Risk Management

Some IT sectors may profit from downturn

Judi Hasson — Wed, 08 Oct 2008 16:27:29 -0400

The economic news has been bad all around, from both a personal and a corporate perspective. But some IT sectors may actually prosper from the economic turmoil and be poised to help clean up the mess from the financial fallout. A story at eWeek.com points out that companies involved in e-Discovery, archiving, enterprise search, risk management and secure file transfers could find their products and services in high demand.

As the government takes over banks and investment houses and tries to unravel the mortgage mess, there will be lots of digital research needed to get records and find out who made the bad decisions. They are also going to be looking for who was cheating and who ended up with money. Prosecutions, indictments, lawsuits and civil actions will be forthcoming, and lawyers will be scouring through disk- and tape-based storage on all levels for documents, emails, spreadsheets, web archives, PowerPoint presentations, IM transcriptions, audio tape and videos.

All this will benefit e-Discovery firms like Kazeon, Autonomy, Clearwell Systems, Attenex, Symantec, Seagate Technology's MetaLINCS, Iron Mountain's Stratify, LexisNexis, Recommind and some other smaller companies.

For more on this surprising turn of events:
- check out this eWeek.com article

Emergency radio network fails tests

Paul Mah — Fri, 22 Aug 2008 10:07:15 -0400

A post 9-11 effort to build a massive radio network connecting emergency personnel across New York has performed so poorly in tests that state comptroller Thomas P. DiNapoli has suggested that the current contractor be dropped. Tests in September last year found that spoken words could not be understood, and that communications between relay towers frequently were lost. Retests in April and July did not show any improvements.

The company hired to build the network, Tyco Electronics subsidiary M/A-COM, must fix the problems, or risk losing the contract without receiving any compensation. The state has committed to making a decision by the end of next week.

For more on this article:
- check out this New York Times article

A new technique to assess network security

Judi Hasson — Sun, 27 Jul 2008 11:39:41 -0400

Researchers at the National Institute of Standards and Technology have figured out a new way to help IT administrators assess security risks using attack graphs and the National Vulnerability Database.

"We analyze all of the paths that system attackers could penetrate through a network and assign a risk to each component of the system," computer scientists Anoop Singhal said. "Decision makers can use our assigned probabilities to make wise decisions and investments to safeguard their network."

NIST notes that a hacker can take a number of routes through the network to find confidential data once inside the firewalls. The new technique evaluates each route and assigns a risk based on the level of difficulty for the hacker. Using an attack graph analysis, three potential attack paths are determined, and an attack probability is assigned for each path.

For more:
- see this eWeek.com article

Beware bank website dangers

Judi Hasson — Sun, 27 Jul 2008 10:58:07 -0400

Researchers from the University Michigan have conducted a study of the websites of 214 banks, and found design flaws in 76 percent of them that could potentially put the customers at risk.

The research didn't find vulnerabilities in the websites themselves. Instead, it found that many banks redirect users to insure third-party sites with supposedly secure login boxes that often rely on Social Security numbers or email addresses as default names.

The study said use of this information on the insured third-party sites could make it easy for an outsiders to figure out the codes and steal personal data.

"We want banks to make the right decisions so people who are trying to be careful can do online banking securely," said lead researcher, Atul Prakash, a professor of computer science and engineering. The study said even careful customers could fall victim to a "phishing" scam if they enter personal information on a site that does not belong to their bank.

For more on this study:
- see Finextra.com article

Technologies for change

Judi Hasson — Tue, 15 Jul 2008 21:16:27 -0400

It may not be what many CIOs would have imagined, but a revolution is taking place in the IT field. The changes involve the increased need for compliance and minimizing risk on all fronts, new business pressures to reduce costs and requirements to actively support business competitiveness.

It also involves the move away from IT skill groups and professional backgrounds, toward a more customer-centric model. These and other changes still come to mean CIOs must understand the shifts, make constant adjustments, and be ready to adopt new technologies. According to CIOupdate.com, "There are a number of game-changing technologies, most conspicuously CMDB systems..." that can affect the IT workplace. The list also includes Application Dependency Mapping (ADM) capabilities that provide "dynamic insights into where your application services reside across the infrastructure and how configuration changes are likely to impact them."

To read more about these trends:
- see this CIOupdate.com article

Insiders biggest threat to IT theft

Thu, 05 Jun 2008 06:59:59 -0400

Every IT department worries about security lapses and outside hackers stealing confidential data, but a new survey suggests that CIOs believe the biggest threat may actually come from within.

Secure Computing Corp., an enterprise gateway security provider, said a survey of 103 CIOs found that 80 percent of those polled felt internal threats posed the greatest risk. The security services company also reported that CIOs are acting on this concern, directing the bulk of their security-related IT spending to shore up internal safeguards.

To read more on the Internal threat:
- see this rcpmag.com article

Hardware makers warned to start testing Windows 7 devices soon

Paul Mah — Tue, 03 Jun 2008 06:24:21 -0400

In an apparent bid to avoid the device driver compatibility problems that plagued the launch of Windows Vista, Microsoft has ordered hardware makers to begin testing on the first beta version of Windows 7 as soon as it becomes available. Those who fail to comply with the edict risk not qualifying for the Windows Logo certified compatibility program for Windows 7 or Windows Vista. Also, all submissions must include a complete CPK--a process control method with test logs from Windows 7 onward. Going by Microsoft's customary timelines, the final version of Windows 7 is expected to be out by 2010.

For more about Windows 7:
- check out this InformationWeek article

How to manage brilliant people

Tue, 27 May 2008 06:59:56 -0400

Every CIO wants a bright, top-flight IT staff. But the smarter the employees, the greater the risk that they will be demanding, ignore the opinions of others, become easily bored and think they are always right.

So how does a CIO manage a brilliant technical staff, creating a positive and productive work environment? CIO Magazine offers six basic tips. They include managing results, not processes; being inclusive and open to new ideas; being willing to engage in a dialog and learning; and finding ways to challenge yourself and stretch your creativity.

All the while, say the experts, IT executives must guide the process and cannot abdicate their managerial responsibilities.

For more tips on managing the best and the brightest:
- see this CIO magazine article

Feds encrypt 800,000 government laptops, 1.2 million more to go

Paul Mah — Fri, 23 May 2008 05:50:06 -0400

Government agencies in the United States are scrambling to plug a glaring security hole in the form of sensitive information stored on laptops and portable media such as thumb drives. More than 800,000 licenses for encryption software were purchased by agencies last year alone. Still, the brisk upswing came only after repeated headliners of gross security breaches and against a backdrop of increased risk of identity theft.

Various software from up to 10 leading vendors are available under steep discounts under the DAR (Data at Rest) Encryption program--run jointly by the General Services Administration and the Department of Defense--though the most popular products are hybrid packages that offer both full disk and file folder encryption.

For more on the DAR Encryption program:
- check out this Network World article

Can we learn from our mistakes?

Mon, 21 Apr 2008 07:00:00 -0400

Data theft is happening so often that it's not even news anymore. The latest reported theft occurred at Buffalo State College in New York, where a single laptop containing 16,000 students' Social Security numbers was stolen. The story is detailed in this week's news section. Why can't we ever learn? It should be forbidden for any contractor to take data off-site when he or she is working on a project. It should be forbidden to download personal information onto laptops that could be swiped. Until there are ultra-secure procedures for everyone and painful penalties for failing to keep the data secure, we are all at risk, aren't we? -Judi