimally protected. The experts warn that, as search engines introduce new features, such as a capability Google provides that enables searchers to specify file types and makes it easier to find these files, users must be increasingly careful to avoid inadvertently leaving information in the public domain that is not intended to be accessed by the world at large.
| |
Situation Analysis: This security issue is not new, and search engines are certainly not to blame. Anything that a search engine can find, a hacker can write a more sophisticated and targeted program to find as well. Companies need to ensure that all private data is protected. This means ensuring that all private information, including information generated by one-off projects, is protected behind a corporate firewall.
| Other Recent META Reports |
Novell Faces a Critical Year The Nirvana IT Organization Value-Based Collaboration Strategies Portfolio Management Helps Manage Through Uncertainty The Hidden Costs of Handheld Devices
|
Telecommuters using DSL or cable modem connections are another area of exposure. Many users do not realize that an always-on DSL or cable link often includes a permanent IP address, making the hard drive of an unprotected desktop computer connected with such a link accessible to the Internet. That means that personal information, as well as sensitive corporate information stored on a telecommuter’s computer – is available to hackers, some of whom actually run their own programs on unsuspecting home users’ computers. Companies need to help their telecommuters protect their hard drives adequately with personal firewalls and other appropriate security.
Telecommuters using a wireless LAN connection in conjunction with a broadband service have the added concern of securing their wireless LAN link. Most organizations will favor a VPN/remote-access approach to securing telecommuter access over wireless LAN connections external to the enterprise. However, this approach does not secure the home network itself (especially when the user is not accessing corporate resources). Despite the deficiencies associated with Wired Equivalent Privacy (WEP), it remains the only viable option for encrypting wireless LAN connections in the small-office/home-office environment. Enabling basic WEP is still a magnitude better than leaving it disabled. Users should couple their wireless LAN security (e.g., WEP) with personal firewalls and additional techniques (e.g., NAT, DHCP) to add layers of protection.
The more sophisticated search features on Google are good news for legitimate users, giving them better tools to find the precise information or services they want. It can also be good news for companies, making it easier for them to distribute public documents in PDF and other formats. Some documents – marketing information, for instance – gain value by being exposed more effectively to the broadest possible audience.
User Action: Over time, commercial search engines will become increasingly sophisticated, making it easier for users to locate what they want. Companies and individuals must ensure that the information available to those search engines is what they intend to make public. They should also review their Web sites to ensure that no sensitive information has been inadvertently posted and that links do not open security doors. Although commercial sites have the greatest exposure, individual hard drives also need protection, particularly if they are connected to the Internet via a DSL or cable modem and are running a wireless LAN within their home or small office.
META Group analysts Val Sribar, Chris Kozup, David Yockelson, Jack Gold, William Zachmann, and David Cearley contributed to this article.