July 2008 Archives

The countdown has begun. The excitement is building. Millions of people across America and the globe are turning their attention to China for the 2008 Summer Olympics. On August 8, the games begin, and the Internet is full of articles on every aspect of this topic.

So how are the Olympics related to your personal computer or your network at work? These games can be streamed right into the office, if your network administrators allow that to happen. NBC, which has the rights for broadcasting the games in the USA, has announced its tentative schedule, which runs for two weeks. While many companies and governments block streaming video, numerous others do not. Employees consuming the organization's Internet bandwidth on video could put essential business functions at risk.

While this topic is not new, there are unique aspects to the Olympics this year. For starters, the 12-hour time difference between Beijing and the US eastern coast puts many evening sporting events (and opening and closing ceremonies) during the US workday.

Second, many government networks and even homes with teleworkers now have high speed connectivity which makes watching sports online a much more realistic activity than in years past. 

Third, Americans have grown accustomed to reading their news online. Articles and video clips on politics, sports, and more are often not blocked, even if live streaming is blocked. As world records fall and Americans win medals, many will watch and keep coming back for more.

NBC has announced that live events will not be available online at their websites, but it remains to be seen if savvy web surfers will be able to get international online feeds at home or work.

Besides network bandwidth and productivity issues, there will be other threats coming our way. Back last December, Websense predicted that the Olympic games will be the number one threat for this year - bringing new cyber attacks, phishing, and fraud.

"Event-based attacks and scams are popular, and with the whole world watching, the 2008 Olympics may fuel a surge in cyber attacks. As the Olympic torch burns, Websense researchers predict the possibility of large scale denial-of-service (DoS) attacks on Beijing Olympic-related sites as political statements and fraud attempts through email and the Web surrounding the Olympics. Additionally, Websense predicts compromises of popular Olympic news or other sports sites --attacks designed to install malicious code on end-users' machines and steal personal or confidential business information."

Addressing this topic may sound to some as if the technology organization is taking the fun out of the office. I have written against the security organization consistently playing this negative role in government enterprises. As a matter of fact, I plan to watch quite a bit of the Olympics - but at home in the evening with my family.

Ever since my wife and I visited China three years ago to adopt our youngest daughter, I have been looking forward to these games more than any other. China is a wonderful place with an amazing history and culture. I'm probably more excited about these Olympics than most readers. Still, we need to think through the security and network issues facing the workplace. Each business area needs to decide what is appropriate and what is not for their situation.


There will be other aspects to this topic that I will discuss next time, but the primary message is for CIOs, CISOs, network and security professionals to prepare now. Get ready at work over the next ten days by discussing various scenarios regarding the Olympics. Decide what is blocked and what is allowed. Ask the "what if" questions.

What are your thoughts on watching or reading about the Olympics at work?

Earlier this week, I described an "aha" moment that has helped me understand how millennial workers think (and approach life and work). That experience happened over two years ago - just a few weeks after attending a seminar on the demographic challenges that are heading our way with both retiring baby boomers and an incoming workforce with new values and expectations.

But before I started writing, I did quite a bit of homework. What did I find? Here are two examples: John Leo from US News and World Report proclaimed, "Authenticity and integrity are prime values (for millennials). ... Enron should have hired millennial executives."

In 2005, Zogby International conducted a poll of young Americans entering the workforce. "...75% said the people they work with and live near are trustworthy. Almost everyone (97%) said they consider themselves to be trustworthy, and 85% said they think their personal goals in life are less important than acting with honesty and integrity..."

You may be thinking, "I'm not seeing it. The young staff I work with don't behave properly online. Even when clear directions are given, they...."

I don't disagree. Living with integrity is hard (in the real world). It is even harder in the virtual world of cyberspace where many activities are being renamed. The "aha" part of this was that millennial workers value integrity and strive to defend it. That is certainly more than can be said about security (for most staff), which is often seen as an impediment to getting things done.

Earlier this year, The Washington Times reported "Millennials show respect for values" with data from J. Walter Thompson, the nation's largest advertising agency. The surprising findings: "a generation brimming with adultlike respect for American institutions, family values and work ethics, despite a few quirks."

However the same report also stated, "... the workplace was open to interpretation. A minority -- 46 percent -- said they felt obligated to adapt to the workplace environment. Most thought the workplace 'should adapt to me.' They also crave some amusement at the office."  

Some experts are even calling for us to rename security and focus on trust, saying that "security and privacy have bad names and bad connotations." My response agreed with John Reece's problem statement, but disagreed that "trust" (alone) was the answer. We can't forget about security, but authenticity, transparency, inclusion, integrity and trustworthiness may be better words to guide virtual lifestyles.

This discussion is more than new semantics or spin that tries to rename important terms. Of course, we still need (better) security and privacy. We also require end user training and awareness on topics such as avoiding phishing scams. But staff usually want to go around or even "defeat" security measures. On the contrary, most people will make an extra effort to defend their personal or their team's integrity. Numerous published stories have shown that even the best-trained go over to the dark side, so technology training alone cannot be the answer.

Talk to your staff about online integrity - now more than ever in a Web 2.0 world. There are powerful forces that tempt us all to water-down the commitments we make (such as signing acceptable use policies) at work. I call this character-robbing activity "Integrity Theft" - the covert brother to identity theft. I tell staff about (true) stories of those who have damaged their reputations and careers with inappropriate behaviors in cyberspace.

It may come as a surprise to many boomers, but millennial staff will actually appreciate the fact that you took time for the discussion. Use those mentoring moments to help young workers become part of the office solution.  

By the way, the book Virtual Integrity is coming out this fall from Brazos Press.

According to numerous press reports, the San Francisco cyber coup has ended. After San Francisco Mayor Gavin Newsom met with Terry Childs (the senior network admin), Childs handed over the network passwords to the mayor, who was "the only person he felt he could trust" according to his lawyer.

In case you missed this last week, I wrote a blog on how the cyber coup started.

Earlier this week, InfoWorld ran a detailed story on the latest developments. Here's an excerpt:


Childs' attorney has asked the judge to reduce Childs' $5 million bail bond, describing her client as a man who felt himself surrounded by incompetents and supervised by a manager who he felt was undermining his work. "None of the persons who requested the password information from Mr. Childs ... were qualified to have it," she said in a court filing.

 

Over the past week, many stories have surfaced regarding potential motives and the wider circumstances around this case. A ComputerWorld blog claimed to have an insider who told all. Here's a quote: "Like many network administrators who work in the rarified air of enterprise network architecture and administration, Childs apparently trusted no one but himself with the details of the network, including routing configuration and log-in information."

No doubt, we will hear many different versions of this story over the coming months (maybe years). I can't help thinking that we'll all be watching this story on a big screen a few years from now ... 


Government Technology Magazine's cover story for July 2008 described the challenges posed by millennial workers. Here's a short excerpt from the end of the article Younger Employees May Bring New IT Security Challenges:


...[Samir] Kapuria thinks coaching younger employees on the security environment as it relates to Web 2.0 and existing risks might be a better approach than leaving things to IT policy alone.

[Dan] Ross agrees that training all employees as security officers would also mitigate risk. He referred to this approach as "part of the most modern way of thinking about security...."


After reading that excellent article, you may be asking: OK, so how do we coach younger employees? How do we train them - when they already know plenty about the Internet?

 

Over the past six years as Michigan's Chief Information Security Officer (CISO), I've had a few "aha" moments regarding work, but they rarely come when I'm on the job. One inspiring situation eventually led me to write a book. Really. 

 

The date was May 27, 2006. I sat in the Calvin College Chapel in Grand Rapids, Michigan, and watched my (millennial) nephew Sam offer his wedding vows. "I take you Michele to be my wife for the rest of our lives. I will be faithful to you, loving you with my every thought, word, and action. I commit myself to this marriage. I will love and serve you ..."

 

Michele reciprocated with her wedding vows to Sam, the congregation and God.  The wedding moved me. While all eyes focused on Michele, I remembered the similar vows I made to my wife Priscilla in 1989.

 

After that wedding, the importance of helping the 21st-Century "good guys" traverse cyberspace with integrity became somewhat of a personal obsession. As I led computer seminars and gave speeches at conferences around the country on responding to global security threats with "Cyber Best Practices" and "Ten Things that Keep Me Up at Night," I realized that the real Internet cultural change at home and work required digging much deeper into personal values.

 
I thought about the friends and colleagues I knew who had lost marriages or were struggling in numerous other ways as a result of poor cyber ethics. Yes, many made bad decisions, but was there more we could have done? What happened to those promises that people made when they interviewed for the job or signed acceptable use agreements? Could we have warned staff that online activities at work will certainly affect their reputations, careers and important relationships? These were "good" people who passed background checks and seemed to have it all together.

 
I asked around, and my colleagues all over the country saw similar business trends in the public and private sector. Many of our best and brightest, some graduate-degree trained, were getting into personal online trouble that negatively impacted their business. What was going on? I started rethinking the role of our office and my job.


As I spoke with large numbers of recent college grads about their goals, ambitions, and hopes, one thing became clear: Millennials value their integrity. Some used different words, like trustworthiness, but everyone I spoke with was looking to make a difference in the world, to have authentic interaction on talented teams that exhibit honesty and integrity.

 

Could this be an essential key to interacting with the next generation? Was this just "talk" or something more important? I was curious, so I did some homework. 

 

The conclusion of this story will appear later this week. 


San Francisco's Cyber-Coup

It might be the ultimate insider-threat scenario. The Internet is full of stories from San Francisco where a computer network administrator has gone bad. As of Tuesday night, Terry Childs was sitting in a city jail and not handing over the computer passwords required to properly administer city networks. If this situation wasn't so serious, I'd be tempted to think this was a movie promo.

The San Francisco Chronicle ran a series of stories on the situation, from an initial description of what happened yesterday to another late Tuesday update on the situation. Here's an excerpt from the first article:

"Prosecutors say Childs, who works in the Department of Technology at a base salary of just over $126,000, tampered with the city's new FiberWAN (Wide Area Network), where records such as officials' e-mails, city payroll files, confidential law enforcement documents and jail inmates' bookings are stored.

Childs created a password that granted him exclusive access to the system, authorities said. He initially gave pass codes to police, but they didn't work. When pressed, Childs refused to divulge the real code even when threatened with arrest, they said."

SC Magazine was one of many technology sources online that analyzed the situation yesterday. "The systems affected continue to work, though with only limited or no access." They pointed out how most of us grant access based upon staff trust.

This situation is a harsh reminder to each of us that separation of duties is not just an audit requirement - but an essential operational process for every IT organization.

Get DNS Patches Installed

Over the past week, there have been numerous calls from all over the technology industry to update your Domain Name System (DNS) software on numerous platforms.

Computerworld was one of many publications that ran a series of articles on this topic, such as:

Microsoft confirms WSUS patch problem - "Microsoft Corp. yesterday acknowledged that it may have to re-release a recent fix for a flaw that stymied some users' ability to grab security patches through Windows Server Update Services (WSUS)."

DNS researcher convinces skeptics that bug is serious - "Once-skeptical security researchers now agree that the critical bug in the Internet's Domain Name System (DNS) protocol is the real deal."

Back on July 8, SC Magazine described how multiple vendors worked together to cooperate and solve a major industry problem. Here's an excerpt:

"A massive domain name system (DNS) design vulnerability that could permit cache poisoning - effectively allowing an attacker to direct users to the website of his choosing - is set to be fixed by an unprecedented synchronized series of multivendor patches."

So what are governments doing? Many are quickly rolling out the required patches to critical DNS servers using emergency procedures. In Michigan, we issued orders to implement our fast-track patching process to get DNS servers updated over the weekend.

We are rolling out desktop patches using our normal patch distribution process. After US-CERT, MS-ISAC and others sent out alerts, we also sent the word out to our local partners to make this a high priority to get resolved now.

If you haven't rolled out these patches yet, this should be an urgent matter for this week's calendar. Make sure that every system in your enterprise is patched against this flaw; otherwise, customers may end up going to the wrong websites.
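The coordinated patches described above hardened resolvers by randomizing the UDP source port of outgoing queries, so an attacker poisoning a cache can no longer count on guessing only the 16-bit transaction ID. One way to confirm a resolver actually got the fix is to look at a sample of its outbound queries. This is an added example, not code from the original post or from any vendor; the capture records are constructed, and the thresholds are the author's assumptions.

```python
import math
from collections import Counter

# Constructed samples of (UDP source port, DNS transaction ID) for outbound
# queries from three hypothetical resolvers. In practice these pairs would be
# pulled from a packet capture of the resolver's outgoing UDP/53 traffic.
FIXED_PORT_RESOLVER = [
    (32768, 0x1a2b), (32768, 0x3c4d), (32768, 0x5e6f), (32768, 0x7081),
    (32768, 0x9293), (32768, 0xb4c5), (32768, 0xd6e7), (32768, 0xf809),
]
SEQUENTIAL_PORT_RESOLVER = [
    (1024, 0x11aa), (1025, 0x22bb), (1026, 0x33cc), (1027, 0x44dd),
    (1028, 0x55ee), (1029, 0x66ff), (1030, 0x7700), (1031, 0x8811),
]
RANDOMIZED_RESOLVER = [
    (49215, 0x4f21), (61004, 0x9a77), (53390, 0x02c8), (34612, 0xe1d3),
    (57799, 0x7b05), (41873, 0xc4ee), (62210, 0x3619), (50487, 0xa8f2),
]

MIN_SAMPLES = 8           # assumed: below this the statistics mean little
MIN_DISTINCT_RATIO = 0.8  # assumed: share of queries that must use a fresh port
MIN_PORT_SPREAD = 1024    # assumed: a patched resolver draws from a wide range


def shannon_bits(values):
    """Empirical Shannon entropy (bits) of the observed values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess_resolver(samples):
    """Classify a resolver's source-port behaviour from captured queries.

    Returns a dict with the entropy of the ports and transaction IDs seen
    plus a verdict: 'insufficient_data', 'fixed_port', 'sequential_port',
    'narrow_range' or 'randomized'. Only 'randomized' indicates that the
    2008 cache-poisoning fix (source port randomization) is in effect.
    """
    if len(samples) < MIN_SAMPLES:
        return {"verdict": "insufficient_data"}
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    result = {
        "port_entropy_bits": shannon_bits(ports),
        "txid_entropy_bits": shannon_bits(txids),
        "distinct_port_ratio": len(set(ports)) / len(ports),
    }
    # A pre-patch resolver reuses one port; the 16-bit txid is then all the
    # entropy an off-path attacker has to guess.
    if result["distinct_port_ratio"] < MIN_DISTINCT_RATIO:
        result["verdict"] = "fixed_port"
        return result
    # A sequential allocator has many distinct ports but one constant step,
    # which is no harder to predict than a fixed port.
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(steps) == 1:
        result["verdict"] = "sequential_port"
        return result
    if max(ports) - min(ports) < MIN_PORT_SPREAD:
        result["verdict"] = "narrow_range"
        return result
    result["verdict"] = "randomized"
    return result


if __name__ == "__main__":
    for name, capture in [("fixed", FIXED_PORT_RESOLVER),
                          ("sequential", SEQUENTIAL_PORT_RESOLVER),
                          ("randomized", RANDOMIZED_RESOLVER)]:
        print(name, assess_resolver(capture)["verdict"])
```

A NAT device in front of the resolver can undo the randomization by rewriting ports, so capture on the Internet side of any NAT when you run this check.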
  



The National Institute of Standards and Technology's (NIST's) 800-series publications have long been the gold standard for not only federal agencies but also local and state government security. Their Computer Security Resource Center (CSRC) website provides an essential library full of security guidance, best practices, legal requirements, security checklists, sample plans, and more. While adopting this information is mandatory for most federal agencies, NIST documents have become standards for many state and local governments.   

 

Now NIST has released updates to three special publications on security. The updates include:

1) NIST SP 800-79-1, titled "Guidelines for the Accreditation of Personal Identity Verification Card Issuers."

2) NIST SP 800-53A, an addendum to the "Guide for Assessing the Security Controls in Federal Information Systems."

3) NIST SP 800-67 Version 1.1, titled "Recommendation for the Triple Data Encryption Algorithm Block Cipher." 

 

Government Computer News recently ran a story on various aspects of these security document updates.  

 

For those who are in government IT security and are not familiar with the NIST security offerings, I recommend spending an hour or more visiting their site. They have templates to help in so many areas, and they can save you thousands of dollars, not to mention precious time, in developing security plans that comply with federal standards. Since many of us get federal dollars for IT, the benefits should be fairly obvious.

 

Back in 2007, my friend and colleague Dr. M. E. Kabay from Norwich University wrote an article for Network World describing the many benefits to the NIST security site.  I typically visit the site at least once a month to check out what's new and updated. 

 

So what sites do you find most helpful for security documentation? What NIST documents has your government tailored for local use?



For many in government technology, virtual worlds still equate to the games people play. Well, you'd better start to adjust your thinking. Despite the fact that many are blocking Second Life (SL) and other virtual worlds, some version of "The Matrix" is coming to a government near you, and you'll probably have an avatar in your future.

Don't believe me? Check out this 2-minute video from Xerox on Second Life. (Oops, better check first to see if you're allowed to watch YouTube videos at work.) That's right, this is the new Xerox - that copier company.

Want to learn more on virtual worlds now? There are plenty of recent articles and guidance on the web right now, and this topic was very popular at recent Spring IT conferences. Here are some good articles to become informed on this topic:

1) This is Not a Game: Virtual Worlds Coming to Your Business, Forrester Predicts.

2) Virtual (Global) Office  

Here are two quotes from that Business Week article: "Cisco is among companies that recruit in Second Life. 'My extended team uses Second Life primarily to recruit new talent,' says Andrew Sage, a marketing vice-president at Cisco, adding that Second Life is good for finding workers under the age of 25."

"Sun Microsystems also wanted to be able to run a virtual world that could connect to its own databases and user-verification systems. 'When we started experimenting with Second Life, we quickly realized it wasn't an appropriate environment for business collaboration,' says Sun's Yankelovich. So Sun created Project Wonderland, freely available 3D software for creating a virtual world, as well as the avatars and animations within that world."

Missouri has received great coverage for their Second Life activities, including their education recruiting.

Government Technology ran a piece on Missouri's recruiting effort.

So what are the Security Risks? They are deep and wide ....

Gartner lists five main areas:
1. IT-Related Security Risks
2. Identity Authentication and Access Management
3. Confidentiality
4. Brand and Reputation Risk Management
5. Productivity

No, I'm not advocating a big jump to open up Second Life on your government networks, but get educated now. Virtual Worlds are coming - along with new security issues. I'll be blogging much more on this topic in the future.

What are your thoughts on Virtual Worlds in government offices anytime soon?

 


Get ready for the end of the "dot com" era. No, I'm not predicting the demise of the Internet. To the contrary, eGovernment is alive and growing rapidly. But our names may change - specifically the domain names.

According to USA Today, get ready for a "scramble for desirable addresses, called top-level domains...." Popular domain names may even be auctioned off.

As mentioned in the article, this issue has many security implications, such as the filtering of URLs that may eventually be created and any ethical issues that may surround this topic.

ICANN's press announcement describes the historic decision made in late June in Paris and answers some typical questions. The final implementation plan is expected out in early 2009. Contact information is also provided to get more details.

Need help picking website names for home or work? Websites have popped up to help us choose the best names. Although this advice applies to the entire URL, it is also an interesting starting point for the domain name discussion. Advice includes making site names: meaningful, uniquely identifying, memorable, manually reproducible and special.

So should governments stick with the ".gov" domains or the older "state.xyz.us" format, or join in the new domain name revolution? I expect this debate will start to heat up over the coming months. On one side, a trusted ".gov" domain can help ensure the site is official. On the other side, more specific domain names for various topics may more accurately address citizen needs and offer public/private alternatives that help e-Government in new ways.

This issue is not entirely new. In Michigan, we have www.Michigan.gov for most e-Government interaction, but www.Michigan.org for travel. Hundreds of other examples like this exist all over the country, along with specific redirects from various names to the official government domains.

My gut reaction: we will gradually get government domain names joining other categories over the next decade, but adoption will be slow. Plenty of questions abound, but get ready for more change in this brave new web.

What are your thoughts?