Small Business Defense – Patch Management and Defense in Depth
- At February 19, 2009
- By Josh More
- In Business Security
If you recall from yesterday, you’re in a lot of trouble. You have all these patches coming at you, and you have to apply them quickly but make sure that they don’t break anything. This isn’t easy, but what follows is a simple list of things to check. It’s far from complete, but if you’re not managing your patches already, it’s a step in the right direction.
Do you really need that patch?
Remember that patches fix specific problems in specific pieces of software. You can dramatically simplify the situation by reducing the software that is installed. If you don’t use instant messaging in your business, there’s no reason to have it installed. The same goes for various games and peer-to-peer applications. Depending on what you do, it may also apply to development tools and office applications. Remember, if it’s not there to be exploited, it can’t be exploited.
Is there another option?
Many patches cover specific attack vectors. For example, different applications often listen for connections on specific ports. Sadly, many of them are installed in such a way that they accept connections from anyone who wants to connect. Thus, if you have a payroll application that listens on port 11235 (eureka) but only needs to be accessed by the CFO, you can lock connections down so that only the CFO can use it. If you do that (and the CFO’s PC is secure), you might be able to get away with excluding or delaying the patch.
Also, many applications run at a higher user level than is necessary. Some people may have administrator rights to their own systems. They may even need them to install software and do their daily jobs. However, do they need them to use Internet Explorer when they connect to Facebook? Probably not. Using a tool like Drop My Rights, or avoiding IE altogether and using Firefox, would mitigate this problem.
Test Quickly
Despite my issues with virtualization, it is a useful technology. If you have a full virtual infrastructure, you can quickly copy a machine, apply a patch, and run a suite of automated tests to see if it works OK. If you’re a bit of a risk taker, you can even flip this around and apply the patch as soon as it becomes available, and simply make a copy of the machine beforehand in case it does cause problems. That way, you’re protected as quickly as possible.
Deploy Everywhere
Remember, a piece of software should be easily accessed by those that need it, and impossible to access by those that don’t. It’s a bit like your bed. You need to sleep in it. Depending on your living situation, others may need to sleep in it as well. Thus, you need doors so you can get into your house (where you presumably keep your bed). However, you don’t want random people coming in off the street and sleeping in your bed. That’s why you put locks on the doors.
If you only apply your patches on some of your servers, it’s like only locking your front door but leaving your back door hanging open. Eventually, you’ll stumble home exhausted from your day, and find a group of strangers in your bed.
Conclusion
You have to realize that patching is essential, but isn’t enough. You can apply hardening techniques like those above and antimalware techniques like HIPS, as mentioned earlier. You can lock down your network and user rights. There are a lot of other things that you can do as well. However, you have to apply the patches.
There are technologies that can be used to keep things up to date. There are technologies that can be used to automatically test your patches. There are technologies that can help you determine if a particular patch is needed. However, before any of these can be successful, you have to commit to the reality that patches have to be applied as soon as possible, and accept that you are placing your business at risk if you do not.
Small Business Attack – Vulnerabilities and Exploits
- At February 18, 2009
- By Josh More
- In Business Security
So, by now, I am assuming that everyone around knows the importance of patching their systems when patches come out. However, the reasons behind the practice aren’t often clear. It gets a bit complex, because a patch can be intended to solve a problem or add a feature. It gets more complex because there are different sorts of problems, only some of which are security related. For the purpose of this post, a “patch” is a small release that is intended to correct a security problem in a piece of software.
So, when these come out, there is generally a known problem in the software. Since it can allow an attacker to do something bad (to the system, the application or the data, generally), it’s known as a “vulnerability”. You’ll hear those of us in the industry natter on far longer than is polite about the different ways to classify these vulnerabilities and which ones are “real” and which ones aren’t.
Really, we’re part of the problem. See, within the security industry, there is a small and vocal minority that thinks that patching is stupid, and that systems should be designed securely to begin with. Secure systems should only need a patch to add new functionality, and never need one to correct a security problem. They say that people shouldn’t patch at all, and instead should hold software vendors accountable so that their software is designed securely in the first place. If we don’t, we’ll never get secure software.
