OnlineFamily.Norton: Setting the House Rules

When it comes to children and the Internet, there is no substitute for parental supervision. It’s certainly not wrong to use parental control software, but parents must understand that software is intended to assist, not do their job for them. The problem is that many vendors don’t seem to appreciate the difference. Thanks to Norton, that’s changing with today’s launch of the OnlineFamily.Norton service.


According to Jody Gibney, Group Product Manager of OnlineFamily.Norton, many parents don’t understand what their children are doing online and only about 20% of parents with kids aged 6-18 use technology to help.

It should be no surprise to parents that kids do a lot online:

  • They consume, create, and share web content.
  • They socialize one-on-one and in groups.
  • Kids who use social media have an average of 145 online friends.
  • They often have multiple complex online identities.

It’s no surprise that parents have a hard time keeping up.

Parents also may not realize where the real dangers lie. While pedophiles have lured children across the Internet, such occurrences are very rare. Much more common is, as Jody put it, “plain kid-on-kid meanness.” Social media sites allow kids to post hurtful words, images and videos that can result in real-world embarrassment. Parents need to know what sites their kids are using and decide if and how they should monitor that use. Rather than simply prohibiting access to sites, Jody suggests that parents negotiate age-appropriate solutions with their children. For example, a teen may be allowed to use Facebook on the condition that they ‘friend’ Mom so that she can see what is being posted. If the child sets up a second Facebook account, it’s important that Mom have a way of finding out about it.


Some elements of Norton’s approach, like categorizing web sites and reporting on use, are similar to other products, but their philosophy is different. Norton’s service is designed to encourage dialog and negotiation between parents and children. For example, Norton encourages parents to log in to OnlineFamily’s web-based interface with their children and discuss the various choices and options. The selections made for each child become “house rules” and include web site categories as well as rules relating to the use of instant messaging, what times the Internet can be used, for how long, and what happens when rules are violated.

Most rules and limits can be configured as hard or soft. Hard time limits log the child out after giving a 15 minute warning, while soft time limits simply report the activity. Similarly, three options exist for web sites: monitor use but don’t block, warn the child first but let them proceed to blocked sites, or actively block access to sites that violate the house rules.

Norton’s approach, Jody explained, is to “understand intent, guide online behavior and discuss online activities.” When a web site is blocked, OnlineFamily gives the child options that include “Oops, I made a mistake! Let me go back.” and “I want to tell my parents why I tried to go to this Web site.” There is also an option to dispute the categorization of the site. When a child researching a homework assignment is prevented from accessing a site, he or she can explain why they want access, and the request is sent to the parents in real time.

I’m often concerned about the ethical implications of monitoring software and I believe that spying on family members can erode trust and damage relationships. OnlineFamily avoids that issue completely. Not only does it display a notification every time the child logs on, but the child can also click on the application’s icon and display a summary of house rules, including information on what types of activity are being monitored.


Last week I created an account on OnlineFamily.Norton.com while it was still in beta. I downloaded the program and installed it on our family computer. Then I logged into the OnlineFamily web site, added my daughter as a family member, identified which computer account she used and sent an invite to my wife giving her ‘parent’ access. Next I set the rules and explained the system to my daughter. Overall, I’m impressed. I did run into a few rough edges with the beta, but by the time you read this they will have been fixed.

OnlineFamily.Norton is the first product in this space to actively involve parents, and that makes it a winner. It officially launches today at http://Onlinefamily.Norton.com and is free until January 1, 2010. Norton hopes to receive feedback from parents and says it will consider that feedback carefully before deciding on the future pricing model.

The Future of Computing

As I watched the launch of VMware vSphere 4 on Tuesday I was torn. Part of the event was more corporate group hug than product launch, and in many ways vSphere is a logical extension of the company’s existing products. But a little voice in my head told me, “This is something big.”

Some technological leaps seem clear, especially when viewed historically. For example, we speak of moving from the mainframe to the PC – from centralized to distributed processing – as if it happened quickly.  But in fact it took years and there were several steps and stumbles before PCs replaced “dumb terminals” in numbers.

For the past ten years VMware has been developing leading-edge virtualization technology. In the early days it was primarily used by developers and geeks. Then more powerful servers appeared on the market, RAM prices plummeted, and virtualization moved into the datacenter. The business case for server consolidation can be simple: less hardware, fewer racks, and power savings.

But virtualization is quickly moving beyond simple server consolidation. VMware provides the ability to move a running computer between physical boxes without any downtime. A new feature allows a running “computer” to execute simultaneously in lockstep on two different physical machines — if one fails, the other simply takes over. Security products will defend each virtual machine against attacks. And this will all work with existing operating systems and applications.

This year VMware is bringing true cloud computing to the enterprise, and with it comes the ability to implement highly available systems and solid disaster recovery. We’re about to witness the next major jump in computing technology. Hold on tight, it’s going to be an exciting ride!

Internet Security and Web Apps

Last week Symantec released their 2008 Internet Security Threat Report (ISTR).  The report provides an analysis of worldwide Internet threat activity, vulnerabilities, malicious code, phishing, spam and activity on underground economy servers.

The ISTR contains a lot of interesting information and I’d encourage you to read it — I’m certainly not going to repeat all the findings here.  But if you’re an average Internet user wondering what’s going on, here is my greatly oversimplified summary:

Criminal activity on the Internet continues to increase.  Criminals are targeting your personal information, especially your credit cards and logins to your financial institution. They’re doing so mostly by compromising the web sites you visit and installing nasty stuff that downloads to your computer.

There are a lot of things you could do to protect yourself. But the real question isn’t what you could do, it’s what you should do. Here are my top five recommendations:

  1. Ensure your anti-virus software is up-to-date. If you don’t have an AV package, get one: AVG, BitDefender, Kaspersky, McAfee, Nod32, or Norton/Symantec (in alphabetical order, if you’re wondering).
  2. Update your operating system and unless you have a very good reason not to, set it to update automatically.  A lot of systems are being compromised even though a fix was issued more than 6 months ago.
  3. Back up data you don’t want to live without. Use removable media (CD, DVD, USB Flash drive, USB Hard drive) or an automatic Internet backup service like Carbonite.
  4. Avoid the darker side of the Internet like gambling, porn, pirated software, illegally distributed movies, etc. They’re a haven for malware.
  5. Don’t let your kids play on your work computer.

The vast majority of intrusions into personal computers are preventable.  Following these five simple recommendations dramatically reduces your risks.

For business readers, here’s an excerpt from the ISTR:

“Web-based attacks are now the primary vector for malicious activity over the Internet. The continued growth of the Internet and the number of people increasingly using it for an extensive array of activities presents attackers with a growing range of targets as well as various means to launch malicious activity. Within this activity, Symantec has noted that most Web-based attacks are launched against users who visit legitimate websites that have been compromised by attackers in order to serve malicious content. Some of the common techniques used by attackers to compromise a website include exploiting a vulnerable Web application running on the server (by attacking through improperly secured input fields), or exploiting some vulnerability present in the underlying host operating system.”

Sixty-three percent of vulnerabilities documented by Symantec in 2008 affected Web applications. The message to web application developers is clear: Many of you are not paying sufficient attention to security. As a profession, you are failing your customers.

I realize that’s a harsh statement and that in many cases web developers are responding to downward pressures on price and unrealistically short development timeframes.  But as a profession it’s time to step up to the security challenge and start designing web applications that resist and even tolerate some intrusions while still protecting sensitive information and users. Those users, after all, are your customer’s customers.

We must start paying more attention to security throughout the software development lifecycle.  That includes ensuring security requirements are identified along with other functional requirements for new applications.  In fact one of the problems is that we still consider security requirements somehow separate from ‘functional’ or ‘business’ requirements.  They’re not.

Perhaps this is one space where the open source community could play an important role. Most web applications have common requirements like user account maintenance, authentication, privilege management, session control and input validation. Yet every application developer seems to create their own, and many make the same mistakes. Perhaps it is time for an open web application framework that handles these critical functions…and does it right.

Radian6: Monitoring Social Media

The explosive growth of social media is changing how companies interact with customers.  Those that understand social media know that what is being said about them online can have a huge impact on their bottom line.

There are a number of ways to monitor a brand online. Some free services will monitor search engines for mention of specific keywords and other medium-specific tools can be used to monitor media like Twitter. But when I asked the pros what they use, the name Radian6 came up — over and over again.

Radian6, founded in 2007, is based in Fredericton, New Brunswick and has 45 full-time employees. Amber Naslund, the firm’s Director of Community, explained,

“Radian6 provides the social media monitoring platform for marketing, communications and customer support professionals. The company’s flexible dashboard enables monitoring all forms of social media with results appearing in real-time as discovered. Various analysis widgets give users the ability to uncover the top influencers as well as which conversations are having an impact online.

Radian6 gathers real-time-as-discovered information from across the social web, including blogs, video sharing sites, boards and forums including LinkedIn Answers, and emerging media such as FriendFeed and Twitter.”

After a brief online training session that Radian6 provides to all new customers, I logged in to their slick web application and began to enter some keywords I wanted to track.  And that’s where the similarity with free tools ended.  Radian6 provides powerful tools to drill down in results and analyze them. For example, I could quickly sort hits based upon the level of engagement (measured by comments) or inbound links.

While savvy companies will obviously want to read everything written about their products, it is often necessary to prioritize.  Radian6 not only finds relevant information and conversations, but they also provide the tools needed to analyze and prioritize.

While monitoring their brand is an obvious priority for Radian6’s 300+ customers, I can imagine many other uses. For example, by choosing the right keywords and leveraging Radian6’s powerful widgets, I was able to identify and begin to track key influencers on specific subjects. A similar approach could also be used to track competitors, business partners or a key industry.

It didn’t take long to understand why PR pros pointed me to Radian6. Behind their advanced software is a team that not only understands and embraces social media, but also ‘gets’ customer service. When I needed help, one Tweet and Amber had me sorted out in a matter of minutes. It doesn’t get better than that.

Data Loss Prevention

[This article originally appeared in MONiTOR Magazine]

Protecting sensitive information gets more difficult every day, and it shows. We hear about major security breaches on a weekly – sometimes even daily – basis. There are several reasons:

  • Corporate perimeters are disappearing due to information sharing requirements and an increasingly mobile workforce;
  • To remain competitive, applications are often rushed to the market without adequate security design and testing;
  • More data is in motion, both inside and outside corporations, on a variety of mediums; and,
  • Employees often receive little security awareness and training.

Every company should be conducting risk assessments, vulnerability assessments and security awareness training. But a significant contribution to the problem is that most of the security controls we have traditionally used focus on protecting networks and computers instead of data.

The assumption, of course, is that by protecting the server, you protect the data on it, and that remains an important concept in a layered security architecture. But what about protecting the information asset more directly?

Corporate and government information is subject to all sorts of threats. And while we tend to focus on espionage and the theft of financial information, a lot of information leakage is unintentional. For example, employees often email confidential information because it’s convenient, without realizing that it is highly vulnerable to interception while in transit. It’s also easy to accidentally send email to the wrong person, as many of us have embarrassingly found out. Sometimes issues result from what I call the “intentional unintentional”. For example, an employee who can’t send a .zip file attachment due to corporate rules might log into a webmail account and send it from there. While the employee knew that they were breaking corporate policy, their intent was just to get their job done, not to create a security incident.

Some organizations have reacted to the data leakage risk by implementing draconian ‘security’ measures like physically disabling USB ports and using web filtering technologies to prevent employees from accessing webmail accounts, social media sites, and other resources deemed “not employment related”. While these measures can sometimes help, overkill is not without cost, including impact on employee morale and retention. Perhaps I’m a security rebel, but I suggest that my clients consider encouraging employees to use webmail accounts for personal email and reserve their corporate email account for company business. This reduces risks such as embarrassment due to employees writing controversial emails, makes it clear when the employee is speaking for the organization and when they are not, and reduces the amount of personal information on company servers and in archives.

But enough on the problem. What’s the solution?

Data Loss Prevention (DLP) is the next big thing in information security. DLP is a discipline to reduce information leakage by discovering, monitoring and protecting sensitive information assets. DLP products are both content and context sensitive — a new level of sophistication for security products.

DLP products use different terminology, but it’s easiest to understand them by thinking of a toolbox rather than a single tool. Most vendors offer a central point of administration, and those who don’t are in the process of integration. The other tools have specific purposes. Discovery modules scan file shares, databases, web servers and other repositories for information that shouldn’t be there. Based upon the policy configuration, they may generate alerts, reports or automatically move information to a secured location, leaving behind a ‘breadcrumb’ to tell users what has been done.

Monitoring modules work at the host or network level. A sniffer approach is often used to monitor network traffic at the organizational perimeter to detect sensitive information leaving the organization. Endpoint agents (installed on user laptops and workstations) can also provide passive monitoring. It’s important to note that this is very different from the “spyware” type of monitoring that I’ll be discussing next month. The purpose of these modules is to detect and monitor the movement of sensitive information assets, not the user’s overall activity on the system.

Last, but not least, are modules that provide active protection. In some cases, such as the endpoint, the difference between monitoring and protection may simply be a matter of configuration. In network applications, protection agents are placed inline. For example, outbound email can be inspected and automatically routed to an encryption gateway or bounced as dictated by policy.

But there is much more to the discipline of DLP. Successfully using DLP tools in the corporate environment requires vision, strategic implementation and integration with other security program fundamentals. To begin, one has to be able to define sensitive information in order to detect it. If the organization already has a good classification policy in place it may need to be refined. If not, that’s a good starting point.

DLP tools can then be used to identify areas of concern. For example, a data loss assessment at the corporate perimeter can be used to quantify the organization’s leakage onto the Internet. Scanners can rapidly detect credit card numbers in documents on file shares. And endpoint agents can be used to monitor sensitive parts of the organization.

Once the magnitude and location of the data leakage problems are identified, an appropriate business case can be developed and DLP tools deployed where a sufficient business justification exists. I usually recommend a period of passive monitoring to fine-tune rules prior to implementing active protection. This reduces the likelihood of business interruption due to false positives. In addition to rules, some DLP products can also fingerprint both structured and unstructured data known to be sensitive so that it can be recognized in the future. Using these features requires careful planning so that the DLP deployment itself does not create vulnerability.

I’ve often said that security awareness is the best security investment an organization can make, and it’s noteworthy that DLP vendors seem to understand the value of education as well as the need to minimize operational overhead. Products on the market today have feature sets that facilitate automated remediation and user education. For example, we can write DLP rules to automatically notify the user if they have breached (or are attempting to breach) the organization’s policy.

For example, when a user attempts to email a file containing personal information, a DLP endpoint agent could pop up a box to warn the user and ask why they are trying to send the file. This not only educates the user, it also gathers important information for DLP administrators. At the network perimeter, a DLP sensor could detect that a user has included one social insurance number in an email, bounce it back to the user with an explanation, notify the user’s manager and close the incident. On the other hand, if the email included an attachment with many social insurance numbers, the email could be quarantined and an incident opened with the information security team.
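To make the perimeter policy above concrete, here is an added example of a toy DLP email sensor (my own illustration, not the code of any DLP vendor or product). It detects social insurance numbers and, as the file-share scanners mentioned earlier do, credit card numbers, using the Luhn check both formats share, and applies the one-versus-many rule; the passive-monitoring mode discussed above is the `enforce=False` path. The "many" threshold, the regular expressions and the sample messages are my assumptions.

```python
"""Toy DLP email sensor (added example, not a vendor's code)."""
import re

# Candidate formats (assumptions): a SIN is 9 digits, optionally grouped
# 3-3-3; a card number is 13-16 plain digits or four groups of four.
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
CARD_RE = re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b|\b\d{13,16}\b")


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check, used by both Canadian SINs and payment cards.
    It rejects most random digit strings, cutting false positives."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(number: str) -> str:
    """Never copy the full identifier into alerts or logs; keep 3 digits."""
    return "*" * (len(number) - 3) + number[-3:]


def digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_identifiers(text: str) -> dict:
    """Return masked, Luhn-valid SINs and card numbers found in text."""
    cards = [m.group() for m in CARD_RE.finditer(text)]
    # Blank out card spans first so a 16-digit card is not re-read as SINs.
    stripped = CARD_RE.sub(lambda m: " " * len(m.group()), text)
    sins = [m.group() for m in SIN_RE.finditer(stripped)]
    return {
        "sin": [mask(digits_only(s)) for s in sins if luhn_ok(digits_only(s))],
        "card": [mask(digits_only(c)) for c in cards if luhn_ok(digits_only(c))],
    }


def evaluate(message: str, enforce: bool = True, bulk_threshold: int = 5) -> dict:
    """Decide what the sensor does with one outbound message.

    enforce=False is the passive-monitoring period: findings are logged
    but nothing is bounced or quarantined, so rules can be tuned first.
    bulk_threshold (assumed value) is where 'one' becomes 'many'.
    """
    found = find_identifiers(message)
    count = len(found["sin"]) + len(found["card"])
    if count == 0:
        actions = ["deliver"]
    elif not enforce:
        actions = ["deliver", "log_finding"]
    elif count < bulk_threshold:
        actions = ["bounce_with_explanation", "notify_manager", "close_incident"]
    else:
        actions = ["quarantine", "open_incident"]
    return {"count": count, "findings": found, "actions": actions}


# Constructed sample messages (not real data; the SINs are Luhn-valid test values).
ONE_SIN = "Hi, my SIN is 046 454 286 for the new-hire form. Call me at 506 555 0199."
BULK = "\n".join(f"employee{i}, SIN {s}" for i, s in enumerate(
    ["046-454-286", "130 692 544", "123456782", "046454286", "130-692-544"]))
CARD = "Card on file: 4111 1111 1111 1111, please update."
```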

The DLP discipline offers us new tools to directly address serious issues that corporations and governments face today. By combining them with other sound security fundamentals, we can significantly reduce risks related to data leakage.
