may the force be with you

Following a spate of reports about Bluetooth and iPods devices being used to steal sensitive data from organizations, businesses are now urging to be vigilant as hackers use digital cameras to sidestep security measures.

‘Camsnuffling’, the latest IT managers headache being used to computer attackers to extract and store data with the help of digital camera. The digital camera device, just like iPod and Bluetooth, is a simple digital storage devices. Hence, simply plugging it into a computer’s USB can allow hackers to obtain sensitive data.

Ian Callens, Icomm Technologies, explains: "This is a very difficult issue to manage and a real threat to business continuity and data security. If someone is seen in the workplace using an iPod it’s more than likely that it’s for the wrong reasons – either podslurping or downloading music without permission. This is relatively easier to police."

Many companies use digital cameras as part of their working day. This fact makes it difficult at first glance to determine if cameras are being used for work, or for hacking. In these businesses it’s very hard to enforce USB usage policies and not feasible to simply block USB port.

"There are, however, steps that can be taken to reduce rogue behaviour," said Callens. "Firstly, regularly change system passwords that employ both letters and numerals. Secondly, issue internal memo’s to ask all to be vigilant, stating that observations are being undertaken. Thirdly, consider adopting specific software to monitor activity to actively manage the access rights to removable storage devices. This should ensure that business productivity is not affected, while actively guarding against the removal of data or the introduction of inappropriate or malicious content to the network."

source:http://www.it-observer.com/articles.php?id=966

Getting the most out of knowledge workers will be the key to business success for the next quarter century. Here's how we do it at google.

Issues 2006 - At google, we think business guru Peter Drucker well understood how to manage the new breed of "knowledge workers." After all, Drucker invented the term in 1959. He says knowledge workers believe they are paid to be effective, not to work 9 to 5, and that smart businesses will "strip away everything that gets in their knowledge workers' way." Those that succeed will attract the best performers, securing "the single biggest factor for competitive advantage in the next 25 years."

At Google, we seek that advantage. The ongoing debate about whether big corporations are mismanaging knowledge workers is one we take very seriously, because those who don't get it right will be gone. We've drawn on good ideas we've seen elsewhere and come up with a few of our own. What follows are seven key principles we use to make knowledge workers most effective. As in most technology companies, many of our employees are engineers, so we will focus on that particular group, but many of the policies apply to all sorts of knowledge workers.

• Hire by committee. Virtually every person who interviews at Google talks to at least half-a-dozen interviewers, drawn from both management and potential colleagues. Everyone's opinion counts, making the hiring process more fair and pushing standards higher. Yes, it takes longer, but we think it's worth it. If you hire great people and involve them intensively in the hiring process, you'll get more great people. We started building this positive feedback loop when the company was founded, and it has had a huge payoff.
• Cater to their every need. As Drucker says, the goal is to "strip away everything that gets in their way." We provide a standard package of fringe benefits, but on top of that are first-class dining facilities, gyms, laundry rooms, massage rooms, haircuts, carwashes, dry cleaning, commuting buses—just about anything a hardworking engineer might want. Let's face it: programmers want to program, they don't want to do their laundry. So we make it easy for them to do both.
• Pack them in. Almost every project at Google is a team project, and teams have to communicate. The best way to make communication easy is to put team members within a few feet of each other. The result is that virtually everyone at Google shares an office. This way, when a programmer needs to confer with a colleague, there is immediate access: no telephone tag, no e-mail delay, no waiting for a reply. Of course, there are many conference rooms that people can use for detailed discussion so that they don't disturb their office mates. Even the CEO shared an office at Google for several months after he arrived. Sitting next to a knowledgeable employee was an incredibly effective educational experience.
• Make coordination easy. Because all members of a team are within a few feet of one another, it is relatively easy to coordinate projects. In addition to physical proximity, each Googler e-mails a snippet once a week to his work group describing what he has done in the last week. This gives everyone an easy way to track what everyone else is up to, making it much easier to monitor progress and synchronize work flow.
• Eat your own dog food. Google workers use the company's tools intensively. The most obvious tool is the Web, with an internal Web page for virtually every project and every task. They are all indexed and available to project participants on an as-needed basis. We also make extensive use of other information-management tools, some of which are eventually rolled out as products. For example, one of the reasons for Gmail's success is that it was beta tested within the company for many months. The use of e-mail is critical within the organization, so Gmail had to be tuned to satisfy the needs of some of our most demanding customers—our knowledge workers.
• Encourage creativity. Google engineers can spend up to 20 percent of their time on a project of their choice. There is, of course, an approval process and some oversight, but basically we want to allow creative people to be creative. One of our not-so-secret weapons is our ideas mailing list: a companywide suggestion box where people can post ideas ranging from parking procedures to the next killer app. The software allows for everyone to comment on and rate ideas, permitting the best ideas to percolate to the top.
• Strive to reach consensus. Modern corporate mythology has the unique decision maker as hero. We adhere to the view that the "many are smarter than the few," and solicit a broad base of views before reaching any decision. At Google, the role of the manager is that of an aggregator of viewpoints, not the dictator of decisions. Building a consensus sometimes takes longer, but always produces a more committed team and better decisions
• Don't be evil. Much has been written about Google's slogan, but we really try to live by it, particularly in the ranks of management. As in every organization, people are passionate about their views. But nobody throws chairs at Google, unlike management practices used at some other well-known technology companies. We foster to create an atmosphere of tolerance and respect, not a company full of yes men.
• Data drive decisions. At Google, almost every decision is based on quantitative analysis. We've built systems to manage information, not only on the Internet at large, but also internally. We have dozens of analysts who plow through the data, analyze performance metrics and plot trends to keep us as up to date as possible. We have a raft of online "dashboards" for every business we work in that provide up-to-the-minute snapshots of where we are.
• Communicate effectively. Every Friday we have an all-hands assembly with announcements, introductions and questions and answers. (Oh, yes, and some food and drink.) This allows management to stay in touch with what our knowledge workers are thinking and vice versa. Google has remarkably broad dissemination of information within the organization and remarkably few serious leaks. Contrary to what some might think, we believe it is the first fact that causes the second: a trusted work force is a loyal work force.

