Thursday, July 26, 2007

Web 2.0 – Hype, Reality and Security

I have been reading a lot lately on Web 2.0. There are numerous articles and commentaries that range from “It’s hype” to “It’s changing the world” to “It’s YouTube”.

There is no doubt that today, millions of people put content on the Web using sites such as Myspace, Facebook and Linkedin. There are numerous Blog sites such as this one, and then aggregation services like Technorati and Feedburner.

The scale is astounding. If I read it correctly, there are close to 8 million Blogs on Technorati, and on Myspace it says that more than 700,000 Blogs have been updated today!

These sites are much more than hype – they are phenomenally successful at attracting users.

So is there a security implication if they are used in a business environment?

Security company Sophos seem to argue that there is. Sophos publish a Security threat update, and if you haven’t read it, I recommend it.

www.sophos.com/pressoffice/news/articles/2007/07/securityrep.html

This Sophos report states that virus writers are placing malware on third-party web sites – and they suggest that about 80% of all web-based malware is being hosted on innocent, but compromised, sites.

Sadly, malicious code is also placed on the social networking sites. Sophos quote that in March 2007 the SpaceStalk spyware Trojan was discovered embedded in a QuickTime movie on a Myspace page.

So, how do you protect your users and resources from this malicious code? Do you block these sites?

Monday, July 23, 2007

Taking Care of Business

Information Technology can empower a business. So why, in many organisations, is it seen as a basic service?

There are many theories. Perhaps the CEO is not a supporter of investing in technology.

Perhaps IT has over-promised and under-delivered in the past. There are many stories of over-time and over-budget ERP implementations that disrupted the business and resulted in very little business improvement (we don’t read too much of the quality implementations that have delivered value).

Perhaps also, the fact that IT is a service organisation confuses the role of IT. The IT Group supports the systems we all use, which is a challenging role. When a system or PC goes offline, end-users get frustrated and nothing short of instant restoration is seen as “quality service”.

While there are many factors like these, I believe the core issue is language. IT people speak IT.

Running an IT operation is complex, and most business managers don’t understand it. Yet, there is too little effort from IT to demystify the acronyms and explain what is going on.

Equally, IT people don’t have day-to-day exposure to the business so are not in a position to offer technology solutions. IT isn’t a magic wand, but it will add value if properly engaged.

IT needs to take the lead.

The IT group needs to lead a planning process where their activities are explained to the business, and the business challenges and drivers are explained to IT. The closer the IT group gets to the detail of the business issues, the more likely it is that good solutions will emerge.

This happens in many successful organisations, and the results contribute to the success.

Wednesday, July 18, 2007

Mobile Security

Mobile computing is important. The proliferation of notebook computers has changed the way we work, and that change has been accelerated by mobile-connected PDAs. They are great business tools, but are they opening a gap in your security?

Wireless mobile computing found popularity in real-time data collection, often customer-facing (sales order taking, delivery confirmation, logistic tracking) and at the senior executive level, with mobile email as the driver. We are now seeing more applications, often from a Web interface, being available to mobile devices, with an example being CRM.

So back to my original question – are these devices creating a hole in your security? I must declare my hand here – I am a big fan of mobility. Making information and functionality available at the point where it is of most benefit is a good thing. So, this isn’t about slowing mobility, it’s about making mobile computing as secure as possible (within the risk parameters of the organisation), and working to review and improve that security on a very regular basis.

To state the obvious, these devices are computers even though they sit in your hand. They run operating systems and applications, so they should be secured like other computers. In addition, they are using wireless connectivity, which itself requires more security focus.

For example, devices retrieving email are virtually connected (through the outbound connection) to the internal network and remain in an always-on, always-connected state. This is not how other remote access devices would connect, and it could create a vulnerability if a rogue user, wirelessly connecting to the PDA, used the PDA’s connections to enter the corporate LAN.

The good news is that there are some innovative tools available to help; they just need to be deployed and managed.

This is a quick checklist to get started:
• Anti-Virus – would you have a notebook without AV? Do you have AV on your mobile computing fleet?
• Firewall – is the device protected from wireless attack?
• Lost or Stolen – what can you do to protect the data if the device is lost or stolen? What process do you have in place?
• Encryption – is the data encrypted in transmission? Is it encrypted on the device?
• Authentication – is the data/access important enough to be protected by two-factor authentication?
• Device change – what process do you have in place to securely remove data when the device is returned, or passed on to another user?

Tuesday, July 17, 2007

I may be late to the party, but Acrobat 8 is great!

I don’t know about you, but I tend to stick with the software versions I have, unless I get compatibility issues or someone points me to a better option. That was the case with PDF creation until I was shown Adobe Acrobat 8 Professional.

If your response is “I knew about this months ago”, then forgive me, but products that exceed expectations are worth recommending.

I use PDF as a smaller, controllable file format when emailing documents. What I didn’t know was that the PDF creator I used (in my Printer Driver) actually makes documents larger, especially Powerpoint files. Also, the control (copying, printing etc.) was non-existent. Enter Acrobat.

The files are small, the security is great (and flexible), I can now combine various documents into a single PDF and, even when clients are using the free Acrobat Reader, they can make comments on the document without changing the original. This works on everything, including diagrams and pictures.

Last but not least, with Acrobat Professional I can create forms which other users can complete using the Acrobat Reader.

If you haven’t already, Acrobat Pro 8 is worth a look.

IT Skills Shortage

From memory, the topic of “IT skills shortage” began occupying IT publications in the late 1990s. I suppose this made sense, as Y2K created a surge in demand, so, why, 8+ years later, is the topic still current?

The resources occupied on Y2K projects were released for other activities. Is the demand still that strong, and if so, what are we doing to address it?

Is it hype, poor training, a gap in tertiary education or something else?

Hype – the comments I read that seem designed to fuel this topic come from recruitment companies. Yes, they would have first-hand experience of the shortage, but they also have an interest in promoting the concept of a “candidate-short market”.

Poor Training – are organisations doing enough to develop people? I know of many organisations that want to hire people who are “ready to go”, which means that someone else is expected to make the investment to develop their skills and experience. If we all leave it to someone else, it won’t get done.

Gap in Tertiary Education – are the courses producing graduates who are employable, with the right skill set? The biggest challenge of IT is matching it to the business needs. A researcher from Gartner suggests renaming IT to Business Technology, which seems smart to me. Is this where tertiary courses are going?

Hiring people costs time and money. How many IT departments or IT companies have staff development programs designed to make the department more effective and the staff member feel more valued, with the result of reduced staff turnover?