Thursday, April 26, 2007

Dems Debate in South Carolina tonight

If you haven’t heard, the Dems are getting together tonight for a little debate. Obama, Hillary, and John Edwards will be among the 8 candidates expounding on the issues tonight at 7PM on MSNBC.

I’ll be watching to see how far left John Edwards can swing trying to woo liberal voters in the South. His populist message should have businesses concerned if he does begin to make a dent in the lead held by Hillary and a fast approaching Obama.

Hillary will no doubt try to come off as a more personable candidate and look to regain some of the southern appeal that won her husband two terms in office. However, I am truly intrigued by Senator Barack Obama. While his voting record seems to indicate alignment with traditional democratic views, his speeches and demeanor have people on Wall Street thinking he might be a very favorable candidate.

It’s still very early, but with the nation concerned about current events, this debate should set the tone for hot-button issues for both parties.

DOW tops 13,000 on the way to 14K?

It is worth noting that the Dow Jones Industrial Average did close above 13,000 for the first time ever yesterday. It is also worth noting that most analysts do not foresee a slowdown anytime soon, and the average could be on its way to 14,000 before the end of summer. While the Dow only represents 30 blue-chip stocks, it has always been a barometer for the pulse of the general economy and, in particular, this year indicates a very positive earnings season.

Other stocks of note faring very well include Apple, up 6% last night after positive earnings. Coca-Cola and Pepsi were both positive, as was Amazon, moving up a whopping 27%.

Thursday, April 19, 2007

Campus Security

Campus security remains a high topic of discussion this week through all the major news outlets. Collectively, we share the deepest of sympathies for the victims and families of the tragedy that occurred earlier this week at Virginia Tech.

As a result, I would like to address the issue of educational security. It should be noted I am not addressing the specific issues that occurred at Virginia Tech, rather looking at the topic from a wide lens to highlight areas worth focusing on at every campus. I have, however, analyzed the events at Virginia Tech and have found similarities to events at quite a few campuses including my own experiences in 1996 at Johns Hopkins University, which included the shooting death of a fellow student, Rex Chao.

In order to address the needs, we need to understand what barriers stand in our way from properly securing campus environments. Campus security is not an easy task. You need to secure a wide area, enforce policy, and yet enable personnel movement between areas. You want to create an environment that exudes safety while offering the perspective of freedom for thoughts and interaction between the inhabitants and outside guests.

The threats/risks are varied. We must account for individual and group safety at all times. The threats can range from common theft and burglary to violent crimes such as rape, aggravated assault, or even disorderly conduct that could lead to injury. The more possible threats, the greater the security “net” has to be. Enhanced Video, Analytics, Call-Boxes, and Access Control are all measures that need to be evaluated and implemented.

With all that said, the biggest area of concern as a security professional is communication, both between security personnel and with security devices. Educational campuses share similarities with large corporate campuses by their need for efficient communication. Too many times today, as campuses expand, we find a “hodgepodge” of technologies in place as a result of disparate funding to separate departments each running their own mini-security operations center. This variance in technologies and systems creates problems when attempting to respond to a threat. Not only do the systems not communicate, but as a result of their make-up, they require individual policies for implementation. Therefore, we have separate systems working with numerous implementation procedures and varying triggering policies.

Campuses need to address centralizing their security procedures and security technologies. Security Management Systems that enable the integration of various technologies to create a standard protocol are essential for threat management.

Monday, April 16, 2007

Silverlight is illuminating

Just a quick note, in case you don't subscribe to Microsoft Blogs.

Microsoft has come up with a name for their new graphics platform, formerly known as "codename" WPF/E. The new platform, set to compete with Adobe Flash, is called Silverlight.

From a marketing perspective, an application that competes with (and actually surpasses) Flash, that is a cross-platform and cross-browser plug-in capable of supporting HD-type video, is something worth noting. The sample applications such as the video library and page-turn gizmo are really nice (and fast).

Of course, this application was not created solely for designing web-sites or making new whiz-bang presentations, but more likely designed also as a format to drive the next YouTube and be omnipresent in the evolution of the Network-TV-Internet led by YouTube and Joost.

Kudos to Mike Harsh and the rest of the guys at Microsoft.

