August, 2008
Web filtering - who and what to block?
Who and what should the web filter block?

Obvious malicious, lewd and illegal content aside.... should mental diversions be limited or blocked from users? Social networking, youtube, gaming, news, etc can be very distracting and hamper production, but when used sparingly can boost morale, enhance creativity and act as an employee perk in the organization.

My question is, which (if any) of these activities should be blocked? Should everyone be affected by this policy or should engineering and executives be excluded? As a bonus, how does your company handle web filtering?
I like Angelos' answer because it points to where the challenge really is - the humans. With the technology, we can do everything we can imagine. But humans. Now, that is a totally different matter. It takes a very non-technical manner to deal with those people.
In all my humbleness (right), I post my own answer below (as it is found on LinkedIn).
My LinkedIn answer:
In my experience, blocking access to internet resources soon turns your employees into a negative, less-productive bunch of unhappy sheep (lots of negativity in there, huh?)
Nothing is obvious when it comes to humans, and just blocking whatever one person finds obvious may very well upset someone else. As long as we are using technology to deal with human behaviors, we need to teach the same humans the reasons we choose to use technology instead of just enlightening them.
There are only a few occasions I suggest using these kinds of controls:
* in controlled / secure environments where you must ensure 100% control of what is entering and leaving the area (then I always advise to set up a set of computers with access - as the Internet now is a vital part of our communications)
* in restricted areas like jail and schools where motivation to follow policies is not that evident. But - this is also a very narrow path, as many kids today outsmart the local IT-resource.
* in short time frames in departments dealing with sensitive information like annual results. Then we may close down all communication within a particular time - but never forget that there are phones, facsimiles and other techs you cannot control (that easily)
I am not a fan of closing down access. I believe that most employees are going to do their job as expected - as long as they get their perceived value in return. And face it - in today's workspace, most people will expect access to the Internet at their discretion.
Now, I am an advocate for an employer-controlled work environment - i.e. the company sets the rules, and when you sign your contract, you agree to follow those very rules. But. As long as we are dealing with humans, we will reach much better results by understanding how psychology and organizations work and function. By using a mixture of positive incentives and negative incentives, and doing this in a clever manner, you will see much better results over time.
Face it, if you force a block, someone will be unhappy. You will start to see people trying to work around those barriers. Your management will scream and expect totally different rules. Your day will become a nightmare. And what do you achieve? Less motivated, less productive employees.
I suggest the following approach that has worked a dream in the past:
* set up a QoS on your network, and on your outbound link. Tune down everything you do not like entering (streams, P2P, Skype etc). Set it so low that it is still possible to use it, but not practical anymore.
* Inform your employees regularly about how computers are a time thief (I mean, even for me now - I spend time writing this on the Internet instead of doing any productive work...), and give them tips on how to deal with it. Consider them humans and grown-ups, and it is amazing what you can get them to accept.
* Set up a network monitoring device, analyzing and capturing data traffic. These devices are able to tune in on, and capture only relevant data - triggered by rules and patterns you can define. Use this to figure out what is really going on, and to find those one or two rogue employees that you know are out there. Now you have evidence you can use to force this person to either follow the rules, or to kick him/her out of the organization.
In the end, you have a very efficient setup that does not interfere with day-to-day business, that does not make you vulnerable to updates and new "things to block", and that as a bonus makes you the hero of everyone in the organization (except the rogue ones, though...)
I have very good experience with this type of setup. Just keep in mind that you are dealing with humans - so treat them like humans to get them to do what you want!
----
What are your thoughts on web filtering?
When failure is unavoidable - learning is required!
If your venture fails, it is vital to look back and evaluate what went wrong. It may be painful, but if you do not try to learn from the mistakes, you are likely either to never try again, or to create another failure.
It is a common mistake to forget about evaluating your mistakes. But, Roger Ehrenberg, former CEO at Monitor110, does not forget. In his post, he analyzes the different aspects - from leadership and management, to money issues - who would have thought that too much money actually would cause the failure of a venture?
I found this post very valuable, and did recognize failures I have made too.
For any business, failure is an option. It is a possibility. And ultimately, risk management is about reducing that possibility to the barest minimum. But, as any entrepreneur will know, failure is knocking on your door constantly unless you keep focusing. And many entrepreneurs simply do not have enough time to do it all.
How can you avoid failure? What are the steps you can take to ensure success?
What do you think about entrepreneurs?
I have decided that this blog - the Roer.com Information Security blog - will change and narrow its focus a bit, and focus on information security for entrepreneurs and start-ups. I hope that this small change in focus will not drive away my current readers, while continuing to grow my readership.
By doing this change, I hope to fill what I think is a gap in the Security blogging arena - to help start-ups and SMEs achieve adequate security. As far as I see it, most security bloggers out there are in one or more of these three groups:
- vendor or service provider, focusing on promoting their own products/services
- (enterprise) risk management, focusing on what many SMEs will consider theory and not very relevant to their everyday focus
- IT-security, focusing on technology, hacking, and "geek" stuff
I think they all have an important role to play, and that they are needed. But for myself, I do not belong directly in any of the categories, plus I am very interested in entrepreneurship. Thus, I will try to fill this gap :)
But worry not, my readers! I will continue to dish out my opinions on global security, TSA, other bloggers and whatever else even remotely security related that I feel an urge to comment upon!
