Computerworld - Shortly after we dealt with the "Operation Aurora" malware outbreak that I talked about in my previous column, I had to travel to Asia. It seemed like a good time to address some concerns that had arisen from that incident.
I had stops in Hong Kong and several cities in China and India. When I visit China, I tend to emphasize the protection of intellectual property more than I do in other places. There are two reasons for this. First, much of the engineering of our products is done there, as is the manufacturing. Second, we have suffered IP theft in China, and there is consensus within the industry, backed up by reports in the press, that China and Russia are the worst places for IP violations (although I've seen plenty of cases right here in the U.S.).
At issue: The CEO is concerned that the company's product could become infected.
Action plan: Educate the employees on the front lines.
As for India, my company has many sorts of operations there. We outsource some engineering to India, and much of our support is located there, including our help desk. But the main reason India interests me is that we outsource some of our security work to third parties in that country. I have several security analysts and engineers in India who are crucial to the protection of the company's infrastructure. They are responsible for things like monitoring our intrusion-detection sensors, driving our incident response process, evaluating security patches, making changes to our content filtering engines and operating some of our vulnerability management tools.
So for the India-based infosec team, I'm not just that security guy from headquarters; I'm the boss. I think they appreciate that the company is willing to spend the time and money to send me there in person as often as it does. It makes them feel like they really matter. And they do. My message to them is that they play a critical role in the success of our company, and their continued attention to detail is imperative to the success of the infosec program and the protection of our intellectual property.
Of course, on every site visit, I do certain things, many of which I have mentioned before. I usually start with a physical site inspection, checking out access systems, data center security and security guards. I then conduct a standard network and infosec assessment that includes vulnerability scans of desktops, servers and network devices, and searches for unauthorized wireless access points and other rogue equipment. There's some awareness training to highlight the importance of patches, antivirus software and the ramifications of falling prey to phishing attacks. And I give a stern lecture about IP protection.
The reason why Operation Aurora was given special attention during this trip is that our products have the Windows operating system incorporated in them. I don't want to get too specific, in the interest of remaining anonymous, but it is needed to run an application that controls the mechanics of the products. This allows our customers to perform very sophisticated operations on our products.
The operating system and application are loaded via a "gold" image, which lets us certify that both are installed exactly as they should be. The danger is that postinstallation procedures are required that involve connecting the completed product to our corporate network. Naturally, then, any malware that has infiltrated the network can get into our product. That worries me, and it worries our CEO, who never wants to hear from a customer that we sold them a Trojan horse. And therefore, I stressed to the engineering and operations teams the importance of developing code securely and ensuring that our tools are certified clean upon delivery to our customers by properly deploying antivirus and security patches. It's a message whose importance I can't overemphasize.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.
To join in the discussions about security, go to computerworld.com/blogs/security
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
