Ted Demopoulos' securITy
Security Policy and Wireless and Blogs, Oh My!
Wireless and Blogs - You Just Can't Ignore Them
_________________________________________________________________
- I'm probably literally in Siberia or on the way as you read this, so any
email responses will be delayed. Hopefully adopting an almost 2 year old
girl!
- I'll be at the SANS conference in Tysons Corner, Virginia, teaching a Security
Essentials Bootcamp the week of April 3-8. Stop by and say hello if you're there!
- My book, Blogging for Business, with co-author Shel Holtz is available for
preorder on Amazon and should be on bookstore shelves in a week or two.
I've also started a book blog at bloggingforbusinessbook.com.
- See my controversial USA Today editorial on Internet Governance.
_________________________________________________________________
Security Policy and Wireless and Blogs, Oh My!
What a seemingly strange combination: security policy and wireless and
blogs. In reality, they are closely intertwined, even if your organization
thinks it has no wireless or blogs.
Security Policy:
Security policy is documentation that describes how an organization manages,
protects and enforces its security infrastructure. Security policy aids in
building and maintaining an effective security infrastructure. Security
policy is essential if an organization is serious about security, but even
organizations without a formal policy will have some sort of de facto
security policy.
Wireless:
There are many popular wireless technologies today, including Bluetooth,
ZigBee, and Wi-Fi, the 802.11 family of standards. We'll concentrate mainly on
802.11, although our comments apply to all forms of wireless.
Wireless is almost everywhere today, and has some fundamental security
weaknesses when compared to wired networking – namely no wires. A wireless
network doesn't stop at your walls or company border. Wireless access points
often allow a way around the firewall: an access point plugged into the
internal network is reachable from outside without passing through the
perimeter. Also, wireless security, at least for many implementations today,
has shortcomings with authentication, encryption, and more.
We could discuss these issues and possible solutions and countermeasures for
a few tens of thousands of words, but we won't. Organizations certainly have
a range of options when it comes to wireless. The one option no sizeable
organization has, except military and quasi-military organizations, is no
wireless. Some perhaps well-meaning employee will set up a wireless access
point, maybe in a conference room to help facilitate a meeting or maybe
connected to their PC. Suddenly your network will be accessible from the
parking lot, from the sidewalk, and down the street, probably with zero
security precautions – i.e. wide open.
Since it is impossible to “Just say no to wireless,” wireless is an issue
organizations need to deal with. A common choice is to have a relatively
secure wireless network, separated from the main network by a firewall,
and regularly try to detect and remove any rogue wireless access points
set up by employees. Rogue wireless access points are extremely common, in
part because wireless access points are cheap – I recently bought a new
Linksys wireless access point for US$5 at a flea market!
Simply put, your security policy had better address wireless.
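One way to carry out the "detect rogue access points" step above is to compare a periodic wireless survey against an inventory of the access points you actually deployed, and to rank what is left over by how dangerous it looks. The following is an added example and not code from this newsletter or from any product it mentions; the CSV export layout, the inventory format, and every scan record in it are constructed for illustration.

```python
"""Flag rogue wireless access points by comparing a survey against an
authorized-AP inventory.

Added example, not code from the newsletter or from any product it names.
The CSV layout, the inventory format, and every scan record below are
constructed for illustration; swap in your own scanner's export.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ScanRecord:
    bssid: str     # radio MAC, normalized to lower-case colon form
    ssid: str
    channel: int
    security: str  # "open", "wep", "wpa", "wpa2" (as the scanner reports it)


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    kind: str      # "reconfigured", "impersonation", "rogue-open", "rogue"
    severity: str  # "high" or "medium"


# Assumed inventory format: BSSID of each deployed radio -> SSID it should advertise.
AUTHORIZED: Dict[str, str] = {
    "00:0c:41:aa:bb:01": "corp-guest",
    "00:0c:41:aa:bb:02": "corp-guest",
}

# Constructed survey export (not a real capture). Mixed MAC case is deliberate:
# scanners differ, so the parser normalizes before matching.
SAMPLE_SCAN_CSV = """bssid,ssid,channel,security
00:0C:41:AA:BB:01,corp-guest,1,wpa
00:0c:41:aa:bb:02,conf-room,6,wpa
00:13:10:cc:dd:03,linksys,6,open
00:16:b6:ee:ff:04,corp-guest,11,open
00:18:39:11:22:05,neighbor-net,11,wpa
"""

# Security modes that leave traffic readable or trivially crackable.
WEAK_SECURITY = {"open", "wep"}


def normalize_bssid(bssid: str) -> str:
    """Canonical form so "00-0C-41-AA-BB-01" and "00:0c:41:aa:bb:01" compare equal."""
    return bssid.strip().lower().replace("-", ":")


def parse_scan(text: str) -> List[ScanRecord]:
    """Parse the constructed CSV export into ScanRecord objects."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append(ScanRecord(
            bssid=normalize_bssid(row["bssid"]),
            ssid=row["ssid"].strip(),
            channel=int(row["channel"]),
            security=row["security"].strip().lower(),
        ))
    return records


def find_rogues(records: List[ScanRecord], authorized: Dict[str, str]) -> List[Finding]:
    """Compare what is on the air against what was deployed.

    Rules, in order:
      - known BSSID advertising an unexpected SSID   -> reconfigured (medium)
      - unknown BSSID advertising one of OUR SSIDs   -> impersonation (high)
      - unknown BSSID with no/weak encryption        -> rogue-open (high)
      - any other unknown BSSID                      -> rogue (medium)
    """
    corporate_ssids = set(authorized.values())
    findings: List[Finding] = []
    for rec in records:
        if rec.bssid in authorized:
            if authorized[rec.bssid] != rec.ssid:
                findings.append(Finding(rec.bssid, rec.ssid, "reconfigured", "medium"))
            continue  # deployed radio, expected SSID: nothing to report
        if rec.ssid in corporate_ssids:
            kind, severity = "impersonation", "high"
        elif rec.security in WEAK_SECURITY:
            kind, severity = "rogue-open", "high"
        else:
            kind, severity = "rogue", "medium"
        findings.append(Finding(rec.bssid, rec.ssid, kind, severity))
    return findings


if __name__ == "__main__":
    for f in find_rogues(parse_scan(SAMPLE_SCAN_CSV), AUTHORIZED):
        print(f"{f.severity:6} {f.kind:14} {f.bssid}  ssid={f.ssid!r}")
```

A survey only tells you what is on the air. An unknown BSSID may be a neighbour's access point rather than one plugged into your LAN, so the "rogue" findings need a second step before anyone goes hunting with a laptop: check whether the device's MAC address appears in your switches' address tables, or locate it by signal strength. The "impersonation" and "rogue-open" cases are worth that effort first, since an open AP or one spoofing your SSID is exactly the parking-lot exposure described above.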
Blogs:
Blogs are simple websites or parts of websites with reverse chronologically
ordered articles that typically contain a mixture of fact and opinion, much
like newspaper editorials. Blogs are usually updated very often and most
allow readers to post feedback as comments. There are currently over 25
million blogs and a new one is created every second. Business Week
proclaimed on their cover, “Blogs will change your Business,” and they are
right! Many companies have blogs or employee bloggers including Microsoft,
IBM, General Motors, and scores more. If you’ve never seen a blog, mine are
The Ted Rap and
Blogging For Business.
Many companies that have blogs have “Blogging Policies.” For example, IBM’s
Blogging policy is here:
http://www.corporateblogging.info/2005/05/ibm-blogging-policy-guidelines.asp.
Blogging Policy falls under the umbrella of security policy, just like
acceptable use policy, password policy, and data classification policy.
Although many companies embrace blogs and employee bloggers, many fear them.
The thought of employees blogging, perhaps about work or work issues, in an
open and public forum terrifies many. Who knows what they might write? What
if employees write about company secrets and other confidential information?
Let me add that if employees are publicizing company confidential
information, you have an employee problem, not a blog problem!
Every sizable organization, and most smaller ones, has employee blogs
whether they know it or not! Employees need clear guidelines about what is
and is not acceptable to protect both the organization as well as employees.
Simply put, your security policy had better address blogs.
Summary:
Just like death and taxes, wireless and blogs are inevitable in an
organization of any size. Security policy should address both topics!
Ted Demopoulos, Consultant and Professional Speaker, 603-231-8782 (cell)
_________________________________________________________________
This newsletter is Copyright © 2006 by Demopoulos Associates, Durham, New
Hampshire, USA. All rights are reserved, except that it may be freely
redistributed if unmodified.
Sharing securITy is encouraged if the copyright and
attribution are included.
The free newsletter of Demopoulos Associates,
www.demop.com