Archive

Archive for October, 2011

RIM or Precipice

October 31st, 2011 No comments

News of RIM’s apologies concerning the multiple-day outage of its services beginning Saturday morning October 8 illustrates a very important point. At the retail level it may be okay to remain silent or mumble about the circumstances of an outage (as my cell provider did in this case).  However, when dealing with enterprises which purchase services in mass quantities as part of a broader strategy of delivering services to their customers through a well-equipped employee base the reverse is true.  RIM had remained silent for five days about the details, causes – and most importantly – the estimates for remediation of this outage. This is inexcusable for anyone offering an enterprise class product.

A company that understands the process of maintaining its systems and services and guaranteeing the reliability of those systems and services (and the revenues they support) will over-communicate about the circumstances of any unplanned outage.  By over communicating about an outage, the company shows the extent of its understanding, preparation, and detailed response plans. Obviously, developing incident response in a professional way is time-consuming and requires a great deal of maturity on the part of the company.  After all, you might never need these procedures and processes.  Most companies discover that developing incident response processes, tests, metrics, and plans is in and of itself a developmental activity for any large organization. These benefits can take many forms but two that are relevant here are: (1) improvements in the processes that underpin reliability itself such as reliable systems and applications development and (2) improvements in the incident response process such as better root cause analysis.  A company that can discuss these issues openly with its customers can subtly communicate that it has already brought a high level of professionalism to the problem and is in a position to leverage that professionalism for the benefit of its customers and for the reputation of the company. No amount of promise making or apologizing can substitute for this.

RIM did not do this and apparently cannot do it.  In the absence of communication during an outage, one of two explanations can be considered. The company either cannot figure it out (the most generous explanation) or they know the answer but the answer is so ugly they cannot afford to tell their customers the truth. No matter how heartfelt the apology, RIM’s enterprise customers don’t want or need apologies. What they need is information, substantial and detailed assurances about future support and possibly refunds. In a sense the damage to RIM is done. Emails were dropped and the corporate processes they supported were let down in a very public way. This debacle comes at a critical and unfortunate moment for RIM in light of iPhone and Android successes. As the outage unfloded, many people were already questioning RIM’s competitiveness and the longevity of its product line.  While it is true that no other provider even comes close to the quality of RIM’s product and service design and specifications for mony corporate procurement officers, the execution in this case shows that RIM is not able to walk the talk. This brings into question the true definition of “enterprise class.” And the tide of “bring your own device to work” is coming in inexorably and threatens to isolate RIM on a shrinking island of customer loyalty.

I can’t think of a worse time for RIM to be facing serious questions about its product and service reliability. In 30 years of professional information security practice, I have often observed that ways can be found to cut corners when it comes to the security of information systems and “bring your own device to work” is a perfect example of this. However, when it comes to reliability enterprise buyers stick to their guns and insist on the contracted reliability or else take their business elsewhere. I wonder what deals RIM has cut over the past weeks for aggrieved companies who were harmed by RIM’s outages.  Since I am a retail, second tier customer, I have been offered “free premium applications” by RIM.  What a scream! It might be more successful to take out an ad in the Wall Street Journal apologizing for RIM’s lame offer of compensation.  I probably spent four hours trouble shooting the problem at the time.  Oh, well.   It would also be interesting to see how many inquiries have been received by insurers lately about the availability of insurance against an outage of RIMs BlackBerry enterprise service. Not a good sign for RIM in the future.

Categories: Incident Response Tags: , , , ,

The Changing Nature of Incident Response: Part 3

October 30th, 2011 No comments
The ultimate test of the value of an incident response team is how that team handles crises. Crises are generally not everyday occurrences. In fact, most issues with which an incident response team must deal are not of a bona fide emergency nature. That is why from the very onset of computer incident response teams I have objected to any incident response team name that includes “emergency” or “crisis” in it, because these terms represent little more than massive embellishment of the true nature of most of their activities.

Read more…

Categories: Network Security Tags:

The Changing Nature of Incident Response: Part 2

October 26th, 2011 No comments
Perhaps the biggest single step in the life cycle of an incident response team is going operational. The major problem with getting the Department of Energy’s incident response team operational was that there was nothing–no policies, no standards, and virtually no procedures concerning incident response at that time. The CERT/CC team claimed that it was operational at that time, but if that were true, there would have been some kind of indication that operations were taking place, and there was no indication whatsoever. One of the best ways that my management ever helped at that time was to inform me of other emergency response teams and to try to get me in touch with people who managed such efforts. One such team was the Nuclear Energy Search Team (NEST) at Lawrence Livermore National Laboratory. Discussions with the manager and some of the more senior staff members of this team helped me better understand the kind of procedures that would have to be performed, the kinds of communication that would have to occur, and how action priorities would have to be determined. Still, the nuclear arena is not all that closely aligned with the information security arena, and after I was finished meeting with NEST members I developed a kind of sinking feeling that there was much more to do than I had ever imagined. And at the time the team I managed consisted only of myself.

