(Source Photo: here with attribution to Kenny Holston 21)
Good video by The Washington Post (2 June 2012) on the importance and challenges of cybersecurity.
There are 12 billion devices on the Internet today and this is projected to soar to 50 billion in the next decade.
Cybersecurity is paramount to protecting the vast amounts of critical infrastructure connected to the Internet.
There is a lot riding over the Internet–power, transportation, finance, commerce, defense, and more–and the vulnerabilities inherent in this are huge!
Some notable quotes from the video:
– “Spying, intrusions, and attacks on government and corporate networks occur every hour of every day.”
– “Some sort of cyberwar is generally considered an inevitability.”
– “Cyberwar although a scary term–I think it is as scary as it sounds.”
– “Right now the bar is so low, it doesn’t take a government, it doesn’t take organized crime to exploit this stuff–that’s what’s dangerous!”
We all have to do our part to raise the bar on cybersecurity–and let’s do it–now, now, now.
(Source Photo: here with attribution to University of Maryland Press Releases)
Information Security, like all security, needs to be managed on a risk management basis.
This is a fundamental principle that was previously advocated for the Department of Homeland Security by the former Secretary, Michael Chertoff.
The basic premise is that we have limited resources to cover ever changing and expanding risks, and that therefore, we must put our security resources to the greatest risks first.
Daniel Ryan and Julie Ryan (1995) came up with a simple formula for determining risks, as follows:
– Threats = those who wish to do you harm.
– Vulnerabilities = inherent weaknesses or design flaws.
– Countermeasures = the things you do to protect against the dangers imposed.
[Together, threats and vulnerabilities, offset by any countermeasures, are the probability or likelihood of a potential (negative) event occurring.]
– Impacts = the damage or potential loss that would be done.
Of course, in a perfect world, we would like to reduce risk to zero and be completely secure, but in the real world, achieving total risk avoidance is cost prohibitive.
For example, with information systems, the only way to hypothetically eliminate all risk is by disconnecting (and turning off) all your computing resources, thereby isolating yourself from any and all threats. But as we know, this is counterproductive, since there is a positive correlation between connectivity and productivity. When connectivity goes down, so does productivity.
Thus, since we cannot completely eliminate risk, we are left with managing it, and in particular with critical infrastructure protection (CIP): prioritizing the highest security risks, securing those first, and working down the list until we exhaust the resources available for countermeasures.
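A sketch of the prioritization described above, added here as an illustration and not taken from Ryan and Ryan or from the original post. It assumes the risk score is (threats × vulnerabilities ÷ countermeasures) × impact; the asset names, the numbers, and the `fix_cost` and `fix_factor` fields are constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    name: str
    threat: float          # 0..1: how likely someone tries to do harm
    vulnerability: float   # 0..1: how exposed the weakness is
    countermeasure: float  # >= 1: protection already in place (1 = none)
    impact: float          # loss in dollars if the event occurs
    fix_cost: int          # hypothetical cost of one more countermeasure
    fix_factor: float      # hypothetical multiplier that fix gives protection

    def score(self) -> float:
        # Assumed form: likelihood = threats x vulnerabilities / countermeasures
        likelihood = self.threat * self.vulnerability / self.countermeasure
        return likelihood * self.impact

def prioritize(risks, budget):
    """Work down the list from highest risk, funding each fix that still fits."""
    funded, after = [], []
    for risk in sorted(risks, key=Risk.score, reverse=True):
        if risk.fix_cost <= budget:
            budget -= risk.fix_cost
            funded.append(risk.name)
            risk = replace(risk, countermeasure=risk.countermeasure * risk.fix_factor)
        after.append(risk)
    return funded, after

def total(risks):
    """Expected loss summed over the whole portfolio."""
    return sum(r.score() for r in risks)

# Constructed sample portfolio (not real data)
PORTFOLIO = [
    Risk("Staff laptops", 0.5, 0.5, 1.0, 100_000, 50, 5.0),
    Risk("Test lab network", 0.2, 0.5, 1.0, 50_000, 10, 2.0),
    Risk("SCADA remote access", 0.8, 0.5, 1.0, 1_000_000, 60, 4.0),
    Risk("Public web server", 0.9, 0.4, 2.0, 200_000, 30, 2.0),
]

if __name__ == "__main__":
    funded, after = prioritize(PORTFOLIO, budget=100)
    print("funded, in priority order:", funded)
    print(f"expected loss before: {total(PORTFOLIO):,.0f}")
    print(f"expected loss after:  {total(after):,.0f}  (reduced, never zero)")
```

With a budget of 100 the laptop fix is skipped because it no longer fits once the two highest risks are funded, and the expected loss falls but stays above zero.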
In a sense, being unable to “get rid of risk” or fully secure ourselves from anything bad happening to us is a philosophically imperfect answer and leaves me feeling unsatisfied–in other words, what good is security if we can’t ever really have it anyway?
I guess the ultimate risk we all face is the risk of our own mortality. In response all we can do is accept our limitations and take action on the rest.
(Source Photo: here with attribution to martinluff)
I came across two very interesting and concerning studies on cloud computing–one from last year and the other from last month.
Here is a white paper by London-based Context Information Security (March 2011)
Context rented space from various cloud providers and tested their security.
Overall, it found that the cloud providers failed in 41% of the tests and that tests were prohibited in another 34% of the cases–leaving a pass rate of just 25%!
The major security issue was a failure to securely separate client nodes, resulting in the ability to “view data held on other service users’ disk and to extract data including usernames and passwords, client data, and database contents.”
The study found that “at least some of the unease felt about securing the Cloud is justified.”
Context recommends that clients moving to the cloud should:
1) Encrypt–“Use encryption on hard disks and network traffic between nodes.”
2) Firewall–“All networks that a node has access to…should be treated as hostile and should be protected by host-based firewalls.”
3) Harden–“Default nodes provisioned by the Cloud providers should not be trusted as being secure; clients should security harden these nodes themselves.”
I found another interesting post on “dirty disks” by Context (24 April 2012), which describes another cloud vulnerability that results in remnant client data being left behind, which then becomes vulnerable to others harvesting and exploiting this information.
In response to ongoing fears about the cloud, some are choosing to have separate air-gapped machines, even caged off, at their cloud providers’ facilities in order to physically separate their infrastructure and data–but if this is their way to currently secure the data, then is this really even cloud, or should we more accurately call it a faux cloud?
While Cloud Computing may hold tremendous cost-saving potential and efficiencies, we need to tread carefully, as the skies are not yet all clear from a security perspective with the cloud.
Clouds can lead the way–like for the Israelites traveling with G-d through the desert for 40 years or they can bring terrible destruction like when it rained for 40 days and nights in the Great Flood in the time of Noah.
The question for us is are we traveling on the cloud computing road to the promised land or is there a great destruction that awaits in a still immature and insecure cloud computing playing field?
(Source Photo: here with attribution to freefotouk)
– The attacks are real, stealthy, persistent, and can devastate our nation.
– Cyber attacks occur at the speed of light, are global, can come from anywhere, and can penetrate our traditional defenses.
– In the event of a major cyber attack, what could we expect? Department of Defense networks collapsing, oil refinery fires, lethal clouds of gas from chemical plants, the financial systems collapsing with no idea of who owns what, pipelines of natural gas exploding, trains and subways derailed, a nationwide blackout. These are not science fiction scenarios. (Adapted from Richard Clarke, former Senior Advisor of Cyber Security)
– It is not a matter of if, but when a Cyber Pearl Harbor will occur. We have been fortunate [so far]. (Adapted from General Keith Alexander, Director of the NSA).
I believe we must address these threats and our vulnerabilities in at least five main ways:
1) Increase research and development for new tools and techniques–both defensive and offensive–for fighting cyberwar.
2) Establish a regulatory framework with meaningful incentives and disincentives to significantly tighten cybersecurity across our critical infrastructure.
3) Create a cybersecurity corps of highly trained and experienced personnel with expertise in both the strategic and operational aspects of cybersecurity.
4) Prepare nationwide contingency plans for the fallout of a cyberwar, if and when it should occur.
5) Create a clear policy for preventing cyberattacks by taking preemptive action when there is a known threat as well as for responding with devastating force when attacks do occur.
With cyberwar, just as in conventional war, there is no way to guarantee we will not be attacked, but we must prepare with the same commitment and zeal–because the consequences can be just as, if not more, deadly.
I watched an interesting TED video presented by Brene Brown, who has a doctorate in social work and is an author many times over–she talked about one book in particular called The Gifts of Imperfection: Letting Go of Who We Think We Should Be and Embracing Who We Are (2010). She said that from all her studies and research, what she learned is that purpose and meaning in life come from the connections we make and maintain.
But what gets in the way is shame and fear–shame that we are not good enough and fear that we cannot make real connections with others. To move beyond shame and fear, we need to feel worthy as human beings–true self acceptance–and say “I am enough.”
However, she points out that as a society there is a lot of numbing going on (i.e. plenty of shame and fear) and that is why we are the most in debt, obese, addicted, and medicated society in history. I liked this presentation and thought about how hard we are on ourselves–we are never good enough.
Yet, as Brown points out those that are successful with relationships and have a strong sense of love and belonging are those that feel they are inherently worthy. They have self-esteem without having to achieve any of these things.
That sense of self-worth and confidence, Brown says, enables you to achieve three key things in life:
When you have that self-worth and confidence then you can embrace your vulnerabilities and make them beautiful, rather than numb yourself to constantly try to cover the disdain you feel for your frailties and weaknesses.
From my perspective, our growth and contributions to the world are good things–leave the world better than you found it!
However, proving ourselves and amassing “things,” while milestones in life, are not a measure of a person’s true worth.
Sometimes it is fine to get over it all–accept yourself, be yourself, and stop worrying that you are never good enough.
In the Torah (Bible), when Moshe asked G-d his name–G-d replies in Exodus 3:14: “I am that I am.”
To me, this is really the lesson here–if we but try to emulate G-d, then “we are what we are.”
That is not defeat or giving up on bettering ourselves, but acceptance of who we are, where we came from, and where we want to go in our lives.
We don’t have to beat ourselves up for being those things or for making good faith mistakes along the way.
Stage fright (aka “performance anxiety”) is one of the most common phobias.
While often attributed to children, this is really a fear that everyone experiences–to a greater or lesser extent.
Organizations like Toastmasters help people overcome their fear of public speaking by having them practice regularly in front of the group.
Yet even the most experienced speakers and performers still get that knot in their stomach before a really big performance.
We are all human, and when we go out there and open ourselves up to others, we are vulnerable to ridicule and shame and being seen as shysters and charlatans.
So it really takes great courage to go out there and “do your thing” in front of the world–for better or worse.
As the child poet Rebecca says, “when I go on stage, it’s me, myself, and I.”
What a wonderful perspective in being yourself and doing your best.
Here’s what she has to say–in a poem called Butterflies.
(Credit Picture: scienceray.com)
Butterflies, that’s what I feel before the poetry slam.
It’s 2 minutes before I read my poem.
I feel them tickling around my stomach making me want to puke.
My mom always tells me just imagine the audience in their underwear but it makes me feel even worse.
I told myself when I came up here you’ll do fine but, I know I’ll just stumble on a word.
Buzzing noises start in my ear.
I feel like I want to just go up on the stage and conquer my fear.
I shouldn’t care what people say because it’s my thoughts that matters.
When I go onstage it’s me, myself, and I.
1 minute till showtime.
Finally I hear my name.
I walk up to the stage unsteadily and all the lights are on me.
Everyone’s eyes beam towards me, almost as if they are watching a movie and I’m the show.
I read my poem.
I’m sweating like a dog running in the heat of summer.
I stumble upon a few words, but I survive it.
I am almost done. Just be done, already.
I read the last sentence but the time when I’m reading that sentence feels the longest.
My life is not going to end.
I’m done and I feel accomplished.
Center of Gravity (COG) is a military concept that Dr. Joseph Strange defines as “primary sources of moral or physical strength, power, and resistance.” From a military perspective, this is where we should concentrate when attacking the enemy. As Prussian strategist Carl von Clausewitz states, “that is the point against which all our energies should be directed.”
In “Center of Gravity Analysis” (Military Review, July/August 2004), Army Colonel Dale Eikmeier describes the framework for COG and how an enemy (your threat) attempts to exploit them, as follows:
· Center of Gravity—the organizations that do the work (e.g. the military/industrial complex)
· Critical Capabilities (CC)—the strengths of the organization—its “primary abilities”
· Critical Requirements (CR)—the supplies that a COG uses—the inputs that are their opportunities, if leveraged for future plans
· Critical Vulnerabilities (CV)—the vulnerabilities a COG has—e.g. exposed or unguarded critical infrastructure
From an enterprise architecture perspective, I greatly appreciate this analysis of COG as it aligns beautifully with Albert Humphrey’s famous Strengths, Weaknesses, Opportunities, and Threats (SWOT) Analysis for organizational strategic planning.
Aside from typical SWOT analysis to develop your organization’s strategy, the COG analysis adds greater offensive analysis to SWOT–like the military, organizations using the COG model can disrupt competitors’ advantages by seeking to weaken them where they are most vulnerable.
For example, EA used in this fashion may lead a company to build a sophisticated online sales site that directs customers away from a competitor’s retail location. Similarly, acquiring a major supplier (i.e. vertically integrating) may disrupt a competitor’s supply capability, and so on. The point is that EA becomes a force for attack rather than a mere planning tool or information asset.
It is at this point that I disagree with the assertion in the article that “Information is not power; it is a tool, an enabler. It helps wield military or economic power. By itself, it is simply information.”
Far to the contrary, information is one of the greatest assets that we have. It is the way that an advanced, intellectually based society competes. Of note, our declining performance in Science, Technology, Engineering, and Mathematics (STEM), which is so greatly worrisome to our leadership, is of concern because it is directly a threat to our competitive advantage, both militarily and economically, in the global environment.
Information, as embodied by the Internet, is now the center of our society. With it, we perform critical tasks of information sharing, collaboration and education. Used effectively, our military has developed robust command, control, communications, computers, intelligence, reconnaissance, and surveillance (C4ISR)—all information-based. Similarly, our industry is highly competitive and advanced because of the engineering, innovation, and people behind it.
Enterprise architecture, once a small part of the IT infrastructure, can actually play a far greater role in the information society if we allow it to. We have morphed from the industrial age of the 18th and 19th centuries to a highly advanced information society that creates new sources of critical capability, but also new critical vulnerabilities that must be defended. And we must also leverage the vulnerability of our enemies in order to stay viable. Whether it’s cyber-warfare or economic survival, information is at the heart of everything we are successfully doing today.