The threat from within

How paranoid are you?

No, I’m not a psychologist, but I can tell you people really are out to get you. What people? Why, your friends and colleagues–everyone you work with.

It’s nothing personal. It’s simply human nature. So if you’re tasked with keeping your organization secure, a touch of paranoia is healthy.

The fact is, the worst threat to your organization’s security comes from within. People are naturally curious, and if they know confidential information is stored on your network, some of them are going to try to access it. The question is, how easy do you make it for them to do so?

Take your network infrastructure, for instance. If you have a shared network fabric, using hubs in a star topology, do you realize that anyone with a software protocol analyzer can scan packets for an entire subnet? Those packets often contain unencrypted passwords and sensitive data. A switched network is less subject to that problem.

Do any of your users have modems on their desktop PCs? If they use modems to dial in to your network, they’re opening a back door for themselves (and potentially for hackers) that your firewall will never see.

Do you take advantage of your e-mail server’s encryption capabilities? Most organizations don’t, because encrypting and decrypting every message can be a performance drain, but doing so can help keep confidential information private while in transit.

Do you keep your server room locked? It may be convenient to leave it available for people to pick up printouts and visit with operators, but anyone can sit down at a server console to which an administrator is logged in and view any information stored on it. You should keep your backup tapes under lock and key, too.

Do you look at your security logs? You probably log all kinds of security information automatically–that’s something computers do very well. But do you check those logs for suspicious activity? If your logs are too full of data to make unusual events stand out, you need to reconfigure the kind of information you’re trapping.
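The log-review point above is easier to see with a concrete filter. The following script is an added example and is not part of the original column: it reads a constructed, syslog-style authentication log (host names, users and addresses are made up) and keeps only logon events, then flags the three things a reviewer would want to notice at a glance: bursts of failed logons from one source, a success that follows such a burst, and successful logons outside assumed working hours. The thresholds and the 08:00 to 18:00 working window are assumptions to be tuned per site.

```python
"""Surface suspicious events in an authentication log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout; not real data.
SAMPLE_LOG = """\
Apr 16 02:13:01 fileserver sshd: Failed password for admin from 10.0.5.17
Apr 16 02:13:04 fileserver sshd: Failed password for admin from 10.0.5.17
Apr 16 02:13:07 fileserver sshd: Failed password for admin from 10.0.5.17
Apr 16 02:13:09 fileserver sshd: Failed password for admin from 10.0.5.17
Apr 16 02:13:12 fileserver sshd: Accepted password for admin from 10.0.5.17
Apr 16 09:02:44 fileserver sshd: Accepted password for jsmith from 10.0.2.8
Apr 16 12:30:10 fileserver cron: session opened for user backup
Apr 16 12:30:11 fileserver cron: session closed for user backup
Apr 16 13:45:00 fileserver sshd: Failed password for jsmith from 10.0.2.8
Apr 16 13:45:20 fileserver sshd: Accepted password for jsmith from 10.0.2.8
Apr 16 22:51:33 fileserver sshd: Accepted password for operator from 10.0.9.41
"""

# Only logon outcomes are of interest here; every other line type is noise.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_auth_events(text):
    """Return the logon events in the text; non-matching lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which
        # is harmless here because only time differences are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({"ts": ts, "host": m.group("host"),
                       "result": m.group("result"),
                       "user": m.group("user"), "src": m.group("src")})
    return events


def find_failure_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Map (user, src) -> end time of a run of >= threshold failures
    that all fall inside one window (assumed thresholds)."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[(e["user"], e["src"])].append(e["ts"])
    bursts = {}
    for key, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[key] = times[i + threshold - 1]  # latest burst end
    return bursts


def find_success_after_burst(events, bursts, window=timedelta(minutes=5)):
    """Successful logons that follow a failure burst from the same source."""
    hits = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        end = bursts.get((e["user"], e["src"]))
        if end is not None and timedelta(0) <= e["ts"] - end <= window:
            hits.append((e["user"], e["src"], e["ts"].strftime("%H:%M:%S")))
    return hits


def find_off_hours_logins(events, start_hour=8, end_hour=18):
    """Successful logons outside the assumed working window [start, end)."""
    return [(e["user"], e["src"], e["ts"].strftime("%H:%M:%S"))
            for e in events
            if e["result"] == "Accepted"
            and not (start_hour <= e["ts"].hour < end_hour)]


def review_log(text):
    """Reduce a raw log to the handful of events worth a human's attention."""
    events = parse_auth_events(text)
    bursts = find_failure_bursts(events)
    return {
        "events_kept": len(events),
        "bursts": sorted(bursts),
        "success_after_burst": find_success_after_burst(events, bursts),
        "off_hours": find_off_hours_logins(events),
    }


if __name__ == "__main__":
    for name, value in review_log(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run against the sample, the script keeps nine logon events out of eleven lines, reports one failure burst (admin from 10.0.5.17) followed by a success three seconds later, and two off-hours logons. The point of the design is the one the column makes: the parser deliberately discards line types that cannot indicate the behaviour being hunted, so that what remains is short enough for a person to read every day.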

How do you keep your most privileged users, your system administrators, from turning rogue? There’s very little you can do–if you have suggestions, I’d like to hear them. I recommend having two administrators with overlapping duties, meaning each implicitly keeps an eye on the other.

What do you do with your old PCs?

Usually I spend some time in this space suggesting ways you can enhance the return on your IT investments or improve your work environment. Today I’m going to talk about how to improve the environment we live in.

What do you do with your old PCs? As Jonathan Skillings reports, the problem of computer junk has become increasingly serious, considering the ubiquity of computers nowadays and the fact that the average work computer has a life of only three to five years. Because computers are constructed using both precious and toxic metals, they are inappropriate for landfills. Even if you could find a landfill that would take your old computers, it’s a labor-intensive process to separate the valuable from the dangerous.

The problem is that, while many talk about recycling PCs, few are actually doing much about it.

Some organizations sell or donate old computers to their employees. That’s a worthwhile endeavor, but if you choose to do that, don’t forget to wipe out all the data on your hard drives. If you don’t, you may be releasing old documents and programs unintentionally. On the other hand, if you leave the drive intact on purpose, be sure to transfer the licenses for any software on the computer to the new owner.

You can also donate your old computers to a worthy cause. The agencies in this directory facilitate donations of used computer hardware to schools and community groups. Computer recycling organizations and charities also accept old computers. In addition, the National Recycling Coalition has some suggestions, as does Carnegie Mellon University. Those lists should help you get started.

I know of a few worthy organizations myself that I’d recommend right away. The National Cristina Foundation provides computers to the physically and economically disadvantaged. Computers for Youth gives computers and support to economically disadvantaged children and their teachers. And Tech Corps works to wire up schools.

And don’t forget your laptop batteries. Once they run out of juice, the Rechargeable Battery Recycling Corp. can tell you what to do with them.

It’s always worth looking for ways to better the environment, but it’s particularly timely now, since Earth Day is this coming weekend. If you really want to make a difference, visit a local event. If you don’t see information on recycling computers, volunteer to be a resource for your area. As someone who faces the problem at work, you’re especially well-qualified to help out in the community.

You may not be able to save the world single-handedly, but you can make a difference in your own sphere of influence.

Vetting the vendors

Here’s a little business test for you. Which best describes your organization’s purchasing preferences?

  • I like to buy best-of-breed products.
  • Buying from just one vendor lets me leverage synergy between devices and applications from a single source.

In times of plenty, it’s easy to take the first approach, but now that times are tight, perhaps it’s time to reconsider. The leverage you can gain on volume purchases can significantly lower your total cost of ownership, because vendors are more anxious to move that inventory and make their quarterly numbers.

Still, it’s a dilemma. When you make a policy decision to designate a preferred vendor, you give up some flexibility in return for easier integration and, one hopes, a better financial deal.

Actually, the integration argument doesn’t always hold water. Most of the large vendors pad out their product lines through acquisitions, and depending on how recently a division was purchased, the parent may not have had time to integrate a point product with the rest of its product line. Be sure to uncover those management and interoperability issues before shelling out money simply on the strength of a familiar label.

Of course, sometimes you have no choice but to branch out from a happy single-vendor haven. Not all vendors supply the broad spectrum of devices you need to run your enterprise network. But if you purchase your switches and routers from Cisco, Nortel Networks, Enterasys (formerly Cabletron), IBM, or another infrastructure giant, chances are that that vendor will be able to meet most of your needs, and its hardware will be on your short list of products to evaluate for firewalls, load balancers, and other devices.

That corporate attitude makes it harder for worthy startups like Foundry or Extreme to compete. Startups have to be a step above the usual suspects if they hope to gain a toehold in many companies. They often are able to do so, thanks to innovative ideas and the ability to put them into practice. But check out an unfamiliar vendor’s technical support response time and staff knowledge before you buy, even if you’re satisfied its product is technically superior.

Another argument in favor of the single-vendor solution is accountability. If you run into problems in a patchwork network, each vendor tries to point a finger at others before taking responsibility for tracking down problems. If your equipment comes from the same source, you know who’ll have to minister to it.

Sometimes the question of which way to turn comes down to budget. On the one hand, you’re likely to get volume discounts from a vendor who provides you with large volumes of equipment. On the other, smaller players need to be nimble on pricing to compete. Often you can play off one argument against the other when negotiating prices with vendors. Never take the list price as the last word.
