About Me

Scott Arnett is an Information Technology & Security Professional Executive with over 30 years' experience in IT. Scott has worked in various industries such as health care, insurance, manufacturing, broadcast, printing, and consulting, and in enterprises ranging in size from $50M to $20B in revenue. Scott's experience encompasses the following areas of specialization: Leadership, Strategy, Architecture, Business Partnership & Acumen, Process Management, Infrastructure and Security. With his broad understanding of technology and his ability to communicate successfully with both Executives and Technical Specialists, Scott has been consistently recognized as someone who not only can "Connect the Dots", but who can also create a workable solution. Scott is equally comfortable playing technical, project management/leadership and organizational leadership roles through experience gained throughout his career. Scott has previously acted in the role of CIO, CTO, and VP of IT, has successfully built 9 data centers across the country, and is an expert in ITIL, PCI Compliance, SOX, HIPAA, FERPA, FRCP and COBIT.

Tuesday, August 24, 2010

Myths of Data Loss Prevention (DLP)

Data Leak Prevention, Data Loss Prevention - all the same thing, very important these days, yet do we really take it seriously?  Do you really understand what DLP is?  Do you want to block, or do you want to monitor?  Either way, everyone needs a formal incident response process.

Successfully using DLP to find and defend sensitive data depends on a few key items.  First, get a handle on your data storage - get it organized and maintained.  I would recommend some group policy and operational policy on data storage.  I would also highly recommend data classification, data retention, and a robust archive solution.

DLP can help you reduce the number of data loss incidents, audit findings, and potential financial exposure.  But more important, it may be the tool that lets you know you had an incident.  It will help you enforce established policies, and it will show other exposures so you can keep the policies accurate and effective.

DLP is not the cure-all for data loss.  It is a tool to help you manage this huge effort, but it still comes down to monitoring, due diligence, and employee honesty and integrity.  I would also propose that many times data loss is not an intentional act, but an error: employees not knowing where to store their data, putting a sensitive PowerPoint presentation out on FTP so they can get to it from home to work on, and the list goes on.  Keep your employee education programs active, and when you find these procedural errors - force the training issue.

I am amazed at times how little structure there is to data management in many companies today.  Your data is one of your greatest assets, yet we put very little effort into maintaining it.  Now is the time!

DLP takes resources, commitment, financial investment and HR policies.  It is not a plug-and-play tool - don't make that mistake.

Keep positive!

Scott Arnett
scott.arnett@charter.net

Thursday, August 19, 2010

CIOs can quickly become overwhelmed

IT management has its hands full these days.  IT organizations have a lot on their plates, and keeping the data center humming is only part of the equation. Factor in the threats coming at IT from every direction, and you can see why IT pros have ample reason to be paranoid. The invasion of consumer devices into the workplace, the rush toward cloud computing, the constant vigilance to prevent data spills, all while managing a meager budget in an era when your career can be cut short at any time, can cause even the most level-headed IT pro to start looking over his shoulder.  How do you keep sane?

Having your data center go down can impact the business and hurt the entire organization.  The causes range from natural disasters to massive power outages, loss of connectivity, server meltdowns, cyber espionage, insider sabotage, cyber attacks, burglaries, and more.  Having a solid DR plan and incident response team is essential.  How do you do that with budgets being cut at alarming rates?

You have gadget fever impacting the IT organization, you have executives reading trade magazines and all hyped up on cloud computing, and the list is long.  So there are reasons many CIOs and IT executives feel it is all out of control.

I propose to you to keep a level head.  You have to manage up, down, and at peer levels, but don't let it consume your life.  You work to live, you don't live to work.  Delegate consumer electronics issues to your Director of IT Services - get a handle on what is acceptable and what is not, and let the business make the decision based on your assessment, the risks identified, and the security threats.  This needs to include data leak prevention.  Your DR plan should be managed by your governance delegate; have your team keep you in the loop and up to date in your executive team meetings.

I would also leverage your relationships and business partnerships to do a check/evaluation of your environment and processes.  Check and adjust will ensure you are heading in the right direction and that all paddles are in the water.  I would also keep all the technology hype in check - don't get carried away on the technology march - but ensure you are delivering value to the organization. 

