Similar documents
 Found 20 similar documents; search took 31 ms
1.
Patch Management     
Imagine this scenario. As a security manager for your organization, your responsibilities include analyzing and applying patches to all Windows servers across the enterprise. Your process is going to each machine and manually evaluating what patches are missing and installing the most critical security patches as soon as possible. How long does this take? One hour per server? Two hours? Maybe more? How many patches are critical? How often do you do it? And, how many servers do you have? It doesn’t take long to do the math to realize that your battle may be a futile one to keep up with the most critical, let alone every, patch that’s released.

2.
It should be clear that many things drive an enterprise architecture's (EAs) value and that the EA effort provides you only the opportunity to create value. Organizations that have discovered this the hard way may be saddled with a failing EA. It is not necessarily too late to revive it. By improving the architecting process, strengthening your chief architect's competencies, or refining the architecture products, you will eventually reenergize the EA and make it successful. The value assessors give you an idea of the work involved, but they are only a framework. How much value an organization actually gets from its architecture depends on many factors. Nonetheless, knowing what makes an architecture valuable will provide you with a solid foundation for the difficult job ahead

3.
Abstract

Imagine you are an information security manager and your boss is asking: “How secure are our information systems? Is the security getting better or worse? How do you know that?” One thing is sure: if you do not have a good answer, your own job may not be secure. You could answer that you are monitoring intrusion attempts and investigating alarms, that you are updating the anti-virus software on a regular basis and applying software patches on a timely basis, but that was not the question. Your boss wants to know not only what you have done to lower the risk, but how effective you have been. It is all about process, measurements, and trend monitoring.1

4.
Jon David 《Network Security》1996,1996(11):9-12
The opinion of many truly knowledgeable in the areas of security in general, and Internet security in particular, is that the only true security will come from full encryption. If the messages you send are encrypted, what does it matter if they are intercepted and viewed by unauthorized individuals? If an intruder breaks into your system or network and finds that all files are encrypted, what secrets will leak, what vital information can be altered without user knowledge? If your encryption algorithm is solid, and your encryption keys are both good (i.e. not readily guessed) and secure (i.e. not readily stolen — not written on a post-it note on your VDT, not written on the last page of your desk diary, not kept in a clear text file on your disk or sent in clear text on a LAN, etc.), and if you maintain complete, current and correct backups of all critical files (which you should certainly do, independent of any Internet connectivity), then at worst you may suffer inconveniences as a result of security breaches.

5.
Jones  C. 《Computer》1995,28(6):86-87
If you were the vice president of software in a company with 10,000 software personnel, what would you do to make sure your software team had state-of-the-art tools and methodologies? At a more fundamental level, how would you and your staff even find out what they are and whether your current tools and methodologies are good, bad, or average? That is the crux of two major challenges to the software community: How do we evaluate tools and methods for effectiveness? How do we deploy better tools and methods once they have been identified? Unfortunately, the software industry lacks standard measurements and benchmarks for evaluating the effectiveness of programming tools and languages, design approaches, or almost any other kind of technology. Purchasing and acquisition decisions are often made on the basis of unsubstantiated vendor claims. Moreover, once a new tool or methodology is acquired, deployment is often slow. Tools are acquired without considering training needs, or if training is considered, it's not readily available due to schedule pressures

6.
《EDPACS》2013,47(9):18-19
Abstract

Whether you are responsible for ensuring the availability of your enterprise network or you are a chief technology officer or information security manager, you will likely ask yourself these questions: How much should I spend on security? Am I more secure today than I was yesterday? What metrics can I use to measure whether my security is improving or not? When can I stop patching so I can get back to doing real work?

7.
8.
Emma  P. 《Micro, IEEE》2005,25(5):79-81
In the previous paper, the author discussed the three criteria for patentability: novelty, usefulness, and nonobviousness and the practical value of obtaining a patent in terms of discoverability - the ease with which infringement can be determined, and in terms of avoidance - the ease with which a potential user of someone's invention could achieve similar results without using that invention. In this paper, the author continues the discussion of the practical value of a patent. Suppose that you have decided that your invention is novel, useful, and nonobvious. Further, suppose that you have decided that your invention is unavoidable (that is, it is the only reasonable way to do whatever it does), and that infringement would be easily discoverable. The remaining questions as to whether to proceed with a patent application are: Who would be likely to use your invention? Based on your answer to #1, what is the value to you of owning the patent? How much will it cost you to obtain the patent? Will your patent stand up in court if it is challenged?

9.
During the time around New Year, many pause to reflect what was and what will be. ‘What was’ is out of your control and a fond or sad memory. ‘What will be’ is where you will spend the rest of your life. The good news is you have sufficient control to make a fond memory for yourself and a sad one for your competition. Isn’t that a happy thought to ring in the New Year?

10.
Congratulations. By now your company has completed (or is about to complete) one of the most difficult and consuming projects in the history of its existence—the dreaded Year 2000 remediation process. If you are like most people saddled with the responsibility of managing corporate risks or ensuring business continuity, you probably can't ignore the nagging feeling that you may have forgotten something. Perhaps you have the uneasy feeling that not all of your suppliers were completely honest with you. Or maybe you can't guarantee that your test plans were absolutely foolproof. Or, if your company recently acquired another entity, you may not be completely certain that they have found and fixed all of their Year 2000 problems. What steps do you take to help ensure that you have filled all of these gaps? What actions can you take to leverage all of the time, money, and energy that has been invested in your company's Year 2000 effort to prepare worst-case scenario contingency plans? Have you considered a model-based approach to risk management and contingency planning?

