Archive for June 2009

Mistakes of Home Office Computing

I have worked at home for part of each week for over ten years. I have never had any guidance from my employer on security practices, mandates or recommendations (less the case where I am the employer or part-owner). I think I do a pretty decent job at securing my home and mobile computing environment.

I was interested in how I fared after reading a recent article entitled Seven Deadly Sins of Home Office Security. Let’s consider them:

  1. Failing to physically secure the office.
  2. Failing to install the most basic computer security measures.
  3. Forgetting Wi-Fi security.
  4. Failing to separate your business from your home.
  5. Failing to remember your office is a place of business and is held liable as such.
  6. Forgetting to back up data.
  7. Failing to consider bigger business continuity issues.

Probably my biggest mistake, according to this list, is separating my business from non-business activities as it relates to my computer. For me, who works in a small business environment, my business is very much part of my life and working at home is what I do.

If I want to watch a Netflix streaming video on my computer, I will do so without hesitation.

I back up regularly but probably not regularly enough. I am thinking strongly about a remote backup system to bolster my business continuity posture.

This list is a good checklist. But the better solution is for the management team to insist upon a prudent yet reasonable approach to remote and home computing with clear policies backed by consistent audits and enforcement.

National Cyber Czar: Good or Bad?

On Friday, President Obama made some remarks on securing our nation’s cyber infrastructure. Some highlights are:

  • It’s the great irony of our Information Age — the very technologies that empower us to create and to build also empower those who would disrupt and destroy.
  • America’s economic prosperity in the 21st century will depend on cybersecurity.
  • Cyber threat is one of the most serious economic and national security challenges we face as a nation.
  • This status quo is no longer acceptable — not when there’s so much at stake.
  • Protecting this infrastructure will be a national security priority.  We will ensure that these networks are secure, trustworthy and resilient.  We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.

All accurate. All worthy comments. Obama then went on to describe his strategy in five key areas:

  1. Working in partnership with the communities represented here today, we will develop a new comprehensive strategy to secure America’s information and communications networks.
  2. Working with all the key players — including state and local governments and the private sector — to ensure an organized and unified response to future cyber incidents.
  3. Strengthening the public/private partnerships that are critical to this endeavor.
  4. Continuing to invest in the cutting-edge research and development necessary for the innovation and discovery we need to meet the digital challenges of our time.
  5. Beginning a national campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms, and to build a digital workforce for the 21st century.

So will it work? Will an Internet czar help protect against cyber attacks? Is the praise being heaped upon the new cybersecurity direction merited? Can a cybersecurity czar make a difference in a government full of turf wars, departmental budgets, and various opinions on what to do and how to do it?

A cyber defense should be part of our military defense. For the most part, it is. Key to most information security programs and policies is to promote the confidentiality, integrity and availability of information. The problem is that collectively, we have done a poor job ensuring this is collectively the case. This is not because of a lack of effort or expenditure. There are smart IT and security personnel working in the various agencies. They know what they are doing. The question we must ask is:  What makes Obama think that having a czar that reports to him — but who has no budgetary or personnel control over the various agencies — will be successful in making cyber space safer for the nation? Are we just adding another bureaucrat that returns and reports, but accomplishes little?

Government is rarely the answer. Obama has already established his own record of how not to use government for the betterment of all. In order for cybersecurity to work as a nation, it will be up to each agency, state, city, country, industry and private firm to defend its portion of cyber space. Having a solid, national cyber security blueprint with funding hooks and accountability might help the various entities get on the same page.