Friday, April 13, 2007

Joost follow-up

By the way,

Viacom announced plans in February to host TV shows on Joost (see January Blog), but yesterday published specific shows in the Wall Street Journal, such as CSI, NCIS, and the Evening News with Katie Couric.

Also, interestingly enough, in a semi-related article, Robert Scoble talks about the next generation of targeted advertisement technologies on Scobleizer. These are ads that display in the border of internet video and are rotated, based on the content discussed at that moment.

We are fast approaching a time when traditional cable will become akin to the 8-track player, a nostalgic memory.

A good "Friday the 13th" scare

Geoff Kohl, of Security Info Watch, provided an interesting scenario on his blog today. Geoff, we have yet to meet in person, but I am a big fan of your work. We need more proactive persons in this industry to keep us moving forward. Biometrics and Analytics are great, but we absolutely need to have more discussions on policy and overall preventive measures from a “common sense” approach, especially in regard to identity theft.

For those who have not already, I encourage you to visit the blog topic. In short, Geoff describes a scenario in which a common laptop theft can cause great financial pain to an organization. One point, which Geoff absolutely nails, is that despite new hard-drive protections and encryptions, a host of sensitive data is still stored, or cached, on legacy systems. Laptops and PCs that do not have great protections depend on the organization and the user to be cognizant of the threat they represent.

Policies for data distribution need to be put in place at the admin level. Databases should not be allowed access to write or store information on networked PCs that could cause a threat. This can be achieved via proper network policies. We can secure a Data-Center much easier than common-area office space.

Also, developmental “test” servers should only host fictitious or “junk” data that cannot be compromised. It is when we become lazy in our testing that we fail to create false data and instead use old copies of client information.

Finally, mobile workstations must be equipped with hard-drive protections. IBM offers a great product as do several third-party software providers. Protection at the hard-drive level is the best security currently available for mobile units. This is not everything, but at least it's a start.

Great job, Geoff. We can always use a good scare on Friday the 13th.

My direct comments to Geoff:
Geoff, great narrative. These are the types of scenarios more CSOs, and maybe more importantly CFOs, need to be thinking about. It has been said many times, “Security is only as good as the enforcement policies behind it.”

No matter how great your Optical Turnstiles and Door Sense Monitors work, if you don't enforce passback, the technology is meaningless. The same can be said for data-security. The best bit-lockers and firewalls don't do anything for the employee who is not reprimanded for taking sensitive data home on his laptop or for leaving his PC in an unsecured location.

Granted, there is only so much we can do to prevent data theft, but as a collective group of security professionals, we have not done nearly enough.

Monday, April 9, 2007

Protection design offers insight to border security

We’ve been addressing immigration policy in the national press for the past few years, trying to find a balance between protectionism and our “melting-pot” heritage. For me, understanding the complexities of our current system is somewhat mindboggling, but it does offer some intriguing thoughts.

Today, Yuma, Arizona is the site of a “success story” when it comes to immigration management. At least that will be the mantra during President Bush's visit to the southwest border town. However, the question, as correctly raised by Yuma Sun’s editor Terry Ross in his weekend editorial, is "Has the overall illegal immigration issue improved?"

Yuma may serve as a case study to some who believe that security and sheer manpower (increased national guard presence) can solve our border issue, but that would be naive. Yuma more aptly can be likened to the metaphor of a cartoon dam that keeps springing leaks until you run out of appendages to plug all the holes.

As a simple security consultant, I won’t claim to know all the answers or solutions to the border issue, but I will say that comparisons to corporate security analysis are most certainly there. I have found myself addressing border security and immigration as if it were a modern facility in search of a security survey. Of course, to do this, prior to deciding on the force methods (manpower and technology) and the policy enforcement protocols (laws and punishments), you need to have an understanding of what is a risk and by whom.

Why a facility is at risk is of primary import for deciding how to protect it. There are different motivations for each type of facility. The goals for protecting a data center versus a meat packing plant versus a childcare center vary. All three should have forms of security, but each for different reasons. The data center may expect threats from identity thieves or corporate espionage while the packing plant wants to protect itself from liability of wandering persons, and a child care center worries about unauthorized exits as much as entries. Each requires different tools and technologies to address these issues.