On a side note, I have also established a new blog, focusing on another area I love - trainings!
Do you think this is a good move? Or am I walking into a dead end? Your thoughts are highly valued!
Airport security - when will this end?
Branding starts when you pick up your phone!
I just called a company - or so I thought. I was researching, looking for some particular information, and was now calling competitors of my client in order to gather intelligence.
And as I call around, the phone is answered (no surprise there) with:
Me: "Have I reached ABC corp?"
Her (sounding unsure): "Yes..."
Me: "Am I talking to ...?"
Her (suspicious this time): "Yeees..."
Then: "Who am I talking to?"
I realize that I have made up my mind already in her first "Hello...?". This is not a company I would want to deal with.
Her: "Excuse me a second..." and the line goes on hold.
I start wondering what I am dealing with here. Obviously, this is no professional company. My mind wanders off, and I seriously consider just hanging up.
But, I brace myself, and continue - I am on a mission, after all:
Me: "So, listen...I was wondering, do you deal with ...?" (Insert the service/product name here).
Her (hesitating): "Yes, I could do that."
Wow. So, this company is her. No-one else, it seems. And obviously she is not used to customers rushing down her phone.
We continue our conversation, which continues to break up with "Please hold a sec..." every 30 seconds or so. As I have gathered the information I wanted, I start to wrap up. And now she has changed her approach, and starts to seem desperate.
Me: "So, let me get back to you."
Her: "Please do. I can do this. I really can, I assure you. Really."
I hung up.
Imagine, I wrote one third of this post while on hold - during the conversation - with this company. I posed as a potential client. I would pay. I would be a long term client of hers.
But it is all ruined by the first impression. The first "Hello...?". The lack of a presentation. The total lack of professionalism and commitment. It just makes me sick.
And this reminds me that branding is a full time commitment. Your company's public image is created by that first phone call. And if you drive potential clients away, you will end up with a broken back before you know it!
SQL-Injection How-To
In order to better control and protect yourself against such attacks, it is always nice to know more about how they work. Kassaras has made a very nice How-To, where he explains in detail how you can set up a test system and then try to manipulate it.
The post is well worth a read!
My new training blog
One of my passions is training - as in teaching others new skills, helping others find their potentials and being a motivator. I love this so much that I decided to make a new blog - focusing only on trainings, preparations and presentations.
My new blog is called BeBetter, and the URL is: http://www.bebetter.no
Although most trainings and tips focus on motivation, presentation skills and personal development, I also include tips and thoughts on security trainings from time to time. If at all interested in training and motivating others, please pay my new blog a visit!
Thanks!
Jamparii update
According to Jim Tuffin, CEO and founder of Jamparii, they have now put the project on hold due to lack of funding. He says that all funds received are returned. I have no reason not to trust his words.
Jamparii serves as an example of how good (or bad) ideas need a critical mass to survive. Building a business is hard work and high risk. I usually see two main reasons young businesses fail:
- Lack of funding
- Lack of patience
Lack of funding is usually due to the fact that things take much more time, and cost more money, than first imagined. I have seen, and been part of, this kind of failure. It hurts, and it is not fun. The only way to deal with this is to get the funds in time, and enough of them.
Lack of patience is different - this happens if investors, or key members, stop trusting the product. This creates a downward spiral where all energy in the venture goes away, and takes with it the passion that is required to succeed.
Happily, way too few business creators know this. And if they know, they are able to push it aside and get their venture going anyway.
Jamparii - so, was it a scam, or what?
One year ago, I wrote about my thoughts on Jamparii, and I asked if it was just another scam.
Back then, Jim Tuffin, the CEO and founder, claimed that this would be the next great success within social networking. In a comment to my blog post, he also said that he did not want to involve professional venture capital, as they would require a high number of shares in exchange for their cash. Who would blame them?
Anyway, I would be very interested in knowing what happened to Jamparii, and their founder members. Do you know anything? Did you join? What are the prospects of getting your cash back? If you did not join, what were your reasons for not doing it? Any news you have, please share!
TJX - over reaction?
First things first: let me welcome you to the blogosphere! Taking your expertise as a lawyer, I probably should just shut up and not start to argue, but then again, what is the point of a discussion if we cannot share our opinions?
To your comment, I do not agree that there has been an over reaction. I think this depends on your point of view. If you consider only the known theft of money, you might be right.
However, if you consider the theft of privacy, the costs related to renewing CCs and the potential threat to the CC holder, I think the reactions so far have been anything but over reaction. I also think it is necessary to consider the time frame of the attack - this went on for quite a while, and I think it is important to consider that this was an important "wake-up" call to many shops.
You say that the credit card issuers overreacted. I disagree. Their alternatives were:
- say nothing (and wait for the press to find out...ticking, expensive bomb)
- say "your credit card info is just lost, but hey, who cares? It is way too expensive to issue a new card" (and wait for customer to yell, call the press and cancel their cards manually; adding potential expensive law suits to the cost)
- do as they did - cancel all cards, issue new ones. High initial cost, but low cost & risk in the long run. Just imagine the cost of losing the trust of the credit card user...
A Nigerian man has been sentenced to 12 years in prison for sending out fraudulent e-mails offering victims big bucks in exchange for moving cash to the United States.