A recent news report got me to thinking. The report involved a claim that an Israeli “cyber unit” was responsible for a computer worm that attacked Iran’s Bushehr nuclear power station. The intent would be to disable Iran’s nuclear war-making capacity, and with it the direct threat to Israel.
Israel is on record as stating that it would be willing to mount a pre-emptive strike of this nature to ensure its own safety and continued existence. Therefore, it is not a stretch to surmise that the worm might be its work.
Not to discount issues involving mortal enemies whatsoever – but the story got me to thinking about something a little more local: What if business rivals, in the course of (comparatively) routine and mundane matters, decided to mount a cyber attack on a business competitor? Much more likely: What if it were a rogue employee who decided to take down a competitor? Or perhaps more likely still, what if a rogue former employee decided to mount cyber-war on his or her former company? All of this is not only within the realm of risk and possibility; indeed, all of these things have happened in some measure.
In the realm of risk (all together now), unmanaged possibilities become probabilities. And, left hanging, probabilities always manifest.
As I state in my book, I.T. Wars, an effective internal check-and-balance on unreasonable actions diminishes rapidly as the size of the group considered diminishes. Thus, smaller organizations, that is, small and medium businesses (SMBs), may lack the awareness, training, and oversight to catch trouble as it brews…
Or – governance in some unscrupulous organization may simply decide that it can get away with wreaking havoc on a rival (you wouldn’t believe what I observed when I was a car salesman back in my youth; I’m glad that I never, ever, ever, did anything nefarious – at least, that’s my story). To think that today’s, and particularly tomorrow’s, shenanigans won’t involve cyber manifestations is to be quite naïve.
What does this mean to us now? It is easy enough to mount malware attacks against an organization, and to mask their origin. With ever more resources in The Cloud, and thus with fewer “brick-and-mortar” physical protections, organizations today must guard against attacks from a variety of potential origins and from any number of directions, over an exploding array of wired and wireless means.
Train your staff. Make known prior prosecutions of individuals who have mounted attacks; there’s nothing wrong with that. Keep your security personnel’s knowledge current, and have them brief your staff on a schedule that supports your comfort level: monthly, quarterly, or semi-annual training.
Security for 2011 and beyond: Get it going – get it improved. Get it delivered.
NP: John Coltrane, The Stardust Session, on LP.
A recurring question in many environments follows along this line:
“If we no longer have servers, does IT need to maintain server management and administration skills?”
Organizations are virtualizing all manner of things – making some IT people in particular environments and roles increasingly nervous. If you’re a server administrator, a technician for any specific piece of infrastructure, a programmer for an inside app that’s going to the Cloud, etc. – look out.
You’re seen primarily as an asset by IT governance, which is to say by the business. Sure, you’re “user-friendly,” supportive, well-liked… but you’d better retool yourself and demonstrate ongoing value in some new realm, or look for a job elsewhere. Obviously, any IT professional has to support something, while progressing it, bettering it, and furthering its ongoing value to business. If something moves to the Cloud, or otherwise becomes virtualized, you’re going to be at a loose end – but not for long in the present organization.
A BTW tenet is that change is a continuum. Immerse yourself in assessments of change; read periodicals online and off; visit companies that are at the forefront of change, such as professional project management companies. Create friends and professional contacts at these sorts of orgs. Always be learning, both formally and informally.
As long as you’re taking stock of other organizations, keep something in mind: IT is pervasive – it has, after all, gathered virtually every human being around you and deemed them “users,” while simultaneously boosting their time spent using technology to nearly 100% of their workplace occupancy – all within an explosion of products, enablements, and services. See what other savvy organizations are doing, and how things are working for them. Evaluate their systems and services for possible furthering in your organization. Ensure your value – your business value.
Don’t wait for the organization to push you through awareness and training; get going yourself. You must remain a viable asset to the organization, supporting it today and tomorrow, and you must change along with, preferably ahead of, all of the other change that is swirling around you… around all of us.
NP: Coltrane Plays the Blues, John Coltrane, Atlantic, original LP.
I was reviewing the accelerating change I’ve witnessed this year for both business and IT.
At the end of the year, it remains obvious that change is a continuum – even when major change is not manifesting and being managed within the organization, you must track change outside it: new products, resultant enablements, efficiencies to be gained, risks, and the appropriate scale and match to your org. And… timing is everything, as they say…
One aspect of this accelerating change, and a universal challenge to business, is the proliferation of endpoint devices and of users’ access (and expectations for access) to business content. A conventional office is not quite the antique equivalent of a manual typewriter, but the “core” tradition of the office-bound, fixed worker is shattered as a universal model for business, and is being shattered in new realms and businesses all the time.
Access to content is becoming an expectation no matter the circumstance; conference rooms were the obvious and longstanding first members of the “remote” (that is, non-internal-desktop) access club. Satellite offices and allied agencies were next. Then home offices made their entry – no longer merely a place to handle the household budget and taxes, a home office now is a full-range extension of the formal workplace: online access to all work applications, internet tools and research, e-mail, color printing, scanning, and manipulation of content.
Add to this all manner of access devices: laptops, phones, Kindles, virtual desktop interfaces, and the subsequent explosion of ready access by employees, developers, vendors, VARs, brother-and-sister agencies, contractors, oversight agencies… There is not only a proliferation of devices and access points to monitor and control; there is the accompanying population, and the ’round-the-clock challenge that comes with it. It bears mentioning that if means and access increase for authorized personnel, they increase for unauthorized personnel too.
But, we’re up to the challenge. I know it. Stay safe this upcoming year.
Meantime: Happy New Year.
NP: Lonely Woman, Andy Summers, Jazz24.org
You may have heard about the man being prosecuted for using his wife’s password to access her e-mail account. Many news reports indicate that he “hacked” into her account. However, the couple kept a small notebook of passwords next to the computer; he simply logged in.
Still, the man faces charges under a Michigan statute that, when boiled down, bars access to computers and associated resources without proper authorization.
Without going into the detail or merits of this specific legal case, it serves to remind us of something very important. If you don’t want your information read, breached, misused, or otherwise accessed and possibly disseminated, then don’t write your passwords down, and definitely don’t leave them lying around for easy access.
Which brings us to the real concern: I’m aware of several environments that have shared accounts – system accounts – for controls, setups, configurations, etc. The accounts are shared amongst several, authorized, people. Sometimes there are multiple shared accounts; each having its own class of personnel availing themselves of specific avenues of access and system influence via this means.
Reasons for having shared accounts include:
1. Fewer accounts (and passwords) to create and maintain.
2. Personnel absences easily covered.
3. Fewer instances of forgotten passwords and resultant resets…
…and so on. Whatever the reasons, they are not good ones. Shared accounts represent a problem on several fronts:
What if there is a data breach due to a human error that occurred within the domain of a shared system account? Who is at fault and will they own up?
Suppose there is fraudulent activity… who is the guilty party? This could even include embezzlement, or directing too much authority to a specific user, for example.
If there are setup or configuration errors, it’s important to readily identify the transgressing party for purpose of training, or discipline in the case of sloppy work.
Each person in the organization should have a unique account name and associated password. Network supervisory roles and other special accounts (for the aforementioned setups, fiscal management programs, etc.) should be tethered to one specific person, so that everything done under them is attributable to that person. If additional accounts with similar roles and authorities are required, create them with unique names and passwords, each tied to its own named person.
As to people who keep passwords in notebooks next to their computer, be advised: you’re practically soliciting a breach. Don’t share passwords; don’t write them down (unless they’re in a locked safe with a short, controlled list of who may open it, or in a password manager under its own strong master password); and for certain don’t have them written somewhere in the vicinity of the data’s access point (the computer).
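The attribution problem above shows up plainly in a login log. What follows is an added example, not code from the original post: it parses a constructed syslog-style login log (the line format, host names, account names and the owner register are all assumptions made for the illustration) and reports accounts that cannot be pinned to one person, either because no single owner is registered for them, or because they were in use from several workstations within the same half hour.

```python
"""Flag accounts whose activity cannot be attributed to one person.

Added example, not from the original post. The log format, the
account and host names, and the owner register are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample login log: timestamp, event, account, source host.
SAMPLE_LOG = """\
2010-12-01T08:55:10 LOGIN user=jsmith src=ws-112
2010-12-01T09:02:11 LOGIN user=sysadmin src=ws-112
2010-12-01T09:04:37 LOGIN user=sysadmin src=ws-207
2010-12-01T09:05:02 CONFIG user=sysadmin src=ws-207 action=firewall-rule-add
2010-12-01T09:06:48 LOGIN user=sysadmin src=ws-331
2010-12-01T09:40:00 LOGIN user=fiscal src=ws-410
2010-12-01T13:20:15 LOGIN user=fiscal src=ws-410
2010-12-01T13:22:40 LOGIN user=mlee src=ws-207
"""

# Constructed register: one named person per account, as the post
# recommends. "sysadmin" is deliberately absent: it is the shared account.
ACCOUNT_OWNERS = {"jsmith": "J. Smith", "mlee": "M. Lee", "fiscal": "R. Ortiz"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)")


def parse_log(text):
    """Yield (timestamp, event, user, src) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["src"]


def concurrent_sources(records, window=timedelta(minutes=30)):
    """For each account, return the largest set of distinct source hosts
    seen logging in within any single window. More than one host in a
    window means the account was in more than one pair of hands."""
    logins = defaultdict(list)
    for ts, event, user, src in records:
        if event == "LOGIN":
            logins[user].append((ts, src))
    result = {}
    for user, entries in logins.items():
        entries.sort()
        worst = set()
        for i, (t0, _) in enumerate(entries):
            hosts = {s for t, s in entries[i:] if t - t0 <= window}
            if len(hosts) > len(worst):
                worst = hosts
        result[user] = worst
    return result


def unattributable_accounts(text, owners=ACCOUNT_OWNERS):
    """Return {account: [reasons]} for accounts whose actions cannot be
    tied to one person: no registered owner, or concurrent multi-host use."""
    findings = {}
    for user, hosts in concurrent_sources(parse_log(text)).items():
        reasons = []
        if user not in owners:
            reasons.append("no registered owner")
        if len(hosts) > 1:
            reasons.append("used from %d hosts within 30 min: %s"
                           % (len(hosts), ", ".join(sorted(hosts))))
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in unattributable_accounts(SAMPLE_LOG).items():
        print(account, "->", "; ".join(reasons))
```

Run as-is it reports only sysadmin: the account has no registered owner and was logged in from three workstations inside five minutes, so the firewall rule added at 09:05 cannot be attributed to anyone. The named accounts, including the privileged fiscal account that is tied to one person and used from one workstation, produce nothing. The owner register is the same list the post calls for: one named person per supervisory or special account.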
NP: The Red Garland Trio, Manteca, original 1958 LP. Wonderful album.
When securing information, intellectual property, data (hard and soft, paper and electronic; hereafter referred to as content) it’s first necessary to know what you have… and where.
Once you know what you have and where, it should be relatively simple to secure it. Note that I didn’t say “easy.” But in terms of simplicity, there is one flat, initial qualifier to securing content that comes before anything else: before any associated system, and before any hierarchy of control such as outside regulatory oversight, internal control, specific departmental (stakeholder) oversight, and general principles of security.
Any activity involving content first requires a look through a security prism: consider the content’s “lay” (its location, its residency, its container, its present status, and so on) against the action you are about to take on it.
The view through security’s prism must always generate this question:
Will my action on this content compromise, or possibly compromise, its protection, discretion and safety?
Of course, by extension we’re really talking about the organization’s protection, discretion and safety – as well as allied parties (clients, customers, partners, etc.). It’s essential to take a big picture view and make best consideration of all interests, involvements and relationships.
If your staff doesn’t know to take this view, doesn’t know to ask this question, then it doesn’t know how to handle and protect content. Simple.
You don’t know what you don’t know – ’till you know it. Survey and account for data. Then:
Bring the associated system(s) of control to bear, and ensure their effective use through training and ongoing awareness. Most content breaches and exposures are due to human error. Ensure appropriate human awareness for the treatment of content by reinforcing that look through the security prism.
Remember: Know what you have; know how to protect it.
NP: Thingamagig – The Mel Powell Trio – Original 1954 Vanguard LP.
Senator Tom Coburn, (R)-Oklahoma, appeared on Fox News Sunday with Chris Wallace this past weekend. He delivered a sobering assessment of the Federal debt and its future impact (absent getting it under control) in the midst of my Happy Holidaying.
“What does this have to do with content and systems management?” one may well ask. Well, let’s consider:
Coburn gave an encapsulated and articulate description of Federal redundancies and waste which some believe, if left unchecked, will lead to 15 to 18% unemployment, hyper-inflation, debilitating effect on GDP, and destruction of the middle class. Heck, is that all? Gimme another stimulus…
Seriously, consider that the Feds harbor 267 job training programs across 39 different agencies – why? Talk about compartmentalized and siloed…
There are 105 programs, 105, to encourage people to go into science, technology, engineering and math. In Coburn’s view, “That’s 105 sets of bureaucrats; none of them have metrics on them.” So… if we take him at his word, there are no empirical measures to determine if some, one, or any of these programs are making effective use of resources?
As to another area of waste, there is 100 billion dollars (maybe more) of fraud in Medicare and Medicaid. As Coburn says, “That’s money that’s just being blown away.”
He continues, “The Pentagon can’t even audit its own books. It doesn’t even know where its money is going. And we refuse to have the tough forces go on the Pentagon so at least they’re efficient with the money they’re spending.”
Coburn says there is approximately 350 billion dollars that can be eliminated from the budget that will not truly impact anybody in the country.
But in my own view, any elimination of waste, fraud, and abuse is only going to come from an accurate accounting. Before there can be any political rendering, and any resulting pragmatic, empirical, meritorious action that delivers to real-world realities… we have to know where we are.
Only generally do we know where we are: We know there’s waste; we know there’s fraud; we know there’s redundancies, wasted effort, duplicated effort, efforts that work at cross-purposes, and money pouring down a drain. But we have to survey, expose and manage according to a coherent, comprehensive and trusted system of accountability, as it delivers real data from systems’ content.
Of course, it’s the big entitlement programs (Social Security, Medicare, Medicaid, and the various stimulus packages) that are the largest drivers of the deficit and resultant debt. We’re not going to get into that, being that this isn’t a political column. But frankly, I think every little bit counts, even if only for the discipline and practice of being austere, frugal and fiscally responsible.
The Federal Government really, really, needs better content and systems management – now. The expanding Federal Debt will yield what some describe as “apocalyptic pain” in a few years’ time – if we don’t act soon.
The time is now. It’s the right thing to do.
NP: Miles Davis, Kind of Blue – Legacy Edition. (On CD, yes, but I’ll be listening to some jazz on original Vanguard LP a bit later… rest assured.)
I just happened to stumble into an interesting debate (again) through a chance circumstance. I was dining with a couple of handsome ladies and one of their sons had an Asus Netbook with a Dvorak keyboard.
For the uninitiated, the Dvorak keyboard is an entirely different layout than a standard keyboard, with keys situated and labeled in an unfamiliar pattern for the overwhelming majority of people with standard QWERTY devices. (The QWERTY name derives from the letters just above the “home” row of the left hand, reading left-to-right).
The Dvorak board supposedly makes more efficient use of finger motion by grouping the most commonly used (typed) letters together. Thus, there is supposed to be less wasted motion and a benefit in reducing or eliminating chance of carpal tunnel syndrome. Hmmm…
I’m an experienced typist of more years than I care to remember – in certain overseas locations, I even banged out more than a few reports on manual typewriters way back in my dim past. In my years of communicating via sticks on logs, smoke, drums, typing on mechanical machines, various consoles, IBM Selectrics, desktops and laptops, I’ve noticed one thing for certain: I’m fortunate in that I type as fast as I think. (Insert jokes here).
I’ve never felt any particular discomfort when typing, even for long periods. However, I’m all for optimization and efficiency. Simple software is available for switching from QWERTY to Dvorak – and back – should anyone be interested. The fellow who had his Dvorak Netbook said it took about a month to learn Dvorak. Further, he said it took about 20 minutes to get back up to speed when switching back to QWERTY.
We then got into a discussion of keyboards with keys having tiny LCD screens on top of them: In this case, you can assign a letter, function symbol, or picture to the key – and make changes any time you wish. Easy enough, then, to re-label from QWERTY to Dvorak, among other things.
However, in the case of simple keyboard layout swaps, I recommend something quite simple and totally reliable: Lenticular optics.
Remember those pictures that changed as you tilted them? Holding a lenticular picture at one angle might show a tiger, for example – when tilting slightly in the other direction, the picture might change to a lion. It would be easy enough to use lenticular optics to toggle keyboard labeling between two layouts. On a laptop or Netbook, one could simply raise or lower the back risers to effect the change if the optics were horizontal. Or vertical optics could be employed, and simply sliding the device’s position a few inches left or right would effect the change.
At any rate, I am fortunate and glad that I do not have carpal tunnel syndrome, and that I don’t think (or generate original content) any faster than I do. My typing seems quite efficient as matched to the flow of my thoughts…
…and I fault all mistakes in grammar and spelling errors to my software.
NP: This is the Moody Blues, double-LP, vinyl.
Word comes to us, courtesy of an excellent article in USA Today, that the number of people 55 and older with jobs is projected to hit 28 million – a record. (American workforce growing grayer, by Dennis Cauchon).
I don’t know about you, but I’m not at all surprised. Beyond the reasons stated in the article, such as “better health, longer lives and less physically damaging jobs,” there are a couple of other phenomena – the article touches on one: experience. So true. Older workers do, generally as a group, have more experience. How can they not?
But there’s something else: In my own general experience, older workers are more exacting, careful, and prideful (in a good way): They take pride in their work, and what that work delivers.
I’m a bit older myself, so I run the risk of veering into a zone of “these young whippersnappers today, they just don’t care…” – and that’s not where I’m trying to go. What I’d like to reinforce, to the younger audience, is that in order to break into a sluggish job market, with older workers hanging on, you must separate yourself, distinguish yourself, sell yourself – in the interview.
When I was just out of high school, attending college part-time at night, I was applying for jobs by day. About all I’d done was physical factory work. Not a thing wrong with that. In fact, I dropped a resume off at a large electrical manufacturing firm in order to apply for an opening on their loading dock. Some kind person – gosh I’d like to thank them properly today – noticed that I had extensive drafting classes in High School and Community College – and HR called and asked if I’d like to be interviewed for an Electrical Draftsman position. Would I?
But… why didn’t I think to market myself that way? Well, I was around 19 years old: a little too modest, perhaps… a little insecure – and also, I didn’t know a thing about marketing myself – about blowing my own horn. But, I won that job, held it, and loved it for about three years before entering the U.S. Army for many, many more experiences.
Blow your horn – be accurate, be modest, but make full exposition for who and what you are.
Now, recognize that beyond experience, employers like older workers for very specific qualities. Therefore, if you can convince an employer that you – as a younger worker – possess those same specific qualities, and you qualify in core respects, you’ll win the job:
Emphasize your dependability (and be dependable); emphasize your “results-oriented” mentality; emphasize your ability to work well with others. I have no empirical measures or surveys handy, but in the course of my consulting, I hear the same laments on the side: Send me some people who know what it means to get along, to stay focused on results, to come to work on time…
In my time, I’ve hired a lot of people – and fired more than a few. My hires worked and “stuck to the walls” – that is, they were great employees – I knew what qualities to look for. Anyone I fired was almost always someone I “inherited.” Be the person that all hiring managers look to find: core competencies are almost a given or you wouldn’t be applying for a particular job – but emphasize all the collateral requirements that factor into… not a good employee – but a great one.
If you were looking for someone you absolutely HAD to depend on – what would you look for? Then… BE that, and SPEAK to that, when you interview.
NP: Backdoor Santa – Clarence Carter. At Starbucks. What a great R&B track – check it out if you get a chance.
I see where the University of Wisconsin–Madison campus had a recent breach necessitating notification of 60,000 people (according to the Milwaukee Journal Sentinel). There are interesting twists to this particular breach.
First, to set the stage: A database was “compromised,” and it contained names and social security numbers. Oops; compromising names and SSNs is rather an embarrassing violation of data’s security – no question.
Here’s the really interesting – and quite dismaying – part: UofW used to embed the students’ social security numbers in their student ID numbers. Hmmm. That’s bad enough – really unwise. But further, their present system contained an old file with old photo IDs, names, and the student ID number with the embedded SSN. You know, just hanging ‘round in case – or maybe because no one remembered it was there… and no system existed that could throw up a flag.
Content management anyone? A tenet: If data no longer has business value, relevancy, and use – get rid of it. Archive it or delete it. This is a perfect example of legacy data’s liability.
Lessons of Legacy: It’s reported that the identities of those who accessed the file remain unknown. But consider: there are all manner of systems out there, with “dead wood” files just hanging around. Who knows what measure of security awareness existed at the time of creation and accumulation of the records in those files? What vulnerabilities exist that we wouldn’t even consider looking for today? I’d never have thought someone would embed an entire SSN in a larger ID number – it seems rather crazy, but I’d just about bet they weren’t the only ones to do something like this back in the day.
Going back and surveying legacy systems and files for larger enterprises can represent a mountain of work – and it’s no small task for SMBs and their correspondingly smaller staffs – and once undertaken, you might not even expose and correct vulnerabilities to a 100% standard. This is why it is so critically important these days to mount security from a whole-view perspective, with a whole view of content. It is far easier, and much more efficient, to manage as you go. Construct and secure data within solid systems, and have a content management system with destruction dates and archive dates well established.
For stuff that no longer has active business or historical value, get it out of the active system; be certain the actions you take are legal – and in accordance with governance (business sanction) – archive it if you must; if you can, delete (destroy) it.
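What a flag for that legacy file could have looked like, as an added example that is not from the original post or from the university: a scan of legacy text records for SSN-shaped numbers, including SSNs buried inside a longer identifier, which a plain 3-2-4 dashed pattern would never catch. The record layout, the twelve-digit student ID format (two-digit year, nine-digit SSN, one check digit) and every record below are constructed for the illustration.

```python
"""Scan legacy text records for SSNs, including SSNs embedded inside
longer identifiers. Added example, not part of the original post; the
record format, the student ID scheme and the data are constructed."""
import re

DIGIT_RUN = re.compile(r"\d{9,}")
DASHED = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Constructed legacy export. Row 2 uses the assumed old ID scheme
# (year + SSN + check digit); row 5 is a phone number stored in the
# wrong field; row 6 has an SSN written in free text.
SAMPLE_RECORDS = """\
student_id,name,year,notes
985101234567,A. Example,1998,photo=a_example.jpg
20100042,B. Example,2010,photo=b_example.jpg
000123456,C. Example,1997,invalid placeholder id
6085551234,D. Example,1999,field actually holds a phone number
20100043,E. Example,2010,SSN 510-12-3456 also written in notes
"""


def plausible_ssn(nine):
    """Structural rules only: area not 000, 666 or 900-999; group not 00;
    serial not 0000. SSNs carry no checksum, so this trims obvious
    non-SSNs but cannot prove a number is one."""
    area, group, serial = int(nine[:3]), int(nine[3:5]), int(nine[5:])
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def mask(digits):
    """Report only the last four digits; the scan output is itself sensitive."""
    return "***-**-" + digits[-4:]


def scan_records(text):
    """Return one finding per SSN-like token, as dicts with line number,
    kind, masked value and the number of plausible 9-digit windows.
    Dashed SSNs are matched as tokens. For undashed digit runs, every
    9-digit window is tested, so an SSN inside a 12-digit ID is found;
    long runs report how many windows passed, since the scan cannot tell
    which window is the SSN without knowing the field's layout."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in DASHED.finditer(line):
            nine = "".join(m.groups())
            if plausible_ssn(nine):
                hits.append({"line": n, "kind": "dashed",
                             "value": mask(nine), "windows": 1})
        for m in DIGIT_RUN.finditer(line):
            run = m.group()
            windows = [run[i:i + 9] for i in range(len(run) - 8)
                       if plausible_ssn(run[i:i + 9])]
            if not windows:
                continue
            kind = "bare" if len(run) == 9 else "embedded in %d-digit field" % len(run)
            hits.append({"line": n, "kind": kind,
                         "value": mask(run), "windows": len(windows)})
    return hits


if __name__ == "__main__":
    for h in scan_records(SAMPLE_RECORDS):
        print("line %(line)d: %(kind)s %(value)s (%(windows)d plausible window(s))" % h)
```

Three rows are flagged: the old-format student ID (three of its four nine-digit windows pass the structural rules, which is exactly why the format was a liability), the phone number (a false positive, and the reason a scan like this feeds a human review rather than an automatic delete), and the SSN typed into the notes field. The placeholder 000123456 and the modern eight-digit IDs are not reported.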
Don’t wait because, today, violating data’s security attains a much higher profile, becomes much wider-spread, and is increasingly unaffordable.
NP: Haitian Fight Song, Charles Mingus – Jazz24.org – online; (10:36:02 in length, and it’s jammin’ – I’ll cleanse myself with vinyl/analog later tonight).
The Wikileaks mess remains front and center in the news and it only gets worse.
In an earlier article I noted that, today, undesired outcomes have efficiencies right along with efficient solutions, and our desired objectives and outcomes are at risk. Consider simple errors: once upon a time, if you made an error in configuration, or set something that wasn’t optimal for business, it involved the setup and correction of a single computer. Now an error baked into a disk image propagates to every machine cloned (“ghosted”) from it: one image can affect dozens, hundreds, or thousands of machines.
In the case of Wikileaks, they can affect what millions of machines (and people) are doing.
As Wikileaks is showing us, it now turns out that data breaches are quite efficient too. Perhaps we need a nice handle for a high-profile element of information warfare that comports with such things as web surfing, friending (social networking), databasing… how about data breaching?
What did you do last night?
I was busy data breaching – copped a lot of interesting content. Tonight I’ll be hacking bank accounts.
In matters of efficiency, consider that Wikileaks has quite an efficient “staff.” Julian Assange’s London-based lawyer Mark Stephens says,
“He’s had more credit for the publication of these cables than perhaps is due to him and he’s also had more attention than is perhaps due to him as a consequence. I think people will realize over the next few weeks, if Julian stays in custody, that actually he’s not essential to the functioning of this organization and it will continue.”
Jonathan Hunt, of Fox News, noted that the leaks from Wikileaks keep coming, and that Assange had said prior to being jailed that 100,000 people now have the ability to publish all of the documents if something should happen to him. Wikileaks has been characterized as a well-oiled “leaking machine.”
What does this mean? Consider: no one who isn’t supposed to know knows the formula for Coca-Cola. Or Pepsi… but the State Department can’t even cough up a flag when a Private First Class downloads over 250,000 classified documents. You know, something like,
“We’re sorry. In order to guard against data breaching, you are limited to access of 100,000 classified documents in a 24-hour period. Please try again tomorrow.”
I’m being a little facetious – but this whole situation strains credulity. What I would suggest for everyone here, including any readers from the State Department, is to:
1. Review and update your data security and content management policies ASAP, and all associated security measures.
2. Schedule security refreshers for organization staff. (Create the training if you don’t presently have it – and shame on you).
3. Review the status and protection of all technical enablements; meet with vendors, VARs, solutions partners, etc. – anyone and everyone.
4. Don’t forget to review physical security and associated measures such as access, locks, authorized personnel, and so forth.
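The facetious error message above describes a real control: a per-user ceiling on document retrievals in a rolling window, plus an alert when a user’s volume departs sharply from that user’s own history. The following is an added example, not from the original post or from any State Department system; the event format, the 24-hour window, the cap of 500, the ten-times-baseline rule and the sample events are all assumptions made for the illustration.

```python
"""Alert on bulk document retrieval: a rolling 24-hour count per user,
checked against an absolute cap and against the user's own prior
daily average. Added example, not from the original post; format,
thresholds and events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
HARD_CAP = 500           # assumed policy: never more than this per user per window
BASELINE_MULTIPLE = 10   # assumed policy: alert above 10x the user's prior daily average


def bulk_access_alerts(events, hard_cap=HARD_CAP, multiple=BASELINE_MULTIPLE):
    """events: iterable of (timestamp, user, doc_id) in time order.
    Returns [(timestamp, user, count_in_window, reason)], one entry per
    user, at the first event where that user crosses a threshold."""
    recent = defaultdict(deque)   # user -> timestamps inside the window
    daily = defaultdict(dict)     # user -> {date: retrievals that day}
    alerts, alerted = [], set()
    for ts, user, _doc in events:
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # slide the window forward
            q.popleft()
        day = ts.date()
        daily[user][day] = daily[user].get(day, 0) + 1
        count = len(q)
        # Baseline is the average over fully elapsed earlier days only.
        prior = [c for d, c in daily[user].items() if d < day]
        baseline = sum(prior) / len(prior) if prior else None
        reason = None
        if count > hard_cap:
            reason = "exceeds hard cap of %d in 24h" % hard_cap
        elif baseline is not None and count > multiple * baseline:
            reason = "%d in 24h vs prior daily average %.1f" % (count, baseline)
        if reason and user not in alerted:
            alerted.add(user)
            alerts.append((ts, user, count, reason))
    return alerts


def make_burst(user, n, start=datetime(2010, 11, 1, 9, 0)):
    """Constructed: n retrievals by one user, 30 seconds apart."""
    return [(start + timedelta(seconds=30 * i), user, "doc-%d" % i) for i in range(n)]


def make_sample_events():
    """Constructed: two analysts each reading 20 documents a day for
    five days; on day six analyst1 pulls 600 in five hours while
    analyst2 carries on as before."""
    start = datetime(2010, 11, 1, 9, 0)
    events = []
    for day in range(5):
        for i in range(20):
            t = start + timedelta(days=day, minutes=15 * i)
            events.append((t, "analyst1", "doc-%d-%d" % (day, i)))
            events.append((t + timedelta(minutes=3), "analyst2", "doc-%d-%d" % (day, i)))
    day6 = start + timedelta(days=5)
    events += make_burst("analyst1", 600, day6)
    for i in range(20):
        events.append((day6 + timedelta(minutes=15 * i + 3), "analyst2", "doc-5-%d" % i))
    events.sort()
    return events


if __name__ == "__main__":
    for ts, user, count, reason in bulk_access_alerts(make_sample_events()):
        print(ts.isoformat(), user, count, reason)
```

With the sample data the only alert is for analyst1, raised about an hour and a half into the burst when the rolling count reaches 201 against a prior daily average of 20, long before the hard cap. A brand-new user has no baseline, so on day one only the cap applies; that cold-start gap is why the absolute ceiling is kept alongside the relative rule.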
NP: Time Out, The Dave Brubeck Quartet, on original 1959 Columbia vinyl LP.