Information Assurance and IT Security – an Investment Outlook for 2008

January 17th, 2008

January 9, 2008

In 2008, I will be sharing insights, concerns and perspectives on issues of IT security, risk management and information assurance through regular postings in the newsletter, podcasts and blogs.

I thought we’d start ’08 with a review of investment opportunities in the industry. These thoughts will hopefully also have relevance for the infrastructure investments you will likely be considering for your enterprise.

Behind every good investment opportunity are two critical considerations, which really boil down to the classical price-to-earnings, or P/E, ratio. On the one hand, we consider where the company is going and what the expectations for growth and profitability are. On the other hand, we must weigh this against the current expectations for the company, which are reflected in the current price of the company’s shares. Anybody can recognize a nice car, but a good buy is when the price reflects value. Thus, while some security opportunities have very high possibilities, current expectations may already exceed the likely performance of the company, making the stock a poor investment even though the business has strong opportunities.

This reflects the state of affairs in the security industry. There are some tremendous opportunities, but there are also some highly inflated companies. The prudent and well-informed investor must distinguish between the two.

So let’s start with what’s hot. What drives security spending is threats, and more specifically, actual awareness of those threats. Those that have large potential economic consequences will drive the sales of numerous specialty devices. Unlike most engineering problems, with security, when a solution is found, it is quickly attacked by a variety of alternative attack strategies. The closest experience most engineers have to this kind of environment is trying to tame the flow of water. The reaction to a barrier is always an attempt to get around it!

Hot solutions will be the ones addressing our biggest security issues which for 2008 include privacy, click fraud, compliance, convergence and continuity planning. Throughout the year, we’ll speak to why these are the top plays, but for starters here are some of the drivers:

1) Click fraud – online advertising is growing and most of it is pay-per-click. The only problem is that hundreds of millions may be going to fraudulent clicks. There’s a lot of real, fungible money here, so this will drive sales.

2) Privacy – it’s an election year and this one will be heating up, but on its own it may only serve to complement compliance. 2008 may be the year consumers realize that privacy is something they might be willing to pay for, creating a very hot market for a wide array of technologies, including crypto.

3) Compliance – the costs here are more clear-cut, and mandates look set to trump any altruistic interest in security; PCI and the new Minnesota disclosure law in particular will drive more spending than SOX remnants.

4) Continuity Planning – the net is fragile, and putting voice onto the net creates a whole new set of potential threats, including new power dependencies, the need for stronger IP device authentication and lots more … simple thinking about what might be done with a million-node botnet should give reason to invest here.

5) Convergence – while there are plenty of convergences being bandied about this year, the one with great opportunity is linking physical and logical security. When your alarm system becomes smart, there are lots of substantial opportunities.

So, these are the problems that will drive spending. Where should you put your money?

Well, here’s the rub. The fastest players to market continue to be agile and focused start-ups. This means the best opportunities are for early-stage investments. If you go and ask your IT security team what items top their list, you might just find that the companies behind the technologies are all start-ups. The best opportunities here continue to be for what is commonly called the F-Cube (that’s F to the third power, representing family, friends and fools) or through Angel Funds (which we’ll see covered throughout the year in the Entrepreneur’s Column).

Venture funds are poised to grab emerging players in this space, but it will usually take a couple of years of proving themselves before these companies are rolled up into some of the major public companies where you can play.

However, it’s noteworthy that the public players are extremely acquisitive, and everybody from Google, Microsoft and IBM to the more focused security players is buying proven technologies in hopes of scaling them through integration.

This final point is pretty important when you look at many cutting-edge security tools today. Right now they usually require complex integration and sophisticated management.

It’s best to think of the market as the auto industry without any car dealers – only auto parts suppliers. Winning technologies, like intermittent windshield wipers, won’t make it if you have to build them into the car yourself. However, there will be lots of great products this year that will be proven in the F-500 markets, where companies can afford the complexity. Companies that demonstrate success here will be the tools that are soon integrated into the products you buy at Best Buy for your kids to configure and install.

Foundations Of Entrepreneurship

July 3rd, 2007

As a serial entrepreneur, a recipient of the Deloitte & Touche Entrepreneur of the Year Award, and now working as the Dow Entrepreneur in Residence at Saginaw Valley State University, I have frequently been asked to explain what produces exceptional entrepreneurship. Today, this question takes on vital importance as we collectively seek new means of enhancing economic growth in mid-Michigan.

Answering this question has become more difficult as interest in entrepreneurship has exploded. The same desire for entrepreneurship we seek in Saginaw is being sought in Singapore, Sacramento and Saigon. Business schools around the world are embracing entrepreneurship and new courses and programs abound. Yet, it is surprising how little consensus exists on just what it is we’re trying to foster.

My answer has traditionally been quite simple. Entrepreneurship is having a “fire in the belly”. The problem with this explanation is apparent. Those who are real entrepreneurs all know instinctively the precise meaning of this “fire” while everybody else gives me blank stares and, I assume, begins thinking about abdominal cramps or ulcers as they imagine what it’s like to be a real entrepreneur. It’s now clear that my “fire in the belly” definition lacks practical value in helping us embrace strategies of expanded entrepreneurship in the region.

To give a more precise explanation of entrepreneurship, I’ve adopted a more practical one. When we say we want to embrace and enhance entrepreneurship, I think the focus should be on the rapid realization of a positive economic outcome. While that’s still pretty abstract, it goes beyond the fire and tries to address what’s burning.

While trying to develop an understanding of entrepreneurship amongst those who don’t understand the “fire”, a second and equally important aspect of entrepreneurship comes into the discussion. Is entrepreneurship just for starting new businesses, or does it have something to do with renewal and revitalization that could have value for existing enterprises? Clearly, there is something very important being lost in some of today’s popularization if we limit the discussion to only new businesses. Rapid realization of economically important outcomes can occur in a Federal government department, in GM, in a hospital or a school district. All are in vital need of radical transformations and entrepreneurship.

While there has been a large body of literature that addresses how to accelerate change in large companies, it’s important to realize that the fundamental forces and issues are the same for all. The same forces that drive change in the auto industry drive changes in our hospitals and schools. The forces rebuilding our world today are global competition and the internet. These forces are the forces of change, but change is not new to economics. The forces are usually thought of as the marketplace, what Adam Smith called the “invisible hand”. Smith’s Wealth of Nations, published in 1776, to this day serves as the capitalist’s declaration of independence. It validates the importance of free choice by consumers. These choices are reflected in what is bought and sold in the markets throughout the world. The economic outcome of the entrepreneur is the free and willing acceptance of their work by the market. The important point is that it applies to every aspect of our economy. Entrepreneurship isn’t just for start-ups and small businesses!

So what causes the fire in the belly? What drives new entrepreneurs? How do we teach and inspire others to be creative, to invent and to grow? How do we drive constructive change in our economy, in our community, in our companies?

I don’t think great athletes, musicians or actors do it for the money. Rather, they love what they’re doing. The same is true for entrepreneurs. While entertainers play for applause, entrepreneurs play for acceptance. The acceptance of the market is reflected in dollar votes. It involves money being spent on the output of the entrepreneur’s work effort. It means the customer buys what we offer. That’s success, but it’s not for the money – it’s for the acceptance of our work-product. It’s the recognition of value for what we do. It’s the market’s applause. I’ve never met a successful entrepreneur who did it for the money rather than the acceptance and endorsement the money reflected. Profits are the market’s standing ovation. When, as CEO of a public company, I could report beating the analysts’ expectations, our stock went up, but the thrill was not the stock price per se, it was the feeling of a standing ovation.

So the fire is a desire to succeed in the eyes of the market, not the eyes of the boss. It is not to be the most popular team player but to score. Success requires teamwork, but the point is the focus, which, for the entrepreneur, is the burning desire to win in the market and not just around the office.

The news of successful growth in our region is often summarized by reports of major new investments in facilities and infrastructure. This is only a starting point. The rapid realization of sales, of cash flow from customers, is very different from landing successive rounds of loans, venture capital or investments in a company. Getting money to spend on the business from investors is the easy part compared to getting money from customers. Selling a promise or a vision to the investor is different from selling the product or service to the customer. The former can be enhanced by hype, exaggeration or simply having the right connections, while the latter requires every aspect of the company to work constructively toward a common outcome defined by the customer.

The customer is always the most demanding judge of your work efforts. They have to give up real money and all of the opportunities that they could have spent elsewhere to buy your offerings. That’s the hardest test in the world and that’s what every employer in the state must address.

The test, to win with the customer, to generate cash flow from customers, applies to us all. Hospitals, schools and churches, as well as our largest corporations, must pass the test. Every job in every enterprise, public or private, health care or automotive, in the end relies on that job being supported by a willing customer. The start-up entrepreneur is so close to this linkage to the customer that they can’t take their eyes off it. It’s vital that we all understand our roles as entrepreneurs. We all must assist in forcing the changes demanded, not by the boss in management, but by the absolute boss, the global customer.

While entrepreneurism is most often associated with starting a new business, it is not only about start-ups. That’s the point of rapid realization of an economic solution. Clearly the small start-up has a short fuse. They don’t have other options. The restaurant needs customers immediately. The private practitioner, consultant or artist needs customers immediately, or they go hungry. However, these same pressures apply to our schools and hospitals today. These organizations must find new, economically viable solutions and respond rapidly to the new world order too. They need to stay focused on the outcomes. Cash flow from customers means programs that voters endorse, that patients elect or that pay for themselves.

Together, we are all embarking on a new campaign to enhance the regional economy, to find ways to create and sustain better jobs in the region and higher quality of life. More jobs bring with them a larger tax base for our schools and police force. Higher paying jobs bring more support of our public institutions. Economic success is a community goal and to this end we should all embrace a campaign for increased entrepreneurship – a campaign for rapid realization of economic outcomes.

Ken Kousky

THIS IS NOT A TEST

January 30th, 2006

We’ve honed our skills, systems, defenses and management practices. It’s now time to put them to use, and it’s a great time to prove our capabilities and competencies.

Over the last two years we’ve discussed the evolution of malware in our Strategy to Reality executive forum.

The key point we’ve been making was that most of the worms and viruses we’ve seen were evolving best practices for propagation but didn’t carry destructive payloads. However, every one of the open vulnerabilities which allowed for the virus or worm COULD HAVE BEEN or MAY HAVE BEEN exploited with hostile code.

This led to extensive focus on the “you don’t know what you don’t know” problem and the potential for singularities – exploits with no signature.

Now, the second issue seems to be rearing its ugly, and I mean ugly, head.

Destructive payloads are being propagated. Yes, these ones go boom. The code is simple, and the carrier could be any worm or virus channel.

This one has been named BlackWorm, and SANS referenced the worm’s tracking site as having logged 300,000 infected machines. So, it’s not the scale or reach that has people concerned. Rather, it’s the payload.

There are three common aspects to the payload.

First, it has a retro-virus, aka an anti-virus virus. Retros go back a long way. We first started to make a big deal out of them when they started appearing with other malware in assembled packages like BugBear, circa September 2002.

Second, it has a propagation routine, and third, it has an additional payload.

THE BIG DIFFERENCE is that the payload is destructive. It overwrites data. It can destroy DOC, XLS, MDE, MDB, PDF, ZIP and other files.

Fortunately there are signatures, so current AV devices should work well, provided the retro-virus component doesn’t disengage them.
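As an added example that is not part of the original post, here is a defender-side file-integrity drill for the document types the post lists: it baselines SHA-256 hashes, rescans, and raises an alert when a large share of tracked files changes in one sweep, the kind of record a “run the drill, log the process” exercise should produce. The folder contents, file names and the overwrite scenario are constructed for the example.

```python
import hashlib
import os
import tempfile

# File types the post says BlackWorm overwrites (constructed list for this example).
TARGET_EXTS = {".doc", ".xls", ".mde", ".mdb", ".pdf", ".zip"}


def sha256_of(path):
    """Hash a file in chunks so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exts=TARGET_EXTS):
    """Map each tracked file (relative path) under root to (size, sha256)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in exts:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                baseline[rel] = (os.path.getsize(full), sha256_of(full))
    return baseline


def compare(old, new):
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "deleted": sorted(p for p in old if p not in new),
        "added": sorted(p for p in new if p not in old),
    }


def mass_overwrite_alert(diff, baseline_size, ratio=0.25):
    """A wiper touches many tracked files in one sweep; a user edits a few.
    Alert when the modified+deleted share of the baseline reaches ratio."""
    if baseline_size == 0:
        return False
    touched = len(diff["modified"]) + len(diff["deleted"])
    return touched / baseline_size >= ratio


def demo():
    """Constructed drill: baseline a folder, simulate an overwrite, rescan."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("q1.xls", "notes.doc", "report.pdf", "readme.txt"):
            with open(os.path.join(root, name), "w") as f:
                f.write("original content of " + name)
        before = build_baseline(root)  # readme.txt is not a tracked type
        # Stand-in for the destructive payload: two tracked files overwritten.
        for name in ("q1.xls", "notes.doc"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"\x00" * 32)
        diff = compare(before, build_baseline(root))
        return diff, mass_overwrite_alert(diff, len(before))


if __name__ == "__main__":
    diff, alert = demo()
    for kind, paths in diff.items():
        print(f"{kind}: {paths}")
    print("mass overwrite alert:", alert)
```

Store the baseline somewhere the endpoint cannot rewrite it, otherwise a payload that disables AV can just as easily replace the baseline.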

So what should you all be doing?

Running the drill. Logging the process. Proving the system.

You’ve got a serious warning … so, make sure your AVs are all running and up-to-date ON ALL SYSTEMS.

Remember, the number one way for data to get past the firewall is to WALK. Whatever your “inspect to connect” architecture, be it NAC, NAP, TCG-TNC or a hybrid of 802.1x and 3rd-party tools, you need to be sure it’s installed AND working.

THIS IS NOT A TEST should be your mantra. Let’s prove out our systems and management practices with a log of an attack we properly defend against and mitigate.

Ball’s in our court, as is BlackWorm.

By Ken Kousky

Should you get a degree or a cert ???

January 30th, 2006

I’ve commented on several listservs this month on the question of a degree or a certification. Having helped launch the certification industry, starting at Novell where we created the CNE program as a channel development effort, to Wave, where we started the bootcamp craze and had a $40 million certification business, to the training programs we provide at IP3, I’ve always been a champion of the education which serves as the foundation for certifications.

But over the past year the question continues to arise: should I get a degree or a cert? I find the question horrifying, since it’s like asking whether I should wear pants or a tie to work today. Start with the pants, please!

I know I jumped on this issue early in many discussion groups, shocked that anybody would compare a college degree with any or even all of the available industry certifications, and then was shocked again to see the ongoing interest in finding a shortcut to success without the hard work.

But lots of people have said “get the cert, don’t sweat the degree”.

Three observations. First, to those who found their college work to be meaningless, I can only say it’s your own fault. I’ve taught at Ivy League universities and community colleges. Both had lots to offer, but if a student wanted to spend $30,000 a year and waste their time, or simply log credits and a degree at the local CC, both were certainly possible.

Second, I have managed and hired hundreds of IT professionals over the years, and anybody who found that the recruiters only wanted a certification should be advised that they were being hired as a “grunt” without serious opportunity for career advancement. I NEVER saw a serious IT career position with management potential being offered based on certifications. On the other hand, there were lots of staff positions needed to pull wire, run the back-ups, troubleshoot and grease the wheels that might have needed very specific skills which could be well documented through a cert.

Third, it’s true that one of the top 5 spam offerings is now a college degree. That’s because they really are valuable. Buying one doesn’t provide an education, though.

The only real long-term value is your education. While I give CISSP prep lectures all the time and I truly believe that certifications for professionals are vital, I hope nobody gives up their education for them. Study math, science, history and art, and be sure to enjoy it – it will last a lifetime.

And let us not forget Mark Twain on the subject: “never let school interfere with a good education”, or something like that.

Ken Kousky

Welcome to the year of the Digital Lifestyle

January 25th, 2006

’06 has already become the year of profound contradictions and conflicts. Bill Gates helped get the year going with contradictions as the WMF exploit exposed hundreds of millions of PCs around the world to almost anything a creative and malicious mind might produce. This can be simple spying or it could be massive destruction of data, and the profound aspect is that we don’t know what we don’t know. That is, you have no reasonable way to confirm that your system is free of malware or spyware, keystroke loggers or rootkits. You can’t trust your machines!

So, while the Microsoft vulnerability was exploding worldwide, Microsoft finally released a patch and was able to claim it was what some called a pre-release, or that it released early. Wow, what spin, what contradictions. Of course, the fixes are only for currently supported products (after all, the exposure has been in Microsoft code since 1991, so there will be lots of legacy systems carrying disease, spam and other exploits on the net through this opening). Now, anybody who doesn’t buy new product from Microsoft becomes, almost literally, a leper in the community. They bought a product for life, but if they don’t buy more, they are now a carrier of serious contagions, a source of viruses, DDoS zombies and other evils. Should we demand they pay up, or is it Microsoft that should not be allowed to discontinue security support?

The next great piece of our story occurred a week ago when Mr. Gates helped kick off the Consumer Electronics Show telling the audience that 2006 will be the year of the digital lifestyle.

From my perspective, Bill is right on target. There’s no better way to come to terms with the corporate IT information assurance and security issues than to fully realize the meaning of security in a world of the digital lifestyle.

Property is increasingly digital; indeed, there have been dozens of stories on the real money being paid for virtual assets in the gaming industry, as if this is new. That’s right, you can get real money for virtual clothes, virtual weapons, a virtual car or plane that work only in cyberspace. From a more tangible perspective, what does Nike get other than a premium for their virtual value, since the same factories can make the same shoes without the brand? What’s in a name? Well, a lot today.

Virtual value-add rests on intellectual property protection, and that requires strong legal enforcement and forensics capabilities. It’s all digital and it’s all about information assurance.

This means crime can be done over the wire. It means wealth can be created with bits and stolen just as easily. How do we lock up property?

Privacy takes on a new meaning as well with digital lifestyles, where cameras on cell phones go into every locker room and bathroom every day, but also go in and out of the office, the research lab and the executive suites, and phone calls are moving to IP, with wireless making it trivial to sniff. Four more states have started the year with new privacy protection laws requiring companies to disclose exposures, all part of our digital lifestyles.

Well, this could go on and on, but the big news for the start of the year seems to suggest four areas for immediate attention:

1) the digital lifestyle will require a profound shift in our security to protect us against the new exploits;

2) we all need to get in front of the WMF issue: it’s more than a zero-day that didn’t explode on us. It means your systems were open since the time they were installed, and you have no way to know if or when they’ve been compromised. Firewalls and AV don’t give you that assurance, but they help. Only absolute lockdowns of all executables, DLLs and any source of compromised code (check out Cimcor) can provide real safeguards. IDSs may find anomalous behavior after the compromise;

3) regulations will grow and expand through the year as our government responds to broad-based demands for better safeguards; from SOX to HIPAA to state and federal privacy protection and disclosure laws, the digital lifestyle will demand a new legal and policy environment;

4) the Converged Enterprise, which is our theme for this year’s Strategy to Reality seminar tour, is based on the digital lifestyle and reflects the consumerization of critical technologies: VoIP is coming in from the desktop up, not top down; wireless is overlapping our networks from homes, branch offices and road warriors whether we want it or not; and multiple media on multiple form factors assure us that the digital lifestyle is profoundly changing the enterprise, with or without a solid security foundation.

By Ken Kousky