The Fatal Flaw In IT Security

Published on 10. Dec, 2009 by Jon DiPietro in Best Practices


“There is no such thing as 100% inspection.”

According to Dr. Jim Stewart of Northern Illinois University in DeKalb, IL: “While working on my dissertation, I was reviewing some trade magazines from the ’50s. There were a number of case studies showing 50-75% efficiency and a breakage rate (visual inspections of wire wraps with pics) of 10-15%. Giving an effectiveness of 40-65%.”

The problem is that many IT departments do not understand this concept and are deluding themselves with a false sense of security, believing that they are in control.

Zero Defects

When you are manufacturing widgets, your goal is zero defects. From the start of the industrial revolution until relatively recently, it was a firmly held belief that you could hire inspectors to look at every single part coming off the final assembly line and determine whether or not it sufficiently conformed to the requirements, whatever those may be. This was a great plan except for one minor detail: it doesn’t work very well. As it turns out, there are not enough hours in the day, not enough test equipment available, and not enough technical skill to inspect every single widget and catch every single defective part. Some will always slip through. Many companies may have discovered this fact, but they typically adopted the “close enough” strategy.

As it turns out, over time manufacturers discovered much more reliable methods for producing widgets of superior quality. They understood that the best way to avoid shipping defective widgets was to prevent defects from happening in the first place, not simply scrapping the defective part when it was found at final inspection. How did they do this? There were two main components of the strategy.

Sampling

It can be mathematically demonstrated that taking a “statistically relevant” sample of parts from an assembly line and measuring critical control parameters to ensure that the process is “in control” can result in far better overall quality than 100% inspection. It also has two additional benefits. First, because you are only inspecting a sample of the overall production stream, it requires fewer resources and costs less. Second, this check can be performed at each stage of the production process, which catches problems earlier and reduces scrap losses.

The challenges here are in a) determining statistical relevance and b) identifying critical control parameters. The equivalents in the world of IT security are not necessarily apparent, but the principles are still relevant in some areas such as intrusion detection and Internet usage.
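The “in control” check described above is a statistical process control chart: establish a baseline defect proportion from early samples, compute control limits around it, and flag any later sample that falls outside them. The following is an added illustration, not code from the original post, of a p-chart over constructed sample data; the same logic applies to the IT equivalents the post mentions, such as the per-hour count of alerts an intrusion detection system raises out of the connections it sampled.

```python
import math
from typing import List, Tuple

# Constructed sample data (not from the post): for each of 12 sampling
# windows, (items inspected, items found defective). Read it as parts
# pulled from a line, or as connections sampled per hour with the number
# an IDS flagged. The process drifts upward in the last three windows.
SAMPLES: List[Tuple[int, int]] = [
    (200, 4), (200, 5), (200, 3), (200, 6), (200, 4), (200, 5),
    (200, 3), (200, 4), (200, 6), (200, 15), (200, 18), (200, 21),
]


def baseline_rate(samples: List[Tuple[int, int]], n_baseline: int) -> float:
    """Estimate the process defect proportion (p-bar) from the first
    n_baseline windows, which are assumed to reflect the in-control process."""
    inspected = sum(n for n, _ in samples[:n_baseline])
    defective = sum(d for _, d in samples[:n_baseline])
    return defective / inspected


def control_limits(p_bar: float, n: int, z: float = 3.0) -> Tuple[float, float]:
    """p-chart limits for a window of n items: p-bar +/- z standard errors,
    clipped to the valid proportion range [0, 1]."""
    sigma = math.sqrt(p_bar * (1.0 - p_bar) / n)
    return max(0.0, p_bar - z * sigma), min(1.0, p_bar + z * sigma)


def out_of_control(samples: List[Tuple[int, int]],
                   n_baseline: int = 8, z: float = 3.0) -> List[int]:
    """Return the indices of windows whose defect proportion breaches the
    control limits derived from the baseline windows."""
    p_bar = baseline_rate(samples, n_baseline)
    flagged = []
    for i, (n, d) in enumerate(samples):
        lcl, ucl = control_limits(p_bar, n, z)
        p = d / n
        if p > ucl or p < lcl:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    p_bar = baseline_rate(SAMPLES, 8)
    print(f"baseline defect proportion: {p_bar:.4f}")
    for i, (n, d) in enumerate(SAMPLES):
        lcl, ucl = control_limits(p_bar, n)
        status = "OUT OF CONTROL" if i in out_of_control(SAMPLES) else "ok"
        print(f"window {i:2d}: {d:3d}/{n} = {d / n:.3f}  limits [{lcl:.3f}, {ucl:.3f}]  {status}")
```

With the constructed data the first nine windows sit inside the limits and windows 9, 10 and 11 are flagged, which is the point of the post: a modest sample per window is enough to notice that the process has drifted, without inspecting every item. The baseline window count and the three-sigma width are the two judgement calls the post names (statistical relevance and which parameter to watch).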

Training

The factor that makes the most significant difference and is also the most directly applicable to IT security is training. In most Japanese manufacturing facilities, assemblers are responsible for the maintenance of the machines they use. There are two reasons for this. The first is to establish a sense of ownership of the process. Operators who are responsible for repairing their own machines will generally treat them with greater care and respect. The second reason is to give the operator a much deeper understanding of the process and an innate ability to sense when something is not quite right. This approach obviously involves a significant amount of training. However, in the long run it saves money by significantly reducing defects and producing more efficient workers.

The equivalent in the IT world is to train and empower users to be the mechanics for their own production tools: their computers. This does not mean turning them all into PC technicians. It does, however, mean training them in the proper use and preventive maintenance of the machine and making them responsible for ensuring that their tool is in good working order. By giving them a sense of ownership, you give them an incentive to treat the machine (computer) with more care and respect. By training them in its proper use and maintenance, you empower them to use the computer as a tool and become true innovators, not simply trained chimps tapping the same series of keys in their cages.

When you treat people like adults and professionals, you are bound to be disappointed from time to time. However, it has been my experience that the number of humans who will exceed expectations far outweighs the number who fall short. Far too many IT departments view it as no coincidence that “user” is a four-letter word. That’s unfortunate, because when you stop viewing users as an inconvenience and start viewing them as an asset, wonderful things can happen.

Conclusion

The answer isn't more locks - it's smarter security guards.

There is no such thing as 100% inspection, just as there is no such thing as an impenetrable firewall, an unhackable password policy, an infallible virus protection program, or a memory stick that can’t be lost. Each and every IT security tactic comes at a price in terms of both cash outlay and diminished efficiency. Furthermore, the most common tactic employed by deliberate hackers is social engineering. There are still no hardware or software solutions to that vulnerability.

Incidentally, I have never seen an IT department measure, much less justify, the cost and impact of many security measures in reduced worker productivity. But much more dangerous than that, too many companies have sold themselves on the lie that 100% inspection is “good enough.”

High Five for Week Ending 15-Nov

Published on 15. Nov, 2009 by Jon DiPietro in High Five

Weekly High Five lists the most interesting, compelling, and/or useful links of each week.

This week’s High Five is all about cyber security. There are a couple of stories about protecting yourself, and two very important stories about protecting critical infrastructure.

#5: EU Wants Consent for Every Web Cookie

This is a story about the nanny state run amok. Cookies are little chunks of text that web sites leave on your computer so that they can remember who you are when you return to their site, and store some information about your preferences and habits while on their site. Limiting their use will lead to a greatly reduced user experience, not to mention tremendous expense to all web site providers who will need to rework their architecture.

Link: TechRadar.com

#4: Stop Paying for Windows Security; Microsoft’s Security Tools Are Good Enough

Lifehacker makes the case that the free suite of security tools from Microsoft has reached the point where it is at least as good as paid versions like Norton Antivirus. The reality is that understanding how to avoid scams and dangerous web sites is at least as important as security software.

Link: Lifehacker

#3: Banned Xbox 360s Flooding Craigslist, Ebay

If you’re looking for used bargains this Christmas season, be particularly wary of purchasing used Xbox 360 consoles. Microsoft recently began “actively banning consoles from Xbox LIVE that have been modified to play pirated games.” These castrated units are now finding their way to the classified ads.

Link: PC World

#2: Cyber War: Sabotaging the System

60 Minutes broadcast an important story about vulnerabilities in critical infrastructure and the threats posed by hackers and nation states. Parts of the story are a bit sensationalized (I know, shocking), if not downright misleading. Still, we need an awakening with regard to cyber security and the crucial role every user plays in keeping our systems safe.

Link: CBS News

#1: Control system cyber events, 60 Minutes, disclosure, and FUD

The previously mentioned 60 Minutes story touched off a firestorm of discussion on a cyber security mailing list I subscribe to. This article is a response by Joe Weiss, who is one of the world’s foremost experts in cyber security of process control systems and has even testified before Congress.

Link: ControlGlobal

Feel free to provide your thoughts and/or contributions…

High Five for Week Ending 25-Oct 2009
Weekly High Five lists the most interesting, compelling, and/or useful links of each week.

This week saw a couple of major releases: Windows 7 and a new Facebook user interface. On the surface, the new Facebook “Live” and “News” streams may seem innocuous, if not confusing, to most; but they are an obvious reflection of Facebook’s recent hiring of the FriendFeed founders and indicate its intent to leverage real time search as part of its business model.

#5: How To Build A WiFi Home Surveillance System With Your PC

Our next door neighbor’s home was broken into a couple of weeks ago and suffered significant loss. I’ve been researching various surveillance options and found this:

http://www.makeuseof.com/tag/how-to-build-a-wifi-home-surveillance-system-with-your-pc/

#4: Email Being Replaced by Social Networks? Not So Fast Wall St. Journal

As someone who is just slightly obsessive compulsive, I love symmetry, and this week’s #4 post provides the perfect follow up to the Wall St Journal article that was last week’s #4, “The End of the Email Era.” This predictable response from email marketing provider Vertical Response provides some lucid arguments against the somewhat overstated conclusions in the Wall St Journal article.

http://blog.verticalresponse.com/verticalresponse_blog/2009/10/email-being-replaced-by-social-networks-not-so-fast-wall-st-journal.html

#3: New Views for Your Home Page

The new look of Facebook’s home page is no surprise to those of us who have used FriendFeed. Recently, Facebook acquired the talent behind that social networking site and promptly gave it the “FriendFeed treatment.” The thing that flabbergasts me is that Facebook did not publicize this change ahead of time, or provide users with a link to this otherwise obscure blog post that explains the how and why of the changes:

http://blog.facebook.com/blog.php?post=162536657130

#2: Lifehacker’s Complete Guide to Windows 7

Those of you who have suffered through Windows Vista with me should run, not walk, to upgrade to Windows 7. I’m still waiting for my free upgrades to ship, but the reviews I’ve read are unanimous in their praise that W7 absolves the worst sins of the horror show that was Vista.

http://lifehacker.com/5386953/lifehackers-complete-guide-to-windows-7

#1: Scan of Internet Uncovers Thousands of Vulnerable Embedded Devices

This article covers a serious networking threat to many home users. If you use a home wireless router to connect your PCs to the Internet, and you’ve never changed the default administrator account password, you are in danger! This vulnerability has been addressed in recent years by Linksys and other manufacturers by requiring a password change before the device will work, but there are still thousands of devices in use that were taken out of the box, plugged in, and never touched again. The problem is that these routers are exposed to the Internet and all have the same factory default username and password, which allows hackers to take control of your router and, potentially, gain access to your home network.

http://www.wired.com/threatlevel/2009/10/vulnerable-devices/

Feel free to provide your thoughts and/or contributions…

The Hacker as a Magician

I recently read two different stories that I probably never would have connected, had I not read them within 24 hours of one another. It struck a chord with me because it made me think about a particular pet peeve of mine in a slightly new way. But more about that later.

The first article was entitled “Social Engineering 101: Mitnick and other hackers show how it’s done.” Kevin Mitnick was the computer hacker who allegedly used the telephone system to hack into NORAD and was the inspiration for the movie WarGames. This article contains several YouTube videos in which Mitnick and other hackers describe social engineering tricks they’ve used to successfully trick employees into releasing sensitive information. The examples are at once hilarious and horrifying.

The second article was a blog entry entitled “The Magic of Marketing” on Guy Kawasaki’s “How to Change the World” blog. In it, he talks about research conducted on the relationship between misdirection and social cues. In a nutshell, one experiment found that the way a magician used his eyes influenced the audience and helped to induce the misdirection required for the illusion. Kawasaki, whose marketing gears are moving full speed 24/7, made the keen observation that similar social cues can influence marketing.

I’m sure by now you’ve made the same connection: Mitnick and other social engineers use common social cues to their advantage in order to create the misdirection that lets them create whatever illusion they wish. Now I can bring this home to my pet peeve regarding IT security: reliance on technology while ignoring the weakest link… people.

I am a firm believer that an ounce of prevention is worth a pound of cure, and that applies to security as well. Basic employee education and standard computer and internet use policies are a major step in the right direction toward closing some of those holes. But during my travels as a technology consultant, I am disappointed by the number of organizations that don’t seem to “get it.” Too many of them exist in a sense of security (pun intended) that their firewalls, IPSs, and security agents will keep them safe.

One, two! One, two! And through and through
The vorpal blade went snicker-snack!
He left it dead, and with its head
He went galumphing back.