I.T. Best Practices for Small & Medium Sized Businesses

Small Business: Hackers' Low-Hanging Fruit

2007-10-18T12:48:00.000-04:00

Small and medium sized business owners often find themselves between a rock and a hard place:

They have confidential information such as customer information, financial and employee information on-site but lack the resources to understand and address the risk. As this article points out: "...more than 75 percent of companies with fewer than 1,000 computers have an IT staff of less than 10, and 61 percent say they have never sought information about how to protect employee or customer data." Scary.

To address the risks, there are affordable options. In fact, in the long run, these options are not only affordable but could provide long term advantages such as:

IT cost predictability
Less money spent on emergency recovery services after a breach occurs
Competitive advantage vs. larger, more entrenched organizations

The answer lies in being able to augment your existing capabilities where it makes - and do so for a price that is affordable. There are numerous organizations in the Toronto market that can help. The key is to select an organization that is right for you. Some things to look for:

Do these providers have the tools, expertise and processes to help you with their specific challenges?
Do these organizations provide remote support capabilities? On-site service capabilities? Typically most I.T. challenges can be addressed remotely increasing response times and decreasing cost due to less time spent traveling.
Will these companies provide advice on strategic issues: How should I.T. dollars be spent to best support your business objectives? What are your business priorities?
Do these third parties have access to a variety of skill sets? If you choose to work with an independent, this person cannot possibly know everything there is to know about I.T. - do they have resources available to augment their skill sets when they need help?

Finding a partner to help your small/medium sized business support it's I.T. needs is not only a viable option but may be the best option. It alleviates the need to hire full time time staff, provide training and retraining, purchasing the tools needed to properly manage I.T. and invest in the management framework necessary to prevent problems from happening in the first place, responding to the problems that could not be prevented and planning for future business & I.T. priorities.

High Dollar May Hit Wages

2007-10-18T12:37:00.000-04:00

This article, "High Dollar May Hit Wages" is geared mainly towards those in the manufacturing sector. It seem that the manufacturing sector continues to wrestle with the impact of an appreciating Canadian dollar by attempting to pass risk along to unionized employees. Seems that the push to increase productivity, reduce costs, address risk has never been higher.

IT muscles in on the business

2007-09-26T15:44:00.001-04:00

In this article, IT Muscles in on the Business, IT World Canada discusses how businesses are beginning to make progress in aligning business & technology related decisions. IT and business managers are finding better ways to communicate - but we still have a long way to go.

IT World makes some great suggestions on how to further the cause. Good read.

IT managers may become 'directors of processes'

2007-08-30T20:03:00.000-04:00

This article provides further evidence that business managers and owners are increasingly looking to IT Practitioners to deliver more than just technical services. The tides are changing, IT practitioners need to understand how technology supports and enhances business processes - and business objectives - in order to earn a spot within the IT organization, and the boardroom table.

http://www.itworldcanada.com/Pages/Docbase/ViewArticle.aspx?id=idgml-84388921-ea7d-4654&Portal=1fa35bf9-d296-4571-8fff-c665a851ec1d&sub=1517075

Cutting Costs, Inproving I.T. Efficiency During Lean Times

2007-07-25T11:18:00.000-04:00

There are times when business need to make very difficult decisions. How do we cut costs? Do we remove people, put off spending on important projects? Most balk at the suggesting of spending some money now, in order to save much money later - particularly during difficult times.

This article offers some excellent insight on how to approach such circumstances - and achieve measurable results.

What is the bottom line and key to success: Focus on the needs of the business and the people that make the business run. I.T. administrators and executives alike must make a concerted effort to fully understand exactly how technology support each and every function of the business - then intelligent decisions can be made on how best to apply technology to achieve business objectives.

How a Mid-Sized Textle Maker Used I.T. to Compete Globally

2007-07-25T10:09:00.000-04:00

Glen Raven, headquartered in Burlington, N.C. is one of the few textile manufacturing organizations that are excelling in an environment where overseas outsourcing predominates.

How have they done it? Relentless focus on applying information technology to support innovative business processes. These investments have focused on two key things:

- enabling new sources of revenue
- enabling more efficient business operations

This article provides an excellent case study to any manufacturer struggling to compete in a highly competitive business, during highly competitive times.

