Secure Value: July 2009

« June 2009 | Main | August 2009 »

July 2009

07/30/2009

Study Says 40% of SMBs not online

Internet hosting provider 1&1 Hosting released a study showing that 40% of small and medium businesses do not have online presence. The gist of the study focused on SMBs and the barriers that false perception of costs to build an online presence. Information security obstacles were not included in the study announcement.

By online presence, the study was referring to web sites and did not consider social networking tools.

I wonder if false perceptions and fears of information security issues are also barriers to going online.

Posted by Douglas Davidson at 04:08 PM in Online Business, Small Business, Social Media | Permalink | Comments (2) | TrackBack (0)

Technorati Tags: Business, Business and Economy, Computers and Internet, Information technology, Internet hosting service, Small and medium enterprises, Web Design and Development

07/29/2009

Campus Technology Innovators Need to Secure Value as they Build New Learning Evironments

Image via Wikipedia

Sitting at a break in the action Campus Technology 09 thinking.

Comparing conference chatter from last year to this .. the pace of innovation has been rapid if the talk of all things 2.0 is any indication. Just about anyone will quickly engage and share how they are using social networking or web 2.0 technologies in the classroom, in their business, in research and innovation projects or just in life. But ask a question about security or privacy and it is obvious that the dive into the 2.0 pool hasn't included some basic thinking about security.

Innovation without security thinking simply sets the stage for bad things to happen in the future. Too many security practioners lament the social network. But stopping it is like trying to stop water from flowing downhill. The trick is diverting it, channelling it, guiding it to go where you want it to go.

Embrace these new technologies. As an entreprenuer I've already seen payoffs from being socially networked. But embrace them thoughtfully with intentional security.

Posted by Douglas Davidson at 07:26 AM in #ct09, Information Security, Secure Web Development, Social Media | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: Innovation, Privacy, Security, Social network, Web 2.0

07/24/2009

Secure Value: Heading to Boston to participate in Campus Technology 09 Show

Secure Value for educational innovators building learning environments in Web 2.0 technologies

Image via Wikipedia

I am gearing up for a trip to Boston next week to participate in Campus Technology '09, the 16th Annual Education Technology Conference. In the midst of all this buzz about Web 2.0, the conference Mastering Digital Worlds: Web 2.0 and beyond, will be an introduction to how colleges and universities of all sizes are investing and applying these new technologies to the learning environment. Hopefully, these schools are doing this securely. We'll find out while we are there.

The excitement around the Web 2.0 "revolution" feels just as exhilerating as the excitement around the Web 1.0 "revolution". We have some young guns in the company who have put on a brave face as I "entertain" them with my war stories from my days introducing businesses to the original web. But this new interconnectedness has the opportunity to both distract and enrich our lives. I look forward to learning at the conference.

And as always I'll have my eyes and ears open looking for examples of innovations that have been implemented with proper attention to information security principles and the privacy requirements of the audience. From my perspective an innovator at a higher education institution and an entrepreneur growing a business have similar issues to overcome.

We'll be exhibiting in Booth 630 in the main exhibit hall at the Boston Convention and Exhibition Center.

Here's a bit of information on our participation in the show last year:

http://campustechnology.com/Articles/2008/08/2008-Campus-Technology-Innovators-Network-Security.aspx

Posted by Douglas Davidson at 02:14 PM in Secure Value, Secure Web Development, Social Media | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: Business, Campus Technology 2009, Education, Higher education, Information security, Mastering Digital Worlds, Privacy, Security, Web 2.0

SMB Security: Five Bright Ideas from CSOonline on How to Secure Value

I enjoy reading CSOonline. Even if its articles are geared toward big company information security technical practioners there are always some solid (and entertaining) nuggets available. This one might of use to the small and emerging business:

SMB Security: Five Bright Ideas by Lauren Gibbons Paul

The article identifies and lists five bright ideas for small businesses and medium enterprises looking to secure their business:

Risk management should form the foundation of your security practices.
The ongoing confluence of information security and physical security is good news for SMBs.
Video surveillance and analytics are now within the reach of SMBs.
Outsourcing is more popular than ever.
Recognize that you can't take people out of the equation.

