Sleep and the 25% breached

CDW has published a Data Loss Straw Poll with the headline “One in four organizations has experienced a data loss in the last two years.”

CDW’s Data Loss Straw Poll surveyed 654 IT professionals from business, financial services, healthcare and higher education about data loss and what’s still keeping them up at night.

That is a typically low sample. As I have explained in my RSA presentations since 2009, sample size really does matter. There are nearly 6 million companies in America. Are we confident to extrapolate from these 654 people?

They also make a strange assumption that IT managers actually sleep at night. I thought the whole idea of alerts and mobile devices was to prevent anyone in IT from ever sleeping again. CDW’s report centers around the obvious connection between a device that is always with you, delivering bad news, and a resulting anxiety that makes it difficult to relax or rest.

DATA LOSS = SLEEP LOSS […] MOBILITY TRIGGERS SLEEPLESS NIGHTS

I think it’s more accurate to say change triggers sleepless nights. Mobility is not new, but the changes in mobility that have been driven by consumers keep IT from settling down. CDW also tries to make a statement about who is less tired, but I don’t buy this analysis at all:

Financial services organizations can sleep more soundly than their colleagues in other markets

I could make the argument, for example, that those sleeping more soundly have their phones turned off, or have their alerts disabled, or are simply unable to detect issues in real-time — they wake up rested and only then discover data loss. So there’s a false dichotomy of sleep versus security. You might actually be more secure when you are losing sleep…SLEEP LOSS = SAFETY?

In my 2010 presentation at RSA I used the Siege of Yodfat in 67 CE as an example of this exact issue.

The sentries slept at a particular time. An insider leaked that information to the Roman armies and enabled them to finally breach an impenetrable perimeter. In other words, they slept soundly because they thought they were safe enough to rest, which actually in itself created a weakness. The flip side of this argument is sustainability. Sleep loss is a resource management issue and begs the question of reserves, offsets (e.g. Basel II), etc. but rather than get into the deeper economics and history of managing loss here (I do that in my presentations) I just wanted to point out that the CDW report needs further analysis.

Wuti by Li Shangyin

Li Shangyin (義山) was a Chinese poet of the Tang Dynasty (618 – 907). He wrote in the format of Lu Shi — eight lines of five or seven words each.

Exposition (qi) was called for in the first two lines; the development of the theme (cheng), in parallel verse structure, in the middle, or second and third, couplets; and the conclusion (he) in the final couplet.

Hundreds of Shangyin poems may be called “Wuti” (無題 – Untitled). It makes for an interesting challenge to select one to read. With that in mind, here is one such “Untitled” poem: number 215 from “300 Tang Poems” as posted online by the Chinese Text Initiative of the University of Virginia.

相見時難別亦難，
東風無力百花殘。
春蠶到死絲方盡，
蠟炬成灰淚始乾。
曉鏡但愁雲鬢改，
夜吟應覺月光寒。
蓬山此去無多路，
青鳥殷勤為探看。

Here is my translation:
The time since she left is hard to bear,
as flowers wither after they lose their petals to the east wind.
Only in death do spring worms stop weaving silk;
as candles provide light while they cry themselves into ash.
Clouds in the early morning mirror reflect her hair changing colour,
the chant of the month feels cold in moonlight.
Magic mountain is near when you see no more road,
pay attention green bird and carry her message to me.

Green Magpie


For reference, here is the Google Translate output:

When you meet difficult Bie Yinan,
the Dongfeng weakness flowers residues.
Till death do us part,
wax torch ashes tears dry.
Xiao-Jing but worry shallow change,
night Yin should feel the moonlight cold.
Penglai this multi-channel,
Bluebird attentive to peek.

And here is the translation by Witter Bynner.

Time was long before I met her, but is longer since we parted,
and the east wind has arisen and a hundred flowers are gone.
And the silk-worms of spring will weave until they die,
and every night the candles will weep their wicks away.
Mornings in her mirror she sees her hair-cloud changing,
yet she dares the chill of moonlight with her evening song.
…It is not so very far to her Enchanted Mountain,
O blue-birds, be listening!-Bring me what she says!

US Gov Drops Oracle

The U.S. General Services Administration has announced Oracle’s contract is cancelled.

April 18, 2012: Oracle no longer available on IT Schedule 70

Effective May 17, 2012, IT Schedule 70 is canceling [sic] Oracle America’s Schedule contract GS-35F-0009T in accordance with GSAR 552.238-73, Cancellation.

This is a big step up from just issuing fines for non-compliance issues. Oracle has been in trouble with regulators lately, as reported by major news sources.

The FBI and the U.S. Department of Justice have opened an investigation into the software giant Oracle, suspected of having paid bribes to win contracts in African countries, the Wall Street Journal reveals.

That’s French for Oracle has been importing a suspiciously large amount of wine to Africa. I have heard people say Oracle databases make them whine, but I had no idea it was criminal…bada bing. I’ll be here all week.

It seems that the recent compliance enforcement efforts related to civil and criminal investigations, such as fraud / overcharging the government and false advertising, have not done enough to course-correct Oracle management, so the U.S. government has made the public decision to terminate the relationship.

Co-tenancy risk for Polar Bears

I get asked all the time whether it is “safe enough” to run different levels of security on the same physical hardware if you have a hypervisor separating the load. The answer is, of course, it depends. We have complex control models and detailed explanations that prove hypervisors can reach even the highest (e.g. FISMA High) level of measurement. But the issue is really not about controls available, it is about management decisions and configuration.
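The point above is that the hypervisor's isolation capability and the placement decisions made on top of it are two different questions. As an added illustration (not code from the original post), here is a small audit that checks whether VM placement actually respects a data-classification policy. The inventory, host names, tier labels and the "one tier per host unless the host is on a documented exception list" policy are all constructed assumptions for the example.

```python
"""Co-tenancy placement audit (added example, not from the original post).

Assumption: an inventory export lists each VM with the physical host it
runs on and the security tier its data was classified at. The policy
below is a constructed example: a host may hold VMs of one tier only,
unless the host is on a documented exception list. The hypervisor may be
perfectly capable of isolating the tiers; this check is about whether the
management decisions (placement) respect the classification.
"""
from collections import defaultdict
from dataclasses import dataclass

# Tier ordering used for reporting: higher number = more sensitive.
TIER_RANK = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class VM:
    name: str
    host: str
    tier: str


@dataclass(frozen=True)
class Violation:
    host: str
    tiers: tuple   # tiers found on the host, least to most sensitive
    vms: tuple     # names of the VMs sharing that host


def group_by_host(inventory):
    """Bucket VMs by physical host, rejecting unknown tier labels early."""
    by_host = defaultdict(list)
    for vm in inventory:
        if vm.tier not in TIER_RANK:
            raise ValueError(f"{vm.name}: unknown tier {vm.tier!r}")
        by_host[vm.host].append(vm)
    return by_host


def audit_cotenancy(inventory, exceptions=frozenset()):
    """Return one Violation per host that mixes tiers without an exception.

    `exceptions` is the set of hosts where mixing has been explicitly
    accepted (the "management decision" the post talks about)."""
    violations = []
    for host, vms in sorted(group_by_host(inventory).items()):
        tiers = sorted({vm.tier for vm in vms}, key=TIER_RANK.__getitem__)
        if len(tiers) > 1 and host not in exceptions:
            names = tuple(sorted(vm.name for vm in vms))
            violations.append(Violation(host, tuple(tiers), names))
    return violations


def highest_exposed_tier(violations):
    """Most sensitive tier that currently shares hardware with a lower one."""
    if not violations:
        return None
    return max((t for v in violations for t in v.tiers),
               key=TIER_RANK.__getitem__)


# Constructed sample inventory (hypothetical hosts and workloads).
SAMPLE_INVENTORY = [
    VM("web-01", "esx-a", "low"),
    VM("web-02", "esx-a", "low"),
    VM("hr-db", "esx-b", "high"),
    VM("payroll", "esx-b", "high"),
    VM("marketing-cms", "esx-b", "low"),   # low-tier guest landed on the high-tier host
    VM("ticketing", "esx-c", "moderate"),
    VM("analytics", "esx-c", "low"),       # mixing accepted by exception below
]
ACCEPTED_HOSTS = frozenset({"esx-c"})

if __name__ == "__main__":
    found = audit_cotenancy(SAMPLE_INVENTORY, ACCEPTED_HOSTS)
    for v in found:
        print(f"{v.host}: tiers {'/'.join(v.tiers)} share hardware: {', '.join(v.vms)}")
    print("highest tier exposed:", highest_exposed_tier(found))
```

Run against the sample inventory, the audit flags only `esx-b`: the hypervisor there may be fine, but someone placed a low-tier marketing box next to payroll data. `esx-c` mixes tiers too, yet is silent because that decision was recorded as an accepted exception, which is exactly the kind of configuration and management record a FISMA High argument has to be able to produce.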

To put co-tenancy in a broader context, consider the latest decision by the Obama administration regarding the obvious plight of Polar Bears. The U.S. Fish and Wildlife Service today published in the Federal Register a proposed rule and draft environmental study. This new draft is meant to replace a Bush administration 2008 attempt at a rule that was voided in 2011 by federal court. The public has two months to comment and already there is a clear backlash based on broad risks of co-tenancy.

A proposed rule aimed at protecting endangered polar bears doesn’t even mention how the federal government will address global warming, which is seen as the primary threat to the Arctic predators.

[…]

Both the current proposal and the previous Bush rule exclude activities occurring outside the range of polar bears — such as the greenhouse gas emissions of industrial polluters like coal plants — from regulations that could help stop the bear’s extinction.

Unfortunately, it seems bears have no service level agreement with their provider that they can use for leverage against the harm that is coming from their neighbours. The administration also presents an interesting argument against controls that seems completely upside-down.

In the new environmental assessment, Fish and Wildlife managers argued that not issuing an exemption for harm to polar bears outside the Arctic would lead to a plethora of citizens’ lawsuits which, the agency said, had little chance of prevailing. Such suits would take up agency staffers’ time that could better be spent helping polar bears, they said.