Of course, we're not the only company that follows these practices. Many of them are common around Silicon Valley. And we recognize that our management techniques have to evolve as the company grows. There are several problems that we (and other companies like us) face.

One is "techno arrogance." Engineers are competitive by nature and they have low tolerance for those who aren't as driven or as knowledgeable as they are. But almost all engineering projects are team projects; having a smart but inflexible person on a team can be deadly. If we see a recommendation that says "smartest person I've ever known" combined with "I wouldn't ever want to work with them again," we decline to make them an offer. One reason for extensive peer interviews is to make sure that teams are enthused about the new team member. Many of our best people are terrific role models in terms of team building, and we want to keep it that way.

A related problem is the not-invented-here syndrome. A good engineer is always convinced that he can build a better system than the existing ones, leading to the refrain "Don't buy it, build it." Well, they may be right, but we have to focus on those projects with the biggest payoff. Sometimes this means going outside the company for products and services.

Another issue that we will face in the coming years is the maturation of the company, the industry and our work force. We, along with other firms in this industry, are in a rapid growth stage now, but that won't go on forever. Some of our new workers are fresh out of college; others have families and extensive job experience. Their interests and needs are different. We need to provide benefits and a work environment that will be attractive to all ages.

A final issue is making sure that as Google grows, communication procedures keep pace with our increasing scale. The Friday meetings are great for the Mountain View team, but Google is now a global organization.

We have focused on managing creativity and innovation, but that's not the only thing that matters at Google. We also have to manage day-to-day operations, and it's not an easy task. We are building technology infrastructure that is dramatically larger, more complex and more demanding than anything that has been built in history. Those who plan, implement and maintain these systems, which are growing to meet a constantly rising set of demands, have to have strong incentives, too. At Google, operations are not just an afterthought: they are critical to the company's success, and we want to have just as much effort and creativity in this domain as in new product development.

Schmidt is CEO of Google. Varian is a Berkeley professor and consultant with Google.

source:http://www.msnbc.msn.com/id/10296177/site/newsweek/

"Without accepting blame Google has quickly patched the vulnerability, without requiring users to download a patch. Previously covered by Slashdot, the flaw allowed people to access files and passwords on a computer via any website when viewed with IE while running Google Desktop." From the article: "'Google was able to address the problem quickly because it didn't require changing any code at the user's desktop,' MacDonald said. 'Google applied more stringent security controls on its main site, which shut down the exploit.' The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald. "

source:http://it.slashdot.org/it/05/12/06/1349244.shtml?tid=217&tid=113&tid=218

By Richard Black Environment Correspondent, BBC News website

When it comes to security, most IT departments are underfunded, understaffed, and underrepresented, IT security pros say.

URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=174900279

Resourceful I.T. security professionals are getting the job done, but their efforts have been hampered by undersized staffs and underfunded budgets that limit choices ranging from what products they buy to the vendors they work with.

The third annual Strategic Deployment Survey conducted by Secure Enterprise, an InformationWeek sister publication, polled more than 1,500 IT-security pros about their companies' security and their tactics for dealing with challenges. Follow-up interviews provided even more details on the state of IT security.

