Enterprise IT Watch Blog


September 30, 2010  3:12 PM

Loosen the reins: Telecommuting in 2010

Kevin Beaver

I’ve been commuting into downtown Atlanta a good bit recently and I’m about done…not with my projects but with the traffic, and even more so, the nasty air. It seems I can’t catch a break from the diesel trucks sputtering their filth, smokers with their cigarettes hanging out their windows, and old junker cars burning oil (I guess a lot of people missed “cash for clunkers”). Having a family member who suffered from lung cancer, I’m extra sensitive to this stuff.

All the traffic and filth in the air reminded me of telecommuting. Where the heck are all the telecommuters? It seems like everyone who has a job is driving into work. Why!!?? It’s 2010, for crying out loud!

I think it’s crazy not to let people work from home as long as the security issues that come along with it (unsecured home computers, unsecured wireless network usage, weak passwords, and unencrypted laptops/mobile devices) are addressed. Telecommuting helps morale. It helps productivity. You can’t tell me no one is goofing off at the office anyway. I see people doing that all the time. Furthermore, research has shown that when you’re interrupted it takes 20 minutes to get back into the groove of what you were doing. Interruptions occur in the workplace about every 20 minutes; does that mean no one is really getting anything done?

I’ve been ranting about telecommuting for a while, and unfortunately there’s a huge double standard. It’s okay for management to do it but not for regular employees. I have a good friend who has been subjected to this at multiple companies. Does management not trust its employees enough to let them work from home at least a few days a week? Why? If you ask me, this is an HR problem – managers not hiring the right people – more than anything else.

It’s time to step into the 21st century and use some of these technologies we’ve paid so much to put in place. Make telecommuting work for your business and be done with it. It’s not only a matter of thinking things through to do it right – it’s also a matter of choice.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.

September 29, 2010  6:01 AM

Policies for the sake of policies

Kevin Beaver

Security policies are those “talk is cheap” enablers of compliance and risk management. The problem is they’re often poorly written, disjointed, inaccurate and so on – often creating the very risks they’re supposed to mitigate.

Everyone treats policies differently, so your needs and mileage will no doubt vary. For what it’s worth, I wrote an article for SearchEnterpriseDesktop.com regarding Windows desktop security policies. If you need to create your own policies or revamp your existing ones, I included a security policy template which can be tweaked to suit your business needs.

Keep in mind that you don’t want to create policies just for the sake of having policies. This practice can end up creating more problems than it solves. You need to understand where your business is at risk and then shape your policies around those risks. Once you understand where the focus is needed, you can go about building out your policy documents into something that truly enables information security in your business.

For further reading including common oversights and mistakes, check out my security policy articles, podcasts and webcasts.



September 28, 2010  6:00 AM

Would you like some snake oil with that network assessment?

Kevin Beaver

There are many IT services firms – including some run by friends and colleagues of mine – that perform something called “network assessments.” The purpose of these assessments, which are usually aimed at SMBs, is to determine the overall health of your network and computing environment, supposedly including security.

First, let me be clear that these are legitimate services to see where your network stands. That’s fine and dandy – a useful service indeed. The problem is that these network assessments are being pushed/sold under the guise of security assessments that, at least on paper, would compete with more in-depth security vulnerability assessments. But they’re not the same.

I saw recent descriptions of such services that claim to “check the security environment of your network” and “help ensure your sensitive data remains protected.” In discussions with my friends and colleagues, none of them have ever claimed to be security experts, yet they still offer these services. I don’t believe “in-depth security assessments” are their intent, but what exactly are such companies purporting to do? Many are just visual inspections or basic questionnaires and may incorporate rudimentary security scanning tools such as Microsoft Baseline Security Analyzer.

My point is: Be careful. Just because a network engineer “checks” your systems, recommends some software updates or network design changes, and ultimately installs a few new security products in your environment, don’t assume that you’ve had a proper information security assessment or that your information is truly secure. Your best bet is to determine what you want and then ask specific questions to help ensure you’re getting the deliverable you really need before you start the project.

Here are some information security assessment articles, screencasts, podcasts, and webcasts you can peruse to help you fine-tune your requirements the next time this comes up.



September 28, 2010  5:09 AM

Is a new Obama mandate putting IT security at risk?

Melanie Yarbrough

We’re not here to discuss politics, but one of the big stories today is the Obama administration’s development of plans to require that backdoors be placed in Internet-based communication services, allowing for compliance with federal wiretap orders.