These people are absolutely correct, and utterly wrong at the same time.
Developing secure software is very hard. It requires that all developers understand security and have enough experience to make the proper design decisions, and that project managers will support them when correcting problems causes a release date to slip. It means lots and lots of testing. It means better tools and much longer release cycles.
In the end, it means very slow and very expensive software. The market doesn’t want that. Thus, we have patches.
There is a large and mostly silent majority in the security industry that simply applies patches every time they become available. They wait for the patches to be released, put them into their test systems and start running tests against them. They often deploy the patches to production on the weekend following the update. Thus, patches are often applied five to twelve days after they are released and cause a minimum of interruption to operations.
These people are absolutely correct, and utterly wrong at the same time.
Patches fix problems, and as we all know, problems come in different flavours and severities. If you treat every problem the same way, you are giving some problems too much attention and, worse, some far too little. This gets us to exploits.
The attackers have tools too. There are tools that scan your systems looking for problems. There are tools that automatically try to take over your system when problems are found. There are tools that cover their traces. These tools are updated too… with patches.
Specifically, when a patch comes out that addresses a security problem, attackers start looking at what the patch fixes, and add functionality to their tools that detects the problem and exploits it with ease. The more urgent the patch (the more severe the problem), the more quickly they work to update their tools.
This puts you, the business owner, in an interesting position:
- You can’t not patch, as that would leave your business vulnerable.
- You can’t wait too long to patch, as the attackers would slip in, take over, and cover their tracks.
- You can’t patch too quickly, as that could cause problems in operations.
What are you going to do about it?
Site Review – Scribd
- At February 13, 2009
- By Josh More
- In Business Security
Scribd isn’t as well known as many other sites, but what it does, it does quite well. Simply put, it’s a way to share documents via the web. The documents can be in various formats, and the site automatically converts them for you. Once you’ve uploaded a document, you then get the ability to embed it in different sites and download it in different formats. It’s a nice and easy way to share documents.
Pros:
- Easy to use
- Free
- Shifts the bandwidth for hosting large files to someone else
Cons:
- Requires Flash and therefore may not work well on all platforms (there have been problems with Linux in the past)
- It’s weak on the social networking
- Only two levels of document security: “public” and “private”
- Search doesn’t allow you to search by licensing
The same caveats about security apply to this site as others. In short, you have no way to guarantee that people will use your documents according to the license terms you set, and you have no guarantee that others have the rights to upload the documents that they do. So, be careful building a business model around this site.
However, like many other “Web 2.0” sites, the ease of use of this system makes up for some of the legal ambiguity. Moreover, since it doesn’t support many of the social networking features (pretty much just comments), there’s little risk of social engineering here. In fact, the biggest risks would be getting malware from downloading the original and trusting information that you shouldn’t.
Malware
The way that Scribd works, you upload a document and they automatically convert it into other formats. It is highly unlikely that malicious applications would survive an automated conversion between formats, but if you download the original, you might be at risk. You can avoid that one pretty easily by just viewing the document in the built-in viewer.
Trusting Information
This one is a risk pretty much all over the Internet, but it can be a bit trickier here. For those in the security field, consider this as a variant of cross site scripting. For those who don’t know what I’m talking about, just bear with me.
See, it’s very easy to make an account. You pick your name, you build your profile, you upload your docs. It would be very easy, for example, for an attacker to pick a moderately known public company and create an account for them. Then, they’d pull down the latest SEC documents and press releases and upload them to the site. Then, they would simply need to fabricate a press release or similar document that would indicate a change in stock price. Once that’s there, the easy sharing nature of Scribd becomes its weakness, as it would be trivial for the attacker to post a link to the document and embed it in a different context (be it an email or on a website somewhere).
