Google is the world’s largest data aggregator, and so (excluding its users) it has the most to lose from a “great hack,” Gartner Research Vice President Whit Andrews told attendees at Gartner’s Compliance & Risk Management Summit 2008 in Chicago this week.

But Google is not the only target out there. Thousands of companies have implemented search engines for their enterprise data, while thousands of others enable employees to create blogs that describe corporate and personal matters. Millions of individuals use Google search on their desktops, and many of those individuals are indexing corporate as well as personal information, a tempting target for hackers.

While Google’s sheer size makes it a visible target, less visible enterprises should not assume that they are invisible, Andrews said. “Automated tools for search and analysis make security through obscurity less viable every day. And the same tools make it easier for a malicious actor to assess when a newly discovered server contains valuable data.

“In short, this is not Google’s problem. It is an environmental problem.”

With “search” such a business-critical function, and given hackers’ propensity to go after big targets, Andrews expects to see a major denial of service attack against one of the major search providers by the end of this year. He also predicts that by the year 2010 criminals will demand to be paid not to damage search-related content.

Andrews recommends that a firm ask its technology vendors whether its information access technology can combat denial-of-insight attempts. Any successful hack will lead to negative publicity in addition to any immediate financial loss, resulting in the loss of customer accounts.

Therefore, firms should treat security as a strategic part of product selection, installation planning and ongoing execution, Andrews said. Additionally, firms shouldn’t implement an enterprise search engine before developing acceptable use and risk control policies and processes.

Among other ways to strengthen security at an enterprise that employs search technology, Andrews said, are:

  • Locking down the search logs and the administration rights.
  • Establishing a policy that employees may not have personal blogs that have anything to do with the company.
  • Assigning a corporate security or compliance officer.
  • “Hardening” search logs.
  • Informing users of the capabilities of the search engine and telling them how to hide information.
  • Using content monitoring and filtering tools.

 

