Tom Olzak

Archive for the ‘Business Continuity’ Category

Shadow IT: Treat the cause, not the symptom

In Application Security, Business Continuity, Cloud Computing, Critical Infrastructure on July 8, 2015 at 04:00

I just posted an article at Toolbox.com about the business risks associated with shadow IT.  Many organizations see shadow IT as a disease to be cured.  However, as I write in my post, shadow IT is a symptom of a deeper issue.  It is this issue, related to IT remaining stuck in the past, that must be addressed.

MIT Report Troubling

In Business Continuity, China, Cyber-warfare, Government, Risk Management on March 1, 2013 at 18:17

In a recent report (MIT Report: U.S. Manufacturing Hits a Wall When It’s Time to Scale), Curt Woodward writes that a group of MIT researchers discovered an almost impassable chasm when looking for investment dollars.  The investment dollars were needed for 150 production companies wanting to move to full-scale production, and they were only available from foreign investors or if moved off-shore.

Why is this a security issue?  Because it has been clear for a long time that no one wants to build manufacturing plants in the US.  I’m not talking about steel mills; rather, the 150 companies (many started or supported by MIT students, professors, etc.) focused primarily on hi-tech products.  Just what we need… move all hi-tech production–the kind of production that is crucial to our economy and our national security–off-shore or make it vulnerable to the whims of foreign investors.

I don’t care whose fault this is; we spend far too much time in this country pointing fingers when we should be sitting down together to solve problems.  China is laughing its collective butt off as it steals our intellectual property and increasingly builds our technology.  I just don’t think it’s that funny…

IDCATU strikes Google, Apple, and Microsoft…

In apple, Business Continuity, Firefox, Google Chrome, Internet Explorer, Microsoft, Safari on February 21, 2013 at 20:47

The Register published an article today describing Adblock Plus angst over Google seemingly trying to take down their ad blocking software on Android.  See Ad-titan Google blocks Adblock Plus in Android security tweak • The Register.

While reading the article, I began to get the feeling that Google is intentionally blocking Adblock because it interferes with Google store functionality.  Interesting…

This is one more reason I am very pis… uh… angry this week.  When I first purchased my iMac last year, I was able to do 99% of what I could do on my Windows 7 laptop.  Today, Google Chrome for Mac is significantly crippled on many sites.  Further, I have to use IE 10 on my Windows 8 laptop to have access to several features I use during research.  We seem to be going backward.

When I started in IT (1983), I encountered a score of different standards from the same number of companies.  It was a compatibility nightmare until business simply accepted the IBM PC and MS-DOS as the de facto standard.  Vendors got on board or went out of business.

During the growth of the Internet, browser choices had gotten to the point that I could use the browser of my choice–the browser I felt most comfortable with–and I could be fairly confident that I would be able to be productive.  This was until recently…

Speaking only from personal experience, I believe I am suffering from a disease spreading across Microsoft, Google, and Apple: IDCATU syndrome.  As it spreads, market share and outdoing the competition become more important than user productivity.  Those suffering from I-Don’t-Care-About-The-User use double-talk to assuage the unwary into believing incompatibility between solutions is for their own good. BS.

I am seriously considering moving everything to open source.  The problem is that IDCATU also forces the big players to force the creative and unafflicted to the sidelines.  Some people are simply getting too uppity for their own good… and ours.

Nyuh-uh… wasn’t me…

In Business Continuity, China, Computers and Internet, Critical Infrastructure, Cyber Espionage, Cyber-warfare on February 20, 2013 at 18:48

Read this article first. Unit In China’s PLA Behind Massive Cyber Espionage Operation: Report | SecurityWeek.Com.

Now we can talk…

It should come as no surprise that China is aggressively hacking into anything it can.  In 2009, Gurmeet Kanwal wrote in the Journal for Defence Studies,

“The Chinese call their pursuit of information warfare and other hi-tech means to counter Washington’s overwhelmingly superior conventional military capabilities “acupuncture warfare”, a term that first surfaced in a 1997 PLA National Defense University publication entitled “On commanding Warfighting under High-Tech Conditions.”  Acupuncture warfare (also called “paralysis warfare”) was described as ‘Paralysing the enemy by attacking the weak link of his command, control, communications and information as if hitting his acupuncture point in kung fu combat.'”

So the Chinese have hacked, wheedled, and otherwise slunk into our national infrastructure.  They seem to be expanding on their initial acupuncture approach with theft of information needed to catch up with or impede Western technical and financial progress.  Of course, the Chinese deny they are anything but victims.

Yes, it is naive to believe we aren’t just as aggressively going after the Chinese.  However, public and private organizations still fail to understand the threat.  In China, the government has no problem applying pressure where needed to protect national infrastructure.  In fact, it is highly probable the Chinese government can disconnect China from the Internet on command.  In both areas, Western nations are at risk.

The path we must take in the West is to force government, financial institutions, utilities, healthcare organizations, and other critical service providers to secure their networks or face severe sanctions.  After all, we can do little about what China sees as behavior in support of its national security.  What we can do is remove the vulnerabilities it exploits and closely monitor for what is obviously continuous malicious activity.  We’ve waited long enough for government and private management to do the right thing.  It’s now time to pick up Teddy’s big stick and domestically whack some heads.

Facebook employees should know better

In Business Continuity, Cloud Computing, Computers and Internet, Data Security, Insider risk, Java on February 15, 2013 at 20:27

While I believe that posting any private information to a social networking site is… well… nuts, I also believe we should have a reasonable expectation of privacy.  This means companies like Facebook must do a good job of protecting themselves from potential attacks.  So why were laptops used by Facebook employees targets of a recent zero-day attack?

Yes, it was zero-day.  We can’t foresee all possible attack vectors.  The threat agent used a hole in Java to infect the laptops.  Further, the Java exploit was sitting on a developer site.  Doh!  Didn’t see that coming, Facebook?  You should have.

Java is full of holes.  It is an exploit waiting to happen, and it is not the first time attackers circumvented the Java sandbox to get at the underlying platform.  Some, like Andrew Storms at nCircle Security, believe Java needs a complete overhaul (via Gregg Keizer, Computerworld).

 “Oracle should just take a mulligan and redesign Java before everyone completely loses faith in it…”

Apparently, Facebook didn’t get the memo.  Why would a social network company allow its employees to visit risky sites and then connect back to a network where customer and other sensitive data reside?  Why would any organization?

For more information on end-user device security, see Chapter 6 – End-user Device Security.