Showing posts with label Security. Show all posts

Thursday, November 29, 2007

Did The Wall Street Journal sabotage businesses by publishing tips on how to circumvent IT?

In the Monday, July 30, edition of The Wall Street Journal, there was a special section on technology that led with the article “Ten Things Your IT Department Won’t Tell You” by Vauhini Vara. If you haven’t read the article, you should take a look because some of your users may have already seen it, and as a result they may be engaging in activities that put themselves and your IT department at risk.

The Journal Report front page for Monday, July 30, 2007

Here is the list of the 10 items in Vara’s article:

  1. How to send giant files
  2. How to use software that your company won’t let you download
  3. How to visit the Web sites your company blocks
  4. How to clear your tracks on your work laptop
  5. How to search for your work documents from home
  6. How to store work files online
  7. How to keep your privacy when using Web email
  8. How to access your work email remotely when your company won’t spring for a BlackBerry
  9. How to access your personal email on your BlackBerry
  10. How to look like you’re working

Vara breaks down each item into four sections — The Problem, The Trick, The Risk, and How to Stay Safe.

Make no mistake, this article was extremely popular. The Wall Street Journal publishes its list of the Most Viewed and Most Emailed articles on WSJ.com for each day, and for July 30, “Ten Things Your IT Department Won’t Tell You” was one of only two articles that made the top five on both lists. It was No. 1 on both.

Sanity check

The problem is that the information in this article is unequivocally damaging for businesses and their IT departments, as well as for the users that The Wall Street Journal is supposedly trying to serve.

While I am generally a fan of The Wall Street Journal — and its tech coverage is typically rock solid — I was very disappointed by this piece. Although it did not reveal any information that couldn’t be found elsewhere, I don’t like the fact that the Journal spoon-fed a bunch of dangerous tips to users and all but encouraged a quiet revolt against the IT department.

A few of Vara’s tips are fairly innocuous, such as “How to send giant files” and “How to clear your tracks on your work laptop.” In fact, many IT pros could pass those items to users along with some tips of when and how to use them. The large file issue can ease the burden on e-mail attachments and storage and the “clear your tracks” tip can be turned into a good privacy and security practice.

However, several of the other tips are dangerous to the point of idiocy, especially “How to use software that your company blocks,” “How to visit Web sites your company blocks,” “How to search your work documents from home,” and “How to access your work email remotely when your company won’t spring for a BlackBerry.”

The issue of showing users how to access software and sites that the company has filtered is a recipe for disaster. Often the stuff that is banned is banned because it can introduce spyware and malware to the system or it can bog down the computer and/or the network. When users find ways around that, they introduce significant security and privacy risks to the company, and they can potentially decrease their own productivity by clogging up their machines with spyware and adware.

In terms of “How to search your work documents from home,” Vara recommends using Google Desktop to sync documents between a work PC and a home PC. That might be okay for a few consultants and small businesses, but it’s a terrifically bad idea for anyone in the corporate world (The Wall Street Journal’s core audience). The implications for privacy, confidentiality, and compliance are severe and serious, especially if any of the files involved contain customer or financial data. Plus, there are easier ways to handle the issue that preserve security, such as a VPN connection and Remote Desktop from a home PC to a work PC.

And then there’s the issue of “How to access your work email remotely when your company won’t spring for a BlackBerry.” Forwarding work e-mails to personal e-mail accounts and devices — as the Journal article advises — is another potential disaster waiting to happen. It raises the same issues of confidentiality and compliance because when you forward all mail, it is very likely that you’ll end up sending customer data and corporate financial information to your personal accounts.

While the Journal article ostensibly shows some responsibility and restraint by including sections on “The Risks” and “How to Stay Safe” for each of the 10 items, the author either does not fully understand all of the security and compliance risks involved or simply chose to make light of many of them. Either scenario is a strong indictment against the article.

The compliance issues, while mentioned in the article, are much more serious than Vara seems to realize because they can expose a company to major financial risk (in the form of fines, lawsuits, and legal fees). Likewise, the security issues are much more serious than the Journal article presents them. Hackers have gone professional (and in some cases joined forces with organized crime) and are out there looking for employees and companies to steal data from and use for blackmail or money laundering. The TJX security scandal could serve as a sober warning to that effect, once all of the details come to light.

While users often get frustrated with the IT department and the restrictions that it puts in place, the answer is not to train people how to make an end run around IT. In many companies, there’s already too much of a disconnect between IT and the rest of the organization because of the fact that IT often plays the role of a police officer — to serve and to protect.

The root problem that The Wall Street Journal was trying to address is that many users want and need to do some personal computing on their work machines and/or access work apps and data from their home machines or devices. That’s a reality that businesses and IT must face, and they must come up with some workable solutions.

Since many of today’s users access their e-mail and work during “off hours,” it’s certainly reasonable that they should also be able to do a little bit of personal computing during company time. There simply needs to be a safe and relatively easy way for them to do it. Some companies have solved this with separate virtual machines, using VMware or Virtual PC or a Web-based solution like G.ho.st. Other solutions need to be explored, and big players such as Apple and Microsoft, as well as small vendors with creative solutions, need to all be involved. This will be an important part of the next generation of operating systems, devices, and a borderless information security strategy.

For The Wall Street Journal, which depicted itself as a “public trust” during its recent acquisition tug-o-war with News Corp, fueling a turf war between IT and its users is not the kind of journalism that meets the high mandate it has set for itself.

For IT departments, the genie is out of the bottle on many of these tips and tricks that allow users to circumvent IT procedures. As a result, IT departments need to aggressively partner with employees, educate them on the severity of security and compliance risks, and find ways to meet the needs of users whose computing experience now overlaps between work and home.

What do you think about The Wall Street Journal’s list? How do you think IT can help users bridge work computing and home computing while still maintaining data security?

courtesy @TechRepublic

Wednesday, November 14, 2007

10 services to turn off in MS Windows XP

As I pointed out on 19 October, in point number four of the article 10 security tips for all general-purposes OSes, an important step in the process of securing your system is to shut down unnecessary services. As long as Microsoft Windows has been a network capable operating system, it has come with quite a few services turned on by default, and it is a good idea for the security conscious user of Microsoft’s flagship product to shut down any of these that he or she isn’t using.

Each version of MS Windows provides different services, of course, so any list of services to disable for security purposes will be at least somewhat particular to a given version of Microsoft Windows. As such, a list like this one needs to be identified with a specific Microsoft Windows version, though it can still serve as a guide for the knowledgeable MS Windows user to check out the running services on other versions as well.

If you are running Microsoft Windows XP on your desktop system, consider turning off the following services. You may be surprised by what is running without your knowledge.

  • IIS – Microsoft’s Internet Information Services provide the capabilities of a Web server for your computer.
  • NetMeeting Remote Desktop Sharing – NetMeeting is primarily a VoIP and videoconferencing client for Microsoft Windows, but this particular service is the one that provides remote access to your desktop.
  • Remote Desktop Help Session Manager – This service is used by the Remote Assistance feature that you can use to allow others remote access to the system to help you troubleshoot problems.
  • Remote Registry – The capabilities provided by the Remote Registry service are frightening to consider from a security perspective. They allow remote users (in theory, only under controlled circumstances) to edit the Windows Registry.
  • Routing and Remote Access – This service bundles a number of capabilities together, capabilities that most system administrators would probably agree should be provided separately. It is rare that any of them should be necessary for a typical desktop system such as Microsoft Windows XP, however, so they can all conveniently be turned off as a single service. Routing and Remote Access provides the ability to use the system as a router and NAT device, as a dialup access gateway, and as a VPN server.
  • Simple File Sharing – When a computer is not a part of a Microsoft Windows Domain, it is assumed by the default settings that any and all filesystem shares are meant to be universally accessible. In the real world, however, we should only want to provide shares to very specific, authorized users. As such, Simple File Sharing, which only provides blanket access to shares without exceptions, is not what we want to use for sharing filesystem resources. It is active by default on both MS Windows XP Professional and MS Windows XP Home editions. Unfortunately, this cannot be disabled on MS Windows XP Home. On MS Windows XP Professional, however, you can disable it by opening My Computer -> Tools -> Folder Options, clicking the View tab, and unchecking the Use simple file sharing (Recommended) checkbox in the Advanced settings: pane.
  • SSDP Discovery Service – This service is used to discover UPnP devices on your network, and is required for the Universal Plug and Play Device Host service (see below) to operate.
  • Telnet – The Telnet service is a very old mechanism for providing remote access to a computer, most commonly known from its use in the bad ol’ days of security for remote command shell access on Unix servers. These days, using Telnet to remotely manage a Unix system may be grounds for firing, since an encrypted protocol such as SSH should be used instead.
  • Universal Plug and Play Device Host – Once you have your “Plug and Play” devices installed on your system, it is often the case that you will not need this service again.
  • Windows Messenger Service – Listed in the Services window under the name Messenger, the Windows Messenger Service provides “net send” and “Alerter” functionality. It is unrelated to the Windows Messenger instant messaging client, and is not necessary to use the Windows Messenger IM network.

On your system, these services may not all be turned on, or even installed. Whether a given service is installed and running may depend on whether you installed the system yourself, whether you are using XP Home or XP Professional, and from which vendor you got your computer if MS Windows XP was installed by a vendor.

With the exception of Simple File Sharing, all of the above listed services can be disabled from the same place. Simply click on the Start button, then navigate to Settings -> Control Panel, open Administrative Tools, and from there open the Services window. To disable any service in the list, double-click on its entry in that window and change the Startup type: setting. In general, you should change services you are turning off for security purposes to a “Disabled” state. When in doubt about whether a given service is necessary for other services, check the Dependencies tab in the service’s settings dialog.

Obviously, this is not a comprehensive list of everything running on your computer that you may want to turn off. It is merely a list of ten items that you most likely do not need to have running, and that constitute a security vulnerability if left running. Most users will never have need of any of the services in this list once the computer is up and running. Other services may be disabled without ill effect as well, though you should research each item in the complete services list before you disable it to ensure that you actually do not need it running. Some of them are quite critical to the normal operation of your system, such as the Remote Procedure Call (RPC) service.
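The same audit can be scripted instead of clicking through the Services window one entry at a time. The PowerShell script below is an added example, not part of the original post: it reports the state of each service listed above together with the services that depend on it (the equivalent of the Dependencies tab), and only changes anything when run with -Disable. The short service names are assumed mappings from the display names in the list; confirm them in services.msc before trusting the script on your own machine.

```powershell
# Added example (not from the original post): audit the services listed above on
# Windows XP and optionally disable them. The short service names are assumed
# mappings from the display names in the article; verify them in services.msc.
# Run from an administrator account. Without -Disable the script only reports.
param([switch]$Disable)

$targets = @{
    'W3SVC'          = 'IIS (World Wide Web Publishing)'
    'mnmsrvc'        = 'NetMeeting Remote Desktop Sharing'
    'RDSessMgr'      = 'Remote Desktop Help Session Manager'
    'RemoteRegistry' = 'Remote Registry'
    'RemoteAccess'   = 'Routing and Remote Access'
    'SSDPSRV'        = 'SSDP Discovery Service'
    'TlntSvr'        = 'Telnet'
    'upnphost'       = 'Universal Plug and Play Device Host'
    'Messenger'      = 'Windows Messenger Service'
}

foreach ($name in $targets.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Host ("{0,-40} not installed" -f $targets[$name])
        continue
    }
    # Mirror the Dependencies tab: anything listed here stops working once this
    # service is disabled (e.g. upnphost depends on SSDPSRV).
    $dependents = ($svc.DependentServices | ForEach-Object { $_.Name }) -join ', '
    if (-not $dependents) { $dependents = 'none' }
    Write-Host ("{0,-40} {1,-8} dependents: {2}" -f $targets[$name], $svc.Status, $dependents)

    if ($Disable) {
        # Stop it now and keep it from starting again at boot ("Disabled" startup type).
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
    }
}

# Simple File Sharing is not a service. On XP Professional its state is reflected
# by the ForceGuest registry value (1 = simple sharing on, 0 = off). Report only;
# change it through Folder Options as described above.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$forceGuest = (Get-ItemProperty -Path $lsa -Name ForceGuest -ErrorAction SilentlyContinue).ForceGuest
if ($null -ne $forceGuest) {
    $state = if ($forceGuest -eq 1) { 'enabled' } else { 'disabled' }
    Write-Host ("Simple File Sharing (ForceGuest): {0}" -f $state)
}
```

Run it once without -Disable, review the dependents column, and only then rerun with -Disable so that nothing you still rely on is stopped by surprise.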

Every running — but unused — service on your machine is an unnecessary security vulnerability. If a service is not important at all for authorized users and basic system functionality, turn it off.