Read more…

Categories: Network Security Tags:

The Changing Nature of Incident Response: Part 1

October 22nd, 2011 No comments
I’ve been affiliated with incident response in one way or another since 1988. I am not saying this boastfully, as I’ve made many mistakes both in responding to incidents technically and in managing incident response efforts. At the same time, however, when I first entered the incident response arena, there were no policies, standards, and procedures, and not really any requirements, either, to guide incident response efforts. Everyone who played in this arena originally had to use a combination of intuition and learning from mistakes just to get by.

Read more…

Categories: Network Security Tags:

To Share or Not to Share, That Is the Question

October 18th, 2011 No comments
The Obama Administration (and in particular the U.S. State Department) continues to take the heat for the massive leakage of U.S. government documents courtesy of WikiLeaks (and allegedly originally because of the actions of PFC Bradley Manning). The volume of vitriol directed at President Obama and Security of State Hillary Clinton is astounding; members of the information security community have contributed more than their fair share of it. How could the U.S. government, they say, have been so negligent regarding access control that even a lowly private in the U.S. Army could allegedly gain access to these documents?

Read more…

Categories: Network Security Tags:

A DLP Success Story

October 14th, 2011 No comments
Those of us who are information security professionals know all too well that success stories in our arena are too few and far between. When we hear of one, we thus need to savor the moment. This kind of moment recently occurred within Nationwide Insurance, which not too long ago had implemented a data loss prevention (DLP) tool enterprise-wide. The DLP tool issued an alert that a Nationwide employee had sent a spreadsheet from his personal email account to his Nationwide email account. A follow-up investigation revealed that the spreadsheet contained information such as credit card numbers, Pay Pal and eBay account names, and bogus identity information, prompting an investigation by Nationwide officials who contacted law enforcement soon afterwards. The FBI Cybercrime Task Force and the U.S. Postal Inspection Service launched an investigation and ultimately determined that Bi was copying computer games to CDs and then selling the CDs for a greatly reduced price. Between 2005 and late 2009, Bi sold more than 35,000 copies valued at $700,000 on eBay and using the eBay and Pay Pal account names he had stolen as well as his own account.

Read more…

Categories: Network Security Tags:

2011: A Better Year for Information Security?

October 10th, 2011 No comments
The year 2010 is behind us; a new year is beginning. Last year will not go down in history as a particularly good year from an information security perspective. Attacks funded and initiated by countries (particularly the Peoples Republic of China) continued to occur frequently. So many denial of service (DoS) attacks came from China that domain name registrars began to distance themselves from entities in this country. The Stuxnet worm, which surfaced last year, proved for the first time that a virus or worm could actually cause physical damage to SCADA systems and, unfortunately, was almost certainly only the harbinger of a new, more formidable generation of malware. Data security breaches continued to occur at an astounding rate, as exemplified by recent statistics from the Privacy Rights Clearinghouse–nearly 600,000,000 pieces of personally identifiable information have fallen into unauthorized hands since this organization began counting in 2005. No one could have guessed the amount of information leaked to the wikileaks.org Web site, allegedly because of the actions of Private Bradley Manning of the US Army. And nobody would have imagined the ferocity of the DoS attacks that wikileaks supporters launched against Visa, MasterCard, and other credit card companies after these companies quit allowing their credit cards to be used for contributions to wikileaks. U.S. Government security efforts continued to flounder haplessly, and no major federal cybersecurity-related legislation was passed in the U.S. last year. Efforts to get a global treaty on cybercrime in place failed. Crime rings operating in Eastern Europe, Brazil, and elsewhere continued to rake in large amounts of money through a plethora of computer crime methods.

Read more…

Categories: Network Security Tags:

In Memory of Justin Peltier and Fred Villella

October 6th, 2011 No comments
In many ways 2010 was a good year, yet in many ways it was a bad one. Part of the bad side was the loss of two standouts in the information security arena, Justin Peltier and Fred Villella.

Categories: Network Security Tags: