Copyright 2001 John Zipperer.
(12/01/01) There has always been more than a little myth-making with IT true believers telling us that the tech economy was creating a world of well-paid, independent contract workers. For some, that is true; but for others, such as those performing the tasks that have been considered of little consequence, the reality has been low pay, little training, and poor treatment.
The problem is that those tasks of little consequence are increasingly turning out to be of major consequence, and it requires us to re-evaluate the way we train, empower, and compensate the people performing them. Consider one of the sidelights of the recent hijacking of planes that were then flown into the World Trade Center and the Pentagon. The frontline of airline security is the folks who scan your carry-on luggage and walk you through metal detectors. These are people you would want to be highly trained security experts, right?
Dream on. The Economist reports that some United States airport-security screeners earn as little as $6 per hour. (Their European counterparts earn the equivalent of $15 per hour, plus benefits.) One result is an alarming turnover rate of more than 100 percent in the U.S. compared to Belgium's 4 percent. On top of that, our domestic screeners are undertrained.
That is pertinent to the general business world because advances in software have devolved many crucial corporate tasks, such as updating online catalogs or creating Web pages, from IT experts to lower-level employees. [See 'The Davids Inside Goliath,' Sept. 15, 2001, p. 16.] Our exposure here is not likely one of catastrophic disaster but death-by-a-thousand-cuts from mistakes made by poorly trained, insufficiently empowered, and likely underpaid staffers.
That is important for the lower-tier jobs. But guess what? We have got a problem with our top-tier jobs, too: the people who have indeed become well-paid independent workers. Simply put, we need to promote development of those skills that are crucial to economic and political development.
Daniel Goldin has sounded the alarm after looking at the fall in enrollment for engineering programs in America. As the head of NASA, he knows the importance of having a constant stream of career-minded students feeding into university programs and from there into research and development.
His warning is worth heeding outside science. Seth M. Jutan, CEO of VeriSign affiliate Trust-Asia, has met with many Asian technology experts, and what he has seen suggests that the U.S. edge in technology training could be fleeting. He says security and encryption talent abounds in China, and India is already building a bright new IT future for itself. 'What's more, there are types of coding that certain countries do better,' Jutan says. 'C++ and Visual Basic are just two languages that Vietnam does very well.'
U.S. businesses concerned about the future of the U.S. work force should care about national competitiveness. Our challenge is to aggressively develop more talent in the high-tech field (as well as other advanced fields, such as science and the humanities), while at the same time raising the levels of training, empowerment, and pay for low-tier jobs. If we don't, we'll grow into a nation of low-tier workers, all talking about what once was.
Denial of Service
A Good Offense
Companies Need Comprehensive Protection to Combat Attacks
By John Zipperer
(12/01/01) May 23, 2001, is a day that won't soon be forgotten at the Weather Channel's Web site, weather.com. A heavily trafficked Internet site, with monthly totals of 10-14 million unique users and 350 million page-views, weather.com depends on quick and easy access for its visitors. When the site came under attack from an unknown user, part of the problem was establishing that there was actually an attack occurring.
"Somebody was sending us malformed packets, and they were sending those to our routers and routers two levels above us, and they were driving up utilization to 100 percent, blocking access to the site," says Dan Agronow, vice president of quality control, testing, and site operations for weather.com. "The hardest part was convincing our service provider that it truly was a denial-of-service attack, and they eventually switched us to a different set of routers."
The provider had a solution to route the traffic through its own devices to analyze possible attacks, but weather.com turned to a less-expensive solution from Lancope called StealthWatch. That program monitors the communication between data services, using a statistical algorithm to detect anomalies. The user sets the parameters of normal use, so it can tell the difference between an attack and what could just be improperly configured routers and servers (what Lancope executives call "friendly fire").
Some of that challenge is organizational. Is your company really set up to deal with emergencies that can take place at any time? "The big confusion companies have is that they're not sure who's on first," says Juanita Ellis, vice president of Going Beyond E-Commerce Technologies and the co-author, with Timothy Speed, of The Internet Security Guidebook. She points to banks as models of handling intrusion detection. Banks were one of the first groups of companies to discover how important their information security was in an electronic world, as well as the critical aspect of public perception of the quality of their data security. Perhaps the most important element of a plan is not technical but human: establish a chain of command and set areas of responsibility. "When it comes to security," she says, "this is an area where it really needs to be dictatorial rather than democratic."
Centralization of control, but from the technical end, is the focus of Cryptek, a maker of an intrusion-detection hardware system called DiamondTEK. (Cryptek, until recently, worked exclusively with the Department of Defense.) Calling central control "crucial," Cryptek's Garber says systems are getting geometrically more difficult to protect as more systems are added to networks. "That is a real show-stopper," Garber says. "For effective security inside a network, one component has to be a central policy-based control system."
One technology-side suggestion he offers is a lesson from his government experience: Whatever security functions you decide to implement, move them off the operating systems and into the hardware devices that you want to protect. You don't depend on the OS for security because, well, there just aren't secure operating systems. "When you buy a commercial OS, you can't buy a secure one," Garber says. "That's just understood."
"Last year, the really big providers, the tier-1 guys, knew what to do," says Paul Robertson, director of risk assessment for TruSecure Corp. "Now I think more tier-2 and -3 guys know the procedures and who to call." The vulnerability of companies themselves could be greatly reduced by a phrase that has gone out of style but that is still appropriate: good Net citizenship. In this case, that means keeping your Internet-connected systems patched with the latest patches, something that in itself Robertson believes would tremendously cut down on the number of attacks.
And here as in so many areas, a good offense is the best defense. "You can never be 100-percent protected," says weather.com's Agronow. "We know from user feedback that our site is important to our users, so we are making an investment in security and security monitoring, and we will continue to make that investment as time goes on and new products come out or as new attacks are identified."
* Establish a formal chain-of-command and action plan that can be brought into use to deal with any attack on your company's systems.
* Your IT staff should have baseline metrics of your system during "normal" times, so they can better detect abnormalities.
* Make sure your ISP or carrier is doing its part to protect your system from attack. Also check with it and any other connected partners of yours to make sure their systems don't pose a threat to you.
* There are many products designed to protect your system and deal with intrusions. Use one or more, but don't forget the human aspect: train your IT staff (and anyone else who has contact with your systems) to know the signs of an attack.
* Have back-up machines (what the CERT Coordination Center calls "hot spares") that can be brought online rapidly if a machine is disabled.
* Formalize and enforce a regular IT back-up and checkup schedule.
* Log any suspected or actual incidents, details of the type of attack, what systems were compromised and how, and anything gleaned about the attacker's origins or identity.
* Secure your servers, so someone can't use them as a base to stage distributed denial-of-service attacks on other companies. One answer may be to install filters on your routers to the Internet that won't let packets escape that aren't from your network.
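The baseline-and-anomaly idea behind StealthWatch, and the checklist's advice to keep "normal" metrics on hand, can be shown in a few lines. This is an added illustration written for this page, not Lancope's code: it sets a baseline from constructed utilization readings of one router link, flags readings far above it, and separates a link pegged at saturation (the weather.com symptom) from a sustained but moderate rise of the kind a misconfigured router produces. The sigma, saturation and streak parameters are assumptions a site would tune for itself.

```python
"""Baseline-and-threshold anomaly detection for link utilization."""
from statistics import mean, pstdev

# Constructed sample: utilization (%) of one upstream router link during
# quiet operation. A real baseline is collected over days, per interface.
NORMAL_WEEK = [20, 30, 25, 25, 20, 30, 25, 25]


class LinkMonitor:
    """Flags a link whose utilization stays far above its own baseline."""

    def __init__(self, baseline_samples, sigma=3.0, saturation=95.0, min_streak=2):
        if len(baseline_samples) < 2:
            raise ValueError("need at least two baseline samples")
        self.mu = mean(baseline_samples)
        self.sd = pstdev(baseline_samples)
        self.sigma = sigma            # std devs above the mean that count as abnormal
        self.saturation = saturation  # utilization (%) treated as "link pegged"
        self.min_streak = min_streak  # consecutive abnormal readings before alerting
        self._streak = []             # readings in the current abnormal run
        self._alerted = False         # one alert per abnormal run

    def threshold(self):
        """Utilization above which a single reading is abnormal for this link."""
        return self.mu + self.sigma * self.sd

    def observe(self, index, utilization):
        """Feed one reading; return an alert dict or None."""
        if utilization <= self.threshold():
            self._streak, self._alerted = [], False  # back to normal: reset the run
            return None
        self._streak.append(utilization)
        if self._alerted or len(self._streak) < self.min_streak:
            return None  # a lone spike, or a run that was already reported
        self._alerted = True
        pegged = all(u >= self.saturation for u in self._streak)
        return {
            "index": index,
            # Saturated run: treat as a suspected attack. Elevated but not
            # saturated: an anomaly worth a look, possibly "friendly fire".
            "kind": "attack-suspect" if pegged else "anomaly",
            "readings": list(self._streak),
        }


def scan(readings, monitor):
    """Run a sequence of readings through a monitor and collect its alerts."""
    alerts = []
    for i, u in enumerate(readings):
        alert = monitor.observe(i, u)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed stream: one spike, a sustained moderate rise, then a link
# driven to 100 percent.
SAMPLE_STREAM = [26, 24, 40, 27, 45, 46, 30, 98, 100, 100, 99, 30]

if __name__ == "__main__":
    for a in scan(SAMPLE_STREAM, LinkMonitor(NORMAL_WEEK)):
        print(a)
```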
(12/01/01) Few people complain more than I do about the lack of human services when it comes to customer service from modern corporations. For many of those companies, the model is to spend tremendous amounts of time, effort, and money on integrating databases with call centers and such, but to shortchange the training and guidance of the customer-facing human agent.
Imagine my joy when I found a large company that avoided that pitfall. With my recent relocation from Internet World's New York offices to our Silicon Valley office, I had the most basic of needs: arrange local phone service at my new home. So I contacted Pacific Bell, a part of giant SBC Communications, to order my phone service. They tried to search for me in their national database first by driver's license number and then by Social Security number, but they had no luck with either. Because I know well that both are active and legitimate ID accounts for me, I knew they had a problem with bad information.
But they had a solution: I could go to one of their stores and show my photo ID, and then they would approve the service connection. Irritated but seeing light at the end of the tunnel, I went to the store, which turned out to be a liquor store that provided services for the phone company on the side. At the store I was politely informed that they no longer did ID verification, but there was a special Pacbell phone on the wall I could use. Of course, it was after Pacbell's office hours, so that phone was useless.
So I had a solution. The next day I called Pacbell, explained the situation, and suggested they tell me what to do next. (Okay, my solution was to make them find a solution, but it was their faulty database that was the problem in the first place.) The customer service representatives said there was nothing they could do; they had no backup process to go to if their database failed to give them good information (which I knew it had failed to do, because my driver's license was still valid and my Social Security number has been active for decades). They said they didn't know that the liquor store no longer provided ID services, so they had more bad data in their records, and they suggested another store in yet another suburb. (At that point, I contacted a consumer assistance organization. But the consumer group was unable to do anything more than suggest that I keep traveling to other suburbs to find a store that would verify my ID for Pacbell.)
Here's the problem that no one I spoke with at the phone company or at the consumer group seemed to even realize was a problem: The company was doing business with bad data in its database; it was causing their customers problems (and, in this case, losing them business); and they were uninterested in addressing it.
But they got part of the networked, customer-friendly company solution right. Their customer-service representatives were incredibly friendly, sympathetic, and polite. They just had bad organizational and technological infrastructure behind them, which is a little hard to understand about a communications giant in 2001.
This column is not about my complaint. Pacbell lost me as a customer, but that is no loss to me. Between cell phones and alternative Internet connections, my communications needs will be met. But we have all heard enough about connecting our personnel and databases together for the very purpose of providing seamless support to all aspects of our businesses. That is what this phase of the Internet revolution is about. It is what this magazine is about.
Any company can and will have problems with its data and technology from time to time. That is reality. But that can be handled well if you complete the circle, arming your customer service agents not only with good skills training but also with good information. Having one or the other isn't good enough, especially now that your customers and business partners are expecting you to deliver on the full range of benefits from being truly connected.
(11/26/01) If Stratify, Inc. president and CEO Nimish Mehta seems to be aiming high when he talks about creating companies that will dwarf Oracle and Sybase, it's because he's convinced that he has a business-intelligence approach that will make it happen. Citing Merrill Lynch estimates that structured data makes up only about 15 percent of corporate data, Mehta sees a huge opportunity in making that other 85 percent available to corporate decision makers.
He points to the structured data stored in columns in database files on Oracle or Sybase or DB2 as the popular notion of corporate data. "That has made Oracle and Sybase and DB2 and so forth a required piece of infrastructure in large corporations," Mehta says. But the other 85 percent is his potential gold mine, where information is stored in Word, PDF, PowerPoint, and other programs, and he says traditional structured-data systems don't take advantage of them. "Our vision is that over the next five or ten years there will be the emergence of a whole category of applications built by the new Oracles and Sybases of the world that will combine structured and unstructured information" and let company leadership make more-informed decisions based on a broader and deeper set of data, he says.
In their first quarter of availability, Stratify's first enterprise products are the Stratify Discovery System (which collects, organizes, and presents information to users from internal and external corporate resources and even the Web) and the Stratify Classification Server (for application developers to build software). The server is a subset of the Discovery System.
Customers include Inlumen, InfoSys Consulting, and WSJ.com. Even the Central Intelligence Agency (CIA) is interested in Stratify's ability to crawl through and catalog extensive Web pages and other electronic documents. Stratify recently received between $1 million and $5 million in funding from In-Q-Tel, the CIA's venture-capital firm. (Though completed after the terrorist attacks, the deal was reportedly in the works before September 11.)
In Mehta's view, the difference between mining structured data and unstructured data is similar to the difference between being able to input a query to "Tell me the three products with the lowest sales" and "Tell me the top-three issues customers ask about the three products with the lowest sales." You could have your research department carry out a survey, or you could get it from that unstructured information already in the company's files. Stratify's Discovery System aims to tell you what a text file is about. "Not what words are in it, but what it's about," says Mehta.
Focused on text, Stratify doesn't have a way yet of handling video and audio files, though Mehta agrees that such a capability will come one day. "There's not enough know-how to describe a picture today," he says. "I don't know if that technology really exists in a robust way for video and audio files."
Security Matters Newsletter Commentary
Managing the Expected Increase in Security Funding
By John Zipperer
(11/22/01) Perhaps you've heard this story. It concerns a company that had its internal, private designs hacked, but the company didn't do any monitoring of its system, so it didn't even know it was hacked. The first time it found out was when its employees saw their own designs posted online from another continent. That company learned very quickly the value of improved security. Now security officials at luckier companies need to deal with turning the funding spigot to the right spot and using the resources correctly.
Speaking at the recent Trusted Computing Forum 2001 in Mountain View, Calif., Christopher Klaus, founder and chief technology officer of Internet Security Systems, said that most of the companies he talks to don't understand security beyond recognizing that it's an important issue. They still fail in their responses, lacking security budgets, failing to do initial security assessments, failing to do monitoring of system security, using authentication that is "very poor to abysmal," and not even trying to do passwords correctly -- their systems are still riddled with "admin" logins and "password" used as passwords. How will those companies spend security money now that they (presumably) are drawing up plans and making budgets?
It's also a question you'll have to confront. As a reader of the Security Matters newsletter, you and your company have a higher-than-normal interest in and involvement with security. But you'll still have to answer how you'll spend the money that will be coming your way.
Richard Clarke, President Bush's special advisor for cyber security, told the Trusted Computing audience that our Internet infrastructure is fragile, having been built for different purposes than those for which it is now being used. As a result, companies are going to have to make investments to overcome those shortcomings. Security professionals disagree about how deeply the changes have to be made; some will say that as long as we have backward compatibility to old legacy systems, there's no way the system can be made secure; others will say it's not reasonable to talk about redoing everything, because that would be too expensive and would take too much effort. We agree with the latter group, and we urge companies to look at what they can do to their systems and databases and user communities and any other aspect affecting their security to tighten things up.
You'll require money to do it, and smart companies are already budgeting more. Spend some of that money on usability. You're doing two different-but-related things: you are making the system more difficult to undermine (from outside or within) and you're making the system easier to use security on -- by its nontechnical users and by the IT professionals, some of whom are guilty of those "admin" logins and "password" passwords.
If you are unlucky enough to have leadership that still doesn't see the need for investing in security, then you may be asked to quantify what your security efforts will save the company. Good luck. One security expert recently suggested that in a worst-case scenario, in which someone gets access to all of your company's database information, you can figure out the potential damage by looking at your company's market capitalization and using that as the value of the loss. That's overstating it a bit; even catastrophic losses aren't necessarily terminal.
Your best case is the one made by Richard Clarke, who says he talked about terrorist threats before September 11, and many people didn't see it as a real possibility. It happened. Similarly, we can see that our networked systems are vulnerable and that we are using them for more business-critical applications every day. "We have to recognize that as the Internet and the IT economy have saved us vast amounts of money in doing the many things that we ask it to do, and we have reduced the cost of operations in business after business after business to do specific functions, and it's saved a lot of money and we think of it as a way of driving costs down, it's not free," said Clarke. He goes on to criticize "corporations that think they can do IT on the cheap, that think they don't have to pay for a good IT security officer and staff, that think they don't have to outsource to a good IT security firm, that think they don't have to buy that added functionality."
We've received a grace period to convince the unbelievers, and it's also a time to show that we know what to do with the money that flows into enterprise information security. Our best case to make is that it's not an add-on, but it's an integral cost of doing business. That will convince some folks. Darwinism will take care of the others.
(11/22/01) Microsoft's .Net initiative is so wide-reaching that much of it was left unexplained when it was announced last year, and the various blocks are still being filled in today. But no one can blame the software maker in Redmond for lacking vision as it fills out the picture, and this is true in the security arena as well as in other areas. It has sometimes led the company to promise things it didn't know how it was going to deliver, but it's recognizing a fundamental truth: business and user needs are determining the pace and direction of technological development, not the other way around.
HailStorm was the original codename for Microsoft's idea for bringing together a user's private information in one place, where it could be managed by the user and kept out of reach of some potential abusers. HailStorm has been renamed .Net My Services and is being fleshed out in terms of what it will actually offer. Brian Arbogast, .Net's core-platform services vice president, noted recently that when the company made marketing videos for the service last year in which a number of scenarios showed users taking advantage of HailStorm's abilities, "We didn't know how one would ever deliver on these scenarios," he told attendees at the Trusted Computing Forum held recently on Microsoft's Mountain View, Calif., campus. "This was pure vision stuff."
Now, Microsoft can point to some actual progress made, and it knows more clearly where it is going.
Microsoft, in making the case for .Net My Services, still relies heavily on the idea that things are just too complicated for users. In a white paper introducing My Services, Microsoft claims, "People are frustrated and confused. People are not in control of the technology that surrounds them." Maybe. But Microsoft learned some of the lessons with earlier versions of Office when it tried to do too much for the masses, an error it reportedly has undone in Windows XP versions.
Microsoft is on stronger ground with its talk about security and privacy as important factors for adopting .Net My Services. Today, Arbogast talks about security and trust and authentication and enterprise use. For that last part to be included, there will need to be an ironclad -- or at least iron-appearing -- security framework in place. Arbogast told his Mountain View audience that that is in the works, and this time the company knows how it's going to deliver.
Kerberos-based authentication is to be the foundation of .Net My Services security. Kerberos is an MIT-created network authentication protocol that uses secret-key cryptography to provide strong authentication for client/server applications. (If you're curious, Kerberos' namesake is the three-headed dog of Greek mythology that guards the gates to Hades.) Kerberos is intended to work well in a "federated" security system, with systems connected with other systems hosted wherever -- at an MSN data center or in a corporation.
With a lot riding on .Net My Services as a potential revenue generator (funded by user subscriptions, not advertisers) and as a part of the critical .Net initiative, Microsoft is commendably candid about the importance of security to the whole scheme. Arbogast noted that the company doesn't claim perfect security -- that's impossible. "What we do is we invest an insane amount of effort and focus on improving our security, day to day, week to week," said Arbogast.
The future Microsoft is betting on (and is building) is one of mutually assured security, right down to those licensing agreements. "As we are talking to more and more potential partners, who are interested in making more and more business use of this kind of a platform, it's become clear to us that we need to be able to get very clear on what we are doing around all the trust issues and operational issues, and then have somebody come in and represent that that, in fact, is the case," said Arbogast. "And we recognize that this is also what other platform operators are going to need to do."