Be on the wave or under it
News – 04/21/03
Organizational Security: When People Are Involved
I recently gave a talk with the above title
at a day-long seminar sponsored by the Minnesota Information
Professional Society. I focused on the human elements of security,
stressing that the most buttoned up, state of the art security
system still is vulnerable because people tend to do things
such as posting their system passwords on their monitors or
opening email attachments from strangers. In fact, attendees
at the seminar got a good laugh from one speaker’s assertion
that Minnesota is the home of the maker of the world’s largest
security information repository – 3M, manufacturer of the Post-it®.
Security encompasses the people, policies, and procedures of
your enterprise. It’s not enough to have tremendous firewalls,
fantastic intrusion detection systems, and a vigilant security
staff. The people in your company have to recognize their role
in securing the enterprise.
One of the primary ways that bad guys breach company security is
through a technique known as social engineering. Renowned ex-hacker
Kevin Mitnick estimates that 60 to 70 percent of his hacking
was due to social engineering, which involves getting people
to give up sensitive information that can be used in a hack.
You may be familiar with some types of social engineering, such
as when crackers call up a user posing as a system administrator
and spin some yarn about needing to get the user’s password.
But another speaker at the seminar mentioned a technique I hadn’t
heard of, called “I’m Selling My Boat.” The way this works is
the miscreant calls a company’s receptionist and tells him or
her that he’s selling his boat. A company employee had been
out to see it and had made an offer that was too low. The cracker
says he’s reconsidered, but has lost the man’s card. He remembers
that the potential buyer was a system administrator at the company,
and he’s sure he’d recognize the name if the receptionist would
just read off a list of sysadmins.
Because most people want to help, this type of social engineering is
very often successful, and the cracker gets a list of the company’s
system administrators. He can then use that information in a
“Hi, this is Joe Doakes
from the IS Department. We just got in a new corporate screensaver
and since you’re the VP’s secretary you will get it first. It’s
really cool; wait ‘til you see it. All I need is your password
so I can log on to your PC from the computer center and install
“Oh Great! My password
is Rover. I can’t wait to see that new screen saver!”
The secretary’s response reveals another area of vulnerability:
insecure passwords. Chances are, the secretary’s dog is named
Rover. When left to themselves, users will create passwords
that are either single English words or the name of a loved
one. With a little research (perhaps a publication has done
a profile on an executive in your firm, for example, and mentioned
his or her pets), a bad guy can glean personal information to
use in a crack attempt. (For more information on how to create
a secure password, see the white paper, How to
Create a Secure Password You Can Remember.)
Here are some measures your company can take to improve the human
elements in your security effort. First, go to the Human Firewall
Web site and take the Security Management Index
survey. You can also have employees take the Security Awareness
You can also follow Human Firewall’s Eight
Steps to Better Organizational Security:
1. Get top management buy-in and commitment
   - More than 40 percent of CEOs, CFOs,
     company presidents and managing directors involved setting
   - That includes your board – security is
2. Assign and clarify roles and responsibilities
   - Set up an information security task force
   - Include rank and file
3. Create an Action Plan with a budget
   - Asset assessment
   - 40 percent of companies don’t classify the sensitivity of their data
   - Risk assessment
4. Develop and/or update information security policies
   - 50 percent of companies don’t have written security policies
   - 7 percent have no information security policies at all
5. Develop an organization-wide Information Security Awareness
   - Heighten awareness, change attitudes and
6. Measure the progress of your Security Awareness/Education efforts
   - Need to measure it to manage it
7. Adapt and improve according to progress/feedback
   - It’s not just one and done
   - Revise, revise, revise
   - Stay current on latest threats
   - Security is a process, not a destination
8. Develop a Security Incident Response Team (SIRT) and plan
   - It’s too late when the crisis hits
   - A multi-disciplinary, multi-departmental response team provides a structured,
     formal capability to respond to actual or attempted intrusions
It’s like an old mainframer once said to me
(I think he was joking): “The system would run great
if it wasn’t for all these doggone users.” Users don’t like
formalized systems, whether it’s security or supplies requisitioning.
“The general conclusion is that there is no ‘silver bullet’
for security,” writes Dr. Andrew Odlyzko, Director of the Digital
at the University
of Minnesota. “In
a society composed of people who are unsuited to formally secure
systems, the best we can hope to do is to provide ‘speed bumps’
that will reduce the threat of cyberattacks to that we face
from more traditional sources.”
This is not to say we shouldn’t try to improve
the human component of our security systems. On the contrary,
improving employee awareness and encouraging the practice of
good information security hygiene is the easiest and cheapest
way you can improve the security of your organization.
- Shameless Self-Promotion
Dept.: Watch for an article I wrote in a
new magazine from Fawcette, Enterprise Architect, coming
in May. It's entitled Grid Computing Takes Off and it examines
the recent developments in peer-to-peer distributed computing.
I was quoted extensively on future tech in a recent issue
of the Minneapolis
magazine, Upsize, which is aimed at growing businesses.
