Stopping Data From Flying Off to Google

Computerworld - My state agency’s intrusion-detection systems were showing some undesirable activity on our network. Upon investigation, we found that several desktop systems were communicating with Google via Google Desktop. I ran a network security scan and found at least 50 computers set up to do this. How was that possible?

All 50 were new Dell machines. I called down to the lab where desktop system images are created. A tech answered, and I asked him if he knew why Google Desktop was installed on the new systems. “Yes,” he said. “The new Dell systems came with it installed. We thought it was a useful tool, so we included it in our standard image.”

The question that immediately reverberated in my head was, Why weren’t the security implications considered? What I said was, “This is a security problem for us, and we have to uninstall it as soon as possible. I’ll put together a meeting.”

Problem Caught in Time

The good news is that I caught this security lapse before all agency desktops were replaced in our current system refresh. In fact, since desktops are being replaced about 50 at a time, I had caught it pretty early. The realization that the problem could have been worse cheered me up a bit.

Admittedly, the person who decided to leave Google Desktop on the new computers had no reason to suspect that the program could cause a serious security vulnerability. The root of the problem lay in our quality assurance processes. And that means that if I was going to be irritated at anyone, it would have to be me.

I am in charge of all IT processes and had failed to make sure that we had a certification process for new systems. I was focused on auditing the environment. And in the meantime, I made assumptions — one of the surest ways to get myself into trouble. I assumed that the image had not changed. I assumed it would not change. I assumed I would be asked before someone made a change. No way around it, this was my fault.

Several staffers came knocking at my door, having heard about the situation and wanting to know why it was a big deal. I printed out some articles on Google Desktop for their edification. I had filed in my brain the factoid “Google Desktop = security vulnerability” at least a year ago.

But apparently, my staffers don’t read the security news. I don’t want to make them do that; they work hard as it is. But I wondered whether I should put together for them highlights of the latest in security vulnerabilities on a weekly or monthly basis to prevent this kind of thing from happening again.