With this sort of attack, the target is duped into believing the information is accurate and then provoked into a predictable response (often, a “buy stock” or “give me your credit card” response). It would be important to verify any information before acting, especially if it’s marked as “urgent”. The Internet allows us to share vast amounts of data very quickly. This puts social pressure on us to react similarly quickly, and that is exactly what an attacker relies upon.
Conclusion
I use Scribd, albeit not a lot. I think it fills a need, but my content is increasingly in non-document forms, so Scribd doesn’t really apply much. If you are still writing for the print format, but want to share that work via the Internet, Scribd is a great tool. Get an account and become familiar with the system so you can recognize when it is used outside of the main site.
As always, view all emotionally charged content as suspect and verify it before you act.
Small Business Defense – Antimalware
- At February 12, 2009
- By Josh More
- In Business Security
As many have noted before me, antivirus is dead. However, let’s clarify a few things.
First of all, you are more likely to get hit with a virus if you don’t have antivirus than if you do, so it’s not exactly useless. Second, you can get antivirus systems for free (Windows version here) so there’s no economic reason not to run one. However, if you go into the process thinking that if you install an antivirus system, you’re done, then you’re making a mistake. Antivirus may not be dead, but your system will be.
See, the way that antivirus works is by maintaining a set of signatures, or unique identifiers for a piece of malware. This worked well enough twenty years ago, but these days, the people that write malware are pretty good at making each one have a unique signature. So, these things can change and morph faster than you can keep up. However, you’ve got to do something, right? What are your options?
Ignore The Problem
My mother used to tell me that if I ignored the mean kids, they’d stop teasing me. She was wrong. In the same way, ignoring this problem will not make it go away. Instead, it will likely create a situation where your systems get infected and then spread that infection to your customers and partners. I hope that we can agree that this is no solution.
Host-Based Intrusion Prevention
Many of the traditional antivirus vendors have started rolling host-based intrusion prevention systems (HIPS) into their products. These systems shift the problem from scanning the entire system to looking at what actually runs. These systems can detect common security flaws and prevent malware from accessing them. With some vendors, they are combined with application blacklisting, so you can use the same system to prevent employees from running games or installing browser plugins.
Perimeter Control
In the past, we’ve used a firewall to prevent access to internal systems. Some people are trying to extend this idea by pushing extra capabilities onto these network devices. The logic is that if you control where your people can go (web filtering) and what can come to them (email filtering), you can block malware at the edge of your network. It’s a nice theory, but given that you also would have to deal with USB drives, MP3 players, CD/DVDs, wireless networks, etc., I have my doubts that this technique will be effective.
Application Whitelisting
As many people do, once they’re told that something’s not working, they go to the opposite extreme. In this case, instead of building a blacklist of “bad” applications, they try to identify some known “good” applications and only allow those to run. While I’m not a fan of extremism, it seems to be working in this case. Bit9 seems to be the current leader in this space, but it’s only a matter of time before there are others. The one caution here is in relying on only this technique, as if anyone uncovers a flaw in the technology that prevents the non-whitelisted applications from launching, they can then launch anything they want. Also note that, depending on your organization, it might take a long time to define the “good” applications.
Loss Detection
One thing I recommend is to recognize that your system will probably get compromised eventually, no matter what you do. If you implement a system that can identify your important data and let you know when it detects it somewhere where it’s not supposed to be, you can at least know that there’s a problem. Small comfort, I know, but it’s better than not knowing, right?
Combination
Every organization will have a different set of needs and will need a different solution. However, there are a large number of businesses out there that would likely benefit from the following type of solution:
- Application Identification – Take the time to identify which applications are required for business.
- System Imaging – Build a standard “image” of all applications that a system should have and deploy to all computers.
- Application Whitelisting – Install a product like Bit9 (there are others) to prevent anything non-approved from running.
- Antivirus – Install a product like ClamAV (free) or Sophos (pay) to serve as an additional layer of defense… especially if you have laptops.
- Document Repository – Use a centralized document repository to keep all of your documents and log who accesses them when.
