Opinion

Information Technology is the department in many organizations that has, historically, taken on the challenging tasks of systems engineering, network engineering, database management, and software development – all in support of business applications that support (and, in some cases, make possible) key business processes.

In recent years, cloud computing and all of the “as a service” offerings (software as a service, infrastructure as a service, storage as a service) have taken some pressure off of corporate IT with regard to the resources required to host, install, and manage key applications. IT departments have seen this as a good thing, but a longer view of this trend should be considered a bellwether of change: IT departments are going to shrink considerably, since those skills will no longer be needed in many organizations.

Think about it. Today, it’s possible for an organization to farm out all of its business applications to external service providers: from e-mail to intranet sites, many companies can get away with virtually no servers in their environment. Instead, everything will be accessible via the Internet.

The same goes for the networks supporting so-called “desktop” environments. With a few WiFi access points, network wiring out to employees’ desks is a thing of the past. In many cases, an organization’s business network can be a few WiFi access points and one of those all-in-one boxes for Internet connectivity.

Remote access also becomes a has-been. With nothing in the corporate network to access, users access virtually all corporate resources via the Internet with no special access required.

In terms of the IT labor force, this does reflect a trend whereby corporations consuming IT services will require fewer IT workers, while IT service providers will require more. However, those service providers will require only a fraction of the personnel displaced by their services.  As a result, a typical IT department of the future may consist of a CIO, some business analysts and project managers, and little else.

This disintermediation has been seen in IT in the past.  Decades ago, most organizations wrote custom applications for many of their key business processes, because there were few, if any, common off-the-shelf (COTS) applications available. There were large numbers of software developers and other personnel dedicated to the development and ongoing maintenance of these applications. But over time, fewer custom applications were needed since there were many good products that IT departments could purchase, install on company servers, and operate. This trend is simply continuing, where even the hosting of these applications is moving from client organizations to cloud service providers. Soon there won’t be a need for data centers, or even wiring closets, in most organizations. This should be seen as a natural progression of innovation and improving efficiencies.

Even the department name Information Technology may give way to Information Management. After all, there will be little or no visible technology, since it will be hosted by service providers. Instead, companies will be managing information located elsewhere, and hosted, stored, and processed on their behalf by other organizations.

While the outlook for talented IT personnel may be good today, I believe the trend of disintermediation will, slowly at first, reduce demand for IT talent in many organizations. The shortage of IT personnel today may be a glut in a few years.

SEATTLE. January 1, 2013, 12:01am

A person or organization has a breakout year when their skills and accomplishments help them ascend to a higher level of responsibility, visibility, and achievement. Often, someone has a breakout year when they are involved in situations where they excel and produce great results that are widely recognized. Often that leads to those persons or teams being rewarded with even greater responsibility, and more opportunity for achievement and greatness.

We can’t all be a Chris Christie, Andrew McCutchen, or Dan Straily, but we can excel and advance nonetheless. We can “bloom where we’re planted” and improve our lot and that of others.

Set Your Sights High

It is often said that high achievers get that way by setting big goals. Do not be afraid to set a “big hairy audacious” goal for yourself, and then do what you can to achieve it.

Don’t Be Discouraged by Failure

The world’s great achievers (including Edison, Tesla, Curie, and Churchill) did not become famous overnight, nor were they born with superhuman qualities. Instead, they had only fierce determination and a drive to keep trying despite repeated failures and setbacks. Every time they met failure, they got up, dusted themselves off, and set their eyes back on their goals and tried again.

Remember that every great achiever failed numerous times before they succeeded. Learn from your setbacks and try again!

Adopt a Servant’s Attitude

Ronald Reagan once said, “There is no limit to what you can accomplish if you don’t care who gets the credit.” So many people are distracted by posturing, politicking, and looking good – that’s all energy they could be putting into their effort instead. An individual or a team that is focused on meeting goals instead of looking good is far more likely to accomplish what it has set out to do.

I invite you to adopt a new ethic in your work. Rather than dedicate yourself to service to yourself, make it your life’s purpose to serve others. You’ll be surprised at the results, and the rewards you will receive by putting others first.

Adversity May Be Your Path

A breakout year may not mean fame, glory, and riches. Instead, you may find yourself going through difficulties that may be causing you to ask, “Why me?” However, this may be the path that takes you to your own breakout year.

Years ago, I faced adversity in my personal life that shook me to the core. Those who know me understand when I call that time my “dark year(s).” But it was in the face of that adversity that my circumstances changed in miraculous ways, leading to a breakout year in both my personal and professional life. In many ways I’ve been riding the crest of that wave from then until now.

Don’t Take Yourself Too Seriously

I know plenty of people who are obsessed with what they are doing every minute of the day, and how they appear to others. To that I would say, “relax!” Allow yourself to make mistakes, and even take a moment (perhaps later on) to laugh a little bit at the memory of some of your blunders.

Your most powerful response to everything that your career and your life has to offer you is your response to those things that happen to you, for better or worse. Keep your chin up and remember that you will be here another day – a day of potential triumph.

* * *

Make this your breakout year. After all, you deserve it – you really do.  This will be my breakout year, and there’s plenty enough for the both of us.

I’ve been a LinkedIn user for about eight years, and I’m highly appreciative of its business networking focus. LinkedIn has facilitated many fruitful business opportunities that might not have happened otherwise.

LinkedIn has been adding new features, and one of the newest is the Skills feature. A while after adding Skills, LinkedIn now provides a means for users to “endorse” the skills of their connections. Upon first glance, I thought this would be a useful feature that would help to add credibility to one’s claims of business and technical skills.  That is, until I started receiving endorsements from some of the people I am connected with.

LinkedIn endorsements

I’m grateful to my connections for endorsing my skills – make no mistake about it. However, I’ve received many skills endorsements from connections that do not actually know whether I have those skills or not. While their endorsements seem to strengthen my credibility, I now view other users’ profiles with some skepticism and wonder whether they really possess those skills or not. If people are endorsing my skills without actually knowing whether I have them, how do I know whether others have the skills they claim, even when endorsed?

LinkedIn is just another tool that people can use to embellish their resumes. While LinkedIn has great potential for helping people find each other based on their profession, location, skills, and other criteria, LinkedIn is no substitute for other methods for determining whether businesspeople actually possess the skills they claim.

At security trade shows like RSA, we are purposefully given the impression that if we just employ some new defensive technique or purchase some new defensive tool, we will be able to keep intruders out of our systems for good.

How many times have we heard this? And how is this different from remedies that promise to solve other problems like our finances or our physical appearance?

The information security war will never be won.

Never.

As long as people, or groups of people, have accumulated wealth of any kind, other people will try to steal it. We can keep ahead of the thieves for a time, as our defenses sometimes prove better than their offensive capabilities. But the wealth is still there, proving to be such a tempting challenge to some that they will use all of their imaginative powers to find a way in.

In our homes, we have better locks, stronger doors, better windows, better alarm systems – for what? It doesn’t seem like the problem of residential burglary is getting any better, despite these improvements. Thieves simply improve their techniques and find a way around our defenses.

In our information systems, we have better firewalls, application firewalls, intrusion prevention systems, anti-malware, and a host of other defensive (and even some offensive) security controls. But intruders still find a way in.

There are times when it proves very challenging to break directly into information systems. That is when intruders switch tactics: they target personnel who are employed in the organization that owns the systems, using a variety of techniques to trick users into performing seemingly harmless tasks that give intruders the beachhead they need.

Why do intruders persist? Because of the wealth that lies in the target systems. Whether this is direct monetary wealth, or information that can be traded for monetary wealth, as long as the information is there, and no matter what measures are used to protect the information, intruders will find a way to retrieve it. This is true even if you have all of the latest defenses, tools, training, and so on. Your defenses will only slow down a determined intruder, and maybe only by a small margin.

  • We must protect all systems. An intruder will attack the system of his choosing.
  • We must protect from all types of attacks. An intruder will use an attack method of his choosing.
  • We must protect our systems at all times. An intruder will attack at a time of his choosing.
  • We must teach all personnel to be aware of threats. An intruder will attack the person of his choosing.
  • We must obey all laws when defending our systems. An intruder may break any law of his choosing.
  • The intruder will always choose the path of least resistance, the weakest link, at our most vulnerable time.
  • Intruders are patient and resourceful, and often well-funded, and often more motivated by the prospect of success than we are by the prospect of intrusion.

When online backup solutions such as box.net, idrive, and dropbox came on the scene, I was skeptical. Store my data on some service provider’s system? Only with caution.

When news of the dropbox scandal was made public, I was not surprised. The promise, “only a customer has access to their own data”, evaporated. Not that it was a promise that could ever be kept.

Recommendation: if you insist on storing your data on someone else’s system, encrypt it locally and store the encrypted data on the other system. That is the only way to truly guarantee that no one else can see your data.

Reference:

http://techcrunch.com/2011/06/20/dropbox-security-bug-made-passwords-optional-for-four-hours/
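The recommendation above, carried out in code as an added example (not code from the original post or from any of the providers named): the file is sealed locally with AES-256-GCM under a key that never leaves the user’s machine, and only the sealed blob goes to the provider. The key storage location and the sample file content are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example. The key is generated and kept locally (assumption: in the OS
// keychain or a password manager); the provider only ever sees Encrypt's output.

const keySize = 32 // AES-256

// NewKey returns a fresh random 256-bit key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A fresh random nonce per call is mandatory: reusing a nonce under the same key
// destroys both confidentiality and authenticity in GCM.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, yielding nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. The GCM tag check fails on any bit flip in the blob,
// so the provider (or anyone with access to its storage) cannot silently alter it.
func Decrypt(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or tampered data")
	}
	return pt, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, _ := NewKey()
	doc := []byte("constructed sample file contents") // constructed sample input
	blob, _ := Encrypt(key, doc)
	fmt.Printf("upload this to the provider: %d bytes, starts %x\n", len(blob), blob[:8])
	pt, err := Decrypt(key, blob)
	fmt.Println(string(pt), err)
}
```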


In the early 1990s, client-server computing was all the rage. But it sucked, because networks were too slow and because updating client software was unreliable. Then the web happened, and soon, applications were written for web browsers. It was a great time, for a while.

Client server is back, and it’s now – arguably – the dominant computing model today.

I’m talking about smartphones (iPhone/iPad, Android, Blackberry, etc) with their app stores.

Smartphones are outselling laptops. And while web surfing is popular among smartphone users, app stores are where it’s at.

Smartphone apps are the new client-server model. The protocols (POX – plain old XML) are better and more efficient, HTTPS provides security, and bandwidth is better. The entire mechanism for updating smartphone apps is reliable, semi-automatic, bandwidth friendly, and easy to use.

I’m not knocking web browsers, really. They are great and getting better. But the differences between them are making the development of web applications that work across all of the web platforms and versions increasingly difficult. The web is great for lightweight application interaction, but it’s difficult to get it right in complex applications. Making web apps work across the popular browsers, versions, and OSs is not unlike the unenviable job Microsoft has of making Windows work on everyone’s Intel-based system. In the early days of the web, you wrote HTML and it worked everywhere. Not so any more. The bloom is off the rose.

So, what about app stores for laptops / desktops?  Since app stores are accepted by smartphone users, it makes sense that we’ll see them on laptop and desktop operating systems (Windows, Mac, Linux). If you use OSX (Mac), it’s already here. Microsoft is late to the party. Again.

I believe we will see a resurgence of client-server computing in the form of app stores for all major computing platforms, and that serious business applications that were previously web based will be app-based. Just like in the old days, only better.


Several years ago, when Microsoft announced its intention to have its software installed in automobiles, my immediate gut reaction was, oh great, now we will have bug fixes, patches, crashes, reboots, updates, blue screens of death, and car hacking. Such has been the experience of millions of users of Windows software for decades – why would the user experience in cars be any better – or different? (And if it would be better, why are those improvements not yet present in desktop / laptop computers?)

Fast-forward to May 2010, when the New York Times ran an article that described the extent to which computer systems are at the heart of a modern automobile’s control systems. I am not talking about the navigation system here, but engine, brakes, lights, and other basic functions. A team of computer scientists from UCSD and UW demonstrated the ability to hack into a car and remotely control its basic functions, including starting, stopping, engine control, instruments, and steering.

Why hack a car

Hacked Instrument Display

Your next question might be, why would someone wish to hack into someone’s car?  Some reasons include:

  • Theft. An intruder may wish to steal the car by hacking into its systems to disable the alarm, start the car, and maybe even remotely drive it for a short distance.
  • Fun. Immature but technically talented individuals may derive enjoyment from their ability to take over the controls of a running automobile in order to alarm its driver.
  • Harm. An individual or team may be intent on causing harm to the driver and/or passengers of a car by wresting control of the car from the driver and causing the car and its occupants to crash.

The development of the Toyota loss-of-control matter has demonstrated to the public that automobile computer control systems are prone to malfunctions that can cause safety issues. Whether Toyota’s specific problems were proven to be related to onboard computer systems is irrelevant; the point is that the crisis demonstrated that it is plausible that computer malfunctions can indeed result in potentially lethal safety issues.

Insecure by design

The car hacking experiment conducted by UW and UCSD researchers was a proof-of-concept that was very time consuming to perform. The experiment proved that security controls installed in automobiles to prevent hacking are weak at best. Consistent with many other new technologies, computer systems in automobiles were designed with functionality in mind, and security given little or no consideration.

Easy to hack

Will car hacking always be difficult? Certainly not, and the Firesheep tool is proof of this. Soon (perhaps already a fact for some readers of this article) there will be tools available for novice computer users who will be able to select from an array of nearby vulnerable cars, and be able to easily take over control of the car’s instruments, engine, brakes, climate control, navigation system and, indeed, practically everything in the car. There will probably even be an iPad version of this tool for hip hackers.

Improvements needed

Toyota [allegedly] has proven that automobile electronics can fail all by themselves. UW and UCSD have also proven that automobile electronics have weak defenses. Firesheep has proven that easy-to-use hacking tools will quickly be developed and used. Automobile manufacturers need to adopt a secure-by-design principle in the development of all on-board electronic systems in order to minimize the threat of car hacking.

Hack-proof Miata

I think that I’ll stick with my 1991 Miata for the time being.


When I earned my CISSP in 2000, and my CISA in 2002, I desired to earn these certifications as a way of demonstrating the knowledge and experience that I had already accumulated. To me, these certifications are a visible symbol of my professional qualifications in the professional community.

In recent years, I have seen many people who do not have the knowledge or the experience, and they desire to earn these certifications so that they may be better qualified for positions where they can earn the knowledge and experience that these certifications require.

These people have it backwards. They are showing impatience: they want the positions that require experience, but they do not yet have it. They ask, now that I have my CISSP (or CISA or CISM), how can I now get security specialist, security manager, security auditor, or other positions? And they wonder why they have difficulty finding these jobs that require CISSP, CISA, or CISM certification.

What I believe they fail to understand is that they do not have the required experience.

The correct path for professional certification and experience is this: acquire the knowledge and the experience, and then earn the certification. This is the method expected by employers, professionals, and the organizations that develop and manage these certifications.

Would you go to a doctor who had his license to practice but did not yet have the required experience? Of course not, and likewise employers do not hire candidates based only on their certifications. Instead, employers hire based upon knowledge, experience, and particular skills.

I believe that many of these aspiring certification candidates are being led astray by training organizations who are implicitly (if not explicitly) fostering the expectation that one can earn a certification based on a short training course alone, as though it is a “shortcut” to positions with greater responsibility, expectations, and compensation.

To IT professionals who want to get ahead and earn certifications: good for you! I wish you well! However, do know that you need to accumulate years of work experience first – then earning those certifications will be relatively easy, and you will have greater satisfaction through knowing that you have rightfully earned your certification, not only because you were able to pass a certification exam, but also because you have the experience that goes with it.

CISA study group

CISM study group

CISSP study group

CRISC study group


This writer suspects a link between the 2009 breach of TSA airport security procedures and the Christmas Day 2009 bombing attack on a U.S. airliner.

Image Courtesy CNN

CNN and the other news agencies (New York Times, Washington Post) are covering the developing story of the Christmas Day airline bombing attempt by suspect Umar Farouk Abdulmutallab who is allegedly acting on behalf of Al Qaeda.

There has been no mention whatsoever of the recent breach of airport security procedures by TSA and the possible connection between that event and this airline bombing attempt.

The potential for a connection is obvious to me: could this suspect have boarded the plane, confident that the amounts of materials he was bringing on would be undetected? The TSA airport procedures breach provided details on screening procedures and screening capabilities, including the amounts of liquids and other agents that could be brought through airport security undetected.

It is thought that TSA is in the process of modifying and improving airport screening procedures and capabilities as a result of the procedures breach, but I believe that those changes will take time to implement. The only short term change in procedures that can be implemented right away is increased pat-downs and body scanning in order to try and detect unwanted substances that will evade detection by magnetometers.

If the suspect’s device had a minimal amount of metal, it would not have been detected by the airport magnetometers. Short of a random pat-down (possible anywhere) or an image scan (not likely in Africa in my opinion, where the suspect reportedly entered the airline security perimeter) to detect liquids or powders, security procedures are not terribly effective at detecting liquids carried by a person.


Over one year ago, days apart, I began to receive e-mail messages addressed to others. For weeks I worked diligently to try and put a stop to it. My requests fell on deaf ears. I receive regular reminders that it is happening still.

I began to receive many (or all) e-mail messages addressed to someone named Sandy, who lives in Ontario Province, Canada. The domain name is Eastlink.ca, a broadband access provider.  It didn’t take long to figure out that I was receiving all of Sandy’s e-mail. I wrote to Sandy, suggesting she complain to her ISP. And of course I also received a copy of the message in my own inbox. I wrote to Sandy a couple of times and never heard from her. I guess she doesn’t care – or maybe she did not receive them.  I also complained to Eastlink.ca, and heard nothing from them.

I also receive all of Brian’s e-mail, and his ISP is ica.net, another broadband access provider in eastern Canada. I complained to ica.net, several times, and never received a response. I wrote to Brian also, and he responded and suggested I change my e-mail address. As if!

I also receive messages to someone at charter.net, but this user’s e-mail address does not indicate their name. I wrote to them and to Charter.net – you guessed it: no response.

Soon after this began, I wrote inbox rules to immediately delete all e-mail messages addressed *to* these user accounts that ended up in my inbox.  Now and then I look in my Trash Bin (where deleted e-mails go), and sure enough, there are still scores of e-mail messages: thank you’s for online merchant orders, FaceBook invites, e-cards, and personal correspondence.  I don’t read these messages.

Some of these messages still come to my inbox – this includes messages where the recipient is in the BCC (blind carbon copy) list. My inbox rules don’t know how to respond to these.
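The inbox rule described above, written out in Go as an added example (not the original post’s code): it flags mail visibly addressed to the other accounts for deletion, and makes the BCC blind spot explicit, since a BCC’d recipient never appears in the To or Cc headers the rule can inspect. All addresses and messages are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Added example; addresses are constructed placeholders, not the real accounts.

// Verdicts an inbox rule can act on.
const (
	VerdictMine      = "addressed to me"
	VerdictMisrouted = "visibly addressed to a known misrouted account: delete"
	VerdictHidden    = "my address not in To/Cc: BCC or misrouted, header rule cannot tell"
)

// visibleRecipients returns the lower-cased addresses found in To and Cc.
// BCC recipients are, by design, absent from the headers the reader sees.
func visibleRecipients(msg *mail.Message) ([]string, error) {
	var out []string
	for _, h := range []string{"To", "Cc"} {
		v := msg.Header.Get(h)
		if v == "" {
			continue
		}
		addrs, err := mail.ParseAddressList(v)
		if err != nil {
			return nil, fmt.Errorf("%s header: %w", h, err)
		}
		for _, a := range addrs {
			out = append(out, strings.ToLower(a.Address))
		}
	}
	return out, nil
}

// Classify applies the rule: keep anything visibly addressed to me, delete
// anything visibly addressed to one of the misrouted accounts, and surface
// the remainder (where no visible recipient is me) as undecidable by header.
func Classify(raw, me string, misrouted []string) (string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "", err
	}
	rcpts, err := visibleRecipients(msg)
	if err != nil {
		return "", err
	}
	me = strings.ToLower(me)
	bad := map[string]bool{}
	for _, m := range misrouted {
		bad[strings.ToLower(m)] = true
	}
	for _, r := range rcpts {
		if r == me {
			return VerdictMine, nil
		}
	}
	for _, r := range rcpts {
		if bad[r] {
			return VerdictMisrouted, nil
		}
	}
	return VerdictHidden, nil
}

// Constructed sample messages (CRLF line endings as on the wire).
const (
	msgToSandy = "From: shop@example.com\r\nTo: sandy@isp.example\r\nSubject: Your order\r\n\r\nThanks for your order.\r\n"
	msgToMe    = "From: friend@example.com\r\nTo: Me <me@example.com>\r\nSubject: hi\r\n\r\nhello\r\n"
	// A typical BCC blast: the sender addresses itself and hides every real recipient.
	msgBcc = "From: cards@example.com\r\nTo: cards@example.com\r\nSubject: e-card\r\n\r\nYou got a card.\r\n"
)

func main() {
	known := []string{"sandy@isp.example", "brian@isp.example"}
	for _, raw := range []string{msgToSandy, msgToMe, msgBcc} {
		v, err := Classify(raw, "me@example.com", known)
		fmt.Println(v, err)
	}
}
```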

I wish this would stop. I’m going to write to ica.net, Charter.net, and eastlink.ca again, but I’m not expecting any response, not to mention action.

I cannot imagine that this is happening only to me. If some malevolent (or even accidental) action is behind this, then chances are that hundreds or thousands of other users’ e-mail messages are also being forwarded without their permission.

This also makes me wonder if this is happening to MY incoming e-mail: could some other user out there be receiving messages sent to me?  I sure don’t relish that idea: sometimes I receive “reset your password by clicking on this URL” messages. What if someone else receives these and decides to click the one-time link before I do? Some online account of mine could be compromised as a result.

I’m also worried about my own liability in this matter.  I’m receiving e-mail messages that are supposed to be sent to others. I don’t want them, I don’t read them, and I delete them when I see them. But what if I receive messages containing personal medical information, for instance?

There are several possible causes for this inadvertent e-mail forwarding:

  • Malware, tampering, or compromise of ISP e-mail server.
  • Compromise of individual users’ e-mail accounts, where attacker inserts rules to forward mail to me (and maybe others).
  • Malware or compromise on individual users’ computers; this may be true if users use workstation-based e-mail software such as Outlook, Outlook Express, or Thunderbird.

There may be other potential causes, but I cannot think of any more.

If malware or a human intruder were behind this, what is their gain? What is the benefit for an intruder if someone’s e-mail is forwarded to someone who lives 3,000 miles away?  If the intent is to harm someone, who does it harm? If the intent is to harm the individuals whose e-mail messages are being forwarded to me, then I can think of several more malicious ways to harm them.  If the intent is to harm me, I don’t see how this harms me.

I’ve been a PC user for 25 years and switched to Mac last year. It is SO much easier to use, HIGHLY reliable, no hangs or reboots, no DLL hell. The Mac just runs and runs and runs, absolutely reliable, no performance problems.

I ran Vista last year and it is AWFUL: terrible performance, compatibility problems, booting took a long time, and it lost all of my data twice. After six months I switched that laptop back to Windows XP. XP is the last MS OS I am buying. We are either going 100% mac, or going to run Mac and Linux systems. Microsoft has been so completely disappointing with continued security problems (despite “the memo” in 2002, things have continued to get worse) that I have completely given up on them.

I have used PCs since 1985, and it’s really disappointing to see the direction that MS has taken. Windows is no longer a usable OS, but a symbol of the bloat and middle age that has occurred in the MS company itself.

I am sold on my Mac and wonder why I waited so long to switch.

If you switch to Mac, you will be amazed at how easy it is to use. You’ll be productive on day one, without all of the attendant problems present with Windows.


Someone I know recently sent me a Washington Post article about some proposed U.S. federal regulations on cybersecurity. The article was an attempt at fear-mongering over privacy concerns. As a cybersecurity professional and author of twenty books on cybersecurity and the technology of data communications, I’m qualified to comment on this article.

Federal regulation on cybersecurity is LONG overdue. Today, almost all of the 50 states have enacted cybersecurity laws, each different, most designed to protect the privacy of citizen data, and none of these state laws go nearly far enough to deal with the blatant irresponsibility on the part of many private corporations on protecting citizens’ data. The scourge of security breaches (such as the recent Heartland heist of ONE HUNDRED MILLION credit card numbers) is, in part, still occurring because private corporations are not doing enough to protect OUR DATA.

My most recent book on cybersecurity, which is to be published in May, opens in this way:

“If the Internet were a city street, I would not travel it in daylight,” laments a chief information security officer for a prestigious university.

The Internet is critical infrastructure for the world’s commerce. Cybercrime is escalating; once the domain of hackers and script kiddies, cyber-gangs and organized criminal organizations have discovered the business opportunities for extortion, embezzlement, and fraud that now surpass income from illegal drug trafficking. Criminals are going for the gold, the information held in information systems that are often easily accessed anonymously from the Internet.

The information security industry is barely able to keep up. Cybercriminals and hackers always seem to be one step ahead, and new threats and vulnerabilities crop up at a rate that often exceeds our ability to continue protecting our most vital information and systems. Like other sectors in IT, security planners, analysts, engineers, and operators are expected to do more with less. Cybercriminals have never had it so good.

There are not enough good security professionals to go around. As a profession, information security in all its forms is relatively new. Fifty years ago there were perhaps a dozen information security professionals, and their jobs consisted primarily of making sure the doors were locked and that keys were issued only to personnel who had an established need for access. Today, whole sectors of commerce are doing virtually all of their business online, and other critical infrastructures such as public utilities are controlled online via the Internet. It’s hard to find something that’s not online these days. The rate of growth in the information security profession is falling way behind the rate of growth of critical information and infrastructures going online. This is making it all the more critical for today’s and tomorrow’s information security professionals to have a good understanding of the vast array of principles, practices, technologies, and tactics that are required to protect an organization’s assets.

What I have not mentioned in the book’s opening pages is that cybersecurity laws are inadequate. The security incidents of the recent past (and short-term future, I fear) are so severe that they may pose a far greater threat on our economy than the worldwide recession.

Case in point: considerable intelligence suggests that the likely culprit for the great Northeast Blackout of 2003 was not electric power system malfunctions, but computer hackers who are sponsored by the People’s Republic of China. I have read some of the intelligence reports myself and they are highly credible. You can read a lengthy article in the National Journal about the outage here. A few years ago, I attended a confidential briefing by the U.S. Office of Naval Intelligence on state-sponsored Chinese hackers. The briefing described many cyberterrorism activities in details that I cannot describe here. I believe that the capabilities of those groups are probably far greater today than they were at the time of the briefing. The fact that these groups’ efforts have been so successful is because U.S. private companies are not required to adequately secure their networks; they are not even required to disclose whether security incidents have occurred (except as required by a patchwork of U.S. state laws).

I do not know whether the specific legislation discussed in the Washington Post article is an attempt to federalize the laws present in many U.S. states, or whether this legislation has a different purpose.

Security standards that are enforceable by the rule of law are badly needed. No, they will not solve all of our cybersecurity problems overnight, but if crafted correctly they can be an important first step. Today we have good standards, but no private company is required to follow them. The result is lax security that leads to the epidemic of cybersecurity incidents, many of which you never hear about.


Some argue that, because more people have earned it, the CISSP certification is becoming less relevant.

The CISSP certification is not less relevant because more people are passing it – more people are passing it because there is a much higher demand for CISSP-certified professionals than at any time in the past. Information and business security are far more relevant than in the past, because more organizations are using information systems in increasingly-complex ways to support critical business processes.

In my opinion the growth of CISSPs is still not keeping up with the demand for such professionals. If anything, the certification is MORE relevant now than at any time before.

I disagree with the statement that it will become less relevant. On the contrary, as the number of people who earn the CISSP certification grows, the MORE relevant it will become! Say, for instance, that 20 years from now one-third of all IT professionals hold the certification. That would make CISSP *HIGHLY* relevant!

I think that maybe you are asking a completely different question. Today, having a CISSP gives relevance to the individual person who holds it. When CISSP is rare, having it makes the person more relevant. But if CISSP were to become plentiful, that would make the certification far more relevant.

Take MCSE. Lots of IT pros have it. The certification is *highly* relevant – so much so that it is practically a standard. A person who does *not* have the MCSE is not relevant. In many companies you can’t play in the game if you don’t have it. That sounds like high relevance to me.


Many articles in the press have chronicled the failure of Microsoft’s first-generation 30GB Zune MP3 players. They all simply froze on December 31, 2008, the last day of a leap year. The remedy: they had to be powered on and allowed to completely discharge, and then wait until after 12:00 GMT on 1/1/09 before they could be used again. Total downtime: around 24 hours.

Microsoft is yearning to expand its market space into embedded systems in automobiles, military systems, and other areas. Am I being overly fearful of the consequences of a Microsoft whose products are even more deeply embedded into the machinery of our lives?  Today is one of those days when I am distrustful of technology as a path for an easier life.
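For the curious, here is what a hang of that shape looks like. This is an added illustration written for this post, not the Zune’s firmware: the widely reported cause was a days-to-date conversion loop in the clock driver that never terminates on the 366th day of a leap year. The day numbering (1-based days since 1 January 1980) and the iteration guard are assumptions made so the buggy version returns instead of hanging; the fixed version alongside shows the check that makes the loop always make progress.

```python
"""Reconstruction of a leap-day hang of the kind reported for the Zune 30.

Added illustration for this page; this is not the Zune firmware. The widely
reported cause was a days-to-date conversion loop in the clock driver that
never terminates on the 366th day of a leap year. Day numbers here are
1-based days since 1 January 1980 (an assumption for the demo), and the
iteration guard exists only so the buggy version returns instead of hanging.
"""

from typing import Optional, Tuple

ORIGIN_YEAR = 1980
MAX_ITERATIONS = 100_000  # guard for the demo; the real device had none


def is_leap_year(year: int) -> bool:
    return (year % 4 == 0 and year % 100 != 0) or year % 400 == 0


def days_to_date_buggy(days: int) -> Optional[Tuple[int, int]]:
    """Loop of the reported shape. Returns (year, day_of_year), or None if it spins forever."""
    year = ORIGIN_YEAR
    iterations = 0
    while days > 365:
        iterations += 1
        if iterations > MAX_ITERATIONS:
            return None
        if is_leap_year(year):
            if days > 366:
                days -= 366
                year += 1
            # days == 366 in a leap year: neither branch changes `days`,
            # so `days > 365` stays true and the loop never exits.
        else:
            days -= 365
            year += 1
    return year, days


def days_to_date_fixed(days: int) -> Tuple[int, int]:
    """Compare against the length of the current year and always make progress."""
    if days < 1:
        raise ValueError("day count must be >= 1")
    year = ORIGIN_YEAR
    while True:
        year_length = 366 if is_leap_year(year) else 365
        if days <= year_length:
            return year, days
        days -= year_length
        year += 1


def day_number(year: int, day_of_year: int) -> int:
    """Inverse helper: 1-based day count since 1 January 1980 for a (year, day-of-year) pair."""
    total = sum(366 if is_leap_year(y) else 365 for y in range(ORIGIN_YEAR, year))
    return total + day_of_year


if __name__ == "__main__":
    dec31_2008 = day_number(2008, 366)
    print("31 Dec 2008, buggy loop:", days_to_date_buggy(dec31_2008))      # None (hangs)
    print("31 Dec 2008, fixed loop:", days_to_date_fixed(dec31_2008))      # (2008, 366)
    print("1 Jan 2009, buggy loop: ", days_to_date_buggy(dec31_2008 + 1))  # (2009, 1)
```

Note what happens one day later: on 1 January 2009 the count is 367 at year 2008, the `days > 366` branch is taken, and the buggy loop exits normally. That is exactly why draining the battery and waiting until the next day cleared the device, and why the same loop would spin again on 31 December 2012.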

Articles:

Leap year Zune glitch persists for some (CNN)

Original Zune confounded by leap year, shuts down (Seattle Times)

Zune support page explanation

Zune insider blog


Financial institutions are very in tune with the phishing threat and how it can damage their brand.

Or are they?

I received this e-mail from ETrade yesterday.  I’m a security expert and I recognize spam and phishing. I had to look this one over a few times to distinguish whether it was real or not.

This isn’t helping customers. Instead, it’s training them to respond to *real* phishing mail by making phishing and real messages indistinguishable.

Here is the spam – um, I mean, e-mail:

* * *

Special Pricing Expiration Notification

Your discounted commissions on stock and options trades will expire in 7 days.

You can still get extraordinary value when you trade with E*TRADE. We customize our commissions(1), making it easy to qualify for our best pricing.

If you have any questions, please call 1-800-ETRADE-1 (1-800-387-2331) or log on to your account at http://www.etrade.com and contact us through the Help Center.

View our current commission schedule (https://us.etrade.com/e/t/estation/pricing?id=1206010000)

PLEASE READ THE IMPORTANT DISCLOSURES BELOW

1. For details and additional information about our trading commissions and options contract fees, please visit http://www.etrade.com/commissions.

(c) 2007 E*TRADE Securities LLC, Member NASD/SIPC (http://www.sipc.org). All rights reserved. The information contained in this Smart Alert does not constitute a recommendation by E*TRADE Securities, and is subject to the Smart Alerts Terms and Conditions (https://us.etrade.com/e/t/estation/help?id=1209038000) and the E*TRADE Securities Customer Agreement (https://us.etrade.com/e/t/estation/help?id=1209031000). We cannot respond to e-mails sent to this mailbox. If you have questions, please contact us through the Help Center (https://us.etrade.com/e/t/estation/help?id=1203000000).
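What a recipient actually has to go on is the set of links, their schemes and hosts, and the deadline wording. The script below is an added example (mine, not E*TRADE’s mail system or any vendor tool) that pulls those cues out of the message above: the quoted notice is pasted in, trimmed, as constructed sample input, and the expected sender domain etrade.com is an assumption. Run it and the point makes itself: three plain-http links, one off-domain host, and a seven-day deadline, which is the same shape a phishing mail would have.

```python
"""Link and urgency cues in a suspect e-mail.

Added example for this page, not E*TRADE's mail or any vendor product.
Given a message body and the domain the sender claims, it lists every URL
with its scheme and host, flags hosts outside that domain, and collects
deadline/urgency wording. SAMPLE_MESSAGE is the quoted E*TRADE notice,
trimmed; SENDER_DOMAIN is an assumption.
"""

import re
from typing import Dict, List
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s)>\]"]+')
URGENCY_RE = re.compile(r"\b(expir\w*|in \d+ days|immediately|suspend\w*|verify)\b", re.I)

SENDER_DOMAIN = "etrade.com"   # assumption: the domain the mail claims to come from

# Constructed sample input: the quoted notice, trimmed to its link-bearing lines.
SAMPLE_MESSAGE = """Special Pricing Expiration Notification

Your discounted commissions on stock and options trades will expire in 7 days.

If you have any questions, please call 1-800-ETRADE-1 (1-800-387-2331) or log on to your account at http://www.etrade.com and contact us through the Help Center.

View our current commission schedule (https://us.etrade.com/e/t/estation/pricing?id=1206010000)

1. For details and additional information about our trading commissions and options contract fees, please visit http://www.etrade.com/commissions.

(c) 2007 E*TRADE Securities LLC, Member NASD/SIPC (http://www.sipc.org). All rights reserved. The information contained in this Smart Alert is subject to the Smart Alerts Terms and Conditions (https://us.etrade.com/e/t/estation/help?id=1209038000) and the E*TRADE Securities Customer Agreement (https://us.etrade.com/e/t/estation/help?id=1209031000). If you have questions, please contact us through the Help Center (https://us.etrade.com/e/t/estation/help?id=1203000000).
"""


def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it (no substring tricks)."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def inspect_links(body: str, sender_domain: str) -> List[Dict[str, object]]:
    """One record per distinct URL: scheme, host, and whether the host is the sender's."""
    records, seen = [], set()
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")   # trailing sentence punctuation is not part of the URL
        if url in seen:
            continue
        seen.add(url)
        parsed = urlparse(url)
        host = parsed.hostname or ""
        records.append({
            "url": url,
            "scheme": parsed.scheme,
            "host": host,
            "on_sender_domain": in_domain(host, sender_domain),
        })
    return records


def phishing_cues(body: str, sender_domain: str) -> Dict[str, object]:
    """Summarise the cues a reader would weigh: unencrypted links, foreign hosts, deadlines."""
    links = inspect_links(body, sender_domain)
    return {
        "links": len(links),
        "plain_http": sorted(r["url"] for r in links if r["scheme"] == "http"),
        "off_domain": sorted({r["host"] for r in links if not r["on_sender_domain"]}),
        "urgency": sorted({m.group(0).lower() for m in URGENCY_RE.finditer(body)}),
    }


if __name__ == "__main__":
    for key, value in phishing_cues(SAMPLE_MESSAGE, SENDER_DOMAIN).items():
        print(f"{key}: {value}")
```

The domain check uses a proper suffix match rather than a substring test, so a host such as etrade.com.example.net is correctly reported as off-domain; that is the lookalike trick real phishing relies on, and it is the one thing this legitimate message happens not to do.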


I joined LinkedIn about five years ago, when one of my colleagues joined and invited me to sign up. Because I am gregarious and have worked with hundreds of people over the years, I accumulated over 625 connections.

But over the past couple of months, I have begun to re-think why I had many of these connections. I came to realize that I was connected to former colleagues I haven’t heard from in years, who have made little or no contact with me in the intervening years since we worked together. I wondered, what is the value of these connections?

LinkedIn is a network built on trust.  Well, that’s what it was supposed to be. Unfortunately, there are many who amass connections with anyone who will connect back, almost like anonymous sex.  You connect with me, I’ll connect with you. Never mind that we don’t know each other, and that we live 9,000 miles apart, have nothing in common, and will never, ever meet in our entire lives, nor do we have ANY common acquaintances.  That’s not trust, that’s just adding points to the score card.  So what? So what if you have 8,000+ connections. Do you really know and trust all of those people? I don’t think so.

LinkedIn Open Networkers (LIONs) is the term for people who connect to anyone who asks. While they believe that what they’re doing is good, they’re actually hurting all of the legitimate users who follow the rules and connect to people they actually know.

Further… connecting with people you don’t know is a direct violation of the LinkedIn terms and conditions. Not that anyone notices, but doing so only dilutes the experience for everyone. LinkedIn is supposed to be about webs of trust, where I can trust your connections because I trust you. But if I don’t even *know* you, how can I possibly trust you, not to mention your connections, who are unknowns of unknowns?

Sorry for my rant.  So if you used to be connected to me and you aren’t any longer, don’t take it personally. I probably didn’t know you much in the first place, or perhaps not at all.

* * *

Apparently I’m not alone. Many others are disgusted with LinkedIn open networking:

Not the way to use LinkedIn

Redefining my use of LinkedIn

Are you connected – or just linked?

You had me then you lost me (better for the comments than the rant itself)

* * *

I have reported various types of abuse to LinkedIn Customer Service over the past few years. Every time, they say, “yeah we know about it,” which now makes it clear to me that their priorities are on the numbers, not the value. There is a market opportunity here for another business networking play that will figure out how to only accept links with people who are actually *known*. What a concept.


It really irks me when I see people on LinkedIn who connect with anyone who is willing to accept a connection.  This is a blatant violation of the intentions – and the terms and conditions – of LinkedIn.

I connect only with people I know. I am VERY hesitant to connect with people who are promiscuous linkers, because I do not have any way to know which people in *their* network are trustworthy.

Today I saw a posting on a LinkedIn group that read,

“Lets expand our network together. Open Networker Accepting All Invitations.”

I responded,

“In my own opinion this violates the LinkedIn terms and conditions. And I’m surprised to hear this from a CISSP and CISA who is supposed to uphold two different codes of ethics that require honesty in all professional dealings.

In LinkedIn, we are supposed to connect only with people that we *know*, NOT with everyone who will push a button. The LinkedIn Terms and Conditions, section 3, reads:

‘The purpose of LinkedIn is to provide a service to facilitate professional networking among users throughout the world. It is intended that users only connect to other users WHO THEY CURRENTLY KNOW and seek to further develop a professional relationship with those users.’ (emphasis mine)

How can you reconcile your requirement to abide by the LinkedIn terms and conditions, your statement, “Open Network Accepting All Invitations” and your codes of ethics that require you to respect laws, regulations, and rules?

As security professionals, we are supposed to lead by example. Otherwise, how are we supposed to expect others to do so if we PUBLICLY and brazenly violate them ourselves. Doing so compromises our ability to be effective in our professional work.”

The LinkedIn terms and conditions also says:

“Any other use of LinkedIn (such as seeking to connect to someone a user does not know or to use LinkedIn as a means of generating revenue through the sale of contacts or information to others) IS STRICTLY PROHIBITED AND A VIOLATION OF THIS AGREEMENT.”

Can this be any more clear?


Security managers often have a difficult time getting budget money for security controls during times of economic health, but in a downturn that puts financial pressure in some industry sectors, security budgets can literally dry up.  This may be especially true in organizations that were releasing funds for spending on security controls based upon qualitative justification.

If you’re in this situation, maybe it’s time to switch to a risk-based model for making decisions on where to best spend money on security.

This approach requires that an organization adopt a risk management and risk analysis methodology that is used to perform a detailed risk analysis for any given situation.  A risk analysis methodology will enable a security manager to precisely identify threats, vulnerabilities, and risks in specific situations or settings, which can lead to a clearer understanding of specific risks and what can be done to reduce those risks.

In the end, it’s middle or senior management’s job to make spending decisions. As risk managers, we can help decision-makers make more informed decisions based upon identified risks and potential remedies to those risks.

Image courtesy Tech Republic


If a decision-maker still says “no”, do not consider this a failure.  It is a risk manager’s job to help management make informed decisions.  As long as the risk manager provides the facts, including the alternatives in a risk situation, then the risk manager has done his or her job.  It is the decision maker’s job to make risk decisions.  Whether we agree with those decisions may be the basis for much professional discussion – if it’s not our decision, it’s not our decision.

The consolation for the risk manager is that risk-based spending at least puts money where it’s needed the most.
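To make “risk-based” concrete, here is an added worked example (mine, not taken from any of the methodology documents listed under Sources): the classic annualized loss expectancy arithmetic, ALE = SLE × ARO, used to rank candidate controls by net annual benefit. The risk register and the control costs and effectiveness figures are constructed for illustration; a real exercise would get them from incident history and vendor quotes.

```python
"""Quantitative, risk-based ranking of security spend.

Added example for this page, not from NIST 800-30, OCTAVE or FRAP. It uses
the classic annualized loss expectancy arithmetic (ALE = SLE x ARO) to
compare candidate controls by the annual loss they avoid minus what they
cost. Every asset and control figure below is constructed for illustration.
"""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy: dollars lost per incident
    aro: float   # annualized rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy, the expected loss per year with no new control."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk: str                   # name of the Risk this control addresses
    annual_cost: float          # purchase amortized plus operating cost, per year
    aro_reduction: float        # fraction of the incident rate removed, 0..1
    sle_reduction: float = 0.0  # fraction of the per-incident loss removed, 0..1


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is in place."""
    if control.risk != risk.name:
        raise ValueError(f"{control.name!r} does not address {risk.name!r}")
    sle = risk.sle * (1.0 - control.sle_reduction)
    aro = risk.aro * (1.0 - control.aro_reduction)
    return sle * aro


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual loss avoided minus the control's annual cost (negative: not worth buying)."""
    return (risk.ale - residual_ale(risk, control)) - control.annual_cost


def rank_controls(risks: List[Risk], controls: List[Control]) -> List[Tuple[str, float]]:
    """(control name, net benefit) pairs, best first, rounded to cents."""
    by_name: Dict[str, Risk] = {r.name: r for r in risks}
    scored = [(c.name, round(net_benefit(by_name[c.risk], c), 2)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample register (illustrative figures, not real data).
RISKS = [
    Risk("laptop theft with unencrypted customer data", sle=250_000, aro=0.5),
    Risk("web app SQL injection", sle=400_000, aro=0.25),
    Risk("phishing leads to wire fraud", sle=60_000, aro=2.0),
]

CONTROLS = [
    Control("full-disk encryption", "laptop theft with unencrypted customer data",
            annual_cost=30_000, aro_reduction=0.0, sle_reduction=0.9),
    Control("web application firewall", "web app SQL injection",
            annual_cost=45_000, aro_reduction=0.6),
    Control("secure code review and remediation", "web app SQL injection",
            annual_cost=80_000, aro_reduction=0.9),
    Control("phishing awareness training", "phishing leads to wire fraud",
            annual_cost=20_000, aro_reduction=0.4),
    Control("guard posted at every desk", "laptop theft with unencrypted customer data",
            annual_cost=500_000, aro_reduction=0.95),
]

if __name__ == "__main__":
    print(f"{'net benefit / yr':>18}  control")
    for name, benefit in rank_controls(RISKS, CONTROLS):
        print(f"{benefit:>18,.2f}  {name}")
```

Two things the output makes visible that a qualitative “high/medium/low” list does not: a control can be very effective and still a bad buy (the guard removes almost all of the theft risk and still loses money), and the lower-cost control for a given risk can beat the more thorough one once cost is netted out. Both are the kind of fact a decision-maker can say “no” to with open eyes.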

Sources for information on risk analysis and risk management:

NIST 800-30, Risk Management Guide for Information Technology Systems
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
FRAP (Facilitated Risk Analysis Process)


Newswires are carrying a story describing the arrest of several suspects in countries around the world in what is claimed to be the largest ID theft ring in history. This group is accused of possessing over 40 million credit and debit card numbers, including those from the colossal TJX breach a couple of years ago.

The U.S. Department of Justice claims that some of those arrested are the same persons who broke into TJX’s network.  So this may not merely be a matter of the middlemen being caught, but the actual perpetrators of the TJX break-in.

Stories like this often fade into the background.  Criminal and court proceedings take a very long time and generally do not hold our interest.  Those in my profession (data security) will probably keep a closer eye on this matter than the general public.

Links to news story:

LA Times

CTV News

Bankinfo Security

AP via YouTube:


Today is the last day to buy Microsoft Windows XP.

It’s the end of an era.

I’m glad I don’t need a new OS right now, but next time I’m in the market for a computer, it’s going to be running Linux. I used Vista for six months (even wrote an e-book about its security), and it was so intolerable that I switched back to XP.

Microsoft has SO violated the public trust with Vista. I have no confidence that Windows 7 will be any better. In fact, it may be worse. I will be long gone.

Apparently the protests and petitions sent to Microsoft have fallen on deaf ears.  Microsoft is apparently so full of itself that it really believes that Vista is better. After all, look at the numbers: it’s selling like crazy (never mind that dealers have little choice but to gag what is forced down their throats).

One independent computer dealer I know is selling all of his new computers with Linux, and is doing well.  I’m sure that there are many more like him.

Articles:

Microsoft to stop selling XP on Monday