Computerworld - My state agency’s intrusion-detection systems were showing some undesirable activity on our network. Upon investigation, we found that several desktop systems were communicating with Google via Google Desktop. I ran a network security scan and found at least 50 computers set up to do this. How was that possible?
All 50 were new Dell machines. I called down to the lab where desktop system images are created. A tech answered, and I asked him if he knew why Google Desktop was installed on the new systems. “Yes,” he said. “The new Dell systems came with it installed. We thought it was a useful tool, so we included it in our standard image.”
The question that immediately reverberated in my head was, Why weren’t the security implications considered? What I said was, “This is a security problem for us, and we have to uninstall it as soon as possible. I’ll put together a meeting.”
Problem Caught in Time
The good news is that I caught this security lapse before all agency desktops were replaced in our current system refresh. In fact, since desktops are being replaced about 50 at a time, I had caught it pretty early. The realization that the problem could have been worse cheered me up a bit.
Admittedly, the person who decided to leave Google Desktop on the new computers had no reason to suspect that the program could cause a serious security vulnerability. The root of the problem lay in our quality assurance processes. And that means that if I was going to be irritated at anyone, it would have to be me.
I am in charge of all IT processes and had failed to make sure that we had a certification process for new systems. I was focused on auditing the environment. And in the meantime, I made assumptions — one of the surest ways to get myself into trouble. I assumed that the image had not changed. I assumed it would not change. I assumed I would be asked before someone made a change. No way around it, this was my fault.
Several staffers came knocking at my door, having heard about the situation and wanting to know why it was a big deal. I printed out some articles on Google Desktop for their edification. I had filed in my brain the factoid “Google Desktop = security vulnerability” at least a year ago.
But apparently, my staffers don’t read the security news. I don’t want to make them do that; they work hard as it is. But I wondered whether I should put together for them highlights of the latest in security vulnerabilities on a weekly or monthly basis to prevent this kind of thing from happening again.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
