Have your say at computerweekly.com
Baffled by security recommendations
I would like to say how much I agree with your article "Secure your technology, secure your business" on Computer-Weekly.com. However, some of your recommendations for achieving this seemed a little baffling.
It is absolutely wrong to think of the network SSID as any form of security. Changing it from the default is sensible as it will help you identify your networks. Changing it on a regular basis will bring no security benefits whatever. Turning SSID broadcasting off in Beacon frames makes no difference; client devices probing for the access point will reveal the SSID to any packet capture tool.
The point about radio noise disrupting normal operation was particularly well made, but how would a system administrator know that noise was the problem? All a user would report would be difficulty in connecting.
To spot this kind of attack you need an intruder detection system, ideally with sensors overlaying the wireless network, providing complete coverage and alerting you to rogue access points and clients, ad-hoc networks, spoofing of Mac addresses and a plethora of other attempts to gain access.
A wireless security audit is vital. Wireless equipment is installed in many firms without wireless and unauthorised access points are everywhere.
IT professionals are right to be concerned about wireless security, your wired network can be blown wide open by incorrectly configured wireless equipment. But set wireless up correctly, use the security features well, install an intruder detection system and you can take advantage of wireless networking, safe in the knowledge it is secure.
Denis Laverty, managing director, Openxtra
Corporate governance will not enhance careers
In response to David Harrison's letter, which said that the role of the IT director may be enhanced by new corporate governance needs (Computer Weekly, 16 March), I cannot agree that the current focus on corporate governance is likely to enhance the role of the IT director or chief information officer.
IT managers cannot break out of "providing a service to the business at the most effective cost" due to the attitude presented by Harrison. It is a common failing in the IT community to equate form with function.
IT managers also have a reputation for talking in cost-saving terms - return on investment is often misused and has become the latest buzzword. A "dashboard" for the operation of enterprise IT systems will therefore merely reinforce the resulting prejudices of other directors.
A director has time for efficiency after considering strategic issues. Governance, including representing shareholders; board and senior management performance and recruitment; monitoring operational managers; economic and market dynamics; competition; public relations and so on, must come before operational issues. In a world where no industry stands still for long, many CIOs have too little to offer.
IT provides tools to ensure proper recording, filing and cross-referencing of a firm's actions, some low-cost ways of managing communications with customers and suppliers and some planning benefits from data analysis and projections. Aside from day-to-day operations, certifying regulatory and legal compliance; planning for customers' changing needs; supplier, creditor and debtor relationships and cost-saving, although important, are not typical major issues for directors.
Enterprise IT can only ever offer operational support because strategic issues require brain power. IT offers ways to magnify brain power, but in the end, strategic issues and governance in particular are about people.
No enterprise can compete with the exceptional and still growing economies of scale of the internet. Don't fight it - keep outsourcing and, by all means, install a dashboard to monitor your suppliers' operational performance against the contract. But do not expect it to provide a route to the board. For that, invest in your head.
System administrators slow e-mail to snail mail
Here is a thought for the week: system administrators ought to lighten up.
I recently sent an e-mail to a company which had surpassed our customer's expectations. The body of the text stated, "Congratulations! You have made a client of ours very happy."
The system administrator returned it to me as I had "triggered rule [offensive or derogatory]". My e-mail had been trapped by an automated system. It would be reviewed and would only be forwarded if deemed work-related.
Does this mean we cannot even get away with praise these days? I wonder whether any other Computer Weekly readers have had similar experiences?
I have since had two further rejections after sending clear, work-related e-mails. After calling the recipients to confirm the message, I have learned that it can take two hours for e-mails to come out of the security system.
So much for high-speed messaging. I think I might go back to sending good old-fashioned faxes or letters.
Are returned virus messages illegal?
I am getting fed up with the sites that continue to bounce virus e-mails back to the supposed sender. Many viruses now spoof the sender address, so what is the point of clogging up the internet with yet more junk e-mails?
Then I thought about it a bit more. Isn't harvesting an e-mail address from a virus e-mail, and then using that personal information to send a "you have sent us a virus" e-mail a breach of the Data Protection Act?
The data controller has not taken reasonable steps to ensure that the data is correct, and an incorrect decision has been made using automated processing.
Also, isn't bouncing a virus e-mail technically the same as spam? It is an unsolicited message, meaning it is illegal under EU law.
Should security be outsourced?
In response to articles in last week's Computer Weekly about the increasing trend of outsourcing IT security management
Last week's Computer Weekly confirmed that outsourcing security management is on the increase, but it also confirmed that good IT security professionals are not easy to find.
However, one word of caution: although any firm may outsource the management aspects of IT security, they must remember that the overall management and control of the risk must reside within company control.
It is all about reputation and a firm grip must be maintained over ownership of security maintenance.
John Walker, BCS registered security specialist
The excess of security technology
In response to the article, "Study says security appliances are the way forward", which stated that smaller businesses are rejecting security software in favour of security appliances (Computerweekly.com).
I beg to differ with this article. Author Sally Whittle merely promoted opinions expressed by suppliers of security equipment - that the world needs more security equipment.
At the risk of being labelled a heretic, I would like to state the opposite opinion: the last thing we need is yet more technology. Blaming insecurity on a lack of appliances is like blaming famine on a lack of refrigerators.
Information security is, and always has been, primarily a people problem. It is people who run unknown mail attachments and spread malware. People choose weak passwords and share them with their friends. People make mistakes coding and configuring software. People accidentally delete important files. Computers do what humans tell them to do. We are telling them the wrong things and no amount of appliances will prevent this.
We cannot continue blaming technology for human failures - it is time to face facts. We must acknowledge that we are creating the problems. We must promote information security education, training and awareness, not just in response to individual incidents, but as a systematic cultural change. Information security should be as natural as locking the front door.
So long as we continue to tolerate bloated, buggy and insecure software by pinning our hopes on "security appliances" to solve our security woes, we will continue to suffer avoidable security breaches.
Gary Hinson, chief executive, IsecT
Why schools must help themselves
In response to a letter from a primary school volunteer (Letters, 9 March) who had received government-funded laptops but no maintenance budget or advice on how children should use the touchpad to avoid repetitive strain injury.
I would advise the concerned school volunteer to think about two words: gifthorse and mouth.
You have received 15-20 laptops at a cost of say £15,000 upwards, a lapbank/lapsafe at a cost of about £3,000, printers and wireless connectivity. A total cost of about £20,000. For free. And your school objects to this?
In response to your concerns about RSI, I would suggest that half an hour, two or three times a week is very unlikely to cause RSI, and if you really believe it would, I am sure this could be rectified with one half-hour lesson - we find that kids generally are not as stupid as you seem to think they are.
Also I would suggest that the "butterfly" position the children are adopting is something that had been observed by teachers and only then were the children asked if it had hurt - a question which most eight-year-olds would not really understand. If the staff are using the laptops and then complaining about RSI, I am sure they are bright enough to figure out what to do.
I agree that all schools should have an IT co-ordinator, someone who has some degree of computer literacy, and there is funding available for this post within every school.
In defence of the local education authority in question, if it is in any way similar to the organisation I work for, it is probably overstretched and understaffed. The bottom line is that time is money, even within local government.
The government is throwing money at IT in schools, but if the schools are not prepared to work with us and accept some of the burden, we are fighting a losing battle. There is no use complaining about something until you are prepared to find a solution.
This was first published in March 2004