Vulnerability scanners exist to tighten up your company's security. Essentially, these new software packages put hacking tools into a commercial wrapper so that administrators can use them to probe their own systems and look for holes that a bad guy could use to steal information or break into unsecured machines. But what if one of the administrators turns out to be a bad guy?
You guessed it--all your company's data is at risk, along with any personal data stored by or about you and your fellow employees on company systems.
These "hack-in-a-box" programs, like Network Associates' CyberCop Scanner and BindView's HackerShield, were developed so that companies could get some peace of mind on the cheap. Traditionally, corporations concerned about their digital borders would hire security consultants, at a cost of tens of thousands of dollars, to engage in "penetration testing" of their networks. The process usually involved a number of security specialists attempting to discover all your network's vulnerabilities while your company's IT staff looked on. Even though these consultants had access to the most sensitive areas of your network, their actions were observed and logged carefully.
Vulnerability-testing software automates many of the tasks a security consultant would perform, allowing a company employee to test network security for a fraction of the cost of hiring an outsider. But along with the decreased cost can come decreased oversight. With access to vulnerability-testing software, just about any reasonably savvy IT administrator could be up and probing systems in almost no time--with or without someone else looking on.
That presents more of a risk to your company and fellow employees than you might guess. FBI crime statistics from 2001 show that nearly 40 percent of reported data theft cases are the result of company insiders stealing information.
But, you might ask, don't people in my company's IT department already have unfettered access to the system? Not necessarily. At many companies, most IT staffers have only limited access to an employee's PC. If they need more access, companies usually have procedures to prevent unauthorized tampering with other people's computers.
Robert Wright, a computer security expert with the FBI's National Infrastructure Protection Center, says that software like these vulnerability scanners could make malicious insiders into better thieves who are harder to detect.
At a time when businesses are increasingly concerned with both security and cutting costs, it's clear that vulnerability scanners won't go away. And there's no reason that they should. But companies that use them must exercise responsible oversight. They should restrict access to the software to only those employees involved in penetration testing or security auditing, and the companies should have several layers of oversight for the staff that uses the software. In addition, IT managers must let everyone who uses the company network know about their use of vulnerability scanners, both before and after they run these programs.
Andrew Brandt is a senior associate editor for PC World. E-mail him at consumerwatch@pcworld.com.






















