Tag Archives: security

Who would be an IT Security Officer?

Someone told me that protecting a corporate network is like protecting your land with a plastic fence. As if that were not bad enough, your kids keep compounding things by continually punching holes in the fence. Think about the challenges for the company IT Security guy:

1) He has to ensure that there are controls which are delivered through policies, training and clever technology.

2) There are a lot of clever hackers out there. Take “Anonymous”: they seem able to take out government sites at will, so what chance does our IT Security guy have? (Let’s call him SG from here on.)

3) SG has lots of enemies.

Who are SG’s enemies?

a) The Hackers – obviously enemy number one.

b) Software and Hardware suppliers, particularly those who produce vulnerable software.

c) Employees of his organisation, who fall into two broad categories. The first is the normal users, who will inevitably try to install “illegal” software, visit dodgy web sites and use personal USB sticks. SG ought to be able to use clever technical controls to prevent this kind of behaviour.

The second category, management, is much more difficult for SG to overcome. To illustrate this, let’s think of the steps in an IT security model.

– Risk assess the threat

– Put in place proportionate controls

– Assess if the controls are effective

Take the first stage, Risk Assessment. Quite often, non-technical management will decide how IT Security breaches will impact the organisation. Lacking the knowledge to compare it with other business risks, they will more often than not understate the impact. This is like a bunch of civilians trying to wage war against a belligerent enemy. Therefore, SG will probably not be able to put in place proportionate controls.

So SG will have to take a reactive rather than a proactive approach to IT Security Management, and there will be breaches. Let’s consider the stages of a breach:

Intrusion

Detection

Remediation

This sounds straightforward. You might think it works something like this: your AV software tells you that you have a possible breach, whereupon you quarantine and remove whatever is causing the problem.

However, leaders in security incident response management such as Mandiant paint a different picture. Their recent report has some interesting highlights:

Nearly two-thirds of organizations learn they are breached from an external source.

The typical advanced attack goes unnoticed for nearly eight months.

Attackers are increasingly using outsourced service providers as a means to gain access to their victims.

Attackers are using comprehensive network reconnaissance to help them navigate victims’ networks faster and more effectively.

Advanced Persistent Threat (APT) attackers continue to target industries that are strategic to their growth and will return until their mission is complete.

Once a Target, Always a Target

This inevitably has a significant impact in terms of reputation, finance and employee morale. Furthermore, remediation will cost around ten times what preventative measures would have cost in the first place.

SG will no doubt remind management of his recommendations but organisations have short memories.

Are technical strategies a thing of the past?

Let’s start with one definition of a strategy: a plan of action designed to achieve a long-term or overall aim.

Most large organisations, and indeed governments, develop and implement strategies in order to deliver objectives: think of health care, roads and public transport and, most importantly, the economy. Once you come to technology, people often want to show they have a ‘CAN DO’ attitude, particularly if tactically minded managers are in charge. Another challenge to the strategists is that technology moves on so quickly that it does not make good business sense to get stuck in a long-term quagmire. They probably know that “CAN DO” from amateurs often becomes “CANNED, WHO?”

So think of a scenario at the ACNE Food company. The strategy manager, Mister Good, approaches the HR director, Mister Evil, who is heading up the IT and Technology function.

Mister Good: “I recommend developing a technical strategy based on what the business needs for the next five years. That way, we’ll ensure that we can offer an agreed and fit-for-purpose SLA by having a fully resourced and funded ICT service offering.”

Mister Evil: “I know what the business want. They need the latest iPads so they can read minutes of meetings when they are on the train.”

Mister Good: “What about aligning technology to support the new commercial and sales strategy we heard about last week?”

Mister Evil: “I don’t want you navel-gazing into the future. Just get your guys warmed up to get those iPads with a few apps on them to see what the Press is saying about us.”

==========================================================================================

One year later, the ACNE Food company Board are very proficient in using iPads, despite one of them losing some personal data after accessing a rather dodgy site. In the meantime, the company’s finance and logistics systems are becoming obsolescent and struggling to meet the increasing commercial demands of the company. It’s not all bad news, though. The Marketing department have developed a number of apps and have received a marketing industry award for them. However, the ICT budget has been blown trying to prop up the antiquated corporate systems.

===========================================================================================

The question I would like readers to answer is: was the HR Director correct to pursue his short-term objectives? After all, his Board colleagues saw him as someone who is proactive and technically savvy. Conversely, they saw the Strategy Manager as a superfluous, whining overhead.

Please let me have your comments.

Are Raspberry PIs a waste of money?

Introduction

This post explains the reasoning behind why people should buy a Raspberry Pi. It is not intended to be a technical blog post, and is aimed at those who have some technical knowledge.

What is a Raspberry Pi?

A Raspberry Pi is a small barebones computer onto which an operating system (usually Linux) may be added. The recommended operating system, Raspbian, comes preloaded with Python, the official programming language of the Raspberry Pi, and IDLE 3, a Python integrated development environment. This is accessible from the provided desktop and is designed for absolute beginners who wish to learn to program.

However, anyone with reasonable Linux skills can access the power of this operating system through what is known as a command line prompt. Such users can download other programming environments of their choice, such as Perl, PHP and Java.

What are the benefits of a Raspberry Pi?

1) Low procurement cost.

2) It uses low-cost, common peripherals, such as micro USB power supplies and SD cards.

3) The default desktop environment should get you programming in no time.

4) The Raspberry Pi user community and on-line documentation is superb.

5) It can interface easily with cameras, temperature probes and other electronic components as the backbone of, say, a home automation project.

6) In the hands of a knowledgeable technical person, it can be used as a powerful prototyping tool set without tying up expensive servers.

7) It is portable and can be used for such applications as remote CCTV or as an intelligent data sensor.

What are the limitations of a Raspberry Pi?

1) It is a fragile piece of kit because it relies on an SD card, which has a much shorter lifespan than conventional storage devices. (It can use flash drives and the like, but the current Raspberry Pi must always boot from an SD card.)

2) It has limited computing power.

3) It does not come with a protective case and therefore may be susceptible to mishandling and electrical or physical damage.

4) It cannot be used in a full production environment.

5) It is susceptible to attack if exposed to the web without first hardening the system.
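One concrete reading of “hardening” for the most common case, an SSH login exposed to the internet, as an added example (this is not code from the original post or from the Raspberry Pi project): a small POSIX shell audit that reads an sshd_config-style file and flags the settings a defender would change before opening the port. That SSH is the exposed service, the two sample configs and the temporary file paths are all assumptions constructed for illustration; on a real Pi you would point audit_sshd at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the original post: a pre-exposure audit of the
# SSH daemon configuration on a Raspberry Pi. It assumes SSH is the service you
# intend to expose and that the file follows sshd_config syntax. Both sample
# configs below are constructed; on a real Pi audit /etc/ssh/sshd_config.

# get_directive FILE KEYWORD
# Prints the effective value of a directive, lower-cased. sshd uses the first
# uncommented occurrence of a keyword, so the scan stops at the first match.
# Commented lines never match because their first token starts with '#'.
get_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# audit_sshd FILE
# Prints one WEAK line per finding and returns 1 if anything needs fixing,
# 0 if the config passes. Defaults used when a directive is absent are those
# documented in sshd_config(5): PasswordAuthentication yes,
# PermitRootLogin prohibit-password, PermitEmptyPasswords no.
audit_sshd() {
    cfg="$1"
    rc=0

    pa=$(get_directive "$cfg" PasswordAuthentication)
    [ -z "$pa" ] && pa=yes
    if [ "$pa" = "yes" ]; then
        echo "WEAK: PasswordAuthentication is on (the default); use keys and set it to no"
        rc=1
    fi

    prl=$(get_directive "$cfg" PermitRootLogin)
    [ -z "$prl" ] && prl=prohibit-password
    if [ "$prl" = "yes" ]; then
        echo "WEAK: PermitRootLogin yes; set it to no"
        rc=1
    fi

    pep=$(get_directive "$cfg" PermitEmptyPasswords)
    [ -z "$pep" ] && pep=no
    if [ "$pep" = "yes" ]; then
        echo "WEAK: PermitEmptyPasswords yes; set it to no"
        rc=1
    fi

    return $rc
}

# Constructed sample 1: a config left as it was after first boot, with the
# password-authentication line still commented out and root login enabled.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
#PasswordAuthentication yes
PermitRootLogin yes
UsePAM yes
EOF

# Constructed sample 2: the same host after hardening.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
EOF

echo "== unhardened config =="
audit_sshd "$WEAK_CFG" || echo "-> do not expose this host yet"
echo "== hardened config =="
audit_sshd "$HARD_CFG" && echo "-> no findings"
```

The audit deliberately reads only the first uncommented occurrence of each directive, because that is how sshd resolves duplicate keywords: a hardened line appended below an existing weak one is silently ignored by the daemon, and this check reports the setting sshd will actually use rather than the one that was added last.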

Are Raspberry PIs a waste of money?

To answer the question I posed at the start: most certainly not, so long as the realities of the device are taken into account.