Risks bedevil new technologies

Technological advances can bring significant improvements in the way we do our jobs, manage information and collaborate with others, but be careful: Almost every step forward comes with a new set of risks.

Technological advances can bring significant improvements in the way we do our jobs, manage information and collaborate with others, but be careful: Almost every step forward comes with a new set of risks.

Federal agencies are introducing several new technologies, and experts say most of them have benefits that outweigh their risks. But the dangers exist, and agencies need to be aware of the pitfalls.

Federal Computer Week examined five of the top emerging technologies to shine light on their dark sides.

SERVER VIRTUALIZATION

What is it?

Running multiple virtual servers on only one physical server.

What’s the good?

Virtualization minimizes wasted computing power. Traditionally, each server in a data center runs only one application, often requiring only 20 percent of its memory and a fraction of its processing power. Virtualized servers consolidate several applications on each server, while letting users manage the applications as if they were on independent machines. Having fewer physical servers also lowers energy costs, reduces data center size requirements and makes management easier.

What’s the dark side?

The key technology that makes virtualization possible is a hypervisor, which is management software that oversees the operation of the virtual servers. Virtual server users expect hypervisors to be impenetrable, keeping the virtual servers fully separated from one another. That’s not true, said Eric Greenberg, vice president of security and risk solutions of Integralis. The vulnerability can put applications at greater risk of security breaches than they would be if they were running on their own physical servers.

The problem arises when organizations mix applications with different trust levels on a single physical server. Hackers who could not penetrate the higher security applications directly can break in to the less secure ones and, from there, work their way in to the more secure ones, Greenberg said.

“I’m seeing organizations place their eggs in one basket,” Greenberg said. “We’re seeing a domino-effect risk because if a breach occurs, it could be many orders of magnitude greater than what would have happen in a traditional, nonvirtualized world.”

To avoid the risk, Greenberg said, agencies should not put applications of mixed security levels on the same physical server. While that might require more hardware than would be necessary if they combined applications without considering security levels, most organizations should still be able to vastly reduce the needed number of machines.

CLOUD COMPUTING

What is it?

Computer software, processing power and data storage is provided as a service via the Internet.

What is the good?

It frees organizations from having to buy network infrastructure and manage systems. Users can access applications from any location and on any device connected to the Internet. Management is easier because individual computers do not need client software to run an application. Security improves because data is stored in the cloud, not on an individual computer that can be lost or stolen.

What is the dark side?

As applications and data migrate to the cloud, hackers and cyber thieves may target the centralized infrastructure, said Rob Douglas, an identification theft expert and editor of IdentityTheft.info. Centralization also means that a breach can be more devastating than one in a decentralized network.

“A dedicated staff protecting a cloud infrastructure is an improvement over some networks found in government agencies, but no security system is perfect,” Douglas said. “When you look at the attractiveness of cloud computing to cyber criminals and the size and scope to the potential breach in the cloud, then I think we might be moving too quickly in that direction.”

Agencies should use only cloud services that allow penetration testing by third-party experts. And users should evaluate what data is stored on the cloud and when it should be deleted, Douglas said.

“If there is any lesson learned with the Internet, it is that once we put something on the Web, we leave it there forever,” Douglas said. “That has to change.”

IPv6

What is it?

It is the new protocol for connecting devices to and moving data around the Internet that is gradually replacing the most recent protocol, IPv4.

What is the good?

With IPv6, administrators can create a practically unlimited number of IP addresses, whereas with IPv4, the list of addresses is mush smaller and quickly running out. That’s important because the number of Internet servers and computers that connect to them, including mobile phones and other devices, is increasing rapidly.

IPv6 also has built-in security tools not available with IPv4. For example, the new protocol makes it easy to create a local network connection that does not have a global connection to the Internet.

What is the dark side?

Many new IT products such as network switches and server operating systems are IPv6-capable, so in some cases, agencies are unknowingly opening doorways into their systems that are not blocked by firewalls designed for IPv4. Agencies need IPv6-specific firewalls to protect IPv6 networks, said Joe Klein, an expert IPv6 security researcher at Command Information.

Also, intrusion detection and scanning tools designed for IPv4 do not work with IPv6 networks, so agencies might think they are safe when they’re not, Klein said.

When organizations turn on IPv6 components intentionally and do use the right firewall and intrusion detection tools, they also use a mechanism called tunneling to let IPv6 components communicate across network segments still running IPv4. Such mixed environments are common during the migration to IPv6.

“Tunnels become harder for firewalls to find because they look like regular Internet packets,” Klein said. “So if the person didn’t set up those tunnels correctly, very easily those tools can open a connection out to the Internet with no firewalls for protecting inbound transactions.”

MOBILE TECHNOLOGY

What is it?

Handheld devices such as BlackBerrys and iPhones.

What is the good?

They make workers more efficient because they have greater access to applications such as e-mail. Mobile devices are cheaper than full-powered laptop computers and desktops.

What is the dark side?

Controlling what data resides on a mobile device is difficult. If someone sends an e-mail containing a confidential document to several people in an organization, it can easily end up on a handheld device, which is comparatively easy to lose or have stolen.

“We have to remember we are essentially creating copies at that point of ultra-sensitive data,” said Fred Langston, global product manager for global security consulting at VeriSign.

“While the data is very safe inside our network behind firewalls and all the antivirus [software], when it is on a mobile device, it is sitting out there in the real world,” Langston said. “The only thing between an attacker and the information is whether or not the device is password protected.”

Agencies should also recognize that it is difficult to use a virtual private network with today’s mobile devices. That makes data and passwords going between a mobile device and a network vulnerable, Langston said.

Until the technology improves, Langston said, mobile devices are like a printed report and should be treated like something that needs physical protection.

PERSISTENT COOKIES

What is it?

A persistent cookie is a small piece data file that an Internet browser stores on a user’s computer on behalf of a Web site.

What is the good?

Cookies allow Web sites to store user data. Most Web sites use them to recognize users and personalize the experience. Web mail, online shopping sites and many other applications depend on them. Session cookies allow the Web site to recognize the users as they move from page to page within the site but disappear when the user closes the browser. Persistent cookies do not disappear until a preset expiration date or manual removal.

What is the dark side?

Services such as YouTube use persistent cookies that are stored in the hard disk and last until the expiration date indicated by the Web site, which can be anything from a few seconds to several years.

Persistent cookies can be used to track the Web surfing habits of people without their knowledge. A 2003 directive bans federal agencies from using cookies or other technology to track Web site visitors.

“In sites with a lot of content like YouTube, they only need its own cookies to track user habits, in this case the videos that each user watches,” said Alberto Martinez Perez, a software developer who created the cookie movement utility Cookie Monster. “Amazon uses cookies to track the product pages that users visit so they can offer related products, such as books by the same author.”

Individuals should know that cookies can be used for tracking their habits in the same way that some raffles announced in a magazine or on TV collect personal data in a marketing database.

Agencies should know how their partners are using persistent cookies and reflect that in their user-privacy policy.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.