Doctors Poor Penmanship Have Deadly Results

2007-06-29T10:48:00.001-04:00

Not sure why technology hasn't been introduced sooner and currently more widespread than it is in order the address the issue of not being able to read the doctors writing. One interesting point though - the technology is not the cure all. Like all security problems - policy, process & people also need to be carefully considered.

read more | digg story

A Warning to Retailers Everywhere

2007-06-27T10:18:00.001-04:00

In order to prevent identity theft in retail organizations the PCI data standard states that credit and debit card information cannot be stores by point of sales applications/terminals. Unfortunately, most point of sale providers never got the memo. Corporations have to sensitive protect data all the time - why is this any different?

read more | digg story

When Computers Attack

2007-06-25T08:50:00.001-04:00

ANYONE who follows technology or military affairs has heard the predictions for more than a decade. Cyberwar is coming. But how bad would a cyberwar really be — especially when compared with the blood-and-guts genuine article? Whatever the answer, governments are readying themselves for the Big One.

read more | digg story

High Profile Data Theft - Yet Again

2007-06-22T09:41:00.001-04:00

Another high profile breach has been reported - with over 225,000 personal records being stolen. The breach happened when an intern in the Ohio State Government was given the responsibility of storing back-up data - off-site, in her home. Unfortunately, it was stolen from her car before she even got it home.

This has happened many times over the past few years - yet I am not surprised to hear that these types of practices continue - seemingly unabated. Here is a tiny sampling:

Feb. 25, 2005: Bank of America lost a backup tape with 1,200,000 records on it.
March 11, 2005: Univ. of CA, Berkeley lost a laptop with 98,400 records on it.
Jan, 12, 2006: The People's Bank lost backup tapes with 90,000 records on it
Jan. 25, 2006: Providence Home Services had backup tapes stolen with 365,000 records on it
Feb. 13, 2006: Ernst & Young employee had laptop stolen from car containing 38,000 records
March 2, 2006: Hamilton County Clerk of Courts posted information improperly to their website leading to the exposure of 1.3 million records. Of note: An identity thief was sentenced to 13 years in prison for the crimes. She stole 100 identities and nearly $500,000.
Feb. 8th, 2007: St. Mary's Hospital lost a laptop containing 130,000 confidential records

This is just a very, very small fraction of the total number of incidents reported over the past two years. For a complete list, please refer here.

These types of security breaches point to the fact that information security is not all about technology. A comprehensive, "best practices" security program takes into consideration 4 key things: Policy, Process, People & Technology. Here's an example of how consideration of these 4 key areas could have prevented this breach from ever happening:

Policy: All back-up information is to be stored off-site in a secure facility and managed by authorized representatives only. (no interns, no storing in your house or car!)

Process: All back-up media are to be delivered to and from secure facilities via secure encrypted links or bonded, tier-1 couriers. Even this is not enough because couriers can be stolen from too. This is why we need to consider multiple layers of defense.

People: Only select people shall be responsible for back-up media safe keeping (managing the process). This person must be trained on what is the security protocol & risks are!

Technology: All back-up information shall be encrypted such that if it is stolen or lost, information will be rendered useless.

In a recent report, Forrester concluded that the cost of a data breach varies widely, from about US$90 to $305 per customer record, depending whether the breach is “low-profile” or “high-profile” and the company in a non-regulated or highly regulated area, such as banking. These costs are related to the money spent to cover legal fees, notification costs, increased call centre costs, marketing and public relations expenses.

Implementing mechanisms to prevent this type of data loss does not have to be expensive and certainly not cost prohibitive. Just implementing changes to policy, process and people significantly reduces the risk. Unfortunately, it is obvious that the reporting of hundreds of similar breaches is not enough for many organizations to act and reduce the risk. Our advice is to not wait till it happens to you - reducing the risk does not have to be expensive or complicated - just well thought out.

NAC Gaining Momentum

2007-06-21T10:40:00.000-04:00

The Challenge:

Permitting internal & external users with secure access to resources. Secure access mean:

properly authenticated & authorized
free of spyware and viruses
access only to information users need to do their job

NAC: Securing access to information

The Network Access Control space has received much press over the past few years. Many companies have been leary of making the jump citing implementation complexities, lack of standards and the inability to source a product that met all company requirements.