- Operations: Applications – On a regular basis (monthly is good) patch all applications in your image, update the application whitelist and push the changes out to all systems.
- Operations: Data – On a regular basis (monthly is good, quarterly is acceptable, yearly is not), review the access logs on your repository and make sure that things are reasonable.
There is a lot more that you can do, and if you have servers, a lot more that you should do, but as you’re likely not doing the above yet, hopefully this gives you a good place to start.
Small Business Attack – Malware
- At February 11, 2009
- By Josh More
- In Business Security
It’s interesting how business awareness lags actual security threats. I was having a conversation recently with someone who said something like “yeah, we get hit by a virus about once a month, but we clean it up and keep going”. This took me aback as I realized that there are a significant number of people out there that don’t view malware seriously.
This is our fault. For years, we’ve been classifying threats and discussing their differences instead of focusing on their similarities. If you’ve touched any IT in the last decade, you’ll recognize the following list of words: virus, worm, trojan, spyware, adware, malware. You’ve probably been told that your antivirus application will take care of it, so you run it and get on with your life. Well, I’m sorry to break it to you, but you’ve been lied to.
We’re at the end of what antivirus can do. We’ve also reached the point where malware (malicious programs) has moved from being annoying to being evil.
Back in the day, malware would spread from system to system and slow things down. Sometimes, they’d delete files. That was then.
Today, people are using these systems to create what are known as bot armies. Once they take over your computer and add it to their armies, they can do anything they like to your computer. Like what?
- Conduct attacks on other networks
- Store illegal materials (often child pornography) on your computer
- Crack passwords
- Steal banking data
- Harvest all proprietary data (trade secrets, tax information, business plans, source code) from your network
- Harvest client data (credit card numbers, social security numbers) from your network
Basically, if you get infected with malware, the attackers can get anything they want from you. Any file you have, any site you browse to, any email you send or receive. It’s all theirs.
It’s more than a nuisance. What are you doing about it?
Site Review – Flickr
- At February 06, 2009
- By Josh More
- In Business Security
For those that don’t know (you know, those of you who have been under a rock for the last few years), Flickr is a photo sharing site. It has numerous social media features which make it very easy to post your content, add it to groups, discuss it with others, etc. It supports all types of cameras as well as files from applications like PhotoShop and PaintShop Pro. They recently added the ability to share movies.
In short, it’s great. I use it all the time.
But, like all systems, especially in the fancy 2.0 world, there is a risk assessment that you should consider.
Pros:
- Easy to use
- Free to low cost
- Active community with which to interact
Cons:
- Who owns your content?
- How can you use others’ content?
- How can others use your content?
- How is your content backed up?
- Are you at risk from social engineering?
Please note that copyright is a complicated thing and well outside of the scope of this blog. For real questions, please see a lawyer. However, I’ll be glad to answer my own fake questions, after all, it’s my blog, right?
Who owns your content?
Well, you do, of course. You made it, it’s yours. Yahoo even agrees. Oh, wait a minute. The Terms of Service state:
Yahoo! Inc. (“Yahoo!”) welcomes you. Yahoo! provides the Yahoo! Services (defined below) to you subject to the following Terms of Service (“TOS”), which may be updated by us from time to time without notice to you.
So maybe it would be more accurate to state that “you own your content right now”. Not exactly ringing with assurance, but it’s the best we can do.
How can you use others’ content?
Oh, this one is easy! Each photo is marked as “All rights reserved” (meaning you can’t use it) or “Some rights reserved” (meaning, umm, maybe). Flickr uses the Creative Commons licenses to allow people to license their photos as they wish. Luckily, they also provide an advanced search so you can find photos that you can use and alter for commercial use.
Of course, there’s nothing preventing a user from posting a photo that you can re-use and then changing the licensing AFTER you’ve used it. Any idea how you could prove that it used to be licensed differently? I sure don’t know.
Also, what happens if a photo is licensed so that you can use it but the person in the photo never signed a release? Is it usable? Can you be sure?
