Risks bedevil new technologies
Technological advances can bring significant improvements in the way we do our jobs, manage information and collaborate with others, but be careful: Almost every step forward comes with a new set of risks.
Technological advances can bring significant improvements in the way we do our jobs, manage information and collaborate with others, but be careful: Almost every step forward comes with a new set of risks.
Federal agencies are introducing several new technologies, and experts say most of them have benefits that outweigh their risks. But the dangers exist, and agencies need to be aware of the pitfalls.
Federal Computer Week examined five of the top emerging technologies to shine light on their dark sides.
SERVER VIRTUALIZATION
What is it?
Running multiple virtual servers on only one physical server.
What’s the good?
Virtualization minimizes wasted computing power. Traditionally, each server in a data center runs only one application, often requiring only 20 percent of its memory and a fraction of its processing power. Virtualized servers consolidate several applications on each server, while letting users manage the applications as if they were on independent machines. Having fewer physical servers also lowers energy costs, reduces data center size requirements and makes management easier.
What’s the dark side?
The key technology that makes virtualization possible is a hypervisor, which is management software that oversees the operation of the virtual servers. Virtual server users expect hypervisors to be impenetrable, keeping the virtual servers fully separated from one another. That’s not true, said Eric Greenberg, vice president of security and risk solutions of Integralis. The vulnerability can put applications at greater risk of security breaches than they would be if they were running on their own physical servers.
The problem arises when organizations mix applications with different trust levels on a single physical server. Hackers who could not penetrate the higher security applications directly can break in to the less secure ones and, from there, work their way in to the more secure ones, Greenberg said.
“I’m seeing organizations place their eggs in one basket,” Greenberg said. “We’re seeing a domino-effect risk because if a breach occurs, it could be many orders of magnitude greater than what would have happen in a traditional, nonvirtualized world.”
To avoid the risk, Greenberg said, agencies should not put applications of mixed security levels on the same physical server. While that might require more hardware than would be necessary if they combined applications without considering security levels, most organizations should still be able to vastly reduce the needed number of machines.
CLOUD COMPUTING
What is it?
Computer software, processing power and data storage is provided as a service via the Internet.
What is the good?
It frees organizations from having to buy network infrastructure and manage systems. Users can access applications from any location and on any device connected to the Internet. Management is easier because individual computers do not need client software to run an application. Security improves because data is stored in the cloud, not on an individual computer that can be lost or stolen.
What is the dark side?
As applications and data migrate to the cloud, hackers and cyber thieves may target the centralized infrastructure, said Rob Douglas, an identification theft expert and editor of IdentityTheft.info. Centralization also means that a breach can be more devastating than one in a decentralized network.
“A dedicated staff protecting a cloud infrastructure is an improvement over some networks found in government agencies, but no security system is perfect,” Douglas said. “When you look at the attractiveness of cloud computing to cyber criminals and the size and scope to the potential breach in the cloud, then I think we might be moving too quickly in that direction.”
Agencies should use only cloud services that allow penetration testing by third-party experts. And users should evaluate what data is stored on the cloud and when it should be deleted, Douglas said.
“If there is any lesson learned with the Internet, it is that once we put something on the Web, we leave it there forever,” Douglas said. “That has to change.”
IPv6
What is it?
It is the new protocol for connecting devices to and moving data around the Internet that is gradually replacing the most recent protocol, IPv4.
What is the good?
With IPv6, administrators can create a practically unlimited number of IP addresses, whereas with IPv4, the list of addresses is mush smaller and quickly running out. That’s important because the number of Internet servers and computers that connect to them, including mobile phones and other devices, is increasing rapidly.
IPv6 also has built-in security tools not available with IPv4. For example, the new protocol makes it easy to create a local network connection that does not have a global connection to the Internet.
What is the dark side?
Many new IT products such as network switches and server operating systems are IPv6-capable, so in some cases, agencies are unknowingly opening doorways into their systems that are not blocked by firewalls designed for IPv4. Agencies need IPv6-specific firewalls to protect IPv6 networks, said Joe Klein, an expert IPv6 security researcher at Command Information.
Also, intrusion detection and scanning tools designed for IPv4 do not work with IPv6 networks, so agencies might think they are safe when they’re not, Klein said.
When organizations turn on IPv6 components intentionally and do use the right firewall and intrusion detection tools, they also use a mechanism called tunneling to let IPv6 components communicate across network segments still running IPv4. Such mixed environments are common during the migration to IPv6.
“Tunnels become harder for firewalls to find because they look like regular Internet packets,” Klein said. “So if the person didn’t set up those tunnels correctly, very easily those tools can open a connection out to the Internet with no firewalls for protecting inbound transactions.”
MOBILE TECHNOLOGY
What is it?
Handheld devices such as BlackBerrys and iPhones.
What is the good?
They make workers more efficient because they have greater access to applications such as e-mail. Mobile devices are cheaper than full-powered laptop computers and desktops.
What is the dark side?
Controlling what data resides on a mobile device is difficult. If someone sends an e-mail containing a confidential document to several people in an organization, it can easily end up on a handheld device, which is comparatively easy to lose or have stolen.
“We have to remember we are essentially creating copies at that point of ultra-sensitive data,” said Fred Langston, global product manager for global security consulting at VeriSign.
“While the data is very safe inside our network behind firewalls and all the antivirus [software], when it is on a mobile device, it is sitting out there in the real world,” Langston said. “The only thing between an attacker and the information is whether or not the device is password protected.”
Agencies should also recognize that it is difficult to use a virtual private network with today’s mobile devices. That makes data and passwords going between a mobile device and a network vulnerable, Langston said.
Until the technology improves, Langston said, mobile devices are like a printed report and should be treated like something that needs physical protection.
PERSISTENT COOKIES
What is it?
A persistent cookie is a small piece data file that an Internet browser stores on a user’s computer on behalf of a Web site.
What is the good?
Cookies allow Web sites to store user data. Most Web sites use them to recognize users and personalize the experience. Web mail, online shopping sites and many other applications depend on them. Session cookies allow the Web site to recognize the users as they move from page to page within the site but disappear when the user closes the browser. Persistent cookies do not disappear until a preset expiration date or manual removal.
What is the dark side?
Services such as YouTube use persistent cookies that are stored in the hard disk and last until the expiration date indicated by the Web site, which can be anything from a few seconds to several years.
Persistent cookies can be used to track the Web surfing habits of people without their knowledge. A 2003 directive bans federal agencies from using cookies or other technology to track Web site visitors.
“In sites with a lot of content like YouTube, they only need its own cookies to track user habits, in this case the videos that each user watches,” said Alberto Martinez Perez, a software developer who created the cookie movement utility Cookie Monster. “Amazon uses cookies to track the product pages that users visit so they can offer related products, such as books by the same author.”
Individuals should know that cookies can be used for tracking their habits in the same way that some raffles announced in a magazine or on TV collect personal data in a marketing database.
Agencies should know how their partners are using persistent cookies and reflect that in their user-privacy policy.