However, a recent report by Network Computing based on a broad survey stated that; "most said NAC is easier to deploy, is less disruptive and requires fewer changes to network configurations, and has less of an impact on productivity than was expected."

This is not to say that there are no longer difficulties or complaints. There are over 30 vendors in this space with 4 - 6 competitors occupying the lions share. The proliferation of proprietary standards poses challenges to interoperability. Word to the wise, understand your requirements thoroughly before jumping in - NAC implementations can be expensive with the mean average of survey respondents having spent 12% of their entire enterprise IT budget on the project.

Additional NAC Points of Interest:

Infrastructure Impact:

NAC deployments are notorious for demanding infrastructure changes - on average, respondents expected to have to change up to 30% of their infrastructure for NAC readiness
Understanding what the impact on the network is is critical to accurate budgeting and product selection processes.

Productivity Impact:

There have been concerns that NAC might keep legitimate users from doing their jobs - and add work for IT. These concerns may be unfounded given the opportunity for productivity enhancements, i.e. allowing infected systems to be quarantined and remediated in an automated fashion.

Interoperability, Frameworks & Standards:

Here is a general pictorial of the NAC standard
Cisco and Microsoft have announced an initiative to ensure interoperability between their platforms - putting a wrench into the Trusted Computing Group's attempt to create an open standard based on non-proprietary technologies.
Cisco and Microsoft are coincidently "most trusted" in this space

In spite of their being numerous proprietary methodologies in place, there are a number of "common" enforcement techniques, as this article explains well.

Suggestions for NAC consideration:

Measure twice, cut once: plan, plan plan first - this is critical to success. Understand exactly what you'd like to accomplish.

Choosing a NAC vendor is largely dependent on the primary issue you want address, since vendors now tend to be either good at posture assessment, quarantine, remeditation and ongoing threat assessment, or identity-based policy enforcement--but not both. If you're like most respondents, you want it all--in which case you may want to wait until best of breed solutions emerge.

Set expectations with senior management: the ROI on NAC is difficult to quantify - but regarded by those who have implemented NAC as worthwhile
Evaluate impacts to existing infrastructure

Security & Health Care-Enter the Privacy Commissioner

2007-06-15T17:18:00.000-04:00

A recent security breach at a clinic in Sudbury has prompted a fleury of activity from the provinces Privacy Commissioner Ann Cavoukian. Evidently, an unsecured wireless access point allowed someone driving by to pick up a signal from a feed used to monitor Methodone addicts in the clinic while in the washroom.

While they did have consent to conduct this monitoring - they did not have consent to broadcast it out to the world. Wireless and wired networks need to be secured. The principles and philosophies behind securing both are exactly the same.

The incident has prompted the commissioner to issue a fact sheet illustrating the precautions to be taken when implementing and utilizing wireless networking technologies. Good advice for us all.

I would however like to take issue with one comment in the article made by Ms. Cavoukian:

"I don't expect that level of tech expertise on the part of healthcare providers," the Privacy Commissioner said. "But it's got to be incumbent on people who provide this technology to tell their customers how insecure such wireless surveillance systems can be."

Lets see here, our Privacy Commissioner is sending the direct message that the organizations that are in possession of highly private information are not responsible for securing it, it is their providers. Hmmm.....I see. Shame on you Ms. Cavoukian, in my humble opinion, this is exactly the opposite message of what we should be sending.

Work Force? What Work Force?

2007-06-15T10:45:00.001-04:00

There has been significant press over the past few years about declining labour rates as a result of reduced fertility rates and an aging population in Canada. This article puts a pretty fine point on the extent of the issue and what we might expect in future.

The repercussions can be significant and affect many aspects of a companies ability to conduct business. From servicing customers, order entry to I.T. management - shortages can have major impacts. The business case to start thinking about this looms large:

What employee retention strategies are in place? Are there plans to change? This article provides an excellent overview what companies are and are not doing in regards to recruitment & retention strategies.
How do you plan on adapting recruitment practices to adjust to changing circumstances?
How does your organization plan on augmenting skills gaps where talent cannot be readily found?

