Not posting for a while

Posted 12 December 2009 by vfp15
Categories: Uncategorized

Just a short post to say that yes, I realize I am not posting. Just hibernating through this downturn!

Security flaw on TV

Posted 29 August 2009 by vfp15
Categories: Information Security, Information Technology Management, Operational Risk

OK, living abroad in Asia means I don’t get to see primetime shows until years after they air, so I’m sure people spotted this one a long time ago.

On the CBS show Numb3rs, an FBI agent turns to his mathematical genius kid brother to help him solve crimes, especially serial crimes in which patterns emerge. In the second episode of the first series, they made a mistake. Oh, not with the math; the producers put in the effort to have that checked. They make an information security blunder equivalent to saying the second power of something is twice as big as its first power. (It isn’t twice as big: the second power is the square of the value, the first power is the value.)

A software engineer is tortured for his passwords because the criminals want to access the databases of banks using the software. The basic blunder is that developers never, ever, but never have access to production data. And developers of packaged, shrink-wrapped financial software don’t build back doors into their software. The risk of being sued is too great.

Secure implementations of information systems set up servers over three tiers: a production server on which the business is run, a test server on which any change is tried out before being rolled out to the production server, and a development server on which the developers can play to their heart’s content.

A bank might well give its own developer employees read-only access to production data, but it would never allow its software supplier routine access to that data or to the test servers, and only restricted access to the production servers.

Oh well. I still like Numb3rs, and hey if it helps make math cool, great!

Copyright 2009 Vincent Poirier

Swine flu: controlling the damage from overhype

Posted 12 June 2009 by vfp15
Categories: Business Continuity, Operational Risk

The WHO just raised the swine flu situation to Level 6, but is trying to reassure people that this “doesn’t mean disease is worse, but [only] that it’s in more countries”.

Right. It’s incumbent on us to react to such an event, but the reaction ought to be proportional to the actual risk. Putting too much stress on the danger of swine flu diverts attention and resources away from other risks, and it also reduces the productive activity that contributes to the welfare of all, which in the end may cost more lives indirectly than swine flu would directly.

It seems to me that the WHO is trying to save face while trying to reassure us. It might be better to have a two-dimensional alert system, e.g. the current spread level combined with a severity level.

Copyright 2009 Vincent Poirier

IT Disaster Recovery Planning For Dummies

Posted 22 May 2009 by vfp15
Categories: Business Continuity, Information Technology Management

I just posted on Amazon my review of IT Disaster Recovery Planning For Dummies by Peter Gregory.

Overall, it’s an excellent presentation of the IT infrastructure side of business continuity planning. It’s useful both to IT professionals, because it helps focus on what IT is for, and to non-IT professionals, because it helps explain how IT underlies business processes.

The book is practical and immediately useful. Recommended.

Copyright 2009 Vincent Poirier

Cause for alarm, but not for panic

Posted 9 May 2009 by vfp15
Categories: Business Continuity, Operational Risk, Opinion

Is the swine flu passing or revving up? WHO knows? But whenever an infection jumps from one species to another, there is cause for alarm.

A disease that has settled in one species has in evolutionary terms arrived at an agreed settlement with its host. The host species has accepted the inconvenience of the disease and built some resistance while the disease itself has gotten rid of its more lethal strains. After all, the disease cannot be hosted at all if all the hosts are dead. So the disease is now adapted to its host and, usually, only to its host species. It does not survive in the wrong environment; a pig flu organism shouldn’t survive in a horse.

Mutations occur all the time in all living things as they reproduce. Once in a while the mutations allow a disease to jump from one species to another, and that can be dangerous. When a disease that is lethal but controlled in one environment successfully mutates and survives in a new environment, then it is no longer controlled and can be lethal on a massive scale because the new environment hasn’t developed its defenses. This is what decimated the native population of the Americas in the sixteenth century.

This is why the WHO and governments around the world must take sensible precautions. The cause for alarm is real, but we shouldn’t panic.

Sensible precautions mean directing the existing medical infrastructure towards the problem. Also, increase surveillance at high-traffic areas like airports. Questionnaires are a little silly (would you answer “Yes” to “Do you have a fever?” if you risked being detained or quarantined?), but it might be a good idea to train immigration and customs officers to spot symptoms and select who should be examined by a qualified doctor on the spot.

