Tuesday, March 25, 2014

What was the first IoT (Internet of Things), ‘Thing’?

"The Internet is dead, long live the Internet!" From the death of IPv4 and the death of the PC, through the rise of IPv6 and mobile devices, we now have the IoT, the Internet of Things.

Early discussions, the 'pre-history' of the idea, seem to date the IoT to the work of Mark Weiser in the early 1990s [1]. It can also be traced back to Karl Steinbuch, who in 1966 said "In a few decades time, computers will be interwoven into almost every industrial product" [2], or even to Nikola Tesla: "When wireless is perfectly applied the whole earth will be converted into a huge brain… and the instruments through which we shall be able to do this will be amazingly simple compared with our present telephone…. A man will be able to carry one in his vest pocket." [3]

But when was the first 'thing' hooked up to the Internet? Something other than a router, teletype, modem or server; something that already existed and served a useful purpose before the Internet, and was enhanced or enabled by it?

In the early 1980s, a group of students at Carnegie Mellon University, obviously fuelled by too much caffeine and pizza, decided to address what was becoming a huge problem, one that could have ended the promising careers of many of today's computer science luminaries. It was a problem involving space, time and, yes, the randomness availability principle.

The problem? The Coke machine on the third floor, in the main terminal room of the computer science department, was known to run out, or to serve up less than ice-cold Coca-Cola. Students, especially computer science students, known to be lazy (sorry, creative), decided to put their collective skills together to come up with a solution that would stand the test of time and quite possibly earn them a Nobel Prize. Since teleportation was out of the question, as was the installation of a food replicator (this being before the invention of the 3D printer), what did they do? Finals were around the corner and panic set in.

What was their solution? How did they solve this problem? This was the computer science department; could they solve it with COBOL or FORTRAN? What about BASIC? PL/I? To their unending embarrassment, this was not just a software problem. They needed to dig into the depths of their experience and come up with a hybrid solution that included ... hardware.

They connected the Coke machine to the ARPANET, the predecessor of the Internet, and could then check remotely not only whether the life-giving elixir was available, but whether it had been in the machine long enough to reach an acceptable level of tongue-tingling cold. [4]
This proved to be an innovation that helped launch many other Carnegie Mellon Internet projects.

Other 'things' began to spring up, replicating this life-saving innovation, all without a Mercedes GL load of patent lawyers. But alas, as the dragon found out, little Jackie Paper found other things to do with his time, and the long list of Internet Coke machines now brings up the dreaded 'Error 404' page. [5]

Let’s all mourn the passing of the first of the Internet of Things with a moment of silence and a round of ‘Puff the Magic Dragon’.[6] Life will never be the same.

(Bookmark this blog or subscribe to its RSS feed and watch for my article on the very first cloud computer ever, circa 1969.)

[1] Weiser, M.: The Computer for the 21st Century. Scientific American 265(3):94–104 (September 1991)
[2] http://postscapes.com/internet-of-things-history
[3] http://mikecane2008.wordpress.com/2008/12/03/quotes-nikola-tesla-in-1926/
[4] https://www.cs.cmu.edu/~coke
[5] http://cseweb.ucsd.edu/users/bsy/coke.html
[6] http://www.lyricsfreak.com/p/peter+paul+mary/puff+the+magic+dragon_10205000.html

Monday, March 17, 2014

Lessons from a Frog and an Ostrich

We have all heard that an ostrich will bury its head in the sand when frightened, ignoring the danger around it with an 'out of sight, out of mind' attitude. You have also heard warnings based on the story of the frog that will sit in a pan of water and, if the temperature is increased slowly, will stay there until it boils.

These are stories we tell our children to impress upon them the importance of danger signals, and of continuing to pay attention to the situation around us even when it is only a little uncomfortable right now.

Recent news that Target's CIO has resigned, that executive management is revamping the information security team to include a CISO, and reports that Target ignored malware warnings from its newly installed FireEye system all bring these stories to mind. Didn't the CIO ever have story time in kindergarten? Where was the InfoSec team when these alarms were going off? Did they have their heads in the sand, or were they overwhelmed with alerts and vulnerabilities?

No doubt the Target CIO was eminently qualified for her position. You aren't given that responsibility without a proven track record in large-scale ERP and delivery systems. Should she have taken the blame for this failure, or was this an overall failure of the culture at Target? Why didn't Target have a CISO? They spent almost $2 million on a malware detection system whose alerts they ignored. Would moving information security out of IT and into Enterprise Risk Management have helped?

Why did the CIO hang onto information security when the Federal Government has mandated CISOs for all agencies? Are major organizations finally moving towards giving the CISO a seat at 'the big table'?

Back to the Frog and Ostrich:

No ostrich has ever been seen in the wild with its head in the sand. Either this works very well, or the ostrich is smarter than its human counterparts.

Same with the frog. A slight increase in temperature and the frog will jump out of the pot. It seems that only humans will happily ignore the increasing danger around them until it is too late.

The size of your organization will dictate the size of your executive management staff and the size of your round table. A small organization may have one CTO/CIO/CSO handling all of these functions, much as the same small organization may have one VP of Sales and Marketing. Larger organizations that rely on technology have already split the CIO and CTO functions. It is time to help your organization: work with your existing InfoSec staff, ask them what they need, and implement a mature InfoSec program that includes a CISO, instead of endlessly chasing vulnerabilities and malware.

Will a CISO fix all vulnerabilities? Is this a 100% guarantee? No, but a CISO is better equipped by training and temperament to deal with the rapidly decaying information security environment. And they can be your best friend.

InfoSec professionals: re-read your CISSP CBK and see where your organization's InfoSec maturity is. Help your CIO by focusing on risk management, not security management. You will never fix all the holes, but you must help your executive management team prioritize and control risks.

For reference, please see:
Bank Info Security, "How Much Is a Good CISO Worth?": the story of the SC DOR. For want of a CISO's salary, the SC DOR's breach cost it $20 million. http://www.bankinfosecurity.com/blogs/how-much-good-ciso-worth-p-1387

This article, from nearly 4 years ago in SC Magazine: "Want to reduce IT Risk and Save Money: Hire a CISO" http://www.scmagazineuk.com/want-to-reduce-it-risk-and-save-money-hire-a-ciso/article/169823/

Target CIO Resigns, looks for security and compliance makeover: http://www.darkreading.com/attacks-breaches/target-begins-security-and-compliance-ma/240166451

Frog Fable brought to boil: http://conservationmagazine.org/2011/03/frog-fable-brought-to-boil/

Animal myths busted:  http://kids.nationalgeographic.com/kids/stories/animalsnature/animal-myths-busted/

Wednesday, March 12, 2014

Happy PI Day: Engineering Jokes

March 14 (3.14) is π Day. It is also Albert Einstein's birthday. Help celebrate the genius in all of us with these engineering jokes. For the 'unofficial' website, visit http://www.piday.org

If you think  π  is irrational, then continue.

Computer Nerd T-Shirt Slogans

  • Cannot find REALITY.SYS. Universe halted.
  • COFFEE.EXE Missing - Insert Cup and Press Any Key.
  • <-------- The information went data way --------
  • Best file compression around: "DEL *.*" = 100% COMPRESSION
  • The Definition of an UPGRADE: Take old bugs out, Put New Ones In.
  • BREAKFAST.COM Halted...Cereal Port Not Responding
  • BUFFERS=20 FILES=15 2nd Down, 4th Quarter, 5 Yards to Go!
  • Access denied-nah nah na nah nah!
  • C:\> Bad command or file name! Go stand In The Corner.
  • Bad command. Bad, bad command! Sit! Stay! Staaay...
  • Why doesn't DOS ever say "EXCELLENT command or filename!"
  • As a computer, I find your faith in technology amusing.
  • Backups? We don' NEED no Steenking backups.
  • E Pluribus Modem
  • .... File not found. Should I Fake It? (Y/N)
  • A mainframe: The biggest PC peripheral available.
  • An error? Impossible! My Modem is Error Correcting.
  • CONGRESS.SYS Corrupted: Re-boot Washington D.C. (Y/N)?
  • A computer's attention span is as long as its Power Cord.
  • Windows: Just another pane in the glass.
  • SENILE.COM found . . . Out Of Memory . . .
  • Who's General Failure & why is he reading My Disk?
  • Ultimate office automation: Networked Coffee.
  • RAM disk is not an installation procedure.
  • All computers wait at the same speed.
  • Smash forehead on keyboard to continue.....
  • ASCII stupid question, get a stupid ANSI!
  • Error: Keyboard not attached. Press F1 to Continue.
  • Hidden DOS secret: Add BUGS=OFF to your CONFIG.SYS
  • Press any key to continue or any OTHER key to quit...
  • Buy a Pentium 586/200 so you can reboot faster.
  • 2 + 2 = 5 for Extremely Large values of 2.
  • Press any key...... no, No, NO!! Not THAT one!
  • 25.8069 is the root of all evil.

Drugs vs. Software

Drug dealers: Refer to their clients as "users".
Software developers: Refer to their clients as "users".

Drug dealers: "The first one's free!"
Software developers: "Download a free trial version..."

Drug dealers: Have important South-East Asian connections (to help move stuff).
Software developers: Have important South-East Asian connections (to help debug the code).

Drug dealers: Strange jargon: "Stick", "Rock", "Wrap", "E", "Stash", "Drive By", "Hit (LSD)", "Source", "The Pigs".
Software developers: Strange jargon: "SCSI", "RTFM", "Packet", "C", "Cache", "Hit (WWW)", "Source-code", "Microsoft".

Drug dealers: Realize that there's tons of cash in the 14 to 25-year-old market.
Software developers: Realize that there's tons of cash in the 14 to 25-year-old market.

Drug dealers: Your clients really like your stuff when it works. When it doesn't work they want to kill you.
Software developers: Your clients really like your stuff when it works. When it doesn't work they want to kill you.

Drug dealers: Job is assisted by the industry producing newer, more potent product.
Software developers: Job is assisted by the industry producing newer, more potent products.

Drug dealers: When things go wrong, a "fix" is just a phone call away, but may be expensive.
Software developers: When things go wrong, a "fix" is just a phone call away, but may be expensive.

Drug dealers: A lot of successful people getting rich in this industry while still teenagers.
Software developers: A lot of successful people getting rich in this industry while still teenagers.

Drug dealers: Their product causes unhealthy addictions.
Software developers: DOOM, Quake, SimCity, Duke Nukem 3D. 'Nuff said.

Programming today is a race between software engineers
striving to build bigger and better idiot-proof programs,
and the Universe trying to produce bigger and better idiots.
So far, the Universe is winning.

Here is a list of some of the more insidious computer viruses from recent years:
  1. Paul Revere Virus - warns of an impending virus infection: 1 if by LAN, 2 if by C:\
  2. Hillary Rodham Clinton Virus- instantly turns 1 KB of disk space into 1 MB of disk space
  3. Ollie North Virus - plays a patriotic .WAV while it shreds your files
  4. Joey Buttafuoco Virus - only attacks minor files
  5. Sandy Berger Virus - stuffs files into its folders, then deletes them
  6. Denise Austin Virus - attacks your hard drive's FAT
  7. Tonya Harding Virus - turns your .BAT files into lethal weapons
  8. Oprah Winfrey Virus - your 200MB hard drive suddenly shrinks to 80MB, and then slowly expands to 300MB
  9. AT&T Virus - every three minutes it tells you what great service you are getting.
  10. Verizon Virus - every three minutes it reminds you that you're paying too much for the AT&T virus
  11. Politically Correct Virus - never calls itself a "virus," but instead refers to itself as an "electronic microorganism."
  12. Ross Perot Virus - activates every component in your system, just before the whole darn thing quits
  13. Arnold Schwarzenegger Virus - terminates and stays resident: it'll be back
  14. Government Economist Virus - nothing works, but all your diagnostic software says everything is fine
  15. Federal Bureaucrat Virus - divides your hard disk into hundreds of little units, each of which does practically nothing, but all of which claim to be the most important part of your computer
  16. Jane Fonda Virus - aids and abets other viruses on your system while your antivirus program tries to delete them
  17. Adam and Eve Virus - takes a couple of bytes out of your Apple computer
  18. Congressional Virus #1 - the computer locks up, screen splits erratically with a message appearing on each half blaming the other side for the problem
  19. Congressional Virus #2 - runs every program on the hard drive simultaneously but doesn't allow the user to accomplish anything
  20. Airline Virus - you're in Dallas, but your data is in Singapore
  21. PBS Virus - your computer stops every few minutes to ask for money
  22. Jimmy Hoffa Virus - your programs can never be found again

An Engineer in Hell

An engineer dies and reports to the pearly gates. St. Peter checks his dossier and says, "Ah, you're an engineer -- you're in the wrong place."

So the engineer reports to the gates of hell and is let in. Pretty soon, the engineer gets dissatisfied with the level of comfort in hell, and starts designing and building improvements. After a while, they've got air conditioning and flush toilets and escalators, and the engineer is a pretty popular guy.

One day God calls Satan up on the telephone and says with a sneer, "So, how's it going down there in hell?"

Satan replies, "Hey, things are going great. We've got air conditioning and flush toilets and escalators, and there's no telling what this engineer is going to come up with next."

God replies, "What??? You've got an engineer? That's a mistake -- he should never have gotten down there; send him up here."

Satan says, "No way. I like having an engineer on the staff, and I'm keeping him."

God says, "Send him back up here or I'll sue."

Satan laughs uproariously and answers, "Yeah, right. And just where are YOU going to get a lawyer?"


Heisenberg and Schrödinger get pulled over for speeding.
The cop asks Heisenberg "Do you know how fast you were going?"
Heisenberg replies, "No, but we know exactly where we are!"
The officer looks at him confused and says "you were going 108 miles per hour!"
Heisenberg throws his arms up and cries, "Great! Now we're lost!"
The officer looks over the car and asks Schrödinger if the two men have anything in the trunk.
"A cat," Schrödinger replies.
The cop opens the trunk and yells "Hey! This cat is dead."
Schrödinger angrily replies, "Well he is now."

Friday, March 7, 2014

To Achieve Good Security, you need to Focus on Business

In September 2001, as the Nimda worm devastated networks worldwide, we in IT security thought that management would finally wake up and see how important it was to secure our networks. They would begin to pay attention to the warnings from their network security people, we thought, and we would finally have the budget we needed and recognition for what we do. But we were wrong.

In 2003, the Slammer worm shut down ATMs, call centers, even 911 emergency dispatch centers. People died. "We will finally get the CEOs' and CFOs' attention," we thought again, and we were wrong again.

In the next 10 years we witnessed a succession of worms, Trojans and viruses shut down and compromise Department of Defense networks, banks and nuclear facilities. We are constantly told that our critical infrastructure is at risk: terrorists can take control of our railroads, power systems and other critical infrastructure. The time has finally come for management (and the world) to listen to us!

We held seminars and Gartner symposiums with CIOs around the world. We wrote whitepapers. Cisco, Symantec, IBM and 3Com spent billions building or buying technology to stop the attacks and secure networks.

And… It didn't work. Nothing we did could stop the attacks. We made laws, fined people, and increased penalties for hackers. We held companies liable for leaking personal private data and made them pay millions in fines.

Then, we - and I speak here as a CISO with 20 years of experience – blamed the management.

Surely, it was the CEO’s fault for not understanding cross-site scripting, SQL injection, APTs and other risks associated with the Internet.

Maybe it was the CFO who didn't understand that it’s impossible to calculate the ROI of securing the network. So we tried to come up with a strange formula called Return on Security Investment (ROSI), but the CFO saw through this and called our bluff.

We had CISO and CSO forums, councils, worldwide meetings, whitepapers, and endless PowerPoint presentations - all to come up with programs to educate the CEO and CFO. We came up with simple marketing slogans like “self-healing network”, “Security Transcends Technology” and “Security is a process not a product”. Whole companies were created to teach the CEO and CFO.

But ultimately, the CEOs and the CFOs weren't the problem – we were: CISOs, CSOs, and VPs of Network Security didn’t understand business. We refused to see that ROI was – and has to be - the driving factor for the CEO and CFO.
We need to learn their language rather than attempting to make them understand ours. We need to understand senior executive management. We need to align our priorities with theirs. It is not our job to lock down the network, keep the hackers out and prevent data loss. That should be a side effect of our real priority and a unique and valuable side effect that only we can achieve.

Our real priority is to help our $750 million company become a billion dollar company. We can’t stop running with scissors - we have to run faster and we need to make them sharper.

Too many failed security initiatives cost the company money and have had little or no effect on the ability to protect company property or client privacy. In some cases they actually hindered the company mission.

Consider the TSA in the United States. Their mission statement is “Protect the Nation's transportation systems to ensure freedom of movement for people and commerce.” So, have you flown lately? How is your “freedom of movement” at the airport? There is a 3-year-old girl with spina bifida in a wheelchair that will never threaten the transportation system again, because she is terrified to enter an airport after her experience of “freedom of movement”.

Most IT security initiatives have taken their eyes off the ball. They focus on “prevent” when they should focus on “enable”.

We need to add real value to our company, showing that a properly run security and privacy group can reduce costs, increase customer and user satisfaction and drive revenue. We need to take some courses in finance and learn about CapEx and derivatives. We should live with the following six financial terms stapled to our foreheads (or at least on our screen savers): Bottom Line, Gross Margin, Fixed versus Variable Costs, Equity versus Debt, Leverage, and Capital Expenditures.

Once you understand the priorities of the CEO and CFO, you can prioritize security budgets. Now you have the advantage, because you understand both the security implications and the financial implications. If your security initiative breaks the bank, or makes people want to drive (to a competitor) rather than fly with you, you have failed.

Keep things in perspective; keep your eye on the ball. You can become the most important member of your firm’s executive management team if you can achieve this.

(Originally published on net-security.org, Monday, 29 July 2013)

Wednesday, March 5, 2014

Why I like the new NIST Framework. It is simple and doesn't cover anything.

Ever since the new NIST Cybersecurity Framework came out (officially named 'Framework for Improving Critical Infrastructure Cybersecurity'), it has caused a lot of discussion in cybersecurity and IT risk management circles.

Some people opined that this is a step in the right direction and thanked NIST, the DHS and the C³ community for all of their volunteer work.

Others claimed it didn't go far enough, and compared it to the ISO 27000-series Information Security Management System (ISMS) standards.

My opinion is that the NIST framework is a step in the right direction. ISO 27000, NIST SP 800-53 and COBIT are large and comprehensive, and are designed to be that way. I believe the NIST framework can be used to complement those larger systems of controls, as well as to present a more understandable snapshot to upper management.

Let’s look at ‘Framework’.  A Framework is not a bridge.  It is not a building, it is not even a platform.  The NIST framework isn't a bridge to compliance, we are not building cybersecurity controls with it, and it isn't even a platform to hold up or support an existing or proposed solution.

It is a framework: small, light, and designed eventually to support the bridge, building, platform and controls that you layer on top of it. Smaller companies may only have the time and resources to bolt a couple of controls onto it.

The NIST framework will allow the IT risk/cybersecurity group to provide concise periodic feedback to upper management. Sending a COBIT gap analysis document or an ISO 2700x report to the CEO or CFO might look impressive: 750 pages of your finest work, months of collecting statistics and documents and measuring controls and their effectiveness. But this collection of three-ring binders will do nothing but collect dust. You already know that. They won't read it and you will be frustrated.

I am not saying you should not do this work. If you have selected COBIT/Risk IT, ISO 27000 or NIST SP 800-53, it is my opinion that the NIST framework can also be used to distill your findings, gaps, risks, vulnerabilities, exposures and controls into a smaller, easier-to-grasp summary. "And it is government approved."
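As an added example (not code from the original post, and not anything published by NIST), here is how that distillation can be automated: assessment findings that an assessor has already mapped to Framework categories are rolled up into one row per Framework Function, each Function taking the weakest Implementation Tier found beneath it. The Function codes, category ids such as PR.AC and the four Tier names are from CSF v1.0; the findings, the ISO 27001 / SP 800-53 control references attached to them and their tier values are constructed for illustration.

```python
"""Roll assessment findings up into a NIST CSF Function-level scorecard.

Added example, not the author's or NIST's code.  The Function codes
(ID/PR/DE/RS/RC), category ids such as PR.AC and the four Implementation
Tiers come from the Framework v1.0; the findings below, their control
references and their tiers are constructed for illustration.
"""

# The five Framework Core Functions (CSF v1.0).
FUNCTIONS = {
    "ID": "Identify",
    "PR": "Protect",
    "DE": "Detect",
    "RS": "Respond",
    "RC": "Recover",
}

# Implementation Tiers as named in the Framework.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Constructed findings from a hypothetical ISO 27001 / SP 800-53 assessment.
# The assessor has already mapped each control to a CSF category, judged
# the tier at which it is practised, and flagged whether a gap is still open.
FINDINGS = [
    {"control": "ISO A.8.1.1",    "category": "ID.AM", "tier": 2, "open": True},
    {"control": "ISO A.9.2.1",    "category": "PR.AC", "tier": 3, "open": False},
    {"control": "ISO A.9.4.2",    "category": "PR.AC", "tier": 1, "open": True},
    {"control": "ISO A.12.4.1",   "category": "DE.CM", "tier": 2, "open": True},
    {"control": "SP 800-53 SI-4", "category": "DE.AE", "tier": 2, "open": False},
    {"control": "ISO A.16.1.5",   "category": "RS.MI", "tier": 3, "open": False},
    {"control": "ISO A.16.1.6",   "category": "RS.IM", "tier": 2, "open": True},
    {"control": "ISO A.17.1.2",   "category": "RC.RP", "tier": 1, "open": True},
]


def function_of(category):
    """Return the Function code ('PR') for a category id ('PR.AC')."""
    code = category.split(".", 1)[0]
    if code not in FUNCTIONS:
        raise ValueError("unknown CSF Function in category %r" % category)
    return code


def rollup(findings):
    """Collapse per-control findings into one row per Function.

    A Function's tier is the weakest (lowest) tier of any finding beneath
    it: a Repeatable user-registration process does not compensate for a
    Partial log-on control elsewhere in Protect.  Functions with no
    findings are kept, so the summary never silently drops, say, Recover.
    """
    rows = {
        code: {"function": name, "assessed": 0, "open_gaps": 0, "tier": None}
        for code, name in FUNCTIONS.items()
    }
    for finding in findings:
        row = rows[function_of(finding["category"])]
        row["assessed"] += 1
        if finding["open"]:
            row["open_gaps"] += 1
        if row["tier"] is None or finding["tier"] < row["tier"]:
            row["tier"] = finding["tier"]
    return rows


def scorecard(findings):
    """Render the roll-up as the one-page table an executive might read."""
    lines = ["%-10s%-16s%10s%10s" % ("Function", "Tier", "Open gaps", "Assessed")]
    for row in rollup(findings).values():
        tier = TIERS[row["tier"]] if row["tier"] is not None else "not assessed"
        lines.append("%-10s%-16s%10d%10d"
                     % (row["function"], tier, row["open_gaps"], row["assessed"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(scorecard(FINDINGS))
```

Running it prints five rows, Identify through Recover. In the constructed data Protect and Recover both come out at Tier 1 (Partial) with open gaps, which is the kind of one-line fact an executive will act on, while the 750 pages behind it stay in the binders for the people who need them. Taking the minimum tier rather than an average is deliberate: an average hides the single weak control that an attacker will find first.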

Lastly, my only worry is that this framework will be used INSTEAD of a more comprehensive system: that it will be used as an excuse, or as the only basis for measuring the effectiveness of your cybersecurity controls.

Below are reference links:
[Update, March 23: DoD abandons DIACAP in favor of the NIST Risk Management Framework (RMF).]