Spying is now a hot topic, and a lot of people must be wondering: "What can be
done to stop a spy?" Before answering this question, I invite the reader to
consider a case recently published by several newspapers in Brazil about an
American photographer who got the right to take pictures of whomever he wants,
so that the only option that remained to his neighbors was to close their
curtains. As with the photographer's neighbors, who feel aggrieved, trying to
stop the spy is the biggest mistake a company can make, and it points to a
golden rule of IT security: you cannot mitigate what you do not control. Like
the residents of the photographer's neighboring building in New York, we have no
way to prevent someone from spying on us. We have, in fact, to expect the
opposite. People, businesses and governments have been doing it for centuries
and there is no reason for them to stop. For us, the only option is to close the
curtains, which may seem inconvenient, but, unfortunately, security does not go
hand in hand with convenience, and there are some choices to make.

The good news is that the curtains are available to everyone and most of them
are trivial. In fact, most of the required security solutions are already
installed in our companies. The main resource for data protection is still
encryption. Everything that is confidential should be encrypted, both in storage
and in communication. A particular problem is the data stored on employee
devices, often off the company's radar. Laptops should always be encrypted.

Even encryption of cell phones and calls, previously restricted to governments,
is now available to companies. But encryption's reputation was affected by the
news that the U.S. National Security Agency (NSA) is able to open encrypted
messages. It is known that keys considered weak can be broken easily, but the
same does not apply to state-of-the-art encryption. Breaking keys considered
safer can cost millions of dollars in processing time, not to mention hardware.
The big revelation is that the American agency obtained cryptographic keys and
planted vulnerabilities that allow NSA agents to read the messages directly.
Although the U.S. government apparently has all this power, the same does not
apply to others.

Data can also be compromised through the invasion of networks and servers, and
here we come to the well-known firewall, intrusion prevention and content
analysis systems, among others. There is currently a lot of discussion about the
need to replace installed products with others from the "next generation". In
general, this is not necessary, unless the product currently installed is really
obsolete or the company needs some new layers, such as monitoring of social
networks, not available on the device already in use. The major problem of
systems for the protection of networks, servers and applications is not the
installed product or technology, but rather its configuration and management.
Many companies manage their products poorly, so that they become inefficient.
Changing them would not solve much. A survey published by Verizon and performed
in 27 countries found that 78% of initial attacks were of low difficulty, and
therefore detectable by systems already in use. For these companies it is more
worthwhile to invest in management than in new technologies.

But there is another very common problem beyond flawed management: the human
being. It may be a cliché to say that the human being is the weakest link in the
chain, but it is true. After all, what were the causes of the leaks of Wikileaks
and the NSA? Humans. Not ordinary users, but employees with access to data. For
ordinary users, awareness programs usually work fine, but, for the latter users,
a special process of surveillance and monitoring is required, specifically
regarding access and changes. Yes, the spy can be at home and have an
administrator password.