Social media and intranet case studies, best practices, & evolution by Toby Ward.
Extending single sign-on with federated identity

After the ubiquitous employee complaint about not being able to find anything on the corporate intranet, one of the next most common complaints is about passwords. “There’s too many passwords to remember!”


Of course, more important than satisfying the lazy memories of employees is your organization’s security – particularly the authentication of any user’s identity. The organization must ensure that bad guys are not impersonating employees.

The promise of Single Sign-On (SSO) for all of an organization’s applications – one login, one password – is something that makes logistical and economic sense. Federated identity takes SSO one step further by extending that single login across enterprises to include, for example, access to partner or vendor sites (such as an external vendor site where you order office supplies online).

Of course, as Patrick Thibodeau writes in Hidden challenges of federated identity, the biggest challenge for federated identity is one of politics and governance.

“For example, federating systems for employee portals raises questions about who owns the data associated with various identities and who has the final say when the data doesn't agree. Ownership issues aren't limited to external partners; federations between the HR and finance divisions of a single company can sometimes be the most acrimonious.”

Organizational politics: perhaps the biggest drag on corporate productivity, and without question the number one corporate problem limiting the evolution and value of the corporate intranet.

To effectively establish governance that combats the political challenge, Thibodeau stresses four main components of a proper governance model:


  • business issues (who does what, who pays, revenue-sharing, etc.)
  • liability (auditability and mitigating risk)
  • privacy (use and controls for personal information)
  • security

RELATED READING:

Federated Identity: Single Sign-On Among Enterprises

Assessing your security risk

Best practices: securing your intranet

Securing your intranet from the inside


© 2006 Toby Ward - Prescient Digital Media

Best practices: securing your intranet

Did you know there is software that you can download for free that can crack a password-protected network in less than 5 seconds? Or that your website can be copied and replicated with a simple click of a mouse? What has your organization done to secure the intranet and the network?


Security – it’s perhaps the top issue on the minds of network administrators. It is rarely, though, on the minds of those managing the content in communications, marketing and human resources – but it should be.


Of the 556 executives interviewed in a recent Fusepoint/Sun Microsystems/Leger Marketing survey, 55% say that their confidential and private data is at risk of an attack. For good reason: your intranet is open to attack and requires security measures. Attacks happen every day.


GeoTrust’s Best Practices For Securing Your Enterprise prioritizes its “Top 10” recommended security practices for “building online trust both inside and outside your enterprise.” GeoTrust admits that these are not comprehensive guidelines, but they focus on the most critical areas you need to address in your organization, including:


  • running SSL on servers
  • supplying client side SSL certificates to employees
  • establishing solid policies and procedures for security
  • embracing paperless transactions
  • physical network security including firewalls
  • building a secure PKI system
  • creating a testing environment

What’s the most important thing?


“The simplest but most powerful thing of all – ensure every security patch for all operating systems and applications is applied on all systems as soon as they come out. Hackers know well the vulnerabilities of Microsoft’s Internet Information System Web Servers and seek sites running them as easy targets. Patches that make IIS not vulnerable have been freely available for years and yet over 30 percent of IIS systems on the public web are not up to date. This one is worth repeating: apply all security patches immediately.”


RELATED READING:

Overview of an Intranet Security System


Phishing the U.S. Navy Marine Corps Intranet

Those scam artists are getting bold. The ROI from the Nigerian and Cameroon email scams is no longer the bounty it once was, despite the compelling and well-written tales of woe and potential riches. Fool me once, shame on me. Fool me twice… well, Bush got re-elected, so it’s no surprise phishing works; even in the U.S. military.


Phishing, of course, is the rarefied art of fraudulently obtaining an Internet user’s personal information – such as banking information – for criminal gain. The famous ones are of course the aforementioned Nigerian and Cameroon scams, where the son of a former head of the national bank needs just a little cash to free up $10 million just sitting in some bank corner and waiting for your little ante. Of course, your little ante is worth at least a million or more if you’re willing to back this get-rich-quick plan of a most noble Nigerian aristocrat. God bless that they could find your e-mail address to let you know of this fabulous opportunity! Hey, if they can find $10 million… maybe they know where to find all my lost socks from the dryer…??!!?


The big dog phishers have strapped on a big set of brass you-know-whats and are now phishing U.S. Navy and Marine Corps soldiers and civilians using the world’s biggest intranet – the Navy Marine Corps Intranet (NMCI).


NMCI headquarters has warned Navy and Marine Corps intranet users of a scam involving the myPay website, run by the Defense Finance and Accounting Service (DFAS). DFAS is the very small, naive and easily conned group who pay military people and contractors – more than 20 million of them – more than US $530 billion every year. Small fry.

NavyCompass.com reports (see Phishers scamming with myPay) that NMCI users get emails resembling the following:

"Hello user of navy.mil email server, our main mailing server will be temporary unavailable for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding server. For details see the attach. Password: Kind regards, the Navy.mil team. http:/www.navy.mil."

Hmmmm, misspelled words, bad grammar, and no sender name – an uncannily lame attempt altogether. Yup, these must be those poor sons of former Nigerian dictators! Man, the kahonas to go after the U.S. Military… but I can see the leap in logic: “Hey, remember those grandmas we scammed with that Nigerian bank thing!?! Let’s try the U.S. Navy AND Marine Corps!! Man, those guys are so gullible!!”
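The telltale signs called out above (a generic greeting, a malformed link, an attachment lure, a stray password line, no sender name) are exactly what a simple mail-gateway rule or a user-awareness aid can flag. The following Python is an added example, not code from the article or from NMCI/DFAS: it scores the phishing message quoted above against those indicators and compares it with a constructed benign message. The indicator names, the regexes and the threshold are my assumptions for illustration, not any real filter's rules.

```python
"""Heuristic phishing indicators (added example, not from the article)."""
import re

# Message body taken from the phishing e-mail quoted in the article.
SAMPLE_PHISH = (
    "Hello user of navy.mil email server, our main mailing server will be "
    "temporary unavailable for next two days, to continue receiving mail in "
    "these days you have to configure our free auto-forwarding server. "
    "For details see the attach. Password: Kind regards, the Navy.mil team. "
    "http:/www.navy.mil."
)

# Constructed benign message for comparison (not from the article).
SAMPLE_LEGIT = (
    "Hi Dana, the Q3 budget review is moved to Thursday 10:00 in room 4B. "
    "Agenda attached to the calendar invite. Thanks, Maria (Finance)"
)


def phishing_indicators(body, sender_name=None):
    """Return {indicator_name: triggered} for one message body.

    The indicator set is an assumption chosen to mirror the signs the
    article points out; a real gateway would use many more signals.
    """
    text = body.lower()
    return {
        # Salutation addressed to "user of <domain>" rather than a person.
        "generic_greeting": bool(
            re.search(r"\b(dear|hello)\s+(user|customer|member)\b", text)),
        # Malformed scheme such as "http:/www..." (single slash).
        "malformed_url": bool(re.search(r"https?:/[^/]", text)),
        # Deadline / service-interruption pressure.
        "urgency": bool(re.search(
            r"\b(unavailable|within|immediately|suspend\w*|next (two|24))\b",
            text)),
        # Tells the reader the "details" are in an attachment.
        "attachment_lure": bool(re.search(r"\b(see|open|view) the attach", text)),
        # A password line where none belongs.
        "password_mention": "password" in text,
        # No human sender name was supplied with the message.
        "no_sender_name": not sender_name,
    }


def phishing_score(body, sender_name=None):
    """Number of indicators triggered (0..6)."""
    return sum(phishing_indicators(body, sender_name).values())


def is_suspicious(body, sender_name=None, threshold=3):
    """Flag the message when at least `threshold` indicators fire."""
    return phishing_score(body, sender_name) >= threshold


if __name__ == "__main__":
    for label, body, sender in (("phish", SAMPLE_PHISH, None),
                                ("legit", SAMPLE_LEGIT, "Maria")):
        hits = [k for k, v in phishing_indicators(body, sender).items() if v]
        print(f"{label}: score={phishing_score(body, sender)} "
              f"suspicious={is_suspicious(body, sender)} hits={hits}")
```

The quoted NMCI message trips all six indicators, the constructed meeting note trips none; a threshold of three is deliberately conservative so that one odd phrase in a real message does not get it quarantined. The same function can be run over a mailbox export to pick out candidates for the security team rather than to block mail outright.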


Despite the eloquent prose waxing poetic in the phish email, the Navy has issued a warning (in case people were born yesterday or within a few weeks of yesterday):

NMCI users who get emails or popups requesting personal information for "legitimate" reasons should contact the agency directly if they suspect they're being targeted by phishers. Supervisors should train new workers on typical scams, and advise the chain of command and NMCI if repeated attempts are being made to infiltrate DOD information systems and obtain sensitive information.

If these great criminal minds are phishing the U.S. military, it’s for a reason – because it’s working. Sad, but likely true. Now, if these klowns (no relation to Krusty) are duping soldiers, who are normally kind of cautious folks, then they can fool your employees too. Better make sure your security policies are up-to-date, well-publicized and communicated often.


RELATED ITEMS:

World’s Biggest Intranet

Assessing your security risk

Securing your intranet from the inside


Management’s top IT priorities: staffing and ROI

The top two IT-related problems are operational incidents and staffing issues, according to a global survey commissioned by the IT Governance Institute (ITGI). A previous top priority, security has fallen to seventh on the list of the top eight IT priorities. Compliance was reported to be the least important problem—likely due to the significant efforts that have been put into information security projects and compliance programs, such as those for Sarbanes-Oxley in the US.


The survey consisted of 695 interviews with CEO/CIO-level executives in 22 countries, and the full results can be found in the IT Governance Global Status Report 2006. The study assessed the C-suite’s IT governance priorities and the actions executives have taken related to IT governance. It is a follow-up to ITGI’s 2003 report and tracks IT governance trends over the past two years.


The study found several improvements since 2003. For instance, IT is included more often on boards’ agendas—63 percent regularly or always include it, compared to 58 percent in 2003.


Even though 57 percent of respondents said IT is very important to the delivery of the corporate strategy, compared to 52 percent in 2003, the study found that CEOs are responsible for governance over IT in only 24 percent of the responding organizations.


"As in 2003, CEOs and business executives are still hesitant to discuss IT governance,” said Everett Johnson, CPA, international president of ITGI. “This finding is troubling because boards and CEOs are ultimately responsible for oversight over all major assets—including IT.”

Other findings include:

  • IT is more critical to business than ever. For 87 percent of the participants, IT is quite to very important to the delivery of the corporate strategy and vision.
  • For 63 percent of the respondents, IT is regularly or always on the board’s agenda (up from 58% in 2003).
  • The IT department at more than half (56 percent) of the organizations surveyed understands and supports the business users’ needs.
  • IT outsourcing is no longer seen as the most beneficial way to resolve IT problems—45 percent of US respondents believe it is ineffective.
  • The number of companies that indicated they had no IT problems increased from 7 percent in 2003 to 21 percent in 2005.
  • IT governance is not as easily implemented as respondents originally estimated.
  • Only 9 percent of the responding organizations are not considering implementing any IT governance solutions—down from 17 percent in the 2003 survey.

The survey was conducted from July 2005 until October 2005.


One other interesting tidbit from this survey: a lot of non-IT clients often complain about IT being unresponsive and uncommunicative. Not surprising, then, are the results for the following question: “How regularly does your IT department inform the business about potential business opportunities enabled by new technologies?”


Never or sometimes was the response of 45% of the CEOs and CIOs. Only 55% said regularly or always. It would be interesting to pose the same question to marketing, human resource and communications managers… the finding would be far worse (I suspect). However, those same communications, marketing and human resource managers are just as guilty of failing to properly document, plan and communicate their needs. Instead, non-techie business people lean far too heavily on their IT families. IT is a corporate service, and not necessarily a driver of the business.