Have a regularly scheduled meeting with the business to evaluate how IT is doing, the value it is delivering, and most important - determine the capabilities the business seeks.  Keep engaged and close to the business to make sure IT is bringing value to the organization.

It is easy to get overwhelmed and consumed in all the chaos going on.  Deal with what is important, and some things you just have to let go.

Keep positive!

Scott Arnett
scott.arnett@charter.net

Thursday, August 12, 2010

Home Office Security - Whose Responsibility?

So, you have the ability to work from the home office - sounds like a great opportunity, in many ways.  Having the ability to work remotely for your company doesn't mean that you no longer have security or environment concerns.  Those items are now YOUR responsibility as a teleworker.  Do you know what you are responsible for?

Let me share a few items with you, but I would highly recommend you contact your manager for a teleworker guideline.  Here are Scott's top items:

Security
  • Remote access from a company-owned device must be over a secure VPN.
  • You still need to use password-protected screensavers and practice physical security.
    • If you walk away from your computer, lock it.  That will keep the kids or guests from using it or looking at it.
    • When you are done working for the day, turn the computer off and lock it up.
  • Company data is confidential.  It is not to be shared with family and friends who happen to stop by for a visit.  Don't leave sensitive data sitting on the kitchen table or end table.  Put it away or shred it.  Having a paper shredder in the home office, and using it, is good security for your company data and your personal data.  Every home these days needs a shredder.
  • If you are using your personal computer for work, make sure you have:
    • Current anti-virus protection
    • A personal firewall - software or hardware
    • Your wireless network locked down
    • Backups of your files
    • A folder on your computer to keep all work-related information together
  • I would also recommend you have a computer for work use and a computer for the family.
Environment
  • Make sure your work space is a comfortable space, functional and safe.
  • Have a fire extinguisher in the home.
  • Have a DR plan.  If you are a full-time work-from-home employee and your home is no longer available, what is your DR plan?  Power is out - what do you do?  Network is down?  Work out your plan now, document it and practice it.
  • Security systems - if you have company-sensitive information or data, how are you protecting it?  Are you responsible if it is lost or stolen?  Do you have a system to alarm on fire, break-in, water, smoke?
  • Public exposure - sensitive company information must not be read, discussed, or otherwise exposed in restaurants, on airplanes or trains, or in other public places.  If you frequently need to work from public places, a privacy shield should be used on your laptop screen.
  • Telephone discussions - sensitive information must not be discussed on speaker phones unless all participating parties first acknowledge that no unauthorized persons are in close proximity.
  • I would track your expenses for tax purposes.
I propose to you that your home is your responsibility.  Having the ability to work from the home office is a privilege, and security is your responsibility.  Your employer is depending on you to ensure data protection and safe, secure computing.  You need to be able to demonstrate the steps you take to ensure security and responsibility.  I would also suggest that the security measures you are putting in place for your employer will benefit you as well.  Your own financial documents, personal documents and information need to be protected too, so take it seriously.

I would also take some time to check out the government readiness websites and learn how to build a home DR plan, an incident response plan, and a family emergency plan.  Important stuff.

Security is EVERYONE's responsibility.

Scott Arnett
scott.arnett@charter.net

Wednesday, August 11, 2010

Manager Upgrade?

I got an interesting email from a colleague with some questions seeking some management guidance.  Here are some of the details:

The colleague is a Director in IT and has a manager as a direct report who is not performing as expected or needed.  The manager is not leading his/her team, does not give direction, the team is not performing, and the complaints are coming in.  The CIO is now coming down on the Director to fix the problem, and the Director is unsure how to handle it, as several meetings have taken place with no change.

Not to sound like Dr. Phil, but let me give some suggestions and insight from my real-life experiences.  It sounds like the Director has had a few meetings already with the manager and nothing has changed.  So step one would be to have another meeting with the manager.  Sit down with the manager and give direct instruction, feedback and expectations.  Document the meeting, send a copy to the manager and keep a copy.  Be sure your documentation clearly states expectations, actions, and a timeline.  Much of this is going to have to work in parallel, as the CIO is now watching the Director.

