The debate continues to rage between those who believe information security is purely a technical discipline and those who believe success must include behavioral as well as technical components.  If you read my blogs, you already know I am a firm believer in the latter.

 

Information security professionals typically deal with a complex ecosystem that includes both technology and people.  Whereas computer systems follow rigid and clearly defined rules, people do not.  Purists tend to approach security problems by establishing a set of technology-based controls.  This tack works well for electronic devices, but not so well for people.  Such controls are most applicable in environments where actions are understood, limited in scope, and consistent: situations where specific inputs produce predictable outcomes.  People can be unpredictable ‘wild cards’, driven by individual motivations and bounded by few limitations.  We expect them to follow the rules based upon our version of ‘common sense’, even in the absence of proper training.  Technical controls can restrict some activities, but because people have tremendous latitude and flexibility, it is common for such barriers to be sidestepped without much thought or effort.

 

We can see this play out in a number of related fields.  Take, for example, the thousands of new automobile drivers in California who hit the road every month.  These high-risk teenage drivers push insurance rates up because of their historically elevated accident rate.

 

Currently, we employ a combination of technical and behavioral approaches to keep all drivers on the road safe.  The behavioral measures include mandatory driver education, supervised (co-pilot) driving experience, driver testing, financial investment, and both positive and negative social reinforcement.

 

But what if we took a different approach and replaced the behavioral controls with stronger and more comprehensive technical controls?  We could install more guard rails, speed bumps, stop signs, and street lights, fix potholes, and lower the speed limits on every street.  Every vehicle could be required to have top-speed and acceleration inhibitors, anti-lock brakes, high-visibility lights, 8-way airbags, oversized mirrors, location tracking, and collision detection systems, and be subject to yearly safety inspections.  This would be a huge financial and resource expenditure to establish and sustain, but such technology would make both the roads and vehicles safer.

 

But to what result?  Because the most prevalent factor in accidents, poor human judgment, would remain unaddressed, I believe this strategy would not achieve the desired results.  In fact, I am confident the elimination of behavioral controls would greatly overwhelm all the benefits of the new technical controls, resulting in a skyrocketing accident rate.  In the end, technical controls cannot overcome the poor decisions of drivers, and would ultimately fail to reduce accident rates while incurring significantly higher costs.

 

Instead, thankfully, the modern solution is to train and educate new drivers in addition to applying modest technical controls.  New drivers still have the worst driving records, but the result is far better than the alternative.  We should apply these concepts to the world of information security as well.  Reliance on technical controls alone is not sufficient, given the dependence on people within the ecosystem.

 

I firmly believe success can only be accomplished with a combined effort of technological and behavioral controls.  Only then can an optimal solution for security be achieved.

Social information is more valuable to cyber-attackers than you think.

Social media is experiencing explosive growth, with millions of people worldwide opting to share and communicate personal and private information with acquaintances in the virtual online world.  But danger is lurking, growing, and gaining momentum from attackers who will seek to leverage this data to improve their success and commit more heinous acts.

 

Social sites are regularly targeted to harvest email addresses and used as portals to inject malware onto vast numbers of systems.  But soon these repositories will be targeted for something more dangerous: the social data itself.  The ability to identify like-minded groups is a powerful targeting tool.

 

A combination of factors is contributing to a critical failure point.  The tidal wave of information being generated and aggregated by social networks, threat agents seeking to conduct better-targeted attacks, and the ease with which the data is available will combine to improve the success of malicious attacks and change what types of acts are possible.

 

We all accept certain risks when connecting to the Internet.  As long as we believe the benefits outweigh the risks, we should continue.  This is simply good risk management, which we practice as part of our everyday lives.  But knowing the risks is crucial to this decision process.  As an online society we have become aware of, and even comfortable with, traditional computer attacks, ploys, and distractions.  Alerts for viruses, spam, malicious links, bank card fraud, and pop-up ads, to name a few, have lost their shock value.  People recognize that most attacks they will face are opportunistic, targeting the masses and preying on those not applying digital common sense.  These are of little concern: malicious emails from people you have never met are easily discarded, patches happen magically in the background, and regularly updated anti-malware applications warn about and clean known viruses and worms.  So why will social information be targeted, and why should anyone be more worried in the future?

 

Information is power.  The more accurate, plentiful, and specific it is, the more valuable it is.  Sadly, we are the source of our own dilemma.  As a digital society, we provide the greatest wealth of personal data, in a timely manner, and make it easily accessible.  The aggregation sites no longer hide in the shadows.  Instead, they compete to give the masses ways to continually feed and share more information.  People ravenously consume these services without much thought and voluntarily contribute massive amounts of personal data every day.

 

The aggregation of data shows an individual’s scope of influence, economic standing, consumer trends, social circles, and political and religious positions.  Combining this with physical location, purchasing, and browsing habits creates a detailed profile.  By exposing work, friends, and associates, it becomes possible to derive clusters of people with similar beliefs, lifestyles, fears, and motivations.

 

New attacks are on the horizon.

Ideological, political, and personal attacks become very possible.  In locations where people who express their views are potentially persecuted, oppressive organizations could leverage the constantly updating well of social information to harass, prosecute, coerce, threaten, or inflict harm on people who have expressed unacceptable opinions, travelled to forbidden areas, made friends with suspicious people, or supported ideas and groups not perceived as friendly.  It can give the hostile agents behind such activities the means to expand their scrutiny to the friends and associates of distrusted people.  Guilt by association.  Will social data and connections be scrutinized when someone crosses a border, is offered a job, or is granted a benefit?

 

There are many organizations, groups, and individuals that look for ways to target people who do not align with their religious, ideological, or political beliefs.  One of the most significant barriers to oppressing others is the inability to determine who believes what.  Social media solves this problem, giving those who wish to discriminate an undeniable source of a person’s alignments, through their very own words and social connections.  Additionally, there are predators seeking to commit crimes against people who are looking for ways to select their victims.  Social media data may become the ultimate tool to empower their efforts.

 

This will open doors for other aggressors as well.  Social insights make it easier to target supporters of rival sports teams, gaming guilds, social cliques, and people with differing political views.  It is now possible to target employees of a disliked company or government, people who live in a specific area, supporters of a political party or social cause, or those who are away from home.

 

In many ways, it is easier to act decisively against an individual who is known to commit acts or hold beliefs deemed offensive than against a group which may contain a mix.  Human history is filled with gruesome examples.  In recent digital times, we are already witnessing cyber bullying, online gaming retributions that manifest in the real world, and political prosecution for voicing digital opinions among friends.

 

Let's not forget our current cyber attackers, who are always looking for better ways to accomplish their nefarious objectives.  The application of social intelligence simply enhances longstanding attacks.  In the past, attackers lacked the means to target precise groups of potential victims and the ability to establish a false sense of trust.  Social media data is the equivalent of marketing demographics for people with malicious intent.

 

Imagine a 419 internet scammer who successfully bilks money from an unsuspecting victim.  One victim is good, but what if they could target the community of like-minded individuals at the same time?  From a social perspective, people with similar personalities, backgrounds, and interests tend to flock together.  These clusters become evident in social sites.  In this example, the victim’s online friends are perfect targets.  Why waste time on people who will not easily be fleeced when focus can be directed to a community most likely to fall for a scam?  Credit card fraudsters may target the wealthy, fake aid organizations may target the affluent or people who have friends and family in affected areas, while bot herders may prey on communities new to the internet or groups less inclined to see the value of security controls.  Cross-referencing location, affiliation, and employment data can reveal a target’s bank, investment broker, or credit handlers.  Such information is the first step in sophisticated, discreet spoofing attacks that encourage victims to reveal login and transaction credentials.  The opportunities for the malicious are almost endless.

 

Social networks also confer some level of inherent credibility.  Most savvy web users would never follow a suspicious link in an email sent to them by an unknown sender.  However, using information gathered from social sites, an attacker could craft a message which appeared to come from a friend, referencing a discussion that occurred just moments before.  Even the most paranoid user would likely fall victim.  Taking it a step further, the attacker could recreate the banter between two friends, say chatter about a football game, and broadcast it to the friend’s community with instructions to visit a tempting malicious link.


Our private data is everywhere and easily accessible.

It is shared by the very entities we provide it to, to improve our experience and empower our social reach and influence.  Many of these service providers are start-ups with little motivation, experience, or capability to adequately protect our data.  Privacy policies can be paper dragons without any tangible controls to support them.  Security functions tend to fall far behind the pursuit of profitability, leaving data exposed.  In the end, aggregated social information is not well protected and is easy to obtain.  It is inevitable that it will become a juicy target for attackers who desire intelligence and an inside advantage on prospective targets.

 

Once the data is lost, the security industry's capability to thwart follow-on attacks is nearly nonexistent.  It is an immature field in which technology adapts poorly.  Attacks which leverage social information take advantage of human nature and our desire to be part of our communities.  Security controls can rarely stop an empowered user from making a poor decision when they believe it is safe.

 

We are a victim of our own social desires.

Humans are, after all, highly complex social animals.  Without a doubt, social platforms on the internet are very attractive and incredible communication tools.  They will continue to evolve to meet the desires of users and will rush to deploy new features for people to communicate, share, and play active roles in the lives of others.  But it is important we do not ignore the simple fact that such platforms are tools and can be wielded for both positive and disruptive ends.  The landscape of digital security is about to change again.  We must be cautious with the most precious data we possess in this age of digital insecurity.

Long gone are the days when a person’s best and only PC was the machine used at work. In fact, most people have several PCs at home along with numerous other gadgets and smart devices. The consumerization of IT reflects the growing trend of employees wanting to use their personally owned devices within the enterprise. Consumerization is not just about devices. It’s also about services. Instant messaging, blogs, wikis, and social networks all began as consumer solutions and are now deeply entrenched in the enterprise. As Intel’s CIO, my job is to enable our employee productivity: to make it easier to do great work. I would love to welcome all personal devices into Intel and give access to as many corporate applications, and as much data, as employees want. The new wave of employees don’t want to carry around multiple devices, one for professional and the other for personal use.

 

I understand: employees want to access the information they need, when needed, on whatever device they happen to have on hand.

 

Embracing the consumerization of IT has real business value. Allowing employees the flexibility to use personal devices not only results in higher employee satisfaction but also helps attract and retain talent, especially new talent. The flexibility created by consumer-powered IT results in a more engaged and productive workforce. We cannot inhibit the use of any type of technology that empowers employees to deliver new ideas and unleash powerful innovation.

 

But I have a problem.  For me to enable any personal device, I need to know it can be secured and efficiently managed. PCs and laptops come with great enterprise features and capabilities that allow me to confidently manage our fleet of 100,000 clients.  Unfortunately, these enterprise features are not a standard part of consumer products. Consumer product capabilities vary wildly from device to device. There is also the variety of form factors, device capabilities, and operating systems to consider. There is no simple solution today.

 

Intel IT has embraced the challenge, and we are absolutely making progress in enabling employees to move seamlessly between their work lives and home lives, between being an employee and being a consumer. As an IT industry, we need to continue to work with solution providers, communicating the security and manageability requirements of all products and solutions, consumer and enterprise alike. The line between enterprise and consumer is blurred. Adding enterprise capabilities to consumer products will help us, as IT, be more responsive and agile in delivering what employees are asking for, capitalizing on the consumerization of IT trend.

Here at Intel we've had a strong focus on improving and embedding sustainability efforts both inside and outside our data centers. The work we've done through server virtualization as part of our server refresh cycles is now saving Intel millions of kWh each year due to the efficiencies gained. Beyond the data center, we're looking at ways to improve the efficiency of computing resource usage in our office and lab areas. This includes not only the electricity needed to power the devices but also things like paper consumption due to printing. While the savings opportunities are not nearly as large in this space as we've seen in the data center, there is still value in integrating sustainable practices into everything we do.

As we all know, you can't manage what you don't measure. We had taken the first steps toward understanding our office and lab usage at a macro level and had a feel for where we might be able to influence change. The challenge then was how to make the data visible and actionable at a personal level.  What we decided to try is providing a tool that can be installed on a PC and tracks power-management and printing behavior. We wanted usage to be optional so as not to seem too "Big Brother", but we also wanted ease of use and timely feedback for employees.

One of my colleagues in IT, Randy Sole, developed a gadget that sits on the desktop, where employees can get near-real-time feedback. The gadget uses system event logs to gather data on system shutdown/sleep and printing history. We then use the data to generate a score in the areas of power management and printing. Detailed data is available, as is content guiding the employee on how to improve their score. The goal, of course, is to have employees shut down machines when not in use, set their PCs' power-management settings so that unused machines power themselves down, and reduce the amount of paper used for printing. I have captured a screenshot of my personal usage below; I definitely need to improve on shutting down my system when I’m not using it, but I am doing well in shutting my system down at night and in my printing!
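The scoring idea above (read the system event log, look for shutdown/sleep and print events, turn them into two scores) can be illustrated with a small script. This is an added example and is not the Intel IT gadget or its code: it assumes the event log has been exported as CSV with columns time,provider,event_id,detail, uses the well-known Windows event IDs Kernel-Power 42 (entering sleep), User32 1074 (user-initiated shutdown/restart), EventLog 6006 (event log service stopped, i.e. a clean shutdown), EventLog 6005 (started) and PrintService 307 (document printed), reads the page count from a "pages=N" token that is this example's own convention, and uses made-up thresholds for "end of day" and a daily page budget. The sample log is constructed.

```python
"""Score power-management and printing behaviour from exported Windows event log lines.

Added example, not Intel IT's gadget.  Assumptions (not from the page): CSV export
with columns time,provider,event_id,detail; event-ID-to-category mapping below;
"pages=N" token in the print event detail; END_OF_DAY and PAGE_BUDGET_PER_DAY
are invented policy thresholds.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, time

POWER_DOWN_IDS = {42, 1074, 6006}   # Kernel-Power sleep, user-initiated shutdown, event log stopped
PRINT_ID = 307                      # PrintService: document printed
END_OF_DAY = time(17, 0)            # assumed: machine should be off or asleep after this
PAGE_BUDGET_PER_DAY = 20            # assumed: page allowance used to scale the printing score
PAGES_RE = re.compile(r"pages[=:]\s*(\d+)", re.IGNORECASE)

# Constructed sample export: three full working days plus the next morning's boot.
SAMPLE_LOG = """time,provider,event_id,detail
2011-03-01T17:52:10,User32,1074,The process explorer.exe initiated the shutdown
2011-03-01T17:52:12,EventLog,6006,The Event log service was stopped
2011-03-02T08:05:00,EventLog,6005,The Event log service was started
2011-03-02T12:30:00,Microsoft-Windows-PrintService,307,Document 12 printed on PRN01 pages=4
2011-03-02T22:10:00,Microsoft-Windows-Kernel-Power,42,The system is entering sleep
2011-03-03T08:01:00,EventLog,6005,The Event log service was started
2011-03-03T14:00:00,Microsoft-Windows-PrintService,307,Document 13 printed on PRN01 pages=27
2011-03-04T08:00:00,EventLog,6005,The Event log service was started
"""


def parse_events(csv_text):
    """Return a time-sorted list of (timestamp, event_id, detail) tuples."""
    events = [(datetime.fromisoformat(r["time"]), int(r["event_id"]), r["detail"])
              for r in csv.DictReader(io.StringIO(csv_text))]
    return sorted(events)


def observed_days(events):
    """Dates with any activity, minus the last one: its evening has not been seen yet."""
    return sorted({ts.date() for ts, _, _ in events})[:-1]


def score_power(events):
    """Percentage of observed days with a sleep/shutdown event at or after END_OF_DAY,
    plus the list of days on which the machine was left on overnight."""
    by_day = defaultdict(list)
    for ts, eid, _ in events:
        by_day[ts.date()].append((ts.time(), eid))
    days = observed_days(events)
    if not days:
        return 0, []
    left_on = [d for d in days
               if not any(eid in POWER_DOWN_IDS and t >= END_OF_DAY for t, eid in by_day[d])]
    score = round(100 * (len(days) - len(left_on)) / len(days))
    return score, left_on


def score_printing(events):
    """Pages printed against the page budget for the observed days; returns (score, pages)."""
    pages = 0
    for _, eid, detail in events:
        if eid == PRINT_ID:
            m = PAGES_RE.search(detail)
            pages += int(m.group(1)) if m else 1   # no page count in the message: count the job as one page
    budget = PAGE_BUDGET_PER_DAY * max(1, len(observed_days(events)))
    return max(0, round(100 * (1 - pages / budget))), pages


def report(csv_text):
    """Combine both scores into the kind of summary a desktop gadget would display."""
    events = parse_events(csv_text)
    power, left_on = score_power(events)
    printing, pages = score_printing(events)
    return {"power_score": power, "left_on_overnight": [d.isoformat() for d in left_on],
            "printing_score": printing, "pages_printed": pages}


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the constructed log the machine was shut down on 1 March and put to sleep on 2 March but left running on the night of 3 March, so the power score is 67 with that date listed for improvement; 31 pages against a 60-page budget gives a printing score of 48. The last day in the export is deliberately excluded from both scores because its evening has not happened yet, which avoids penalising the user for a day that is still in progress.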

 

I have sent out a ‘friendly competition’ invitation to my team mates to download the gadget and compare scores at the end of the month. I’ll keep you posted on how the competition goes.

Have others taken a similar or different approach and what have the results looked like in your organization?

 

[Screenshots: gadget.png, flyout.png]

 


It is that time of year again when security professionals dust off their crystal balls and forecast what the future of security holds.  I have been reading many good insights, with most of which I wholeheartedly agree.

 

Here are a few from the news which I support:

  • Bigger players, mostly defense industry, are joining the ranks and establishing security foundations and even external services
  • Custom malware will continue to increase
  • Social engineering attacks will continue with no end in sight, as they target the weakest link: people
  • Regulations worldwide will increase, in the attempt to spur more security
  • As cloud computing grows, especially with small and medium sized organizations, so will attacks and exploits

 

Sources for more reading: SANS, Symantec, Imperva, CIO, Unisys

 

Here are my contributions to the collective list:

  1. More specialized attacks, directed toward specific targets and objectives.  Sophistication will increase and attackers will be more bold in target selection and follow-through.  Organizations with sufficient resources, motivation, and audacity will top the list.  This will include governments, organized crime, and extreme political groups making the leap forward.
  2. Social media sites will be targeted (insert your favorite site where you identify your associates, list your affiliations, volunteer your private data, and willingly disclose your current/routine locations) by attackers, as the social data itself will prove valuable.  This will result in the worst kind of cyber-attacks, ones which support the targeting, tracking, and injury/death of others.   Sadly, I think we will see the spark of such activities this year, with a sustained increase, albeit stealthily, for years to come.
  3. Attackers will be targeted.  On a positive note, I foresee authority organizations will begin attacking the attackers with more ferocity than seen before.  Look for a major uptick in prosecution (not just from a judicial perspective) of cyber attackers from many different governments, service providers, and organizations worldwide.  This will continue to trend up for several years.

In Part 1 of Server Refresh + Energy Rebates = A MATCH, I chatted with my colleagues Tom and David to understand how they were able to motivate their internal customers to stay on track to a four-year refresh cycle. In Part 2 of this discussion, I talked again to David and to his colleague Mary. Mary is a System Administrator and Resource Planner within the Computing Solutions and Services team. Mary owns server purchases and removals.


David – You spent a lot of money to get a rebate that only paid for a fraction of the costs. What other motivation did you have for doing the refresh?


• Great question -- Being a good corporate citizen. Doing the right thing is all part of the big picture. Look, our data centers were reaching capacity limits with no end to incremental growth. An opportunity was presented to remove older capacity, refreshing with newer. We just needed to figure out the multiplier and calculations to achieve a reasonable refresh ratio. In the Intel IT white paper Realizing Data Center Savings with an Accelerated Server Refresh Strategy, we found that we can achieve consolidation ratios ranging from 7:1 to 13:1, depending on the workload and other factors, while substantially reducing energy consumption. Just imagine your data center footprint reduction, power reduction (mechanical/electrical), and, my favorite, reduced hardware support, in addition to a reduced monthly/quarterly power bill. The benefits are long term…

 

Mary - You didn’t have much time to remove such a large amount of equipment. How was that done?


• Running an efficient, streamlined end-of-life (EOL) process is important when you are trying to remove a lot of servers from your data center.  Effective customer communication is key to being successful in accomplishing an incident-free EOL.  Our EOL process is done in two phases.  The first phase is essentially our planning phase, where our initial customer approvals take place.  Out-of-warranty compute servers are identified 6 months prior to the EOL date.  This gives us ample time to contact server owners and to identify critical servers that cannot be EOLd.  The second phase is the EOL execution.  This is where the actual EOLing of servers takes place.  Due to our diligence during phase 1, we are assured that everything targeted for EOL can be shut down without interruption to our customers.

 

David - Did the Energy Trust conduct audits to make sure equipment was removed?

 

• Yes – An ETO representative performed a final verification. The verification consisted of power readings (within 10% of the forecasted readings), hardware class, and quantity. The hardware power readings were monitored for five days, meeting all the requirements. Actually, I found the process easy and the contracting firm flexible. The representative brought their own equipment for testing to acquire the necessary results.



Mary - What happens to the removed equipment?


• All of the equipment goes through the Intel waterfall process.  Some of the servers are sold to recyclers through the Intel Resale Channel.  In Oregon, we have donated a portion of our EOL equipment to StRUT (Students Recycling Used Technology).  StRUT is a program incorporated into Oregon schools where students take donated computers and equipment and learn to refurbish and recycle them.


             
Mary - What did you use the rebate money for?


• We have completed two energy-saving projects using the rebate money: we replaced and recycled CRT monitors with new LCD monitors, and replaced and recycled hard disk drives with solid state drives.

 

David - If others are interested in finding similar opportunities in their areas, how should they go about finding them?


• If you search your local power company's web site, there are usually rebates set aside for businesses. In most cases, contact information is available to call the program manager directly. The first step is making the call… second, finding out what rebates are available… third, finding out what benefits are offered, sized appropriately for your business, to initiate server, monitor, lighting, or building (mechanical/electrical) refreshes/upgrades.

 

David - Are there some concerns you had?


Knowing what to ask and sharing the right data is always helpful…
• In most cases you will be asked to share specific data, so it is recommended to have a non-disclosure agreement in place, and always gain prior approval before sharing any third-party information.
• If you have an idea and are willing to share it with the utility power company program manager, a customized program can be developed around your idea. It might be a one-time offering or a yearly offering.
• Know your target – if you’re refreshing servers, ask the utility power company for a template to calculate the refresh. If this is not available, I found several key searches for the word “sustainability” on the web.
