We touched on IDRU in our prior article (please see if you haven’t read it). It is paired with DAPR, which we’ll discuss in our next article.
IDRU (Id`-roo) is an acronym:
Inadequacy, Disaster, Runaway, and Unrecoverability.
And IDRU is this:
Inadequacy: Inadequacy is manifested as lack of proper awareness, planning, action, proper results, and resultant dire consequence. On a local scale, we’re aware of inefficient, ineffective, and inadequate attention, inadequate business, and inadequate technology (or use of it), leading to poor business outcomes.
Disaster: Today, business frequently finds itself in an unrecoverable posture due to a lack of planning. In the case of small business, it’s been estimated that more than 60% of startups fail due to lack of a coherent business plan and proper allied execution. In the case of larger businesses, just Google “List of business failures” for some perspective.
Runaway: In a true condition of Runaway, you, and any action you take, are irrelevant in the face of an inevitable outcome. Consider that statement carefully.
A simple analogy will serve: You are the driver of a car. You are speeding on a wet and winding road. There are signs, and they expose your conditions: One gives the speed limit. Another indicates “Slippery When Wet.” One states “Dangerous Curve Ahead.” Given the nature and conditions of the road, you should have an adequate awareness of danger, and you should have enough information to take action: To slow down, to drive with care, to prevent a bad outcome.
However, you fail to do these things. Your attention, concern, and actions are inadequate. You fail to imagine and plan for the contingency that soon happens: You cannot make the dangerous curve; you break through a guardrail; and you begin a plummet down a cliff. Your predicament was preventable, But now this, for you, is disaster.
However – you yet have ‘systems’ at your disposal! You mash the brake. There is no effect. You turn the wheel to the left, to the right – again, your action has no effect. In fact, your fall accelerates. You pull the emergency brake. You are in an emergency and beyond: You are in a condition of Runaway. It is, simply, too late.
(Here, prevention isn’t some part of a disaster plan – it is all of it). Once you begin Runaway, there is no meaningful action to be taken, and – regardless of remaining plans – no executable part of a plan contains any meaning. In terms of business and technology, Runaway can occur when systems, security and allied process (and use) start to lag. If the organization doesn’t invest on a timely basis, and bring new services and products to market in remaining competitive – and learn to make best use of technical business enablements and protections, it becomes harder and harder to regain a responsible forward edge. It’s a choice: The organization faces either an ongoing manageable incline – or the face of an impossible cliff.
Unrecoverability: Once you’re in the zone of an inevitable bad outcome, you are in a position of Unrecoverability. Our car is in a Runaway condition, and the car and its occupant are now unrecoverable – they will be smashed and killed, respectively. Any business relying on technology – any Business-Technology Weave – is susceptible to unrecoverable situations.
For business: Runaway and unrecoverability begin with such things as failure to invest in the future; loss of business reputation through negligence, poor customer service, poor products, etc.; poor investments in process, the wrong infrastructure; resultant inability to raise captital – or a pouring of efforts into “catching up” at the expense of properly serving the present.
Understanding IDRU’s “value”: As we can see, Unrecoverability is something to be avoided at all cost: There can be no good reason to risk even the beginning of IDRU: Inadequacy.
It all begins with a modern awareness. Awareness. That bring us to DAPR – and our next article.
NP: Things Are Getting Better, Cannonball Adderley, jazz24.org
In his excellent Wall Street Journal article, Cyber Combat: Act of War, Siobhan Gorman writes of our nation’s challenges in responding to state-sponsored acts of damage – acts of war, really – due to cyber attack.
When you think about it, the business of securing a nation is similar to any other business (save for the scale of balance and effects). We have streaming, ongoing, objectives in answer to goals and challenges: Resultant plans; attendant projects; priorities; resources; adjustments – and – there’s always the unexpected, isn’t there?
It got me to thinking about two paired concepts that are unique to my consulting practice and my subsequent counsel to business: IDRU and DAPR. (id-roo and dapper respectively).
IDRU is: Inadequacy, Disaster, Runaway and Unrecoverability.
DAPR is: Disaster Awareness, Preparedness and Recovery.
