Learning IT Security By Consequences

This is a brilliant little video on IT Security.

What I like about it is that it doesn’t just tell you what not to do to stay safe, but rather it shows you the consequences of not doing the right things.

Whether you are letting someone into your office, allowing them to borrow your badge, leaving your computer unsecured, posting your passwords, and more, this short animated video shows you how each of these lapses gets exploited.

It is also effective how they show “Larry” doing these security no-no’s with signs everywhere saying don’t do this.

Finally, the video does a nice job summing up key points at the end to reinforce what you learned.

I think that while this is simpler than many longer and more detailed security videos that I have seen, in a way it is more successful in delivering the message: a practical, down-to-earth approach from which anyone can quickly learn the core basic practices.

Moreover, this video could be expanded to teach additional useful IT security tips, such as password strengthening, social engineering, and much more.

I believe that even Larry, the unsuspecting office guy, can learn his lesson here. 😉

(Note: This is not an endorsement of any product or service.)

Analyzing The Law

So I am back in school AGAIN (I’m a life-long learner), augmenting my not so slow-paced job.

Let’s just say that at this point, I recognize that the more I know, the more I don’t know anything.

The class that I am taking now is Cyberlaw, and while I did take law in business school–many moons ago–that was more focused on contracts and business organizations.

This class looks interesting from the perspective of the legal and regulatory structure to deal with and fight cybercrime, -terrorism, and -war.

One interesting thing that I already learned was a technique for evaluating legal cases called IRAC, which stands for:

– Issues–the underlying legal matters that the case is addressing.

– Rules–what legal precedents can be applied.

– Analysis–whether those rules apply or not, in this case.

– Conclusion–rendering an opinion on the case.

This is a structured way to analyze any legal case.

Of course, before you do these, you have to look at the facts–so that is the very first section.

The problem with that is then you have F-IRAC and that can definitely be taken the wrong way. 😉

(Source Photo: Andy Blumenthal)

Technology Forecast 2013

I am an avid follower of everything technology and trends, but am tired of hearing about cloud, mobile, and social computing.

It’s time to get over it with the agenda of the past and get on with it with the future of technology.

In the attached graph is my Technology Forecast 2013, and here is where I see us going forward:

1) Service Provision–Cost-cutting and consolidation into the cloud is a wonderful idea and it has had its time, but the future will follow consumer products, where one flavor does not fit all. We need globalization with a local flavor to provide for distinct customer requirements and service differentiators, as well as for classified, proprietary, and private systems and information.

2) Service Delivery–Mobile is here and the iPhone is supreme, but the future belongs to those that deliver services not only to remote devices, but in wearable, implantable, and even human augmentation.

3) Human Interaction–Social computing, epitomized by Facebook, Twitter, LinkedIn, and many more, is a cool way to interact with others virtually, but wall posts, email, and chats are getting cliché. Next up is conjoining with others through capabilities such as telepathic communication, mind-melding collaboration, and even virtual sex for the outlandish.

4) Robotics and Artificial Intelligence–With something like 10,000 drones flying the friendly and not-so friendly skies and even drones that autonomously land on aircraft carriers, the next robot is coming to the ground near you–drones will become (an)droids and will eventually have the AI to become part of our everyday society.

5) Service Assurance–Enough playing defense with a sprinkling of offense against our worst enemies–it’s past time to move from trying to stop-gap infiltrators and do damage control once we’ve been robbed blind, and instead move to a hunter-killer mentality and capability–the price of being a bad boy on the Internet goes way up and happens in realtime.

6) Data Analytics–Big data isn’t a solution, it’s the problem. The solution is not snapshot pretty graphics, but realtime augmented reality–where data is ingrained in everything and transparent realtime–and this becomes part of our moment-by-moment decision processes.

7) Biotechnology–Biometrics sounds real cool–and you get a free palm reading at the same time, but the real game changer here is not reading people’s bio signatures, but in creating new ones–with not only medical cures, but also new bio-technological capabilities.

8) Nanotechnology–Still emerging, quantum mechanics is helping us delve into the mysteries of the universe, with applications for new and advanced materials, but the new buzzword will be nano-dust, where atomic and molecular building blocks can be used on-the-fly to build anything, be anywhere, and then recycled into the next use.

Overall, I see us moving from mass produced, point-to-point solutions to more integrated end-to-end solutions that fit individual needs–whether through continued combinations of hardware, software, and services, man-machine interfaces/integration, and building blocks that can be shaped and reused again and again.

From my perspective, there is a seeming lull in innovation, but the next big leap is around the corner.

(Source Graphic: Andy Blumenthal)

Those In The Know, Sending Some Pretty Clear Warnings

There have been a number of leaders who have stepped up to tell people the real risks we are facing as a nation.

They are not playing politics–they have left the arena.

And as we know, it is much easier to be rosy and optimistic–let’s face it, this is what people want to hear.

But these leaders–national heroes–sacrifice themselves to provide us an unpopular message, at their own reputational risk.

That message is that poor leadership and decision-making in the past is threatening our present and future.

Earlier this week (15 May 2011), I blogged about a documentary called I.O.U.S.A. with David Walker, the former Comptroller General of the United States for 10 years!

Walker was the head of the Government Accountability Office (GAO)–the investigative arm of Congress itself–and has testified before Congress and toured the country warning of the dire fiscal situation confronting us from our proclivity to spend future generations’ money today: the spiraling national deficit.

Today, I read again in Fortune (21 May 2012) an interview with another national hero, former Admiral Mike Mullen, who was chairman of the Joint Chiefs (2007-2011).

Mullen warns bluntly of a number of “existential threats” to the United States–nukes (which he feels are more or less “under control”), cyber security, and the state of our national debt.

Similarly, General Keith Alexander, the Director of the National Security Agency (NSA) and the head of the Pentagon’s Cyber Command has warned that DoD networks are not currently defensible and that attackers could disable our networks and critical infrastructure underpinning our national security and economic stability.

To me, these are well-respected individuals who are sending some pretty clear warning signals about cyber security and our national deficit, not to cause panic, but to inspire substantial change in our national character and strategic priorities.

In I.O.U.S.A., after one talk by Walker on his national tour, the video shows that the media does not even cover the event.

We are comfortable for now and the messages coming down risk shaking us from that comfort zone–are we ready to hear what they are saying?

(Source Photo: here with attribution to Vagawi)

Understanding Risk Management

Information Security, like all security, needs to be managed on a risk management basis.

This is a fundamental principle that was previously advocated for the Department of Homeland Security by former Secretary Michael Chertoff.

The basic premise is that we have limited resources to cover ever changing and expanding risks, and that therefore, we must put our security resources to the greatest risks first.

Daniel Ryan and Julie Ryan (1995) came up with a simple formula for determining risks, as follows:

Risk = [(Threats x Vulnerabilities) / Countermeasures] x Impact

Where:

– Threats = those who wish to do you harm.

– Vulnerabilities = inherent weaknesses or design flaws.

– Countermeasures = the things you do to protect against the dangers posed.

[Together, threats and vulnerabilities, offset by any countermeasures, is the probability or likelihood of a potential (negative) event occurring.]

– Impacts = the damage or potential loss that would be done.

Of course, in a perfect world, we would like to reduce risk to zero and be completely secure, but in the real world, the cost of total risk avoidance is prohibitive.

For example, with information systems, the only way to hypothetically eliminate all risk is by disconnecting (and turning off) all your computing resources, thereby isolating yourself from any and all threats. But as we know, this is counterproductive, since there is a positive correlation between connectivity and productivity. When connectivity goes down, so does productivity.

Thus, in the absence of being able to completely eliminate risk, we are left with managing risk, and in particular with critical infrastructure protection (CIP), by prioritizing the highest security risks, securing those first, and working down the list until the resources available for countermeasures are exhausted.
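As an added example (not part of the original post), here is the Ryan and Ryan formula in Python applied to a constructed asset inventory, with the prioritization described above implemented as a budget-limited walk down the ranked list. The asset names, the 1-5 rating scales, and the per-asset mitigation costs are assumptions made for the illustration; the original formula has no cost term. Note also a practical caveat the formula hides: because it divides by Countermeasures, the countermeasure scale has to start at 1 (meaning "no controls"), not 0.

```python
"""Added example: scoring and ranking risks with the Ryan & Ryan formula.

    Risk = [(Threats x Vulnerabilities) / Countermeasures] x Impact

The asset names, the 1-5 rating scales and the per-asset mitigation
costs below are constructed for illustration. The original formula has
no cost term; the budget allocation is an assumption added here to show
the "work down the list until resources run out" prioritization.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    threats: float          # how many / how capable the actors who want to harm it (1-5)
    vulnerabilities: float  # inherent weaknesses or design flaws (1-5)
    countermeasures: float  # strength of controls already in place (>= 1; 1 = none)
    impact: float           # loss if the asset is compromised (1-5)
    mitigation_cost: int    # assumed budget needed to fund the next countermeasure


def risk_score(asset: Asset) -> float:
    """Ryan & Ryan risk: likelihood term times impact.

    The division means a countermeasure rating of 0 is meaningless (it
    would make risk infinite), so the scale must start at 1 = no controls.
    The result is an ordinal ranking score, not a probability.
    """
    if asset.countermeasures < 1:
        raise ValueError("countermeasures must be rated >= 1 (1 means none)")
    likelihood = (asset.threats * asset.vulnerabilities) / asset.countermeasures
    return likelihood * asset.impact


def prioritize(assets: Sequence[Asset], budget: int) -> Tuple[List[str], int, List[Asset]]:
    """Rank assets by risk and fund mitigations from the top down.

    Returns (funded asset names, unspent budget, full ranked list).
    An asset whose mitigation does not fit the remaining budget is skipped
    rather than stopping the walk, so cheaper lower-ranked items can still
    be funded (a design choice made here, not part of the formula).
    """
    ranked = sorted(assets, key=risk_score, reverse=True)
    funded: List[str] = []
    remaining = budget
    for asset in ranked:
        if asset.mitigation_cost <= remaining:
            funded.append(asset.name)
            remaining -= asset.mitigation_cost
    return funded, remaining, ranked


def with_countermeasures(asset: Asset, level: float) -> float:
    """Risk that remains once controls on the asset are raised to `level`."""
    return risk_score(Asset(asset.name, asset.threats, asset.vulnerabilities,
                            level, asset.impact, asset.mitigation_cost))


# Constructed sample inventory (not real systems).
SAMPLE_ASSETS = [
    Asset("public web server", threats=5, vulnerabilities=4, countermeasures=2, impact=3, mitigation_cost=40),
    Asset("HR database",       threats=3, vulnerabilities=3, countermeasures=1, impact=5, mitigation_cost=60),
    Asset("dev wiki",          threats=2, vulnerabilities=4, countermeasures=1, impact=1, mitigation_cost=10),
    Asset("air-gapped backup", threats=1, vulnerabilities=2, countermeasures=4, impact=5, mitigation_cost=30),
]


if __name__ == "__main__":
    funded, left, ranked = prioritize(SAMPLE_ASSETS, budget=100)
    for a in ranked:
        print(f"{a.name:18s} risk={risk_score(a):5.1f} cost={a.mitigation_cost}")
    print("funded:", funded, "unspent:", left)
    # Raising the HR database controls from 1 to 3 cuts its risk from 45 to 15.
    print("HR database after controls:", with_countermeasures(SAMPLE_ASSETS[1], 3))
```

With a budget of 100 the two highest-risk items (the HR database at 45 and the web server at 30) get funded and the rest wait; with a budget of 50 the HR database mitigation no longer fits, so the walk funds the web server and the cheap wiki fix instead. That second case is the point of the caveat in `prioritize`: a strict "stop at the first item you cannot afford" rule would leave the whole budget unspent.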

In a sense, being unable to “get rid of risk” or fully secure ourselves from anything bad happening to us is a philosophically imperfect answer and leaves me feeling unsatisfied–in other words, what good is security if we can’t ever really have it anyway?

I guess the ultimate risk we all face is the risk of our own mortality. In response all we can do is accept our limitations and take action on the rest.

(Source Photo: here with attribution to martinluff)

Securing The Internet: A Historical Perspective

This week, I had the opportunity to take a great class in Cyber Security / Information Assurance.

As part of the class, we had to do a team project and my part was to present a brief history of the Internet and how this best positions the Federal Government to take the lead in securing the Internet.

Here is my part of the presentation:

Good morning. I am Andy Blumenthal, and I am here to talk with you today about the wealth of historical experience that the U.S. Federal Government has with managing the Internet and why we are best positioned to govern the security of it in partnership with the private sector and international community.

As you’ll see on the timeline, the U.S. Government has played a major role in virtually every development with the Internet from inventing it, to building it, and to governing it, and it is therefore, best prepared to lead in securing it.

It all started with the invention of the Internet by the government.

Starting in 1957 with the Sputnik Crisis, where the Soviets leaped ahead of us in putting the first satellite in Earth’s orbit—this caused great fear in this country and ultimately led to a space and technology race between us and the Soviet Union.

As a result of this, in 1958, the U.S. Government established the Advanced Research Projects Agency (or ARPA) to advance our technology superiority and prevent any future technology surprises.

In 1962, ARPA created the Information Processing Techniques Office (IPTO) to enhance telecommunications for sharing ideas and computing resources.

Then in 1964, the conceptual foundation was laid with the publication by RAND (under contract to the Air Force) of “On Distributed Communications,” which set out the idea of a distributed communications network with packet switching and no single point of failure (the architectural basis of the Internet). This was seen as critical in order to strengthen the U.S. telecomm infrastructure for survivability in the event of nuclear attack by the Soviets.

The Internet era was born!

The U.S. government then set out to build this great Internet.

In 1968, ARPA contracted for the first 4 nodes of this network (for $563,000).

Then in 1982, after 8 years of anti-trust litigation, the U.S. government oversaw the breakup of AT&T into the Baby Bells in order to ensure competition, value, and innovation for the consumer.

In 1983, ARPANET split off MILNET, but continued to be linked to it through TCP/IP.

In 1987, the National Science Foundation (NSF) built a T1 “Internet Backbone” for NSFNET hooking up the nation’s five supercomputer centers for high-speed and high-capacity transmission.

And in 1991, the National Research and Education Network (NREN, a specialized ISP) was funded for a five-year contract with $2 billion by Congress to upgrade the Internet backbone.

At this point, the Internet was well on its way!

But the U.S. government’s involvement did not end there, after inventing it and building it, we went on to effectively govern it.

In 2005, the Federal Communication Commission (FCC) issued the Internet Policy Statement (related to Net Neutrality) with principles to govern an open Internet—where consumers are entitled to choice of content, apps, devices, and service providers.

And now, most recently, in 2012, we have a proposed bill for the Cybersecurity Act to ensure that companies share cyber security information through government exchanges and that they meet critical infrastructure protection standards.

You see, the government understands the Internet, its architecture, and its vulnerabilities, and has a long history with the Internet from its invention, to its building, and its governance.

It only makes sense for the government to take the lead in the security of the Internet and to balance this effectively with the principles for an open Internet.

Only the government can ensure that the private sector and our international partners have the incentives and disincentives to do what needs to be done to secure the Internet and thereby our critical infrastructure protection.

Thank you for your undivided attention, and now I will turn it over to my colleague who will talk to you about the legal precedents for this.

(Source Graphic: Andy Blumenthal)

Visualizing IT Security

I thought this infographic on the “8 Levels of IT Security” was worth sharing.

While I don’t see each of these as completely distinct, I believe they are all important aspects of enterprise security, as follows:

1) Risk Management – With limited resources, we’ve got to identify and manage the high probability, high impact risks first and foremost.

2) Security Policy – The security policy sets forth the guidelines for what IT security is and what is considered acceptable and unacceptable user behavior.

3) Logging, Monitoring, and Reporting – This is the eyes, ears, and mouth of the organization in terms of watching over its security posture.

4) Virtual Perimeter – This provides for the remote authentication of users into the organization’s IT domain.

5) Environment and Physical – This addresses the physical protection of IT assets.

6) Platform Security – This provides for the hardening of specific IT systems around aspects of its hardware, software, and connectivity.

7) Information Assurance – This ensures adequate countermeasures are in place to protect the confidentiality, integrity, availability, and privacy of the information.

8) Identification and Access Management – This prevents unauthorized users from getting to information they are not supposed to see.

Overall, this IT security infographic is interesting to me, because it’s an attempt to capture the various dimensions of the important topic of cyber security in a straightforward, visual presentation.

However, I think an even better presentation of IT security would be using the “defense-in-depth” visualization with concentric circles or something similar showing how IT security products, tools, policies, and procedures are used to secure the enterprise at every level of its vulnerability.

IT security is not just a checklist of do’s and don’ts, but rather it is based on a truly well-designed and comprehensive security architecture and its meticulous implementation for protecting our information assets.

Does anyone else have any other really good visualizations on cyber security?

(Source Photo: here)