Monday, September 24, 2007

Top IT Security Threats & 10 Practical Counter-Measures

Here are the top IT security threats that your organization faces:
  • Your people. The "inside job" has always been and remains the biggest security threat you face. While innocent mistakes are more frequent than deliberate malfeasance, the results are often the same.
  • Your equipment.
    • When your equipment fails (when, not if) you may be out of business. It may be for only an hour or a day or a week or forever if you lose all your accounting and customer data.
    • Portable devices are especially prone to failure, and they are easily lost or stolen.
  • Your software. Remember the Y2K bug? You know how Microsoft is constantly releasing security patches and upgrades to its products? If you don't keep up with patches and upgrades, you may be visited with viruses and/or potential attacks from hackers. If you do apply patches and upgrades, one of them may interfere with your normal operations in an unforeseen fashion. (The iPhone's recent patches issued by Apple disabled many 3rd party applications.)
  • Email.
    • Emails are almost never encrypted, and they are being "read" and stored at various points en route. The government, your Internet Service Provider, your email service provider and others are able to monitor your message traffic.
      • Dissidents were jailed after Yahoo! turned over email correspondence to the Chinese government.
    • After your messages reach their intended recipients, there is nothing technologically to prevent any message from being forwarded to other people, friends or foes.
  • Web surfing. Web technologies have advanced in recent years. Many web sites now provide personalized content from many different sources for users (mash-ups). News, entertainment, data analysis, advertising, games, etc. are commonly brought together by web sites today. Black-hat hackers are using these new web technologies in clever ways, exploiting browser capabilities/holes to execute scripts, and infecting user machines with viruses, adware and spyware.
  • Human nature presents a host of security problems.
    • Some people/organizations expect to buy a product that they can install that will solve all their IT security concerns. If/when they don't have the latest and greatest products, they may suffer excessive fear. If/when they do have the latest and greatest products, they probably have a false sense of security.
    • Some people/organizations are happy to hide their heads in the sand when it comes to IT security. Bad things happen to other people, not them. Nothing's going to happen if they don't do their backups one day.
    • Using spam, phishing, and other high- and low-tech schemes, hackers exploit human nature in a variety of ways to get people to reveal valuable information like usernames and passwords, account numbers, customer data, trade secrets, etc.

Here are the 10 practical security measures that I recommend you take to deal with security threats:
  1. Articulate policies and procedures related to the appropriate use of information technology (data, hardware, software, the local network, email and the Internet).
  2. Educate employees regarding IT and their responsibilities. Monitor employee compliance with policies and procedures. Reward compliance and/or punish non-compliance.
  3. Provide continuing education/training to employees to keep pace with changing technology and changing policies and procedures.
  4. Replace older systems (hardware and software) with newer systems. Anything over 5 years old should be replaced because systems that old are likely to fail soon.
  5. Re-engineer business processes to apply new information technologies to enhance security and improve your product/service quality.
  6. Establish the business case for providing portable equipment to an employee. Require strong passwords and disk encryption on portable computers, in case they are lost or stolen.
  7. Develop and implement an automated process for backing up your systems and data.
  8. Apply patches and upgrades as they become available on all non-mission-critical systems. Test patches and upgrades prior to applying them to mission-critical systems.
  9. Develop contingency plans to deal with various possible scenarios (server failure, employee terminated, power blackout, snowstorm, fire, pandemic, etc.). Run tests to validate plans. Update plans as circumstances change.
  10. Every organization beyond a certain size needs to have a Chief Information Officer reporting to the President or other top executive with the mandate to make IT security a top priority for the organization. Otherwise, the President and other top executives may not have the technical knowledge they need to make good IT decisions.

Thursday, September 20, 2007

What?! More...

Lots of hearing aids are "Telecoil (T-coil) equipped." T-coils are designed to pick up electromagnetic signals, as opposed to microphones which register acoustic signals.

Certain telephones, cell phones, and assistive listening systems in public places (theaters, museums, etc.) produce electromagnetic signals. T-coil equipped hearing aids are supposed to "inductively couple" with such electromagnetic devices/systems to provide clear, amplified sound through the hearing aids. If you want to learn more about the technology, click here.

Few in North America know much about T-coils -- Europeans are said to know and use them more. My audiologist knew virtually nothing about the technology, and she has an Au.D.

