Privacy Watch: The Dangers of Do-It-Yourself Security
Vulnerability scanners exist to tighten up your company's security. Essentially, these new software packages put hacking tools into a commercial wrapper so that administrators can use them to probe their own systems and look for holes that a bad guy could use to steal information or break into unsecured machines. But what if one of the administrators turns out to be a bad guy?
You guessed it--all your company's data is at risk, along with any personal data stored by or about you and your fellow employees on company systems.
These "hack-in-a-box" programs, like Network Associates' Cybercop Scanner and Bindview's Hacker Shield, were developed so that companies could get some peace of mind on the cheap. Traditionally, corporations concerned about their digital borders would hire security consultants, at a cost of tens of thousands of dollars, to engage in "penetration testing" of their networks. The process usually involved a number of security specialists attempting to discover all your network's vulnerabilities while your company's IT staff looked on. Even though these consultants had access to the most sensitive areas of your network, their actions were observed and logged carefully.
Vulnerability-testing software automates many of the tasks a security consultant would perform, allowing a company employee to test network security for a fraction of the cost of hiring an outsider. But along with the decreased cost can come decreased oversight. With access to vulnerability-testing software, just about any reasonably savvy IT administrator could be up and probing systems in almost no time--with or without someone else looking on.
That presents more of a risk to your company and fellow employees than you might guess. FBI crime statistics from 2001 show that nearly 40 percent of reported data theft cases are the result of company insiders stealing information.
But, you might ask, don't people in my company's IT department already have unfettered access to the system? Not necessarily. At many companies, most IT staffers have only limited access to an employee's PC. If they need more access, companies usually have procedures to prevent unauthorized tampering with other people's computers.
Robert Wright, a computer security expert with the FBI's National Infrastructure Protection Center, says that software like these vulnerability scanners could make malicious insiders into better thieves who are harder to detect.
At a time when businesses are increasingly concerned with both security and cutting costs, it's clear that vulnerability scanners won't go away. And there's no reason that they should. But companies that use them must exercise responsible oversight. They should restrict access to the software to only those employees involved in penetration testing or security auditing, and the companies should have several layers of oversight for the staff that uses the software. In addition, IT managers must let everyone who uses the company network know about their use of vulnerability scanners, both before and after they run these programs.
Andrew Brandt is a senior associate editor for PC World. E-mail him at consumerwatch@pcworld.com.