Shortfalls in security staffing and budgets aren't new, of course. But what makes the situation more nerve-racking are the regulatory risks and compliance requirements that fall to the IT security department, adding cost and work at a time when budgets are growing only moderately, if at all. Case in point: One multibank holding company with 500 employees and assets of almost $2 billion recently implemented monitoring, encryption, and intrusion-prevention technologies to assist its adherence to the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Bank Secrecy Act, and the Health Insurance Portability and Accountability Act. But the company's chief information security officer, who asked to remain unidentified, still has a bleak security outlook.

"Our staffing levels are inadequate and have an impact on our ability to maintain systems in accordance with our policies and standards," he says. "This problem won't improve. Hopefully, we can do more automation and less hands-on administration and monitoring."

He's not alone in his pessimism. The survey shows IT security staffing almost unchanged from last year--and, in a word, deficient. Forty-four percent of this year's respondents describe their security groups as moderately understaffed, with 21% saying they're severely understaffed. Last year, those numbers were 45% and 20%, respectively.

"I've yet to meet anyone who has all the staff and money they need," says Peter Clissold, information security manager at the Edmonton Police Service, one of Canada's largest law-enforcement agencies. The agency lacks well-segregated IT security roles and doesn't have the staff to carry out demonstrable audit or review exercises, Clissold says. However, he adds, the organization has identified its security gaps and has managed to get support from executives to address those shortfalls.

Managing expectations is important for handling staffing inadequacies, Clissold says. It's vital to define what should be expected from IT security groups--and what they expect from management--to deliver an expected level of service. Security managers must know their business and be innovative and resourceful. "We must be skilled communicators and negotiators with those in senior positions," he says.

Being resourceful often means having users take more responsibility for security measures, says Justin Bell, a security specialist at a Wisconsin engineering consulting firm. Bell's IT staff sends out a monthly security newsletter and E-mail messages that get users to perform tasks that IT might normally handle. For example, during a recent switch from static IP addresses to the Dynamic Host Configuration Protocol, Bell's group took advantage of users' efforts and cut its workload to 30 machines from 360.

Linked to frustration about understaffing is concern that not enough IT dollars are earmarked for security. And sometimes, IT-security managers say, that translates directly to greater organizational vulnerability.

Shrinking Dollars
The survey shows shrinking numbers at both the high and low ends of IT security budgets. Significantly, only 16% of this year's respondents say less than 1% of their IT budget is spent on security, down from 19% who made the same claim last year. However, the portion of readers who put their security budgets at 16% or more of their IT spending shrank as well, down to 7% this year from 9% last year.

"Budgets are increasing, but they're still a sliver of the overall budget," says Kelly Hansen, CEO of information-security consulting firm Neohapsis and a columnist for Secure Enterprise.

Around 38% of respondents say 1% to 5% of their IT dollars go to security. But the majority of security professionals aren't satisfied with their budgets--to the point of sometimes feeling helpless.

For Jody Simmonds, IT security architect at the Washington state Department of Health, part of the problem is that her security office doesn't have its own budget. Instead, security must draw money from the agency's network-services budget. "Security should have its own budget," she says. "We're at the mercy of another section, and they may have different priorities."

Although Neohapsis' Hansen sees security budgets increasing somewhat, she acknowledges the compliance onus that has fallen on security managers. Moreover, she says, vulnerabilities unrelated to compliance are increasing. External attackers, for instance, "used to be 15-year-old kids but are now sometimes linked to organized crime."

Several diverse factors influence how security managers spend the money they have based on a diverse set of drivers. The top five drivers in this year's survey were improved business practices, auditing regulations, industry standards, security breaches from external sources, and legislative regulations.

Despite staffing and budgetary shortfalls, IT security managers continue to implement new security procedures and dedicate staff specifically to security. Twenty-nine percent of respondents, up 1% from last year, describe their IT security structure as a formal dedicated team. The portion of organizations that use individuals within IT to carry out security as only a secondary part of their jobs fell to 35%, down from 40% last year.

Other organizations are building an overall "culture of security." Even when a dedicated security staff exists, the job often involves educating IT and non-IT staff about security risks and needs.

"Everyone plays a role in security, and security is everyone's responsibility," says Kim Milford, information security officer at the University of Rochester. Training and awareness are critical aspects of the school's security program. Part of the university's IT security staff's work is helping employees understand their roles and responsibilities, providing guidance on risk assessment, and implementing controls.

Complex But Secure
Sometimes security managers find themselves working within complex security structures, answering to various supervisors and drawing on myriad sources of assistance. That's the situation for Tim Donahue, security manager for the U.S. Army's Distributed Learning System, which conducts online training for soldiers.

"Our structure is complex, but it's complex in that the Army places extraordinary emphasis on information security," says Donahue, who is the sole person dedicated to security within the learning system. A contracting firm runs the enterprise-management center, however, and lends its own security engineer. Various entities in the Department of the Army handle information security, and Donahue can reach out to them as necessary on issues from troubleshooting to compliance monitoring.