I’ll explain those and their relevancy to the enterprise in my next article, so I solicit your patience. First, some lessons and observations by employing “example by extreme” -
Part of what our Pentagon is presently wrestling with is how to respond to a cyber attack. An idea gaining favor is a measure of “equivalence.” That is, if a cyber attack was to cause a similar measure of death, damage and disruption that a bombs-and-bullets military attack would, then a like-attack would be warranted, employing a similarly-scaled return effect through conventional military attack.
However, the ultimate of cyber attacks wasn’t mentioned: That of Electro-magnetic Pulse (EMP). In 2006 I wrote of this threat. My book, I.T. Wars: Managing the Business-Technology Weave in the New Millennium, (BookSurge 2006), has a concluding chapter, What’s At Stake, dealing with the ultimate threat and challenge for any enterprise, to include entire countries. Here, there are lessons for the “local” organization – that is, yours.
An EMP attack could be something as simple as a scud missile carrying a single nuclear warhead. This missile need not be accurate for any specific target. It need only be detonated at a suitable altitude: the weapon would produce an EMP that would knock out power in a region – all power.
Not only would some measure of a nation’s power grid be out, but also generators and batteries would not work. There would be no evacuation of affected areas: Cars would not work, and all public transportation would be inoperable. Even if trains, planes, and other mass transit were operable, the computers that enable their safe use would not be. This would be due to the loss of all electronic data, rendering all computers useless. There would be no banking, no stock market, no fiscal activity of any kind, and there would be no economy.
Hospitals would fail without power. There would be no electronic communications: no mobile phones, no land phones, no e-mail, no television transmission, nor even radio. There would be no refrigeration of food, which would quickly rot to become inconsumable. Potable drinking water would quickly be expended, and the means to create more would not exist. Fires would rage, since the ability to deliver and pump water would be virtually nonexistent.
Now imagine a simultaneous application of a couple large-scale nukes detonated over the country.
No Federal Government would be able to govern – nor would any state or local government command any control over events. No police department could be able to know where events were happening requiring response. Priorities would be non-existent: The only actionable situations would be those in a direct line of sight. The Military would not be able to communicate. Hence, there would be no chain-of-command; no control. Scattered commands and units would soon begin operating autonomously in the vacuum.
The affected society, on all levels, would be sliced and diced into small groups and factions hell-bent on survival – the situation would be an almost immediate chaos. As we’ve seen during post-Katrina New Orleans and other disasters, breakdown of the social order is rapid and deadly. In this circumstance, it would also be prolonged, and possibly permanent – until the arrival of an enemy control. Imagine, if you will, a peak, sustained, Katrina/New Orleans disaster, coast-to-coast.
As the Pentagon considers “equivalency” and proportionality in regards to cyber attack, remember EMP. Of course, you can bet our government and military is well-aware of the threat of EMP. However, there’s a new wrinkle here. For years, people have taken some measure of comfort in the old “Mutually Assured Destruction” (MAD) theory: If Russia or another country sent a nuclear volley into the U.S., we’d still have some means for a response – and send a volley back. Thus, a deterrent effect was in place.
Today, it’s not clear if one country could “get the jump” and disable another through EMP, thus rendering the threat of retaliation moot.
In discussing cyber threats, one really does have to go to the ultimate in assessing threats, and make consideration of EMP. In fact, it was that very consideration that led me to IDRU and DAPR, and their applicability to Business – in fact, their very necessity. So, what do these mean to the local organization – yours?
Stay tuned. In the meantime, we may wish to consider:
The dogmas of the quiet past are inadequate to the stormy present. The occasion is piled high with difficulty, and we must rise with the occasion. As our case is new, so we must think anew and act anew.
The best way to predict the future is to create it.
I like that last one especially. For Business and IT I say: You must thwart cyber attacks and crimes on a proactive basis. You must stay ahead of potential hacks, disablements and thefts by virtue of a responsible forward edge (RFE). Invent your future; sustain your safe entry to it.
Remember: Your number one asset is your reputation.
On this day (May 31st): In 1868 Dr. James Moore of the UK wins the first recorded bicycle race – a 2k velocipede race at Parc fde St Cloud, Paris.
Several things are on the rise as concerns the Cloud.