The next step is to start attending the manager's team meetings.  If there are no team meetings happening, get them started.  The manager should run the meeting, set the agenda and communicate to the team on the key issues.  You are there to support and help field questions, but not to take away from the manager's position.  Take notes during the meeting, and then that same day have a follow-up meeting with your manager to provide feedback on the team meeting.  It is important that the manager is communicating to the team about performance and concerns about productivity.  If that is not happening, you need to make sure the manager understands this is essential.  Without having all the background information, perhaps an urgent meeting with the team and manager is in order to start addressing the concerns.  I would also take a few of the team members to lunch and get some direct discussion and feedback going.

Keep in mind that many times we put IT technical folks into management positions they can't handle or don't have the ability to handle.  Find out the details around the person in the position.  If things are not changing, have a second meeting with the manager with an HR representative present and put together either a correction plan or an exit plan.  There are times you may need to make an immediate change.  Letting this go on too long can have an impact on the team, and on other teams within IT.  You need immediate improvement and change, and waiting months for a correction plan may yield nothing.  In the meantime, your team members are frustrated and leaving the company.

The other side of the coin, and I have seen this a couple of times when a team member was promoted to team manager, is that the team is the issue.  Have some one-on-one meetings with team members, with the manager present, and set expectations and action items.  If the team is walking all over the manager, not listening or not working as a team - it is time for some quality time with the Director.  It is the Director's role to bring the hammer and start addressing the behaviors and problems with the team.  Sometimes you have to make some changes to the team to change the chemistry or personalities.

As the Director, you also need to keep the CIO updated on the action items you are taking to correct the problem and turn this around.  If it is not the manager, be sure to communicate this to the CIO, as you don't want your manager to have an unearned label.  Be decisive, direct and take charge - letting this issue dwell too long can have an impact on your long-term position in the company.

I propose to you, as the Director, to address the bad, praise the good, and communicate.  Build a better relationship with your manager if you can, and with the team.  Follow up, even when you think it is resolved and going OK; keep close tabs for a while to make sure it wasn't just swept under the rug, but a true resolution.

Keep positive!

Scott Arnett
scott.arnett@charter.net

Friday, August 6, 2010

Mailbag

The emails are coming in, and I said I would do a mailbag post each month.  Being that it is Friday, what better way to end the week than to answer some of your questions?  It has been a busy week, and I know all of you are keeping busy with work, family and summer fun.

Our first question comes to us from Florida. 
Q.  Scott, we have some really old servers in our data center.  The company thinks as long as they are running, we are saving money by not replacing them.  My concern is not only an eventual hardware failure due to age, but that we are missing other opportunities.  What do you think are the benefits of keeping up on server hardware, and how often should we replace them?

A.  My rule of thumb has been that 4 or 5 years should be the max.  Most warranties are done around 3 years, and beyond that the maintenance costs are going to go up.  Rather than keep older servers beyond their asset life cycle, one company we spoke to opted for a full replacement of its servers to drop energy costs 60%, while increasing overall performance beyond 500%.  Newer hardware now has power-saving technology and faster/better performance, so you may be able to have a smaller footprint to provide resources for those applications.  There are some great studies out there on this topic, and I would put together your case for why this old hardware is costing money, not saving money.

Q. Jackie Fenn’s Hype Cycle for Emerging Technologies is one of Gartner’s most referenced research notes. The Hype Cycle provides a cross-industry perspective on potentially transformative technologies - what do you think about the Hype Cycle and is it of value?

A.  What is all the hype?  OK, seriously - I do find it of value.  Senior executives, CIOs, strategists, business developers and technology planners will want to consider these technologies when developing emerging business and technology portfolios.  But again, it is one person's research and guesswork.  Much of it is just that, hype or a vendor-driven "make a market" approach.  It is of value to see what is going on out there, but you have to keep in mind which of these technologies will bring value to your organization - what will help drive value, capability and game-changing business objectives.  Don't get caught up in the hype, or in keeping up with the Joneses.  Many of these technologies come onto the market one year and leave the next.  Short-lived technologies can hurt your organization or put you in a tough spot.  Do your homework.

Q.  If you had to do it over again, would you go into IT?  Knowing what you know now, would that change your career?  How will your career change going forward?

