Tuesday, April 28, 2009

Are Your Admins Accountable?

A comprehensive security process protecting critical assets needs to follow a basic outline such as this:
  • Prevention
  • Detection
  • Reaction
  • Correction

Access to servers is one area where I see this process break down all the time. First, people reasonably Prevent access with passwords. However, they use a common account such as Administrator, which seriously weakens the Detection and Reaction steps. If every system administrator is using the same privileged account to do their work, there is no accountability (a key component of detection) and no reasonable ability to React when something goes wrong.

CIOs, don't let your admins grow up to be cowboys! Make it a policy and practice to require that system administrators use their own accounts to perform their jobs.

Monday, April 20, 2009

SharePoint Designer is Free

SharePoint has taken the world by storm. At almost all of our clients, SharePoint has been deployed or is being discussed, and this phenomenon is happening everywhere. SharePoint Designer is one of the key tools that you can use to customize the SharePoint experience without coding. Download it for free here. You can also use SharePoint Designer to do traditional HTML programming.

Thursday, April 2, 2009

Two-factor authentication comes to Main Street

Security can be a wonderful thing, and if it is well thought out, it does not have to be onerous.

I have seen an increase in the number of merchants who are asking me for my billing zip code when using my American Express card. Walmart has been doing it for years. Many gas stations have started, and last night Walgreens asked me for the first time.

This is a great example of intelligent two-factor authentication. The transaction relies on “something I have,” the credit card, and “something I know,” the billing zip code, which is easy for me to remember.

This is much more effective than a signature because the credit card processor can easily validate my zip code as compared with analyzing handwriting. If security involves a cycle of:

  • Prevention
  • Detection
  • Reaction

the use of the zip code raises the ability of the bank and merchant to prevent and detect a fraudulent transaction.

Several years ago someone stole my credit card and spent about $300 before I noticed the next morning that the card was gone. Had the thief been asked my zip code, he never would have been able to order that $50 meal at McDonald’s. Let’s hope that more merchants follow this protocol and we see a drop in credit card theft, saving all of us money in the long run.