>“I Am Legend” and Enterprise Architecture

>

Sometimes, when we architect change, we can make mistakes and people and organizations end up getting hurt.

In the movie I Am Legend, mankind architects a way to use a virus to kill cancer—seemingly, the cure that we’ve all been hoping for; but something goes terribly wrong and 90% of the world ends up dead, while another 9% end up as zombie cannibals feeding off of the remaining 1% of the population that is immune to the virus.

“Viral diseases such as rabies, yellow fever and smallpox have affected humans for centuries…Examples of common human diseases caused by viruses include the common cold, the flu, chickenpox and cold sores. Serious diseases such as Ebola, AIDS, avian influenza and SARS are caused by viruses…The ability of viruses to cause devastating epidemics in human societies has led to the concern that viruses could be weaponized for biological warfare.” (Adapted from Wikipedia)

So is there such a thing as a good virus?

Now scientists have architected, they believe, a way for viruses (bacteriophages) to kill bacterial infections (hopefully, not a repeat of the I Am Legend plot!)

MIT Technology Review, 15 April 2008, reports that “in the fight against infection, viruses take up where antibiotics leave off.”

Superbug bacteria infects up to 1.2 million patients a year in the U.S., particularly in hospitals where bacteria can spread from countertops, stethoscopes, and catheters.

Scientists have developed “nylon sutures coated with bacteriophages—viruses, found naturally in water, that eat bacteria while leaving human cells intact.”

Bacteriophages were used in World War II to treat soldiers with dysentery and gangrene, but this was soon overcome by rising interest in antibiotics. But “it takes time to get new classes of antibiotics onto the market, whereas bacteriophages can be easily isolated from environmental sources such as sewage water.”

How do the bacteriophages work?

“In water, these natural born-killers are extremely effective at eating up bacteria. The virus binds to bacteria and injects its DNA, replicating within its host until it reaches capacity, whereupon it bursts out, killing the bacteria in the process.”

What is the advantage to using bacteriophages?

“Antibiotics are broad-spectrum, and for certain bacterial strains, it’s easier to use bacteriophages if you know exactly which bacterium is causing the infection. You can target one strain, and it wouldn’t affect any other bacteria that may be protecting cells.”

Aside from sutures, how else might bacteriophages be applied?

They can be incorporated into sprays and creams.

Additionally, bacteriophages, aside from use in fighting bacteria, may be useful in detecting bacterial infection.

From an enterprise architecture perspective, the baseline for fighting infection has for many years been through antibiotics. Now, the target architecture includes viruses that can kill the bacteria. However, as in the case of the virus that is supposed to help cure, but instead causes a lethal epidemic, there is always the potential for things to go off course, when we architect change in the enterprise.

Catastrophic consequences from change can occur for example, when we make changes to products, processes, people, and technologies in organizations. These can result in unintended consequences like defective products, inefficient processes, accidents to employees, and failed IT implementations to name just a few.

The point is that enterprise architecture is not a bacteriophage or antibiotic cure-all. As architects, we need to be cognizant of the risks inherent in change (as well as in maintaining the status quo) and manage change thoughtfully, carefully, and with an eye toward risk management all along the way.

The last thing we want to be is Lieutenant Colonel Robert Neville (in the movie I Am Legend) left as the last healthy human along with his trusty dog in New York City and possibly the entire world.

>Hacker Camps and Enterprise Architecture

>

One of the perspectives of the enterprise architecture is Security. It details how we secure the business and technology of the organization. It includes managerial, operational, and technical controls. From an information security view, we seek confidentiality, integrity, availability, and privacy of information.

Who are we protecting the enterprise from in terms of our information security? From hackers of course!

How do we protect ourselves from hackers? By teaching our security professionals the tricks of the trade—teach them how to hack!

The Wall Street Journal, 1 April 2008, reports that “Hacker Camps Train Network Defenders: Sessions Teach IT Pros to Use Tools of the Online Criminal Trade.”

“In such sessions, which cost about $3,800, IT pros typically spend a week playing firsthand with the latest underground computer tools. By the end of the week, participants are trained as ‘ethical hackers’ and can take a certification test backed by the International Council of Electronic Commerce Consultants.”

Overall more than 11,000 people have received the ‘ethical hacker’ certificate since 2003; nearly 500 places world-wide offer the training.”

Why do we need to teach these hacking tools to IT security professionals?

They need to understand what they’re up against so they can more effectively plan how to protect against the adversary. Know thy enemy!

How large is the IT security issue?

The average large U.S. business was attacked 150,000 times in 2007…the average business considered 1,700 of these attacks as sophisticated enough to possibly cause a data breach. In addition, the number of unique computer viruses and other pieces of malicious software that hackers tried to install on computers and IT networks doubled to 500,000 last year from 2006…[and it’s expected] to double again in 2008.”