A.  Great question, one that makes me stop and think.  The rear-view mirror is a great thing, isn't it?  You can see what just happened, but you can't do anything about it, except use it as a reference for what you see coming at you.  If I had to do it over again, I would probably go into IT; I love the technology and the challenges, and I love figuring out the tough crisis.  I would probably do some of it differently, but all in all IT has been good to me.  The politics are what will kill you.  I still encourage high school kids to take a serious look at IT and technology as a career choice.  What will my career look like going forward - that is a good question.  My dream job would be a technology-focused attorney.  That means someday I have to get back to school and get a law degree.  Taking all I know in technology, business, and data and applying that to legal challenges seems like a great career version 2.0.

Q. Do you think there will be another revolution in our country in the future?  Are we heading to another civil war?

A.  I am keeping this blog focused on Information Technology, and try to stay out of politics, religion and kitchen wars.  I do find this question interesting, and I know a great many folks are talking about this these days.  We went to a family reunion some weeks back and this topic came up as well.  I do think our country is heading in a bad direction: enormous debt, too much foreign influence.  Our relationship with China should bother everyone; this is a relationship that will come back to hurt us.  They own too much of our debt, they have a huge military build-up, and have a retail store in every US town - Walmart.  I think civil unrest is happening today and will possibly increase in the year to come.  I think we have to deal with the immigration issues, lock down the borders, and get a handle on these terror groups.  Will the South rise again - maybe, but will it be against the North or another group?  I think the current administration has done more harm than good, and Washington has become so corrupt that the wheels have come off the little red wagon.  It is a dark-cloud future for us, and I fear for the world our kids will have in 20 years.  We need to make changes now, before it is too late.

Have a great weekend - keep the emails coming.

Scott Arnett
scott.arnett@charter.net

Tuesday, August 3, 2010

Computer Hackers - Targeting Power Plants?

You have heard me say before: if you want a secure network, unplug it.  Right?  Do we really need our critical infrastructure on the public internet?  Can they not have a private network?  Sure they can.  Many organizations are not taking Information Technology (IT) security seriously.

Computer hackers have begun targeting power plants and other critical operations around the world in bold new efforts to seize control of them, setting off a scramble to shore up aging, vulnerable systems.  You know, those items that come up every year during the budget process, that we put off another year...

Cyber criminals have long tried, at times successfully, to break into vital networks and power systems. But last month, experts for the first time discovered malicious computer code - called a worm - specifically created to take over systems that control the inner workings of industrial plants.

In response to the growing threat, the Department of Homeland Security has begun building specialized teams that can respond quickly to cyber emergencies at industrial facilities across the country.  In addition, we need to start holding corporate internet users accountable.  If you plug in, you must be secure.  If you can't pass the Homeland Cyber Security Audit, you are unplugged.  Simple, isn't it?

As much as 85 percent of the nation's critical infrastructure is owned and operated by private companies, ranging from nuclear and electric power plants to transportation and manufacturing systems. Many of the new attacks have occurred overseas, but the latest episode magnified worries about the security of plants in the U.S.

"This type of malicious code and others we've seen recently are actually attacking the physical components, the devices that open doors, close doors, build cars and open gates," said Sean McGurk, director of control systems security for Homeland Security. "They're not just going after the ones and zeros (of a computer code), they're going after the devices that actually produce or conduct physical processes."  I think that is a crucial point, don't you?

Officials have yet to point to any operating system that has been compromised by the latest computer worm. But cyber experts are concerned that attacks on industrial systems are evolving.

In the past, it was not unusual to see hackers infiltrate corporate networks, breaking in through gaps and stealing or manipulating data. The intrusions, at times, could trigger plant shutdowns. The threat began to escalate last year, with cyber criminals exploiting weaknesses in systems that control what the industries do.  What about health care?  Is patient data secure?  Key life support systems that sit on the network and report to the nurse station - are they secure?

The latest computer worm, dubbed Stuxnet, was an even more alarming progression. Now hackers are creating code to actually take over the critical systems.

In many cases, operating systems at power plants and other critical infrastructure are decades old. Sometimes they are not completely separated from other computer networks used by companies to run administrative systems or even access the Internet.  Who is being held accountable?  What about annual audits?  Vulnerability scans?  Seems to me there should be some wake-up calls here.

Those links between the administrative networks and the control systems provide gateways for hackers to insert malicious code, viruses or worms into the programs that operate the plants.  There needs to be appropriate network design, check points, monitoring and prevention.