Ever more organizations are taking advantage of the Cloud: Its universality; its ready storage potential for shared data (or even static, backed up, data); its grant of access to networks; its dispensation of services, and so on. Rising use by a rising number of organizations and org-types is paired with something else, however…
Also on the rise are attacks on the Cloud, and resultant successful breaches. Darn! Every time I begin to sense a perfect world, something comes along to burst my bubble.
The Cloud is attractive in that it is cost efficient: Storage is inexpensive, easily mounted and maintained, and again – there’s the ready access as enabled by the web. How about Software as a Service (SaaS)? Again, ready access and use. Further, utility and production easily “drop” from the Cloud to any desktop, any device (with proper access and authentication) – and a user is off and running.
But recognize that whether it’s data, apps, tools or services, something very fundamental – perhaps as fundamental as it can possibly get – is shifting. The enterprise, the organization, no longer harbors security. The organization no longer controls security – as in the days of an in-house discreet network, with a room of servers, and a workstation population largely within four walls (whether literally or figuratively) of… the organization’s control.
When things move to the Cloud, recognize that a service provider, a vendor, a solutions partner – whatever you’re using and/or deem to call it – is now running the security show. You must ensure that they have best security practices in place: Constant survey, adjustments, upgrades, risk assessments, notifications – in service to a leading security edge, not a lagging one – a proactive security posture.
You’d better do some due diligence. Why? Who manages security in these circumstances? The answer – the only answer that counts from the enterprise’s perspective is - Someone other than the enterprise. And this leaves you vulnerable: Ensure you get the actual security you need, demand, and pay for in these circumstances.
And yet: Indemnification for breaches and losses is always difficult to negotiate. Cloud services providers (including storage as a service) aren’t exactly in a posture of “Use at your own risk”, but because attacks are always evolving, and breaches can expose providers to catastrophic loss, it’s tough to ascertain just how secure any environment is in the Cloud – and contracts can be difficult to negotiate and discern.
But don’t get lazy and sign off on something you’re not comfortable with. Search and select your partners carefully. Then, survey contracts, guarantees, and remunerations. Don’t rush to the Cloud faster than providers are willing to mount, and stand behind, appropriate security.
NP: Cakewalk Into Town, Taj Mahal, jazz24.org
There is a potential problem at LinkedIn – a social networking site bringing professionals together for creating and networking with business contacts, and for furthering one’s career prospects and opportunities.
There’s a claim that a liability with LinkedIn’s authentication cookie creates a breach potential. A New Delhi researcher, Rishi Narang, claims hackers can exploit LinkedIn’s storage of authentication information in a cookie that doesn’t expire for an entire year, from date of creation.
Further, LinkedIn, according to him, does not ask whether you’d like to store this information, as does Google and many other sites. For that matter, Google and other sites only store cookies’ information for a few weeks.
Anyone breaking the cookie can gain access to a user’s account. Given the liability of a year’s expiration, that use could obviously continue for a year. Particularly for people who use public computers, such as those at libraries, or even devices in a work environment, they could be leaving themselves open to identity theft.
Narang has reported his findings to Reuters news agency, as well as posting details on his blog:
“There exists multiple vulnerabilities in LinkedIn in which it handles the cookies and transmits them over SSL. This vulnerability if exploited, can result in hijacking of user accounts, and/or modifying the user information without the consent of the profile owner.”
According to LinkedIn’s own site statistics, one million new members join each week; faster than one per second. With more than 100 million members in over 200 countries and territories, it is the world’s largest professional network, and just recently became the first U.S. social networking company to go public.
LinkedIn has said that it takes the privacy and security of its members seriously.
On this day: In 1701, Captain Kidd was hung after conviction for piracy and murder, in London.
Security is not evidenced merely through the absence of harm. A harming event may be transpiring in this moment, not yet apparent. – a B-TW warning.
You may remember my discussion of Sony’s earlier breach in my article, “Sony is Sorry.” I don’t mean to be mean, but that can be taken a couple of different ways.
It was an apology, but now Sony is looking to be in rather a sorry state of affairs: They’ve been hacked again. Sony in Japan’s customer rewards site was broken into by an intruder, and that intruder stole virtual points worth the equivalent of $1,225 from account holders. Not a whole lot in terms of theft, but the fact that access was gained is a very worrisome thing – particularly as a follow-on to what happened at Sony earlier.