So, why does the United States need protecting and who are the likely perpetrators? This question is very involved, but needs to be addressed as part of the overall immigration reform package set before Congress. Our primary concern as a nation is terrorists entering our country. However, efforts to track and identify their entry are masked by the thousands who cross simply in search of a better life. Terrorists are simply a needle in a haystack.

To filter the migration, we must address immigration incentive. “Incentive is the most important issue of illegal immigration, and that is where we need to begin.” Guest-worker programs, tax reform (i.e. fair tax plans), and a clear roadmap to citizenship would go a long way to alleviating the migration of illegal immigrants and would allow our force protection (manpower and technology) to focus on other threats such as terrorist entry. We have the technology to enforce mechanisms; we don’t have to cover it in red tape. Rather, we need to be transparent and consistent in our message.

Friday, April 6, 2007

Visa limit shows lack of planning for immigration

One thing I detest about management is an arbitrary decision-making process. I don’t care if you are a small business, a Fortune 500, or the Immigration and Naturalization Service for the United States of America; you need to have some thought behind your decisions.

As I have blogged about earlier, the limit on H-1B visas (the process for foreign citizens to work in the United States) was arbitrarily reduced to 65,000 slots. In 2006 this was filled up within weeks. This year the 150,000-application mark (more than double the limit) was reached within the first few hours. Most of these applications are from tech firms such as Microsoft, Intel, or staffing agencies looking to fill the gap of qualified design engineers and consultants.

This onslaught of applications prompted the US immigration service to announce that selections would be based strictly on an “ARBITRARY” lottery system. Therefore, the deciding factor as to who will enter our country and possibly add to or detract from our collective economy will be RANDOM. No prejudice towards education or experience, but just sheer luck-of-the-draw.

Now you cannot tell me that in a country with the greatest minds, companies, and ALGORITHMS in the world, we cannot come up with a thoughtful process for ranking, rating, and qualifying the applications for admission. If we are stuck with this absurd cap, the least we can do is qualify who makes the cut.

Monday, April 2, 2007

Security "Grows-up" in '07

Is the security industry maturing right before our eyes? Maybe. Sure, security itself is as old as dirt, but as a private industry it did not truly begin to evolve until after World War II. The American Society for Industrial Security (ASIS) was not even formed until 1956.

So how is it maturing in 2007? Well let’s analyze this past week’s ISC-West (International Security Conference) trade show in Las Vegas. The keynote was delivered by Guido Jouret, Chief Technology Officer of Cisco, and one of the highlight booths (at least for me) was none other than International Business Machines, commonly referred to as simply IBM. I dare say this is what the pundits might call CONVERGENCE. Are we finally seeing the big money IT firms take a stake in the Security industry?

Of course we are. The big money goes where big money can be made. Security, as a corporate industry, is now a player in B2B services. It has always been there, but with the events and technology development of the past 10 years, card access and CCTV monitoring have moved from a luxury to an absolute necessity. Throw in analytics, biometrics, and data-mining and it is a no-brainer to see IT take a vested interest in this evolving sector.

Thus, let’s ponder the technology on display at this year’s show.

Analytics: the term is as broad as employee-management. Every company with a camera and a digital recorder is touting their latest analytic package. This means the ability to “analyze” and to some extent interpret the digital data from video to elicit a response. Although it is not limited to video, as there are some progressive employee-management companies also using analytics to mine data from traffic patterns and access groupings, it is most commonly associated with the video side of security.

That being said, I was impressed with the ability of a couple of companies and their "analytic" development. One such company is Agent Vi (pronounced “Vee-I”) or Agent Video Intelligence. Formerly Aspectus, Agent Vi is the result of a calculated branding effort to stress true Video Intelligence without most of the price barriers associated with video analytics.

Of course, all of us in the industry should be cognizant of the movements made by Cisco since their acquisition of SyPixx in ’06. Their IP cameras have been designed with network security and bandwidth constraints in mind (see Security InfoWatch story).

Another video company that gets “it” when talking about convergence is IPVision (http://www.ipvisionsoftware.com/). This is a little company with some very big goals and unlimited potential. Look out for these guys and their top notch “edge” device management ability.

Finally, check out these other links for more info on this year's show.
www.SecurityDreamer.com
www.SecurityInfoWatch.com
www.ISCWest.com