I propose to you that the wake-up call will not happen until we see a major power grid failure due to a computer hack from a foreign interest.  Computer security has not been taken seriously; it is always a budget line item that is cut, and there is no one being held accountable.  If a corporate or enterprise network is compromised, there needs to be an investigation and a determination of what happened, and why.  Too many times we sweep these under the rug and hope it will go away to save face, and hackers are benefiting.  If your company has a network that plugs into the internet backbone, you had better have security, monitoring and a response team.  If you cannot pass a security check, including a random check, you get unplugged.  You are compromising all organizations.

Security is everyone's responsibility!

Scott Arnett
scott.arnett@charter.net

Monday, August 2, 2010

Windows? Linux? Need to switch?

Talk about a hot button - Linux or Windows.  You also have to ask yourself, are we talking desktop or server?  There are some great appliances out there using a custom-hardened Linux kernel, and they work great.  I know there is a great debate taking place about which operating system is better. Jack Wallen, host of the Linux and Open Source blog, started a lengthy discussion asking the question: Why would you choose Windows over Linux? I thought that was kind of funny, because recently I have been asking myself the opposite question: Who would choose to switch to Linux?  You have Windows at home, the kids use it at school, and I have a great, productive office suite called MS Office 2010.

I could go through a litany of complaints I have about Linux. I could complain about the confusing number of distributions. I could complain about the propensity of Linux proponents to cause unnecessary confusion by abbreviating or using acronyms for Linux-only functions. I could complain about the silly confusing names they give applications.  I could go on about the support structure, and the endless "experts" out there.

I could complain about cryptic command lines, nonexistent instructions, obscure references, and septic responses from the "open source community" to novices and their questions. I could reiterate that a multi-step process that takes an hour to work through to get Linux to put music on to my iPod is not EASY. I could point out that I receive security patch notices almost weekly for SUSE Linux, which indicates that as an operating system Linux is not any more safe than Windows.  We all love to bash Microsoft for the weekly updates or patches - is it really different in the Linux world?

But all of that is not addressing the correct issue, is it?

Digging deeper - The debate about operating systems is a senseless debate about something that, in the long run, makes no difference. An operating system exists only to create an environment for applications; nothing more, nothing less. Most people sit down at a computer and just start using it without worrying about what operating system it is running.  I want to make sure my applications work, that the computer works, and is painless.  Right?

I have no knowledge of the operating system that runs my microwave oven. I don’t have to install the popcorn application — it is already there, and it works just fine. I don’t care who made it, I don’t care if it is open source, and I don’t spend time on PopcornRepublic discussing the merits of one popcorn application over another. It doesn’t matter — what matters is that I get a good bag of popcorn.

What matters in a personal computer is that I can run the applications that I want to run without having to worry about whether I have the correct operating system. You can argue that we are not quite there yet, but I think outside of the information technology industry, at the user and consumer level, they are there already. Consumers buy a personal computer for the applications; they know what they want a computer for. Much of the time, the operating system is Windows, but do you really think they care?

Why Windows? Jack wanted to know why Windows and not Linux. At the base level the answer is simple: Because that is what came with my PC when I bought it and there is ABSOLUTELY NO COMPELLING REASON to go through the trouble of switching operating systems just so I can run applications that are similar (or even identical) to the applications I already have.  Plus, I can point and click and get to what I need.

The whole mythology that Linux is perfectly safe and never crashes is just wishful thinking. I have seen Linux crash — I've watched John Sheesley crash Linux over and over again. Viruses and worms exist that take advantage of Linux bugs and security lapses just like Windows. Those kinds of problems are not exclusive to any one operating system.  So did we really benefit from switching to Linux?  You will always have the IT guru wanting something cool, better, new - but for the average user, is it worth it?  Probably not.

The real security weakness lies with users and their willingness to click on a link, any link, just to see where it leads. The nefarious among us take advantage of this aspect of human behavior — that has nothing to do with the operating system.  Those emails, those text messages - even the phone scams - we have to be on guard at all times. 

Need to switch?  So why Windows — why not? That is what the user knows and, so far, no one has offered any compelling reason for them to change their operating system. For the part of the population not engaged in the raging operating system debate, the question is meaningless — they just want to run applications.

I propose to you that Windows is still a solid operating system: it meets the needs, has great applications that perform well on it, and is getting better every year.

Keep positive!

Scott Arnett
scott.arnett@charter.net