What happened earlier was the stealing of personal information when the Sony PlayStation network was hacked, as well as Sony Online Entertainment.
“What we’ve done is stopped the So-Net points exchanges and told customers to change their passwords,” So-Net, Sony’s ISP unit in Japan, said in a statement.
At present, the company says that the breach seems to be limited, and no accounts are at risk other than those immediately affected.
The company further states, “At this point in our investigations, we have not confirmed any data leakage. We have not found any sign of a possibility that a third party has obtained members’ names, address, birth dates and phone numbers.”
Unnamed security experts have said that Sony’s world-wide networks remain vulnerable, according to Reuters news agency.
For that matter, I supposed we’re all vulnerable. As noted, the mere absence of evidence of something harming is not necessarily a “secured state.” Only through ongoing survey of systems, and a forward-thinking security posture, can you be reasonably certain that you are secure; that the environment is secured. Even then, there are no guarantees in this world.
Do your best, and then quickly do better.
Firewalls, intrusion preventions, virus scans, surveys for malware, antispyware, e-mail protection, and so on – are no good if someone is not surveying reports and taking note of the warnings yielded.
Also, you must take note of the successfully thwarted attempts, to remain cognizant of where attempts are coming from and what sort of entities are mounting them - in making best attempt to project and predict where threats are going in their nature, and where they’ll be coming from in the future.
You need a very proactive, evolving, and agile posture as regards threats and security.
Ensure that those who are on the forefront of securing your organization get it.
Is Sony sorry? They said they are…
NP: Thelonious Monk, Straight, No Chaser. On CD (cleansing with vinyl later…)
Many people get distracted at work. No, seriously, they really do. It was hard for me to believe at first, too. Once I “get to it,” I’m hard at it, focused, and efficient. Further, it’s hard for me to stop working… I know you’re the same way.
But it seems that for many others, distractions are a recurring nuisance, and these folks are susceptible to them. Huh.
According to software company harmon.ie (formerly Mainsoft) and uSamp (a polling company), a 1000 member firm wastes $10 million per year due to the distractions of social media, e-mail, and badly designed software applications.
This blinding news comes from a survey of 515 white collar workers. It seems that more than half of them waste at least an hour a day: 60% of this waste is due to interruptions from electronic devices and e-mails (if these are work related, are they really “interruptions”?), and the remaining 40% is phone calls and talking to colleagues. I dunno – I had an office back in my pre-consulting days – simply closed my door. I dimly remember working in a cube or two way back when. I also remember saying, “Sorry Fred, I’m really crunching on something just now. Can we cycle past the front desk to see what Linda is wearing a little later?”
As to these interruptions: Phone etiquette demanded the answer of calls. E-mails were routine too.
Apparently, according to the study, two-thirds of people space out at meetings, reading voicemail and checking devices. Here’s a simple solution: Unless expecting something critical, instruct folks in the meeting to leave devices in their holsters. (I don’t recommend turning them off, due to possible emergency notifications from family, etc.). Make it a part of new employee orientation to mention respect for meetings, speakers, etc., and what the expectations for behavior are.
I work as a consultant now, but my office days are relatively recent, and of course I consult in offices similar to the ones I used to work in. Everyone needs a mental break, and whether that’s sauntering down to the kitchen for coffee, soda or snack, and a little tete-a-tete with whomever else has to space out for a couple minutes, I’m not sure much has changed.
Hire solid employees, set expectations, explain work, distribute work fairly and evenly, and I think things are going to be just fine.
Stay sensible out there. :^ )
NP: Feeling Good, Gerry Mulligan, Jazz24.org
By now, many if not most people have heard about Facebook’s so-called “secret” hire of an outside public relations firm to plant less-than-flattering stories about Google as regards security. That public relations firm, it is now known, is Burson-Marsteller – one of the biggest, and… er… one of the best (?).
In the interest of full disclosure, your humble correspondent was Information Technology Director at one of Burson-Marsteller’s (B-M) largest regional offices: Washington, DC. In fact, I was actually a Young & Rubicam employee, positioned at the DC office of B-M: Young & Rubicam owns Burson-Marsteller.
