Jon DiPietro is Domesticating IT

Weekly High Five lists the most interesting, compelling, and/or useful links of each week.

This week’s High Five theme is, “Facebook is changing the game.”

#5: Nielsen: Facebook’s Ads Work Pretty Well

According to this Nielsen article, “The study of more than 800,000 Facebook users and ads from 14 brands in a variety of categories shows a marked increase in ad recall, awareness and purchase intent when home-page ads on the social network mention friends of users who’ve become fans of the brand in the ad.”  One of the comments regarding this study was “What it doesn’t do is give the cross-media understanding of how does this piece fit into overall marketing plans.”  The irony is that Facebook’s announcements this week provide the backdrop for those plans.

Link: Advertising Age

#4: Microsoft And Facebook Join Forces To Crush Google Docs

There have been hints from pundits and observers for quite some time about Facebook (and Twitter for that matter) challenging Google in the search space.  The announcement that Facebook is going to throw its hat into the document collaboration ring came a little bit out of the blue (at least for me).  Combined with the other announcements this week (see below), there is no doubt that Facebook intends to be the ultimate power in the universe.

Link: Business Insider

#3: How to Delete Facebook Applications (and Why You Should)

As Facebook takes bold, new steps to spread its influence across the web, users need to be aware of the implications new Facebook privacy policies.  One major change is that your Facebook friends can share your information without your knowledge.  Another change, discussed in this article, is a loosening of the restrictions previously placed on applications like Farmville and Photo of the Day.  These applications may now store your personal profile information whereas they previously had to retrieve it from Facebook’s servers every time they wanted it.  This opens up additional security vulnerabilities, which prompted this article that describes some sensible steps to audit your privacy settings.

Link: ReadWriteWeb

#2: I Think Facebook Just Seized Control Of The Internet

If it’s possible for an eight hundred pound gorilla to fly under the radar, Facebook is doing it (did I just mix some strange metaphors?).  The announcements made at Facebook’s f8 conference this week could fundamentally change the way we use the Internet.  And that’s not hyperbole.  The social plugins and Open Graph integration have the potential to shift the balance of power from Google’s algorithms to Facebook’s social relationships.  It boils down to this… When you execute a search, what do you value more; the stuff Google thinks is important or the stuff your family, friends and colleagues think is important?

Link: TechCrunch

#1: Facebook’s ambition

If the previous article scares you at least a little bit, then that just means you’re paying attention.  This epic article from Robert Scoble provides a litany of benefits, concerns, dangers, and challenges associated with these developments.  Some people and organizations are jumping into the pool with both feet, while others are pledging never to subjugated.  ”May you live in interesting times.”  Indeed!

Link: Scobleizer

Feel free to provide your thoughts and/or contributions…

Continue Reading

“There is no such thing as 100% inspection.”

According to Dr. Jim Stewart of Northern Illinois University in DeKalb, IL “While working on my dissertation, I was reviewing some trade magazines from the 50′s. There were a number of case studies showing 50-75% efficiency and a breakage rate (visual inspections of wire wraps with pics) of 10-15%. Giving an effectiveness of 40-65%.”

The problem is, many IT departments do not understand this concept and are deluding themselves into a false sense of security that they are in control.

Zero Defects

When you are manufacturing widgets, your goal is for zero defects. From the start of the industrial revolution until relatively recently, it was a firmly held belief that you could hire inspectors to look at every single part coming off of the final assembly line and determine whether or not it sufficiently conformed to the requirements; whatever those may be. This was a great plan except for one minor detail; it doesn’t work very well. As it turns out, there are not enough hours in the day, not enough test equipment available, and not enough technical skill to inspect every single widget and catch every single defective part. Some will always slip through. Many companies may have discovered this fact, but typically adopted the “close enough” strategy.

As it turns out, over time manufacturers discovered much more reliable methods for producing widgets of superior quality. They understood that the best way to avoid shipping defective widgets was to prevent defects from happening in the first place, not simply scrapping the defective part when it was found at final inspection. How did they do this? There were two main components of the strategy.

Sampling

It can be mathematically demonstrated that taking a “statistically relevant” sampling of parts from an assembly line and measuring critical control parameters to ensure that the process is “in control” can result in far better overall quality than 100% inspection. It also has two additional benefits. First, because you are only inspecting a sampling of the overall production stream, it requires fewer resources and costs less. Second, this step can be performed at each step in the production process, which can catch problems earlier on and reduce scrap losses.

The challenges here are in a) determining statistical relevance and b) identifying critical control parameters. The equivalents in the world of IT security are not necessarily apparent but, the principals are still relevant in some areas such as intrusion detection and Internet usage.