Few of the hearing-impaired in the USA are using their T-coils. In my own case, I initially tried to use the T-coils in my new hearing aids with several different telephone handsets at home and at work. In each case, when I switched my hearing aids to T-coil from microphone, I couldn't hear the caller.

In retrospect, my hearing aids were not coupling inductively, probably because the electromagnetic signals in the ear cups were too weak. At the time, I didn't know better; I just thought that T-coil technology sucked.

When I questioned my audiologist about my experience, she gave me a small, rare-earth magnet to put in the ear cup which she said would boost the electromagnetic signal. Not! It turns out that what the magnet is supposed to do is switch certain automatic hearing aids from microphone mode to T-coil mode, not boost the telephone's electromagnetic signal.

In spite of the misadventures and misinformation, I struggled on, albeit with lowered expectations. Based on a few glowing testimonials that I came across in the course of my research, I decided to try an inductive loop. Luckily, my new cell phone is a Nokia 6086 (remember the Europeans know about T-coils). Furthermore, Nokia makes an inductive loopset (LPS-4) that fits the cellphone model I have. Online, people are selling the Nokia LPS-4 for anywhere between $35 - $100. I paid $35, which included shipping.

When the unit arrived, there was a fat instruction book, with 3-4 pages of instructions written in just about every language on earth. The device is very simple; almost idiot-proof. Plug it into the cellphone, put the loop around your neck, and it should work. Switch your hearing aids to T-coil (one ear or two), place a call and the sound comes through loud and clear. A voice pick-up and call-answer button are located on the loopset, so your phone can stay in your pocket, except to dial.

My cellphone has a radio on board so I can listen to it during meetings and nobody is the wiser. While I can listen to music on my cell phone, the loopset only plays monaural sound.

In certain places, electromagnetic interference caused by certain electronic devices and/or machinery is a problem. Interference creates a buzzing sound in the ears which ranges from barely audible to somewhat distracting, depending on the call.

I was in love with my new Nokia 6086 cellphone before because of the Hotspot@Home feature. Now with my inductive loop, I am ready to marry it.

Wednesday, September 12, 2007

WiFi Nightmares

If you like a good fright, here are a few of my worst WiFi nightmares for you.
  • Homeowners sometimes feel that they have nothing to steal and nothing to hide on their home computers, and so they install WiFi networks without any security measures. But there is a wealth of information on any computer that bad guys can use to steal someone's identity, and that's only the beginning.

    Homeowners who leave their WiFi networks unprotected may have their data and applications erased. They may have spambots or other malicious hacker applications installed. Their machines may be employed to share illegal music files or distribute kiddie porn. Then, one day, the FBI will come knocking.

  • Students spend a lot of time on the Internet, much of that connected to wireless networks at school, at home or anywhere else they happen to be. Music file sharing, like underage drinking, is illegal, but it happens. When it does, students can compromise the performance and security of the networks they are using and they can get arrested and/or get kicked out of school.

  • Business executives usually need to have file and print sharing enabled on their laptops for when they are in the office. On the road, many of these men and women check their email and surf the web in airport lounges, at Starbucks, in their hotel rooms, or anywhere else they find an open WiFi network.

    Unless a road warrior takes steps to protect him/herself, anyone else on an open WiFi network can scan his/her shared files and folders, looking for credit card numbers, usernames and passwords, trade secrets, and other confidential information. On line and on the road, opportunities for identity theft, insider trading, industrial espionage, blackmail or just plain embarrassment abound.

  • Professional people -- doctors, lawyers, accountants, investment managers, etc. -- have ethical responsibilities to exercise care and judgment in the conduct of their affairs. If they don't, they may face sanctions including disbarment, client outrage, fines, and even jail.

    Down the street from me, near a hospital, there is a "Professional Building" with offices for doctors et al. Standing outside the office building, wardriving, you can pick up several unencrypted, open network signals. Doctors' offices have lots of valuable information that bad guys would love to have for the purposes of committing identity theft, credit card fraud, prescription forgery, et al.

    WiFi security is a dicey proposition. It is not something that many lay-people understand. All they know is that implementing security complicates matters both in terms of initial network setup and ongoing operation. So, many people forgo security entirely, preferring to think that nothing bad is going to happen to them.

  • Troubleshooting WiFi networks is a time-consuming process which does not always yield a positive outcome. A positive outcome is defined as a happy ending that doesn't cost a lot. A happy ending is fast, reliable Internet/network access.

