StratVantage News Summary


The News – 04/21/03

Recommended Reading

I realize this is the only newsletter you’ll ever need, but if you want more in-depth detail, check out:

Stan Hustad’s
The Coaching Connection

Management Signature's
The Express Read

Organizational Security: When People Are Involved

I recently gave a talk with the above title at a day-long seminar sponsored by the Minnesota Information Professional Society. I focused on the human elements of security, stressing that the most buttoned-up, state-of-the-art security system is still vulnerable because people tend to do things such as posting their system passwords on their monitors or opening email attachments from strangers. In fact, attendees at the seminar got a good laugh from one speaker’s assertion that Minnesota is the home of the maker of the world’s largest security information repository – 3M, manufacturer of the Post-it® Note.

Organizational security encompasses the people, policies, and procedures of your enterprise. It’s not enough to have tremendous firewalls, fantastic intrusion detection systems, and a vigilant security staff. The people in your company have to recognize their role in securing the enterprise.

One of the primary ways that bad guys breach company security is through a technique known as social engineering. Renowned ex-hacker Kevin Mitnick estimates that 60 to 70 percent of his hacking was due to social engineering, which involves manipulating people into giving up sensitive information, such as names, passwords, or internal procedures, that can then be used in an attack.

You may be familiar with some types of social engineering, such as when crackers call up a user posing as a system administrator and spin some yarn about needing to get the user’s password. But another speaker at the seminar mentioned a technique I hadn’t heard of, called “I’m Selling My Boat.” It works like this: the miscreant calls a company’s receptionist and says he’s selling his boat. A company employee had been out to see it and had made an offer that was too low. The cracker says he’s reconsidered, but has lost the man’s card. He remembers that the potential buyer was a system administrator at the company, and he’s sure he’d recognize the name if the receptionist would just read off a list of sysadmins.

Since most people want to help, this type of social engineering is very often successful, and the cracker gets a list of the company’s system administrators. (A receptionist who instead offers to take the caller’s number and have someone call back gives nothing away.) The cracker can then use that list in a subsequent call:

“Hi, this is Joe Doakes from the IS Department. We just got in a new corporate screensaver and since you’re the VP’s secretary you will get it first. It’s really cool; wait ‘til you see it. All I need is your password so I can log on to your PC from the computer center and install it.”

“Oh, great! My password is Rover. I can’t wait to see that new screen saver!”

The secretary’s response reveals another area of vulnerability: insecure passwords. Chances are, the secretary’s dog is named Rover. When left to themselves, users will create passwords that are either single English words or the name of a loved one, perhaps with a capital letter or a couple of digits tacked on. With a little research (perhaps a publication has done a profile on an executive in your firm, for example, and mentioned his or her pets), a bad guy can glean personal information to use in a password-guessing attempt. (For more information on how to create a secure password, see the white paper, How to Create a Secure Password You Can Remember.)
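A check for exactly the kind of password the secretary chose, as an added example that is not from the newsletter or from the white paper it mentions. It assumes nothing about the reader’s systems: the word list, the leet-substitution table and the sample profile are constructed stand-ins, and a real deployment would load a full dictionary (such as /usr/share/dict/words) and the user’s own directory entry.

```python
"""Flag passwords built from dictionary words or personal details.

Added example, not code from the newsletter. It screens for the kind of
password "Rover" illustrates: a single English word, or the name of a pet
or relative that an attacker can look up, even after the usual tweaks
users apply (capital first letter, digits or a year tacked on, 0 for o,
3 for e). DICTIONARY and the profile in __main__ are constructed stand-ins.
"""
import re

# Constructed stand-in for a real word list.
DICTIONARY = {"rover", "password", "summer", "welcome", "dragon", "letmein"}

# Common "leet" substitutions users think make a word safe.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 8


def normalize(password: str) -> str:
    """Strip the decorations users add around a base word and undo leet.

    'Rover2003!' -> 'rover', 'R0v3r' -> 'rover', 'p@ssw0rd' -> 'password'
    """
    core = password.lower()
    # Drop leading/trailing digits and punctuation ("Rover1957", "!!summer").
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", core)
    return core.translate(LEET)


def weak_password_reasons(password: str, personal_info: dict) -> list:
    """Return the reasons a password is guessable (empty list: none found).

    personal_info maps a label to a fact an attacker could learn from a
    profile or a phone call, e.g. {"pet": "Rover", "birth_year": "1957"}.
    """
    reasons = []
    lowered = password.lower()
    core = normalize(password)

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if core in DICTIONARY:
        reasons.append(f"dictionary word '{core}'")
    for label, value in personal_info.items():
        needle = value.lower()
        # Short values ("Al", "MN") would match almost anything; skip them.
        if len(needle) >= 3 and (needle in lowered or needle in core):
            reasons.append(f"derived from {label} '{value}'")
    return reasons


if __name__ == "__main__":
    # Constructed profile: the sort of detail a magazine piece on an
    # executive might mention in passing.
    profile = {"pet": "Rover", "birth_year": "1957", "spouse": "Pat"}
    for candidate in ["Rover", "R0v3r1957!", "summer2003",
                      "correct horse battery staple"]:
        problems = weak_password_reasons(candidate, profile)
        verdict = "; ".join(problems) if problems else "no obvious weakness"
        print(f"{candidate!r}: {verdict}")
```

Run this at the moment a password is set, not afterwards: the point is to reject “Rover” and “R0v3r1957!” before they are ever stored, and to tell the user why. Note that a screen like this catches only what is in its lists; it does not replace the length and passphrase advice in the white paper.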

There are some measures your company can take to improve the human elements in your security effort. The cheapest is a rule that nobody from IT will ever ask an employee for a password, repeated until every employee knows it; a real administrator can reset a password or push software without it, so any such request is a red flag to be reported rather than answered. Beyond that, go to the Human Firewall Web site and take the Security Management Index survey. You can also have employees take the Security Awareness assessment.

You can also follow Human Firewall’s Eight Steps to Better Organizational Security:

1. Get top management buy-in and commitment

  • More than 40 percent of CEOs, CFOs, company presidents and managing directors are involved in setting security policy

  • That includes your board – security is mission-critical

2. Assign and clarify roles and responsibilities

  • Set up an information security task force
  • Include rank and file

3. Create an Action Plan with a budget

  • Asset assessment
  • 40 percent of companies don't classify the sensitivity of their data
  • Risk assessment

4. Develop and/or update information security policies

  • 50 percent of companies don’t have written security policies
  • 7 percent have no information security policies at all

5. Develop an organization-wide Information Security Awareness Program (ISAP)

  • Heighten awareness, change attitudes and influence behavior

6. Measure the progress of your Security Awareness/ Education efforts

  • Need to measure it to manage it

7. Adapt and improve according to progress/feedback

  • It’s not just one and done
  • Revise, revise, revise
  • Stay current on latest threats
  • Security is a process, not a destination

8. Develop a Security Incident Response Team (SIRT) and plan

  • It’s too late when the crisis hits
  • A multi-disciplinary, multi-departmental response team provides a structured, formal capability to respond to actual or attempted intrusions

As an old mainframer once said to me (I think he was joking): “The system would run great if it wasn’t for all these doggone users.” Users don’t like formalized systems, whether it’s security or supplies requisitioning. “The general conclusion is that there is no ‘silver bullet’ for security,” writes Dr. Andrew Odlyzko, Director of the Digital Technology Center at the University of Minnesota. “In a society composed of people who are unsuited to formally secure systems, the best we can hope to do is to provide ‘speed bumps’ that will reduce the threat of cyberattacks to that we face from more traditional sources.”

This is not to say we shouldn’t try to improve the human component of our security systems. On the contrary, improving employee awareness and encouraging good information security hygiene is the easiest and cheapest way to improve the security of your organization.

MnIPS Presentation

Briefly Noted

  • Shameless Self-Promotion Dept.: Watch for an article I wrote in a new magazine from Fawcette, Enterprise Architect, coming in May. It's entitled Grid Computing Takes Off and it examines the recent developments in peer-to-peer distributed computing.

    I was quoted extensively on future tech in a recent issue of the Minneapolis magazine, Upsize, which is aimed at growing businesses.

    A couple of issues ago I debuted SNS Begware, an opportunity for you, gentle reader, to express your appreciation by tipping your server via PayPal. See the sidebar for more info. Total in the kitty so far: $38.48.

    I’ve reworked the TrendSpot and Opinion sections, adding a Prediction Tracking page to track the various predictions I’ve made, and also added a Stuff I Said page with some quotes of things I said a decade or so ago on the Net.

    I repurposed and adapted an article about the wireless service known as Short Message Service (SMS) for the Reside newsletter. It’s entitled, Wherever they go, there you are and it points out how marketers can use – carefully – this new way to contact their customers.

    I’m featured in Manyworlds’ Thought Leader Showcase, which lists a few of the white papers I’ve done. I’ve also added their fancy icon to the StratVantage site.

    Finally, the CTOMentor wireless white paper, You Can Take It with You: Business Applications of Personal Wireless Devices, is available at ITPapers.
  • Cell Phones and Post-War Iraq: A southern California congressman has called for the adoption of the CDMA (Code Division Multiple Access, used by Sprint, Verizon and others) mobile technology in post-war Iraq, to ensure the rebuilding efforts don't benefit European vendors at the expense of American industry. Congressman Darrell Issa wrote a letter to US Defense Secretary Donald Rumsfeld and the US Agency for International Development, urging them not to back the building of a cellular phone system in Iraq based on GSM (Global System for Mobile communications).

    It’s no surprise to find out that Issa, who in a fit of jingoistic fervor terms GSM an “outdated French standard,” represents the 49th District of California, north of San Diego, which is home to Qualcomm, the US vendor that owns most of the patents to CDMA and that is also a contributor to Issa's political coffers. It’s true that GSM originally stood for Groupe Spécial Mobile, the name of the European working group that developed it, and that French engineers played a large part in that work. Calling it a French standard so it can be tarred with the same nationalistic brush as “freedom fries” is disingenuous at best. Parochial pride aside, it would make more sense for Iraq to adopt the GSM standard used in countries around it such as Turkey, Israel, Kuwait and Saudi Arabia.

    More charitable observers may feel that the congressman is just doing his job, sticking up for his constituents. That may be, but one hopes he would not stoop to fighting dirty. GSM equipment is sold and used by many carriers operating in the US, including AT&T, Cingular, and the German-owned T-Mobile.
    80211 Planet

  • Wi-Fi in the Sky (With Diamonds): By early next year, more than 100 Boeing jets are scheduled to be equipped with Wi-Fi wireless LAN connections. Passengers will be able to connect to the Internet for $25 or so per flight. I personally won’t pay that much, but I’m sure many busy executives will.
    Business Week

  • The Traveling Wi-Fi: During two trips to Florida in March, I had the opportunity to gauge the reach of the Wi-Fi revolution. Before going down to Vero Beach, FL, I tried to scout for wireless hotspots via the Web, but turned up nothing. That benighted community (spring training headquarters for the LA Dodgers) barely has broadband. While there, I did some war driving, but turned up nary a whiff of a private hotspot. Plus, I found the local BestBuy was charging 10 percent more for the same gear I bought in Minnesota.

    On the way back, I found that, not only don’t Orlando and O’Hare airports have hotspots (except the unsecured O’Hare baggage network I reported on in a previous SNS), Dulles doesn’t even have a place to plug in and dial up. I had to spend $7 to send a single email on the lone meshugina Internet phone/terminal I was able to find.

    Back home, I accessed public hotspots by parking outside the Pickled Parrot restaurant and a Dunn Bros. Coffee spot. Certainly this is not the intent of the providers of these WLANs. They want me to come in and buy something. But one of the characteristics of Wi-Fi is it’s very hard to confine within the borders of an establishment.

    Meanwhile, I met one of the organizers of a project to wire Loring Park in downtown Minneapolis with free, public Wi-Fi access. The effort is modeled on a similar one that unwired Bryant Park in New York City. Makes you wonder how T-Mobile and others are going to make money selling Wi-Fi access.

  • Benetton to Tag 15 Million Items: Benetton, the Italian clothing retailer, has begun tagging clothes produced under its Sisley brand with wireless labels that will enable the clothes to be tracked from the time they are made to the time they are sold. The technology, called RFID (Radio Frequency ID) has been adopted by Gillette and other manufacturers, as reported in a previous SNS.
    RFID Journal


Copyright © 2000-2008, StratVantage Consulting, LLC. All rights reserved.