Outsourcing is one major consideration that has received much attention over the years. Offloading "non-core" competencies sounds great in theory - but history has shown that outsourcing is fraught with peril if not approached pragmatically. Here are a couple of things to consider before deciding whether outsourcing is right for you:

Is the process under consideration for outsourcing easily extractable from the organization? An example of "easily extractable" is payroll processing.
Is your company experiencing a skills shortage now? Has this resulting in service deficiencies?
Is there a plan to better use internal resources to achieve business objectives?
Are current costs and service levels well understood?
Is there an opportunity to add value beyond just dollars and cents?? (improved employee and customer experiences, etc)
Does everyone involved understand how outsourcing can improve the organization's performance and their roles in the new arrangement?

While outsourcing will prove to be a viable strategy to address skills shortages now and into the future - it will not ever be a panacea for all that ails. This is especially true if organizations do not consider the fine tactical details of the approach. After all, as they say, the devil is in the details.

Innovation in 2-Factor Authentication, Finally...

2007-06-15T09:27:00.001-04:00

Implementing strong authentication just got much more affordable. A new company on the scene called TriCipher just announced the introduction of a USB authentication device capable of authenticating to multiple sources (say for example, multiple banks if you are a consumer) - for around $2 - $3 per device. Encumbents such as Vasco and RSA have been accused of lethargy in this space - and offering little in regards to innovation in improving cost competitiveness. In fact, in the last 10 years - a dogs age in the technology space - the price or basic capabilities of the hardware token have changed very little.

This move by TriCipher will bring into reach much better authentication methods - and therefore much stronger security capabilities to the small and medium sized business owner. Weak passwords have long been criticized as the bane of the security practitioners existence. Hopefully, we will see more and more organizations addressing authentication deficiencies and move one step closer towards a best practices approach to securing their company's critical information.

SonicWall Acquires Aventail

2007-06-14T14:10:00.000-04:00

SSL VPN provider Aventail was acquired by SonicWall yesterday. SonicWall has been a well known force in the mid-range firewall market (predominantly for SMB and retail). Firewall vendors have been struggling to add capabilities as new entrants and approaches have increased competition in the space. Vendors such as Fortinet have come to market with appliances that have multiple security capabilities such as network appliance based anti-virus, intrusion prevention, firewall, VPN, content filtering and traffic shaping creating the so-called UTM space.

The security industry seems poised for a new round of consolidation after a period of inactivity. Watch for more announcements to come.

BotNet Armies Uncovered

2007-06-14T11:20:00.000-04:00

It's disturbing to know that the FBI recently uncovered over 1 million computer systems under the control of botnet operators. Even more disturbing is that these are only systems that:

1. Have been found - surely there are way more.
2. These are only systems found in the U.S. - certainly a small proportion of the amassed botnet armies worldwide.

For the average citizen and small / medium sized company - the threat of being the recipient of such a botnet attack is small - unless of course, you are in the public forum - particularly a controversial one. However, as this article points out - the need for citizens, and anyone who owns a network for that matter, must be diligent about protecting their systems from being compromised - and exasperating the problem.

How you ask? Following network and security management best practices is a start. From a high level, here is how such a process might work:

1. Assess: the world around us changes constantly and so must our protection mechanisms. Continuous efforts to identify and assess the risk of new and existing threats leads us to an understanding of what needs to change and why.

2. Be Proactive: constantly assessing what is going on around us is a good first step. It is also 'best practice' to: (a) apply preventative maintenance measures to reduce the threat of exploitation; (b) monitor the network for unusual activity so that reactive measures can be taken immediately at the first sign of trouble.

3. Continuous Improvement & Change Management: by instituting a process that forces us to plan changes to our network we are able to make sure that security is taken into consideration early on. Secondly, the information we glean from monitoring and maintaining the network enables us to identify potential issues that might later cause grief - and address them ahead of time.

There is one additional benefit to following this approach: it costs less in the long run! Unnecessary downtime, lost productivity, emergency service calls and unplanned capital expenditures can all be reduced or eliminated leading to much improved returns on IT capital investments - not to mention less gray hair and aggravation.

Securing Web Applications: An Overview

2007-06-13T11:03:00.000-04:00

As this article implies, organizations are increasingly being attacked via web applications. This trend is expected to proliferate as organizations both:

1. Deploy increasing numbers of web applications (especially customer apps).

2. Deploy extensive network based security mechanisms (IPS, firewalls, Anti-Virus, etc.) - ensuring the path of least resistance will no longer be your network - but rather web applications themselves.

