Are You Primed?

The Prime Information Security Blog

Power of the People

Published: December 8th, 2010

If you’ve tuned into any major news outlet lately, you can’t help but have noticed the ongoing drama concerning the release of US cables by Wikileaks. Since Wikileaks began releasing snippets from their cache of secret communiques, the online activist group Anonymous has taken it upon itself to enact a form of online ‘payback’.

Throughout the day, Anonymous has been directing its legion of constituents to conduct a distributed denial of service (DDoS) attack against MasterCard, Visa and others. Whilst I certainly don’t condone the actions of Anonymous in conducting illegal DDoS attacks, they have helped bring attention to an important issue.

When dealing with security, you’ll often hear mention of Confidentiality, Integrity and Availability — the three tenets of information security. All three of these are absolutely critical to protecting information. However, look at what most companies are doing and you’ll notice far less investment in protecting Availability, versus the other two domains.

I wanted to get a better perspective on the Anonymous actions, so I joined their IRC channel to listen in on what was being discussed. Whilst I was there, an announcement was made that the DDoS target was changing from MasterCard to Visa.com. This was scheduled to start at 4:00pm EST. I waited, and watched.

Within a matter of mere seconds, Visa’s web site was completely inaccessible. The DDoS attack was stunningly effective! In fact, it only took roughly 2,000 computers on the Internet to completely disrupt Visa’s site.

So what can we take away from this? We should be ensuring our security objectives include protecting the availability of our information systems. Sure, it’s critical to protect confidentiality and integrity… but your business may very well depend upon availability.

Security for the Remote Worker

Published: May 18th, 2010

I attended a press conference today, where details of a TELUS-commissioned Harris/Decima survey on “Flexible Work” were discussed. The survey contains some interesting data from Canadian companies.

The standout finding is that 89% of employees consider that a flexible working program (one that includes some remote / mobile working option) makes a company more attractive. An expert panel backed up this conclusion with supporting data showing how many job-seekers entering the market consider flexible working to be table stakes.

There’s no doubt that the small business sector is especially keen to embrace flexible work programs. Small businesses enjoy a type of agility and readiness to embrace more cutting-edge concepts that larger businesses are slow to adopt. One area that is of particular interest for me is how we can continue to ensure good information security practices, even though our workforce is increasingly mobile: working at home, in coffee shops, airports, etc.

Small businesses often don’t have the extensive IT infrastructure that larger companies are able to leverage to maintain an acceptable level of security. What type of infrastructure are we talking about? Here are just a few:

  • Remote network access, such as a Virtual Private Network (VPN) connection back to the ‘office’ network.
  • Remote voice communication: mobile phones, VoIP telephony, etc.
  • Data backup.
  • Update mechanisms for anti-virus software, operating systems and applications.

For some businesses, this means investing in and building out the necessary infrastructure, which can be costly and brings with it management overhead that previously may not have existed. For others, outsourcing is a more viable option. I have seen several businesses, for example, make the transition to Google Applications as a way of ensuring their remote workforce can collaborate effectively, regardless of their location. Once these hurdles have been overcome, we must not forget to think about how these changes have impacted our information security.

There may be some concrete benefits to providing a flexible working program in your business, but it also brings some security considerations to the forefront. Maybe now is a good time to think about your flexible working strategy and review your security practices to see if they are still effective.

Microsoft: the world’s #1 Security Tools provider?

Published: March 30th, 2010

I should preface this post with the fact that this is to be read with tongue firmly planted in cheek. I think.

Some number of years ago I worked for Nortel. One particular morning, I recall attending a ‘town hall’ meeting being held with the CEO at the time. We won’t use his name, but suffice to say it was during a period of ‘initial decline’ at the company. During this town hall session, we heard about the usual suspects: new product introductions, R&D innovations, customer success stories and financial performance. The last point was of keen interest for many; despite not being accountants, everyone had learned a little something to better understand the situation Nortel found themselves in. Even a graphic designer could tell you DSO was Days Sales Outstanding, and why that was bad if it got too big.

As the session progressed, it was explained that the Optical portfolio was seeing some decline in growth. It was pretty clear for us all to see that ‘some decline in growth’ was secret accounting-speak for ‘the bottom has fallen out of the market’. What followed was a great demonstration of the difference between Generally Accepted Accounting Principles (GAAP) and Nortel Accepted Accounting Principles (NAAP). Under NAAP, correcting this minor decline in growth was simple: just reclassify your portfolio so that almost everything becomes an ‘Opto’ product. How to achieve that? Why, if a product contains any kind of optoelectronic component, then rack up its revenue under the optical portfolio. Of course, almost everything had an LED power light… so we were in business! Optical revenue had never been stronger.

This redefinition hit me again today. As security professionals, we often work with a number of tools to help secure our networks, systems and information. Sure, security folks will all recognize tools like Nessus, Snort, WebInspect, nmap and so on. There’s even a nice list of the Top 100 Network Security Tools — people love lists.

But it’s flawed. The real number one security tool vendor is Microsoft.

I’ve asked a few security professionals what tools they use the most in the field. The most popular isn’t Nessus or nmap; it’s not Snort, Metasploit or Core Impact. It’s Microsoft PowerPoint.

That’s right: in my extremely unscientific survey, and re-classifying PowerPoint as a security tool (under the rules of NAAP), I confirm that Microsoft is the #1 provider of security tools. We spend buckets of time creating presentations to pitch security, presentations to position how it will be improved, presentations to get funding, presentations to measure progress. It’s a wonder we don’t create presentations about creating presentations. Oh, maybe we do.

So congratulations Microsoft, on your great achievement in the field of information security! I do have one small suggestion… and judging from the ‘Windows 7 was my idea’ advertisements on TV right now, I think you are listening. Could we please have one of those lovely security seals, something like ‘Protected by PowerPoint’, that we could put on our web sites, or stick to our servers?

That’ll keep the bad guys out.

Ada Lovelace Day

Published: March 27th, 2010

Ada Lovelace Day was celebrated on March 24th, a day in recognition of the contribution of women in science and technology. If you haven’t heard of Ada Lovelace, I’d certainly recommend you find out more about her short but fascinating life, over at Wikipedia.

Ada was one of the world’s first programmers, developing a process of calculating Bernoulli numbers using Charles Babbage’s Analytical Engine. This, despite the fact that Babbage’s machine had never been built.

If you’ve ever written a computer program, give a few moments pause to consider Ada’s contribution that kick-started the discipline.

Who are your favourite women in science and technology?

Welcome

Published: March 21st, 2010

Welcome to Prime Information Security’s new blog: Are You Primed?

Through our blog, we’ll be making sense of information security by looking at the hottest issues and exploring what they mean for your business. We welcome you to get involved: ask questions, share your thoughts and opinions.

If there is a topic you’d like us to explore, drop us a line and we’ll see what we can do!