Number 3, video surveillance, might not be for everyone but the other 4 are definitely topics to be aware of when working to secure your small business environment.

Posted by Douglas Davidson at 12:07 AM in Information Security, Small Business | Permalink | Comments (0) | TrackBack (0)

07/18/2009

Why don't small businesses Secure Value?

We don't build buildings without locks but we do build intellectual, informational and digital assets without locks, why?

I asked a number of people last week:

Regarding Twitter's security breach announced today as an example, how should startups consider information security in their planning?

I got a mix of responses that boiled down to:

Information security is too complicated, too technical for startups to consider.
Start ups don't have the capital to invest properly in information security.

In the context of the Twitter story .... one of the founders, first name Jack, had as his username / password combination to use Google apps Jack with the password, password .... the responses do not make sense.

Twitter has brilliant innovative people working for them who fundamentally understand information technology. The information security control (read: lock) that wasn't in place would cost $0 as their bad week could have been prevented by a hard to guess user name and a strong password. In the end it is negligence and a lack of awareness about how important this stuff is (or perhaps awareness that bad things do happen). How many other startups and growth companies enter the marketplace without proper protections?

Posted by Douglas Davidson at 03:44 PM in Secure Web Development, Security in the Business News, Small Business | Permalink | Comments (2) | TrackBack (0)

07/15/2009

Will Twitter Secure Value NOW?

Secure Value by being intentional about security issues from start up on.

Article on TechCrunch disclosing breach of Social Media hot tool Twitter by releasing hacked documents.

Article from TechCrunch discussing start up Twitter's poor security culture as shown by a breach of their business systems.

UPDATE:

Some words from the old guard media at the New York Times on the issue.

Posted by Douglas Davidson at 11:32 PM in Secure Value, Security in the Business News, Social Media | Permalink | Comments (0) | TrackBack (0)

07/13/2009

What are the top three concerns that I should be aware of i.e. putting applications on my facebook page. I don't do it because I am paranoid.

Secure Value by being intentional about your use of Social Media and the information you expose.

A little paranoia is useful because it gets your attention! There are concerns. Here are our top concerns and recommendations to protect yourself:

1. Concern: Facebook does not have a screening process for applications. This means that applications can be put out on Facebook that are potentially dangerous. Facebook however will remove these apps over time, if several users report them. The removal of apps has historically only happened after a few million people have already used them though. Protection: My recommendation is to only use Facebook apps that you really need and that have been widely used for a period of time (30 to 60 days).

2. Concern: These applications can be used to steal information from your page that can be used for identity theft, some of these “25 questions about yourself” applications actually ask for many of the answers that you would be most likely to use as your security questions for various accounts. Applications like this or other quiz applications are bad because they not only steal your profile information, they also probe you for additional information making it even easier for you to become a victim of identity theft. Protection: I wouldn’t use these types of applications.

3. Concern: Facebook applications have the ability to load third party sites inside of the Facebook application itself. What this essentially does is load up a new browser window inside of Facebook, making you think you are still on Facebook, but actually putting you on another website. This makes it easy for an attacking application to not only steal your information, but also install malicious software to take control of your system as well. Once a trojan is on your system it can steal your Facebook account information, and then send out malicious links to your friends without your knowledge. Protection: Ensure your web browser and operating system as well as any applications on your PC (MS Office, Acrobat, etc.) are patched. Have anti-virus and anti-spyware programs installed and up to date. Consider a firewall. The second step is to once again always check and understand what the applications are that you are installing.

4. Concern: Finally, be aware of what you exposing with any Facebook application. Here is a warning from when I started to use LivingSocial, a FaceBook app. "Allowing LivingSocial access will let it pull your profile information, photos, your friends' info, and other content that it requires to work.” Those that write applications have access to everything in your Facebook profile even if the intent of the application does not appear to need access to those things. Protection: Again, only use applications you really need and consider any information that you put on Facebook to be exposed to the world because in essence it is.