How can others use your content?
OK, this one should be easy, right? After all, you upload your photos and you set a license and you’re done. Flickr does all the magic to make sure that people only use your photos the way you want, right?
Well, not exactly. See, if you license your photo under any of the Creative Commons options, the original image is available to everyone. In other words, they have to voluntarily agree to abide by the license. If they don’t, you have to deal with that yourself. Are you able to monitor all the images on the Internet to make sure that yours are being used according to your wishes? I know that I’m not.
How is your content backed up?
This really isn’t known. There’s no mention of backups in the terms of service, and there has been at least one high-profile issue involving backups. In general, they should be safe, but you might want to consider other options. Or, you know, just keep a copy of whatever you upload to them.
Are you at risk from social engineering?
Finally, one that can be answered definitively. Yes. You are always at risk of social engineering. The more interesting question is “How are you at risk from social engineering?”
Flickr allows you to post photos. Odds are that these photos will be of people you know and places you’ve been. You can tag these photos by location, put people’s names into them and otherwise release loads of information for the savvy social engineer. They can take this information and use it to develop friend and family graphs and identify themselves to you or one of your friends as someone who seems trustworthy, but isn’t.
Conclusion
Wow, that’s a lot of negatives. Does that mean that you shouldn’t use Flickr?
Well, that’s a decision that you have to make on your own. In case it helps you, this is the decision that I made:
I choose to use Flickr because I like the community and because I want others to use my photos. With the exception of people that have not signed a release, all of my photos are licensed under Creative Commons to allow re-use, but only for non-commercial use and if I am credited. Also, since a great many of my photos are taken at zoos, I allow zoos to use my photos for free, even for commercial use, so long as they ask politely.
In short, I do not make much of a living directly off of my photos (though I’m working on some projects at the moment that may change that). Rather than expend my energies pursuing and defending misuse, I choose to trust the majority of people to do the right thing. I do, however, keep the originals on my systems and am prepared to defend my rights, should I become aware of a violation.
I do NOT use anyone else’s photos for a commercial purpose without their permission. I do not consider accent and illustrative photos in this blog to be commercial use (as I make no money off this site), so I may use someone’s photo here or there. However, I am very easy to get hold of, and if anyone asks me to take down one of their photos, I’m easy to work with.
So yeah, it’s not exactly straightforward, but to me, it’s worth the risk.
Small Business Defense – Document Leakage
- At February 05, 2009
- By Josh More
- In Business Security
If my last post raised any questions for you, this post will hopefully answer some of them. As with many security topics, the issue is complex and this post will NOT give you all the answers. Hopefully, though, it will help.
The first thing to look at is access. In order for an attacker to get your data, they have to get on your network and somehow access the documents. The more places that you keep your documents, the easier this is for an attacker to do. If you put all your documents in a single place and prevent anyone from saving them anywhere else, you’ll be a bit better off. (Odds are you won’t be able to keep them off your network, just so you know.)
However, this will also make a nice place for an attacker to target, so you should control this storage location. At a minimum, you should control access to the document repository by username and password. If you can, it would be good to split up access levels within the repository so that the documents are grouped by type and only people with the business need to access those documents have the ability to do so.
Do not rely on the built-in password protection of the documents themselves. They can be broken. (Also, please note, running random software off the Internet is unwise. It may not work, it may do things other than what you expect, it may give an attacker the very files you are trying to protect.)
If you are somewhat technical or have a technical consultant helping you, you may want to implement an encryption mechanism to protect your documents. This is highly complex and hard to do right, but it can help more than almost anything else you can do.
Once your documents are all in one place and reasonably protected, stop and think about what to do if someone does access and misuse the document. Are all of your sensitive documents clearly marked? Are you certain that the law will protect you if they’re not? (Sometimes it doesn’t.) Would marking the documents as “sensitive”, “secret” or “proprietary” just give attackers something to search for?
Hmm, what an interesting problem.