It’s great that we are advancing the training of our information security champions and defenders, but what about those who take the course, but are really there to learn hacking for the sake of hacking? How many of the 11,000 ‘ethical hackers’ that have been trained are really ethical and how many are using their newfound knowledge for more nefarious ends?

From an enterprise architecture standpoint, we need to ensure that we are not giving away the keys of the kingdom to anyone, including our own IT security staff—through hacker training. Also, we need to be careful not to rely on any one individual to maintain the security order of things. We need to plan our security using a system of checks and balances, just like the constitution lays out for the governance of the nation, so that even the chief information security officer (CISO) is accountable and has close oversight. Finally, we need to institute multiple layers of defense to work best we can to thwart even the determined hackers out there.

>Intrusion-Prevention Systems and Enterprise Architecture

>Firewalls have traditionally been used to “wall off” the enterprise from computer attack, but now intrusion-prevention systems are augmenting the organization’s defenses.

The Wall Street Journal, 28 January 2008 reports that “intrusion prevention systems promise an even smarter defense” than firewalls.

Firewalls are intended to keep intruders out. However, because certain traffic, such as email, needs to get through, holes or open ports allow in traffic that can carry viruses or malware into the network.

Intrusion-prevention systems work differently—they don’t wall off the enterprise networks like firewalls, but rather like a metal detector, they filter or scan every piece of traffic entering the organization for suspicious activity, and reject any item that is identified as a threat.

According to Wikipedia, Intrusion prevention systems (IPS)… [are] a considerable improvement upon firewall technologies, IPS make access control decisions based on application content, rather than IP address or ports as traditional firewalls had done.

Intrusion-prevention systems can be hardware that is physically attached to the network or software that is loaded onto individual computers.

Are intrusion-prevention systems really necessary?

Yes. “According to the Computer Security Institute 2007 Computer Crime and Security Survey, the average annual loss suffered by U.S. companies from computer crime more than doubled last year to $350,424 from $168,000 in 2006. And these reported losses tend to underestimate the number of attacks.”

Gartner analyst recommends antivirus on PCs and an intrusion –prevention system on the network.

Are there any problems with intrusion-prevention systems?

One of the biggest issues is false positives, which if not adjusted for will block desired incoming traffic. One way to handle this is to use the intrusion-prevention system to “detect threats and flag them,” rather than simply block them altogether. Additionally, the organization can adjust the filters that they may not need. This is the tuning required to ensure performance in terms of network speed and an appropriate level of filtering.

If your organization is not using an intrusion-prevention system, this is something your enterprise architecture needs to plan for and implement ASAP.

>Information Security and Enterprise Architecture

>

Information security is generally considered a cross-cutting area of enterprise architecture. However, based on its importance to the overall architecture, I treat information security as its own perspective (similar to performance, business, information, services, and technology).

According to the Wall Street Journal (WSJ), 11 December 2007, professional hackers are getting smarter and more sophisticated in their attacks and this requires new IT tools to protect the enterprise. Here are some of the suggestions:

  1. Email scams—“hackers have responded to improved filtering software and savvier population by aiming their attacks at specific individuals, using publicly available information to craft a message designed to dupe a particular person of group of people” In response, organizations are installing antivirus and antimalware software from multiple vendors to increase the chance, the an attack that gets by one security software products, will be stopped by one of the others. These products can be obtained from vendors like Sophos, Sybari, Micosoft, Symantec, and McAfee.
  2. Key loggers—“one common form of malware is a key logger, which captures the user names and passwords that an unsuspecting computer user types, and then sends these to a hacker.” However, software from Biopassword Inc. can thwart this by recording employees typing rhythms, so that even a hacker that knows a username and password is denied access if he types too fast or too slow.
  3. Patrolling the network—hackers who get past the firewall often have free rein to roam once inside the network. However, CoSentry Networks Inc. has a product that imposes controls on where a user can go on the network, so even someone with a valid login will be prevented from snooping around the network or accessing information from an unapproved location.
  4. Policing the police—one of the biggest threats to an enterprise is from the insiders, employees who have access to the systems and information. Software from Application Security Inc., however, monitors access, changes, repeated failed logins, and suspicious activity and notifies the designated security officer.

From a user-centric EA standpoint, information security is paramount to protect the enterprise, its mission execution, its employees, and stakeholders. As the WSJ points out, “breaches of corporate computer security have reached epidemic proportions. So far this year more than 270 organizations have lost sensitive information like customer credit-card or employee social security numbers—and those are just the ones that have disclosed such incidents publicly.” EA must help the chief information security officer to identify these enterprise security threats and select appropriate countermeasures to implement.