As always, a nice post, Mary. I absolutely agree that it is imperative to guard intellectual property, especially any time you're sharing storage or pipes with non-aligned companies. Two instances come to mind. The first was years ago, when the world was new, and dinosaurs roamed the Earth. A colleague was playing around with monitoring software, remotely checking our servers, and wondered whether we could do the same with a competitor's servers. Long story short, they hadn't blocked that port correctly, and (unbeknownst to management) my colleague was monitoring THEIR servers for six weeks before they noticed. Did they thank us for finding that hole in their security? They did not. Now, fast-forward a few years, and the installation of an MPLS link between Los Angeles and Dallas, Texas for a different client. When the vendor brought up the link, I was pleased to see that we could easily reach and access our Dallas assets. I was less pleased to see that we could also access assets in Rio de Janiero, Brazil, especially since our company had no such assets. After a couple hours of poking about, we finally found the offending lines in the unconfigured security device, and Rio was gone forever, but it serves as a screaming warning to anybody contemplating the use of outside vendors that they really don't have the same level of interest in assuring your security as internal assets do. If you take nothing else away from Mary's post, take the idea that any path into or out of your infrastructure is a potential attack path. I could just be paranoid, but then again, I could be absolutely right. Would you take that chance?
Email This
