Stories by Jon Espenschied

Getting to governance

Looking over his glasses with a librarian's stare, an executive recently told me, "You IT people love the word 'governance' but it just seems too..." His voice trailed off as he searched for a way to tactfully convey his sense that "information governance" was a linguistic wedge designed to throw open the doors of board-level access for unkempt geeks and helpdesk managers. Instead of "governance," more comfortable phrases were suggested: "information policy board," "data management" or perhaps "IT steering committee."

Four signs your security program's gone too far

When risk is present, it calls for treatment, and security is a never-ending process... right? Yes, but as a security professional, it's easy to become focused on the hard problems of security -- falling into the arms race for more, more, more security controls -- and lose sight of the impact of the controls themselves.

Five free pen-testing tools

Security assessment and deep testing don't require a big budget. Some of the most effective security tools are free, and are commonly used by professional consultants, private industry and government security practitioners. Here are a few to start with.

Security ahead of risk at the border

News continues to worsen for business travelers carrying sensitive information. In a troubling ruling by the Ninth US Circuit Court of Appeals, US Customs and Border Protection (CBP) can continue its practice of warrantless searches through computer data held by US citizens and foreigners alike. With no cause or suspicion, the CBP may inspect, copy or seize data devices carried by anyone returning to the US. I'm not convinced that passive compliance is the best response to this situation.

A spring cleaning for security

This month marks two years of "In Security." Over the past year, some of my more popular columns have dealt with data aggregation and theft, the limits of risk management, getting along with human resources, how to spot and handle rogue security staff, encroachments on personal privacy, and the humor we find in the nonsensical things we hear from security consultants and the consulted. Sometimes it's the laugh of recognition; sometimes it's the laugh right before everyone looks away nervously and changes the subject. In either case, it's worth taking a look back before considering what's next.

Phishing in the backyard

The best phishing e-mail I've seen recently purported to come from none other than the head of the FBI. "Robert Mueller" was offering to ensure the safety of a money transfer from a confidential third party, if only the recipient would provide her or his bank information in an official-looking form.

Four good reasons for Security to talk to HR

Neither information technology nor security managers fire people in most organizations. That plain reality seems to escape some in the industry, where offended security administrators declare that disabling the anti-virus program is grounds for demotion or an IT manager finding unlicensed media makes arrangements for someone to make the cardboard box commute.

Privacy and piracy: What are we telling the kids?

I can't find much difference between the Motion Picture Association of America (MPAA) members' business model and a band of large-scale ticket scalpers, but lately they and their music-industry cousins in the Recording Industry Association of America (RIAA) are exhibiting the collective cojones of a bank robber demanding change for the getaway car's parking meter.

Security and the One Laptop Per Child sensibility

If you're one of the many people itching to try out a certain funny-looking green portable computer, your moment is at hand. The One Laptop per Child project's OLPC XO device went on sale to the general public on November 12 at 6 a.m. ET -- albeit only for those who want to make a "buy two, donate one" deal in the process and only for a couple of weeks.

Ghosts in the machine, spooks on the wire

On the Internet, there's always a ghost in the room -- watching you, listening, recording your activities and interests, aggregating profiles or categorizing you, and whispering secrets and lies about you to others again and again.

The DMZ's not dead

When the "Exchange Ranger" came for a visit at a client site, his advice set the ball rolling for a much-needed upgrade from Exchange Server 2000.

Oh, don't tell me: 10 claims that scare security pros

A child with a chocolate-smeared shirt says, "I didn't do it." The phone rings, and Mum assures you, "There's nothing to worry about." A systems administrator carrying a box of tapes says, "We'll have everything back up in a few minutes." Sometimes the first words you hear -- despite their distance from the truth -- tell you everything you need to know.

Ten dangerous claims about smartphone security

My heart sank when I first saw Al Gore pull out his BlackBerry. It was in the waning weeks of the 2000 US presidential campaign, and there he was on the TV, tapping away on his then-novel converged device. Though I had no evidence, I was positive that whatever he was reading had already been perused by some conservative skunk works, with his responses scrutinized not long after. Given recent revelations about the opposition's ethics and panting obsession with domestic spying, I still suspect that any eavesdropping technically possible at the time was probably being done.

The trouble with MPLS

Multisite and outsourced IT operations are making good use of Multiprotocol Label Switching (MPLS), but strange trouble is turning up more and more. Often in discussion with local network staffers, we come to the point when I ask about backhaul lines or internet service providers over which they presumably run a site-to-site virtual private network (VPN). They happily reply, "Oh, we have MPLS" and provide a network diagram consisting of a suitably inscrutable cloud.

What's in a certification?

I certainly wasn't expecting a rooster to start crowing as I hit question 50 on my information security certification exam this past Saturday. Then again, not much had gone as I'd anticipated. Soon after number 50, a noisy cow was driven back to the nearby hillside, and the din outside the wide-open school lunchroom windows was reduced to the distant clatter of cars and honking on the nearby outskirts of Pune, India.