The bill, slated for 2011, would require communication service providers to have the capability to intercept and decrypt messages. The proposal extends into the realm of the Internet the Communications Assistance to Law Enforcement Act (CALEA), which requires telecom providers to provide interception capabilities for law enforcement. In the New York Times article on the bill, the FBI’s Valerie Caproni said:

We’re not talking expanding authority. We’re talking about preserving our ability to execute our existing authority in order to protect the public safety and national security.

But does “public safety and national security” come at the cost of personal and enterprise security? Extending interception capabilities to the Internet could prove disastrous if not executed correctly. Computer science professor at Columbia University Steven Bellovin thinks “it’s a disaster waiting to happen. If they start building in all these back doors, they will be exploited.” Just like in 2005, he cites, when “hackers [took] advantage of a legally mandated wiretap function to spy on top officials’ phones, including the prime minister’s.”

On the flip side, there may be side effects of adding to the already overwhelming honey-do lists of enterprise IT. Former Sun Microsystems engineer Susan Landau worries that the mandate would hinder the progress of small startups: engineers would be dedicated to incorporating wiretapping capabilities rather than to innovation and product release dates.

The federal response to the privacy community’s uproar is hardly comforting: Service providers would be the sole holders of the decryption capabilities, which an agency could use only with a court order. Ira Winkler, president of the Internet Security Advisors Group, told Computerworld that his main concern isn’t the “government’s ability to intercept communications for legitimate law enforcement purposes, the real concern should be over continued compromise of personal data online.”

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.


September 27, 2010  6:15 AM

Two simple but essential steps for all laptop owners

Kevin Beaver

Not too long ago I experienced the equivalent of a disaster for larger businesses: My laptop computer died. I’m a technical guy and so I was able to limp along with some workarounds at first. I had an old laptop that I could use for most things, but it wasn’t pretty.

Little did I know that in the process of recovering, I was going to be consumed with other unrelated computer problems. All in all, I lost three full days of work troubleshooting and getting things rebuilt back to normal. I got behind on articles I needed to write. I neglected my blogs. I missed out on some consulting work, and I even missed a book deadline.

But it could’ve been much worse. Through thick and thicker, I saved my rear end by doing two things:

1) Warranty it up: When I purchased my laptop, I paid $295 for an on-site warranty. This not only got me next-day service, but it also kept me from having to spend a couple thousand dollars on a new laptop. I had to have my processor and system board replaced – arguably the best $250 I’ve ever spent. This also kept me from having to send my computer off loaded with sensitive information, something I simply can’t do in my line of work.

2) Back it up: I had a backup; it’s something I do religiously every day. It’d be hypocritical of me, an information security consultant, to not have one, right?

Imagine how much time I would’ve lost had I not done these two things.

So do yourself a BIG, BIG favor and back up your laptop. Do it now. Most laptop users I see in my work are required to do their own backups and guess what? Very few people are backing up their laptops. Use Windows Backup, purchase TrueImage, or just manually copy your data to an external drive (make sure you get everything though!). Just do something.

In the future, spend the extra money for the on-site warranty; pay extra for the drop/spill coverage too. If you’re like me, you will need it (I’ve needed this coverage three times with Dell, IBM, and HP), and you’ll kick yourself for not having it when that day comes down the road.

Even if you work for someone else who’s calling the shots on this stuff, ask for it or buy it yourself. It’s money well invested.

Here’s to planning ahead!



September 24, 2010  6:58 AM

Security, huh! What is it good for?

Kevin Beaver

Not too long ago an ad for a mortgage company on my local radio station said something that caught my ear. The owner of the company was talking about identity theft and the need to be careful with the sensitive information you hand over to people, especially when it comes to getting a mortgage. He said, “You’ve got to differentiate between a mortgage company and a mortgage professional or your information is at risk.”

I’ve always said that information security can be a competitive differentiator, and this business is capitalizing on it. Good for them!! It’s about time some business owners step up to the plate with enough confidence in their information security that they can use it to their advantage. Of course, talk is cheap, so who knows the reality of what they’re advertising. At least their thinking is on the right track.

On a related note, some companies in the financial sector tout their “fraud and identity theft insurance” – something I’m not too keen on since it can be used as a crutch to cover up otherwise poor information security practices. But if your business has gone past the checklist audits and is performing in-depth security assessments of your network, your Web applications, and your IT operations on a periodic and consistent basis, then providing such insurance as an option certainly won’t hurt. Yet another competitive differentiator that’s ultimately good for all of us.



