Computerworld - The most important document a security professional can write isn't a policy document; it's his resume.
I've been checking resumes lately because we need to replace a member of my staff who's moving to our New York office.
One went on at length about the applicant's ISO 7799 skills and experience, but ISO 7799 is the international standard for "Metallic materials -- sheet and strip 3mm thick or less -- Reverse-bend test." I imagine the candidate meant ISO 17799, "Code of practice for information security management." Reject.
Even candidates who managed to avoid resume errors fell by the wayside. One decided to give up during the phone interview because he felt he'd blown it; he hadn't until he told me he wanted to give up. Another merrily told me his corporate LAN password during the interview.
Between filtering resumes and arranging interviews, I have to do my real job. This week, it involved getting approval for a lightweight secure remote-access system.
Last month, I wrote about the full virtual private network (VPN) that we're launching . But that requires a company machine at the remote end with layers of hardware and software, so many users are excluded from using it because of the cost. But many users who lack a company machine and connection would like to access e-mail and other applications. Increasing numbers of staffers have broadband connections. If we had a lightweight remote-access system, they would be able to work longer.
Our IT group has designed a Secure Sockets Layer (SSL) VPN from Fort Lauderdale, Fla.-based Citrix Systems Inc. that lets users access our network over the Internet using only a Web browser.
However, there are security problems with any remote-access method. In this case, by opening our corporate network to the outside world, we might leak important data or allow attackers to get past our defenses. We use Bedford, Mass.-based RSA Security Inc.'s SecurID technology to authenticate each remote user. We also use SSL to encrypt data in transit.
This all sounds properly secure, but what if the remote end is infected with a worm or a virus? An infected remote machine could hijack the session or record keystrokes of internal passwords. This can happen in the period after the initial authentication and before the system encrypts the data to be sent.
We're very keen not to be caught in that way, and yet we can't rely on remote users to install, configure, update and maintain decent antivirus software. Home users, like corporate IT, get sloppy and
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
