Data Security - Part 3: Interview with Edwin Fager of Kensai International Ltd.
What security problems do you find at book publishers?
Larger publishers with their own MIS department will have a solid backup and network security system in place.
The problems mostly occur with smaller publishers, those under about $7M in sales, where the system administrator position is part of another job and they do not assign data security a high priority and/or they do data security on the cheap. Here we find that they do not always make regular data backups, they do not test their backups, and often do not know how to restore data files.
They also lack any type of internet security. Passwords are very simple and if they do have a hardware firewall most often it is the cheapest firewall on the market. It's something you would buy to protect a personal computer at home, not a $4M or $7M business.
Why do publishers ask for a security review?
We do a security review when we are installing a new publishing software system, the client experienced a catastrophic security failure, or the client is launching a new e-commerce site, in which case we have to secure the hosting server in addition to the client's local network.
Why is security so important for book publishing software systems?
Two reasons. First, an intruder can shut down your business. This means that you cannot process sales or ship out books or pay bills. Second, these systems often store the customers' credit card information. If the intruder can access the server and your data files they can access the credit card information, in most cases.
In most cases?
Some publishing programs store all of their data in separate unencrypted ASCII text files with descriptive file names. This makes it easy for hackers to steal credit card information. Imagine you are a hacker and you see a small 100 KB to 10 MB file named creditcard.txt or invoice092000.txt. That's an open invitation to steal.
Other programs are more secure. All of their data tables are combined into one massive password protected file of an unknown file type that would take hours to download, and you would need special software and the password to access the information in it without corrupting the data. A hacker might see this huge file, but he would not know what it is, or how to access it. Many software vendors also encrypt the credit card information as an added security measure.
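As an added example (not from the interview, and not Kensai's own tooling) of checking for the exposure described above: a small scanner that walks a directory and reports files containing Luhn-valid card numbers, so plaintext cardholder data can be found and moved into encrypted storage before an intruder finds it. The sample files it scans are constructed inline in demo().

```python
import re
import tempfile
from pathlib import Path

# Runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out invoice/order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers (digits only) found in a text blob."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_tree(root: str) -> dict[str, int]:
    """Map each file under root that holds card numbers to how many it holds."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        n = len(find_pans(text))
        if n:
            findings[str(path.relative_to(root))] = n
    return findings


def demo() -> dict[str, int]:
    # Constructed sample data: well-known test card numbers plus one non-Luhn number and a clean invoice.
    root = tempfile.mkdtemp()
    (Path(root) / "creditcard.txt").write_text("4111 1111 1111 1111\n5500-0000-0000-0004\n1234567890123\n")
    (Path(root) / "invoice092000.txt").write_text("Order 992000 total 1234.56\n")
    return scan_tree(root)
```

Running demo() returns {"creditcard.txt": 2}: the two test numbers are reported, the non-Luhn number and the invoice are not.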
What is the biggest security problem that you find at large publishers?
Their MIS department employees talk too much. I can have a friend call them up and conduct a survey. She finds out what email software they use, what brand of firewall they use, what word processing program they use, and what operating system is used on their file servers in about 20 minutes on average. This makes the job of a hacker much easier, as software and hardware specific instructions are posted on web sites and newsgroups that hackers frequent, and in books you can buy from Amazon.
Every system has security flaws. You just have to know what those flaws are. Hacking a system blind is a pain, and time consuming. Hacking a system whose flaws you know is a lot easier.