That said, it’s a rather interesting story about a lack of judgment, and a rather unsound understanding of The Business-Technology Weave that we all inhabit. The Daily Beast has reported that Facebook’s initiative to put Google in a bad light backfired when Burson-Marsteller tried to enlist a blogger in furthering negative privacy implications surrounding Google’s Social Circle social networking service.
That blogger, Chris Soghoian, a former Federal Trade Commission researcher, published his e-mails with B-M, and this exposure was ultimately reported by USA Today. The flavor of events became such that it is now clear that Facebook was engaging in an anti-Google campaign.
Here’s the kernel of what has Facebook, and perhaps Google, in a bit of hot water: Google’s Social Circle service is intended to help Gmail users maintain connection with people they chat with or e-mail – “direct connections.” But beyond, this service sends Gmail users the names of what they call secondary connections; these are any people that the direct connections follow publicly through the internet. Thus, there’s an uncomfortable mixing of private and public connections… further, Google is constantly refining the “Google experience” – mixing all manner of people, associated information, and online activity into an ongoing evolution of the web experience. It usually happens seamlessly, and many people may not be aware of what their presence within Google’s circle actually represents.
Google also prompts Gmail users to connect other outside accounts to the Social Circle: Facebook, Twitter, Yahoo, LinkedIn, Flickr, as well as others. More uncomfortable mixing, at least according to my taste. The stew can have too many ingredients; there’s always a point of diminishing return…
I like managing things very tightly, and I communicate in different styles according to different individuals and audiences – I’m sure most readers here do too. That’s the crux of the matter – what is it that you’re doing, and to whom might it inadvertently be exposed? Are you completely knowledgeable about access to your vital information – content – and do you harbor a similar knowledge as to where any of your “sends” go? (Whether e-mail, Twitter, post, etc.).
I’ve often asked of Business: What is being done in the name of your domain? But now I say to the individual social networking user: What are YOU doing in the name of your domain? That is, under the umbrella of your own personal good name?
For example, I know that when I publish in the domain of David Scott, my content is appropriate, and goes to appropriate entities and eyes.
Do you know that in your own regards?
NP: Light-Foot, Lou Donaldson, www.Jazz24.org.
Hey, if ya can’t access it, what good is it? Well, it ain’t no good. Also, “half-information” isn’t any good either (grammar mode back on). You have to have comprehensive access to a little thing called “reinforcing content” in assembling the bloom and yield of the enterprise’s best information… content… knowledge…
“Hey, I heard about this great new restaurant…”
“Excellent! We were looking for somewhere new to go tonight!”
“Um, I forget the name, and I don’t know where it is…”
In accessing any organization’s information assets – its content, data, knowledge-base, etc. – one has to have an efficient access to the broad swath of existing and enhancing content, for a whole “best picture” view (within qualification for access, of course). Business projections have to be accurate, statistics must be up-to-date (and therefore relevant), choices and new initiatives must not only be surveyed, but accurately splayed for the qualified eyes that have to assess initiatives and options.
Within these necessities, forward-thinking employees want to employ ever more devices (most personally owned) in accessing organization data. Of course, personally owned assets generally do not enjoy the same, rigorous, scrutiny in relation to security – either for the devices’ status, nor for their actual use – a challenge for sure.
According to a survey sponsored by Trend Micro, 88% of small and medium sized business (SMB) report that some of their employees are using their own smartphones and tablet PCs for their business purposes. In the past, we’ve discussed the peril in “friending” one moment, and “businessing” the next (please review if necessary): Essentially, employees can be social networking one moment, and then accessing organizational resources and conducting business the next. The danger in sending content to the wrong party is high; further, it is easy to blur business communications with over-familiarity, slang, jokes, etc., in this blurred environment.
Ready access to business process and content enhances efficiency. Not only that, personally owned devices generally don’t cost the organization in terms of overhead: The employees own their devices, service plans, and update their own assets. Thus, no TCO (total cost of overhead). What’s not to like? Ah… but that pesky security issue.
