I know vendors love marketing aphorisms like "Security is everyone's business." (Oh wait… maybe that's these guys.) But the shape-shifting nature of threats to enterprise data and users actually breathes some life into an otherwise tired tag line.
And with that, let me welcome you to the Security Clan of Internet Evolution. While we expect that CIOs and IT security pros will comprise the bulk of members in our newest clan, we built Security Clan with the knowledge that security touches everyone these days. We also wanted a place for our readers to tap into the latest thinking and dialogue on security challenges that will shape the future of the Internet. You can join the Security Clan just by clicking here.
Regardless of where you sit in the organization or how much you’re paid, it's clear that the threat or risk from hackers, spammers, and identity thieves hasn't gone away. It's more a matter that "C" level executives (and, by extension, IT security pros) have awakened to the threat posed by their own employees.
But user negligence isn't the only internal threat; malfeasance runs in parallel here and is usually discovered long after the fact, if it's discovered at all. From cellphones with cameras to multi-gigabyte portable hard drives (you may know them better as iPods), there's plenty of opportunity (and disk capacity) for end-users to walk away with all sorts of proprietary information. Maybe they take it to their next employer; maybe they sell it to a competitor or to some broker with ties to organized crime; maybe they just lose it.
Small wonder, then, that many companies have a policy of disabling USB drives on laptops and desktops, or that they keep close tabs on the volume of individual downloading or copying, all to guard against fraud, theft, and other malfeasance.
Security Clan bloggers will be looking at where technology, business, and regulations collide, and they'll be predicting and prognosticating to divine how companies will protect networks, systems, data, and end-users. They'll be making assessments of different threat vectors, and they'll be suggesting areas and issues that require the attention of everyone from the CIO down to the newest admin. Got ideas about what the future of Internet security looks like? Write us and tell us more. After all, security's everybody's job now.
This blog is part of Internet Evolution's Security Clan, which examines the future of Internet security and the changing nature of risks and vulnerabilities. Register here to join the Security Clan and for a chance at all kinds of free stuff.
Job descriptions are used especially for advertising to fill an open position, determining compensation, and as a basis for performance reviews. Not everyone believes that job descriptions are highly useful. Read Dr. John Sullivan's article listed at the end of the following links. He points out numerous concerns about job descriptions that many other people have as well, including, e.g., that too often job descriptions are not worded in a manner such that the employee's performance can be measured, they end up serving as the basis for evaluation rather than performance, etc. Read the following links to build your own impression.
Thanks for flagging that Vancouver conference, RPR. While I don't think they'd necessarily be the best fit for that event, there are lots of different Best Security Practices papers we could tackle in the Security Clan on:
--Wireless
--Password protection
--Portable hard drives (USB drives, iPods, smartphones, etc.)
Where are other clanners and regular posters with their biggest security issues/concerns? We'd love to hear from others about their security pain points.
Ideally the posts and related dialogues help make things increasingly better; perhaps even as soon as Dec 2008. Maybe the Clan can generate a paper for an upcoming conference (e.g.). It is good in any event that this Internet Evolution Clan is now in (and about) progress. Well done IE!
Security is everyone's concern. Even charities are being hacked. But sometimes they fail to mention it in order not to threaten "online donors" and prevent them from giving. It was reported by the New York Times that hackers have recently "Cracked Charities’ Addresses and Passwords". And "some charities might have been reluctant to inform donors about the breach out of fear that it would affect donations". Instead of exposing donors to the risk of being stolen from, "Charities need to be more open with donors about security," said Allan Benamer, who writes for a Non-Profit Tech Blog. Security should also be in the "job description" of charity organizations, and they should not only be concerned about getting donations.
Interesting link Paul. Social Engineering is one of the most effective ways to gain information and you don't even need to know what a computer is.
Kevin Mitnick, who is actually a TN, was once one of the best known social engineers. He published a very famous book, The Art of Deception, which talks about what he did (not as a tutorial or anything, but to prove how useful and dangerous it is).
IMHO, that's where the biggest threat is. You can protect and firewall your data center all you want but if the administrator gives you the password, it's game over.
Did you know about the recently concluded HOPE Conference? I have been following proceedings from this hackers' conference and I really want to confess that we are pathetically vulnerable security-wise. As we continue to move all of our activities online, even to the mundane issues of ordering pizza, there is no disputing the fact that we are opening ourselves to more security problems. Even the prudent ones have to be more prudent in order to have a very healthy and safe online experience. One really can't afford to be that callous again when it comes to security issues. Let's hope this new clan will prepare us better for the security challenges ahead.
It boggles my mind to think about the lack of security in the workplace. Forget the hazards of simply plugging in an iPod or external hard drive, or Gmailing oneself sensitive files... what about the fact that most employees are carting their laptops around town, to and from work, on the train, etc.? How many employees have left these laptops behind somewhere, whether intentionally (in a car) or on purpose (in a cab). Or, how many employees are carelessly using their company laptop to connect to WiFi hotspots -- or even their own unsecured network at home? None of the above bodes well for the safety of the enterprise. I'm curious to see the outcome of the first security clan reader poll (Virtual Self Defense). It would also be interesting to note the precautions readers take on their personal machines vs. the precautions they take on their work machines.
The concept of "security is everyone's business" in itself is self defeating as anything that is everyone's business is not secure. That said, I had the experience of examining a published technology security policy from a local business with about 250 electronic seats and probably 350 devices that have access internally and externally. The security policy for the average users and managers consisted of about two pages of documentation. There were no policies or procedures outlining the most basic of best practices, no guidelines listed for sequence of action in the event of some sort of failure, and not even a phone number to call in the event of a suspected breach. I was simply amazed this extremely successful and multi generational, growing and profitable, family based business has survived this long into the technology age without some sort of major catastrophic failure related to security practices.
I also noticed, upon trying the simple task of installing a CD into an accessible drive bay, that it loaded and installed with no administrator privileges required. During a break I noticed a couple of the managers updating their personal stock portfolios and bidding on items for sale. I noticed another department was utilizing the web for the first industry to utilize its power of commerce (the same industry that jump started the mail order industry)... Basically pictures of ladies with less clothes on than a g-string...
Now "security" is a big word and even larger topic. It covers everything from what not to say, to what not to click, to doorlocks, paper shredders, mute buttons, and today it covers anything that can be transmitted from cell phones, GPS data, broadband, modem, the various wireless technologies, and even bluetooth communications with your vehicle computer system. No hard drive is safe from forensics short of a nuclear blast, and nobody truly knows who has been tracking what, for how long, why, and nobody can predict how any accumulated data will eventually be utilized.
I do know enough about the general topic of security so that when I start to go beyond basic policies outlined in operating system manuals, router instructions, and basic common sense, it is time to call in "experts". Yet even the input from the best in their disciplines cannot provide a truly secure environment, as someone beyond reproach and beyond reasonable corruptibility (yes, I saw The Dark Knight this past weekend) must somehow be able to architect, design, flowchart, streamline, and accommodate the ever-present "exceptions" that must be maintained so a company can maximize profitability.
Great topic. I joined the clan and am looking forward to learning a lot and based on my hopefully increased knowledge becoming even more cautious than I have already become.
Just last week, the HP vice-president indicted for leaking trade secrets from his former employer, IBM, pleaded guilty.
With the widespread use of 2.0 technologies, anyone (unintentionally or not) can leak secrets. There are some cases of bloggers finding out about mergers by seeing someone's Facebook status and a couple of Tweets.
Companies normally don't offer enough information on the topic, as sometimes they don't even know where to draw the line. But as you mention, it's in everyone's job description.