As this Social Media world continues to evolve, some of these concerns will be put to rest, while others will arise. Invest some time understanding the tools and what they do so you can change with the evolution.

Posted by Douglas Davidson at 01:04 PM in Secure Value, Social Media | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: information security, privacy, Secure value, social media

07/10/2009

Secure value by considering information security when selecting a web developer

Many web based businesses are ideas in the heads of non-technical entreprenuers that are translated into action by web application developers. Selecting the right web developer is key to a successful web based business.

Make sure you secure your value when you select a service provider to develop your great idea, million dollar mousetrap or next big thing by asking these questions:

1. Does the developer have an active portfolio of sites that handle content, information and processes similar to your planned site?

2. Will they let you select references from their portfolio (rather than tying you to those they hand pick)? Ask the references how site security was considered during the course of the project.

3. Does the service provider consider secure coding as important to your project’s success as the ascetics and functionality of the site?

4. Does the provider use templates as a base for their work or do they develop everything “from scratch” based on a custom model?

· If they use templates ….

o Are the templates developed in house, acquired from a trusted source, or acquired from the public domain?

o Regardless of the source, how do they validate that no known vulnerabilities are in the template code?

· If they write all of the code themselves …

o What is their development process?

o Do they develop all of the code in house with company employees?

5. Do they test the code before its release for performance and security vulnerabilities?

6. How do they validate they are delivering a secured site?

7. Will they include an independent 3rd party vulnerability assessment in their service that must be passed before you'll accept delivery?

8. Do they consider information security in their contract? Do they offer a guarantee that code is provided with no known vulnerabilities?

9. Does their service (and price) include maintenance on the code they provide? Does the maintenance include both in house developed code and template based code? Are security considerations included in their maintenance processes?

10. How do they monitor new vulnerabilities in the code they produce? Will they guarantee or warranty their code?

11. Does the service provider vault the code so you have a secure code set to restore to in the case of a breach?

Posted by Douglas Davidson at 03:39 PM in Information Security, Secure Value, Secure Web Development, Vendor Selection | Permalink | Comments (0) | TrackBack (0)

07/07/2009

No Secured Value -- The case of the insecure web "specialist"

Include information security considerations when contracting with a web developer to code your great idea.

We took a call recently from a woman whose brand new web-based business closed its doors for good before less than a day after her site's launch. The site had been corrupted by a SQL injection attack. She was an entrepreneur with a great idea and in selecting a developer had made a fundamental error. It is an error many web based entrepreneurs make.

She had contracted with a “web specialist” to develop an ecommerce site servicing consumers who were busy mom’s just like her. She and her husband had done everything right except consider the “web specialist” and his ability to code securely. That mistake meant that after the breach they were out of money and unable to continue their business.

They had done many things right, following conventional wisdom in creating a home-based business. They had a business plan. They had incorporated as an LLC. They had purchased and registered a catchy domain name, thoughtfully considered the function of the web site and how customer’s might use it to make purchases. They’d taken their plans and their savings, all of it, and hired a web "specialist" to build the application. To them their idea was the million dollar mousetrap.

The specialist (not a developer but a webmaster with administrative skills and some light web coding experience) had used a library of open source web page templates to “customize” the site. The templates had not been securely coded. He didn’t possess the skills to secure it himself or the awareness that security needed to be considered. And, our husband and wife entrepreneurial team, had not included information security issues in their plans or in their agreement with this “specialist”.

We were called to scan the site to provide a list of what needed to be corrected. All of their investment (again read this as life savings) had been put into the site. They had no money to pay for security services or redevelopment. We advised them to hold the “specialist” accountable. The last we heard they had decided that the cost of an attorney and the costs of redevelopment were too great for their finances. Before writing this I searched for the site under both the topic and the old URL to no avail. It appears as if they were forced to stick with their decision to close.

Have you considered the security of your web based business as part of your planning?

Posted by Douglas Davidson at 09:12 PM in Secure Web Development, Small Business, Vendor Selection | Permalink | Comments (0) | TrackBack (0)

Secure Value

Secure Value focuses on information security issues that impact the value of start up and growth oriented small and medium businesses.