Revell Research Systems: Alastair Revell's Web Log
Alastair Revell is the Managing Consultant of Revell Research Systems, a Management and Technology Consulting Practice based at Exeter in the United Kingdom.
Tuesday, May 19, 2009

I periodically battle with SME clients who argue that no one really would want to “hack” their organisation – they are simply too small or too insignificant to warrant the effort. I suspect I am not alone and that many other advisers on IT have the same trouble persuading their clients of the very real risks they face.

The argument that is often recited is that when the partner or director was employed elsewhere, their previous firm was much slacker about IT security and had no problems whatsoever. The issue, of course, is that the goal of hacking has changed from destruction to utilisation: the aim now is to take unseen control of an organisation’s computing resources and to use them for crime. It simply doesn’t surprise me that there never seem to be any signs of compromise!

The BBC recently reported that security firm Finjan had tracked down a botnet with over two million machines under its control to a group of criminals working in the Ukraine. This particular botnet had even ensnared computing resources inside both the UK and US governments, which in itself raises concerns.

I suspect that firms that take few steps to lock down their workstations will have background malware undertaking all sorts of malicious activities. These infections will probably have managed to enter their sites via the web or email, which is increasingly carrying malicious content.

So-called drive-by attacks, in which a legitimate third-party web site is compromised to serve malicious content, are particularly worrying. Few organisations seem to scan inbound web content for malicious code, partly because of the impact this would have on browsing speeds. Those organisations that also don’t lock down their desktops so that users cannot install software run very real risks of users innocently and unknowingly installing something they really don’t want. Once such software is inside the firewall, most SME organisations have little or no defence, especially if the software is not strictly classed as a “virus” and is ignored by their anti-virus product.

A technical colleague in another firm drew my attention recently to Sophos’ Security Threat Report 2009, which provides examples of firms that have suffered attacks on their web sites. Some of these web sites would have posed risks to casual browsers of those sites as well as to those who had previously provided them with confidential information.

The list included such well-known names as ITV, a site selling Euro 2008 football championship tickets, the anti-virus firm Trend Micro, Cambridge University Press, Sony’s US Playstation site, the Association of Tennis Professionals’ web site as Wimbledon opened in the UK in June 2008 and the Business Week web site.

Unfortunately, I doubt that many SME business leaders with small (if any) in-house IT staff will actually ever get to read it.

However, the difficulty persists: many SME organisations believe that no symptoms means no underlying problems. I can see their dilemma. A bunch of (often external) IT professionals becoming excited about dangerous threats and advocating the spending of money in a recession is far from appealing, especially when, from a naïve perspective, the risks seem minimal.
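What “looking for symptoms” actually involves is worth making concrete. A machine under a botnet’s control shows its user nothing, but it does phone home on a schedule, and that regularity stands out against the irregular timing of human browsing. The script below is an added example and is not part of the original post or of any product it mentions: it reads a constructed web-proxy log (the IP addresses, host names and timestamps are invented for the example) and flags client/destination pairs whose connection timing is too regular to be a person.

```python
"""Spot periodic outbound "beaconing" in a web-proxy log.

Added example. The log format (timestamp client destination bytes) and every
line of SAMPLE_LOG are constructed for this illustration, not taken from a
real system. Client 10.0.0.37 contacts one host every five minutes with small
responses; client 10.0.0.12 browses at human, irregular intervals.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2009-05-19T09:00:00 10.0.0.37 update.example.net 312
2009-05-19T09:00:03 10.0.0.12 news.example.org 48211
2009-05-19T09:01:15 10.0.0.12 mail.example.com 2045
2009-05-19T09:05:02 10.0.0.37 update.example.net 310
2009-05-19T09:07:42 10.0.0.12 news.example.org 51900
2009-05-19T09:09:01 10.0.0.12 news.example.org 46380
2009-05-19T09:09:58 10.0.0.37 update.example.net 315
2009-05-19T09:15:01 10.0.0.37 update.example.net 309
2009-05-19T09:16:30 10.0.0.12 search.example.com 1200
2009-05-19T09:19:59 10.0.0.37 update.example.net 311
2009-05-19T09:25:03 10.0.0.37 update.example.net 313
2009-05-19T09:33:10 10.0.0.12 news.example.org 47020
2009-05-19T09:30:00 10.0.0.37 update.example.net 308
2009-05-19T09:58:25 10.0.0.12 news.example.org 50115
"""


def parse_log(text):
    """Parse 'timestamp client destination bytes' lines into tuples.

    Returns a list of (client, destination, datetime, bytes). Lines are kept
    in file order; find_beacons sorts per pair, so an out-of-order log is fine.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, nbytes = line.split()
        events.append((client, dest, datetime.fromisoformat(ts), int(nbytes)))
    return events


def find_beacons(events, min_connections=5, max_cv=0.15):
    """Return {(client, dest): (count, mean_gap_seconds, cv)} for regular pairs.

    For each client/destination pair with at least min_connections hits, the
    gaps between consecutive connections are measured. A coefficient of
    variation (std dev / mean) at or below max_cv means the gaps are nearly
    equal, i.e. a timer rather than a person is driving the traffic.
    """
    by_pair = defaultdict(list)
    for client, dest, when, _ in events:
        by_pair[(client, dest)].append(when)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = (len(times), round(avg), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (client, dest), (n, avg, cv) in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {dest}: {n} connections, every ~{avg}s, cv={cv}")
```

Run against the constructed log it reports only 10.0.0.37 talking to update.example.net every 300 seconds or so, while 10.0.0.12’s five visits to news.example.org are far too irregular to trigger. The caveat a practitioner would add is that legitimate software updaters and mail clients beacon too, so the host name in the hit is deliberately ambiguous: a hit tells you where to look, not that the machine is compromised.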

I was recently a guest at The Institution of Analysts and Programmers Spring Seminar in the London Docklands, at which Microsoft’s Chief Security Advisor in the United Kingdom, Ed Gibson, spoke. He is an engaging speaker, an attorney in the United States and a practising solicitor in England and Wales, as well as a former FBI agent. He has for some time been trying to raise awareness of these issues in the United Kingdom.

While listening to him, and while mulling over his thoughts at the (excellent) lunch that followed, I came to believe that we really do need some form of reliable reporting mechanism for attacks of the sort documented by Sophos, and that these need to become highly publicised, even if in an anonymised form.

SME business leaders need to have independently verified facts about the IT security risks they face that are both readily available and easily digested; and in a form that brings the message home.

More about Alastair Revell

Tuesday, May 19, 2009 6:37:15 PM (GMT Standard Time, UTC+00:00)
Category: Security | Comments [0]

Monday, November 24, 2008

The closure of the San Jose hosting company McColo Corp has had an amazing effect on the level of spam world-wide. A number of sources suggest that spam has dropped by around 66% in the last week or so.

McColo Corp is alleged to have been home to a number of command and control systems for a variety of botnets, some with more than 600,000 zombie computers under their control. Many reports also suggest that the company was hosting a variety of other nefarious web sites.

I understand two Internet Service Providers (ISPs) decided to act by effectively cutting McColo off from the Internet.

I have certainly noticed the dramatic drop off in daily spam. The amount of time spent world-wide dealing with junk email is huge and is an unwelcome drain on resources, especially as many businesses try and weather the current economic downturn.

I am quite surprised just how effective the action taken by these two ISPs has proved to be, although I doubt it will last for long. The spammers will find alternative ways to continue.

However, it does raise an interesting point about how effective this sort of action can be. Perhaps, we should look to legislate to make this kind of response much easier to take. I suspect that the amount of money saved globally by this action over the last week alone was quite staggering.

Long may the lull continue …


Monday, November 24, 2008 8:46:31 AM (GMT Standard Time, UTC+00:00)
Category: General | Comments [0]

Friday, October 31, 2008
Over the last couple of weeks, I’ve spent a couple of fun days at the University of Plymouth being a dragon! I probably need to explain …

Friday, October 31, 2008 6:17:23 PM (GMT Standard Time, UTC+00:00)
Category: General | Comments [0]

Tuesday, September 23, 2008
I was pleased to hear recently that both IBM and PGP have between them made a grant of £57,000 towards the upkeep of Bletchley Park. The BBC has reported that the “donation will help curate and restore exhibits at the National Museum of Computing in Bletchley Park, Bucks”. However, I suspect a good deal more is needed to keep the museum going.

Tuesday, September 23, 2008 10:29:01 AM (GMT Standard Time, UTC+00:00)
Categories: General | Security | Comments [0]

Wednesday, September 10, 2008
I think one of the long term problems that faces the IT profession is how we train new entrants to our profession. Established professions, such as law and surveying, have long had well-defined routes that graduates can take to become qualified.

Wednesday, September 10, 2008 5:46:13 PM (GMT Standard Time, UTC+00:00)
Category: IT Profession | Comments [0]

Monday, June 30, 2008

I suspect that at some point in the future, today may well be seen to be very significant! Why? Simply because today was the first day that Microsoft moved forward without its founder at the helm. (Bill Gates retired from Microsoft as an executive last Friday, although he still remains its non-executive chairman).

Changes of strategic leader are nearly always accompanied by big changes in direction, not necessarily immediately, but often relatively soon afterwards. This is even more evident when the strategic leader has been the organisation’s founder. Microsoft is clearly very keen to play down any hint of a change and I doubt there are any plans to be different at this stage, but I suspect that when we look back at some point in the future, the big changes will seem to have sprung from this period.

Obviously, the direction and stance that Microsoft takes will have a profound influence on the computing industry and business at large. It will be interesting to see how Microsoft moves forward and what those changes will be.


Monday, June 30, 2008 7:29:39 PM (GMT Standard Time, UTC+00:00)
Category: General | Comments [0]

Saturday, May 31, 2008

I can’t believe just how many web designers claim that their web sites are compliant with the standards when they are demonstrably not!

I’m talking in particular about the World Wide Web Consortium’s (W3C) standards for HTML and XHTML. You’ve probably seen their compliance logos proudly displayed on web sites that claim to comply. The standards are exacting and very unforgiving of slips in the code. A particular page either complies or it does not, but this is nothing particularly challenging for a professional discipline that is used to such binary situations.

The standards are important for all sorts of reasons, not least because there is a greater chance that more browsers will render the sites as intended, that search engines are more likely to index them properly and that people using less popular browsers because of their disabilities are more likely to be able to access them.

There are standards in many different professions and one thing you expect of professionals working in those fields is that they will work to them. Indeed, they would be unprofessional if they did not.

I find it contemptible that an increasing number of web designers will proudly place the W3C’s compliance logo, with a link to test the page in question against the W3C’s validator, which when clicked shows not just one or two errors but hundreds. The fact that they link to the validator when the page is riddled with serious errors clearly indicates that they have little regard for their clients.

Do not get me wrong. I know how hard it is to keep a web page compliant, particularly since many editing tools seem to delight in surreptitiously inserting non-compliant elements into them. However, there is a clear difference between a casual slip and complete disregard for the standards. It is those that are just sticking the badge on and misleading their clients that anger me.

What makes me so angry about this particular issue, though, is that it goes to the very heart of professionalism within our field. It must surely be a tenet in any profession that those in it do not misrepresent the truth to their clients or to the general public.

Saturday, May 31, 2008 2:56:25 PM (GMT Standard Time, UTC+00:00)
Category: Web Design | Comments [2]

Tuesday, March 18, 2008

I came across an interesting article by Bruce Lawson on The Web Standards Project web site about the UK Government Accessibility Consultation that was held by the Cabinet Office last November.

The consultation was clearly aimed at looking at ways of making .gov.uk web sites more accessible to people with disabilities. It proposed making it mandatory for government web sites to achieve Web Content Accessibility Guidelines (WCAG) AA-level compliance (presumably to meet European objectives for inclusive e-government).

The bit that caught my eye was the proposal that government web sites should face withdrawal from the .gov.uk domain if they failed to comply.

It occurred to me that a similar approach could be very effective at ensuring commercial .uk web sites comply with existing UK legislation (such as the Companies Act 2006 and the Disability Discrimination Act 2005). What if the Internet domains publishing web sites that failed to comply with UK legislation simply couldn't be renewed?


Tuesday, March 18, 2008 3:40:18 PM (GMT Standard Time, UTC+00:00)
Category: General | Comments [0]