Part of the answer may lie in a recent report by Quocirca: A value proposition for IT security. Check out the free download, which discusses prudent, responsible, and secure ways to integrate the wealth of collateral devices into your enterprise, in making business process ever-more efficient and cost-friendly through ready access.
Access, access, access. Access is King. Or Queen. Just make sure it’s not the Joker.
NP: I Thought About You, Miles Davis, jazz24.org
In some quarters, it’s being estimated that most enterprise web applications are insecure.
According to a study by Imperva, WhiteHat Security and the Ponemon Institute, 70% of respondents don’t believe web security is a strategy in their orgs, with appropriate budget targeted to web application security and associated risk.
This poses a major threat to the enterprise. Most organizations today grant access to mission critical apps through their websites. However, executive management doesn’t focus much on security – indeed, they may not even really understand it – and thus the proper emphasis and protections are not driven downward, into that bulk of managers and staff who actually do the doing in implementing security.
In all regards, security must be a central design element; in systems as well as human endeavors. In other words, security must be inherent in functionality, and process must reinforce – even force – adherence to security. In terms of human instruction, interactions, training, and use of systems, there must be the dissemination of appropriate protocols and refreshers and reminders for best security awareness. And, of course, all necessary updates.
Most organizations lack a cohesive, coherent, monitoring system for intrusion detection/attempts. Often, even simple event logs are not monitored, and logs are not synchronized across the enterprise in leveraging enhancing information, nor capturing an efficiency of review.
Unfortunately, security is a rather ho-hum endeavor. The excitement and attraction is always the “next big thing,” with resultant mods of bells and whistles that further use and delivery; time and budget are precious, and developers are pointed forward. They do not have time to look at the present lay of the land, in assessing or advancing security – until a breach forces them to, that is, by grabbing everyone’s attention by the throat.
It all starts with awareness. Do your part as you can, within the limits of your power and authority: Once the vulnerabilities are exposed (both systemic and organizational), the senior executive class understands that a breach can not only take some or all of business offline for some measure of time, it can result in the longer lasting liabilities in exposure of content, revenue loss, and compromise of reputation.
NP: Rapid Shave – Shirley Scott / Stanley Turrentine, jazz24.org
Did you ever notice the similarity between the words “Sony” and “Sorry”? I’m just sayin’ – it’s uncanny.
“Sorry” – so says Sony’s Chief Executive Officer Howard Stringer. Sony’s recent breach, which I talked a bit about here, and here, is thought to be the biggest ever. Data from more than 100 million accounts has been compromised. One. Hundred. Million.
Sony’s PlayStation blog carried the CEO’s apology: “As a company we – and I – apologize for the inconvenience and concern caused by this attack.”
Something for companies to keep in mind in the overall swim of risk we’re in: Sales, revenue, and reputation, are heavily weighted within bad outcomes such as security breaches. A big one like this makes a consumer think twice before buying something, before subscribing to a service, before entering crucial personal information online – things like credit card numbers in the service of a purchase, and all manner of other central personal data.
The Zone: The really, really, really bad thing about any data breach is that… even if it’s the first and (thus far) only one, a company is now in a particular zone. That zone is a sort of permanent breath-holding posture: Will there be a second breach, whether soon or down the road?
A second breach could well sink a company’s reputation permanently. Ensuing that there’s never a first breach is paramount. Companies must actively survey for risk, must continually make present circumstances better, and must evaluate new products, services and implementations against new avenues of risk. All of this must be done with prudent concurrent survey for what’s going on, on the outside – breaching entities are ever-more sophisticated and powerful.
Employees must be oriented upon hire according to best security practices generally, and to practices specific to the company’s position, products, and potential vulnerabilities (absent strong controls) that are unique to its market and presence in it, etc. Going forward, all employees must then undergo regularized security training. That schedule is up to each individual company, within its own assessment of risk, vis-a-vis budget, time, and potentials.
As we’ve noted before: All activity must be viewed through a security prism. For anything you do: What effect does this action have on “the other end”? Does this process/transmission/implementation put data at risk of exposure? Does what we’re doing open a hole into our environment, or weaken a defense posture, for creating potential breaching conditions?
Stay safe out there.
On this day: In 1906, a “temporary” permit was issued in San Francisco to erect overhead wires on Market Street.