    But, if there are dead spots in your WiFi coverage area or if your Internet access is slow or intermittent, it could cost you a lot in terms of dollars and frustration to identify the cause and resolve the problem.

    Let's say you live in an apartment and one of your neighbors has an old cordless phone that operates in the 2.4 GHz frequency range. Whenever that phone is in use, your WiFi network crashes. Let's assume that you know nothing about the neighbor's phone. You only know that your network keeps crashing.

    So you summon a technician to resolve the problem. The first (and only?) thing a technician can do is undertake a process of elimination to isolate any hardware or software issues that might be causing the problem.

    Imagine that the network crashes while the technician is there because the neighbor makes a phone call. While the network is down, the technician swaps out your access point. Meanwhile your neighbor gets off the phone, so when the new access point is installed, your WiFi is working. The technician declares victory, gives you a bill and leaves. This temporary "solution" has cost you a couple of hundred dollars.

    There are tools (radio frequency spectrum analyzers) that can identify WiFi interference from cordless phones, Bluetooth devices, microwave ovens, radio jammers and other sources of electromagnetic noise. But these tools are expensive, and they work better in the lab, in the hands of radio engineers, than they do in the field, operated by your average computer technician.

WiFi, when it behaves, is a pleasure to be around. But very often, WiFi is like a difficult child who does not always behave. It doesn't care who you are, or how much you've spent on your laptop. "You are not getting an IP address from me today, mister!"

If you have a WiFi nightmare you want to share, please post it here. TIA.

Friday, September 07, 2007

Attention Nats fans...

Thursday's 12:30 PM flight from Portland, Maine to BWI was full. Every seat was taken on this mid-week, mid-day, post-Labor Day flight for one simple reason. Red Sox fans in Maine were making the trip to Baltimore to watch their team play the woeful Orioles Thursday evening.

Baseball was absent from DC for a generation, so we are still gaining a taste for the game and the Nationals. It is amazing to us how it is some days that there are almost as many fans at RFK stadium rooting for the Tigers, Mets, et al. as there are Nats fans. We have also come to expect that good seats will always be available at game time and that nobody has to pay full price for admission.

Meanwhile, the ups and downs of people like Dmitri Young, Ryan Zimmerman, Brian Schneider, Jesus Flores, Nook Logan, Cristian Guzman, and Austin Kearns have been highly entertaining. It has been gratifying to see young pitchers like Matt Chico, Joel Hanrahan, Jason Bergmann, Levale Speigner, Chris Schroder, Mike Bacsik, et al. come up and perform better than anyone expected. It has been inspiring to watch the Nats play tough in almost every game, win or lose. And when they do win, it is heartwarming to see the players celebrate as a team like a bunch of boys having fun.

The crowd at RFK most days is pleasant, relaxed and well-behaved. Women and children probably outnumber the men. It's good, clean family fun. It's not Yankee Stadium or hockey or the NBA.

So kudos to the Lerners, Stan Kasten, Jim Bowden, and Manny Acta. Build it (the team), and they (the fans) will come. Who knows, maybe one day plane-loads of Nats fans will travel far and wide to watch their team play.

Wednesday, September 05, 2007

T-Mobile delivers a surprise.

In a recent post, I pointed out that T-Mobile says on its web site that the Nokia 6086 hotspot@home phone is "Temporarily Out of Stock." At the same time, existing customers can log in and order the phone from T-Mobile as an upgrade.

In my post, I speculated that perhaps T-Mobile had a stash of these phones which they were rationing to their existing customers. But then I asked myself, "What would T-Mobile do?" And I concluded that they probably were going to take my money and tell me to get in line. They'd fill the order at some distant future date.

After placing the order late last week, I got a text message from T-Mobile on my old phone, acknowledging the order/upgrade. A good sign, but no shipping info. Over the weekend, I tried to track a shipment as per T-Mobile's generic instructions (UPS tracking code = phone number), but UPS had no data. Not a good sign.

Then, on Tuesday, following the Labor Day holiday, the UPS truck pulls up and delivers the Nokia 6086 phone to me. Five minutes later, I'm on my new phone, calling T-Mobile to upgrade my service to hotspot@home. Five minutes after that, I'm on my wireless network making and receiving calls. VERY SWEET!

So, for now, I regret the aspersions I cast towards T-Mobile. I am a satisfied customer.