Archive for August, 2012

How do you manage separation of duties?

Monday, August 27th, 2012

In the old days, privilege was simple: administrative privilege on mainframes, root or superuser on Unix and Linux systems, supervisor or admin on NetWare systems, or administrator on Windows systems. Each cordoned off access to IT resources into one of two states:

1) you own and can control everything

2) you do NOT own and CANNOT control everything

The architectural limit of today’s technology

The fundamental design of most modern computing systems, including the latest iPhone or Android phone (you have to “root” your phone), either lets you control everything or lets you control nothing; and software applications either run as privileged kernel-level superuser or administrative processes (and threads) or they run as less privileged user processes (and threads).

Design limit meets the Internet

The fundamental design-concept regarding privilege for information technology has not changed: It’s still based on the idea that you can own the device or not.

In your home this dualism works well if you are trying to prevent your children from causing problems. But in an enterprise setting, with many degrees of freedom and an untold number of interacting processes and IT systems, this simple access dichotomy inherent in the technology does not work.

Then along comes the Internet, internetworking and its applications, from the hardware and link level to the application level, all built into every technology platform and application. It provides an inviting target to miscreants both inside and outside the organization, on both sides of the Maginot line separating enterprise networks from the Internet.

Design limit meets regulatory rules and audits

And then, you have these regulatory and other audits (think PCI, SOX general controls audits, HIPAA audits, Euro Data Privacy, etc) that demand duties and roles be segregated and separated.

In general, most regulations on separation of duties focus on ensuring that the people who can approve a transaction are not the same people who can initiate it. Otherwise you’d have wholesale fraud and loss.

But these same rules are also extended to focus on making sure the same people who install and maintain IT systems are not the same people who manage security for IT applications and systems.

Even with logging turned-on to capture and record every change that occurs, regulators and auditors frequently want to separate or segregate roles to ensure the fox is not also guarding the hen house.

Solution: technology, organizational or both?

The problem for most of us is that there is NO simple technology solution to the problem. Even the oft-talked about “least privilege” solution that is bandied about by suppliers looking to score points is found to be simplistic or non-scalable: when you look under the covers you find it is difficult to approximate the real world.

This leaves most organizations with using the only ways they can to separate or segregate privileged from unprivileged roles, by artificially restricting who has access to “superuser” or administrative roles. Unfortunately, it’s not always a pretty sight or as clean as it sounds.

For example, relational databases are often installed as “root” and own the boxes on which they are installed. And DBAs who are granted “superuser” rights can often do whatever they want with those boxes.

Some organizations have gone to the extreme of using specially developed code (often called Role-based Access Control, or RBAC) to prevent DBAs from accessing transaction and security logs, whereas others have not been required to implement these steps. But the fundamental problem, the underlying architectural limit of “all access or limited access”, has not changed with most RBAC extensions. Similar problems exist, and less common Role-based Access Controls are being used and tried, for network systems, hosts, applications and websites that act as the front end of transactions (think online banking, etc).

In the face of expensive or strange contortions, many organizations simply reorganize who can do what to which systems: in effect implementing separation of duties the old fashioned way by imposing organizational limits and job duties on what people can or cannot do with IT systems, applications and networks.
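The three splits discussed above (initiator versus approver, installer versus security administrator, DBA versus audit-log reader) can be expressed as a static role model and checked three ways: a static scan of who holds conflicting roles, a preventive check before a role is granted, and a detective check over transaction records. This is an added example, not code from the original post; the role names, the conflicting pairs, the user assignments and the transaction records are all constructed sample data.

```python
# Separation-of-duties (SoD) checks over a role model and a transaction log.
# Added example, not code from the original post; every name and record below
# is constructed sample data.
# Role combinations one person must not hold at once (constructed policy):
# initiate/approve, install/secure, and the DBA/audit-log split the post describes.
CONFLICTING_ROLE_PAIRS = frozenset({
    frozenset({"transaction_initiator", "transaction_approver"}),
    frozenset({"system_installer", "security_administrator"}),
    frozenset({"dba_superuser", "audit_log_reader"}),
})

# Constructed sample assignments: user -> roles currently held.
ASSIGNMENTS = {
    "alice": {"transaction_initiator"},
    "bob": {"transaction_approver"},
    "carol": {"transaction_initiator", "transaction_approver"},
    "dave": {"dba_superuser", "audit_log_reader", "system_installer"},
    "erin": {"security_administrator"},
}

# Constructed sample records, as an approval workflow might log them.
TRANSACTIONS = [
    {"id": "T1", "initiated_by": "alice", "approved_by": "bob"},
    {"id": "T2", "initiated_by": "carol", "approved_by": "carol"},
    {"id": "T3", "initiated_by": "bob", "approved_by": "alice"},
]

def find_role_conflicts(assignments, conflicts=CONFLICTING_ROLE_PAIRS):
    """Static check: map each user to the sorted conflicting pairs they hold."""
    found = {}
    for user, roles in assignments.items():
        hits = sorted(tuple(sorted(p)) for p in conflicts if p <= roles)
        if hits:
            found[user] = hits
    return found

def conflicting_roles_if_granted(user, new_role, assignments,
                                 conflicts=CONFLICTING_ROLE_PAIRS):
    """Preventive check for provisioning: roles the user already holds that
    clash with new_role; an empty set means the grant keeps SoD intact."""
    held = assignments.get(user, set())
    return {r for p in conflicts if new_role in p for r in p - {new_role} if r in held}

def transaction_log_findings(transactions, assignments):
    """Detective check over log records: self-approvals and actors lacking the role."""
    findings = []
    for t in transactions:
        init, appr = t["initiated_by"], t["approved_by"]
        if init == appr:
            findings.append((t["id"], "self-approved"))
        if "transaction_initiator" not in assignments.get(init, set()):
            findings.append((t["id"], f"{init} lacks transaction_initiator"))
        if "transaction_approver" not in assignments.get(appr, set()):
            findings.append((t["id"], f"{appr} lacks transaction_approver"))
    return findings
```

The static and preventive checks belong in the provisioning process; the detective check is what an auditor would run over the transaction log to confirm the organizational controls actually held.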

Evaluate the risk

There is not one solution for separation of duties that can be applied equally for all organizations. Segregation of duties is an additional cost because it may involve technology and it is likely to increase head count. As a result, a risk assessment should be conducted to determine where separation of duties is necessary: don’t assume your auditor is right until management has had the opportunity to decide whether to accept or mitigate the risks.

So, how do you control the separation or segregation of duties for your organization when it comes to IT systems, networks and applications?

Let us know.

Some additional readings

- Separation of duties guide: https://financial.ucsc.edu/pages/management_separationofduties.aspx

- Separation of duties: Controllers Office at UC Berkeley: http://controller.berkeley.edu/controls/roles.htm

- Separation of duties and IT security: http://www.csoonline.com/article/446017/separation-of-duties-and-it-security

- Separation of duties in information technology: http://www.sans.edu/research/security-laboratory/article/it-separation-duties

Big Data: Big Rewards, Big Risks

Monday, August 20th, 2012

If you’ve not been paying attention then you’ve probably missed the hype about big data, which is just fine. But beyond the hype about BIG DATA is a promise about to be born: the ability to find new insight and intelligence from a vast amount of information we are accumulating as a society.

And accumulate is a very accurate characterization of what we are doing:

Amount of data stored by 2007

Information is now almost exclusively digital

  • In 2000, 75% of stored information was in analogue format
  • In 2007, 94% of stored information was in digital format

Amount of data stored in 2010

  • In 2010, the BBC claims we stored close to one zettabyte (10^21 bytes)
  • This is more than twice the amount of stored information from 2007
  • The BBC claims digital data storage grew by 60% year over year from 2009 to 2010

Amount of data stored in 2012

IDC forecasts growth of stored data to 2.7 zettabytes by 2012

Unstructured versus structured data

Moreover, the format of the data being stored now appears to favor what’s called unstructured data (think of things like photos, music clips, email messages, SMS messages, etc). In fact, some argue that 80% of what we now store is unstructured information, meaning it’s not put into a database, relational or otherwise.

Big data benefits

The promise of BIG DATA is not the storage of this vast amount of information, but the ability to garner new insights from the vast sea of information being accumulated. Much of this accumulated information lies outside the control of enterprise networks, and instead resides on networks across the Internet.

What’s different now is the scope of the data. The first stage BIG DATA efforts were driven by BI (business intelligence) application projects that relied on in-house data, most of which was stored in databases. The second stage BIG DATA projects relied on creating linkages between unstructured data (information not stored in databases) and structured data (information stored in databases) most of which was stored by the enterprise. A third wave of trials now just underway involves the use of data sources outside the enterprise network.

Although the number of third-stage BIG DATA tryouts and proof-of-concept efforts is still small and they are in their early stages, indicators reveal that more and more organizations are starting to put their foot in these BIG DATA waters to determine how the intelligence that can be gleaned from new data sources can assist their efforts.

The promise of BIG DATA – which is about faster, smarter data-driven decision-making – is also accompanied by BIG RISKS, including the invasion of corporate and personal privacy, adverse impacts on brands and reputation, regulatory snafus (eventually regulations always catch up with the use of technology), as well as negative legal and financial outcomes among others.

Sinister outcomes?

BIG DATA promises to record, store and sift out more intelligence – from data, IT systems, organizations, and from people and their interactions – than has ever been possible before. And it is the insight into crevices never revealed before that brings with it potential sinister side-effects that are not being considered in the rush to find and exploit the benefits. In the wrong hands, the information and insights gleaned from BIG DATA can easily result in destructive rather than beneficial outcomes.

Remember to balance the big rewards and risks

The rewards and risks of BIG DATA should both be considered, articulated and estimated before the new third-stage proof-of-concept efforts go live, with controls introduced to manage both the upside and downside consequences of these new uses of technology.

What are your employees doing on &!^$@#

Friday, August 10th, 2012

Some people seem very happy to use social media sites for a wide variety of purposes, including sharing information with everyone or just friends, meeting and networking, obtaining information from friends and acquaintances, looking for jobs, sharing recipes, and almost any other purpose you can think about.

A few of the well-known sites include: Facebook, YouTube, Twitter, Linkedin, MySpace, Google+, Yahoo Answers, Pinterest, Tagged, Meetme, Wikipedia, Yelp, Badoo, Orkut and Ning among others. And these are just the tip of the iceberg when it comes to the sheer number of social-media sites on the Internet. There are thousands of these sites across the Internet today, and some of the more obscure sites are sure to serve darker, more illicit purposes.

People, especially younger people, share a lot of personal information about themselves — or information about their employer — with other people through these public and semi-public venues.

Most of these sites share (store) user data — and by extension some employees share (store) employer data — on servers located somewhere on the Internet. And many of these social media service sites employ other third parties to store data for them. Because some form of cloud service is involved in sharing and storing user-provided data, social media presents some interesting conundrums for organizations.

Benefits and risks of social media for organizations

The benefits of using social media for business purposes include: adding qualified suspects to sales pipelines, reducing costs to reach and retain customers, and improving customer experience and loyalty among others. The risks of using social media include: mixed messages adversely impacting the brand; and loss of control over intellectual property, financial data, customer information, and other forms of confidential information among others.

Risk of using social media: Who owns the data?

One of the most important risks to consider is ownership of organizational data that makes its way onto social media sites by employees. Is such data stored on social media sites owned by the users or the organization providing the data, or is the data owned by the social media site where the data is shared and stored?

  • In some cases the answer is one or the other, and in some cases it is both.
  • In other cases the answer is “not quite” to “no”: leaving users and organizations without ownership of their own data once it has been moved to a site.

Who’s responsible?

In most cases you’ll find responsibility for any data posted onto social media sites resides with the original provider, the user who supplied it. Most social media sites take no responsibility for the data that is posted, and stored, through their services. But many social media sites have rather vague controls – just trust us – in place for protecting the actual data, even when they have policies in place. And if the social media brand outsources its data storage to a third party, who’s responsible?

Manipulation and reuse

The fuzzy issues governing ownership of data are also an invitation to a wide variety of ways to manipulate data, unbeknownst to the user and in some cases unknown to the social media brands themselves.

Once data is public, such things as sales and advertising services sold to third parties looking to gain more qualified prospects become revenue line extensions that are easy to exploit by social media firms. In fact, these reuses of the original owner information and data are occurring, and have been for some time. Think of Facebook as well as Google search, gmail, maps and now Google+.

Beyond advertising and sales, the same data can easily serve businesses offering personal investigation services, thieves looking for the additional information needed to steal assets, competitors looking for an advantage, or political subterfuge. Some of these outcomes are also probably taking place today.

What are your risks?

What happens when the brand of the institution is impacted by the loss of data that was never intended to see the light of day, or messages contrary to your firm’s brand cause confusion among customers and prospects? Are you looking at social media to improve customer loyalty?

Whether you decide to allow unfettered access to social media sites from the workplace or not, and whether you take advantage of the opportunity social media presents or not, these sites are probably being accessed and used by your employees – and customers – from their mobile devices and from home.

It’s probably a good idea to articulate the benefits and risks, establish your policies, implement whatever controls you deem necessary, and knowingly accept or mitigate the risks involved.

Ignoring social media may be the biggest risk of all.

Phone-phishing from India continues unabated

Wednesday, August 8th, 2012

Did you know a caller from the “Internet Technical Center” is trying to reach you because “when your PC is turned on, it’s sending malicious software onto the Internet?”

Or that a caller from the “Microsoft Internet Technical Center” wants your Microsoft product key to verify your copy of its software?

Or that another caller from the “Network Technology Center” needs you to connect to a web address to resolve problems on your computer?

Thieves and scoundrels

These ruses are among a continuing rash of phone-phishing incidents making the rounds from boiler-room theft centers located in India. The callers are oblivious to the background sounds of their fellow pirates trying to scam other innocent victims, all easily overheard during the phone call you’ve received.

In 2010 the favored geographic attack area seemed to center on Seattle in the US. It’s hard to tell whether this was intentional or just an accident, given the close location of Microsoft and the thieves’ use of the Microsoft name in many of their pitches.

The attacks have since morphed to include other geographic areas, including locations in the UK, Ireland and the US. The latest phishing attacks seem to be focused on the Midwest in the US.

What should you do?

- Tell your employees about the problem

- Tell them to make a note of the phone number if possible

- Tell them to hang-up on the callers

Then report the incident:

In the US, report the incident to the FTC
http://www.ftc.gov/bcp/edu/microsites/phonefraud/index.shtml

If you’ve been harmed, report the incident to the FBI and to your state attorney general in the US.

In the UK, report the incident to Action Fraud

http://www.actionfraud.police.uk/

Make sure you hang up

- Make sure employees are told to simply hang-up on these miscreants.


Some coverage of the scams

- Microsoft warns of phone phishing scam (June 18, 2012): http://www.zdnet.com/microsoft-warns-of-phone-phishing-scam-4010022765/

- The infamous Microsoft phone phishing scam (April 14, 2012): http://thundercloud.net/infoave/new/2012/04/14/the-infamous-microsoft-phone-phishing-scam/

- Watch out for fake Microsoft phone phishing scam (February 7, 2011): http://blog.seattlepi.com/microsoft/2011/02/07/watch-out-for-fake-microsoft-phone-phishing-scam/

- Indian Microsoft technician phishing scam by telephone: part 1 (November 2, 2010): http://www.youtube.com/watch?v=kOmm2W91HGM

Stuxnet, Duqu and Flame Presage New Ground

Monday, August 6th, 2012

Risk is a funny thing: if you don’t have any of it, business returns tend toward a thin range in a stochastic industry average. If you have too much risk, it can overwhelm any organization.

The recent experience of Knight Capital Group in the US proves the point that too much risk in the way IT is used is bad for business (see Knight getting costly $400 million lifeline after trading debacle).

The New Face of Risk: Stuxnet, Duqu and Flame

What does this have to do with information security, audit, and the governance of IT?

If you have too little risk in the way IT is used to pursue objectives, it’s a reflection of staid practices in keeping with stochastic returns.

Similarly, too much risk in the ways IT is used to pursue objectives can result in risk that will overwhelm any organization.

Just ask the recent targets of the offensive cyber attacks known as Stuxnet, Duqu and Flame (see The Pandora’s Box of Stuxnet, Duqu and Flame).

New Ground

The boundaries of risk and reward for the uses of IT are now being stretched by State actors intent on achieving objectives that go beyond those of civil, commercial enterprises. Unfortunately, the results for these new pursuits of IT are going to have ramifications we cannot fully see today, but which contain the seeds of results we can anticipate.

The new pattern emerging from the offensive cyber uses of IT includes covert intelligence, stealth behavior, information gathering, destruction of assets and property, and, in the case of Stuxnet, the actual loss of life.

The worry is that the new tools and techniques can easily be re-employed against civilian, military and intelligence interests, as well as non-military commercial interests.

The new offensive directions being spearheaded by State actors promise to radically reshape the comfortable risk and reward boundaries that commercial enterprises have — until now — assumed for their uses of IT.

Whether commercial businesses like it or not, each is being thrust into a new age of risk and reward to which none are contributing, but one in which each will have to spend money to manage new forms of risk.