
Guest lecturing at the Norwegian School of Management

I have received an invitation to give a guest lecture on information security at the Norwegian School of Management (BI) again this year. You may recall that I did this last year too (more, and more).

As I did last time, I would love to have your ideas and input on what I should focus on. Last year I made it an interactive workshop around the TJX case. It worked great, and I got great feedback. This year I was thinking along the lines of black PR, and how to deal with it from a company's point of view.

What are your thoughts on that? Is it a viable security issue from a company's point of view? Are there any well-known cases out there?

Seduced by technology...

How can I not be seduced by technology? I am currently sitting on a bus, travelling through Norway. And using the bus's wireless AP, I am able to work as normal! I check my email, I update my blog, and I even made a Skype call.
How can I not love this?
Security? Well, it is a good idea to use a VPN, of course, as the connection is open to anyone...

Are you Owned?

Anton posted about Cyber Security Plans.

I follow you 100%, Anton! There have been a large number of these hijacks lately, and it is obvious that being paranoid is not enough.

It is high time to set up your cyber security plan, and as a bare minimum I suggest it should include:

  • a list of all your profiles online, with your login details.
  • a list of all your IM, e-mail and other communication tools, with login details.
  • a list of other sites and tools that require you to log on.
  • The lists above should also include each site's URL or contact information for changing passwords, or, in the worst case, shutting the account down. Keep the lists themselves somewhere safe (encrypted, or offline on paper), since they are exactly what an attacker wants.
  • a list of friends you trust, who are willing to help you get your online life back. The purpose is to have them help you rebuild your internet presence. Make sure you agree on some way for them to be certain that they are communicating with you, and not with someone else who has taken over your accounts.
  • if you live in a less secure part of the world, being 0wned online may also mean you are a target in the real world. A friend of mine was attacked online, and then the apartment was broken into. Nothing but memory cards, PINs and similar computer storage was stolen. Makes you wonder, right?

The list will grow. Please help me - what should the Cyber Security Plan look like? What would you do if the worst happens?
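One concrete way to do the "make sure they know it is you" part, as an added example that is not part of the original post: you and your trusted friend agree on a passphrase in person, and later prove knowledge of it over an HMAC challenge-response instead of sending the passphrase itself over a channel the attacker may be reading. The passphrase, names and messages below are constructed for illustration.

```python
"""Challenge-response over a pre-shared secret, so a trusted friend can tell
the real you from whoever hijacked your accounts.
Added example; all values are constructed, not taken from the original post."""
import hashlib
import hmac
import secrets
import time

# Agreed face to face, never sent over the accounts that may be hijacked.
# Constructed value; in practice pick something long and random.
SHARED_SECRET = b"rainy-tromso-bus-ride-2008"


def make_challenge(now=None):
    """Friend side: a fresh nonce plus the time it was issued."""
    issued = int(time.time()) if now is None else int(now)
    return f"{issued}:{secrets.token_hex(16)}"


def respond(challenge, secret):
    """Your side: HMAC the challenge; the secret never leaves your device."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()


class Verifier:
    """Friend side: accepts each challenge once and only while it is fresh,
    so an attacker who recorded an old exchange cannot replay it."""

    def __init__(self, secret, max_age_s=300):
        self.secret = secret
        self.max_age_s = max_age_s
        self.used = set()

    def verify(self, challenge, response, now=None):
        try:
            issued = int(challenge.split(":", 1)[0])
        except ValueError:
            return False
        now = int(time.time()) if now is None else int(now)
        if not 0 <= now - issued <= self.max_age_s:
            return False          # stale or from the future
        if challenge in self.used:
            return False          # replay of an already-answered challenge
        expected = respond(challenge, self.secret)
        ok = hmac.compare_digest(expected, response)   # constant-time compare
        if ok:
            self.used.add(challenge)
        return ok


if __name__ == "__main__":
    # Friend sends a challenge, you answer, friend checks.
    friend = Verifier(SHARED_SECRET)
    c = make_challenge()
    r = respond(c, SHARED_SECRET)
    print("genuine:", friend.verify(c, r))
    print("replay :", friend.verify(c, r))
    print("impostor:", friend.verify(c, respond(c, b"guess")))
```

The friend only ever sees the challenge and a hash, so even if the whole conversation is captured nothing about the passphrase leaks; the time limit and the used-challenge set are what stop an attacker from simply re-sending your earlier answer.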

Playing with old computers

Like many IT people who are no longer in their 20s, I played around with hardware and software in my younger years. You know, building computers, soldering bits and pieces, hacking code, trying to get Linux running on an MCA-bus IBM...

And like many of my colleagues and peers, I still get my hands dirty from time to time. I guess it is the masochist in me.

Last night I was playing around with battered, old computers. Except they were not that old. One was only six months old. And it should not be experiencing hiccups, halts and driver problems. Usually.

This particular computer was residing in the reception. Many different users, none with any special computer-related skills, would use it over the week. And it had one major, business-critical application on it: the booking system.

They had been experiencing hiccups for some time now, and although I usually prefer not to get my hands dirty anymore, I decided to step back in time and sniff the dust. I did the good ol' trick of removing everything (including the mainboard) and blowing it all clean. Well, at least I would have, if I had had some pressurized air at hand. After giving the components and the box itself a good clean, the bits and pieces were put back in.

And to no surprise, there were a few things left over. I am a minimalist, and do not believe in using computer cases as storage rooms, so I removed unused cards and other bits that were no longer of any use.

As I suspected, the computer came back to life, and works like a dream. At least for now. Because this very computer was bought by people with no clue when it comes to computers. They had a need, went to the nearest superstore, and just bought a computer. Now, they did decide that this was a business-critical computer, and thus made sure not to buy the cheapest one in the store...

But. They had no clue whatsoever when it came to what makes a good business computer. And as you may have guessed already, they came back with an overpriced piece of hardware, in combination with Microsoft XP Home Edition. I repeat that. Microsoft XP Home Edition. For a business-critical computer.

I have made them all write one hundred times on a board: "I will never, ever again buy MS XP Home Edition."

And why is that? Why should you not use the Home Edition for business? It is all in the name. Home is not Business. Not even if you run a home-based business. The Home Edition is a cheaper, less reliable and less sturdy OS than its brother XP Pro, and it lacks the tools (domain membership, group policy, proper account restrictions) you need to lock down a shared machine. Pro == Professional. Business == Professional.

Let me put this into monetary terms for you.

By choosing a cheaper OS like Home Edition, you may save a few bucks. In Norway, you save say $70. But you buy yourself a large amount of IT-related trouble, and will have to rely on an IT consultant to help sort it all out (face it, if you had had the knowledge required in the first place, you would never have bought Home Edition. Period). And that IT consultant does not come cheaply (if he does, he is not worth the money. Another period.). So the calculation I use in Norway is that you save $70, and that will be spent on the first half-hour of your IT consultant.

By investing in a sturdier OS, you may have to pay more to get going, but you will save money in the long run as you will not be required to dish out cash to IT consultants every week.

Particularly in environments where a number of people are involved, you would do wisely to ensure that you get advice from people who understand the technology and can help you make the right decisions. It may cost a bit more to get going, but doing it right the first time is a huge cost and time saver in the long run.

Let's get back to the computer for a second. This computer was bought in February 2008, so it is what I would call new. But during these months, it has already cost way more to operate and to keep operating than it cost to buy. And I have not even considered the cost of lost business when it was not operating, the stress on the not-so-knowledgeable users, and so on and so forth.

My advice to you if you are considering buying computers for your business is as follows:

  • get someone who KNOWS for real to help you choose the right solution (i.e. do not just pop down to the nearest superstore; pay a bit more and use a specialized IT supplier)
  • Saving up front usually only serves to increase the costs in the long run. See the first bullet...
  • It is not enough to not buy the cheapest thing in the store; you need to understand what you are getting. See bullet 1.
  • Give the users proper training. People who unplug the power to get the computer to shut down are a clear indication of the need for training. See bullet 1.
  • Have a backup solution at hand. That means you need a second computer available so you can use that if the main one decides to die in your hands. See the first bullet. Yes, again.
  • Restrict the computer. That means someone who knows how to deal with computers (see the very first bullet) should enforce system policies (if you do not know what that means, see bullet one. If the people in bullet one have no clue, then you did not read bullet one, and just picked someone you know, or from the top of the Yellow Pages). The policies should enable the users to do what they need, and nothing more.
  • Until you have done all of the above, there is no point worrying about viruses, spam and other security threats, as you already have your hands full. It will not help to buy a firewall, a nice antivirus solution or a security scanner. You need the basics first. See bullet 1.
  • See bullet one.
And of course, please share your own advice. So many clueless entrepreneurs and people in general are messing around out there, so any advice will be valuable!


Laptop security from Lifehacker

This piece of laptop security advice from Lifehacker is a well-written, easy-to-understand (for non-geeks too) list of how to keep your data safe. It also gives you tips on how to track down your computer if the worst should happen.

Microsoft patent of the day

On August 19, 2008, Microsoft was granted a US-Patent:

"a method and system in a document viewer for scrolling a substantially exact increment in a document, such as one page, regardless of whether the zoom is such that some, all or one page is currently being viewed”.

Dave Lewis claims this means that Page Up and Page Down are now patents owned by Microsoft. I think Microsoft has now also patented using the arrow keys to navigate: if you press arrow-up or arrow-down in MS Word, you are taken one line up or down, which is "scrolling a substantially exact increment in a document...".

The same happens when you use the scrollbars (the elevator shafts), moving left/right or up/down. It may also apply to the shortcuts for jumping forward/backward to pages, columns, tables and images.

I agree with Dave that the US Patent system is long overdue for a revision. If it continues like this, anyone with a bit of cash and a way with text can claim patents for anything and everything.

What does this mean for your business? You risk that someone shows up one day and asks you to pay a license fee for using things you take for granted, like your keyboard. But the more likely scenario is that someone takes your technology, the technology you have spent time, money and effort developing, and registers a patent on it. Using that patent, they own the rights to the technology you developed, and they will cash in on it.

How can you avoid this scenario?

Be sure to register your patents as you go. Spend the money, as it is the only way to ensure that no one else does it. To SMEs the cost of patents may seem high, but consider it an investment: if you fail to register, the whole value of your development is gone (since if your technology has any chance of making money, someone will register it as a patent, and you will pay them to use your own technology...).

What are your experiences with patents?

Sources:
ZDNET
Liquidmatrix (Dave Lewis)


Web filtering - who and what to block?

Kyle Northcutt posted this question on LinkedIn:

Who and what should the web filter block?

Obvious malicious, lewd and illegal content aside... should mental diversions be limited or blocked for users? Social networking, YouTube, gaming, news, etc. can be very distracting and hamper production, but when used sparingly can boost morale, enhance creativity and act as an employee perk in the organization.

My question is, which (if any) of these activities should be blocked? Should everyone be affected by this policy, or should engineering and executives be excluded? As a bonus, how does your company handle web filtering?

There are many interesting answers to his question, ranging from "Block them all, and only open those you need" to the answer from Angelos Karageorgiou, who says:

"I do not think that your productivity will increase by throttling the employees' use of the internet! Slackers will find other ways to slack. In my experience, when people spend an inordinate amount of time on diversions, it is because they are either unhappy with their work or have lost focus. Both are afflictions caused by management or the lack thereof."

I like Angelos' answer because it points to where the challenge really is: the humans. With the technology, we can do everything we can imagine. But humans? Now, that is a totally different matter. It takes a very non-technical approach to deal with people.

In all my humbleness (right), I post my own answer below (as it is found on LinkedIn).


My LinkedIn answer:

In my experience, blocking access to internet resources soon turns your employees into a negative, less productive bunch of unhappy sheep (lots of negativity in there, huh?)

Nothing is obvious when it comes to humans, and just blocking whatever one person finds obvious may very well upset someone else. As long as we are using technology to deal with human behaviour, we need to teach the same humans the reasons we choose to use technology instead of just enlightening them.

There are only a few occasions I suggest using these kinds of controls:

* in controlled / secure environments where you must ensure 100% control of what is entering and leaving the area (then I always advise setting up a set of computers with access, as the Internet is now a vital part of our communications)
* in restricted areas like jails and schools where the motivation to follow policies is not that evident. But this is also a very narrow path, as many kids today outsmart the local IT resource.
* in short time frames in departments dealing with sensitive information like annual results. Then we may close down all communication within a particular period, but never forget that there are phones, fax machines and other tech you cannot control (that easily)

I am not a fan of closing down access. I believe that most employees are going to do their job as expected - as long as they get their perceived value in return. And face it - in today's workspace, most people will expect access to the Internet at their discretion.

Now, I am an advocate for an employer-controlled work environment, i.e. the company sets the rules, and when you sign your contract, you agree to follow those very rules. But. As long as we are dealing with humans, we will reach much better results by understanding how psychology and organizations work and function. By using a mixture of positive incentives and negative incentives, and doing this in a clever manner, you will see much better results over time.

Face it, if you force a block, someone will be unhappy. You will start seeing people trying to work around those barriers. Your management will scream and expect totally different rules. Your day will become a nightmare. And what do you achieve? Less motivated, less productive employees.

I suggest the following approach that has worked a dream in the past:

* set up QoS on your network, and on your outbound link. Tune down everything you do not like entering (streams, P2P, Skype etc.). Set it so low that it is still possible to use it, but not practical anymore.
* Inform your employees regularly about how computers are a time thief (I mean, even for me now: I spend time writing this on the Internet instead of doing any productive work...), and give them tips on how to deal with it. Treat them as humans and grown-ups, and it is amazing what you can get them to accept.
* Set up a network monitoring device, analyzing and capturing data traffic. These devices are able to tune in on, and capture only, relevant data, triggered by rules and patterns you can define. Use this to figure out what is really going on, and to find the one or two rogue employees that you know are out there. Now you have evidence you can use to force this person to either follow the rules, or to kick him/her out of the organization.

In the end, you have a very efficient setup that does not interfere with day-to-day business, that does not make you vulnerable to updates and new "things to block", and that as a bonus makes you the hero of everyone in the organization (except the rogue ones, though...)

I have very good experience with this type of setup. Just keep in mind that you are dealing with humans, so treat them like humans to get them to do what you want!

----
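The third point of that answer, finding the one or two rogue users from monitoring data rather than blocking everyone, can be done with nothing fancier than a few lines over the proxy or gateway log. What follows is an added example of that detection logic, not code from the original post or from any product: it parses constructed proxy log lines (time, user, client IP, method, URL, bytes), classifies each request by domain into "streaming", "social", "p2p" or "other", totals non-work bytes per user, and flags only users who are both over an absolute threshold and well above the median of their colleagues. The domains, users and numbers are all made up for the example.

```python
"""Flag the outliers in a proxy log, rather than block a whole category.
Added example; log lines, domains and thresholds are constructed."""
import re
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# Constructed log lines (not real traffic): time user client-ip method url bytes
SAMPLE_LOG = """\
2008-09-10T09:01:12 alice 10.0.0.12 GET http://intranet.example.com/booking 2048
2008-09-10T09:02:40 bob 10.0.0.13 GET http://www.youtube.com/watch?v=dQw4 5242880
2008-09-10T09:03:05 alice 10.0.0.12 GET http://www.facebook.com/home.php 81920
2008-09-10T09:04:51 bob 10.0.0.13 GET http://www.youtube.com/watch?v=x9fz 7340032
2008-09-10T09:05:10 carol 10.0.0.14 GET http://mail.example.com/inbox 4096
2008-09-10T09:06:33 bob 10.0.0.13 GET http://tracker.example-p2p.net/announce 512
2008-09-10T09:07:02 carol 10.0.0.14 GET http://news.bbc.co.uk/ 131072
2008-09-10T09:08:45 bob 10.0.0.13 CONNECT stream.example-video.com:443 15728640
2008-09-10T09:09:10 alice 10.0.0.12 GET http://intranet.example.com/report 4096
this line is garbage and must not crash the parser
"""

# Hypothetical category list; in practice this is the part you tune.
CATEGORIES = {
    "streaming": ("youtube.com", "example-video.com"),
    "social": ("facebook.com",),
    "p2p": ("example-p2p.net",),
}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def categorize(url):
    """Map a URL (or a CONNECT host:port) to a category by domain suffix."""
    if "://" in url:
        host = urlsplit(url).hostname
    else:
        host = url.split(":", 1)[0]          # CONNECT tunnels only show host:port
    host = (host or "").lower()
    for cat, suffixes in CATEGORIES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return cat
    return "other"


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, ip, method, url, nbytes = m.groups()
        yield {"ts": ts, "user": user, "ip": ip, "method": method,
               "url": url, "bytes": int(nbytes), "category": categorize(url)}


def usage_by_user(log_text):
    """user -> category -> bytes transferred."""
    totals = defaultdict(lambda: defaultdict(int))
    for rec in parse(log_text):
        totals[rec["user"]][rec["category"]] += rec["bytes"]
    return totals


def flag_outliers(log_text, abs_threshold=10 * 1024 * 1024, ratio=3.0):
    """Users whose non-work bytes exceed abs_threshold AND ratio x the median
    of everyone else's non-work bytes. Returns [(user, bytes, categories)]."""
    totals = usage_by_user(log_text)
    diversion = {u: sum(b for c, b in cats.items() if c != "other")
                 for u, cats in totals.items()}
    baseline = median(diversion.values()) if diversion else 0
    flagged = []
    for user, nbytes in sorted(diversion.items()):
        if nbytes >= abs_threshold and nbytes > ratio * max(baseline, 1):
            cats = [c for c, b in totals[user].items() if c != "other" and b]
            flagged.append((user, nbytes, cats))
    return flagged


if __name__ == "__main__":
    for user, nbytes, cats in flag_outliers(SAMPLE_LOG):
        print(f"{user}: {nbytes / 1048576:.1f} MiB on {', '.join(cats)}")
```

The two-part rule is the point: the absolute threshold keeps a quiet office from producing "outliers" on a slow day, and the median comparison keeps a busy office from flagging everyone. Note that CONNECT tunnels reveal only the host, so the category comes from the domain, not the page; and whatever you capture here is personal data about named employees, so the retention and access rules for the log need to be agreed before the device goes in.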

What are your thoughts on web filtering?

When failure is unavoidable - learning is required!

If your venture fails, it is vital to look back and evaluate what went wrong. It may be painful, but if you do not try to learn from the mistakes, you are likely either never to try again, or to create another failure.

It is a common mistake to forget to evaluate your mistakes. But Roger Ehrenberg, former CEO of Monitor110, does not forget. In his post, he analyzes the different aspects, from leadership and management to money issues. Who would have thought that too much money could actually cause the failure of a venture?

I found this post very valuable, and recognized failures I have made too.

For any business, failure is an option. It is a possibility. And ultimately, risk management is about reducing that possibility to the barest minimum. But, as any entrepreneur will know, failure is knocking on your door constantly unless you keep focusing. And many entrepreneurs simply do not have enough time to do it all.

How can you avoid failure? What are the steps you can take to ensure success?

What do you think about entrepreneurs?

I have a strong interest in entrepreneurship. As my followers know, I am a long-time member of JCI, and I am a serial entrepreneur myself. I have developed companies in both Norway and France, and I have had my share of successes and failures.

I have decided that this blog, the Roer.com Information Security blog, will change and narrow its focus a bit, and concentrate on information security for entrepreneurs and start-ups. I hope that this small change in focus will not drive away my current readers, while letting my readership continue to grow.

By making this change, I hope to fill what I think is a gap in the security blogging arena: helping start-ups and SMEs achieve adequate security. As far as I can see, most security bloggers out there belong to one or more of these three groups:
  • vendor or service provider, focusing on promoting their own products/services
  • (enterprise) risk management, focusing on what many SMEs will consider theory and not very relevant to their everyday focus
  • IT-security, focusing on technology, hacking, and "geek" stuff

I think they all have an important role to play, and that they are needed. But I do not belong directly in any of the categories, plus I am very interested in entrepreneurship. Thus, I will try to fill this gap :)

But worry not, my readers! I will continue to dish out my opinions on global security, the TSA, other bloggers and whatever else even remotely security related that I feel an urge to comment upon!

On a side note, I have also established a new blog, focusing on another area I love: training!

Do you think this is a good move? Or am I walking into a dead end? Your thoughts are highly valued!

Airport security - when will this end?

Big boobs may keep you on the ground.

The blogger is Kai Roer, a European Information security professional.