Training

The factor that makes the most significant difference and is also the most directly applicable to IT security is training. In most Japanese manufacturing facilities, assemblers are responsible for the maintenance of the machines they use. There are two reasons for this. The first is to establish a sense of ownership of the process. Operators who are responsible for repairing their own machines will generally treat them with greater care and respect. The second reason is to give the operator a much deeper understanding of the process and an innate ability to sense when something is not quite right. This approach obviously involves a significant amount of training. However, in the long run it saves money by significantly reducing defects and producing more efficient workers.

The equivalent in the IT world is to train and empower users to be the mechanics for their own production tools; their computers. This does not mean turning them all into PC technicians. It does, however, mean training them in its proper use and preventative maintenance and making them responsible for ensuring that their tool is in good working order. By giving them a sense of ownership, you incent them to treat the machine (computer) with more care and respect. By training them in its proper use and maintenance, you empower them to use the computer as a tool and become true innovators, not simply trained chimps tapping the same series of keys in their cages.
When you treat people like adults and professionals, you are bound to be disappointed from time to time. However, it has been my experience that the numbers of humans who will exceed expectations far outweigh those who fall short. Far too many IT departments view it as no coincidence that “user” is a four letter word. That’s unfortunate because when you stop viewing users as an inconvenience and start viewing them as an asset, wonderful things can happen.

Conclusion

The answer isn't more locks - it's smarter security guards.

There is no such thing as 100% inspection, just like there is no such thing as an impenetrable firewall, an unhackable password policy, an infallible virus protection program, or a memory stick that can’t be lost. Each and every IT security tactic comes at a price in terms of both cash outlay and diminished efficiency.  Furthermore, the most common tactic employed by deliberate hackers is social engineering.  There are still no hardware or software solutions to that vulnerability

Incidentally, I have never seen an IT department measure, much less justify, the cost and impact of many security measures in reduced worker productivity. But much more dangerous than that, too many companies have sold themselves on the lie that 100% inspection is “good enough.”

Continue Reading

Weekly High Five lists the most interesting, compelling, and/or useful links of each week.

This week’s High Five is all about cyber security.  There are a couple of stories about protecting yourself, and two very important stories about protecting critical infrastructure.

#5: EU Wants Consent for Every Web Cookie

This is a story about the nanny state run amok.  Cookies are little chunks of text that web sites leave on your computer so that they can remember who you are when you return to their site, and store some information about your preferences and habits while on their site.  Limiting their use will lead to a greatly reduced user experience, not mention tremendous expense to all web site providers who will need to rework their architecture.

Link: TechRadar.com

#4:Stop Paying for Windows Security; Microsoft’s Security Tools Are Good Enough

Lifehacker makes the case the the free suite of security tools from Microsoft have reached the point where they are at least as good as the paid versions like Norton Antivirus.  The reality is understanding how to avoid scams and dangerous web sites is at least as important security software.

Link: Lifehacker

#3: Banned Xbox 360s Flooding Craigslist, Ebay

If you’re looking for used bargains this Christmas season, be particularly wary of purchasing used Xbox 360 consoles.  Microsoft recently began “actively banning consoles from Xbox LIVE that have been modified to play pirated games.”  These castrated units are now finding their way to the classified ads.

Link: PC World

#2: Cyber War: Sabotaging the System

60 Minutes broadcast an important story about vulnerabilities in critical infrastructure and the threats posed by hackers and nation states.  While parts of the story are a bit sensationalized (I know, shocking) if not downright misleading.  However, we still need an awakening with regard to cyber security and the crucial role every user plays in keeping our systems safe.

Link: CBS News

#1: Control system cyber events, 60 Minutes, disclosure, and FUD

The previously mentioned 60 Minutes story touched off a firestorm of discussion on a cyber security mailing list I subscribe to.  This article is a response by Joe Weiss, who is one of the world’s foremost experts in cyber security of process control systems and has even testified before Congress.

Link: ControlGlobal

Feel free to provide your thoughts and/or contributions…

Continue Reading

This afternoon I presented “Introduction to Cybersecurity” to members of the New England Water Works Association in New Haven, CT.  The presentation focuses a recurring theme of this blog; no/low cost options for improving security.  This particular presentation focuses on the particular challenges faced with securing SCADA (Supervisory Control And Data Acquisition) systems.

During the presenation, I stressed the point that humans are the weakest link.  I wish it had occured to me to embed the following video of Kevin Mitnick demonstrating social engineering techniques:

Remember, people are the weakest link.

Continue Reading

Is cyber security a technology problem or a people problem?

Cyber security is complex, highly technical subject that is best left to the Asperger-nerd in the computer room battling against the pimply-faced hacker sucking down Mountain Dew in his mother’s basement, right?  It’s a cat and mouse game that pits the white hats against the black hats, the antivirus computer scientists against the hackers, right?  It’s certainly not the realm of the average small business owner, right?  Wrong, wrong, and wrong!

