Reporter's Notebook: IT Security
- 08 August, 2002 12:02
The Plague of Password Typos
It's a bummer when employees forget their passwords or get locked out of a system because of password typos. And it's even worse when the network administrator has to be summoned at 2 am to reset the password.
That was a weekly occurrence for Jeff Bair, senior LAN administrator at American Color Graphics, a printing unit of ACG Holdings in Brentwood, Tennessee. So he turned to the Password Station.Net 2.0 software from Avatier in San Ramon, California. A Web-based interface allows end users to securely and easily reset their forgotten passwords, set new passwords and unlock their accounts -- all without IT intervention.
Before, employees frequently locked themselves out of their own accounts by leaving the caps lock key on while typing their case-sensitive passwords, Bair says. And when an employee was locked out of the system, it could mean missed printing deadlines.
Bair obviously likes the self-service nature of the software, as well as the ability to check whether the password meets his security policy.
"It frees up time for me to work on other projects. And my wife wasn't liking those 2 a.m. calls either," Bair says.
Managed Security Services: Take It In-house?
Managed security service providers in the traditional mould -- where the service is provided from a remote operations centre -- are struggling and consolidating. The wave of the future, says Thomas A Gluzinski, CEO of Paladin Technologies in Schaumburg, Illinios, is to bring that same expertise to the user's premises.
That's what Paladin is doing in the federal sector, and Gluzinski claims that the practice will also take hold in the commercial sector. The service provider brings in its own expert staff or hires the existing security staff, but either way, they stay on-site to handle security chores.
"These are people who know and understand firewalls, intrusion detection and signatures for attacks. Quite frankly, there aren't a lot of people out there with that skill set," Gluzinski says.
He says another hot trend is getting security assessments from service providers such as Qualys on a subscription basis. Redwood Shores, California-based Qualys says that companies such as Deloitte & Touche LLP and Tower Records have signed up for its managed vulnerability assessment services.
Open Source Helps Hospital
It's important for a leading health care facility to protect sensitive medical information from hackers, so getting an intrusion-detection system (IDS) may seem like a no-brainer.
Mount Sinai School of Medicine in New York took the approach of using an open-source IDS: the OpenSnort Sensor appliance from Sourcefire in Columbia, Maryland.
Ken Redman, computer operations manager at the school, says he likes the open-source nature of the product. "Configuration is easy because it's open source. I can take a rule out or add one in," he says. And setup took only 20 minutes, Redman adds.
In terms of security, OpenSnort has demonstrated the huge number of probes and viruses that have tried -- and failed -- to get into his systems, Redman says. "We get hit with the Code Red virus every day, but it's been stopped [externally]," he says. "That just floors me. It's not gone."
Getting digital certificates for e-commerce transactions can take three to five days using conventional vendors. But that wasn't fast enough for Tim LeGrand, owner of Superior-Host International, an Indianapolis-based Web hosting company for online merchants. He says the delay has cost him customers.
So LeGrand is using QuickSSL from GeoTrust in Massachusetts. GeoTrust's Secure Sockets Layer (SSL) product provides fast delivery of 128-bit, SSL digital certificates for encrypting communications between Web browsers and servers. The company's authentication systems process and respond to certificate requests automatically -- within 10 minutes.
LeGrand says the new certificate can be installed and running in about 30 minutes, a convenience customers appreciate.
He says the process is faster with GeoTrust because business information is collected via online forms, rather than from numerous faxed documents. LeGrand says he's satisfied that the GeoTrust process is sufficient to prevent fraud.
Security as Byproduct
Sometimes, better security is the byproduct of another IT effort. For example, Orem, Utah-based Morinda is migrating to the Microsoft Exchange 2000 platform by the end of this month, with help from bv-Control from Houston-based BindView. The product helps administrators manage Microsoft Exchange environments.
One result is that Jon Williams, global information systems administrator at Morinda, has a better handle on his company's e-mail system. Using the BindView software, he can monitor the content of e-mail messages and control access and permissions, he says.
"And if there's a dangerous e-mail -- like a message from an employee quitting or a virus that the antivirus software doesn't pick up -- I can kill those e-mails in one fell swoop," Williams says.