Top 10 IT News Stories of the Week: IT Admins Are Security Risk

Techworld, Feb. 7

If you need something else to keep you up at night, a new analysis shows that employees who sabotage corporate systems are nearly always IT staff who have some kind of mental problem. Looking on the bright side, though, it should be relatively easy to figure out the potential saboteurs, according to an analysis by the U.S. military and Carnegie Mellon University’s Software Engineering Institute Computer Emergency Response Team, commonly known as CERT. When cybercrimes are investigated, it usually turns out that the miscreants are “disgruntled, paranoid, generally show up late, argue with colleagues, and generally perform poorly.” Of those who commit such crimes, 86 percent had technical jobs and 90 percent had system administrator or privileged system access. Among those who sabotaged IT systems, 41 percent had their jobs at the time, although most of the crimes were committed by people who had been fired. A whopping 64 percent of incidents involved VPNs and old passwords that hadn’t been eliminated. Carnegie Mellon has developed a methodology to help detect insider threats that involves management, IT, human resources and security.

CIO.com, Feb. 9

Companies and the federal government need to fix security problems in computer networks, said Gregory Garcia, the assistant secretary for cybersecurity and telecommunications at the U.S. Department of Homeland Security in a speech at the RSA Conference. “This proliferation of applications and devices within the converged network is going to create a breeding ground for security problems,” he warned. “Our networks and our systems are vulnerable and they are exposed.” Garcia’s position was created in 2005 as a way to turn more attention to computer security at DHS, which has been primarily focused on physical threats. But that post remained empty for more than a year. Now that he’s in place, Garcia said his office is working with other federal agencies on security policies and practices, and he also intends to work with the private sector on the National Infrastructure Protection Plan, which aims to evaluate computer security risks by industry and then detail the steps needed to address those risks. Because the private sector owns and operates 90 percent of the nation’s critical infrastructure, Garcia made it clear that participation in the plan and ensuring security isn’t optional.

Computerworld, Feb. 8

In a week dominated by security news, much of it coming from the RSA Conference in San Francisco, it was revealed that the antivirus scanning engine in nearly all of Trend Micro’s products have a critical flaw that cybercriminals can use to crash or hijack PCs. The risk was rated as “extremely critical” or “critical,” depending on the security organization issuing the warning. The flaw can cause a buffer overflow on systems running various security software products from the company and lead to an attacker taking “complete control of the affected system,” VeriSign iDefense found. Attacks taking advantage of the flaw could come from an e-mail message or a website. Trend Micro issued a patch and said that all of its customers that have automatic updating enabled got the fix for the flaw.

Network World, Feb. 8

As baby boomers retire from positions that involve IT-purchasing decisions, Generation X and Y will take over those jobs, forcing vendors to change the way they package and deliver their wares, according to Ovum Summit. Presumably, the vendors also will increasingly be staffed by employees of those generations, but Ovum Summit nevertheless sees big changes coming within the next five years as those who grew up with instant messaging and globalization—among other tech trends—take over IT buying. Consumer computing, online gaming, instant messaging, social networking and mobility all are expected to affect how the younger crowd of IT buyers make decisions. More reliance on third-party service providers will lead to different licensing models and revenue-sharing deals. Vendors should start to move toward this new approach to IT buying among customers this year and next, with test programs related to personalization, search, social networking and the like, and be ready to “use these technologies to gain competitive advantage by 2009.” 

Computerworld, Feb. 8

The Payment Card Industry, or PCI, data security standard got a lot of attention at the annual RSA Conference, although those in attendance gave mixed comments regarding how effective the standard seems to be. PCI includes 12 security controls, including encryption, access management and transaction logging, that should be used in the processing of online payments. PCI went into effect 18 months ago, but many companies weren’t spurred to pay attention to the standard until credit card companies warned in December that they will levy heavy fines for noncompliance starting in October of this year. Part of the problem is that there isn’t an enforcement mechanism, and other issues are that it’s difficult to implement and takes a lot of time, according to security executives attending RSA.

Network World, Feb. 8

In a good-news, bad-news study, a Forrester Research report that will be published later this month finds that CEOs believe the IT in their companies performs as expected, and so CIOs get kudos for that. But CEOs don’t have high expectations for IT in their companies, particularly regarding business innovation. Laurie Orlov, the analyst who wrote the report, said the surprising part is that CEOs are “generally satisfied” with IT, but they also find that IT departments aren’t proactive when it comes to innovation, cost improvements or asset management. Of those surveyed, 28 percent of CEOs said that IT provides proactive leadership, while 34 percent said that department is “poor or mediocre,” with 24 percent saying that IT is innovative “when forced to do so.” Some of the low marks have to do with disappointments in IT since the dot-com glory days ended, as well as CIOs “being more risk averse.”

Also, check out CIO.com’s

for more on the CIO/CEO relationship.

Network World, Feb. 8

The attack that hit at least three of the Internet’s root servers this week wasn’t major, but security experts say it underscored the vulnerability of corporate websites and IP networks, which wouldn’t be able to take that level of attack. The Internet proved yet again to be resilient and able to withstand attack, but even so, the attack got a lot of attention simply for the fact of being carried out on the Internet’s root servers. The Domain Name System, which matches domain names with corresponding IP addresses and so is crucial to route Internet information, has withstood attacks over the years, and this one was no exception even though it was the largest since a huge February 2002 attack. Security experts warned that the lesson to be learned from the latest attack is that companies need to shore up their computer networks rather than become complacent.

CIO.com, Feb. 7

IBM is giving business partners free access to sales, marketing and technical help to encourage use of its open-source, low-end application server and entry-level database. Partners using WebSphere Application Server Community Edition or DB2 Express-C database will be able to get advice on integration, scalability, testing and support.

PC World, Feb. 8

Lenovo wants to sell more notebook computers to small businesses, so it is expanding the deal it has with the Best Buy retail chain. The company will sell a widescreen ThinkPad and a notebook series in 300 Best Buy for Business stores in the United States, with the aim of giving small business and home office users the opportunity to see the notebook PCs, which isn’t something they can do if they buy through business sales channels.

CIO.com, Feb. 8

Amid all of the security news out of the RSA conference and word that hackers had attacked three of the Internet’s 13 root servers, Microsoft issued its monthly advance notice so that IT departments can steel themselves for patch Tuesday next week. The company plans to release 12 sets of security patches that fix critical vulnerabilities in Windows, Office, the company’s new security software and other products. The patches for Office have been expected, as exploits of unpatched flaws in Word and Excel have been ongoing (though Microsoft says the exploits have been limited).

-Nancy Weil, IDG News Service

Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.