11.
Abstract

To be consistent with the buzzword of current processing, I want to make this column as interactive as possible. You will find my personal e-mail address at the end of the text — you can communicate your thoughts on what I write, what subjects you would like to see explored, and pose questions as you see fit. Of course, you can also take shots as you feel the need (as if a person giving out an e-mail address does not expect that to happen!). However, if you have a problem with anything you read here (or do not read here), I will expect you to include suggestions as to what might be done to improve things and be more responsive to our readers. Sorry, we do not acknowledge griping for the sake of griping; leave your flamethrower at home.

12.
RFID: a technical overview and its application to the enterprise   Cited by: 11 (self-citations: 0, citations by others: 11)
Weinstein  R. 《IT Professional》2005,7(3):27-33
Radio frequency identification (RFID) offers tantalizing benefits for supply chain management, inventory control, and many other applications. Only recently, however, has the convergence of lower cost and increased capabilities made businesses take a hard look at what RFID can do for them. This article offers an RFID tutorial that answers the following questions: i) What is RFID, and how does it work? ii) What are some applications of RFID? iii) What are some challenges and problems in RFID technology and implementation? iv) How have some organizations implemented RFID?

13.
Lawrence  S. 《Software, IEEE》1997,14(3):102-104
The software engineering literature is full of research reports that relate the conclusions of case studies, surveys, and formal experiments. But it is not always easy to tell which results apply to you. When results conflict, how do you know which study to believe? To understand how to sort through these studies, and decide if you should perform your own study, the author has put together the Non-Trivial Pursuits game board, that tells you when you have enough information to draw a valid conclusion about a relationship between factors. To begin, suppose your project team is interested in improving the quality of the code it produces. You want to determine what factors improve quality so that your team can use appropriate techniques or tools to generate better code. Your first attempt to find out what affects code quality is to examine population studies, in which characteristics of a large developer population are examined for associations among variables

14.
“Computer equipment is hard to choose, install, maintain, and, especially, operate” (Landauer 1995 In: The trouble with computers: usefulness, usability, and productivity). How many cables did you have to connect (and organise) before the personal office system was properly installed and put into use? How many set-up procedures and agreements did you have to complete before you could access your e-mail with your mobile phone or PDA? Did you lose any documents or applications when you replaced your old computer with a new one? Computers, mobile devices and information technology products are sometimes difficult to put into use because of the several operations required prior to their first use.

15.
In HCI research there is a body of work concerned with the development of systems capable of reasoning about users’ attention and how this might be most effectively guided for specific applications. We present eight issues relevant to this endeavour: What is attention? How can attention be measured? How do graphical displays interact with attention? How do knowledge, performance and attention interact? What is working memory? How does doing two things at a time affect attention? What is the effect of artificial feedback loops on attention? Do attentional processes differ across tasks? For each issue we present design implications for developing attention–aware systems, and present a general discussion focussing on the dynamic nature of attention, tasks (number, nature and variety), level of processing, nature of the display, and validity of measures. In conclusion, we emphasise the need to adopt a dynamic view of attention and suggest that attention is a more complex phenomenon than some designers may have realised; however, embracing the multi-faceted nature of attention provides a range of design opportunities yet to be explored.

16.
If you're a manager, for the most part, you can only be as capable and productive as your staff. It thus behooves you to develop skills to make your staff as capable and as productive as they can reasonably be. How do you do this? It depends to a large extent on your skills in recruiting, your artistry in motivating, and your knack in delegating.

17.
Most organizations that depend on software are pursuing more flexible architectures and more agile life-cycle processes to increase business flexibility. What does agility look like, and how do we measure it? A truly agile project or organization should experience changes that are more straightforward and more predictable. Consequently, improvements are best measured by gauging the change trends in software baselines. A well-accepted tenet of software engineering states, "The later you are in the life cycle, the more expensive things are to fix." This iron law, an artifact of a waterfall culture, should not apply if you have transformed to agile software delivery with a well-architected system. This bold assertion is the root of the metric patterns presented in this paper.

18.
Design Strategy     
《Software, IEEE》2008,25(3):14-15
Software designers and managers can find it challenging to agree on the "sweet spots" of their system that warrant their best design efforts. Most projects are short on time, budget, and resources. How can you stay ahead of the design curve, and where should you focus your design energies to gain the most leverage? The essence of strategy is that you must set limits on what you're trying to accomplish.

19.
How can you tell if an IT security product (or a product that includes security components) can secure your application? How can you be certain that a product will fully deliver on its claims that it will protect against malice in a deployed environment? Unfortunately, few vendors - and even fewer customers - can make these judgments. The article won't make you a security wizard, but it will give you a feel for what to look for in, and when to be concerned about, a vendor's claims. To ensure that a product has a chance of being secure, customers should check that vendors use adequate approaches in four primary areas. In order of importance (and maturity and availability), they are: quality-control (QC) mechanisms; cryptographic primitives; hardware assist mechanisms; and separation mechanisms.

20.
Using early multimedia art pieces often resembled reading paragraphs ripped out of Shakespeare and handed to you at random. The mistakes in plot and composition made by beginning writers and artists can find new power to convey incoherence when automated by a computer. What are the compositional issues? How about basic hypermedia structures and their aesthetic effects? What should be random, and what must be deterministic, if you wish to be more artist than noise generator? We address some of the issues based on our own experience as multimedia artists
