Policy and Wireless and Blogs, Oh My!
and Blogs - You Just Can't Ignore Them
probably literally in Siberia or on the way as you read this, so any
email responses will be delayed. Hopefully adopting an almost 2 year old
at the SANS conference in Tysons Corner, Virginia, teaching a Security
the week of April 3-8. Stop by and hello if you're there!
Blogging for Business, with co-author Shel Holtz is available for
preorder on Amazon and should be on bookstore shelves in a week or two.
USA Today editorial on Internet Governance.
Security Policy and Wireless and Blogs, Oh My!
What a seemingly strange combination: security policy and wireless and
blogs. In reality, they are closely intertwined, even if your organization
thinks it has no wireless or blogs.
Security policy is documentation that describes how an organization manages,
protects and enforces its security infrastructure. Security policy aids in
building and maintaining an effective security infrastructure. Security
policy is essential if an organization is serious about security, but even
organizations without a formal policy will have some sort of defacto
There are many popular wireless technologies today, including Bluetooth,
ZigBee, and Wi-Fi, the 802.11x set of standards. We'll concentrate mainly on
802.11x, although our comments apply to all forms of wireless.
Wireless is almost everywhere today, and has some fundamental security
weaknesses when compared to wired networking – namely no wires. A wireless
network doesn't stop at your walls or company border. Wireless access points
often allow a way around the firewall. Also, wireless security, at least for
many implementations today, has shortcomings with authorization, encryption,
We could discuss these issues and possible solutions and countermeasures for
a few tens of thousands of words, but we won't. Organizations certainly have
a range of options when it comes to wireless. The one option no sizeable
organization has, except military and quasi-military organizations, is no
wireless. Some perhaps well-meaning employee will setup a wireless access
point, maybe in a conference room to help facilitate a meeting or maybe
connected to their PC. Suddenly your network will be accessible from the
parking lot, from the sidewalk, and down the street, probably with zero
security precautions – i.e. wide open.
Since it is impossible to “Just say no to wireless,” wireless is an issue
organizations need to deal with. A common choice is to have a relatively
security wireless network, separated from the main network by a firewall,
and regularly try to detect and remove any rogue wireless access points
setup by employees. Rogue wireless access points are extremely common, in
part because wireless access points are cheap – I recently bought a new
Linksys wireless access point for US$5 at a flea market!
Simply put, your security policy had better address wireless.
Blogs are simple websites or parts of websites with reverse chronologically
ordered articles that typically contain a mixture of fact and opinion, much
like newspaper editorials. Blogs are usually updated very often and most
allow readers to post feedback as comments. There are currently over 25
million blogs and a new one is created every second. Business Week
proclaimed on their cover, “Blogs will change your Business,” and they are
right! Many companies have blogs or employee bloggers including Microsoft,
IBM, General Motors, and scores more.
Many companies that have blogs have “Blogging Policies.” For example, IBM’s
Blogging policy is here:
. Blogging Policy falls under the umbrella of security policy, just like
acceptable use policy, password policy, and data classification policy.
Although many companies embrace blogs and employee bloggers, many fear them.
The thought of employees blogging, perhaps about work or work issues, in an
open and public forum terrifies many. Who knows what they might write? What
if employees write about company secrets and other confidential information?
Let me add that if employees are publicizing company confidential
information, you have an employee problem, not a blog problem!
Every sizable organization, and most smaller ones, has employee blogs
whether they know it or not! Employees need clear guidelines about what is
and is not acceptable to protect both the organization as well as employees.
Simply put, your security policy had better address blogs.
Just like death and taxes, wireless and blogs are inevitable in an
organization of any size. Security policy should address both topics!
Ted Demopoulos, Consultant and Professional Speaker, 603-231-8782 (cell)
This newsletter is Copyright © 2006 by Demopoulos Associates, Durham, New
Hampshire, USA. All rights are reserved, except that it may be freely
redistributed if unmodified.
Sharing securITy is encouraged if the copyright and
attribution are included.
The free newsletter of Demopoulos Associates,