Tuesday, June 30

Nobody gets fired for buying IBM

I liked this article about how some corporate IT departments are reacting to the economic downturn. "We're using smaller, lighter and cheaper technologies..." says one CIO.

Since my employer is a small, nimble, innovative software company, I especially liked this quote from CPS Energy CIO Christopher Barron:
"With software from smaller vendors, it can take 20% to 40% less time to implement, and if it works, it could save you between three and eight times as much. The catch, of course, is that it doesn't always work. But even failing seems to be cheaper than going with the big guys."
I've always heard the adage that 'Nobody gets fired for buying IBM', meaning that even if you spend a little more, you're playing it safe by going with a trusted, well-known name. But the only projects I've ever heard of becoming colossal failures involved solutions from big-name vendors with multi-million dollar price tags. And the really cool success stories you hear involve someone accomplishing something great on a minimal budget.

Don't get me wrong - I know that many large businesses run on big-name solutions from IBM, SAP, Oracle and the like, but I think we need to be clear that the adage is not an axiom. That is, it's not self-evident. In fact, to some, it might even be nonsensical. Why would it make sense to spend 4x the money to decrease your risk of over-expenditure?

What do you think? Does the adage hold up in today's economy? Will it hold up when we recover? Is it simply a question of finding the right solution for the job, or should it be part of a CIO's objective to put cost out in front of the decision?

Wednesday, June 24

Online Identity Privacy - Users Don't Take Precautions

One of my tenets for online privacy is:
Don't do anything online that you absolutely want to keep private.
Case in point:

I was looking through the form submissions to my company's web site. There is consistently some percentage of submissions that are auto-submitted spam. Sometimes it's obvious and sometimes it isn't.

Today, I was researching one submission and googled her name and email address. The search brought me to a page listing a spreadsheet of form submissions to another site - complete with names, email addresses, phone numbers, and comments. Some were obvious spam, but others were obviously real.

They're showing up because of a technical glitch or security issue on the site: the Google search brought me directly to the site's administrative page, with no logon required.

What makes this story interesting is that the site is a Las Vegas escort service and some of the form submissions read as follows:
  • From a student (@uwec.edu) - "very interested"
  • From a student (@wvu.edu) - "I need a price on ____"
  • From someone claiming to work at Microsoft - "Hi, I'm planning a trip to Vegas with my fiance but I wanna get away from her for one night. What is the limit to your services and who would you recommend? I need a girl with _____. Thank you for your time." (how polite) ...he may not have put his real company, but another quick search found his email address with a profile telling me that he lives in Seattle(!)
  • From a Web Developer in MN - "I am interested in an escort to accompany me to dinner" - (I found his LinkedIn profile because he provided his real company name)
...you get the idea.

Two lessons:
  • First, the obvious one - don't trust web sites to keep your information private.
  • Second, (to the security practitioners who read this blog) - don't underestimate how willing people are to give up their personal information to even the most suspect organizations.

btw - Who thinks this privacy breach will be reported?

Monday, June 15

Quick Reference Guides for Windows and AD admins

Active Directory UserAccountControl – Common values related to access rights.
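Since a UserAccountControl value is just a bitmask, the quickest way to use a table like that is to decode it in a script and pull out the flags that matter for security. The following is an added example, not part of the linked guide; the flag values are the standard ADS_USER_FLAG_ENUM constants, and the three sample accounts are constructed, not real directory data.

```powershell
# Added example (not from the linked quick reference): decode a userAccountControl
# bitmask into flag names and highlight the ones with security impact.
# Flag values are the standard ADS_USER_FLAG_ENUM constants.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x00000001
    ACCOUNTDISABLE                 = 0x00000002
    HOMEDIR_REQUIRED               = 0x00000008
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020   # blank password permitted
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080   # reversible encryption
    TEMP_DUPLICATE_ACCOUNT         = 0x00000100
    NORMAL_ACCOUNT                 = 0x00000200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x00000800
    WORKSTATION_TRUST_ACCOUNT      = 0x00001000
    SERVER_TRUST_ACCOUNT           = 0x00002000
    DONT_EXPIRE_PASSWORD           = 0x00010000
    MNS_LOGON_ACCOUNT              = 0x00020000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000   # unconstrained delegation
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000   # weak Kerberos crypto
    DONT_REQ_PREAUTH               = 0x00400000   # AS-REP roastable
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # protocol transition
    PARTIAL_SECRETS_ACCOUNT        = 0x04000000
}

# Flags that loosen authentication or open a well-known attack path.
$RiskyFlags = @(
    'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'DONT_EXPIRE_PASSWORD',
    'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH', 'TRUSTED_FOR_DELEGATION',
    'TRUSTED_TO_AUTH_FOR_DELEGATION'
)

# Return the names of every flag set in the bitmask.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    foreach ($name in $UacFlags.Keys) {
        if (($Value -band $UacFlags[$name]) -ne 0) { $name }
    }
}

# Produce one report row per account: raw value, all flags, risky flags.
function Get-UacReport {
    param([Parameter(Mandatory)][object[]]$Accounts)
    foreach ($acct in $Accounts) {
        $flags = @(ConvertFrom-UserAccountControl -Value $acct.userAccountControl)
        $risky = @($flags | Where-Object { $RiskyFlags -contains $_ })
        [pscustomobject]@{
            Account = $acct.SamAccountName
            UAC     = ('0x{0:X}' -f [int]$acct.userAccountControl)
            Flags   = ($flags -join ',')
            Risky   = ($risky -join ',')
        }
    }
}

# Constructed sample data (not real directory objects).
$Samples = @(
    [pscustomobject]@{ SamAccountName = 'svc_backup'; userAccountControl = 0x410200 }  # NORMAL + DONT_EXPIRE + DONT_REQ_PREAUTH
    [pscustomobject]@{ SamAccountName = 'jdoe';       userAccountControl = 0x200 }     # NORMAL_ACCOUNT only
    [pscustomobject]@{ SamAccountName = 'olduser';    userAccountControl = 0x222 }     # NORMAL + PASSWD_NOTREQD + ACCOUNTDISABLE
)

Get-UacReport -Accounts $Samples | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module) the same report is:
# Get-UacReport -Accounts (Get-ADUser -Filter * -Properties userAccountControl) |
#     Where-Object Risky | Format-Table -AutoSize
```

Run as-is it prints the three sample rows; svc_backup shows DONT_EXPIRE_PASSWORD and DONT_REQ_PREAUTH under Risky, olduser shows PASSWD_NOTREQD, and jdoe shows nothing. The `Where-Object Risky` filter in the commented live-domain line keeps only accounts that have at least one risky flag set, which is the list you actually want to review.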

Windows File System Permissions – As labelled in the Windows Security dialog with descriptions for both folders and files.

Wednesday, June 10

Obama Stimulates Compliance Spend

from HIPAA.com:

A new requirement (one of the HITECH Act provisions of the American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009) will have business associates of covered entities required to comply with the Security Rule safeguard standards, beginning February 17, 2010.

from the article:
Covered entities are required to have in place audit controls to monitor activity on their electronic systems that contain or use electronic protected health information. In addition, they have to have a policy in place for regularly monitoring and reviewing audit records to ensure that activity on those electronic systems is appropriate. Such activity would include, but is not limited to, logons and logoffs, file accesses, updates, edits, and any security incidents.

Monitoring and review of audit trails must be as close to real time as possible to be useful. There is no benefit in discovering a problem days or weeks after it has occurred. How a covered entity sets its policies and procedures will be based on outcomes of the covered entity’s risk analysis. If a security incident occurs, failure to exercise this audit control standard may be proof in an inquiry that a covered entity had the capability of knowing what was occurring, but failed to exercise timely corrective action.
(emphasis added)

Interesting. I need to track down the source docs to see what's real and what is interpretation.