What if I told you that human error was more responsible for data breaches in 2008 than hacking?  What if I told you that hacking was third on the Identity Theft Resource Center’s (ITRC) categorized list of data loss methods?  The reality is that cyber security is a people problem first and a technology problem second.

More Awareness, Less Reliance

I’ve come to a remarkable, if not depressing realization in my information technology career.  Over the last 20 years of consulting, I’ve visited scores of clients in hundreds of facilities and I can easily count the number of times I was ever given any sort of cyber security orientation – exactly once.  I’ve walked into propped-open back doors of more manufacturing facilities than you can shake a stick at, and more often than not waltzed right up to a machine control panel, hooked up my laptop, and started pounding away at the keyboard while smiling and waving at trusting operators I had never before met in my life.  The realization is this; the vast majority of companies, large and small alike, is completely oblivious to the weakest link in the security chain; people.

The misperception that cyber security is all about technology is a serious mistake that is made by both small and large businesses.  The small businesses often believe that they are not sophisticated enough to employ their own cyber security programs and, therefore, either ignore it altogether or simply outsource it to an IT subcontractor.  The large businesses spend millions of dollars on intrusion prevention systems, biometric security, and other sophisticated technological countermeasures.

Hopefully by now I’ve made the point that cyber security is about much more than firewalls, Trojans, and keyboard loggers.  So without further delay, here is a list of five no-cost practices every organization can implement that will go a long way toward securing their data.

Use Passwords, Use Them Well

OK, show of hands… how many of you are rolling your eyes?  It sounds obvious, but password laziness and ignorance is still the number one vulnerability for computer systems.  I understand how painful it is these days to maintain all of the user names and passwords in our lives these days.  However, it is the world we live in and we must accept it and follow these bare minimum password practices:

• No shared passwords:  This is especially common in process automation where there are many users of the same machine.  Everyone must have their own unique user name and password.
• Complex passwords:  Use combinations of letters and numbers, preferably composed of one or more words that are not in the dictionary.  Why?  Read this article about Dictionary Attacks.
• Change passwords:  This is probably the most annoying of these three practices, and I confess that it aggravates me to have to do.  However, changing passwords periodically is one of the best ways to prevent misuse of a password that is unknowingly (or even deliberately) disclosed.

Utilize Automatic Updates

Unpatched operating systems and out of date virus definitions are like the gimpy prey of a flock; they are the first to be targeted by the hunter.  Many computer viruses and other exploits rely on software vulnerabilities that are typically patched within days or weeks.  However, it is not at all unusual for me to see network servers out of date by more than a year.  Another common problem is for antivirus subscriptions to expire, preventing the virus definitions from updating.

Clean House

Every program loaded on a computer is a potential vulnerability.  The fewer of them there are, the better.  A typical Windows PC has loads of “crap-ware” installed on them that can and should be removed using the Add/Remove Programs option in Control Panel.  Additionally, there are Windows Components (e.g. Messenger, Media Player) that should be removed if not used.  Finally, there are usually Windows Services running by default that are not used.  This particular cleanup is generally left to computer professionals, as it is not always obvious which of these is required and disabling the wrong service can lead to “unexpected behavior.”

Create Policies

There are many reasons for establishing written computer and internet policies for employees.  One, of course, is legal liability for the employer.  The other is (or at least should be) educational.  It’s not enough to write up these policies; they need to be presented and explained in an open environment to ensure that they are understood and appreciated.  These policies go far beyond telling users they can’t surf porn on the company’s computers.  They need to include things like proper care and usage of portable storage devices, remote access procedures and policies, e-mail policies, etc…  You can find a list of templates at the SANS Security Policy Project web site.

Protect Sensitive Information

Insiders and subcontractors are another major vulnerability and care must be taken to provide information necessary for them to do their jobs, but no more.  This is especially true of subcontractors, of which I am one, who are frequently given and/or create sensitive documents, diagrams, lists, and other data.  It is important to establish guidelines for its use to ensure that the information is handled with care and returned or disposed of when the job is complete.  As incredible as it sounds, a subcontractor published a complete schematic of Pearl Harbor Naval Base’s power monitoring control system in a white paper available publically on the Internet (I just checked and the information has apparently been removed).

The Bonus Round

What is the hacker’s #1 tool of the trade?  I’ll give you a hint; it has nothing to do with computers.  It’s called Social Engineering and you can read more of it in my blog, “The Hacker as a Magician.”

Feel free to share your own anecdotes and pearls of wisdom on the subject.  What are some of the head-shaking moments you’ve witnessed?  Are there any “doh!” moments you care to share?

Credits and citations:

• Office thief cartoon by michael molenda
• Mr Oblivious photo by San Diego Shooter
• Data breach report from “2008 Data Breach Totals Soar”, Jan 5, 2009, Identity Theft Resource Center

Continue Reading