TAC Talk Episode 2: Cyber Security Insurance

A conversation with TAC President Peter Schay, and TAC Founder Alan Guibord, a frequent speaker on IT leadership, organizational strategy, future trends in IT, and cybersecurity.

Recorded July 16, 2015

TAC Talk Episode 1: Why Cloud business planning is more difficult than you think – and what to do about it.

A conversation with TAC President Peter Schay and guest Bruce Guptill, TAC expert and skilled speaker, media contributor, and author of hundreds of research notes, reports, blog posts, articles, and presentations on business IT change, strategy, tactics, planning, acquisition, and value, from cloud, mobile and social IT, to digital business transformation, to changing IT roles and value.

Recorded June 30, 2015

Monitoring Architecture

By: Mark O’Gara, TAC Expert

Monitoring has evolved to mean much more than just managing the network components in the IT production data center. In the good old days, a Simple Network Management Protocol (SNMP) management product was sufficient to manage all the network components. For today’s complex IT environments, we need a multi-tier monitoring architecture. A multi-tier monitoring architecture is a critical component of a good monitoring strategy. A sample multi-tier monitoring architecture, listed from the top layer down, follows:

  • Customer Experience Management (CEM)
  • Application Performance Management (APM)
  • Synthetic transactions
  • Manager of Managers (MOM)
  • Element Management Systems (EMS)

The base layer of the architecture is the Element Management Systems (EMS). The EMS layer manages the health of all the components in our IT environment, including components in our data centers, at Software-as-a-Service providers and at cloud providers. The EMS layer manages components such as routers, LAN switches, servers, middleware and databases. Depending on the complexity of the environment, you might have multiple EMSs and stand-alone point solutions such as an agentless protocol monitoring tool.

The next layer in the architecture is the Manager of Managers (MOM). The MOM layer consolidates all the alarms and events from the EMS layer to provide a unified and coordinated view of the IT environment. Typical functions provided at the MOM layer include event correlation and data enrichment. The MOM provides the ability to ingest alarms and log files from the various EMS layer devices. The MOM layer helps to solve the problem of the EMS layer being managed in silos.

The third layer in the monitoring architecture is synthetic transactions. The synthetic transaction layer provides the ability to simulate user transactions and understand how the user will interact with the application and core infrastructure components. Typical functions provided by the synthetic transaction layer range from testing a Uniform Resource Locator (URL) or executing a Common Gateway Interface (CGI) script on a web server at the basic level, up to executing the multiple steps a user would take to complete an application process. The synthetic transaction layer starts to test the horizontal aspects of how well the infrastructure supports an application transaction in the production environment.

The fourth layer of the monitoring architecture is Application Performance Management (APM). The Application Performance Management layer provides the ability to track an application transaction from a time and resource perspective. The APM layer will timestamp transactions, store the data, and provide reporting and alerting on the transaction. Another function of the APM layer is measuring how well, or how poorly, an application consumes resources such as the available memory in a virtual machine (VM). The APM layer provides data on how well the application transaction performs and gives us live data on the production environment.

The last layer in the architecture is the Customer Experience Management (CEM) layer. The Customer Experience Management layer provides the ability to understand how well external users can access our production environments. The functions provided by the CEM layer include testing remote network access from different geographical locations and running simulators to test mobile network access. A well-executed CEM layer provides data on issues affecting the user that are beyond the IT production environment.

Depending on the maturity of your monitoring organization, you may have one or all of the layers listed in the monitoring architecture. The key to success is to establish a good base Element Management System layer and build up!
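The MOM layer’s two headline functions, event correlation and data enrichment, are easiest to see on data. The following is an added example, not code from the article or from any TAC tool: a toy MOM stage in Python that ingests alarms from two constructed EMS feeds (a network EMS emitting SNMP-trap-style lines and a server EMS emitting key=value lines), enriches each alarm with service and owner from a constructed CMDB extract, folds repeated alarms together, and suppresses reachability alarms on devices sitting behind a device that is already in a critical state, so that one upstream failure does not surface as a pile of unrelated tickets. The device names, CMDB contents, alarm formats and the rule of suppressing only reachability-type messages are all assumptions made for the example.

```python
"""Toy Manager-of-Managers (MOM) stage: ingest alarms from two EMS feeds,
normalize them, enrich from a CMDB, deduplicate repeats, and suppress
downstream symptoms of an upstream failure. All data here is constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed CMDB extract used for enrichment: device -> service, owner, upstream device.
CMDB = {
    "rtr-dc1-01": {"service": "core-network", "owner": "netops", "upstream": None},
    "sw-dc1-07": {"service": "core-network", "owner": "netops", "upstream": "rtr-dc1-01"},
    "app-srv-12": {"service": "order-entry", "owner": "app-team", "upstream": "sw-dc1-07"},
    "db-srv-03": {"service": "order-entry", "owner": "dba", "upstream": "sw-dc1-07"},
}

# Alarm text that indicates a reachability symptom rather than a local fault (assumed rule).
REACHABILITY_TERMS = ("timeout", "unreachable", "down")


@dataclass
class Event:
    device: str
    severity: str
    message: str
    source_ems: str
    service: str = "unknown"
    owner: str = "unassigned"
    suppressed_by: Optional[str] = None  # upstream device whose failure explains this alarm
    count: int = 1                       # number of identical alarms folded into this one


def parse_network_ems(line: str) -> Event:
    """Constructed network EMS format: TRAP|<device>|<severity>|<text>."""
    _, device, sev, text = line.split("|", 3)
    return Event(device, sev.upper(), text, "network-ems")


def parse_server_ems(line: str) -> Event:
    """Constructed server EMS format: host=<device> level=<severity> msg=<text>."""
    fields = dict(part.split("=", 1) for part in line.split(" ", 2))
    return Event(fields["host"], fields["level"].upper(), fields["msg"], "server-ems")


def enrich(ev: Event) -> Event:
    """Data enrichment: attach the owning service and team from the CMDB."""
    ci = CMDB.get(ev.device)
    if ci:
        ev.service, ev.owner = ci["service"], ci["owner"]
    return ev


def upstream_chain(device: str) -> list:
    """Walk the CMDB dependency links from a device towards the network core."""
    chain, cur = [], CMDB.get(device, {}).get("upstream")
    while cur:
        chain.append(cur)
        cur = CMDB.get(cur, {}).get("upstream")
    return chain


def consolidate(raw: list) -> list:
    """Run the MOM pipeline over (parser, line) pairs and return the unified event view."""
    events = {}
    for parser, line in raw:
        ev = enrich(parser(line))
        key = (ev.device, ev.message)
        if key in events:
            events[key].count += 1        # deduplicate repeated alarms
        else:
            events[key] = ev
    # Event correlation: a reachability alarm on a device behind a CRITICAL
    # upstream device is a symptom of that failure, not a separate incident.
    critical = {ev.device for ev in events.values() if ev.severity == "CRITICAL"}
    for ev in events.values():
        if not any(term in ev.message.lower() for term in REACHABILITY_TERMS):
            continue
        for up in upstream_chain(ev.device):
            if up in critical:
                ev.suppressed_by = up
                break
    return list(events.values())


def actionable(events: list) -> list:
    """Events an operator should act on: those not explained by an upstream failure."""
    return [ev for ev in events if ev.suppressed_by is None]


# Constructed sample feed: two EMS sources, one repeated trap, one downstream symptom.
SAMPLE_FEED = [
    (parse_network_ems, "TRAP|rtr-dc1-01|critical|linkDown ifIndex 3"),
    (parse_network_ems, "TRAP|rtr-dc1-01|critical|linkDown ifIndex 3"),
    (parse_server_ems, "host=app-srv-12 level=critical msg=ping timeout to db-srv-03"),
    (parse_server_ems, "host=db-srv-03 level=warning msg=disk /var 85% full"),
]

if __name__ == "__main__":
    for ev in consolidate(SAMPLE_FEED):
        state = f"suppressed by {ev.suppressed_by}" if ev.suppressed_by else "actionable"
        print(f"{ev.device:12} {ev.severity:8} x{ev.count} {ev.service}/{ev.owner}: {ev.message} [{state}]")
```

Run stand-alone, the four raw alarms collapse to three events: the repeated router trap carries a count of 2, the server’s ping timeout is marked as suppressed by the router, and only the router failure and the unrelated disk alarm remain actionable. The disk alarm survives because the suppression rule is scoped to reachability symptoms; suppressing everything downstream of a failed device would hide genuine local faults, which is the usual way naive topology correlation goes wrong.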

Mark O’Gara, TAC Expert, has more than 30 years of experience as an operations and engineering IT executive with a diverse background from start-ups to Fortune 50 companies. He is experienced with tactical, hands-on problem solving as well as with developing and implementing business strategy, creates high-performance teams by focusing on communications and leadership development, and is able to lead large change-management transformations that focus on improving service delivery and reducing costs. His functional expertise covers monitoring, voice, data, wireless and applications.

What to Do When Your Biggest Threat to Security is a Well-Intentioned Employee

By: Rick Derouin, TAC Executive Consultant

We all make mistakes. Often, we don’t realize the full ramifications of our actions until we have that “oh no” moment after something has already gone wrong. In a business environment, there may be a large number of employees with enterprise access and multiple platforms, and society’s constant impetus to move to the latest device (which may not be an “official” device) poses a constant threat to security, especially from well-intentioned but security-challenged employees.

Unfortunately, employees tend to forget or disregard policies, especially mobile security policies, so they may engage in risky behavior without thinking about it. They’re generally unaware of the potential risks, and often treat their mobile device like their company PC, assuming it’s secured by IT. In an interview with The Wall Street Journal, the chief information security officer of Blackstone Group LP stated, “The No. 1 most significant risk to every organization is your well-intentioned, non malicious insider who is trying to do the right thing for the organization and makes a stupid mistake.”

What Makes Well-Intentioned Employees Dangerous

Employee threats are sometimes hard to spot, but there are a few warning signs you can look out for. Does the employee instantly access information on their device? There’s a good chance they’re not using a passcode. Were they hired recently or do they miss meetings regularly? They may not have been counseled on the mobile security policy. Do they use multiple devices or a different device type than you’re managing? You may have an unsecured device problem.

Most employees aren’t malicious. They aren’t a deliberate security threat; they just don’t understand that what they’re doing is wrong. Here are the top six mistakes well-intentioned employees make that are a threat to security:

  • Accessing unsecured Wi-Fi
  • Using login credentials on shared or unsecured devices
  • Failing to use a passcode on devices
  • Saving company information to personal devices or cloud storage
  • Inadvertently forwarding sensitive information
  • Taking company information or login credentials with them when they leave

Mitigating the Risk Well-Intentioned Employees Represent

From a security perspective, people are hard to manage; they do all sorts of things when you aren’t looking and you can’t watch them every minute of every day. Still, there are some things you can do to educate employees and manage devices for a more secure mobile environment. Here are four steps you should take to mitigate the risks of a well-intentioned employee:

  • Create well-defined policies.
  • Set device limits.
  • Implement a mobile device management solution.

The nice thing about malicious threats to security is that dealing with them is black and white. They don’t have good intentions, and you don’t want them anywhere near your data. Dealing with the threat of well-intentioned employees is more difficult, because you want them to have access to information, but there’s always a chance that they might misuse it. It can be hard for IT personnel to understand why employees do the things they do, but remember that not everyone understands the risk. Try to put yourself in their less-educated shoes, and safeguard against their mistakes before they make them.

Rick Derouin, TAC Executive Consultant, has more than 35 years of experience in the IT and telecommunications industries, with the past 12 years focused on increasing clients’ business benefits from investments in communications technology and services and ensuring clients need what they have and are paying the best possible price. He has designed and implemented innovative approaches to performance measurement, benchmarking, and alignment of technology for increased communications (voice and data) effectiveness. Mr. Derouin began his career with 10 years at IBM; in the last 15 years of his vendor career he was Senior Vice President of TeleGlobe, Vice President of AT&T Public Sector Markets, World Wide Vice President of Steltor, and Global Vice President of Oracle’s SWAT Team.

Windows 10 : Windows 8 :: Windows 7 : Windows Vista

by Peter Schay, President and CEO of TAC.

I’ve been using the Windows 10 Technical/Insider Previews (slow ring, now build 10130) on my primary work laptop since October, and it’s clear to me that in Windows 10 Microsoft has successfully salvaged the Metro/WinRT technology, introduced with Windows 8, to create a winning new OS version.

Beginning with the introduction of Windows Vista in 2007, Microsoft seems to have fallen into a cycle of overreaching “failure” followed by corrective success in its Windows versions (keeping in mind that for Windows, “failure” still means hundreds of millions sold).

(I should point out that, in the case of Vista, TAC was far more positive in our assessment than most pundits at the time [see SmartTip “Cutting through the Nonsense about Windows Vista, Windows 7, etc.”].)

As explained in the SmartTip cited above, the highly successful Windows 7 is basically a “cleaned up” version of what Vista should have been, with mostly incremental improvements. The one major new feature in Windows 7, Windows XP Mode, was added specifically to address the application software compatibility problems that plagued Vista.

Our advice regarding Windows 8 was, like the product itself, bifurcated. Microsoft’s emphasis on the “mobile first,” touch-oriented Modern (a.k.a. Metro) side of Windows 8 was an immense turn-off for desktop users with non-touch PCs, i.e., most of the Windows-using world. At the same time, the development of the Modern environment was an absolutely essential strategic move for Microsoft in the face of the Apple iPad and various Google Android tablet devices. (See the blog postings below, “Windows 8, BYOD, and IT Leadership,” “Yes, Windows 8 Is Bad…,” “Windows Reimagined,” and “A Learning Curve with Windows 8? Much Ado About Nothing, but Stick With Windows 7 for the Enterprise,” for our comments at the time.)

Now, on the threshold of the July 29 general availability of Windows 10, there is no doubt that Windows 10 is to Windows 8 as Windows 7 was to Windows Vista. The clunky awkwardness of the dual Windows 8 environments has evolved into a more-or-less seamless — and far more desktop friendly — experience which, on 2-in-1 devices (e.g., Microsoft Surface 3, Lenovo Yoga) includes the “Continuum” capability of automatically adjusting on-the-fly to changes in physical configuration.

Bottom line, Windows 10 is a winner. Any organization that has not yet deployed Windows 8 devices should wait for Windows 10.

The Anthem Hack: Sophisticated? Maybe, Maybe Not.

by Jim Noble, Director TAC International

The news on Wednesday that Anthem’s systems had been compromised ranks among the largest such breaches ever. Simply on the basis of the number of people affected, it is double the size of the Target incident. But therein lies the complexity of this subject. Many companies suffer a breach, but it is not “material” in a business risk context, and so it attracts little publicity. The formula says Materiality = Threat x Vulnerability x Consequence.

While the Threat is widely acknowledged, there seems to be widespread denial of the Vulnerability. As in the case of Sony, it is tempting to pardon this sort of lapse as “inevitable and inescapable” because of the sharply focused and sophisticated nature of the attack. But that is a pathetic excuse, and deserves a robust challenge in a lawsuit on the basis of neglect of their fiduciary Duty of Care on behalf of their shareholders. Instead of taking the issue seriously and dealing with basic deficiencies, companies are throwing technology (hardware and software products) at the problem and installing more and more sophisticated equipment, which is often poorly configured and managed. If you look at the root causes of healthcare breaches on HHS.gov you will be amazed at how trivial most are. But companies always say they were the subject of a sophisticated attack. I guess this protects against negligence lawsuits. Healthcare breaches have continued to increase after HIPAA was implemented.

That complacency also extends to Consequences. For companies handling credit card data such as Target, Home Depot & TJ Maxx, the consequences were fraudulent transactions on their customers’ accounts, which can be addressed by the card issuers, or credit watch companies like Equifax. For companies with sensitive intellectual property like Sony Pictures Entertainment, knowing what has been stolen helps them to take steps to mitigate the consequences. In the case of Anthem, the consequences could be much more serious, because the personal data could result in identity theft, which is a more complex situation to recover from.

So how is it that avoidable incidents keep happening? How could Home Depot and Neiman Marcus fall into the same trap that Target did months earlier? Could it be that this is not considered material enough to spend money on both the technology (to prevent & detect data losses) and the human behavioral changes needed to minimize incidents? Maybe it is just the cost of doing business, and we should just buy insurance to cover for the results of incompetence.

Cyber Crime – Why “Prevent, Detect, React” Doesn’t Work

by Jim Noble, Director, TAC International

While I am accustomed to presenting to IT audiences and university students, last week I had a most unusual audience. The occasion was the annual conference of the New York Stock Exchange, and the audience consisted of 450 Directors of the Boards of NYSE member companies.

They are accustomed to thinking of business risk in terms of their familiar frame of reference. So cyber crime is just another business risk, comparable with physical crime. My message was rather stark – thinking in that frame of reference is a serious mistake, and contributes to much of the complacency we see in businesses everywhere. With physical crime, you lose something (e.g. an asset). You know that you have lost it, and you do something about it. So fraud, theft etc. are relatively easy to discover. But businesses are becoming increasingly digital, and with cyber crime nothing goes missing. Your assets (e.g. intellectual property) are still where you left them, and there is no evidence of compromise. Cyber criminals copy the asset, rather than taking it away. This contributes to the phenomenon “It takes them minutes to break in, and it takes a company weeks or months to discover the incursion”.

Actually, it is worse than that. Most companies never discover that they have been compromised, and it is virtually impossible to block a determined, sophisticated attacker.

So the conventional wisdom in digital security of “Prevent, Detect, React” rarely applies – you can’t prevent, you probably won’t detect, and so how could you possibly react?

I don’t want to spread fear, uncertainty and doubt; but I was determined to shake these Board members out of their complacency! So I tried to balance the bad news with some good news – while it is impossible to defend all your petabytes of digital assets equally, it is possible to defend the crown jewels (the 5% or so that really matters, such as your Board meeting minutes, your M&A plans, your product R&D, your Q2 results due to be published tomorrow…). I asked how many companies had a data classification scheme, allocating (say) Unclassified, Restricted, Confidential and Secret categories to their data. You guessed – almost none of the companies did this. The usual rebuttal is that their company is not a bank, or a military contractor, or the White House… and so it is not a target for cyber crime. But of course that is a popular misconception, and even if your company is not the primary target, you might be a supplier to another company that is, and your privileged access is what the bad guy wants.

So I rest my case with the famous quote from the Director of the US National Security Agency – “You don’t know when they were there, when they left, what they took, and what they left behind”. And until you acknowledge that, you will leave gaps in your defenses or your monitoring that the bad guys will easily exploit. The recent case of Edward Snowden was a good example of this. His employers thought that his government clearance of Secret and his exemplary record were sufficient controls for a Systems Administrator with proper access to highly sensitive data, but they could easily have implemented “a separation of duties” to block data access without at least two authorized people. Now that their awareness has been raised, I think security will be better in future.
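The two controls recommended above, a data classification scheme and a separation of duties that blocks access to the most sensitive data unless at least two authorized people are involved, fit together naturally in an access decision. The following is an added example, not code from the article: a small Python authorization check using the four classification levels named in the text, in which the number of approvers each level needs (none for Unclassified and Restricted, one for Confidential, two for Secret) is an assumption made for the example. Approvers must be distinct, must themselves be cleared for the asset, and the requester cannot count as their own approver, so an administrator with Secret clearance still cannot open a Secret asset alone. Every decision, granted or denied, is written to an in-memory audit trail so the denials are visible to monitoring. All user, asset and clearance values are constructed.

```python
"""Toy authorization check: a four-level data classification scheme combined
with a two-person rule for the most sensitive tier. All names are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Ordered classification levels from the text; the approver counts per level are an assumption.
LEVELS = {"Unclassified": 0, "Restricted": 1, "Confidential": 2, "Secret": 3}
APPROVERS_REQUIRED = {"Unclassified": 0, "Restricted": 0, "Confidential": 1, "Secret": 2}


@dataclass(frozen=True)
class Principal:
    user: str
    clearance: str


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str


AUDIT_LOG: List[dict] = []  # constructed in-memory audit trail of every decision


def authorize(requester: Principal, asset: Asset,
              approvers: Iterable[Principal] = ()) -> Tuple[bool, str]:
    """Decide one access request and explain the decision.

    Grant only when the requester's clearance covers the asset's classification
    and enough distinct approvers, each cleared for the asset and none of them
    the requester, have signed off."""
    if asset.classification not in LEVELS or requester.clearance not in LEVELS:
        return False, "unknown classification or clearance"
    if LEVELS[requester.clearance] < LEVELS[asset.classification]:
        return False, "clearance insufficient"
    needed = APPROVERS_REQUIRED[asset.classification]
    valid = {
        a.user for a in approvers
        if a.user != requester.user                                  # no self-approval
        and LEVELS.get(a.clearance, -1) >= LEVELS[asset.classification]
    }
    if len(valid) < needed:
        return False, f"{needed} approver(s) required, {len(valid)} valid"
    return True, "granted"


def request_access(requester: Principal, asset: Asset,
                   approvers: Iterable[Principal] = ()) -> bool:
    """Authorize and record the outcome; denied requests are logged too."""
    approvers = list(approvers)
    granted, reason = authorize(requester, asset, approvers)
    AUDIT_LOG.append({
        "user": requester.user,
        "asset": asset.name,
        "classification": asset.classification,
        "approvers": sorted(a.user for a in approvers),
        "granted": granted,
        "reason": reason,
    })
    return granted


# Constructed scenario: a systems administrator cleared to Secret wants the board minutes.
ADMIN = Principal("sysadmin", "Secret")
CISO = Principal("ciso", "Secret")
SECRETARY = Principal("corp-secretary", "Secret")
ANALYST = Principal("analyst", "Confidential")
MINUTES = Asset("board-minutes-q2", "Secret")
PRICE_LIST = Asset("price-list", "Restricted")

if __name__ == "__main__":
    request_access(ADMIN, MINUTES)                     # denied: nobody else involved
    request_access(ADMIN, MINUTES, [ADMIN, CISO])      # denied: self-approval does not count
    request_access(ADMIN, MINUTES, [ANALYST, CISO])    # denied: analyst not cleared for Secret
    request_access(ADMIN, MINUTES, [CISO, SECRETARY])  # granted
    request_access(ANALYST, PRICE_LIST)                # granted: Restricted needs no approver
    for entry in AUDIT_LOG:
        print(entry)
```

The point of keeping the denial reasons in the log is that a lone administrator repeatedly hitting “2 approver(s) required, 0 valid” against Secret assets is exactly the pattern the text says went unobserved; the control both blocks the access and produces the evidence.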

Will it take an incident at your company before you take this seriously?

What is your company doing to deal with cyber crime?

You Think Your Data is Secure? – Think Again.

by Jim Noble, Director, TAC International

It is no secret that over the last few months, there has been a torrent of cyber security stories hitting the press:

  • Syrian Electronic Army takes down New York Times website for 24 hours because the Times ran an article on “US Military Options in Syria”.
  • Booz Allen Hamilton, Edward Snowden’s employer, claimed that he had every right to access the sensitive government data in his role as systems administrator, and they couldn’t possibly have known of his support for WikiLeaks.
  • In a three-year operation, hackers linked to China’s military infiltrated US defense contractor QinetiQ’s computers and compromised most if not all of the company’s research. QinetiQ makes satellites, drones, and software used by U.S. Special Forces in Afghanistan and the Middle East.
  • Hackers routinely access the hard drives of the photocopiers in the airport lounges of Hong Kong airport, using the remote diagnostics port.
  • A hacking gang targets vehicles being returned off-lease by CEOs, and downloads the contents of the on-board hard drive to get synchronized smartphone data.
  • Motorola’s new smartphone Moto X just released this month will have an always-on listening mode. The hacking community responded by saying that they have been doing that routinely with most models of smartphones.
  • Social Network passwords compromised – millions of IDs and passwords offered for sale on the Internet. Experts say that breaking your business password could take days, but that can shorten to seconds if the attacker knows your social network password.

Should the prevalence of cyber security stories worry your company or you personally? You bet it should! The scary thing is that even with all of the media attention, there are thousands of breaches taking place daily that do not show up in the news. In many cases the hacked companies and individuals don’t even know they’ve been compromised! The Director of the US National Security Agency said it best with this quote “You don’t know when they were there, when they left, what they took, and what they left behind.”

Let’s face it – there is no realistic way for you to prevent a determined attacker from stealing your sensitive data, other than stopping using your phones & computers. So get used to it; the cyber genie is out of the bottle and there is no way of putting it back. The sooner that you (and your company) get out of denial and accept that inevitable fact, the sooner you can start to do something constructive about it.

This awakening has already taken place in The White House, NASA, the Jet Propulsion Labs, Sony (PlayStation), RSA, The Wall Street Journal, Lockheed Martin, and the list goes on and on. What do they all have in common? They have all suffered numerous hacking attacks and have come to the realization that it would be both impossible and cost prohibitive to even attempt to completely prevent a recurrence, and so they have instituted mechanisms to detect and react to future events. These mechanisms take many forms and companies hold these secrets as highly confidential (if they were obvious, or made public, the bad guys would find a countermeasure quite quickly).

What are you doing to prevent security breaches? And is it enough?

BYOD Hurricane

by Peter Schay, President and CEO of TAC.

I live on the East Coast of the U.S. When it comes to natural disasters, this part of the country rarely gets tornados or earthquakes (at least not damaging earthquakes), but every few years we do get a hurricane.

As natural disasters go, hurricanes have a “feature” not shared by tornados or earthquakes — you know when they are coming. As such, you can prepare for them.

In this regard, bring-your-own-device is like a hurricane. You can’t stop it, but you can be ready for it.

Unless you have an extraordinarily regimented (e.g., military) organizational culture — and the IT and physical security to match — you are not going to stop BYOD from happening. Failure to actively support it will simply lead to security exposures and dissatisfied users (some undoubtedly in senior management). Moreover, unless you currently pay the mobile service charges for company-owned devices, and refuse to pay them for BYOD, IT costs are going to go up.

TAC thought leader Beth Cohen advises, “Rather than attempting to halt the demand, the smarter path is to embrace BYOD’s by providing a safe and secure framework for their use. This framework should have two complementary components: a BYOD policy and the technology framework and administration software to enforce it. An official corporate BYOD policy would not be dissimilar to the corporate security policy. To make it easier, some companies just incorporate their BYOD device policies directly into their standard security policy that all employees are expected to adhere to. The key to successful enforcement is the implementation of the proper MDM [mobile device management] software.”

You may not like it (after all, who except weather junkies likes hurricanes), but you can put in place the BYOD policies and mobile device management technologies to successfully weather the BYOD storm. TAC has helped clients successfully address BYOD issues (policies, device management, security, etc.) in industries ranging from manufacturing to professional services. If you’re struggling with BYOD issues, contact us — we can also help you.

Windows Reimagined

by Peter Schay, President and CEO of TAC.

The first television ad for Microsoft Windows 8, ending with the tag line “Windows reimagined,” appeared this weekend. With its rapid video cuts, high-energy music, exploding laptop PC, children and teens playing games and videos, humorous photos, children creating artwork, etc., the ad says a lot about Microsoft’s strategy with Windows 8.

The term “reimagine” is one that Microsoft has been using since the first public demonstration of Windows 8 in June 2011. Windows 8 represents the most dramatic change in Windows since Windows NT in 1993 — but in a very different direction.

Windows NT was about bringing robust, enterprise-class operating system technology to what had previously been a fragile kludge-tower of inherently limited and insecure software. Ironically, key capabilities of NT, such as the Hardware Abstraction Layer to simplify porting to multiple processor architectures, and the ability to support multiple simultaneous API subsystems (including POSIX and OS/2 subsystems in early versions of NT), have been underutilized for years, but are the foundation for Windows 8 support of the ARM architecture and side-by-side WinRT and Win32 API subsystems.

In contrast to Windows NT, with its focus on moving upscale, Windows 8 is about moving real Windows (in contrast to Windows CE derivatives such as Windows Phone) downscale — to mobile, consumer-oriented devices. The disruptive “Metro” user experience is the most visible aspect of this strategy, but only part of the big picture.

Although the development of Windows 8 began almost a year before the appearance of the Apple iPad, one helpful way of thinking about Windows 8 is as an iPad competitor that also runs legacy Windows applications. The usage model of the iPad is as a mobile, consumer device used primarily for entertainment and education (reading books, watching movies, playing games, video chats with friends, light editing and sharing of personal photos, web browsing, etc.), on which one can also read and reply to e-mail. The Metro/WinRT environment is designed for that usage model.

With PC sales essentially flat, success in the mobile device market is a strategic imperative for Microsoft. That does not, however, necessarily make adoption of Windows 8 a strategic imperative for enterprise or small/midsize business IT.

As I wrote in previous blog postings, the primary near-term opportunity for Windows 8 in business is as a platform for internal-use tablet applications — where a credible business case can be demonstrated for those applications. Unlike iPad and Google Android-based tablet devices, Windows 8 devices can be programmed and managed with tools already familiar to IT development and operations teams, significantly improving the practicality of enterprise tablet deployments.

Notwithstanding the various bells and whistles which have been added for the desktop environment in Windows 8 (faster boot, improved file explorer, improved task manager [my favorite], file history, etc.), none of them are compelling enough to put users through the disruption of introducing the Metro environment — which is unavoidable even for those whose intent is to “live in the desktop.”

The big open question about Windows 8 is the extent that it will succeed at making Microsoft a major player in the consumer tablet market. We will know that when end users start asking IT to add Windows 8 to the bring-your-own-device list.