What are the specific and most notable threats to our Web Applications? There is a well respected organization called OWASP that has for many years been a leader in bringing these issues to light.

There are a number of options to addressing these threats:

1. Better Coding Practices / Code Review Processes
2. Layer 7 Protection Mechanisms to Block Web Exploits entirely.
3. Don't deploy web applications!

This remainder of this post will address the second option. Web Application Firewalls have been around since early 2000 - 2001 when products from Teros, Magnifire and other start up companies began introducing products. Like any nascent industry, understanding exactly what the products do, and how they do them - is difficult to ascertain. There are signs that the market is maturing though, as this overview by the Burton Group suggests.

This article by Network Computing offers an excellent overview of how web application firewalls work, how web application firewall architectures vary and what the ramifications are from an implementation perspective.

Another article from Network Computing evaluates various players in the space, from F5 Networks to SecureSphere and NetContinuum. Offers good insight as to the relative strengths and weaknesses of each approach.

This article by the Web Application Security Consortium offers good insight into how to evaluate web application firewall products & vendors.

Lastly, an interesting consideration is that ICSA Labs has only certified two players in this space: F5 Networks & Citrix Systems. This is a copy of the document describing the criteria that has been applied in evaluating products for certification.

There is no question that web application firewalls will play an increasingly important role in securing our environments. I hope this post provides some good insight into how to proceed with a project of this nature.

Please let us know if there is something else you'd like to discuss on this issue. Feedback is welcome.

Quick Ref: Identity Management Solution Components

2007-06-13T10:42:00.000-04:00

Identity Management Components

Virtual Directories: A Disscussion - What is is? Who's supplies it? Who needs it?

Network Access Control: A Dissertation

How does NAC fit in? What are the key considerations? What is the framework? What are the risks, what are the potential benefits?

I.T. Automation: Identity Management Overview

2007-06-13T10:10:00.000-04:00

Identity Management has received much - mostly bad - press over the past several years. It is not something to be taken lightly to be sure - and promises many benefits if implemented correctly. Potential benefits include:

improvements in security / achieve cost reductions by automating activities associated with provisioning / deprovisioning
improvements in security by reducing the number of passwords users have to remember across multiple applications
improve help desk efficiency by automating password reset activities

While these benefits can be significant to many an organization, we must keep in mind, as this article points out, "there are many dead bodies along this highway". Identity Management initiatives are not to be taken lightly to be sure. They often require multi-disciplinary teams comprised of members of the I.T., Security, & Human Resources departments - to name a few.

This article by Network Computing is an excellent dissertation on the key issues, benefits and risks associated with Identity Management options.

What is your option? Please feel free to share your stories (both successes and failures) - as you are in a position to help others not make the same mistakes...

Technorati Registration

2007-06-12T17:26:00.001-04:00

Technorati Profile

Identity Theft in Florida

2007-06-12T10:57:00.001-04:00

Most of us that read the latest in security news heard about this high profile breach a number of months ago. Great that they tracked down the offenders, but do you think TJX is feeling better about it? Doubt it.

TJX Security Breach

The CIO's Role is Evolving

2007-06-12T10:31:00.000-04:00

The CIO's Role is Ramping up...

Good article on what role today's and tomorrow's I.T. leaders will be expected to play.

Does there remain a dearth of I.T. leaders in executive positions with business acumen?

Web Exploit

2007-06-12T10:26:00.000-04:00

http://www.darkreading.com/document.asp?doc_id=126169&WT.svl=news1_4

Yet another university has been hit in the U.S. for identity theft. Increasingly, attackers are moving up the stack and going after web applications.

Welcome

2007-06-11T21:21:00.000-04:00

Welcomes you. Please feel free to leave your comments about how we can make this resource more useful and relevant. Or, if you cannot find the answers you are looking for, feel free to blow off some steam and leave a rant on our wall. I know it will make you feel better.

Excellent Source of Best Practices Information

2007-06-11T20:29:00.001-04:00

http://www.sans.org/

Good Network Management Posts & Links

2007-06-11T20:24:00.000-04:00

http://www.networkcmdb.com/category/value-added-resellers/