It’s a rocky landscape lately, what with Sony taking over headlines and Lockheed Martin’s recent breach. We wanted to know how our members were setting up a strong offense against hacks and breaches at their own companies, as well as tips on setting up a sufficient defense in the case of a successful breach. We threw out the line, and the IT Knowledge Exchange community responded with some priceless opinions and advice. Does your company have a vague security policy or some recent red flags in your security log? Don’t waste any more time…
Batye suggests a more “proactive approach” to security, such as internal and external testing for security holes; a system for downloading, installing, and configuring updates and patches; and regular security hardware upgrades. Does your budget value security? It will show in your vulnerabilities…
Because they think you have the system well protected, they don’t care where they browse, or what they download. They are, in the main, non-technical, and think it’s covered, or have not been made aware of the dangers. The attitude being, “I haven’t had a problem at home, so what harm can it do?” I have seen many small companies who regard the user as a minor consideration when making security decisions.
He also warns against social networks, which often create a back door entry point into companies. His suggestion? “Aggressive methods.” Company policy should reflect possible vulnerabilities, and internal methods such as penetration testing could be done without too high a cost.
While ErroneousGiant agreed with Chippy on some things, he was willing to take responsibility, as an administrator, for either “preventing users from putting the company at more than accepted risks or to educate the users about the risk. The IT team are just as responsible for any breach by either not verify[ing] security properly, not having the correct security in place, or not shouting loudly enough if it’s not in place.”
Newer member Ekardris presents an interesting argument and plan of action:
We all know that users inside and outside the organization are going to attempt to breach security (whether they meant to or not). Therefore we have to plan that it will happen, and not be surprised afterwards that it did happen. Our job is to devise systems that will keep 98% of attempts made by amateurs and the ignorant from being effective.
Then plan contingencies for the 2% who we can’t stop from breaking through our security.
He says that most users assume they’ll be kept out of places they shouldn’t be, and so when they discover access to off-limits places, the blame for what happens next falls on IT. It doesn’t take a sophisticated hacker for the most part; there are gaping holes in enterprise security in most places. Some of the most obvious mistakes Ekardris finds:
- Administrative accounts being used by multiple people
- Common knowledge within the organization or IT department of the Admin password
- Tracking turned off on corporate data files
- Service accounts that are compromised or are the Administrator
- No Security Policy documented
- No documentation on security groups, policies and/or explicit rights
- Inconsistent backups
- Poor understanding of router and firewall ports
- Only one security wall between the corporate data and the internet
In answer to these d’oh! moments, he included some tips for companies avoiding Sitting Duck syndrome:
- Continuous auditing with the IT groups. Focusing specifically on corporate requirements, industry best practices, corporate policies and procedures.
- Reviewing contingency plans in case of failure and security breaches.
- Assigning a “security” role that focuses specifically on the organization’s security. This role would be responsible for reviewing corporate security policy, continually gathering security requirements from departmental stakeholders, managing security audits within the organization, and maintaining a discussion around these issues within the entire business organization.
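Several items on Ekardris’s list of mistakes (administrative accounts used by multiple people, service accounts that are the Administrator, inconsistent backups) and the “continuous auditing” tip above lend themselves to a scripted check that IT can run regularly. The Python below is an added example written for this post; it is not code from IT Knowledge Exchange, from Ekardris or from any product. It runs over constructed logon records, a constructed service inventory and constructed backup run dates embedded in the script; the field layout, account names, host names and the one-hour window are assumptions made for illustration.

```python
"""Added example: a small audit pass over constructed records that flags
three findings from the list above: a privileged account used from
several hosts, a service running as the Administrator account, and gaps
in the backup schedule. All data, names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records (not real data): account, source host, timestamp.
LOGONS = [
    ("administrator", "WS-ALICE", "2011-06-20 08:02:11"),
    ("administrator", "WS-BOB", "2011-06-20 08:04:40"),
    ("administrator", "WS-CAROL", "2011-06-20 08:09:03"),
    ("alice", "WS-ALICE", "2011-06-20 08:01:50"),
    ("svc_backup", "SRV-FILE1", "2011-06-20 02:00:00"),
    ("svc_backup", "SRV-FILE1", "2011-06-21 02:00:00"),
]

# Constructed service inventory: service name -> account it runs under.
SERVICES = {
    "BackupAgent": "svc_backup",
    "LegacyScheduler": "administrator",  # finding: service runs as the admin account
    "WebFrontEnd": "NT AUTHORITY\\NetworkService",
}

# Constructed backup run dates: the 19th and 20th are missing.
BACKUP_RUNS = ["2011-06-17", "2011-06-18", "2011-06-21"]

ADMIN_ACCOUNTS = {"administrator"}  # assumed list of privileged account names
WINDOW = timedelta(hours=1)         # assumed: logons this close together from
                                    # different hosts suggest a shared password


def shared_admin_accounts(logons, admin_accounts=ADMIN_ACCOUNTS, window=WINDOW):
    """Return {account: sorted hosts} for privileged accounts whose logons
    occur within `window` of each other from more than one host."""
    by_account = defaultdict(list)
    for account, host, ts in logons:
        if account.lower() in admin_accounts:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_account[account.lower()].append((when, host))

    findings = {}
    for account, events in by_account.items():
        events.sort()  # chronological
        hosts = set()
        # Compare each logon with the next one; a short gap between two
        # different hosts means the credential is in more than one pair of hands.
        for (t_prev, h_prev), (t_cur, h_cur) in zip(events, events[1:]):
            if t_cur - t_prev <= window and h_prev != h_cur:
                hosts.update((h_prev, h_cur))
        if hosts:
            findings[account] = sorted(hosts)
    return findings


def services_running_as_admin(services, admin_accounts=ADMIN_ACCOUNTS):
    """Return the names of services whose run-as account is a privileged one."""
    return sorted(name for name, acct in services.items()
                  if acct.lower() in admin_accounts)


def backup_gaps(run_dates, max_gap_days=1):
    """Return (previous_run, next_run) pairs separated by more than
    `max_gap_days`, i.e. stretches where the backup did not run as scheduled."""
    dates = sorted(datetime.strptime(d, "%Y-%m-%d") for d in run_dates)
    return [(a.strftime("%Y-%m-%d"), b.strftime("%Y-%m-%d"))
            for a, b in zip(dates, dates[1:]) if (b - a).days > max_gap_days]


def audit_report(logons=LOGONS, services=SERVICES, backups=BACKUP_RUNS):
    """Collect all findings as human-readable lines for the audit record."""
    lines = []
    for account, hosts in shared_admin_accounts(logons).items():
        lines.append(f"shared privileged account '{account}' seen on {', '.join(hosts)}")
    for name in services_running_as_admin(services):
        lines.append(f"service '{name}' runs as a privileged account")
    for prev, nxt in backup_gaps(backups):
        lines.append(f"no backup between {prev} and {nxt}")
    return lines


if __name__ == "__main__":
    for line in audit_report():
        print("FINDING:", line)
```

Each check returns plain data rather than printing, so the same functions can be fed from a real logon export, service list or backup log and the results written to whatever the audit process already uses.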
For more from Ekardris and some of the red flags he’s come across during audits, check out his full response here.
How is your company handling the heightened awareness of security these days? Have you seen some of these vulnerabilities or implementations in your own industry? Let us know in the comments section or email me at Melanie@ITKnowledgeExchange.com.
Just in time for the newest Transformers movie, Google announces its latest attempt at crushing the behemoth that is Facebook. Focusing on Facebook’s Achilles’ heel – user privacy – Google’s new Google+ Project may have a fighting chance. That is, unless you’re taking into account their social networking track record. As Claire Miller at the NY Times pointed out, it may be too late for Google to defend its title as the most popular entry point on the Web.
Bradley Horowitz and Vic Gundotra, the masterminds behind Google Buzz, have come together again with Google+. Despite the familiar names on the ticket, the project aspires to be the phoenix out of Buzz’s ashes. The two told the NY Times that Buzz “chastened” them and they’ve since learned the value users place on their privacy.
In limited field trial for now, Google+ advertises that it’s expected to change and evolve with each user’s feedback. The tool aims to mimic real-life relationships and discard the potentially awkward aspects of other social networks (ahem, poking, ahem). Perhaps the most refreshing update to this take on social networking is the ability to receive others’ updates without sharing your own. Google plans to spread the reach of Google+’s features across mobile platforms and websites.
What do you think? Is there room for more takes on the same idea?
Last week at Enterprise 2.0, I sat down with David Sacks, CEO of Yammer. In the description of his panel discussion, Platform vs. Product, was a mention of the fault line between traditional software offerings and platform solutions with a wide range of capabilities. However, the conclusion the panel arrived at was that these days more and more products are presented as both. Even Sacks described Yammer as technically a product with an open API, allowing customers to build applications on top of it.
I asked Sacks why someone would choose Yammer or Salesforce’s Chatter over an intranet system, and he cited the distaste for accessing a “social network embedded inside a line of business tool.” Rather than separating departments, products such as Yammer offer a “private, secure social network for the entire company.”
I was curious about how IT departments feel toward products such as this, given their usual suspicion of anything “social” or consumer on the network. Sacks pointed out that IT has been embracing the cloud. During his panel, another panelist accused Yammer of being insecure because of its position in the cloud. Sacks’s response was that he “hoped we’d moved past the point where anything cloud-based is considered insecure,” prompting applause from the audience.
With announcements of expanding communities, Yammer has moved beyond internal, allowing companies to create groups for each of their clients or customers. Future plans are to integrate a social layer atop and across all areas of the enterprise, from content management to finance.
What are your thoughts on socializing the enterprise? Would you prefer using a product such as Yammer that includes an API or build your own?
Leave your thoughts and questions in the comments section or email me directly at Melanie@ITKnowledgeExchange.com.
In a session entitled “Real Time Collaboration Across the Firewall,” one member of the audience raised his hand to ask how to deal with end-users who don’t care that their company is deploying a huge system like SharePoint. Once outside the firewall, he lamented, these users will use the simplest option, like Google Docs.
So how does IT keep from being seen merely for its costly deployments that nobody cares to use? Deploy another product that helps you use your major deployments more easily! Well, sort of.
I spoke with David Lavenda of Harmon.ie, which makes a product whose goal is to reduce the steps of utilizing SharePoint’s central repository from about nine to one. It appears as a sidebar in your email client, allowing you to view the documents you’ve been working on. One Google-esque feature reminds a user who is trying to attach a document (old habits die hard) that they can send a link to where the document lives in SharePoint instead. (Harmon.ie also offers a similar product that deals with documents in Google Docs.) An upcoming announcement includes a view of the list of people you are currently collaborating with, along with which documents they’ve edited.
Often products such as these flaunt the business benefits without ever exploring the effects, or obstacles, for IT. When I asked Lavenda how a company’s IT department might feel about deploying it, he responded positively. “It’s centrally deployed by IT. We do not add another layer of security, and we don’t circumvent security. We allow users to continue using what they’re comfortable with,” he said. While it may seem silly to add a program to do what a major deployment such as SharePoint should have the capability to do, there are benefits to showing the higher-ups a growth in your adoption rate.
One of the inspirations for this tool was the array of digital distractions reported in the workplace, compounded by the inability of users to disconnect from work and work devices even when off-duty. A little bit of work here, and a little bit of email there, can sometimes mean that users employ solutions outside of the network with data that’s supposed to be secure within the network. How do you handle end-users deploying rogue solutions over big-budget deployments such as SharePoint?
Today’s my first day at the Enterprise 2.0 Conference in Boston. I’ve listened to a couple of keynotes and attended a couple of sessions. What struck me most was the hostility being paraded toward IT departments. I caught the first half of Kevin Jones’s Enterprise 2.0 Failures session, where he stressed that in order to learn, we must fail. More trust means more room to fail, which means more learning, innovation, and progress. After twenty minutes of fluff, I decided to head to the panel discussion on real-time collaboration across the firewall.
After less than a minute of sitting in the session, Brandon Savage of Box.net was in the middle of addressing the point of “IT as a bottleneck”: IT causes reluctance to move despite the opportunity for improvement. A woman in the audience who works for a pharmaceutical company on the IT side asked about building solutions rather than buying a massive, large-scale solution. Her company, she said, prefers to implement bit by bit, testing and measuring (and beating dead horses) along the way. The panel’s treatment of IT departments was suddenly proven correct.
But not all IT departments want to throw a wrench in the productivity wheel. Another man in the audience questioned what to do when faced with end users who couldn’t care less about major systems like SharePoint. “When they’re outside the firewall, they just want the simplest option,” he said. Google Docs was named as the main rogue weapon of choice for those in no-firewall’s-land, but Savage dropped Dropbox’s name as another way employees go rogue. Savage took his opportunity to explain how Box.net is a better option than Dropbox, with its ability to track files once they’re out in the wild: who’s looking at what, how many times, and from what IP address.
Is IT fighting a losing battle?
Capabilities such as Box.net’s tracking features provide some hope that IT isn’t on its own. The search for a simple, user- and IT-friendly solution isn’t completely in vain, as long as IT departments keep some tips in mind.
- Don’t just say “no.” Just because you know all of the reasons not to send the clients’ account information via Google Docs doesn’t mean that Bill from sales will know them. One of the complaints the audience voiced about IT departments is that they’re not helpful enough. Explaining why the extra steps to access SharePoint instead are worth taking can save you headaches now and later.
- Be proactive. Savage says that the majority of sales leads at Box.net come in from IT departments. While it may be a thorn in your side that consumer applications are shiny, attracting every Joe Schmo at your company, they are necessary for pushing enterprise vendors. Savage pointed out that as long as there are consumer application start-ups with fewer obstacles for their end-users, they will outpace enterprise solutions. “As consumer applications become more accessible and used, it opens the end users’ eyes to the ease that’s possible, but also opens IT’s eyes to the vulnerabilities.”
What are your concerns when it comes to outside perceptions of IT? How does your company keep communications open amongst departments?
We cast the net, asking where IT Knowledge Exchange members get their latest technology news. Whether you prefer Twitter updates or your RSS feed is packed with tech blog posts, we wanted to hear from you. Add your own picks in the discussion area here, or in the comments section below.
Whether you’re looking for a top-of-the-line security podcast, job listings, or opinions of like-minded tech folks, ErroneousGiant recommends you pay a visit to Risky Biz. With over 170 podcasts published since February 2007, Risky Business has quite the archive, as well as forums and a second podcast, RB2. Looking for some reading material? ErroneousGiant also keeps up with Sophos’s Naked Security blog, where you can find updates on the latest Facebook phishing scam (probably updated hourly) and hacking or security issues from courtrooms all over the world.
Carlosdl suggested a couple of Twitter accounts whose shortened URLs it’s probably safe to click: @helpnetsecurity and @FSecure. Help Net Security’s Twitter stream is managed by Mirko Zorz, editor in chief of Help Net Security and (IN)SECURE Magazine. F-Secure’s Twitter stream highlights the latest headlines in security.
There is an impressive array of Twitter accounts and blogs to follow, no matter what area of IT you focus on.
Windows 7: Blogs
Did we miss anyone? Let us know in the comments section or in the forums.
My friends sometimes tease me about having to enter a passcode just to play games on my iPhone. But the truth is, Angry Birds isn’t the only thing hanging out on my home screen, so I need to be extra careful about who can access that information. Granted, a measly little four-digit passcode won’t stop even most amateur hackers, but it can buy a little time for me to report my phone missing or to wipe the sensitive information from my phone.
I was vindicated yesterday when Daniel Amitay, an Apple iPhone developer, published his research into passcode security. Amitay pays homage to past articles about the most common passwords on the Internet, creating a list of the ten most common iPhone passcodes. Here they are, in all their glory, from Amitay’s blog:
After years of waiting, the Associated Press (and other media outlets) finally received the results of their freedom of information request to the state of Alaska: A massive trove of former Governor and Vice Presidential Candidate Sarah Palin’s e-mails from when she was in office.
And so far, love her or hate her, the results are pretty tame: Mother Jones, which has had some of the most aggressive coverage of the e-mails, reported that she did, indeed, regularly use the folksisms she’s become famous for, from “unflippinbelievable,” “what a goof” and “holy flippin A” to “we love the mobster in ya.” Indeed.
Here at the Enterprise IT Watch blog, we try to keep up with the latest news in enterprise IT to keep you updated on the goings-on in your neck of the woods. Usually our posts focus on our theme month topics, but not everything new in IT follows our schedule (despite our many efforts). To make up for that, I’m going to start compiling the top stories in enterprise tech, to make sure that you know what’s happening (and so that we know what’s happening as well). So even next month, when we’ll be tackling Cloud Storage, you can get a balanced dose of enterprise IT right here. Your one-stop shop, if you will.
So here goes:
Hey, Google! It’s rude to point.
It seems the latest trend in enterprise IT is to adopt whatever’s hot in consumer tech, although usually out of necessity and security rather than by choice. The latest spinoff of the should-we/shouldn’t-we debate over mobile gadgets is the question of online or cloud storage. Google made it a household name with Google Docs and its array of Office-like applications, and more recently pushed it further with Google Music. With similar offerings from Amazon and Apple, the idea of the public cloud is losing its mystery and gaining a more everyday reputation.
Companies such as Dropbox, Box.net, and Mozy are getting in on the online storage trend, gaining attention from the New York Times Technology section, highlighted for their successful foray into the storage industry. As Verne G. Kopytoff reports, “Aaron Levie, chief executive of Box.net, an early online storage company based in Palo Alto, Calif., said that the increased adoption of mobile devices and ubiquity of online connections had created a bigger need for companies like this.” The article cites the decrease in cost of hardware such as servers and data storage devices as one of the main benefits these companies have experienced in the past years. Box.net’s server space leasing cost has decreased about five to eight times since 2005 when the company started.
But these online storage companies are no strangers to the number one deterrent for all things “cloud”: security concerns. Even casual consumers understand that their photos of last week’s BBQ are at risk, let alone images of their passport or social security card. With the recent horrible stretch for cloud computing, it’s not hard to see why experts urge users to store only non-sensitive information on these platforms. Newer companies are using this skepticism to their advantage. Chief executive of Cx.com Brad Richardson told the New York Times he “was not intimidated by all the competition. Focusing on security will help set his company apart from rivals.” Aside from being a thorn in the IT department’s side, consumer cloud services often serve as a catalyst for innovation in enterprise IT. With Amazon’s Cloud Drive and Apple’s iCloud (announced today and compared here), it definitely seems that further improvements could be headed for enterprise data storage.
The next step up from consumer acceptance? Small- and medium-sized businesses. And as Ron Miller points out, cloud storage seems the most obvious option for SMBs:
Small businesses today are being built for a fraction of the cost of even 5 years ago precisely because these businesses don’t have to make huge investments in hardware infrastructure. By passing off these costs to infrastructure providers, small businesses can concentrate on building the business and not worrying about keeping the Exchange server up and running or adding a new drive to the network to handle increased usage.
So it seems the dividing line between trusting your data to online storage and not falls right where most other IT concerns do: budget. The bottom line for now seems to be, if you’re just starting your business, taking advantage of cloud storage can diminish your costs and keep you afloat. If you’re a company with enough to invest in the hardware (or something to hide) to host your own data storage, use that to your advantage and keep track of your most sensitive data that way. Unless you’re Sony, in which case you might just want to bury your head in the sand.