Survey results also show a growing commitment to put higher-level people in charge of security. Last year, only 12% of survey respondents reported that their organizations had a chief security officer. This year, that number rose to 18%. Similarly, only 12% of last year's respondents said they had a chief information security officer; this year, that figure climbed to 22%.

One pronounced shift from last year: the importance of compliance issues for assessing risk before information-security purchases. Regulatory compliance and noncompliance issues ranked fifth among methods for assessing risk in 2004, with just less than half of respondents saying they look at compliance before making security purchases. This year, compliance ranked first at more than 60%, leapfrogging input from peers, internal audits, informal risk analyses, and penetration as a method for gauging risk.

Neohapsis' Hansen isn't surprised that compliance hit the top spot as a risk-assessment driver. Rather, she's perplexed it took this long. "There's a general lack of awareness among IT security professionals about what role they're going to play in compliance," she says.

Part of the problem is that IT security pros still haven't learned how to "talk the talk" of compliance, Hansen says. Once they do, they'll find they have a bigger voice when it comes to getting budget outlays and the support they need to do their jobs. IT gets more clout when it's the company arm delivering adherence to regulations for which executives are sometimes held personally responsible.

"The emergence of HIPAA and other laws that regulate security and privacy also has helped to move information security from a technical control to a business control," says the University of Rochester's Milford. "Prior to HIPAA, info security was considered a binary switch: 'Just make it secure.' But now it has become part of the risk assessment an organization must go through to determine how best to conduct business."

The Sarbanes-Oxley Act leads the way when it comes to regulations with which organizations must comply. About 42% of readers say they have to adhere to Sarbanes-Oxley, followed by HIPAA at 38%; the Federal Privacy Act of 1974 at 35%; and the USA Patriot Act at 26%.

Winner: Integration
It's not surprising that, strapped as they are for resources and time, security professionals want products and suppliers that let them do their jobs with minimal hassle.

Integration with existing networks is the capability survey respondents say they most look for in a product. Tools that don't work well within an existing architecture can be worse than ineffective--they can create new risks.

The next-most-sought-after features were performance, second; and high availability, third.

When it comes to choosing a vendor, reliability is again key. The most highly desired quality in a vendor is responsiveness to product security problems, followed by reputation.

Readers rank E-mail-borne viruses and worms as carrying the highest risk among the threats listed in this year's survey, followed by unknown vulnerabilities in commercial products and Web and custom applications. Hansen is surprised that E-mail viruses and worms rank so high. Most antivirus software does a good job, she says, though browser-based attacks present a major and growing problem.

Perceived Threats
Respondents rank internal attacks as a relatively low threat, despite the plethora of research that shows that internal attacks, or those committed by employees, are a major threat. Last year's poll showed similar results, with external attacks being ranked riskier than internal ones by a wide margin.

While internal threats may in fact be a greater risk than external threats, Donahue says that's only because the organization has managed to eliminate or mitigate serious external threats.

"We've spent so much time and effort on containing external risk that we have brought it down to the point that it's become more likely that we'll be exposed to an internal risk," he says. There's a level of trust that's part of the IT-employee relationship, he says, and if background checks come back clean, Donahue has done his due diligence and it's reasonable for him to assume the best from his staff.

There's more than that at work in security managers' thinking, Hansen says. Quite often, it's the external breaches, not the internal ones, that get IT security professionals fired. Other times, IT security staff might not even be made aware of how serious internal threats can be. Also, security managers sometimes tend to see internal threats as more of a human-resources problem than an IT one.

Download: More Reader Survey Results Third Annual Strategic Deployment Survey Results

Among the technologies deployed by readers, antivirus ranks highest on the perimeter, on internal networks, on desktops, and for messaging security. Antivirus software and similarly older, more-robust applications are common within organizations because they're "low-hanging fruit," Hansen says. Moreover, they present good metrics that can be shown to higher management. "Those are the kinds of things that allow you to say, 'Hey, I'm providing value to the organization,' " she says.

And to a large extent, being able to show value is the name of the game for IT security managers who are struggling to meet intensifying threats and surging compliance requirements with inadequate staff and budgets. Still, most IT security experts continue to find workarounds and fixes to handle their security needs, despite the lack of support they sometimes receive from executive management.

"Channel 9 has an interesting video interview with Chris St.Amand and Jeff Stucky who test and debug Microsoft.com. They reveal some of the big problems they used to face such as recycling processes every 5 minutes due to memory leaks and 32 bit limitations, and being unable to push more than 10 Mbits of data to their datacenters due to Windows' networking stack limitations."

source:http://it.slashdot.org/article.pl?sid=05/12/05/2359225&tid=109&tid=218