So what should you do in your organization? Believe it or not, almost nothing needs to be done immediately.

You do need to raise awareness within management. As described earlier, your initial response is to have your organization’s crisis management team hold a short, well-structured meeting, and to renew this exercise once or twice a week. A phone conference is best. It’s quick and efficient and keeps key people in the loop without taking too much of their time.

In most industries outside tourism, there should be no other response at this point. Stopping all business travel would harm the economy which in turn would harm people, possibly causing more harm and indirectly more deaths than would the flu itself.

It makes sense to reduce business travel to necessary trips only; but in this recession we are already doing that! Certainly a silver lining. If the infection spreads widely and deeply, affecting hundreds of thousands or millions of people worldwide, then and only then should more involved plans be implemented. Otherwise we are panicking and hurting ourselves.

Copyright 2009, Vincent Poirier

Swine flu: WHO moves to phase 4

Posted 28 April 2009 by vfp15
Categories: Business Continuity, Operational Risk

The World Health Organization has raised the alert over swine flu to phase 4.

In phases 1 to 3, an infection is detected among animals with only a few cases of human infection.

Phase 4 differs because now we find the infection spreading from person to person.

Infections usually don’t jump between species, but when they do the effects are unpredictable.

When someone is infected from an animal, the virus or bacterium isn’t necessarily comfortable in a human host, and vice versa. The common cold doesn’t kill us because we’re as used to that strain of virus as it is to living inside us. The same goes for any virus in any animal species. When a virus hosted by one species contacts another, it usually just dies. But not always, and sometimes it survives on the new host.

An animal virus might infect someone already weak or someone who is receptive to this particular virus. In most cases the virus dies with the host.

When a virus mutation occurs and the virus is now comfortable in the human host, we find it can propagate from person to person. That’s when we’re in trouble, and that’s why the alert raised is serious: while the virus is now used to living in people, we aren’t used to having that particular virus inside us.

Phase 5, if we reach it, will see a full-fledged pandemic spread, perhaps around the world. Maybe something akin to the 1918 flu pandemic, which killed more people than did World War I. However, that’s unlikely.

So why the hype? Well, it doesn’t cost much to be prepared against something with such impact. There would be a real risk if we were to do nothing, but measures are being taken. Being aware and concerned motivates people to react properly.

Copyright 2009 Vincent Poirier

Swine flu pandemic: Respond!

Posted 27 April 2009 by vfp15
Categories: Business Continuity, Operational Risk

It’s not a pandemic yet, but the swine flu could turn into one. As with any crisis, the first basic thing to do is to communicate.

If you are the BCP person in your organization but you have no authority, then here’s your chance to shine and acquire some. If you do have authority, now’s the time to use it.

1) Get your organization’s Emergency Response Team (ERT) on a conference call. If you don’t have an ERT, create one by looking at your organization’s chart.

2) Organize a conference call. Call the senior people in the ERT and get their support, then schedule a fifteen minute conference call using their authority.

3) Use this agenda, and modify it at will, but prepare the meeting!

i. The situation according to news agencies, e.g. CNN, the BBC, and Reuters.
ii. Round table discussion of who has how many people in risk areas.
iii. Round table discussion of business trips to or from risk areas.
iv. Agree to a second conference call in three days. Agree to be instantly available if the situation worsens suddenly.

4) Immediately write up a diary note or a minute of the meeting and send it to the ERT.

That’s it. That’s your first response.

If you have plans in place, add their provisions to the agenda and discuss their implementation, or take that discussion offline with a few key people.

If you do not have any plan specifically for pandemics, check out the State of Pennsylvania’s BCP Checklist.

Copyright 2009 Vincent Poirier

Copyright violations, piracy, and that annoying crying girl…

Posted 17 April 2009 by vfp15
Categories: Information Security, Opinion

I made myself comfortable as the lights dimmed in the theater. Ten minutes of annoying commercials and ten minutes of previews before the movie starts. I like the previews, and the commercials wouldn’t be so unendurable if they were more interesting. In Tokyo however, the commercials in a Shinjuku theater will be about a nearby Shinjuku district pub or bowling alley. “Our food is good and the portions are generous. Please come and enjoy yourselves!” Yawn.

