Campaign Hacking a Reminder for Email Security

Posted by K Krasnow Waterman on Fri, Nov 07, 2008 @ 12:11 PM

Tags: access control, technology for lawyers, data protection, technology for business managers, information security, technology management, forensics, cyber-security

Computer hacks were the topic of tech news on the day after Senator Obama's historic election. On Wednesday, Newsweek reported that the Obama and McCain campaigns were the subject of computer hacks during the campaign.  The Obama campaign reported a possible email phishing attack this past summer.  They were ultimately told by federal authorities that both the Obama and McCain campaign computers had been compromised. Reports are circulating that the attacks came from a "foreign entity" and lifted significant amounts of data from both campaigns.

Also on Wednesday, malware creators took advantage of the tremendous interest in the election and began sending emails with "Obama" somewhere in the subject line.  The most common subject lines promised video of a speech, additional election coverage, or new interviews.  One security company alone reported that it had filtered more than 10 million emails in less than 6 hours on Wednesday morning.  Apparently, hundreds of thousands of people sought to open them and were instead infecting their computers with malware.

These two events highlight the importance of email security.  This is the first major election heavily conducted, financed, covered, and influenced on the web.  It reflects the transition to technology for ever-increasing numbers of the population.  And, it reflects our ready acceptance of the transition.

Too many people assume that their spam filter, anti-virus software, etc. will protect them. Yet, any technology professional will tell you that firewalls and software alone are not enough to protect a computer from data theft or destruction. They'll also tell you that emails are the easiest means of attacking computers because people still act before they think. A huge percentage of hacks rely on "social engineering" - convincing a person to do something that works to the hacker's benefit.

Education is still a significant tool in the computer security arsenal.  Users must learn to stop and ask themselves whether the email is likely to be what it seems.  First the easy questions: How likely is it that some stranger will really send you millions of dollars?  Is your US bank really going to send you any request from an email address that doesn't contain the company name?  And, if your friend really did lose a wallet on a spur-of-the-moment vacation how likely is it that she'd email you for a credit card number instead of calling her husband, the consulate, or American Express for help?

Is it possible to go the next step and teach users a little technology?  They should always check to see if the attachment they're about to open like a present on Christmas morning ends with ".exe" (a file that will execute some program).  If it does, they should beware and seek tech support.  Or can we teach them to look at the "properties" of the link they're about to click, see the web address ("URL") and recognize that the source is the wrong country?  A quick look at the domain registry will make it pretty obvious that something that purports to come from around the corner has a two-letter code that means it's really coming from a country around the world.
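The two checks described above can also be run automatically before a message reaches the user. The following Python sketch is an added example, not code from the original post: it flags attachments whose names end in an executable extension and links whose real host carries an unexpected two-letter country code. The extra extensions, the `EXPECTED_CC` set, and the sample message (including the host `news.example.zz`) are assumptions constructed for illustration.

```python
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXECUTABLE_EXT = (".exe", ".scr", ".bat")  # .exe is from the post; the others are added here
EXPECTED_CC = {"us"}                       # assumption: country codes this recipient expects

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def review_message(msg):
    """Return human-readable findings for one parsed message."""
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(EXECUTABLE_EXT):  # also catches double extensions like .avi.exe
            findings.append(f"executable attachment: {name}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = (urlsplit(href).hostname or "").rstrip(".")
            tld = host.rsplit(".", 1)[-1]
            if len(tld) == 2 and tld.isalpha() and tld not in EXPECTED_CC:
                findings.append(f"link text {text!r} leads to {host} (country code .{tld})")
    return findings

def constructed_sample():
    """Constructed message modelled on the subject lines the post describes."""
    msg = EmailMessage()
    msg["Subject"] = "Obama speech video"
    msg.set_content("See the video.")
    msg.add_alternative('<p><a href="http://news.example.zz/v">Watch on example.com</a></p>', subtype="html")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="speech_video.avi.exe")
    return msg
```

A filename check is only a first filter, since an attacker can rename a file; it complements, rather than replaces, the user's own pause before opening.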

With so much hacking going on, the problem is no longer just a technical one. More laws are creating responsibility to take reasonable care to protect other people's information and liability for failing to do so. It is important to remember that with these changes, the standard of care is expected to improve, and what was reasonable yesterday may be unreasonable today.


Software Development Cost Overruns & the Titanic

Posted by K Krasnow Waterman on Sun, Dec 16, 2007 @ 22:12 PM

Tags: technology for business managers, technology management, software development, software development cost

What do software development and the Titanic have in common? They both hit icebergs! It sounds like a bad joke, but there's an important kernel of truth here.

The software development process, unfortunately, has a predictable pattern. You, as the business leader, meet with software developers and reach agreement on "system requirements." The programmers toil and arrive with the new software and both sides are immediately unhappy. Developers think you change your mind. You think developers don't listen.

What really happens is what I call "the iceberg" phenomenon. Both sides believe they have a meeting of the minds and don't realize that their agreement rests upon a tremendous number of assumptions. You and the developers each understand the words, phrases, and concepts of any requirements document in the context of your own experience and environment. Like an iceberg, the words that are used are the 10% that both sides can see; under the surface lies the 90% that defines their differences and creates the many risks that increase time and cost.

For example, programmers don't know if a particular design will have legal implications or will cause problems for someone in the supply chain. Business professionals are facing time pressures that keep them from providing the tiny details of date formats (12/31/2007 vs 31/12/2007) or country codes which may be critical to the business. On the other hand, I once discovered business professionals phrasing a requirement in a way that was about to cause ten weeks of programming, when the right question reduced the issue to a ten minute text change. That's an iceberg!

So, what's the "sonar" for this problem? Here are four alternatives:

1) Find a translator. If you can, find someone who has worked in both worlds and can serve as the "translator" for both sides.

2) Make everyone a translator. Assign someone to create a "lexicon" - a glossary of terms that are unknown to one side or the other. To avoid definitions filled with new inscrutable terms, ask contributors to check with a twelve-year-old to see if the explanation is intelligible.

3) Create ambassadors. When possible, insist that a designer or programmer spend time at the side of the person(s) who will use the system. It's amazing how much the developers can learn through watching the workflow, overhearing an occasional conversation, or a chat at the coffee machine. If they are inalterably offsite, consider collaboration tools, giving people the ability to see and hear as much of the user's current business process as possible.

4) Require an "open" development environment. Remember that the vendor's work is not a surprise Christmas present. Consider the unorthodox approach of keeping the vendor's progress accessible at all times. Rather than waiting for benchmarks, assign someone to regularly view the developer's work. Developers using best practices will have wire diagrams, screen mock-ups, and functioning modules that will allow for course correction long before the code is finished.

I know that everyone is facing business pressure to be somewhere else, doing something else -- usually something that seems more directly relevant to the bottom line. But, I guarantee that time spent with developers while they work will save vastly greater amounts of time and money later.




Improving Business through Data - Focusing on Fundamentals

Posted by K Krasnow Waterman on Sun, Nov 04, 2007 @ 18:11 PM

Tags: technology for business managers, technology management

Business owners and managers often see Information Technology as a bottomless expense and sometimes wonder aloud what IT professionals are really doing for them. The job descriptions are an alphabet soup of acronyms and sometimes those unknown abbreviations leak into increasingly incomprehensible presentations. Slavish chasing of flavor-of-the-year certifications, software, and trademarked processes overwhelms consideration of the fundamentals.

Why, then, does IT matter? What value does it bring to every business? A computer can calculate or process things faster than a human and can store vastly greater quantities of information. For most businesses, those traits were maximized a long time ago when manual labor and paper file cabinets were replaced. Today, IT's greatest value is its contributions to senior management decision making.

Every manager is faced with the same fundamental questions:

1) How do we propose to generate revenue?

2) How should I allocate resources to accomplish that?

3) How well did we meet the revenue goal? Why?

From the business' existing stores of data, IT can provide information to assist in answering these questions. In addition, when needed, IT professionals should know the best sources of data about the performance of the competition, the demographics of the potential customer base, and be first to offer meaningful enhancements to analytic techniques.

Executives should ask the relevance to the business of any IT activity.  Data is "cleansed", "harmonized", and "integrated" not because it makes data processing more efficient but because it provides more accurate answers to business questions which ask "how many?" "who?" "what are they doing?" Software applications and visualization tools should not be replaced simply because enhanced technology is available, but only when these tools change the prism on available information and can provide more relevant insight to a manager or line of business. Even system security should not be enhanced to protect IT, but rather to protect competitive advantage and support client retention. The best IT professionals can and should always address their work from the perspective of the value it provides to the business and the bottom line.







Lucky 13, Nicely Nicely and User Attributes in Identity Management for Access Control

Posted by K Krasnow Waterman on Wed, Aug 15, 2007 @ 09:08 AM

Tags: technology innovation, access control, identity management, technology for business managers, technology, technology management

I've always loved the Guys and Dolls song in which a bunch of guys sing a catchy round about picking their favorite nag at the track. They're telling each other why they've made their pick. It goes like this:

"I got the horse right here
The name is Paul Revere
And here's a guy that says that the weather's clear
Can do, can do, this guy says the horse can do"
"I'm pickin' Valentine, 'cause on the morning line
A guy has got him figured at five to nine
I know it's Valentine, the morning work looks fine
Besides the jockey's brother's a friend of mine "
"And just a minute, boys.
I've got the feed box noise
It says the great-grandfather was Equipoise "

What does this have to do with computers? It provides an easy to understand example of how we make decisions. The gamblers are describing where they got their information and what categories of information matter to them. They rely on a favorite racing form, friends of friends, and gossip from the staff. In the brave new world of dynamic access control, we want to do the same thing to reach an automated decision about what data you can see. Instead of racing forms, we have "trusted sources" or "authoritative data" -- repositories we believe have reliable information. And, instead of the weather, lineage, and distance, we're looking for other categories of facts that consistently help us to reach our decisions.

I've recently done a project in which we attempted to define how many things you really need to know about a system user to decide whether or not s/he can have access to particular government work-related information. The idea was to see if there was a universal core of attributes that most system access rules are seeking. In other words, does the decision about what you can see in the human resources system rely on most of the same categories of information about you as the decision about what you can see in a criminal case file or a person's tax filing? Our answer is "yes," if you create the right sort of categories. And, much to our surprise, our core list is only thirteen attributes.

What's the right sort of category? Other proposals have made each fact its own category. For example, imagine an attribute which indicates whether someone is a law enforcement officer and a different one for whether someone is a lawyer. Organized that way, you would need thousands (millions?) of attribute categories. But, if you say the attribute is "job description" then you can include officer, attorney, and a million other jobs in one attribute category.

Having a small number of needed attribute categories has a tremendous advantage. It means the software can be less complex, handling a smaller number of variables. It means the processing time should be faster. In this design, each system needs to know only the values it cares about. For example, if the access rules for a system only permit government auditors and law enforcement officers to view the data, the particular system doesn't need to know that a person can be a doctor or a dog catcher. It only looks to see if the person seeking access matches (or has an equivalent to) "government auditor" or "law enforcement officer" in his "job description" attribute.

We think the 13 user attributes are:

Employer Name
Employer Subgroup (as many hierarchical levels as needed)
Employer Type (e.g., federal government, private hospital)
Employment Type (e.g., permanent, temporary assignment, contractor)
Job Designation
Location (physical and virtual)
Location Type (permanent, temporary)
Special authorities/licenses (granted by others)
Management Level
Direct Reports
Rating/Reviewing Official
Skill (ability, irrespective of outside grants)
Skill Level

So far, we haven't come across a data access rule we couldn't parse into one of these attributes. If you do, please tell me.
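To make the design concrete, here is a small attribute-based access check in Python. It is an added example, not code from the project described in the post: the snake_case keys, the `AccessRule` class, the equivalence mapping and the sample users are all assumptions constructed for illustration. The rule uses the list's "Job Designation" category for what the text above calls "job description".

```python
from dataclasses import dataclass, field

# The 13 categories listed in the post; the snake_case keys are a convention added here.
CORE_ATTRIBUTES = frozenset({
    "employer_name", "employer_subgroup", "employer_type", "employment_type",
    "job_designation", "location", "location_type", "special_authorities",
    "management_level", "direct_reports", "rating_official", "skill", "skill_level",
})

@dataclass
class AccessRule:
    """One system's rule: the categories it cares about and the values it accepts."""
    requires: dict                                    # category -> set of accepted values
    equivalents: dict = field(default_factory=dict)   # asserted value -> value this system knows

    def __post_init__(self):
        unknown = set(self.requires) - CORE_ATTRIBUTES
        if unknown or not self.requires:
            raise ValueError(f"rule must use core categories only, got extra: {sorted(unknown)}")

    def permits(self, user):
        """Default deny: every required category must be asserted and must match."""
        for category, accepted in self.requires.items():
            asserted = user.get(category, ())
            if isinstance(asserted, str):
                asserted = (asserted,)
            known = {self.equivalents.get(v.lower(), v.lower()) for v in asserted}
            if not known & accepted:
                return False
        return True

# Constructed rule for the system described above: auditors and officers only.
CASE_FILE_RULE = AccessRule(
    requires={"job_designation": {"government auditor", "law enforcement officer"}},
    equivalents={"police detective": "law enforcement officer"},  # hypothetical mapping
)

# Constructed users, as attribute assertions from a trusted source.
DETECTIVE = {"employer_type": "municipal government", "job_designation": "Police Detective"}
DOCTOR = {"employer_type": "private hospital", "job_designation": "doctor"}
NO_JOB = {"employer_name": "Example Agency"}

def decisions():
    users = {"detective": DETECTIVE, "doctor": DOCTOR, "no_job": NO_JOB}
    return {name: CASE_FILE_RULE.permits(attrs) for name, attrs in users.items()}
```

The system never needs to know that "doctor" is a valid job; it only checks whether the asserted value matches, or maps to, one of the two values its rule names, and it denies access when the attribute is missing.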


A Million New Chinese Surnames

Posted by K Krasnow Waterman on Wed, Jun 20, 2007 @ 19:06 PM

Tags: technology for business managers, technology management

Last week, the New York Times carried a small Reuters piece explaining that the Chinese government is considering having people combine their mother's and father's family names in order to dramatically expand the number of surnames in China.  With only 100 surnames currently in use, the police and other government officials are presumed to have significant difficulties distinguishing individuals.  The new combinations would create an estimated 1.3 million new surnames.

In the long run, such a change may aid authorities in distinguishing one person from another.  In the short run, though, it may create an unintended problem.  The designers of software for business and security are constantly creating system rules to reduce errors.  As business has gone global, tremendous effort has been put into dealing with the variations of names from so many cultures and countries.  For example, there are programs that have rules to "disambiguate" -- to properly match records from two people with the same name to the right person.  And, there are programs to identify "dirty" data and "cleanse" it -- to recognize common spelling, typing, or transliteration errors and change them.  The big question, then, is how many of those programs would fail to run or would run but reach the wrong results with the addition of a million new names.  Are there programs currently in use that would kick out as "dirty data" those records for Chinese citizens with surnames other than those on the list of 100?


Granular Access: Information Sharing in a World of Complex Laws & Policies

Posted by Dharmesh Shah on Sun, Nov 06, 2005 @ 10:11 AM

Tags: technology innovation, technology for lawyers, technology management

Here is the presentation I gave at an NSF Workshop on November 8, 2005

Granular Access Presentation (PDF)