A couple issues ago I debuted SNS Begware, an opportunity
for you, gentle reader, to express your appreciation by tipping
your server via PayPal. See the sidebar for more info. Total
in the kitty so far: $38.48.
I’ve reworked the TrendSpot
and Opinion sections, adding a Prediction
Tracking page to track the various predictions I’ve made,
and also added a Stuff I Said page with some quotes of things I said a
decade or so ago on the Net.
I repurposed and adapted an article about the wireless service
known as Short Messaging Service (SMS) for the Reside newsletter.
It’s entitled, Wherever they go, there you are and it points out
how marketers can use – carefully – this new way to contact
I’m featured in Manyworlds’ Thought Leader Showcase, which lists a few of the white
papers I’ve done. I’ve also added their fancy icon to the
Finally, the CTOMentor wireless white paper, You Can Take
It with You: Business Applications of Personal Wireless Devices,
is available at ITPapers.
- Cell Phones and Post-War
Iraq: A southern California congressman has called for the adoption
of the CDMA (Code Division Multiple Access, used by Sprint,
Verizon and others) mobile technology in post-war Iraq, to
ensure the rebuilding efforts don't benefit European vendors
at the expense of American industry. Congressman Darrell Issa
wrote a letter to US Defense Secretary Donald Rumsfeld and
the US Agency for International Development, urging them not
to back the building of a cellular phone system in Iraq based
on GSM (Global System for Mobile communications).
It’s no surprise to find out that Issa, who in a fit of jingoistic
fervor terms GSM an “outdated French standard,” represents
the 49th District of California, north of San Diego, which
is home to Qualcomm, the US vendor that owns most of the patents
to CDMA and who is also a contributor to Issa's political
coffers. It’s true that GSM used to be called Groupe System
Mobile, and was originated by the French. Calling it a French
standard so it can be tarred with the same nationalistic brush
as “freedom fries” is disingenuous at best. Parochial pride
aside, it would make more sense for Iraq to adopt the GSM
standard used in countries around it such as Turkey, Israel,
Kuwait and Saudi Arabia.
More sanguine observers may feel that the congressman is just
doing his job, sticking up for his constituents. While this
may be, one hopes he would not stoop to fighting dirty. GSM
equipment is sold and used by many US companies, including
AT&T, Cingular, and the German-owned T-Mobile.
- Wi-Fi in the Sky (With Diamonds): By early next year, more than 100 Boeing jets are scheduled to
be equipped with Wi-Fi wireless LAN connections. Passengers
will be able to connect to the Internet for $25 or so per
flight. I personally won’t pay that much, but I’m sure many
busy executives will.
- The Traveling Wi-Fi:
During two trips to Florida
in March, I had the opportunity to gauge the reach of the
Wi-Fi revolution. Before going down to Vero
Beach, FL, I
tried to scout for wireless hotspots via the Web, but turned
up nothing. That benighted community (spring training headquarters
for the LA Dodgers) barely has broadband. While there, I did
some war driving, but turned up nary a whiff of a private
hotspot. Plus, I found the local BestBuy was charging 10 percent
more for the same gear I bought in Minnesota.
On the way back, I found that, not only don’t Orlando and
O’Hare airports have hotspots (except the unsecured O’Hare
baggage network I reported on in a previous
SNS), Dulles doesn’t even have a place to plug in and dial
up. I had to spend $7 to send a single email on the lone meshugina
Internet phone/terminal I was able to find.
Back home, I accessed public hotspots by parking outside the
Pickled Parrot restaurant and a Dunn Bros. Coffee spot. Certainly
this is not the intent of the providers of these WLANs. They
want me to come in and buy something. But one of the characteristics
of Wi-Fi is it’s very hard to confine within the borders of
Meanwhile, I met one of the organizers of a project to wire
in downtown Minneapolis
with free, public Wi-Fi access. The effort is modeled on a
similar one that unwired
Bryant Park in New York City.
Makes you wonder how T-Mobile and others are going to make
money selling Wi-Fi access.
- Benetton to Tag 15 Million
Items: Benetton, the Italian clothing retailer, has begun tagging
clothes produced under its Sisley brand with wireless labels
that will enable the clothes to be tracked from the time they
are made to the time they are sold. The technology, called
RFID (Radio Frequency ID) has been adopted by Gillette and
other manufacturers, as reported in a previous SNS.
Copyright © 2000-2008, StratVantage Consulting, LLC. All rights
In the unlikely event
that you want more of my opinions, I’ve started a Weblog. It’s the fashionable
thing for pundits to do, and I’m doing it too. A Weblog is a datestamped
collection of somewhat random thoughts and ideas assembled on a Web
page. If you’d like to subject the world to your thoughts, as I do,
you can create your own Weblog. You need to have a Web site that allows
you FTP access, and the free software from www.blogger.com.
This allows you to right click on a Web page and append your pithy thoughts
to your Weblog.
I’ve dubbed my Weblog
entries “Stratlets”, and they are available at www.stratvantage.com/stratlets/.
Let me know what you think.
Also check out the TrendSpot for ranking of
the latest emerging trends.