Imagine for a moment that a gang of bank robbers decided to target the big guys — Citi, JPMorgan Chase, Bank of America, Wells Fargo — you know, the ones where a billion dollars is petty cash.

The robberies always use the same basic techniques, and the amounts stolen are starting to add up.

Plus, it’s embarrassing. But so far nobody has managed to catch the culprits.

Do you think these companies would have the wherewithal to take care of the problem?

Listen to the apostles of capitalism and you might think so. And yet, in the contest between world corporatism and cybercriminals, the cybercriminals aren’t just winning. They’re winning with impunity, so much so that InfoWorld’s Roger Grimes (not the kind of person you’d call a hysteric) is using words like “crisis” and “catastrophe” to describe the situation.

Now I ain’t no expert. And as regular readers know I try to avoid the grand American inverse correlation between knowledge and strength of opinion, so I’m not claiming to have the solution, or even a solution.

Just some notions. Like these two for all corporations:

  • Spend more. No, you can’t solve problems by throwing money at them. You also can’t solve them by refusing to spend money on them.

Target, for example, expects its data breach will cost it something like a billion dollars in direct costs, and that doesn’t include damage to its brand and lost customer loyalty. And Target’s cybersecurity wasn’t all that much worse than average.

Its cybersecurity budget? Do some Googling and back-of-the-envelope scratching (I couldn’t track down the number) and you’ll probably arrive at a number along the lines of $125 million. Do the math.

  • Practice identity management 101: I don’t have a statistically valid sample, but I am invited into enough companies to think this conclusion is reliable: Way too many companies are way too sloppy about identity management.

We’re talking about the basics, not anything fancy. Lots of companies provision new employees by “making her like him” instead of by defining access rights and restrictions by role. Way too many add rights as employees take on new responsibilities without removing the ones they don’t need anymore.

This isn’t complicated. Just time consuming. Also, silo-busting, because HR should be the hub, not IT. After all, every hire, transfer, promotion and termination flows through HR, and these are the exact events that should trigger changes in rights and restrictions.
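The two habits described above, replayed against role-defined provisioning driven by the HR event feed. This is an added example, not from the original column; the role names, entitlements and HR events are constructed for illustration.

```python
# Added example: role names, entitlements and the HR feed are constructed.
ROLE_RIGHTS = {
    "ap_clerk":   {"erp:invoice_entry", "fileshare:finance"},
    "ap_manager": {"erp:invoice_entry", "erp:payment_approve", "fileshare:finance"},
    "recruiter":  {"hris:candidates", "fileshare:hr"},
}
HR_FEED = [
    {"type": "hire",        "user": "bob",   "role": "ap_clerk"},
    {"type": "promotion",   "user": "bob",   "role": "ap_manager"},
    {"type": "transfer",    "user": "bob",   "role": "recruiter"},
    {"type": "hire",        "user": "alice", "role": "recruiter", "like": "bob"},
    {"type": "hire",        "user": "carol", "role": "ap_clerk"},
    {"type": "termination", "user": "carol"},
]

def provision(feed, by_role):
    """Replay HR events; return (rights per account, current role per account)."""
    rights, roles = {}, {}
    for ev in feed:
        user = ev["user"]
        if ev["type"] == "termination":
            rights[user] = set()
            roles.pop(user, None)
            continue
        roles[user] = ev["role"]
        if by_role:
            # Role-defined: replace the whole set on every HR event.
            rights[user] = set(ROLE_RIGHTS[ev["role"]])
        elif "like" in ev:
            # "Make her like him": copy whatever the template account holds.
            rights[user] = set(rights[ev["like"]])
        else:
            # Add the new role's rights, never remove the old ones.
            rights.setdefault(user, set()).update(ROLE_RIGHTS[ev["role"]])
    return rights, roles

def excess_rights(rights, roles):
    """Entitlements each account holds beyond what its current role defines."""
    report = {}
    for user, held in rights.items():
        extra = held - ROLE_RIGHTS.get(roles.get(user), set())
        if extra:
            report[user] = sorted(extra)
    return report

if __name__ == "__main__":
    for label, by_role in (("ad hoc", False), ("role-based", True)):
        print(label, excess_rights(*provision(HR_FEED, by_role)))
```

Run against a real directory export, `excess_rights` doubles as a periodic access review: any non-empty result is an account whose rights no longer match its HR record.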

Corporations can certainly do better when it comes to protecting their cyber assets. The cyberprotection industry worries me more. In the aggregate they (truth in advertising: I’m a Dell employee. Elsewhere at Dell we have information security products and consultants, so in a sense “they” is “we”) … in the aggregate the cyberprotection industry has more money to spend on defense than the bad guys have to spend on offense.

Yes, offense is easier. And yet, if everyone involved pooled their knowledge and resources …

Phishing attacks are the biggest source of security breaches. Couldn’t, for example, IBM put Watson on the hunt? It’s a classic big-data-analytics problem. Even without creating a public repository for everyone in the world to send phishing emails they receive, IBM employs enough people to get this started.

If Watson-style technology can spot credit card fraud, surely its analytics can spot phishing attacks as well.

Here’s another: Stop with signatures already and deal with behavior. As in, the problem with computer viruses is that they make computers do things the computers’ owners don’t want them to do.

I know I’m going out on a limb here on the strongly-held-opinion-correlated-with-ignorance front. Still, bear with me.

What does malware do? It: wipes hard drives; sends out data without a triggering keyboard or mouse command; updates files and databases without a triggering keystroke or mouse command; sends out massive amounts of email without a triggering keystroke or mouse command …

How hard can it be to write features into the OS kernel that monitor for these sorts of malware tells? Pop a big message onto the screen warning users in plain English about what their computer has been instructed to do and ask if it’s something the user wants it to do.
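A user-space sketch of that idea, added here as an example and not part of the original column: it flags watched actions that no recent keystroke or click in the same process preceded. The event format, process names, time window and the allowlist for unattended jobs are all assumptions.

```python
# Added example: event format, process names and thresholds are constructed.
from dataclasses import dataclass

INPUT_WINDOW = 5.0  # seconds an action may trail the last keystroke/click (assumed)
WATCHED = {"net_send", "file_write", "mail_send", "disk_wipe"}
EXPECTED_BACKGROUND = {"backup_agent"}  # hypothetical allowlist of unattended jobs

@dataclass
class Event:
    ts: float
    kind: str       # "input" or one of WATCHED
    process: str
    detail: str = ""

EVENTS = [  # constructed sample log
    Event(10.0, "input", "mail_client", "click Send"),
    Event(10.4, "mail_send", "mail_client", "1 recipient"),
    Event(60.0, "file_write", "backup_agent", "nightly.tar"),
    Event(300.0, "mail_send", "invoice_viewer", "250 recipients"),
    Event(301.0, "net_send", "invoice_viewer", "48 MB outbound"),
    Event(400.0, "input", "editor", "keystroke"),
    Event(401.0, "file_write", "editor", "notes.txt"),
    Event(402.0, "disk_wipe", "invoice_viewer", "volume C:"),
]

def untriggered_actions(events, window=INPUT_WINDOW):
    """Return watched actions with no user input in the same process within `window`."""
    last_input = {}  # process -> timestamp of its most recent user input
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "input":
            last_input[ev.process] = ev.ts
        elif ev.kind in WATCHED and ev.process not in EXPECTED_BACKGROUND:
            seen = last_input.get(ev.process)
            # Input in another process does not count: typing in the editor
            # must not excuse what invoice_viewer does two seconds later.
            if seen is None or ev.ts - seen > window:
                alerts.append(ev)
    return alerts

def warning(ev):
    """Plain-English prompt for one flagged action."""
    action = ev.kind.replace("_", " ")
    return f"{ev.process} is trying to {action} ({ev.detail}) with no recent input from you. Allow?"

if __name__ == "__main__":
    for ev in untriggered_actions(EVENTS):
        print(warning(ev))
```

The allowlist is where the difficulty sits: backups, sync clients and updaters all act without user input, so every unattended job has to be enumerated before the prompts become usable.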

These are probably naïve and simple-minded suggestions. I’m not, after all, an expert in the field and besides, I’m giving these ideas away for free.

Unlike yours truly, the cyberprotection industry has all the expertise it needs. It has, in the aggregate, big R&D budgets. How about coupling these resources with the same level of innovative thinking cybercriminals put into their attacks?

What’s clear: Our current strategy … identifying the next threat and responding to it … guarantees we’ll always be a step behind.

My friend Adam Hartung, author of Forbes’ “Phoenix Principle” blog, is convinced we’re in the throes of a megatrend away from owning stuff. He’s further convinced this trend spells the end of corporate IT.

As covered in last week’s missive, this trend toward rentership is nowhere near an open-and-shut case. As correspondent Tim Harris points out, it’s a simple algorithm: If the costs of ownership (including intangibles), divided by total usage, exceed the cost of renting, rent. Otherwise don’t.

As for the death of IT:

According to The Phoenix Principle, the reason we wanted PCs in the first place was because of all the data we wanted to put on them. That data will now be in the cloud, so we don’t need PCs anymore.

This is bad history. I was there. We wanted PCs because of the programs we could run on them. That’s why we want smartphones too.

Yes, mobile devices can do some of what PCs can do. But does anyone seriously think you can replace a customer service rep’s PC and voice terminal with a smartphone?

The Phoenix Principle’s clincher: “What will a company need an IT department to do if employees use their own mobile devices, across common networks, using apps that cost a few bucks and store files on secure clouds?”

Answer: If?

We’ve seen this movie before. In the PC’s early days there were those who figured business users would soon be able to do on their PCs everything IT did on the mainframe, using cheap, simple programs without any need for IT involvement.

Another Phoenix Principle point: “If corporate technology is reduced to just operating some ‘core’ large functions like accounting, how big — or strategic — is IT? The ‘T’ (technology) becomes irrelevant as people focus on gathering and analyzing information. But that’s not been the historical training for IT employees.”

I agree. This entirely imaginary IT that never, for example, existed, will go away.

Unlike real IT, which runs, not “just” some “core” large functions like accounting. It runs systems that support every function in the enterprise, from supply chain to manufacturing to sales to finance and accounting to human resources to marketing. Oh, and information technology is required for every change business executives can envision, too.

It’s as strategic as things get.

So best of luck running an enterprise on apps that cost a few bucks with files stored on secure clouds. I can see JPMorgan Chase’s CFO right now, closing the year-end books with his Android edition of Quicken.

Or, for that matter, the CMO calculating some complex analytics on a petabyte Hadoop data set stored in the cloud with her ten-buck iPhone app. “Siri, which customer demographic and psychographic segments are most likely to want our new line of fashions? Rank them in order of size and willingness to buy, correlated with color and fabric preferences.”

This latest forecast of IT going away because it’s now all so easy completely misses everything IT has actually been doing all these years:

  • IT has never insisted on owning anything. IT always performs a lease/purchase analysis for hardware. As for software, IT licenses it, except when it “rents” it via a subscription. To my direct knowledge, these practices all date to the 1970s.
  • The historical training for IT employees hasn’t included information? News to me. Designing efficient data structures is at the heart of the discipline.
  • IT isn’t, at its core, about the technology. Or about information either. The heart of IT’s job is to configure and integrate … especially integrate … the multitude of applications a large enterprise needs to operate effectively. Owning vs leasing vs renting is a blip.
  • In ownership lies risk avoidance. As someone once said, those who ignore the lessons of history are doomed to repeat the seventh grade. This lesson goes back to 2000 when Pandesic, a cloud-based joint venture (back then it was called an ASP) between Intel and SAP didn’t pan out. The result: Intel and SAP shuttered it, giving its customers three whole months to make other arrangements.

IT isn’t going away any time soon. One wonders why, for so many years, so many management pundits have engaged in so much wishful thinking on the subject.

My guess: IT is expensive and hard to understand. Shipping it all offshore, into the cloud, or both means not having to worry about it anymore. Sure it does.

And if the logic required to accept this proposition is shaky, that’s okay, because the rules of confirmation bias are clear:

We only scrutinize evidence and logic that disagrees with what we want to be true.