October 29, 2007

(another) Huge Password Blunder - this time by Freehills..

Interesting reading recently with the news that local legal advisors, Freehills, appear to have compromised the process of selling around AUD $100M in assets on behalf of their client Commander.

An article in The Australian reported the incident as follows: "Freehills this week sent confidential passwords to almost 100 people connected to companies interested in bidding for some, or all, of Commander's assets. But in an embarrassing email glitch, each participant in a sale that has been code-named Project Larry was sent the passwords of every colleague, rival and adviser associated with the sale."

Um, OK. So Freehills have sent a copy of every potential bidder's username and password to everyone else. Apart from thinking they could have saved time and just used one shared account for everyone, I'm reminding myself that there is room for human error.

And of course, if there is commercially sensitive information available after gaining access, then of course there will be an appropriate level of security given the perceived risk.

After all, Freehills provide leadership in this area through their own client advice. Their website reads in part "Our approach is to find practical and commercially viable solutions to privacy and data protection issues." Really?

How about this little basic - if information has any significant commercial value then single factor authentication (eg username and password) on its own doesn't cut it. Whatever the human error, the basic step of adding a second factor would have meant the passwords in that email were not enough on their own to get in. Using a single factor to authenticate means everything required to access the commercial information can be found in one spot. And "found" they are - daily - via password sharing, post-it notes and mistaken emails.

I'm not sure if I'm alone, but I suspect Freehills may not be in Commander's good books. And a couple of their clients (and prospects) may just be taking another look. And when you think about it, that is a significant factor for them and, possibly, for you. Looking beyond the actual incident, what is the PR value of being exposed as the apparent source of a major security incident?

If you're a bricklayer, chances are that a) you won't have a major incident, but also b) if you do, it may not severely impact your business. After all, there's not that much critical client information the bricklayer will have. Except perhaps for credit card information, but if you're dealing with a brickie with a bad track record then you can always choose to pay by cash, cheque or direct deposit.

But if your business is trusted with significant commercial information relating to your clients then the ramifications can be far worse. It can spell the end of the organisation - even sizable ones. It can also affect factors such as share price, the ability to attract (and keep) clients, and the confidence of employees, shareholders and suppliers.

So what to do? Essentially it comes down to risk - exactly the area where Freehills is advising clients. I'm no expert in that specific area, but as a general rule I'd say multiplying the cost of an "incident" by the probability of an incident occurring will give you a guideline (an expected loss). Then identify the means by which you can reduce that probability, factor in the cost of implementing those means, and you have a workable model. Albeit quite basic! I'm also sure there's plenty of more thorough models around should you care to look. (Find some, let me know!)

The obvious tool to start with is stronger authentication. There are a number of inexpensive tools around now that make it much easier. No, it's not bulletproof, but it will require someone to go to reasonable lengths to circumvent it, and it would stop a mistake like the one above from handing out working logins. In fact, for a tiny amount of expenditure the outcome could have been much different (and saved me this rant)!
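As an added illustration (my own example code, not anything from the original post, from Freehills or from any product mentioned here), this is what a one-time-password second factor changes: the password hash and the token secret are held separately on the server, so a login that presents only the password - the thing that went out in the email - is refused, and a code that has already been used is refused as well. The HOTP function follows RFC 4226 (HMAC-SHA1 over a counter with dynamic truncation, using the RFC's published test secret); the account store, the username, the password, the look-ahead window and the `demo()` walk-through are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class UserStore:
    """Minimal in-memory account store (constructed for this example).

    The password is kept only as a salted PBKDF2 hash; the OTP secret is a
    separate piece of data that never appears in any login email."""

    ITERATIONS = 50_000

    def __init__(self) -> None:
        self._users = {}

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def enrol(self, username: str, password: str, otp_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "otp_secret": otp_secret,
            "counter": 0,  # next HOTP counter value the server will accept
        }

    def login(self, username: str, password: str, otp: str = "", window: int = 3) -> bool:
        user = self._users.get(username)
        if user is None:
            return False
        if not hmac.compare_digest(self._hash(password, user["salt"]), user["pw_hash"]):
            return False
        if not otp:
            return False  # the password alone is not enough
        # Accept the next `window` counter values so a token pressed without
        # logging in does not lock the user out; on success move past the
        # used counter so the same code cannot be replayed.
        for c in range(user["counter"], user["counter"] + window):
            if hmac.compare_digest(hotp(user["otp_secret"], c), otp):
                user["counter"] = c + 1
                return True
        return False


def demo() -> dict:
    """Walk through the leaked-password scenario against the two-factor store."""
    store = UserStore()
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret (constructed enrolment)
    store.enrol("bidder1", "Larry2007!", secret)  # hypothetical bidder account
    return {
        # What a recipient of the leaked email can do: password only.
        "password_only": store.login("bidder1", "Larry2007!"),
        # What the legitimate user does: password plus the token's current code.
        "password_plus_token": store.login("bidder1", "Larry2007!", hotp(secret, 0)),
        # The same code presented again is refused (counter already advanced).
        "replayed_token": store.login("bidder1", "Larry2007!", hotp(secret, 0)),
        # The next code from the token works.
        "next_token": store.login("bidder1", "Larry2007!", hotp(secret, 1)),
        # A valid token code does not rescue a wrong password.
        "wrong_password": store.login("bidder1", "guess", hotp(secret, 2)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'refused'}")
```

The point of the window and counter handling is the part that is easy to get wrong in a home-grown version: if the server does not move the counter forward after a successful login, an intercepted code can be replayed, and the second factor buys much less than it appears to.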

October 22, 2007

Trip Wrap - Part 1

OK, so I may have been a little optimistic thinking that there would be a few posts here during last week's trip. The hectic schedule meant time only for the critical stuff - keeping things ticking over back home. So what did we do?

LA (Sat) - off the plane and to the hotel. Resist the urge to sleep, and instead go downtown on the bus and do the touristy stuff around Hollywood. A nice dinner at Manhattan Beach (Italian!).

San Diego (Sun-Mon) - Arrive around 1pm on the Sunday from LA and we decide to go to the football for the Chargers vs Raiders clash. No idea if we'll get in! We tried to get tickets prior but this has been sold out for ages. Luck - and cash - are on our side as we buy some tickets on the trolley for a little over face value. Well and truly worth it. The noise is amazing. Seventy thousand there, but it sounds like more. Chargers get up and there's lots of high fives amongst the crowd, who seem much more into it than we see down here in the AFL.

Speaking of that, on the way back to our hotel from the game we see a couple of the Collingwood players. One was a little shocked to hear "no probs" in our Aussie accent after he said "excuse me". Then out to the Old Town for an excellent Mexican dinner - and some huge tequilas.

Monday we visit the folks at Akonix and find them very helpful. We haven't done much on that front yet, but they have a great product. It's definitely one for this time forward!

Boston (Tues - Wed) - Ah, the joys of an overnight flight. After just catching the connecting flight to Boston from San Francisco we land in Boston at around 8am, jump in a taxi, check in, have a shower and go to the Imprivata partner conference. We're there by 9:05, which is pretty damn good in our (humble) opinion. Lots of good ideas shared by employees, partners and customers alike.

It was an interesting day, despite our attention span which was a little under par. Presentations from staff, other partners and clients made for an interesting mix of perspective.

The Tuesday night is at the karting track at "Boston Formula 1". Great fun, with the Europeans leading the way. Note to self - lose some weight and you'll go faster!

October 11, 2007

Grey

My partner found her first grey hair today. Well, the first growing one that hadn't fallen off me. I reckon she's lucky; mine was at age 14, and I stuck it up with Blu-Tack on my bookshelf, where it stayed for many years. Odd.

October 10, 2007

On Tour

Well, having just started jotting on this site it's going to be a struggle to keep the rate up over the next week. Then again, it may be even more productive. And the reason? Well, in a couple of days I'm (we're) off to the States on something of a whirlwind tour.

A day in the slightly surreal chaos of LA, and down to San Diego the next morning. Haven't really spent much time there, so looking forward to a nice Sunday there before catching up with the folk at Akonix the next day. We were hoping to catch the Chargers vs Raiders game on the Sunday, but ticket availability is appearing to be a very large obstacle!

Then the overnight flight traversing from the south-west to north-east. Looking forward to it! On arrival in Boston we head straight to the Imprivata partner conference. At the risk of sounding a little repetitive, I'm also anticipating this conference. Whether the feeling is the same as we land at around 7am and head straight to conference kickoff at 8am is another thing entirely. And if the driving's bad at the karting session that evening it won't be entirely unexpected.

Thursday is a quick look around New York. One day is about two months too short.

Friday is across to Seattle and the "old crew" at Attachmate. Well at least I think there's a couple of people left at 1500 Dexter Ave Nth from the WRQ days. With any luck we may even get a chance to cruise around Lakes Union and Washington - depending on whether a couple of other meetings are confirmed.

And that's it - straight back to Melbourne and work at CoreSight on Monday!

So hopefully there will be lots of exciting and interesting posts. But then again, I may be sleeping.

Single Sign-On and all that

This is really not so much of a post, as a link to a basic overview of enterprise single sign-on (ESSO or SSO) that I put up on the Squidoo site a little while back. So before I go too far, here's the link:

The (Unofficial) Executive Guide to Single Sign-On

So what are the lessons to be learned from the article? Well, firstly, that there's a fair bit of background to consider before we even get to single sign-on in a business environment. Things like existing directories and authentication methods are critical, as is the way any SSO integrates with them. There's also the consideration of applications. Typically web and client/server apps are pretty simple to SSO into. Legacy apps using terminal emulation can create challenges, as can Java apps with multiple libraries. None insurmountable.

I'd be interested in your opinions on SSO systems you've used, from an implementation, administration or user perspective, and whether it's been part of an all-encompassing identity management project or a focussed SSO project.

Little steps

OK, so we need to start somewhere here. Is this going to change the world? No. Actually perhaps by a tiny amount, but only if you want it to. More likely it will serve as a mix between diary, comment on a few areas of interest and at least a reasonable level of understanding, and as a resource for when I'm trying to find that article or site I was captivated by a while back.

So what's in it for you? Bloody good question. I suppose it depends what you want out of it ... but I suspect it will be highlighting the odd well-buried, interesting or obscure IT security snippet, a take on something in the (local) sporting world, or a slightly different take on something mundane.

I suppose time will tell.