But what really gets me is the anti-piracy commercial. They are tugging at our heart strings here. A girl who looks straight at me from the silver screen, and a black tear rolls down the side of her sad face as she says “I don’t watch pirated films”. Give me a break! I do want copyright protected, but I don’t feel sorry for big money studios. And copyright law has gone out of control.

And do not believe that copyright has necessarily helped music. It has had an effect, for better or for worse, but that’s all we can say. A few superstars now get all the money and most musicians can’t earn a living from their work. Before recording, a musician was like a barber. He performed a service in his own small town, and the better musicians in Paris and New York did not compete with him.

Remember that the laws were enacted originally to guarantee authors would receive the fruits of their work. Somewhere along the line copyrighted material became an economic asset and a big money concern. I strongly believe that at some point copyright, like patents, should expire.

My rationale is that no copyrighted work was created in a vacuum. This very blog post, copyrighted of course, is written in reaction to my reading a (copyrighted) CNN article about Swedish file sharing network operators being sentenced to a year in jail. I’m not advocating free-for-all piracy, but I would like to see a serious overhaul of copyright law. (And of patent law while we’re at it.) I have one important caveat however.

In his book Supercapitalism, Robert Reich explains how citizens have been disenfranchised from the political process by big money. It is not people who are disenfranchised, Reich explains, it is citizens. Citizens are people of course, but people are consumers and investors as well as citizens. Big money serves our investment and consumption interests but not our broader political interests. A reform of copyright law should be a citizen driven initiative. But “c’est pas demain la veille”* as we say in French.

Copyright 2009 Vincent Poirier

*Literally, “tomorrow isn’t the day before (it happens)” which implies that we can’t expect this anytime soon.

Schneier on Security

Posted 15 April 2009 by vfp15
Categories: Business Continuity, Information Security

I just reviewed “Schneier on Security”, a collection of articles and blog posts by security guru Bruce Schneier. The book covers the security of everything from voting machine software to airport access.

I like Schneier’s attitude to disaster planning. He writes that “real disasters don’t exactly match our plans, and we are best served by a bunch of generic disaster plans and a smart flexible organization that can deal with anything” (page 143).

Copyright 2009 Vincent Poirier

Schneier’s mantra: security is a trade-off

Posted 8 April 2009 by vfp15
Categories: Information Security, Operational Risk

U.S. Defense Secretary Robert Gates understands Bruce Schneier’s mantra that security is a trade-off. Gates also understands the difference between real security and what Schneier calls security theater, i.e. things that look secure. The first actually does make us safer while the second makes us feel safer. The problem is they don’t always match; in fact they are often at odds.

But Gates just made a good call. He is proposing to reduce defense spending aimed at threats that no longer exist in order to shift the money to threats that do. One large saving will come from cancelling further orders for the F-22 Raptor fighter. This state-of-the-art plane was designed to combat high-tech military superpowers like the now-defunct USSR and the newly emerging China. I’m sure the Raptor does this very well, but it’s obvious that Russia and China aren’t really military threats anymore. All three superpowers have far too much to lose.

The U.S. is involved in a couple of wars right now, in Iraq and Afghanistan, but the Raptors are useless against that enemy. The future ain’t what it used to be. Wars aren’t fought against large-scale, high-tech enemies anymore; they are fought against clever, hidden guerrillas in towns and in the wilderness.

Gates’s call for the cancellation of the F-22 program raised an outcry from Senator Chambliss, a Republican, who claims that American military personnel will be put at risk because of the Obama Cabinet’s policy. But this isn’t a Republican senator fighting a Democratic president on military matters; it’s clearly the result of a lobbied effort by defense contractors against a policy that will cost Lockheed a bundle.

But security is a trade-off. You don’t buy protection you don’t need if it means foregoing more appropriate measures. Gates proposes spending on tools soldiers can use today, such as drones that can launch missiles, recently used on the Afghanistan-Pakistan border. The F-22 is security theater while the drones are useful, real security today.

This makes sense and the same thinking applies to information security. Good security is a trade-off. So the next time a difficult boss or customer resists a change you want to make, point to Gates’s call as an example.

Copyright 2009 Vincent Poirier