What many companies choose to do is to classify information based on its security level. There are different ways to do this, but all of them start with the question “what’s the most important and/or damaging information?” Once you can group your documents by risk, you stand a chance of protecting them. Then you can write a document classification policy and start looking at tools to implement it technologically. These steps are beyond the scope of this post, but your legal and technological contacts can help you with that.
Lastly, I should mention that the easiest data to protect is data that isn’t there anymore. You might want to read Brett Trout’s post on document retention policies.
Small Business Attack – Type of Data: Office Documents
- At February 04, 2009
- By Josh More
- In Business Security
How many of you use Microsoft Office? OpenOffice.org? KOffice? AbiWord?
I’ll bet you’re all raising your hands right now, right? Well, put them down; you’ll want to hit scroll at some point.
What do you know about these files? Did you know that many of these files track changes? In other words, if you redact certain things or change data, a clever attacker can open the file and revert it to what it used to be? It happens.
Do you know what kind of data is stored in these documents? Financial data? Email addresses? Trade secrets? Passwords?
(The above links go to Google searches. There is no guarantee what Google may find when you search on certain things. If you access information that you shouldn’t, saying “but it was on Google” may not be a good defense. Remember rule number one of security is don’t be stupid.)
If someone wanted data from your company, where would they go to get it? Is there any one thing (say, a spreadsheet perhaps) or location (hmm, shared drive) that might be particularly tempting to an attacker?
If you get a virus or spyware infection on your computer, might the person who wrote it be able to access all the documents that you can access?
How are you protecting your files?
Grinnell and Giving Followup
- At December 28, 2008
- By Josh More
- In Business Security
About a month ago, I made a post calling out to former Grinnell students to stand with me to get some changes made.
Well, while that post was one of my most widely read, no one stood with me. I somewhat expected this. Also, Grinnell isn’t making any reactive changes. I also expected this.
What I did not expect, however, was to receive a phone call from Jim Hess, the Director of Alumni Relations at Grinnell College. We had a good talk and followed this up by meeting in person and talking for a few hours. I also talked with Dan McCue, the Assistant Director of Alumni Relations. Dan was kind enough to send me the following (links changed to be made clickable):
Josh,
Thanks for stopping by the office last week. I wanted to share some sites that detail the issues you addressed:
1. Admission to Grinnell is need blind and financial aid has been increasing as necessary already. (A brief explanation can be found on the Admission website: here.) We have already limited loan within need to $2K per year. (Details available from the Office of Financial Aid: here.) This change was instituted this past winter, prior to the current economic downturn: here. An article also appeared in the Spring 2008 issue of The Grinnell Magazine.
2. We have many post-grad fellows, but we’re not a grad school. Information about post-grad fellowships is online at the Office of Social Commitment: here. Grinnell also funds the Grinnell Corps program: here.
3. The senior opportunity scholarship buys-down debt of deserving seniors. Visit here for more information.
4. Our pay-grades are $7.25, $7.50, $8.25, and $8.85 – dining is $8.25 and they have job openings.
5. The Career Development Office continues to work with any alumni who call. CDO can assist alumni with resume critiques, interviewing tips and share job search resources. Visit here for more information.
So, in considering my challenge from earlier:
1) Either discount tuition for the Senior year (to keep them in school) or institute a tuition freeze for all current students (i.e., no tuition hikes for current students).
This was not done, but I had been previously unaware of the senior opportunity scholarship. I think that this partly counts, so I’m going to award them a half point. I also had the $2k debt limit explained to me. The college really prefers this to be called a $2k loan limit, but I must admit that when I first heard this term, I had thought that they were lowering financial aid, not raising it. What it really means is that, at the end of a student’s four years, they should be left with no more than $8000 personal debt, which I think is a very reasonable way to manage the situation. They get the other half point for this.
2) Boost the number of on-campus student jobs by at least 30, and 3) Raise the entry-level wage for student jobs by at least $1.00/hr
Since there are openings that are not being taken, and they are at a comparable rate, I’m going to call these “close enough”. I still think that Grinnell should create some more jobs, especially since there are worthwhile projects out there that would help both the students and the school, but if current students aren’t taking the current job openings, there must not be sufficient need to push this.
