Security Blind Spot

Some of our readers objected strongly last week to Dan Verton's front-page story about the potential dangers of sensitive company information posted on corporate Web sites ["Online Data a Gold Mine for Terrorists," QuickLink 48662]. They felt it was irresponsible to call attention to the problem and accused us of showing poor judgment in identifying specific examples from corporate Web sites.

"Please, spread the fear," one reader sarcastically suggested. "Is this Computerworld or Fox News?"

"You do more harm than good," wrote another manager. "If there are people out there that didn't know about it before, they do now!"

"Although it raises some awareness," said a systems engineer, "now you've added some details and hyperlinks that allow the terrorists to see more data. Something to think about."

I certainly agree it's worth thinking about. But I still believe it's far better to recognize potential dangers than to ignore them. The Department of Homeland Security thinks so, too. Amit Yoran, director of the National Cyber Security Division at the DHS, encouraged our reporter to write about this issue. "Not thinking through the security implications of some of the information put online can be a very dangerous mistake," Yoran said. Another senior intelligence official at the DHS gave us a real example of that danger, pointing to the recent capture of an al-Qaeda computer engineer whose laptop contained photographs and floor diagrams of U.S. buildings.

Unfortunately, this story could have been headlined "Online Data Still a Gold Mine for Terrorists," since we called attention to the exact same issue more than two years ago ["Web Sites Seen as Terrorist Aids," QuickLink 27059]. In that story, we cited a security audit that turned up startling amounts of sensitive internal information made available on corporate Web sites, such as building plans and schematics, elevator system specs, wireless network details and infrastructure diagrams.

Why on earth does the public Web site for Entergy Corp.'s Indian Point nuclear power plant still post details about its reactor design, including the thickness of the reactor's various layers and the types of steel reinforcement bars? For school science projects?

Not surprisingly, security analysts and consultants lined up in favor of calling attention to such lapses. "I thought the piece on the building plans was great," one security consultant wrote to our reporter. "This is an area that just does not get considered."

But the issue isn't restricted to corporate entities. One security manager at a technical services company in the Midwest wrote in about a U.S. government Web site that freely distributes a software package that, in his view, could help terrorists plot "a chemical or biological weapons attack." The software is actually intended for emergency response teams, he said, "but after seeing it, I would say it could be used by terrorists quite easily."

The problem, of course, is that most of us think like the good guys, not the bad guys. We don't look at a sharpened pencil on a desk and see a deadly weapon. Who wants to live that way?

There's also an argument to be made that this isn't an IT problem at all. The content of most large company Web sites is usually managed by marketing and communications departments, and they're more worried about presenting a good image than about the implications of posting a photo of the underground parking garage.

So you tell me: If IT and security managers don't pay attention to this corporate security blind spot, who will?

Maryfran Johnson is editor in chief of Computerworld. You can contact her at maryfran_johnson@computerworld.com.

Copyright © 2004 IDG Communications, Inc.
