translated by hopefully2333

hopefully2333 2019-08-29 11:16:08 +08:00 committed by GitHub
parent 7bd2c30954
commit e055b34fb9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -7,52 +7,53 @@
[#]: via: (https://www.networkworld.com/article/3429559/is-your-enterprise-software-committing-security-malpractice.html)
[#]: author: (Andy Patrizio https://www.networkworld.com/author/Andy-Patrizio/)
Is your enterprise software committing security malpractice?
你的企业软件在安全方面玩忽职守了吗?
======
ExtraHop discovered enterprise security and analytic software are "phoning home" and quietly uploading information to servers outside of customers' networks.
ExtraHop 发现企业安全和分析软件正在“打电话回家”,悄悄地将信息上传到客户网络外的服务器上。
![Getty Images][1]
Back when this blog was dedicated to all things Microsoft I routinely railed against the spying aspects of Windows 10. Well, apparently thats nothing compared to what enterprise security, analytics, and hardware management tools are doing.
这个博客专注于微软的一切事情,我常常抱怨、反对微软的间谍活动方面。嗯,很明显的,微软的这些跟企业安全、分析和硬件管理工具所做的相比,都不算什么。
An analytics firm called ExtraHop examined the networks of its customers and found that their security and analytic software was quietly uploading information to servers outside of the customer's network. The company issued a [report and warning][2] last week.
一家叫做 ExtraHop 的分析公司检查了其客户的网络,并发现客户的安全和分析软件悄悄地将信息上传到客户网络外的服务器上。这家公司上周发布了一份报告来进行警示。
ExtraHop deliberately chose not to name names in its four examples of enterprise security tools that were sending out data without warning the customer or user. A spokesperson for the company told me via email, “ExtraHop wants the focus of the report to be the trend, which we have observed on multiple occasions and find alarming. Focusing on a specific group would detract from the broader point that this important issue requires more attention from enterprises.
ExtraHop 故意选择不对这四个例子中的企业安全工具进行点名这些工具在没有警告用户或使用者的情况发送了数据。这家公司的一位发言人通过电子邮件告诉我“ExtraHop 希望报告的重点能成为趋势,我们已经多次观察到了这种令人担心的情况。这个重要问题需要企业的更多关注,而只是关注一个特殊群体会阻止它成为一种更广泛的观点
**[ For more on IoT security, read [tips to securing IoT on your network][3] and [10 best practices to minimize IoT security vulnerabilities][4]. | Get regularly scheduled insights by [signing up for Network World newsletters][5]. ]**
**[ 有关物联网安全方面的更多信息,请阅读网络上保护物联网的提示和最小化物联网安全漏洞的 10 个最佳实践。| 通过注册 Network World 时事新闻来定期获取见解期刊。][5]. ]**
### Products committing security malpractice and secretly transmitting data offsite
### 产品在安全提交传输方面玩忽职守,并且偷偷地传输数据到异地
[ExtraHop's report][6] found a pretty broad range of products secretly phoning home, including endpoint security software, device management software for a hospital, surveillance cameras, and security analytics software used by a financial institution. It also noted the applications may run afoul of Europes [General Data Privacy Regulation (GDPR)][7].
ExtraHop 的报告中称发现了一系列的产品在偷偷地传输数据回自己的服务器上包括终端安全软件医院设备管理软件监控摄像头和金融机构使用的安全分析软件。报告中同样指出这些应用涉嫌违反了欧洲的通用数据隐私法规GDPR
In every case, ExtraHop provided evidence that the software was transmitting data offsite. In one case, a company noticed that approximately every 30 minutes, a network-connected device was sending UDP traffic out to a known bad IP address. The device in question was a Chinese-made security camera that was phoning home to a known malicious IP address with ties to China.
在每个案例里ExtraHop 都提供了这些软件传输数据到异地的证据,在其中一个案例中,一家公司注意到,大约每隔 30 分钟,一台连接了网络的设备就会发送 UDP 数据包给一个已知的恶意 IP 地址。有问题的是一台中国制造的安全摄像头,这个摄像头正在访问一个已知的和中国有联系的恶意 IP 地址。
And the camera was likely set up independently by an employee at their office for personal security purposes, showing the downside to shadow IT.
出于保护个人安全的目的,摄像头很可能由其办公室的一名员工独立设置,这显示出 IT 阴影一面的缺陷。
In the cases of the hospital's device management tool and the financial firm's analytics tool, those were violations of data security laws and could expose the company to legal risks even though it was happening without their knowledge.
医院设备的管理工具和金融公司的分析工具是属于这种情况,这些工具违反了数据安全法。即使公司不知道这个事,公司也会面临法律风险。
**[ [Prepare to become a Certified Information Security Systems Professional with this comprehensive online course from PluralSight. Now offering a 10-day free trial!][8] ]**
**[ [
通过 PluralSight 的综合在线课程成为信息安全系统专家,现在提供 10 天的免费试用!][8] ]**
The hospitals medical device management product was supposed to use the hospitals Wi-Fi network to only ensure patient data privacy and HIPAA compliance. ExtraHop noticed traffic from the workstation that was managing initial device rollout was opening encrypted SSL:443 connections to vendor-owned cloud storage, a major HIPAA violation.
该医院的医疗设备管理产品应该只使用医院的 WiFi 网络,以此来确保患者的数据隐私和 HIPAA 合规。管理初始设备上线的工作站正在打开加密的 ssl443 来连接到供应商自己的云存储服务器,这是一个主要的 HIPAA 违规。
ExtraHop notes that while there may not be any malicious activity in these examples, it is still in violation of the law, and administrators need to keep an eye on their networks to monitor traffic for unusual activity.
ExtraHop 指出,尽管这些例子中可能没有任何的恶意活动。但它仍然违反了法律规定,管理员需要密切关注他们的网络,以此来监视异常活动的流量。
"To be clear, we dont know why these vendors are phoning home data. The companies are all respected security and IT vendors, and in all likelihood, their phoning home of data was either for a legitimate purpose given their architecture design or the result of a misconfiguration," the report says.
“要明确的是,我们不知道供应商为什么要把数据传回自己的服务器。这些公司都是受人尊敬的 IT 安全供应商,并且很有可能,这些数据是由他们的程序框架设计好给出的并用于合法目的,或者是错误配置的结果” 报告中说。
### How to mitigate phoning-home security risks
### 如何减轻数据外传的安全风险
To address this security malpractice problem, ExtraHop suggests companies do these five things:
为了解决这种安全方面玩忽职守的问题ExtraHop 建议公司做下面这五件事:
* Monitor for vendor activity: Watch for unexpected vendor activity on your network, whether they are an active vendor, a former vendor or even a vendor post-evaluation.
* Monitor egress traffic: Be aware of egress traffic, especially from sensitive assets such as domain controllers. When egress traffic is detected, always match it to approved applications and services.
* Track deployment: While under evaluation, track deployments of software agents.
* Understand regulatory considerations: Be informed about the regulatory and compliance considerations of data crossing political and geographic boundaries.
* Understand contract agreements: Track whether data is used in compliance with vendor contract agreements.
* 监视供应商的活动:在你的网络上密切注意供应商的非正常活动,无论他们是活跃供应商,以前的供应商,还是评估后的供应商。
* 监控出口流量:了解出口流量,尤其是来自域控制器等敏感资产的出口流量。当检测到出口流量时,始终将其与核准的应用程序和服务进行匹配。
* 跟踪部署:在评估过程中,跟踪软件代理的部署。
* 理解监管方面的考量因素:了解数据跨越政治、地址边界的监管和合规考量因素。
* 理解合同协议:跟踪数据的使用是否符合供应商合同上的协议。
**[ Now read this: [Network World's corporate guide to addressing IoT security][9] ]**
**[ 现在开始阅读这篇Network World 解决物联网安全问题的企业指南][9] ]**
Join the Network World communities on [Facebook][10] and [LinkedIn][11] to comment on topics that are top of mind.
加入 Facebook 和领英上的 Network World 社区,评论最上方的主题。
--------------------------------------------------------------------------------
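Review bot: the link structure of the first callout is broken in the translated line "**[ 有关物联网安全方面的更多信息 … ][5]. ]**": the three separate references `[3]`, `[4]` and `[5]` from the source line were collapsed into a single trailing `][5]`, so the IoT tips and best-practices links are lost and the stray `][5]. ]**` will not render; mirror the source bracket layout with one link reference per phrase. The second callout has the same problem in a different form: it was split into a bare `**[ [` line followed by the Chinese text, and the "Prepare to become a Certified Information Security Systems Professional" phrase was dropped; join it back into one line matching the source. On wording, the heading "### 产品在安全提交传输方面玩忽职守" misreads "committing" as "submitting"; the source means perpetrating malpractice, so something like "产品在安全方面玩忽职守,并偷偷地将数据传输到异地" keeps the sense. Smaller terminology points: "shadow IT" is rendered as "IT 阴影一面", where the established term is "影子 IT"; "SSL:443" became "ssl443" and "Wi-Fi" became "WiFi", so keep the source spelling of protocol and port; "security and IT vendors" became "IT 安全供应商" (the source lists two categories); "Windows 10" vanished from the opening paragraph, which also loses the past-tense "Back when" framing; and "top of mind" in the closing line is translated as "最上方的主题" (literally "the topic at the top"), whereas the idiom means the topics people care about most.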
@ -60,7 +61,7 @@ via: https://www.networkworld.com/article/3429559/is-your-enterprise-software-co
作者:[Andy Patrizio][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
译者:[hopefully2333](https://github.com/hopefully2333)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出