Tuesday, September 27, 2011

Security Expert: U.S. 'Leading Force' Behind Stuxnet [NPR]


One year ago, German cybersecurity expert Ralph Langner announced that he had found a computer worm designed to sabotage a nuclear facility in Iran. It's called Stuxnet, and it was the most sophisticated worm Langner had ever seen....

Click for full article: Security Expert: U.S. 'Leading Force' Behind Stuxnet : NPR

Saturday, September 24, 2011

Usernames Continued: Universities and FERPA

In my previous post I discussed usernames and their role in the authentication process. Systems in a university setting have similarities with those of any organization but face different regulatory requirements. Before Federated Identity Management (FIM) or Single Sign-On (SSO), many universities used the SSN or a student ID as a username to access some systems on campus. Using an ID number or personal PIN as a username was probably not a good idea, since some university departments may also have used the SSN or student ID to authenticate students, much as a password is used, when granting access to student records.


In addition, the Family Education Records Privacy Act (FERPA) helped push universities away from using confidential information such as the SSN as a student ID or username. FERPA is the federal law that protects certain pieces of student records from being made public without student consent. For example, faculty are no longer allowed to post a list of student grades attached to their SSNs, as was common in the past. But student email accounts are not protected by FERPA, as they are considered "directory information". For campuses with FIM or SSO systems the email address would likely be the same as the username and therefore also be made public. Students do have the option to make any of their "directory information" confidential if they choose.

Thursday, September 8, 2011

Are Usernames Supposed to be Private?

It is a common misperception that system usernames are always meant to be private. In most cases, usernames are not meant to be private, and I would argue that in many cases in which they are meant to be private, the people designing the access control and authentication systems may have made a mistake. A username is part of the identification and authentication process. The ID (e.g., username) is authenticated, or verified, through correct entry of at least one private piece of information, such as a password, and sometimes additional authentication factors: something the user knows (password/challenge question), has (key card/security token), or is (biometric such as a fingerprint or retina scan).
[Tip: Use a strong password.]



Think about your workplace account. Most organizations now have single sign-on (SSO) systems that allow you to log in to multiple systems with the same username and password. The username is typically the first part of the email address or the email address in its entirety. Most organizations assign an email address/username rather than allow employees to choose their own, so that a naming convention guarantees unique account names. But if you know the basic naming convention for an email address, which includes a person's name or initials, then you will likely be able to determine anyone else's email address in the same organization from that individual's name, and thus you will know the username as well.

Problems may occur if an organization allows the user to choose the username, or if the naming convention used to create a username includes some information that should remain confidential. In the past it was more common for a username to include or be one's social security number, bank account number, or student ID number. An SSN or similar identifier should not be used as a username when it may also be used in a different setting to authenticate someone, much as a password is.
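The distinction drawn in the two username posts above, as an added example (not code from the original posts): the username is a public identifier used only to look up the account, the only secret is the salted password hash, and a registration policy refuses usernames that look like confidential identifiers. The SSN pattern, the user records and the passwords are all constructed for the demo.

```python
import hashlib
import hmac
import os
import re

# Hypothetical policy rule: reject anything shaped like a U.S. SSN (with or
# without dashes). A real deployment would add its own student-ID formats.
SSN_PATTERN = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def username_allowed(username: str) -> bool:
    """A username is an identifier, not a secret: it must not double as one."""
    return SSN_PATTERN.fullmatch(username) is None


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the digest is the only secret-bearing value."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class IdentityStore:
    """Usernames are the lookup key (public); records hold only salt + hash."""

    def __init__(self):
        self._users = {}

    def register(self, username: str, password: str) -> None:
        if not username_allowed(username):
            raise ValueError("username must not be a confidential identifier")
        self._users[username] = hash_password(password)

    def authenticate(self, username: str, password: str) -> bool:
        # Identification: find the account by its public name.
        record = self._users.get(username)
        if record is None:
            return False
        # Authentication: verify the private factor with a constant-time compare.
        salt, expected = record
        _, actual = hash_password(password, salt)
        return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    store = IdentityStore()
    store.register("jsmith", "correct horse battery staple")  # constructed
    print(store.authenticate("jsmith", "correct horse battery staple"))  # True
    print(username_allowed("123-45-6789"))  # False: SSN-shaped username rejected
```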

Wednesday, April 20, 2011

Should you email your cubicle neighbor?

From ISACA CEO, Susan M. Caldwell:

I recently read some interesting rules about e-mailed communication. They were suggested by D. Mark Schumann, chair of the International Association of Business Communicators. He calls these his “three e-mail rule”:

1. You should exchange only three e-mails with anybody on a single topic. If you haven’t resolved the issue after three e-mails, you should have an actual conversation.

2. You should copy only three people on any e-mail. If you need to copy more, you should have a meeting.

3. If you are in the same office with someone and that person is less than three feet or three floors away from you, you should talk with them in person or call them. The same applies if you are not in the same office, but the person is less than three hours away from you.

---

By the way, the Information Systems Audit and Control Association (ISACA) is an excellent organization!

Tuesday, April 19, 2011

FREE MIS Textbooks for Students

Flat World Knowledge and others have ‘open education resources’ (i.e., free) for some formats of their books. The site also has a list of universities that have adopted the book. For those teaching a core Information Systems course, I encourage you to review Information Systems: A Manager’s Guide to Harnessing Technology—by John Gallaugher: http://www.flatworldknowledge.com/printed-book/227252

The benefits are the price (free for students if read online) and the availability of multiple formats for students. The book has exam/quiz supplements in Blackboard format as well as PowerPoint presentations. It may be an option to help reduce the cost of textbooks for students if the quality is reasonable. From what I can see the book is continuously being updated and the quality is good.

Pricing for Books at Flat World Knowledge:
  • Read Online - FREE
  • Hard Copy (Color) - $69
  • Hard Copy (Black & White) - $35
  • Download a PDF to Read Offline and/or Print Yourself - $25
  • Audiobook - $40
  • Ebook (Kindle, Nook, iPad) - $25

I’m not opposed to textbooks from traditional publishers, but in courses that may require multiple texts, I’m a proponent of finding inexpensive or free materials for students, at least for some of those required texts, given that they’re of similar quality and suited to the purpose of the text in the course.

Thursday, March 24, 2011

Is the CIO the highest ranking IT executive in a company?

InformationWeek generates an annual list of 500 of the "nation's most innovative IT organizations, providing a unique opportunity to understand and examine the business practices of these firms across core areas of operations, including, technology deployment, IT budgets, business-technology infrastructure, and IT strategies" (IW500 FAQs). Although the IW500 collects a great deal of benchmark data, I only took the publicly available (i.e., free) demographic information from the 2010 list and put the data in a spreadsheet.

Although the basic methodology for determining the IW500 may have weaknesses, the data still provides a useful snapshot of the current state of IT governance across industries. The variables include the organization name, industry, name of the 'highest IT executive' in the company, and the title of that executive. I did a simple text analysis of the titles to determine how many companies identified their highest IT executive as someone holding the title of Chief Information Officer. Of the 500 companies on the list, 386 (77.2%) included CIO as one of the titles of the highest ranking IT executive. Some organizations listed other C-level executives or joint titles, including CTO, CFO, VP for Information Technology, and even CEO. See the chart I created that breaks down the number of companies on the list by industry. For the 114 companies that listed someone other than a CIO as the highest ranking IT executive, it remains unclear whether those organizations have a CIO at a lower level in the company. View or download the Google Spreadsheet I created for additional data [1=Yes; 0=No].