4) Offer free classes to alumni on getting a new job, covering interview, and resume techniques. Ideally, these classes will be available online so that non-local alumni can attend them.
I’ve long heard that the CDO will work with any alumni who call. However, I view this as a far cry from actually providing classes. Classes are about education and learning and are strategic in nature. The method currently offered by the CDO is reactive and tactical in nature. I’d still like to see a program around helping people target new opportunities, craft a marketing plan for themselves and pursue the opportunity. The days of simply sending out resumes and interviewing on chance are over, so I do not perceive this as taking a leading position. (If you’re with the CDO and wish to disagree with me, comment here or give me a call.)
So, no points there.
In the end, it looks like Grinnell got 3 points, or $300. Dominican University therefore gets $100. In any case, I’m out $400.
But, you know what I got for that $400? I got an amazing first-hand look at branding and marketing.
Now, I am sure that I am biased, but I have known about Grinnell for many years, as have many of the people I’ve talked to since I’ve graduated. In contrast, the response that I got from friends and associates when I mentioned Dominican University was a universal “where’s what? / who are they?” It seems that Grinnell has done a good job of branding. Seemingly (at least in my area) a better job than Dominican University.
However, and this is the very interesting bit, I got a very fast reply from Dominican within the same medium as my message. I got a contact from Grinnell that was effectively out-of-band. I had no idea what Grinnell had been up to before I was contacted, but I found out what Dominican was doing almost the same day they did it, without my altering my daily routine at all. In short, Dominican is embracing social media and Grinnell is not (I have been informed that this will be changing soon). So, while Grinnell has a stronger brand than Dominican, Dominican has better marketing than Grinnell.
The other interesting observation was about communication. I heard from a few Grinnell alumni that I should have checked better what Grinnell was doing before I posted this, that I should have checked here and there (at which point they’d send me a list of obscure links). All of these communications were personal and emailed directly to me. All of them came from people still working in academia. What’s interesting here is that I’ve transitioned to business. My communication style is many/one-to-many, not one-to-one. Sure, I could have looked up the base rate that students were being paid, the number of jobs available. I may have even found out that limiting loans to $2k isn’t a bad thing (doesn’t limiting the loan amount sound bad to you?).
However, to do so, I would have wasted at least half a day finding the right people. The Dominican information came to me, as I follow news relating to education. I do not follow news that is specifically Grinnell-focused, but anything important that touches on education and liberal arts should come my way. Dominican managed to release the information in a way that was concise, easy to understand, easy to propagate and timely. Grinnell’s information was not – even though I get emails and letters from them, I was unaware of certain things that they were already doing.
In my discussions with Jim Hess, it was clear that this is something that Grinnell is working on. In fact, there is a chance that I may be allowed to work on it with them, as the project that they’re pursuing to make this happen has some potential. However, as my work with other schools has shown me, “the wheels of academia turn slowly”. I find this a sad thing, as it’s that very slowness that could cause a weakening of Grinnell’s brand position and allow (relative) upstarts like Dominican to overtake them. Clearly, being a graduate of Grinnell, I’d prefer that this not happen (sorry, Dominican) and will put forth some effort to help them out.
In any case, it’s $400 that gives Grinnell and Dominican students a bit of help, gives me a valuable lesson and hopefully allows me to pass the lesson along to you.
I consider that money well spent.
Grinnell and Giving
- At November 25, 2008
- By Josh More
- In Business Security
- 3
I know I’ve not been blogging much lately. I’m working on that, but until I get to the business and security content that so many of you come here for, I have to share this. It’s about my alma mater, Grinnell College.
