
When they’re good at being bad, learn from the good


More thoughts triggered by Target, because I can’t resist:

Just because they’re the bad guys, that doesn’t mean we have nothing to learn from them.

For example, hackers have a more modern management structure than most corporations, which is one reason they have no trouble staying a step ahead.

Most people think “management structure” means the organizational chart. They aren’t exactly wrong. They’re just looking in the wrong direction.

The organizational chart describes how the work of the corporation has been delegated. It starts with the CEO, who’s accountable for everything. The next layer, called the Executive Leadership Team or something like it (and it’s rarely a “team” in the sense of its members truly trusting each other and being aligned to a common purpose, but I’ll let it go) … where was I? Oh, yes, the ELT. Each member is accountable for a slice of the organization’s work. In theory, and it’s a bad theory because it’s always wrong, they each have their own, mutually exclusive partition. Add them up and you have the company as a whole.

It’s a bad theory because the organizational chart also describes decision-making authority, because as we all know, you’re supposed to match authority and responsibility.

Except you can’t, because so many important decisions cross organizational boundaries no matter how you design the org chart (“Hierarchy is dead. Long live hierarchy,” KJR, 6/15/2009).

Which is why leaders should encourage anyone to collaborate with anyone else, no matter where they sit or who they report to, to figure out whatever needs figuring out that day and to reach a reasonable decision no matter which parts of the organizational chart are supposed to have authority.

This is how you keep the organizational chart from turning into a bunch of warring silos.

The community of data thieves is organized more or less like this. It’s a bunch of autonomous actors who collaborate when it’s useful and convenient. They more or less trust each other, and are aligned to a common purpose … intrusion and theft.

Maybe loose aggregation vs hierarchy is the inevitable difference between organizing for offense and organizing for defense. So never mind information security. Businesses as a whole should be organized to play offense, which means traditional CEOs — those who prefer hierarchical decision-making at least — have something to learn from the data thieves.

Your vendors are you

In case you haven’t been paying attention, Target’s problems seem to have started with a phishing attack on one of Target’s vendors — one that provides refrigeration units to its supermarket section. The phishing attack gave the data thieves login credentials to a Target vendor portal.

First thought: We don’t know how a vendor portal could have provided access to the rest of Target’s network. Seems to me, limiting a portal’s access to the rest of the network to a small set of predefined transactions shouldn’t be all that difficult, but as I continue to emphasize, I’m not an infosec specialist.
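As an added illustration of that first thought (example code, not anything from the column or from Target), here is a sketch of a deny-by-default vendor portal: each account is scoped to a few named transactions, a request can only touch that vendor’s own records, and repeated requests outside scope are surfaced for review, because a valid credential probing beyond its scope is what a phished login looks like from the inside. The transaction names, vendor ids and review threshold are constructed.

```python
from dataclasses import dataclass, field
from collections import Counter

# Hypothetical catalogue: the only transactions the portal will forward to
# internal systems. Anything not listed has no route inward, whatever the credential.
TRANSACTIONS = {"invoice.submit", "po.read", "shipment.notify"}

# Constructed sample data: each vendor account gets only the subset it needs.
VENDOR_SCOPES = {
    "vendor-hvac-0001": {"invoice.submit", "po.read"},
    "vendor-logistics-0042": {"po.read", "shipment.notify"},
}


@dataclass
class VendorPortal:
    scopes: dict
    catalogue: set
    audit: list = field(default_factory=list)  # one record per decision

    def authorize(self, vendor_id, transaction, resource_owner=None):
        """Deny by default; return (allowed, reason) and record the decision."""
        if transaction not in self.catalogue:
            reason = "unknown-transaction"   # not a portal operation at all
        elif transaction not in self.scopes.get(vendor_id, set()):
            reason = "out-of-scope"          # valid account, wrong operation
        elif resource_owner is not None and resource_owner != vendor_id:
            reason = "foreign-resource"      # e.g. reading another vendor's PO
        else:
            reason = "ok"
        self.audit.append((vendor_id, transaction, reason))
        return reason == "ok", reason

    def accounts_to_review(self, threshold=3):
        """Vendor accounts whose denials reach the threshold. A credential that keeps
        asking for things outside its scope deserves a phone call to the vendor."""
        denials = Counter(v for v, _, r in self.audit if r != "ok")
        return sorted(v for v, n in denials.items() if n >= threshold)
```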

Second thought: Electronic Data Interchange (EDI) is more secure than vendor portals. Want vendors to invoice you electronically? Have them deposit electronic invoices on a server that’s disconnected from the rest of your network. Disconnect it from the Internet before importing the invoices.

Third thought: The vendor in question’s primary line of defense against Trojan horses and phishing attacks was the freeware version of Malwarebytes, a product that doesn’t provide protection against Trojan horses and phishing attacks. Click the link for details.

You’re Target. You have lots of vendors. You can’t perform an information security audit on all of them. For the minor ones, like your refrigeration vendor, you publish your requirements and trust your vendors to respond honestly on your surveys. What else can you afford to do?

At the risk of dancing beyond my bounds of expertise, a thought:

  • Right now, phishing attacks and Trojan horses are the greatest infosec threats.
  • Insider threats — disgruntled, careless, and former employees, both yours and your vendors, contractors, consultants and outsourcers who have access to your internal systems — pose bigger risks than outsiders.
  • The bad guys have no trouble flooding your employees and your vendors’ employees with phishing attacks.
  • Do it first.

I’m not suggesting you try to get employees’ on-line banking login credentials, profitable though that might be. I’m suggesting you emulate a phishing attack that tries to get vendor and employee login credentials to your own systems.

White hat phishing isn’t a new idea. Usually, it’s used to discover internal vulnerabilities.

But in 2014, as businesses increasingly source externally with portals aplenty, the distinction between inside and outside has become quite blurry.

Intruders are phishing your vendors all the time.

If you can’t beat ’em, join ’em.

* * *

Two years ago in KJR, some thoughts about the world being less than entirely flat, courtesy of a trip to Morocco, in “The world is bumpy.”

Hard to choose this week, too — lots of past columns tempted me. I couldn’t even live with just one runner up.

And so, from 2001, advice for newly hired managers on “Dealing with rivals” that wouldn’t change a bit if I were to write it today.

And from 2006 some “IT leadership musings” that wouldn’t change if I wrote them next week.

Comments (9)

  • re: Just because they’re the bad guys, that doesn’t mean we have nothing to learn from them.

    I was just recently reminded of a similar quote from Sam Clemens (Mark Twain). As best I can recall it goes something like this.

    “No one is completely useless. They can always serve as a bad example”

    Cheers,

  • I’m also not an infosec specialist but I think it would be safe to assume that any credentials you give to a vendor will get compromised. So you need to have sufficient identity-based security to make sure that vendor, or whoever is using the credentials, can’t get to anything they shouldn’t. And don’t give the user access to all the resources the backend process they’re interacting with needs. You want to be thinking about very granular security — think Domino or eDirectory.

  • Bob:

    This isn’t about infosec, but your remark “why leaders should encourage anyone to collaborate with anyone else, no matter where they sit or who they report to, to figure out whatever needs figuring out that day and to reach a reasonable decision no matter which parts of the organizational chart are supposed to have authority.”

    Many years ago, I was part of a Software Engineering group that lost its manager. Our General Manager, the seniormost executive on site, did not appoint a new SE manager but made himself the acting SE manager; this was complicated by the fact that he spent most of his time out of town, if not out of country. When there was a problem to be solved or new assignment, the SE group simply held a meeting, decided which person or persons were the logical ones to take care of it and turned him or them loose. Although I would never have believed it, this system worked for 18 months. The GM’s main role was to sign performance reviews. (I don’t know about the other SEs, but I wrote my own review.)

    After 18 months, the GM apparently got nervous about this autonomous work group and appointed an SE to be manager. We continued to function as before for a while, until restructuring and company politics dropped a monkey wrench into the workings.

    Just an anecdote about how one group managed in the absence of management. I doubt that it could work in many other situations.

    Regards
    Lou

  • Enough! I’ve received five copies of this email so far. Must I unsubscribe?

    • I thought my mail service had this fixed. Apparently not. Sorry for the inconvenience. I continue to beat on them.

      • Thanks. I have deep sympathy for the hassle dealing with your emails (rather than simply writing them), but I’ve received this six times so far today (between 10 and 3 eastern).

  • Interesting column in an area where I have next to nothing in real expertise, so thanks. But I have to disagree with you, a bit, when you talked about hierarchy for defense and loose aggression for offense. In pro football, it’s the defense that is relatively loose aggression and the offense that is a tight hierarchy. On offense, the goal is the maximum global coordination of all 11 players to achieve a known goal, namely, whatever play is called. On defense, the approach is necessarily reactive. Using very limited information, maximize your resources for coordinated local response.

    On offense, the responsibility and rewards are global and hierarchical. On defense, the responsibilities and rewards are mostly local, which is not always the case in larger businesses.

    To me, it makes more sense to organize a larger business according to whether areas of functionality are local or global: where they are local, like sales and some fulfillment, loose aggression is a good approach, whereas other areas, like finance, plant maintenance and IT, are global and need global authority to do their jobs.

    Maybe the structure should be regular uploads from Windows/Mac software to Unix/Linux distributed systems.

    But, that’s a wild guess to what seems to be a tough problem.

  • Received this post 7 times.

    • Apologies to all for this. I’ve been trying to get my emailing service (1and1.com – it’s time for them to get some public embarrassment) to take this seriously. We went two weeks without incident, so I thought they had it fixed. Apparently not.

      My apologies for the annoying repetition. Please be assured I’m not sending it out this many times.
