Thursday, April 30, 2009

Swine Flu H1N1 Level 4: Can business survive this after severe lay-offs

The business world is growing increasingly concerned about a quickly developing H1N1 swine flu outbreak, with cases now appearing all over the world, and hundreds more in Mexico.

This should ring loud alarm bells for IT managers and spur them on to take a close look at the dusty old influenza pandemic plans, developed several years ago in response to a potential bird flu pandemic.

The additional problem IT managers face today is that, following the recent consolidations, layoffs and restructurings, they have fewer staff and reduced capability to deal with events. They also have disjointed and inadequate response plans to correct, because the old ones were drafted in more favourable times. People who once played a pivotal role in a critical team may now be on garden leave, collecting unemployment money, or reassigned to another location or position.

Managers need to pay close attention to what is going on: the H1N1 situation is dynamic, still emerging, and has developed quickly over a short period. It needs to be monitored and taken seriously.

The World Health Organization has now raised its threat level to Level 4 on its six-level scale, because the swine flu currently shows "a sustained limited human-to-human transmission."

While the business world figures out just what this means, contingency managers are already pushing and recommending that businesses seriously review and update their call lists and decision-making chains. It is essential to close any gaps and weaknesses in plans caused by recent organisational restructuring and downsizing in particular.

If an organisation has not developed a specific pandemic plan, it should do so quickly. Concentrate on one key factor: a business-focused continuity plan that considers a "significant absence" of employees. Give serious thought to how your business could support its clients and sustain services through tele-working and virtual environments, from employees' homes.

The standard model used in pandemic planning is to consider what would happen to a business if 40% of the workforce were absent for an extended period. It is pertinent to consider a range of options, covering absentee levels of between 25% and 40%.
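One way to turn the 25-40% absence range into a concrete check on a call list, as an added example that is not part of the original post: model each critical function with the people who can cover it (primary plus cross-trained deputies), then ask how likely it is that every one of them is out at once. The names, functions and the independence assumption (absences treated as independent draws at the absence rate, which understates clustering by site and household) are all assumptions of this example.

```python
"""Added example (not from the original post): stress a call list against
25-40% absence to find critical functions that would go uncovered.

Assumptions: absences are modelled as independent with probability equal
to the absence rate (a simplification; pandemic absence clusters by site
and household), and any listed person can fully cover the function.
All names and functions below are constructed for illustration.
"""

# Constructed call list: critical function -> primary plus cross-trained deputies.
COVERAGE = {
    "payroll run": ["alice", "bob"],
    "backup restore": ["carol"],                       # no deputy at all
    "incident commander": ["dave", "erin", "frank"],
    "vpn/remote access ops": ["erin", "gina"],         # erin is double-booked
    "customer helpdesk": ["hank", "ivy", "jack", "kim"],
}

ABSENCE_RATES = (0.25, 0.30, 0.40)   # the planning range discussed above
MAX_UNCOVERED = 0.10                  # accept at most a 10% chance a function is uncovered


def single_points_of_failure(coverage):
    """Functions that only one person can perform."""
    return sorted(f for f, people in coverage.items() if len(set(people)) <= 1)


def p_uncovered(coverage, absence_rate):
    """P(every qualified person is absent) per function, under the independence assumption."""
    return {f: absence_rate ** len(set(people)) for f, people in coverage.items()}


def at_risk(coverage, absence_rate, threshold=MAX_UNCOVERED):
    """Functions whose chance of going uncovered exceeds the threshold."""
    return sorted(f for f, p in p_uncovered(coverage, absence_rate).items() if p > threshold)


def deputies_needed(n_qualified, absence_rate, threshold=MAX_UNCOVERED):
    """Extra cross-trained people needed before the function meets the threshold."""
    extra = 0
    while absence_rate ** (n_qualified + extra) > threshold:
        extra += 1
    return extra


def overloaded_people(coverage, max_functions=1):
    """People named on more than max_functions critical functions."""
    load = {}
    for people in coverage.values():
        for person in set(people):
            load[person] = load.get(person, 0) + 1
    return sorted(p for p, n in load.items() if n > max_functions)


def remediation_plan(coverage, worst_rate=max(ABSENCE_RATES), threshold=MAX_UNCOVERED):
    """How many deputies to add per function to survive the worst-case rate."""
    plan = {}
    for f, people in coverage.items():
        extra = deputies_needed(len(set(people)), worst_rate, threshold)
        if extra > 0:
            plan[f] = extra
    return plan


if __name__ == "__main__":
    for rate in ABSENCE_RATES:
        print(f"{int(rate * 100)}% absent -> at risk: {at_risk(COVERAGE, rate)}")
    print("single points of failure:", single_points_of_failure(COVERAGE))
    print("people on more than one critical function:", overloaded_people(COVERAGE))
    print("deputies to add for 40% absence:", remediation_plan(COVERAGE))
```

The useful output is not the probabilities themselves but the two lists they drive: functions with a single name against them, and people who appear on several functions at once (a deputy who is also the only backup for something else does not add real depth). Re-run the check after every restructuring, since that is exactly when the call list silently loses names.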

The WHO is in the midst of its initial investigations of the illness, and currently believes it may not be anywhere near the threat envisaged if bird flu were to become a human influenza pandemic.

Gartner Inc.'s response in 2006 was to suggest stringent measures to IT departments, such as storing 42 gallons of water per data centre worker, enough for a six-week quarantine. Even at the time this was felt to be excessive.

Asked if Gartner was offering any advice in response to the Mexican outbreak, analyst Ken McGee, the author of that Gartner report, said today that it will go into "full-force advisory mode" not when the virus jumps from birds or swine to people, but when it jumps from people to people. So, that will be quite soon then. Worryingly, it does show a slight lack of foresight and planning on Gartner's side, as well as a reactive rather than proactive response.

If nothing else, the Mexican situation will act as a wake-up call for businesses and clients that need to develop meaningful influenza and infectious disease plans. If you consider this a meaningful step for you, the next sensible thing to do is to have your plans checked and reviewed by a risk and contingency expert. These simple measures are by far preferable to having a 'live' and potentially destructive test inflicted upon your business by the virus itself, in whatever form it takes. Your choice, or no choice.

Death comes to Queen's day: Serious security breaches


5 die and 13 are injured by a lone 'maniac' during Queen's Day

I have just witnessed the most appalling scenes at the Netherlands' Queen's Day celebration. It was disrupted and brought to a sudden and tragic end with the breakdown of weak security measures, quickly followed by poor crisis and incident response measures. A complete abomination from a security risk and threat analysis viewpoint, and from a public safety viewpoint. The time taken to respond and control the situation was woefully inadequate. If this had been a real incident, 'carnage' would have resulted. Whoever was responsible for the risk and threat assessment on this is in the wrong business.

The incident today showed a complete lack of awareness of current threat reduction, vulnerability mitigation and crisis response management, prevalent in the rest of the world today. The arrogance and naivety inherent in providing this level of security to the NL Royal Family and the surrounding crowds is both negligent and incompetent.

The ease with which a lone driver was able to breach the weak security measures was shocking, but the response provided during and following the incident was severely incompetent. If this had proved to be a real attempt to assassinate the Dutch Royal family by a cynical and trained group, then it would have been highly successful to a frightening degree and would have faced no serious resistance from the surrounding security forces.

Even following the incident there were no guns drawn; the car was not isolated to protect the Royal family and the surging crowd; there were no signs of protecting or rapidly removing the 'targets'; any anti-explosion measures were ignored; the 'containment' measures were non-existent. It was a dangerously embarrassing and highly volatile situation that could have been easily exploited to devastating effect.

I have studied the counter-terrorist measures of the Israelis, the South Africans and the UK. I was online to the authorities in NY, both during the aftermath and in the months following 9/11, offering support and advice.

The UK's own Royal Family has been at the centre of a number of attacks going back over several decades and have been a target of many such maniacs.

In 1974 a gunman tried to abduct Princess Anne as she and her first husband, Captain Mark Phillips, were being driven along the Mall in London after a charity film show. Would-be kidnapper Ian Ball forced the car to a halt and brandished a pistol. I had the pleasure of meeting the police detective that took 2 bullets for Princess Anne on this occasion and I have to say that he was a most modest and self-effacing man. The stuff that 'heroes' are made of.

I have spent the last 30 years of my life studying such incidents, with specific concern for the impact and consequences inflicted on civilian and security agencies, and the effect of trauma on victims, witnesses and spectators alike. It is with this close scrutiny of rare but extreme events and incidents perpetrated on the UK mainland by the IRA and others that I am appalled at how easily the security today was compromised, and how easily the Dutch Royal family could have been assailed and possibly assassinated. The transfer of trauma will be on an enormous scale.

When are the Netherlands authorities going to realise that they have become a target for terrorism? Partly because they have proclaimed to the world that they are setting themselves up as the centre of justice for the war against international terrorists, organised criminals, sadistic dictators and mass murderers of all kinds.

Do not be mistaken, I applaud the Dutch in their stance against the evil that is so freely conducted. The establishment of the International Criminal Court against mass murderers, wherever and however they manifest themselves, is a good and honourable achievement, even if it is somewhat tainted by the smell of the additional revenues that this will bring to local law firms and the other spin-off benefits that the NL authorities encourage. Unfortunately, in the eyes of the bad guys this also makes the NL a 'legitimate' target and, by association, the Dutch people via the Dutch Royal family and other symbols of the 'establishment'.

The incident today was shocking and unbelievable for a country that believes this sort of behaviour can only be perpetrated on them by others. I thought the world had already learned this harsh lesson. The US and the UK have certainly learned that the biggest threat comes from 'home grown' terrorist groups. Who else knows your weaknesses better than your close family, and who else can get close enough to you to do you damage?

Let's not forget the victims in all this. I offer heart-felt condolences to the victims of this incident and their families; they did not deserve this, no-one does. It will take them many years to rationalise this, but clearly they expected more protection from their guardians than was on offer today, and they should demand better protection for the future: substantial measures that go beyond the hype and rhetoric of politicians.

I also hope and pray that the NL authorities can contain the wave of xenophobia and the right-wing, anti-foreigner lobby that will spring up in the wake of this incident. Queen's Day is already a symbol of white, Christian, conservative NL. There were few oriental or coloured faces on show in Apeldoorn. Marginalised and excluded from these occasions, it is easy for extremists to build on this 'pro-white' image and to corrupt the minds of young people in NL. We must prevent this kind of backlash and counter-strike mentality that drives sectarianism and terrorism alike.

There are many serious questions here, and hard lessons to be learned. I hope everyone is open to them. The future is full of uncertainty, and we need to be strong and determined to prevent terrorism and anti-social behaviour gaining ground. We have to be proactive and smart about it, not reactive and emotional. We need to address the causes of exclusion and dysfunction in this society and give the victims of it a voice to express themselves in a reasonable and rational manner. Otherwise they will find other ways to crash the party and express themselves in a dysfunctional way.

What is certain about the future is that the 2010 Queen's Day will be very different, perhaps more secure and less relaxed than in previous years. The end of a dream, a childlike naivety and an optimistic but distorted perception of liberal NL. This may be a sad thing to propose, but it is a more realistic approach, a practical sign of our times and the price we pay for the defence of civilisation: eternal vigilance.

Tuesday, April 28, 2009

H1N1: The story behind the pandemic

H1N1 influenza viruses made up of a mixture of human, swine and bird strains are not new; such mixed viruses have been found before throughout human history. However, there is a sense in which this virus could be regarded as partly man-made.

Flu viruses contain 8 strands of RNA, which code for around 10 proteins. If two flu viruses infect a cell at the same time, new viruses budding from that cell can contain a mixture of RNA strands from the two original viruses, a phenomenon called re-assortment. Recombination, "cutting and pasting" within a single RNA strand, can also produce some evolutionary mixing, though it is a separate and much less common process in influenza.


It is unusual to be infected by two flu viruses at the same time, and even rarer for one of those viruses to come from another species altogether, but it does happen, especially in pigs, which are susceptible to both human and bird flu viruses. Repeated re-assortments can produce mixtures like that found in the swine flu virus now spreading worldwide.

Again, it is not a new phenomenon. There was re-assortment between bird and human flu viruses in pigs in Italy during the 1980s, and in the 1990s an H1N2 swine flu circulating in pigs in the UK was found to be a mixture of swine, human and bird flu strains resulting from multiple re-assortments.

It is not yet clear exactly when and how the Mexican swine flu strain evolved, but it could certainly have happened without the help of genetic engineers. Despite this, the swine flu could still be regarded as man-made.

Mounted Policeman in Mexico City sports a facemask

There are now over 6 billion people on the planet, and each year we raise more than a billion pigs and perhaps as many as 70 billion chickens. The result is a paradise for influenza viruses, which can lie dormant for long periods.

The problem is not just the sheer number of potential hosts. The conditions in which animals are kept can favour the evolution of new and deadlier strains.

For example, in the wild, flu viruses can be self-limiting: the nasty strains that make animals too ill to walk or fly are unlikely to spread far. In crowded factory farms they can spread like wildfire, helped by the global trade in animals and the distribution and transportation of animal products.


The intimate interaction of farm workers with animals, especially on small-holdings where pigs, ducks, chickens and children all happily intermingle, also provides plenty of opportunities for viruses to jump species.

Animal vaccines might seem like the answer, but vaccines that do not provide 100% protection can actually make things worse. (Tamiflu (oseltamivir) and Relenza (zanamivir), often mentioned in the same breath, are antiviral drugs used to treat infection; they are not vaccines.) Vaccines are never totally effective against every viral strain. When there is widespread vaccination with a partially effective vaccine, viruses can mutate and spread without any visible disease. Ineffective vaccines also create strong selective pressure, driving the evolution of new strains that can dodge the immune response provoked by the vaccine.

Already, attention is turning to the big pig farms in Mexico, and the role they may have played in creating this new strain of swine flu but all intensive pig farming is a 'risk' and 'at risk'.

The undeniable and scary fact is that we still know so little about flu and what makes it capable of spreading from human to human. This means that analysing and reverse engineering a virus of this kind, and developing an effective vaccine or antiviral against it, would be a huge challenge.


Yes, it is possible that this virus was created by a mistake at a research laboratory or a vaccine factory, and more possible still that a virulent strain was accidentally released into the wild, as has happened before. But the most plausible explanation is that this monster is the long-predicted product of our farming system.

H1N1 Pandemic - WHO raises pandemic threat level

World health officials have raised the level of alert about a possible swine flu pandemic, since the virus seems to be spreading regularly from person to person.

The World Health Organization (WHO) upgraded the alert in an announcement (http://kenbudd.blogspot.com/2009/04/h1n1-story-behind-pandemic.html) in Geneva on Monday evening.


"It's a significant step towards pandemic influenza, but it is a phase that says we are not there yet," said Keiji Fukuda of the WHO. "A pandemic is not considered inevitable at this time."


The new H1N1 influenza virus has struck hundreds of people in Mexico, where at least 18 have died, and several dozen people in the US (see Deadly new flu virus in US and Mexico may go pandemic). In the last couple of days, confirmed cases have also been found in Canada, Spain and Scotland.


Six-point scale


WHO officials decided that the new cases and infection patterns warranted increasing their pandemic warning level from 3 to 4, on a six-point scale.


Ever since the scale went into use in 2005, it has stayed at 3 – indicating that most cases of an emergent influenza virus are caused by animal-to-human transmission.


At 4, the infection is spread primarily from human to human. At 5, human-to-human transmission is occurring at multiple geographic locations; while 6 represents an all-out pandemic, which occurs when a virus is new, causes severe disease, and transmits easily enough to be sustained.


Researchers are still studying how efficiently the virus spreads. "The situation is very fluid and it is possible we could move to a higher phase shortly," Fukuda said.

Bluetooth is now as fast as Wi-Fi

Let's talk about how Bluetooth got as fast as Wi-Fi.


Bluetooth 3.0 High Speed
Bluetooth has stopped being chained to the low-power, low-throughput radio that has been both its strength and its weakness. Newly developed code lets Bluetooth applications run over 802.11g wireless connections in the 2.4GHz band, with throughput jumping from 1-3Mbps to 20-24Mbps.

One of the key creators of this bit of wizardry is Kevin Hayes, a technical fellow with Atheros Communications, who has worked in more than a dozen task groups around the IEEE 802.11 wireless LAN standard, and in Wi-Fi Alliance projects such as Wi-Fi Protected Access.

Hayes was the technical editor for the 802.11 Protocol Adaptation Layer (PAL), one of the big changes in the just-announced Bluetooth 3.0 specification, a two-year project. The PAL, together with the 802.11 media access control (MAC) and 802.11 physical (PHY) layers, constitutes the Alternate MAC/PHY or AMP, enabling a Bluetooth profile (such as file transfer) to run over a Wi-Fi link.


It may be the beginning of "Bluetooth everywhere," according to Network World blogger Craig Mathias but make sure you look for the full formal designation: Bluetooth 3.0 + High Speed (or HS). (For some uses, vendors can deploy 3.0 without the ability to use a Wi-Fi connection but they can't use "high speed" in labeling it).


Is this such a big change?
It's a generational change. The Bluetooth SIG wanted something that a) would deliver five to ten times the performance of current Bluetooth, b) would be available to customers in a short timeframe, and c) was proven technology.

Gartner analysts picked Bluetooth 3.0 as one of eight hot mobile technologies to watch.
With 3.0, the Bluetooth stack exploits whichever radio link is best. The high-speed link is only used if both sides support it, in silicon and software. Some of the classic Bluetooth profiles, such as the headset profile or the hands-free profile for a car kit, will never use the high-speed [Wi-Fi] silicon.

There are many object and file transfer protocols and profiles that would happily use it. Things like file transfer, object push, printing, imaging: all these would involve taking some object or file from one device and moving it to another. The new standard is appropriate for almost all of these.

What happens when the new Bluetooth code is deployed on gadgets with a Wi-Fi radio?
There's a generic Bluetooth framework that rides over the classic Bluetooth radio, with a set of protocols for things like discovery and negotiation. Some configuration variables are handed over to the new software module, called the 802.11 PAL, which translates those variables from the Bluetooth domain to the .11 domain. It translates the data packets sent by the Bluetooth stack and broadcasts these over 802.11.

How does it do that?
It removes part of the Bluetooth stack header and replaces it with the 802.11 header, and sends this to the 802.11 MAC for transmission. And it reverses this process when you're receiving a Bluetooth 802.11 packet.

How complicated was this?
What was the most challenging or puzzling thing about creating this translation layer? Bluetooth, as a stack, does have a different set of expectations in its parlance, compared to IP. For example, the idea of "best effort" in transmission. In IP, best effort means "this channel gets no advanced quality of service." Bluetooth is not quite like that. In Bluetooth, best effort means it doesn't get any advanced priority service, but it is a reliable channel anyway.

Another example, is the way Bluetooth defines certain channels, for example, for audio streaming: Bluetooth will send packets and retry if they get dropped, but after a certain amount of time has passed, it will stop retrying. While 802.11 also does retries, it doesn't use time measurements, but a configurable number of retry attempts.

The PAL layer adapts the intentions of the Bluetooth layer to the capabilities of the features in the 802.11 MAC and PHY physical layers.

How does this mess up existing Bluetooth applications or usage?
This process is very clean: the Bluetooth stack itself is unchanged. That was very important. The "profiles" in the Bluetooth stack are really the applications. That was a very clear mandate from the Bluetooth SIG that none of these would change in order to support this alternate MAC/PHY. They didn't want to have to test all their profiles all over again.

How does adding this new translation step affect performance?
There's no performance loss, because there's no need for any queuing in the adaptation layer and this is normally where you lose performance in a network stack. The 802.11 stack can accept packets at 20Mbps to 25 Mbps: that's more than 10 times as fast as the classic vanilla flavoured Bluetooth.

What about the reverse? How does the Bluetooth stack receive packets at 20Mbps to 25Mbps from the 802.11 stack?
That part of the Bluetooth stack is not standardised. So if a mobile phone manufacturer did nothing in their 3.0 implementation to address this, you might have performance issues. You must make changes to this layer to perform at high speeds with 3.0, by adding resources for queuing.

How big a problem is that technically?
It's well within the developers capabilities to address these issues.


What parts of the stack do I have to look at to optimize performance?
This is simply the same exercise you would go through for Bluetooth as you would for adapting your network stack for gigabit Ethernet. You are on familiar ground here.

What will users see?
Clearly, to benefit from the high speed connection, you'll need two devices with the new 3.0 silicon, e.g. a smartphone trying to send five to ten jobs to a PC. Users will be shown a simple menu option on their smartphone, saying "send to Bluetooth", or a simple Bluetooth menu. They would go through the same motions as they do now in transferring data, but it would just happen faster.


When will they see it?
Nine to 12 months is the time frame, according to the Bluetooth SIG. If you want a smartphone with Bluetooth and 802.11, you'll have to wait for the next version of the phone to come out. I am sure the manufacturers and providers will rush to get these on the shelves as quickly as they can when the technology is available.

Why is it always 1986 in the Health IT world

Simplifying payment structures and standardising treatment protocols will transform health care, but because of the legacy IT systems involved and the 'locked-in' situation, many of the things that have to be done, will remain fiendishly complex and, thus, marvelously profitable for the IT consultants, system providers and integrators, for many years to come.

Monday, April 27, 2009

Do not skimp on replacing old laptops

Your Business may not survive it!
Not replacing laptops can prove very costly. You will need additional service cover against losses and breakdowns because the warranties have expired, not to mention the lost productivity in using a three-year-old model. Keep your laptops up to date and in the new budget. If there are cuts to be made, this is not the time or the place.

Companies are trying to cope with reduced IT budgets and are postponing the purchase of new laptop computers but they are making a big mistake.

Extending the use of laptops two years beyond the traditional three-year lifetime costs companies an average of $/Euros 1,050 per machine, more than the initial replacement cost.

The additional costs include a rise in repair costs due simply to old age, normal wear and tear, and the end of the three-year warranty period.

For each laptop user that is using the outdated equipment, it costs the company about $/Euros 9,600 in lost worker productivity over the two-year period.

Many companies are keeping a tight control over new purchases because of the recession. Some forward-thinking companies have taken the more positive step of replacing some user laptops with less expensive smartphones or other handheld devices. Such devices can be far more cost-effective for users who are only using laptops to access e-mail.

The replacement of corporate laptops with mobile devices should grow significantly over the next decade. In fact, it is predicted that in less than 10 years, the majority of Internet users will be accessing the Internet via a mobile device instead of a laptop or desktop.

Mobile devices are now being seen as mission critical but organisations are not quite at the point where they are completely confident about replacing laptops with smartphones. They are looking seriously at it and planning to research the potential gains in efficiency.

More Job Hunting Tips for this Tough Market

"How is business? What's the job market like? What are you working on? Do you know of any opportunities that I might be qualified for? I'm looking for an opportunity; can you help me? How can I navigate this job market? What do I need to do to differentiate myself?"

Those are the most common questions executive recruiters say job seekers are asking them these days. The recruiters note that IT professionals—whether they're employed or whether they've been laid off—are genuinely anxious about their job prospects. So, knowing executive recruiters have their fingers on the pulse of the job market and understand exactly what employers are currently looking for in candidates, job seekers are urgently phoning and texting recruiters to solicit them for career advice. Some get as many as 60 such calls and e-mails each day.

Many recruiters say they would genuinely like to help every job seeker who contacts them, but realistically, with the call volume so high, they can't. Business is scarce in the recruitment /search industry, and the consultants have to spend their time on what pays: drumming up search business and working on projects for existing clients.

To help the poor old recruiters and the IT professionals contacting them, we have compiled recruiters' answers to job seekers' pressing job search questions. These have been organised into six 'tips' for ways of working effectively with recruiters and for increasing your chances of landing a new job in this terrible market.

Make Yourself Visible (1)
If you want recruiters pursuing you for jobs, instead of you haranguing them, you have to make yourself visible. This means becoming a thought-leader in your industry or area of expertise. When you become a thought-leader, recruiters have an easier time finding you.

For example, if someone is conducting a search for a vice president of business intelligence, they find out who's speaking at BI conferences and heading up BI-related professional organisations to find potential candidates for the job. The executives who are speaking at conferences and who are elected to boards of professional associations have made themselves visible to recruiters.

Obviously, you can't become a thought-leader overnight. The quickest thing you might be able to do to establish yourself as an expert in your field is to start a search engine-friendly blog and update it every day. Remember that this is not an instant solution. It will take time to make an impact.

Make Yourself Visible (2)
Another way to make yourself visible is to maintain a strong presence on the websites recruiters use to find and screen candidates, such as LinkedIn and ZoomInfo.

Offer Something in Return
You can distinguish yourself from the rest of the job seekers contacting recruiters for advice by offering something to them. You could offer the recruiter a lead on an employer who's either having trouble filling a high-level position on their own or who's looking for a retained search partner.

You could offer a contact from your network who might be perfect for a job the recruiter is trying to fill. You could share an article relevant to the recruiter's business or some other market intelligence you've picked up while networking. Recruiters like job seekers who try to help them. They appreciate the help and they remember it.

Don't String Recruiters Along
If you're not interested in a position that a recruiter calls you about, or you're in the middle of a 12-month-long systems implementation and can't make a move until it's complete, tell the recruiter up front. Recruiters are like everyone else: they don't appreciate being misled.

Similarly, if a search firm offers you an interview with a client that you know you absolutely don't want, tell the search firm straight away that it isn't what you want. Explain clearly why, and tell them what you are looking for. Don't go to an interview just to get some 'practice'; it can be very destructive to your credibility.

Just as recruiters remember the professionals who help them, they also remember the people who make them look bad. Part of the role of a recruiter is to keep good records and most keep detailed notes on who helps them and who doesn't, going back many many years.

Bag the Résumé
Handing out your résumé at networking events is expected but it can also appear to be a bit "old and stale". Instead, try out business cards printed with your name, personal e-mail address, mailing address and cell phone number.

The advantage of a business card over a CV document is that it's "soft, genteel and not in your face", not to mention easier to carry around.

In addition, when you give out a business card, you usually get one in return. As you place your business card in the recipient's hand, you can ask them to please let you know if they know anyone who might be interested in your background. When you get their business card, you can then follow-up with them via e-mail, with an offer to help them in any way, a brief paragraph describing your skills, and a request for them to forward your name to anyone who might benefit from your skills. You have started a dialogue.

Keep Your Options Open
You can increase your chances of finding a new job if you're open to being flexible in your approach; relocating, switching industries or doing different work.

Candidates that limit themselves to a particular geography or fix the type of position they are looking for, generally stay unemployed longer.

Consider consultancy as a career
This is also an excellent time to consider consulting as a career move because a lot of companies are much more likely to take on a consultant than they are to take on a full-time employee. It's a lot less risky for an employer. They can take on a consultant much faster, with much less internal deliberation, without three rounds of interviews over five months.

If you're going to be flexible about your location, the position you're willing to take, and/or your compensation, you have to give recruiters and employers a good reason for your flexibility. You don't want to look like you're being flexible because you're desperate or at the mercy of the market.

Network. Network. Network
You've heard it over and over, but it's true: Networking is critical to finding a new job. Most jobs are found through networking. Consequently, people looking for jobs should spend most of their time networking.

Reach out. Do research on companies you're interested in working for and do some networking to find people who can introduce you to those companies.

Wednesday, April 22, 2009

Risk Management - 5 steps to success

What does it take to get Stakeholder attention and for IT initiatives to be acknowledged and accepted in today's lean mean enterprise?

In most cases it means making a compellingly attractive business case, getting the pertinent information to the right decision makers, and being sure that it is written in a language they can understand.

Executive suite
IT risk management initiatives are most definitely aimed at executive attention, and for good reasons. The economy has become increasingly dependent on the Internet and IT systems (the Cloud). This makes the inherent risks in these systems far more visible and potentially more significant than ever.

Risk management is a discipline with a myriad mix of interest groups and stakeholders: CIOs, CFOs, enterprise risk management teams, compliance and regulation staff, and both internal and external auditors.

Choose your words wisely
You need to aim your plan at CIO level, and there are generally two types of CIOs: the executive infrastructure managers and the strategic business thinkers. The latter will succeed with their IT risk management agenda because they speak in terms of business advantages, not technology outages (Business Impact Analysis). For example:

  • Instead of talking about a "zero day threat," consider the impact of a potential incident in terms of potential business losses (quantify in general terms).
  • Instead of talking about RTOs and RPOs, speak in terms of lost revenue and customers during an outage (sales, turnover, throughput, etc.).
  • Instead of highlighting unimplemented ISO controls, speak about the lost communication and effectiveness of employees who need to collaborate and share information both inside and outside the firewall.
  • It also doesn't hurt to point out the impact on productivity when the critical path and workflow are disrupted.

Use a High-Medium-Low spectrum of potential business loss

Part of using the right language is that it helps you move away from absolutes. Inevitably, a single prediction of loss will start a battle of statistics and a probability debate, with the risk that your request gets lost or bound up in the process. Instead, provide stakeholders with a variety of realistic scenarios and have some good data to back them up.

Start by considering whether you are a low risk company, moderately tolerant, or highly tolerant and then you can go to work with some calculations. Be prepared to back up your recommendations with numbers. Understand that you probably won't get exactly what you are asking for, but by presenting accurate potential scenarios, you might get your mid-range goal.

Use headlines to your benefit

All of today's business leaders have been shocked by the recent headlines regarding corporate scandals and the sudden loss of freedom or career prospects that these may bring. They dread the thought of the "orange jumpsuit retirement program," and there is still a steady stream of privacy and data leakage issues that will continue to feed the headlines.

Those held responsible, willingly or otherwise, have ranged from unsuspecting backup administrators and employees who unwittingly left laptops in car trunks, to mid-level managers involved in publishing quarterly financial reports, to executives operating with full and certain knowledge of potential breaches.

You can make good use of these "publicly displayed sacrificial offerings" to illustrate and reinforce the real risks at stake. This will help you move away from the discussion regarding the size, shape and probability of an incident or event and break the statistical deadlock.

Move your message up and around the chain

Identify and consider the strong players and potential champions involved. Work hard to win them over to your way of thinking. Remember, IT risk management isn't an exclusively IT-driven discipline. Work with the compliance team, the IT group, the legal group, the auditors, the enterprise risk management group and the business leaders. Create cross-company initiatives to align each of these groups. This will require as much time communicating outside of IT as inside.

Identify your milestones

Before going into an executive meeting with your precious ember of a request, identify up to three milestones you expect to meet and explain in business terms how these milestones will provide real benefits and payback to both the business and IT.

If you can, start with a proof of concept, e.g. for a content filtering project. This will have much more value if users from audit, legal and a line of business are involved in choosing the terms to flag, track and quarantine. A security 'incident reporting' process may get a more enthusiastic response if users understand that increasing their awareness will help to save the company money and protect the corporate image.

Conclusion:
IT risk management will become increasingly important as key organisational stakeholders begin to see the importance and effectiveness of an ongoing program. For now, IT risk professionals and their associated colleagues can continue to work to establish a baseline program by using the right language and the right information to ensure continued support internally.

Friday, April 17, 2009

Four Tele-commuting Security Mistakes


  1. Careless use of Wi-Fi and accessing unsecured open networks
  2. Letting family and friends use work-issued devices and attaching unauthorised peripherals
  3. Altering or deleting security settings to view Web sites that have been blocked by the company
  4. Leaving a work-issued device in an unsecured place or public location

Security is a good mind-set to adopt

For more information and assistance, speak to your IT Helpdesk and Security personnel. They have a range of proven and tested (approved) tools, closely aligned with simple operating procedures and guidelines, to help you reduce the potential impact of threats and vulnerabilities. The effective use and implementation of these is up to you.

Remember to check with the security guys regularly. There is always something new going on in their world that will directly affect your business world.

If in doubt give the Security doctor a shout!

As with most things, it is always easier to deal with security issues and threats before they escalate into a crisis. A mild infection can be treated quickly and effectively if brought to their attention early, but if left untreated there is always the risk of cross-infection to other members of staff, with the potential loss of a limb or vital organ.

In your business world, it is your servers, applications and data that keep you alive! You don't want to lose any of these, or even break the arterial chain that holds them together.

3 Security Flaws in Google Docs?

Security Analysts find 3 Flaws in Google Docs!

1) One of the flaws allows images to remain accessible even after a document has been deleted.
2) The second problem allows users to see all versions of an image that has been modified.
3) A third problem is perhaps the most serious of all: it appears to allow people who once had access to someone's Google Docs to retain access even after access rights have been changed. Details of this one have not been released yet.


Tuesday, April 14, 2009

SAP: Defending itself against massive law suit

SAP has engaged 25 to 30 contract attorneys and spent several million dollars to defend itself against a 2008 lawsuit brought by Waste Management, which alleges that the SAP ERP implementation has failed.

Leadership; more skills needed in recession

Trust me! I'm a Leader!
The only way out of a difficult situation is through good, positive leadership. It has been a long time since I met a leading figure that I respected. Now I would be satisfied with meeting one that I liked and could spend more than 5 minutes in the company of. What qualities do you look for in a good leader in these challenging times? Intelligence, foresight, sobriety, etc.

Re-Introducing
You have heard this introduction before in many guises: money is tight, employee layoffs loom, spirits are dwindling, we're in a recession. So where are the great leaders and orators who will lift us out of this, or are we those great leaders, playing out of position? Maybe you should stop looking out for help and start looking inwards. You, as an IT consultant, subject matter expert or executive, have the insight and determination to develop and expand your powers and take on the qualities of a good leader. Why not take it to the next level?

Same old same old
You have spent all those years keeping your staff engaged and motivated through numerous spirit-breaking projects: company mergers, legacy system upgrades, application server integrations, etc. You are well used to meeting the slings and arrows of outrageous fortune seekers. Managing changing expectations in uncertain times is what you do as a day job. Why do you expect others to do it for you? They are far too busy with more important things, like growing their egos, cubicles and expense accounts.

You, as the leader
Find within you, and develop further, the ability to lead and inspire. In times when fear and instability raise their scary heads, people need someone they can feel confident in: someone who knows in what direction they should be going, in what direction they are actually going, and the potential impact of this delta.

All is questions
You don't have all the answers, no one has, but you have a team of experts around you who do. If not, then expand your points of reference. There is a vast array of knowledge resources out there. Use them.

When all around are losing theirs
Make yourself the go-to guy, the point of contact and voice of reason: a safe haven where people can go and talk freely, somewhere they can brainstorm without being rained on, somewhere they can workshop with sharp tools and smart products. It is your job to make them feel good and go away feeling better about who they are, what they're doing and how they are contributing. People want leaders (strange but true). Look around you, then take a long look in the mirror and ask yourself, 'Who else is going to do it?'

Develop your listening skills
Be consistent, be effective, be a frequent communicator, but most important of all, be an intelligent listener. Ask good questions, absorb what's being said and appreciate the issue that's being passed to you with the same level of attentiveness and concern as you expect from them.

Short Term benefits
Find the quick wins and short-term benefits to help the team and the organisation. You also need to communicate upwards with the entire leadership team, ensuring that the whole organisation is in agreement and aligned.

Develop your voice
The leadership team as a whole needs to be very committed to the new roadmap. Ask for their buy-in and a demonstration of their unity. After all, you're asking everybody else to do more with less, why not include the management team. There is no room for passengers and overweight expense accounts on this voyage.

Is there real credibility in the operational results you're striving for? Be honest, set achievable expectations and execute on promises if you want to be taken seriously. You can easily declare 'We pay on results and performance', but don't say it if you can't deliver on it yourself.

Be Captain credible or Rupert realistic
This means striving to deliver better results on projects, more quickly than you may have been accustomed to in the past. How is this possible? No long-term projects or milestones allowed. Two- and three-year projects in these recessive times are doomed to fail. The impact on the bottom line has to be shown within 6 - 12 months for credibility to be sustained.

Caution: do not pull in the delivery dates too drastically, but look at credibly restructuring them. Break them into smaller modules and more agile projects, with regular, smaller deliverables that add up to a realistic whole. If you do it right, the sum of the parts will exceed the original whole. It should help you get through the tighter change management and more stringent implementation criteria. You will have witnessed the rapid construction of these recently: safety barriers thrown up by the business to protect itself from criticism.

Prioritise your priorities
The ability to prioritise is key in these situations, but you have been doing that as a routine anyway. Now think about priorities differently, more like the leader you are. Leadership in a recession requires strong prioritisation skills. Look differently at the expense and capital side and what can get done, as a priority. Look differently at the organisation as a whole and find the core functions that will deliver the short-term results but provide a platform for growth in the future.

The Pareto Principle
Using Pareto's 80-20 principle, closely examine your IT portfolio and determine which 20% of your investments will give you the 80% benefits.

Innovation re-invented
Innovation, creativity, flexibility and the ability to embrace change: isn't that where we have been for the last decade? Unfortunately it was aimed at technological solutions, but now it's concentrated on finding ways to cut expenses without layoffs. If you let people go now, when the financial picture gets murky, where is the rapid growth and steady recovery going to come from? So, for now, you have to be extra creative in trimming your budget, again.

Jettison excess cargo
Big, fat, overweight expense accounts are undergoing a slimming program. Creative scheduling and cutting executives' perks and pay need to be considered before contemplating employee layoffs. The most agile and productive companies are completely opposed to layoffs, but this is delaying the decision, not fixing it. It may lead to having to chew their own limbs off at a later date.

Layoffs unplugged
Although they believe that layoffs are damaging to motivation, i.e. the worst thing you could possibly do and the last tool in the arsenal to pull out, they may become inevitable. A company that begins laying people off believes that the rest of the people stop worrying about their work and start worrying about themselves and their future. Thus there is a noted drop in productivity in those who remain with the company. Unfortunately, they seem to have accepted the example of a badly handled layoff, and I am afraid to say that this may be the norm.

Knowledge losses grow
In past recessions companies laid off workers to please the banks and Wall Street, but when the economy rebounded the costs of finding new hires (recruiting, training and getting them up to speed) were more than the savings that were realised during the layoffs. They also lose the "tribal knowledge" of how things are done in the organization and are doomed to repeat the mistakes of the past.

Leadership qualities
The conventional model of a leader is rather dictatorial: one where they believe themselves to be omnipotent, all-powerful, larger than life and always sure and definite in their manly stance. They are defensive, secretive and avoid any signs of weakness or criticism. Doors are locked, blame is dished out and examples are made to 'motivate' the others.

A good leader is humble, self-effacing and expresses positive self-doubt when appropriate. They are honest in their praise and criticism alike. They admit to their faults when necessary, but if they do this when it is not appropriate, it will be interpreted as a weakness.

Tigers caged
You may have read recently, if you were not on a tour of another galaxy, that many conventional business executives have been found out to be no more than paper sabre-toothed tigers and have been easily captured in the news as willing players in long-term corporate scandals requiring mammoth bailouts. Given those negative headlines, we are all dearly wishing that our new 'leaders' will aim to provide us with something different.

Teach a man to swim
'Fish swimming upstream' is a good way to describe people who buck conventional wisdom and don't just go along. Develop the ability to position yourself and your organisation as a sanctuary for good talent. You can spend a lot of time, money and effort seeking out the good people, but it is much better if they come to you. Develop the ability to attract, develop and retain top talent.

Networking, networking, networking
Develop a world-class network of your top peers from the IT world, as well as providers and others you've encountered in your business dealings. Get the most out of the resource pools that surround you, whether it's your team, a potential hire, an executive, etc., and do not neglect the greater technology community. This is the source of your new promised land.

Don't go overboard
Moderation in all things! Remember that the knowledge, wisdom and resources at our disposal are far bigger and greater than we ever let ourselves imagine. Just scratch the surface and stand back. These are dangerous waters, full of monsters and pirates, but having jettisoned excess cargo, found all the stowaways, shored up the leaks and established a true course, be prepared to accept eager boarders on this voyage of discovery. Captain, my captain!

Is Blind faith the best approach when not seeing good results?

Sunday, April 12, 2009

Where can I find a profit

'When you eliminate the obvious, then what remains, albeit improbable, must be the truth.'

The times are tough, the going rough, the customers are in defensive mode and profits are a difficult thing to find. So, where do we look for profits? Consider their habits. Where have they been found in the past, and where will they be found now?

The answers may differ from business model to business model but profits have always come from exploitation and RISK. You must exploit opportunities and take risks if you want to really be in business i.e. developing and profiting, no matter what the economic environment.

It is now, more than any other time in your lifetime, that those who have the courage will be able to take advantage of and exploit some of the greatest investment opportunities in this century. It is a buyers' market, whether you are in retail, stocks, real estate or a venture capitalist taking the biggest risk of all, looking to invest in a new business.

"I never guess. It is a shocking habit and destructive to the logical faculty."

There is an old adage in the business world that says “Be thoughtful and hesitant when others are greedy and be quick to exploit when others hesitate.”

Most business markets are based on a pack mentality. They cling together for protection, and this 'pack' is currently hesitant and fearful in its approach, not daring to be the first to break ranks in case they are followed, found to be wrong, and pilloried and expelled by their peers. They have much fear and much to fear. Consequently, they are acting with a fearful mob mentality: hesitant, irrational and unpredictable in most cases.

If you have the courage and expertise to take some well-measured and calculated risks at this time, you could become the new pack leader, the trend setter that sniffs out the route to safe and steady profit, resulting in some, much or great profit in the months and years to come.

Your question is: what risks do I need to take to make this vision come true, and how best should I measure these risks?

"London, that great cesspool into which all the loungers and idlers of the Empire are irresistibly drained." Sir Arthur Conan Doyle

Fortunes won and lost


"Fortunes are not made in boom times…that is merely the collection period. Fortunes are made in depressions or lean times when the wise man overhauls his mind, his methods, his resources, and gets in training for the race to come." - George Wood Bacon

Finding another executive position

If you talk to recruiters and headhunters who specialise in executive searches, you will discover that they are all saying the same thing: talent cannot hide; if you're good, we'll find you. This may or may not be simple rhetoric, but for today's executives whose phones are not ringing off the hook, we thought it might be useful to ask about the dos and don'ts of raising one's profile and getting picked up on a recruiter's low-frequency radar.

For my part I will concentrate on the IT profession. A survey of 150 enterprise executives and IT managers found that while 38% found their current job through a personal network, 30% worked with a recruiter to land a job, leaving 32% to wander in the wilderness.


For executives not looking to move, the headhunters we interviewed said there are ways you can make yourself useful that will pay dividends down the line, and mistakes that can put you in the doghouse forever.


First, you need to establish some kudos. After years of operating on the outer rim of the C-suite fishbowl, enterprise IT managers/executives are in deep. The executive IT manager role has moved to the forefront. It's a true C-level position.


The IT manager has found a seat at the table, and IT managers are expected to contribute at board level. They are not an overhead to be controlled and contained, or a back-office function to ignore until something happens. They are a business enablement function that needs to be developed and cherished.


With the status comes pressure. There is zero tolerance for anything but solid execution, benefit achievement and results. The board room and sponsor expectations are higher than ever.


"Mediocrity knows nothing higher than itself; but talent instantly recognizes genius."


The IT manager/executive operates on a different level than several years ago, when IT was at the epicenter of the tech bust. IT managers/executives are expected to be more business focused and enabling. There isn't a job that IT doesn't support, and the extent of their financial spend and budget control is often the biggest in the company.


Moreover, despite all signposts pointing to a rough road ahead, recruiters remain busy, even if they are looking over their shoulders. Good candidates have multiple options and are difficult to retain.


Here are some suggestions, from the macro to the minuscule, for managing your career, so that you have multiple options too.


1. Track record


This speaks to the cardinal rule of recruiters: build something and they will come. IT managers/executives who are going places stay at one organisation for long enough to deliver.


If you haven't been through a business cycle or two, I don't care how good you are, you can't claim success or real experience. A year or 18 months usually doesn't cut it. You have to be at an organisation long enough to live with your decisions, to make adjustments, to fix your mistakes and to build on the things you've got right.


IT manager/executive searches often begin with very specific queries from client companies. A CEO or CFO will come forward and say that they want to drive a massive transformation of the business and require a strong IT manager/executive who has successfully completed a major systems integration. Given some more specific information, the search is then on for where that talent exists.


Companies know that you don't always have full control over how long you last in a specific position, but you should have management power over your career.


You have to look at your career and ask, 'Am I continuing to progress? Am I getting broader, bigger and more complex responsibilities? Am I building a portfolio of experience that will be valued by the next company, or the company after the next company?' Look for good companies and good leaders from whom you can learn.


Remember, nobody is going to do that for you. If you sit back and let your career happen, you might get lucky, but you might not. I wouldn't be too comfortable in letting fickle lady luck and moody madam fortune decide where I end up or what I am able to do.


2. Visibility


About two-thirds, maybe even three-quarters, of the people that headhunters contact during executive searches are already in the headhunters' databases. It's their job to know who is out there before they are hunted, but that leaves a good chunk of good people who have slipped under the low-frequency radar. This includes those who are working so hard they haven't had time to put their head up.


Leave behind the cloak of invisibility and the anonymous mantle of obscurity. All headhunters stress the importance of getting on the speaker circuit and raising your profile. When doing a search, the first place to go is the top expert in the field who is talking about the subject. Identify a topic you know well and have a lot of experience in, and tell your vendors that you're available to speak at events.


"Some touch of the artist wells up within me, and calls insistently for a well staged performance. Surely our profession would be a drab and sordid one if we did not sometimes set the scene so as to glorify our results."


If it has been some time since you last gave a talk to a big audience, you can first get on a panel or a forum, which may be easier than giving a direct speech. People are always hungry for expert speakers. It is actually easier than you think to be on a panel or a forum.


If you are selected as a speaker, prepare, prepare, prepare. Word travels fast if you fail to meet expectations.


We are a big fan of LinkedIn, but it must be used strategically. Your information must be accurate and concise. Hide your connections, but do connect to as many good people as you know. It is only prudent to ignore any request from somebody you don't know, and do ignore it; there is no need to write back and justify your actions.


3. A trusted source to recruiters



The covenant of eternal employment was broken some time ago, hence the need for a strong professional network, which includes headhunters and recruiters.


You need to proactively build a relationship with executive recruiters in your space, so you come to mind before insignificant others.


Good recruiters have visibility into the marketplace. Over the course of a long career, a recruiter can act as a trusted advisor, but good relationships are a two-way street and mutually beneficial.


Good headhunters are busy, and they're going to be spending most of their time on the searches they're being paid to do, not giving out superfluous career advice to you. You can make yourself useful to them in ways that will repay you many times over.


If you're the IT manager of Acme and used to work at GE, the headhunter may call you and ask to talk to the best IT person in your organisation with Six Sigma process improvement knowledge. The question is: are you willing to give them that information? If they ask you for a reference for a candidate that you know from a previous position, would you provide it?


When it comes to your own career, don't exaggerate or fudge. If you're thinking of leaving but can't really move for the next eight months because you're due to come into a major stock option, you'd better say so. Be honest and good recruiters will be honest back, sometimes painfully so. They don't work with people who lie and exaggerate. It's not worth their while, because it erodes their integrity.


4. Go best, young execs


A word to the wise for up-and-coming executives: ambitious professionals look for the next rung up, the job nobody thought they could do, to prove themselves, but the wise investment might be a lateral move if there is an opportunity to learn, grow and work with the best.


These can be great learning environments and worth the investment and sideways step. Clearly, it's best to make the investment early in your career, if possible, when you have a little more flexibility in the scope and scale of role you can take.


In any case, big organisations, the Microsofts, Dells, GEs and Procter & Gambles of the marketplace, tend to hire "bigger than the role."


These companies are so complex that the matrix is difficult to get your arms around. Putting you in a stretch role in an environment where you don't know the company or the political landscape is really difficult. It's a unique individual who can take on those two variables and be successful.


Their view is to put you in a role that you can do, so you're not underwater from day one. As you progress and figure out how things get done, they will expand your role. It is an expansionist view, limited only by what you are capable of.

Risk Management; A mind set

For those who have not yet discovered it, security and risk management is a mind-set. When you go into a shop or restaurant, you may automatically check out the security and note where the exits are. If so, you will also check how secure the financial transactions are. How does the waitress handle the credit cards? How far is the credit card machine from staff and other customers? You will have noted the location of the security cameras, the lack of a security station, or the location and number of bouncers.

As a security and risk specialist, you will always be thinking about and assessing the security scenarios, not to exploit or take advantage of them but to be aware. You cannot switch it off; it's the way you are. It is the same for members of the emergency services: never really off duty.

Security Compliance

If you have to consider a risk management approach to security compliance as part of your many regulatory obligations, the best way to approach compliance is through risk. It is ineffective to focus on the bare minimum, just ensuring you are simply compliant. Threats and vulnerabilities are forever mutating, growing and changing. The bare minimum is not enough. This is the first principle of IT security and of risk-based IT management.

When looking at new applications, components, systems or architectures, check out the risks to your business and the risk to your core information. Those are the important things to note. Whether it meets a line item associated with HIPAA or SOX is a secondary concern.

Pattern recognition

The 'always on' risk management mind-set is always looking for patterns, checking out ways of doing things rather than items on a regulatory checklist. You will look closely for items that pose a threat to your core assets, those that you are responsible for and have dedicated your reputation to protecting.

When somebody comes to you with a potential security problem, even if you know nothing about the particular system or application, you can assess it by applying the risk framework and therefore formulate a valid set of pertinent and probing questions.

Secure games

Most security and risk managers live and breathe in a security mind-set, whether they are hardcore techies or recruits from the business side. The methodology they follow day by day at work is the methodology they live by outside of work. Even at conferences, when they unwind afterwards with a soft drink, they invariably play a Where's Waldo? version of security gaffes, competing to see who can spot the most security lapses. It can appear very weird and a little dark if you are outside the circle.

Nailed by the business

The mind-set can have its limitations and can be self-perpetuating. There is an old adage that says 'If you are a hammer, the whole world looks like a nail.' Indeed, when taken by surprise, the average security and risk manager is typically outmanoeuvred by something that happens on the business side.

Good grief! Have they learned nothing? You can't believe that the business would make such a decision. Just because you have a structured, risk-averse and secure mind-set, you forget that 'normal' people don't always think that way.

Damage control

What happens next is up to you. If the security has been jeopardised or the risks are too high, then it is your task to get it back into line and put the genie back in the bottle. The fact is clear: you are dealing with consequences. The business has taken a chosen path and you have to control the damage, mitigate it or make it right. After all, isn't that your job as the security and risk 'support' person? In reality, you are seen by the business (suits) as being in the same category as the IT help desk, and that is all you are.

Although it is accepted that the security and risk manager serves and protects the organisation and its profits, until it can be unequivocally determined how you can directly make money and grow the profits for the organisation, you will always be considered merely a supporting act. So, let's make up and get on with it! The show must go on!

Thursday, April 9, 2009

Zombies Ahead! Spooks in the machines!

An electronic road sign was hacked and changed to alert drivers to the potential hazard of 'hordes of the undead' jaywalking. This provides a nice example of why the status of the security on the US Grid and associated infrastructure is such a “big deal”.

The hack itself is trivial: an intrepid individual discovered that electronic road signs shared a common default password. The good news is that the default password would have been discovered and publicized years ago if the systems had been connected to the internet. They were left alone, or overlooked, for years only because very few people had the initiative or twisted interest to walk up to one of the signs and attempt what is essentially a simple dictionary attack against the authentication mechanism.

Without the motivation and justification of protecting installations from sustained and multiple attack, engineers saw no reason to improve the security of their systems. This follows the threat-response reasoning that defence is only required where attack is likely, or where expenditure restrictions veto and suppress security issues. (Discuss!) You could also argue that the lack of protection in certain areas forms part of the overall strategy of the threat and of those that threaten.
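As an added illustration (not code from the original post), here is the kind of fleet audit a defender would run to catch the problem just described: a Python check that flags field devices whose administrative account still carries the vendor default, plus a provisioning-time check that refuses to set the default in the first place. The device models, default credentials and inventory export format are all constructed placeholders; the page does not give the real values, and the assumption that the asset database stores only a SHA-256 digest of each controller password is this example's own.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed vendor-default credentials for a hypothetical fleet of sign
# controllers. Model names and passwords are placeholders, not real values.
KNOWN_DEFAULTS: Dict[str, Dict[str, str]] = {
    "signco-vms-200": {"admin": "changeme-placeholder", "tech": "service-placeholder"},
    "signco-vms-300": {"admin": "changeme-placeholder"},
}


def credential_digest(password: str) -> str:
    """SHA-256 of a password, as the hypothetical inventory export stores it.

    Assumption of this example: the asset database keeps only a digest of
    each controller password, never the plaintext.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit_inventory(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag devices still on a vendor default, and models with no baseline.

    Each inventory row carries id, model, user and credential_sha256.
    """
    findings: List[Dict[str, str]] = []
    for device in inventory:
        model = device["model"]
        defaults = KNOWN_DEFAULTS.get(model)
        if defaults is None:
            # No baseline means we cannot call the device safe; queue it for review.
            findings.append({"device": device["id"], "severity": "review",
                             "reason": f"no default-credential baseline for model {model}"})
            continue
        default_pw = defaults.get(device["user"])
        if default_pw is None:
            continue  # account has no documented default; nothing to compare against
        # compare_digest avoids leaking the comparison result through timing
        if hmac.compare_digest(credential_digest(default_pw), device["credential_sha256"]):
            findings.append({"device": device["id"], "severity": "high",
                             "reason": f"account {device['user']} still uses the vendor default"})
    return findings


def accept_new_password(model: str, password: str) -> bool:
    """Provisioning-time check: refuse any documented default for this model,
    case-insensitively, so a device never goes live on the factory value."""
    defaults = KNOWN_DEFAULTS.get(model, {})
    return not any(password.lower() == d.lower() for d in defaults.values())


# Constructed inventory export: one device still on the default, one rotated,
# one from a vendor with no baseline on file.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"id": "sign-01", "model": "signco-vms-200", "user": "admin",
     "credential_sha256": credential_digest("changeme-placeholder")},
    {"id": "sign-02", "model": "signco-vms-200", "user": "admin",
     "credential_sha256": credential_digest("rotated-2009-placeholder")},
    {"id": "sign-03", "model": "othervendor-x1", "user": "admin",
     "credential_sha256": credential_digest("unknown-placeholder")},
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f['severity']:6} {f['device']}: {f['reason']}")
```

The audit deliberately reports models it has no baseline for as "review" rather than silently passing them: an unknown vendor is exactly the case where the "nobody has looked at it for years" problem lives.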

It seems that everyone laughed off the hack as a simple prank, but failed to consider the serious implications and security problems that exist in systems that are legacy-based, semi-automated and semi-attached to the National grid.

There is a large class of systems that are semi-attached to the grid and they have similar security problems and vulnerabilities. Known as SCADA (Supervisory Control And Data Acquisition) systems, these computers are responsible for controlling electro-mechanical devices and physical plant such as those found in nuclear reactors and oil refineries.

Many of these systems were deployed years ago in simpler times, well before the information security industry fully understood code quality problems and how they can be and would be, exploited by attackers. These systems are only safe from exploitation for as long as you can guarantee a substantial air-gap or secure firewall between the control network and anything a human being can touch.

Serious Vulnerabilities

Spies and government sponsored hackers have already been probing the U.S. electrical grid for months and planting software that is intended to be activated at a future date, according to a Wall Street Journal report. The report highlights the latest non-physical, indirect threats and vulnerabilities facing the U.S. power infrastructure.

The Journal notes that the spies are from China, Russia and other countries who are more openly threatening. While the news is very disturbing, it isn’t all that surprising. The vulnerabilities of the U.S. infrastructure are well documented. It is also notable that the electrical grids were, until recently, thought to be somewhat hacker proof. Why? Because the grids run on old legacy software, which is often proprietary. This, it turns out, is their greatest weakness, along with apathy and complacency.

The barbarians are not at the door but they may have remote access to your infrastructure and life support systems! Prepare to repel boarders!

Microsoft Security Intelligence Report - Extracts

Here’s a look at the five most important aspects from the full Microsoft Security Intelligence Report.

1. Vulnerabilities (the response and reaction to them) vary, depending on whether the target is at work or home.

Based on data provided by its enterprise Forefront Client Security and consumer Windows Live OneCare, Microsoft found that vulnerabilities are very different. Why? A corporate user may have email and Internet limitations that reduce the attack surface. A home user has more software tools to be infected but less critical data at risk.

Simply put, a home user is more likely to get hit with a Trojan attack to extract bank and credit card details, etc. In the enterprise, the weapon of choice is the Worm attack, which is primarily destructive and disruptive.

The greatest difference between enterprise and home vulnerabilities is social engineering. Microsoft explains:

  • The Windows Live OneCare list also includes several families associated with rogue security software, such as Win32/Renos, Win32/FakeXPA, and Win32/Antivirus2008.
  • The social engineering messages used in connection with rogue security software may be less effective in an enterprise environment, where malware protection is typically the responsibility of the IT department…
  • By contrast, the Forefront Client Security list is dominated by worms, like Win32/Autorun, Win32/Hamweq, and Win32/Taterf.
  • Worms rely less on social engineering to spread than categories like trojans and downloaders do, and more on access to unsecured file shares and removable storage volumes, both of which are often plentiful in enterprise environments.
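The worm vectors the report names (unsecured file shares and removable storage) are a case where a small, deterministic check helps a help desk or a SOC: an autorun.inf on a removable volume that launches an executable is exactly how an Autorun-style worm gets itself started. The Python triage below is an added example, not part of the report or of this post; the two autorun.inf samples are constructed for it, and the severity scheme is this example's own.

```python
import configparser
from typing import Dict, List, Tuple

# File extensions that mean "run code" when named in an autorun launch key.
EXEC_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".vbs", ".js", ".lnk")

# Constructed sample 1: a vendor driver disc that only sets a label and an icon.
BENIGN_AUTORUN = """
[autorun]
icon=setup.exe,0
label=Vendor Driver Disc
"""

# Constructed sample 2: the pattern the check is meant to catch. Every launch
# key points at an executable on the volume and the AutoPlay caption mimics
# the built-in "open folder" choice.
SUSPICIOUS_AUTORUN = """
[autorun]
open=data\\update.exe
shell\\open\\command=data\\update.exe
shell\\explore\\command=data\\update.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a lower-cased key/value map, {} if unparseable."""
    # strict=False tolerates duplicate keys; interpolation=None keeps '%' literal.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    # Section names are case-sensitive in configparser but not on disk.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {key.lower(): value.strip() for key, value in cp.items(section)}


def is_launch_key(key: str) -> bool:
    """open=, shellexecute= and shell\\<verb>\\command= all cause code to run."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def assess_autorun(text: str) -> List[Tuple[str, str]]:
    """Triage one autorun.inf; returns (severity, reason) pairs, empty when clean."""
    entries = parse_autorun(text)
    findings: List[Tuple[str, str]] = []
    for key, value in entries.items():
        if not is_launch_key(key):
            continue
        parts = value.split()
        target = parts[0].lower() if parts else ""
        if target.endswith(EXEC_EXTENSIONS):
            findings.append(("high", f"{key} runs an executable from the volume: {value}"))
        else:
            findings.append(("medium", f"{key} launches {value}"))
    action = entries.get("action", "")
    if "open folder" in action.lower():
        findings.append(("medium", "action= mimics the built-in 'Open folder to view files' prompt"))
    return findings


def highest_severity(text: str) -> str:
    """Collapse the findings to one label for a ticket or a dashboard."""
    order = {"high": 2, "medium": 1}
    findings = assess_autorun(text)
    if not findings:
        return "clean"
    return max((sev for sev, _ in findings), key=order.__getitem__)


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspicious", SUSPICIOUS_AUTORUN)):
        print(name, highest_severity(sample))
        for sev, reason in assess_autorun(sample):
            print(f"  [{sev}] {reason}")
```

The icon= key is deliberately not treated as a launch key: a legitimate disc pointing its icon at setup.exe is common, and the thing that distinguishes a worm is that something will execute, not that an executable is merely present.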

2. Users don’t always remove unwanted software: There’s great appeal to the procrastinator in the “ignore” button.

  • Microsoft explains one nuance of the malware issue: Software cannot always be classified in binary terms as “good” or “bad.”
  • Some software inhabits a gray area wherein the combination of behaviors and value propositions presented by the software is neither universally desired nor universally reviled.
  • This gray area includes a number of programs that do things like display advertisements to the user that may appear outside the context of the Web browser or other application and which may be difficult or impossible to control.

Microsoft’s scans allow users to ignore a security alert, allow software to remain, issue a prompt, quarantine or remove it.

If software is really malicious it is removed without user input. The gray areas appear when users have a choice.

Microsoft adds:
  • These decisions are influenced by a number of factors, such as the user’s level of expertise, how certain they feel about their judgment regarding the software in question, the context in which the software was obtained, societal considerations, and the benefit (if any) being delivered by the software or by other software that is bundled with it.
  • Users make choices about what to do about a piece of potentially unwanted software for different reasons, so it’s important not to draw unwarranted conclusions about their intent.

Moderate or Low threats are often ignored by users, who think that there’s value in the software. These threats are keepers based on user behaviour:

3. Rogue security software (Scareware) gains momentum.

The concept of rogue security software is pure genius. Malicious hackers prey on the fears of users, cook up bogus security software and extract payments to keep your PC running. Microsoft notes that rogue security software is becoming a hot category.

Microsoft reports:

  • Rogue security software authors have long attempted to exploit this trust by giving their programs generic, anodyne names, like “Antivirus 2009,” and making them resemble genuine security software in many ways.
  • Recently, many threats have taken this approach a step further, posing as components of the operating system itself or as a familiar search engine.
  • One of the first families observed to exhibit this behavior was Win32/FakeSecSen, which was added to the MSRT in November 2008 and was the eighth most prevalent family in 2H08 overall.
  • Win32/FakeSecSen adds an icon to the Control Panel named Vista AV or MS AV and fraudulently uses the same four-colour shield icon as the Windows Security Center. Double-clicking the icon launches the rogue software, which claims to detect a large number of nonexistent threats and urges the user to “activate” the software by paying for it.

Win32/Renos is a longtime threat that delivers rogue security software. It was the most prevalent threat in the second half of 2008. Two new trojans, Win32/FakeXPA and Win32/FakeSecSen, were the seventh and eighth most prevalent families.

4. Social networking phishing attacks represented less than 1 percent of attacks, but yielded a big chunk of phishing impressions.

Translation: Social networking sites will remain a big phishing target.

Microsoft explains:
  • A typical social network phish is likely to trick an order of magnitude more users than a typical financial phish. There are a number of explanations for this discrepancy.
  • While financial institutions targeted by phishers can number in the hundreds, just a handful of popular sites account for the bulk of the social network usage on the Internet, so phishers can effectively target many more people per site.
  • In addition, phishers often use the messaging features of the sites themselves to distribute their attacks, typically by gaining control of a user’s account and using it to send phishing messages to the victim’s friends.
  • These attacks can be much more effective than e-mail–based attacks, because they exploit the considerable level of trust users place in their friends.


5. Malware is dominant in the U.S. and accounted for 67 percent of all infected computers.

Trojans (the miscellaneous variety) were detected on 29.4 percent of infected computers. Among other items:

  • Five of the top 20 families detected in the United States in Q3 and Q4 of 2008 (Win32/Renos, Win32/FakeXPA, Win32/FakeSecSen, Win32/Antivirus2008, and Win32/Winfixer) download rogue security software or display misleading warning messages to convince users to purchase a program that supposedly removes spyware.

Here are the top five individual threats:

Trojan downloaders and droppers were detected on 24.4 percent of all infected computers.

I trust this was of interest to you and that you will see the sense of protecting your computer(s) with known and trusted antivirus software, as well as setting up a good firewall and intrusion detection. The rise and rise of malware across the globe means that you will also need to protect your system(s) from this menace.

Do your research, read the reviews and never be the first to try any new protection software.