
Baffled by security recommendations
I would like to say how much I agree with your article "Secure your
technology, secure your business" on Computer-Weekly.com. However,
some of your recommendations for achieving this seemed a little
baffling.
It is absolutely wrong to think of the network SSID as any form of
security. Changing it from the default is sensible as it will help
you identify your networks. Changing it on a regular basis will
bring no security benefits whatever. Turning SSID broadcasting off
in Beacon frames makes no difference; client devices probing for
the access point will reveal the SSID to any packet capture
tool.
The point about radio noise disrupting normal operation was
particularly well made, but how would a system administrator know
that noise was the problem? All a user would report would be
difficulty in connecting.
To spot this kind of attack you need an intruder detection system,
ideally with sensors overlaying the wireless network, providing
complete coverage and alerting you to rogue access points and
clients, ad-hoc networks, spoofing of MAC addresses and a plethora
of other attempts to gain access.
A wireless security audit is vital. Wireless equipment is installed
in many firms without wireless and unauthorised access points are
everywhere.
IT professionals are right to be concerned about wireless security:
your wired network can be blown wide open by incorrectly configured
wireless equipment. But set wireless up correctly, use the security
features well, install an intruder detection system and you can
take advantage of wireless networking, safe in the knowledge it is
secure.
Denis Laverty, managing director, Openxtra
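To illustrate the letter's point that hiding the SSID is not a security control, here is an added example (not from the letter or from Openxtra) that parses the tagged information elements of 802.11 management frames: a beacon from a "hidden" network carries a zero-length SSID element, while a client's probe request for that network must name it in clear. The frame bodies are constructed samples, not real captures.

```python
import struct

SSID_TAG = 0  # 802.11 information element id for the SSID


def parse_ies(body: bytes) -> dict:
    """Parse tagged information elements (id, length, value) from a
    management-frame body into {tag_id: value}.

    A truncated trailing element is dropped rather than mis-parsed."""
    ies = {}
    pos = 0
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # element runs past the end of the frame
        ies.setdefault(tag, value)  # keep the first occurrence of a tag
        pos += 2 + length
    return ies


def ssid_from_beacon(frame_body: bytes) -> str:
    """Beacon body = timestamp(8) + beacon interval(2) + capability(2)
    + information elements. A network with broadcasting turned off
    still sends beacons; it just sends a zero-length SSID element."""
    ies = parse_ies(frame_body[12:])
    return ies.get(SSID_TAG, b"").decode("utf-8", "replace")


def ssid_from_probe_request(frame_body: bytes) -> str:
    """Probe request body is information elements only. A client
    looking for a hidden network has to name it, so the SSID is
    visible to any packet capture tool in range."""
    ies = parse_ies(frame_body)
    return ies.get(SSID_TAG, b"").decode("utf-8", "replace")


# Constructed sample frame bodies (hypothetical network name "CorpGuest").
HIDDEN_BEACON = (struct.pack("<QHH", 0, 100, 0x0411)  # fixed fields
                 + bytes([SSID_TAG, 0])                 # empty SSID element
                 + bytes([1, 1, 0x82]))                 # supported rates
PROBE_REQ = bytes([SSID_TAG, 9]) + b"CorpGuest" + bytes([1, 1, 0x82])

if __name__ == "__main__":
    print("beacon SSID:", repr(ssid_from_beacon(HIDDEN_BEACON)))
    print("probe request SSID:", repr(ssid_from_probe_request(PROBE_REQ)))
```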
Corporate governance will not enhance careers
In response to David Harrison's letter, which said that the role of
the IT director may be enhanced by new corporate governance needs
(Computer Weekly, 16 March), I cannot agree that the current focus
on corporate governance is likely to enhance the role of the IT
director or chief information officer.
IT managers cannot break out of "providing a service to the
business at the most effective cost" due to the attitude presented
by Harrison. It is a common failing in the IT community to equate
form with function.
IT managers also have a reputation for talking in cost-saving terms
- return on investment is often misused and has become the latest
buzzword. A "dashboard" for the operation of enterprise IT systems
will therefore merely reinforce the resulting prejudices of other
directors.
A director has time for efficiency after considering strategic
issues. Governance, including representing shareholders; board and
senior management performance and recruitment; monitoring
operational managers; economic and market dynamics; competition;
public relations and so on, must come before operational issues. In
a world where no industry stands still for long, many CIOs have too
little to offer.
IT provides tools to ensure proper recording, filing and
cross-referencing of a firm's actions, some low-cost ways of
managing communications with customers and suppliers and some
planning benefits from data analysis and projections. Aside from
day-to-day operations, certifying regulatory and legal compliance;
planning for customers' changing needs; supplier, creditor and
debtor relationships and cost-saving, although important, are not
typical major issues for directors.
Enterprise IT can only ever offer operational support because
strategic issues require brain power. IT offers ways to magnify
brain power, but in the end, strategic issues and governance in
particular are about people.
No enterprise can compete with the exceptional and still growing
economies of scale of the internet. Don't fight it - keep
outsourcing and, by all means, install a dashboard to monitor your
suppliers' operational performance against the contract. But do not
expect it to provide a route to the board. For that, invest in your
head.
Stephen Wheeler
System administrators slow e-mail to snail mail
Here is a thought for the week: system administrators ought to
lighten up.
I recently sent an e-mail to a company which had surpassed our
customer's expectations. The body of the text stated,
"Congratulations! You have made a client of ours very happy."
The system administrator returned it to me as I had "triggered rule
[offensive or derogatory]". My e-mail had been trapped by an
automated system. It would be reviewed and would only be forwarded
if deemed work-related.
Does this mean we cannot even get away with praise these days? I
wonder whether any other Computer Weekly readers have had similar
experiences?
I have since had two further rejections after sending clear,
work-related e-mails. After calling the recipients to confirm the
message, I have learned that it can take two hours for e-mails to
come out of the security system.
So much for high-speed messaging. I think I might go back to
sending good old-fashioned faxes or letters.
Millie Kinghorn
Are returned virus messages illegal?
I am getting fed up with the sites that continue to bounce virus
e-mails back to the supposed sender. Many viruses now spoof the
sender address, so what is the point of clogging up the internet
with yet more junk e-mails?
Then I thought about it a bit more. Isn't harvesting an e-mail
address from a virus e-mail, and then using that personal
information to send a "you have sent us a virus" e-mail a breach of
the Data Protection Act?
The data controller has not taken reasonable steps to ensure that
the data is correct, and an incorrect decision has been made using
automated processing.
Also, isn't bouncing a virus e-mail technically the same as spam?
It is an unsolicited message, meaning it is illegal under EU
law.
Terry Davies
Should security be outsourced?
In response to articles in last week's Computer Weekly about the
increasing trend of outsourcing IT security management.
Last week's Computer Weekly confirmed that outsourcing security
management is on the increase, but it also confirmed that good IT
security professionals are not easy to find.
However, one word of caution: although any firm may outsource the
management aspects of IT security, they must remember that the
overall management and control of the risk must reside within
company control.
It is all about reputation and a firm grip must be maintained over
ownership of security maintenance.
John Walker, BCS registered security specialist
The excess of security technology
In response to the article, "Study says security appliances are the
way forward", which stated that smaller businesses are rejecting
security software in favour of security appliances
(Computerweekly.com).
I beg to differ with this article. Author Sally Whittle merely
promoted opinions expressed by suppliers of security equipment -
that the world needs more security equipment.
At the risk of being labelled a heretic, I would like to state the
opposite opinion: the last thing we need is yet more technology.
Blaming insecurity on a lack of appliances is like blaming famine
on a lack of refrigerators.
Information security is, and always has been, primarily a people
problem. It is people who run unknown mail attachments and spread
malware. People choose weak passwords and share them with their
friends. People make mistakes coding and configuring software.
People accidentally delete important files. Computers do what
humans tell them to do. We are telling them the wrong things and no
amount of appliances will prevent this.
We cannot continue blaming technology for human failures - it is
time to face facts. We must acknowledge that we are creating the
problems. We must promote information security education, training
and awareness, not just in response to individual incidents, but as
a systematic cultural change. Information security should be as
natural as locking the front door.
So long as we continue to tolerate bloated, buggy and insecure
software by pinning our hopes on "security appliances" to solve our
security woes, we will continue to suffer avoidable security
breaches.
Gary Hinson, chief executive, IsecT
Why schools must help themselves
In response to a letter from a primary school volunteer (Letters, 9
March) who had received government-funded laptops but no
maintenance budget or advice on how children should use the
touchpad to avoid repetitive strain injury.
I would advise the concerned school volunteer to think about two
words: gift horse and mouth.
You have received 15-20 laptops at a cost of say £15,000 upwards, a
lapbank/lapsafe at a cost of about £3,000, printers and wireless
connectivity. A total cost of about £20,000. For free. And your
school objects to this?
In response to your concerns about RSI, I would suggest that half
an hour, two or three times a week is very unlikely to cause RSI,
and if you really believe it would, I am sure this could be
rectified with one half-hour lesson - we find that kids generally
are not as stupid as you seem to think they are.
Also I would suggest that the "butterfly" position the children are
adopting is something that had been observed by teachers and only
then were the children asked if it had hurt - a question which most
eight-year-olds would not really understand. If the staff are using
the laptops and then complaining about RSI, I am sure they are
bright enough to figure out what to do.
I agree that all schools should have an IT co-ordinator, someone
who has some degree of computer literacy, and there is funding
available for this post within every school.
In defence of the local education authority in question, if it is
in any way similar to the organisation I work for, it is probably
overstretched and understaffed. The bottom line is that time is
money, even within local government.
The government is throwing money at IT in schools, but if the
schools are not prepared to work with us and accept some of the
burden, we are fighting a losing battle. There is no use
complaining about something until you are prepared to find a
solution.
Phil Brockbank