Sunday, January 6, 2008

Do you practice safe Internet computing?

Willie (IBM Senior Certified Consulting IT Software Specialist)

Let's start out the new year with some advice that shouldn't be necessary for most of my readers. However, as you read today's post, you may discover that even the best amongst us mess up sometimes and may not be as security conscious as we should be.

What inspired me to document my issues with using the Internet this fine 24 degree (Fahrenheit) morning? Well, a few weeks ago I was reading Jim Rapoza's blog "Comment Here". He did a little thing based on a few of his previous blog entries called "12 Ways to Be a Security Idiot: The Calendar!". Mr. Rapoza states in this blog entry: "And that's people who don't put any thought into how they use their computers and the Internet, and who through their actions expose themselves and others to potentially dangerous security threats." A few months ago my reaction to this statement would have been "Thank goodness I'm not one of them". It turns out, though, that I am. And because I am, I believe my family is also. I'm going to explain in just a second. To quote Mr. Rapoza's blog entry again: "In some ways, security idiots are the gift that keeps on giving."

To get things started, you first need to go out and download Mr. Rapoza's calendar so you can pair up which months match my "events".

What does the Favero family do to contribute to Mr. Rapoza's blog entry?

Enter the Christmas holiday season. Flying around the Internet are all sorts of e-mail greeting cards wishing well and merriment. Unfortunately, hidden in a few of those holiday greetings is something sinister and very Scrooge-like: a virus. Open the card and instead of a friendly Christmas greeting, you get to spend the next few hours cleaning your machine. I know because it happened to me. I get a lot of those e-mail greeting cards. It seems that most of my friends are remote, or think they are remote, and use e-mail for everything. An eCard arrived from a very reputable electronic greeting card site from an e-mail address that at first looked familiar. Being in the holiday spirit, I opened it. Not a good idea, because it was infected. All the warning signs were there; I just chose on this occasion to ignore them. In retrospect, the e-mail was not addressed to me; it was generic. That was the first give-away that it was phony. On further examination, the FROM e-mail address was also bogus. It was tagged with "Dorothy". I have a good friend named Dorothy who loves to send eCards, so I made a bad assumption. Fortunately, I know how to clean up after being stupid.

Let's leave my office and venture into other rooms in my house.

My youngest daughter uses an Apple MacBook Pro. I mention youngest because the oldest uses an IBM ThinkPad. One of the interesting things about Mac users is that they think they are impervious to viruses. People just don't hack Macs. Well, that used to be true. Although she runs Apple's virus protection software and Norton (yes, we installed both on her Mac), she was still nailed with "something". Unfortunately, in her case, her hard drive took the brunt of the pain and she ended up reformatting to fix whatever happened. Details are sketchy at best; after all, she is a teenager and she's not trained to document her problems and resolutions. We can only hope it doesn't happen again.

If you are into Mac, you need to read the article "End of innocence for Mac fans".

Moving upstairs to my desktop. This thing also has firewalls and virus protection. The virus protection is set for automatic updates to ensure it is always up to date. However, this machine doesn't get used that often, so it is possible to get on it, start to do something, have a virus update start, and manage to get into trouble before the update completes. Because it is automatic, it is kind of out of sight, out of mind. We lost a machine this way a few years ago.

Work is notorious for this kind of stuff. At least once a month I will get an e-mail at my IBM address (Lotus Notes) from someone internally that has a virus attached. My virus software catches it, so I'm safe. But it does make you wonder how someone at IBM could (would) forward a virus-infected e-mail. What really breaks me up is when they send out a note apologizing for sending out the virus and the apology note has the same virus attached to it also.

I have seen stuff like this actually shut down an entire e-mail system for days in an effort to clean it up completely.

Phishing is another story. My favorite e-mail pastime, when I have the time, is forwarding weird-looking e-mails to the organization they are attempting to impersonate. In my address book I have the spam/phishing e-mail addresses for most banks, eBay, Amazon, PayPal, and dozens of other online companies. When I get something that looks suspicious, I expand all headers and forward it to the appropriate corporate spam/phishing e-mail address, copying a federal spam-reporting e-mail address (I have two: reportphishing@antiphishing.org and spam@uce.gov). What you NEVER EVER want to do is reply or click on the REMOVE link. That's just a surefire way of validating your e-mail address for them, making your e-mail address even more valuable on the spammer market. (BTW, I still find it hard to believe that people fall for the e-mail where someone in another country wants to share their $500 million with you just for a small investment on your part.)
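The two warning signs from the eCard story above (the mail was not addressed to me personally, and a familiar display name sat on a bogus FROM address) and the "expand all headers and forward" reporting routine can both be automated. The following is an added example, not code from the original post. It uses only Python's standard `email` package; the sample message, the recipient address `willie@example.invalid`, and the `known_senders` mapping are constructed for illustration. The reporting addresses are the two named in the post. Forwarding the original as a `message/rfc822` attachment (rather than pasting it inline) is one way to keep every header intact for the abuse desk.

```python
"""Flag the phishing warning signs described in the post and package a report."""
from email import message_from_string, policy
from email.message import EmailMessage

# The two reporting addresses named in the post.
REPORT_ADDRESSES = ["reportphishing@antiphishing.org", "spam@uce.gov"]

# Constructed sample eCard: generic To:, trusted display name on an unrelated address.
SAMPLE_ECARD = """\
From: Dorothy <promo-4412@cards-example.invalid>
To: undisclosed-recipients:;
Subject: You have received a holiday eCard!
Date: Sat, 22 Dec 2007 08:15:00 -0500
Content-Type: text/plain

A friend has sent you a greeting card. Open the attachment to view it.
"""


def warning_signs(raw: str, my_address: str, known_senders: dict) -> list:
    """Return the warning signs found in a raw RFC 822 message.

    known_senders maps a display name you trust (e.g. "Dorothy") to the
    address that person actually sends from (assumed lookup table).
    """
    msg = message_from_string(raw, policy=policy.default)
    signs = []

    # Sign 1 from the post: the mail is not addressed to me personally.
    to_header = msg["To"]
    recipients = [a.addr_spec.lower() for a in to_header.addresses] if to_header else []
    if my_address.lower() not in recipients:
        signs.append("not addressed to me")

    # Sign 2 from the post: a display name I know on an address that person never uses.
    from_header = msg["From"]
    if from_header and from_header.addresses:
        sender = from_header.addresses[0]
        expected = known_senders.get(sender.display_name)
        if expected and sender.addr_spec.lower() != expected.lower():
            signs.append(
                f"display name {sender.display_name!r} but address {sender.addr_spec!r}"
            )
    return signs


def build_report(raw: str, reporter: str, abuse_address: str) -> EmailMessage:
    """Wrap the suspicious message, all headers intact, as a message/rfc822
    attachment addressed to the impersonated organisation's abuse mailbox,
    copying the reporting addresses from the post."""
    original = message_from_string(raw, policy=policy.default)
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = abuse_address
    report["Cc"] = ", ".join(REPORT_ADDRESSES)
    report["Subject"] = "Suspected phishing: " + str(original.get("Subject", "(no subject)"))
    report.set_content("Attached as received, with all headers. Please investigate.")
    report.add_attachment(original)  # attached as message/rfc822, nothing stripped
    return report


if __name__ == "__main__":
    me = "willie@example.invalid"                        # constructed recipient
    trusted = {"Dorothy": "dorothy@example.invalid"}     # constructed lookup table
    for sign in warning_signs(SAMPLE_ECARD, me, trusted):
        print("warning:", sign)
    print(build_report(SAMPLE_ECARD, me, "abuse@cards-example.invalid").as_string())
```

A message that passes both checks is not necessarily safe; the checks only encode the two clues the post describes, so treat an empty result as "no obvious red flag", not as a clean bill of health.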

A word about spam also. I have some pretty sophisticated spam software that detects and eliminates spam. It works so well that I discovered it was also getting rid of real mail for me. For example, about twice a year it flags my mail from DB2-L as spam. I do get a lot of it on occasion and it does seem to fit its criteria for spam. So now, I still use the software, I just don't turn on the automatic portion. I examine what it flags as spam and I decide if it should be deleted or not. That works out to be so much safer for me. LOL

Even just plain safe computing in general is a big issue in my opinion. Look at me. I'm supposed to be very knowledgeable about things like backup and recovery. However, you may remember a few months back I had an issue with my notebook that could have been easily circumvented IF I had a backup of my hard drive. I didn't, and had to play all kinds of games to solve my problem. Should I have known better? Absolutely. Have I since remedied the basis for my problem? Again, absolutely. But it should never have happened in the first place. I was complacent and sure it could (would) never happen to me. It did, I paid the price, and now I back up my entire machine at least once a week, sometimes even more often.

And just to tie this all back to the title of my blog, the stuff discussed here just doesn't happen on the mainframe. We fixed most of these issues 30 years ago to create maybe the most secure processing platform available. Have there been data issues recently? Yes, but they occur AFTER the data has been removed from the mainframe and moved to some other platform or media.

Better Web Page Design

Craig Borysowich (Chief Technology Tactician)


Use this technique to design and build better Web pages.

Method

Design the Page Layout

Create Style Sheets

Create the Web Page

Guidelines

Writing Content for the Web

Using Typography in Web Page Design

Incorporating Graphics in Web Page Design

Designing the Home Page

Incorporating Advertising

Friday, December 21, 2007

Email solution for SMEs

Industry giants help SMBs

KUALA LUMPUR: Telecommunications giant Maxis Communications Bhd has introduced two new solutions that target small- and medium-sized businesses (SMBs).

In partnership with Microsoft Malaysia, it kicked off a campaign to take technology to SMBs through its Maxis Push Mail and Maxis Mail services.

Tom Schnitker, Maxis chief marketing officer, said the new services are affordable solutions for SMBs that do not have the type of IT funds that their larger counterparts enjoy.

He said that only 5% of SMBs in the country have fully automated their IT and communications operations.

"The smaller enterprises cannot afford the IT service fees, so our solutions are made to encourage them to embrace IT," he said. Maxis Mail allows SMBs to personalise their e-mail addresses so that they can set themselves apart from other companies.

"Instead of having an e-mail address from a free web-based e-mail service, SMBs can now have their own domain in their addresses, for example, yourname@yourcompany.com.my," Schnitker said.

Maxis will operate the servers, thus relieving SMBs of maintenance costs. Instead, SMBs just need to pay a monthly access fee of RM38 for the service for every e-mail address they apply for.

"SMBs (usually) don't give every employee an e-mail address but we expect this to scale," said Jeff Chong, head of small- and medium-sized businesses at Maxis.

He said there are no limits to the number of e-mail addresses a company can have because the servers can always be scaled up to meet the demand.

Maxis Push Mail is a value-added option for Maxis Mail subscribers. This service allows users to access their e-mail from anywhere.

Joint efforts
Yasmin Mahmood, Microsoft Malaysia managing director, said the partnership with Maxis will help SMBs settle comfortably into the latest technologies.

"I see this partnership as part of an effort to 'Malaysianise' Microsoft by engaging the local SMBs with the new working world," she said.

She said SMBs in developed countries have their employees communicating via e-mail from anywhere in the world on mobile devices, but this is a rare occurrence in this country.

Maxis and Microsoft, she said, are working to change this scenario.

The release of the new services is just the beginning of the Maxis and Microsoft partnership, according to Yasmin.

Both companies are also working together on a unified communications service that will be launched by March next year.

The service delivers multiple forms of communication, including e-mail, instant messaging and Internet access, through a single device.

Maxis and Microsoft will also be expanding their suite of services to help more businesses take advantage of new technologies.

Wednesday, December 19, 2007

Web marketing pitfalls

Andrew Clifford (Director, Minimal IT) Posted 12/3/2007

Reading the websites of similar businesses can be a great way of recognising the weaknesses in your own.

Metrici are marketing a new method for ongoing IT management and assurance. We are currently building up a network of businesses who use our products and services, and businesses who provide IT review services into us.

To do this, we scour the web for potential partners. We read their websites, understand their business, and introduce ourselves by email. 30-40% of the people we contact want to meet us, which is very respectable for cold-call emails.

Our marketing approach depends on getting to know businesses from their websites. Over the past few weeks I have read hundreds of websites. If you provide IT strategy, IT review or IT audit services, the chances are I've read your website. This is what I found.
  • Many websites emphasise style at the expense of basic usability. Flash animations taking up half the page. Impossible to use drop-down menus. Pictures of beautiful people staring at laptops and pointing. The worst was a live chat pop-up that obscured the site and which would not go away, making the website completely unreadable.
  • Many websites forget the basics. Tell me what country you are in. I got excited about some businesses, but then found they were in Zambia or New Zealand. If you use a .com domain name and are not global, say where you operate.
  • Many small businesses dilute their offer with minor services. "We are experts in IT security. And we also do web design and VB programming." Which do you really do? It sounds like you are an IT security specialist who can't get enough work.
  • Some large businesses confuse their readers with dozens of complicated-sounding services like "Strategic architecture alignment maturity process review". I have no idea what that means. Just tell me that you do project management and architecture consultancy.
  • Everybody hides behind info@ and sales@ email addresses and behind contact forms. A personal email address is so much friendlier and shows that you really do want people to contact you. Give a picture of yourself. I don't care that you look awkward in front of the camera. (If I wanted pictures of beautiful people, would I start by searching for "IT auditor"?)
  • Specialists with unique offers do not provide enough context. For example, you might have special expertise in holistic security awareness, but nobody understands what that means. You have to start by saying that you provide "IT end user security training", and then explain your unique angle.
The worst thing about this is that it has made me see many shortfalls in Metrici's website. We are as bad as everyone else. We don't explain our products and services clearly enough. We hide behind general email addresses. We don't clearly relate our unique offer to things that people already understand.

We all know how important it is to present ourselves clearly. Reading hundreds of websites has made me realise how difficult this is in practice, and helped me recognise weaknesses in my own websites. So before I criticise any more, I think I should go and put my own house in order.

© Copyright 2007 Minimal IT Ltd. See the Minimal IT website for the original newsletter and copyright information.

Top ten Information Security issues to tackle now

Dan Morrill (Security Project Manager) Posted 11/26/2007

Top 10 lists generally help summarize things that people should be doing, or put into context issues and ideas, in a nicely bulletized set of things that a company can do to beef up its information security program or projects.

Unfortunately, the ways companies are managed keep changing: software, hardware, Web 2.0, wikis, blogs, and other technologies that businesses adopt as the user landscape shifts. Balancing the legitimate needs of regulations such as SOX and HIPAA against business requirements means that the information security department needs to be flexible in addressing legitimate business and legal needs.

Get an Evangelist - find a diplomat who will liaise between Business, Legal and IT. The only job this person should do is bridging the gaps between the three groups in understanding, ability, concepts, and language. This is the most important person that can be hired today to help the company work with the ramifications of business decisions, legal requirements, and IT's ability to execute.

Train IT - one of the top 7 reasons that an IT project fails is that the IT department is not trained to deal with the new technology. If you can't train, hire for the particular skills new projects need. If the company is developing an internal wiki, hire a wiki guru. If your employees blog, hire a person to oversee the effort and help new internal bloggers. Have someone who understands the setup, running, and maintenance of the blogging or wiki systems.

Decide on a minimum set of qualifications for a position - consistency in job descriptions is important. If social skills are mandatory for a position, make sure that those expectations are well described in the job description. If they are nice to have, that is one thing, but if they are mandatory, then the behavioral expectations should be discussed at interview, with a clean, approved way of determining the right personality type for the job.

Take a risk - all IT is risky to some degree. Determine what is and what is not acceptable risk when it comes to an IT project, develop a risk matrix, and use it.

Determine what skills are needed 2 years and 5 years down the road - while it is generally hard to predict where the company is going, there should be a group of IT folks who track and trend new technology and new business ideas. Develop a group that will help set out a minimum skill set for people who will be coming into the company years down the road. Have them work with Training, the Executive Staff, and Business staff to work out a suitable long-range plan and have it approved by the senior executives. Using Gartner's Magic Quadrant can help work out where technology is going and what skills will be needed. Then train or hire accordingly.

Start Google hacking your company - do this on the same schedule you would for any other form of audit. Add to that blogs, wikis, and other sources of data that go beyond the traditional Google hack. Odds are you will initially be very surprised at what you find out about your company.

Develop a defense in depth program for the company - insiders, outsiders, and general policy avoidance have led to some of the biggest hacks of 2007. Start a plan, make it happen, fund it within reason; use the risk management table to help determine what the greatest threats to the company are. Listen to your IT department; they know where the bodies are buried. If they have nothing to add, or your security department has no idea where to start, it is time to reevaluate the security department and its effectiveness.

Reevaluate everything - risks, trends, and times change. How old is the backup plan? The risk management plan? Do they reflect where the company is and where it is going, or do the plans exist as a snapshot of the company two years ago?

Learn Web 2.0 and Web 3.0 - the massive changes brought about by social bookmarking, social networks, blogs, wikis, and other data points have altered the nature of information security. They have fundamentally altered how people and companies need to address security issues. While the attack vectors might be the same, the data in them, the way that people are socially engineered, and how they talk about where they work have changed. This change is permanent; there is no way to go back, so start planning data security around these kinds of technologies now.

Teach your users - the internet is not a fun, happy, safe place in which to work, play and shop. It is a cesspool, but one in which we need to do our jobs now. Teach users to be defensive, just like you teach defensive driving, self-protection, and due care. Users are still the weakest link in any security program; it is time to take them in hand and work out easily digestible brown-bag lunches to talk about all the things that are happening now.

If a company can do all these things, and work out the processes so that it can be proactive, it might actually stand a chance of staying on top of things. Some of these positions need to be hired for, and they need diplomats, technicians and evangelists to make some of these changes happen. Others in this list just require that companies stay on top of the shifting changes in technology, policy and people issues. All of this needs to be managed against acceptable risk as the company sees it. Starting fresh in 2008 might make 2008 a safer year for everyone.

Personality is more important

Dan Morrill (Security Project Manager) Posted 11/19/2007

"Skills can be taught, personality is forever"

Employers are putting an increasing focus on employee personality to ensure that new hires can work within the team framework and have a better understanding of the job requirements. An excellent write-up in the SeattlePI goes into detail on the subject, and it is something that I have noticed more and more clients doing. They want people who can hit the ground running, work within the confines of the job, and get along with people.

The standard IT problem of knowledge hoarding and non-sociability is quickly becoming a liability even if you are absolutely brilliant. Something that I am fond of telling all the people I interview is to tell me what this statement means:

"It does not matter how brilliant you are, if you cannot communicate effectively no one will know how smart you really are".

"We'd rather miss a good one than hire a bad one," said Rackspace Chief Executive Lanham Napier. The 1,900-person computer server hosting company is divided into 18- to 20-person teams. One team is so close, the whole group shows up to help when one member moves into a new home, Napier said. Job interviews at the San Antonio-based company last all day, as interviewers try to rub away fake pleasantness. Source: SeattlePI

Team interviews that last all day are not just a Microsoft institution anymore; these kinds of interviews actually work because people on both sides of the interview table learn a lot about the job and its requirements, and the team can see if there is going to be a good fit.

The flip side to that is the idea of "like hires like": if you are a non-sociable person and the department is made up of people with a non-social way of doing business, then odds are good that you will be hired.

The key to finding a job is to make sure that your personality, goals, wants and needs match the needs of the group hiring you. While some companies focus on the team as a source of innovation and as the work environment, others do not have the same focus. They are looking for people who can fit into whatever environment the company has developed for itself. Personality is important, and fit is very important; finding the right kind of fit goes a long way toward job stability.

When interviewing for a job, it is important to find a place that you are comfortable in, and employers have the same right. They need to know that however your personality has formed, it fits in well with the rest of the people on the team. Time spent reducing the friction of a group is time lost when good things could be done. The whole point: make sure that you and the company you are hiring with have the same outlook, good or bad, to ensure that you will fit into the group, regardless of personality type.

But with businesses' ever-increasing focus on being likable, approachable, and smart, computer geeks of all stripes are going to have a harder time finding a job in a company that emphasizes the "likable and approachable" part of the job interview.

ERP for all?

alokechakravartty writes:
12/6/2007 #
I consider this comment made without much thought. The need for ERP was there even when we used to implement manual systems. The computer software is just a tool. The need for an integrated system will always be there and will grow as long as there is growth in industry. In future also there will be a requirement for control, connectivity and visibility, which is possible only if there is a solution like the computer software being offered now. The nature of computing may change but the basic requirement will remain.

The main problem is that ERP is dominated by IT professionals whereas it should be dominated by people having business experience and knowledge.

The operating people know what they require, and the IT professionals will have to understand or follow what the consumers actually need; only then will ERP get accepted by all the companies. Most of the ERPs fail at the post-implementation and implementation stages.

ERPs will have to be easy to handle and the user should be able to customise it the way they want. The manufacturers of ERP should just make the basic structure, and all customer-specific requirements should be customised by the user. I think this change is coming; the sooner the ERP manufacturers acknowledge it, the better it will be. The days of standardisation are over. No company or organisation can be cloned. Every organisation is different, having a different style of operation. Regulations also vary from country to country and region to region, which is difficult to incorporate in one single product.

ERP keeps an organisation tight. One has also to look at the cost of ERP. In the world the percentage of small and medium companies is greater, and they cannot afford large ERP solutions. The most expensive part is the implementation cost. I think if this part is transferred to the customer/user by giving them more training, it will give accelerated growth to ERP.

I do not think ERP has yet gone down below the elite level, but the need of the hour is to make it affordable for all.

Dr. Aloke Chakravartty
Dean - TIG Business Schools, Calcutta, India