When I set foot on Grinnell’s campus, it felt like home. My four years there were focused on education. Not necessarily the academics, but education nonetheless. While I did learn a lot about Physics and Art, I learned a lot more about friendship, adversity, pain, love, and how to get along with others. It was where I stopped being a child and started on the path towards being an adult. It was a time of transformation and metamorphosis. Of all the times in my life, it is the one I point to when I need to say “This is when I really started to be me.”
Since that time, I have worked a few jobs and have learned a lot about adult life and the working world. I’ve begun to look upon Grinnell with new eyes.
Since graduation, I have been irritated when I get calls and letters from Grinnell asking for money. This is not because I think poorly of my time at Grinnell, quite the contrary. It is because the administration of Grinnell seems to have been working very hard to ensure that the experiences that I had there could not be repeated in the future. I’ve heard about the exorbitant salary for the college president, continuously skyrocketing tuition, and the erection of larger and larger buildings. It appears to me that the college is attempting to grow and, through growth, become something other than what it was to me: a small, incredibly liberal arts college where students are free to experiment, make mistakes, and become adults.
My fear is that Grinnell has gotten lost in the pursuit of college rankings and the cost of the college experience. As such, I cannot justify giving any of my money to the college.
Today, I heard about Dominican University. It’s similar in size to Grinnell. It’s a small Catholic university located in Northern Illinois. I don’t know their politics or academic record. However, I do know something about their values. As detailed in a press release, they are addressing the current economic situation as follows:
1) To encourage students staying in school, all seniors graduating in January and May 2009 are granted a tuition reduction towards Masters-level tuition.
2) They are expanding the number of on-campus student jobs.
3) They are raising the entry-level wage for student jobs.
4) They are offering free classes in resume writing, interviewing, and finance management to all alumni that need them.
5) They are offering scholarships to parents of current students who are between jobs and wish to gain education.
I am astonished that the little school about which I knew almost nothing prior to today is taking such an active role in promoting education in society. I am impressed at their creativity and attention to their values. I am deeply, deeply ashamed that my own school is not leading the effort.
So, what am I going to do about it?
I am not skilled in political theory or sociology. I do not have an incredibly deep understanding of economics or history. Grinnell did, however, teach me about systems and to be a moderately skilled writer. I know about physical, biological, technological and business systems. I know that the lifeblood to an institution like Grinnell is money and that the lifeblood to a college student is the assurance that they can stay at Grinnell to complete their education. I know that a great many people that attended Grinnell have skills that vastly exceed mine in their own areas of expertise.
Therefore, I am going to put my money where my mouth is. I challenge Grinnell to meet Dominican University and lead the way, proving that education and raising responsible adults still wins out over political games and attracting high-profile donors. I am setting aside $400. It’s money that I had earmarked for something else, and not having it will hurt. I think that this is very important, however, so I’m going to do it. I give Grinnell four challenges to meet by February 1.
1) Either discount tuition for the Senior year (to keep them in school) or institute a tuition freeze for all current students (i.e., no tuition hikes for current students).
2) Boost the number of on-campus student jobs by at least 30.
3) Raise the entry-level wage for student jobs by at least $1.00/hr.
4) Offer free classes to alumni on getting a new job, covering interview and resume techniques. Ideally, these classes will be available online so that non-local alumni can attend them.
For each point that the college can meet, I will give the college $100. For all that haven’t been met by February 1, I will give $100 to Dominican University. I am not Catholic and suspect that I would disagree with their politics, but I have to support these particular values. If my alma mater won’t adopt them, I’ll support the school that will.
Similarly, I challenge my fellow classmates to join me. Work within your own areas of expertise to spread the word. Come up with other ways that the college can help the students, not just the rankings. Put up what money you can afford so that Grinnell can see we’re serious. Either challenge Grinnell directly or donate with an earmark towards “reducing the economic burden on current students”. Post this or an abbreviated rewrite (I do tend to go on) on your blogs/facebooks/myspace/livejournals/etc. I may not be skilled in “getting the word out,” but I know that some of you are fantastic at that.
Do what you can.
Help us help the next generation.
-Josh More
Grinnell Class of 1999