September 23, 2010  2:21 PM

ISSA International Conference Recap: More of the same

Kevin Beaver

The 2010 ISSA International show was just here in my hometown of Atlanta. With the experienced speakers – many of whom work for highly-visible companies and government agencies – I was expecting some new ideas and solutions around security. The quality of the speakers was good; the problem was with the messages that I heard (at least in the keynotes). It was the same old stuff we’ve been hearing since the beginning of “Internet security” as we know it. “You need to have policies,” “You need to train your people,” “You can’t rely on vendor products completely,” “You need to take a risk-based approach,” “The cloud is our great savior” – blah, blah, blah. Looking around, I could tell that others in the audience were tiring of the same old messages as well.

Is this the way information security is going to be from here on out? I’m not so sure that preaching the same old stuff is viable long-term. Maybe I’m just being impatient; perhaps there is no good solution. Maybe we’re just going to have to keep doing what we’re doing and trust that it’ll eventually sink in. Time will tell.

Although it’s a never-ending and frustrating cycle, it’s good for job security, so I guess I shouldn’t complain.



September 22, 2010  3:21 PM

Stop fearing your smartphone: Mobile encryption & your security policy

Melanie Yarbrough

From possibly causing cancer to posing a major security risk to the enterprise, the smartphone just can’t catch a break. The truth is, smartphones are here to stay, especially in the enterprise. Like many other IT-versus-the-world conflicts, the solution isn’t a yes-or-no policy on their usage, but a set of security policies and guidelines, just as with any other technology adopted by the enterprise. Smartphone security and encryption can be a tricky road to navigate, so take a few things into consideration before deciding.

Assessing the Situation

Like any other policy, there are several factors that go into the crafting of mobile security. Here are a few points to consider when discussing options amongst your team:

  • Rather than looking for the cheapest (or the free-est) application available, assess your company’s mobile encryption needs before beginning the search. Minimizing time wasted will minimize the frustration and loss when incorporating mobile phone security into corporate policy. If you need support for multiple smartphone operating systems, start your search with that detail.
  • Part of your assessment should include your enterprise’s primary security focus and needs. Whether you need the option of remote data-wiping or authentication, knowing these details ahead of time will help to increase efficiency.
  • Once you’ve decided the features your users and data need, you need to allocate some of your security budget to ensuring the data on and accessed by these smartphones is secure.
  • Just as endpoint security has lowered the risk of laptops remotely accessing networks, smartphone encryption software can help you adapt to the changing nature of the enterprise. To better ensure the smooth incorporation of these devices into your operations, you’ll need to incorporate them into the central management system already in place. Treat mobile devices as normal factors in everyday operations (rather than devices sent solely to cause you headaches) and implement their use and security like any other enterprise-level product.

Some smartphone encryption options after the jump.


September 18, 2010  10:13 PM

Mobile device security – we keep spinning our wheels

Kevin Beaver

It’s been a year since I contributed to a piece on mobile security for the Wall Street Journal, and I was thinking about how things have changed since then. In a nutshell: They’ve gotten more complex and less secure.

It’s amazing – and scary – given all the sensitive electronic information scattered everywhere across any given network. Be it workstations, servers, databases, smartphones, mobile storage devices – you name it – so often they go unprotected. By that I mean there are no access controls to prevent unruly employees from doing bad things with your data and no access controls to prevent outsiders from doing bad things, either.

I’m not just talking about corporate intellectual property either. I’m talking about healthcare records, SSNs, credit cards, and other personal information…personal information belonging to me and you! This isn’t just a business issue – it’s a privacy and identity issue that affects us personally.

This is backed by story after story, breach after breach, and study after study. Just Google “mobile security breach” and you’ll see what I mean. The Privacy Rights Clearinghouse Chronology of Data Breaches reveals such breaches practically every week.

If you’re responsible for information security, audit, or compliance in your organization … this subject/dilemma should be on your short list of priorities for the coming year. Rather than just ranting, let me share with you some solutions and further reading:

…and finally, some of my blog posts on the subject.



September 16, 2010  8:36 AM

The Seven Deadly Enterprise Security Sins, Part II

Michael Morisy

Last week, the IT Watch Blog took a look at the first three of the Seven Deadly Security Sins. Today, we reveal the other transgressions that are costing companies millions of dollars and putting the privacy and security of their employees and customers at risk.


