|By Jason Bloomberg||
|August 23, 2012 06:00 AM EDT||
The latest Cyberattack to hit the news: a worm called Gauss, a relative of Stuxnet, targeted certain Lebanese banks. Kaspersky, a Russian security firm, discovered the attack. On their blog post, the Kaspersky researchers note that “after looking at Stuxnet…, we can say with a high degree of certainty that Gauss comes from the same ‘factory’ or ‘factories.’ All these attack toolkits represent the high end of nation-state sponsored cyber-espionage and cyberwar operations, pretty much defining the meaning of ‘sophisticated malware.’” They go on to say that “this is actually the first time we’ve observed a nation-state cyber-espionage campaign with a banking Trojan component.”
And this after a New York Times article exposed Stuxnet as being a joint US-Israeli covert operation targeting the Iranian nuclear industry, authorized by President G. W. Bush and further authorized by President Obama. The article further suggests that Iran is now mounting its own Cyberwar initiative, a result that the Obama administration understood and feared.
It seems that Cyberwar is no longer science fiction. It’s a reality, and we’re in the midst of one.
Whether you think the Stuxnet and Gauss worms were a good idea or not, this article is not the place to debate moral or ethical questions. Rather, we’re here to help you understand the reality of the situation in order to provide insight. And like it or not, we have a Cyberwar on our hands—and as with other wars, technology defines and constrains the rules of engagement. Yesterday we may have spoken about tanks or guns; today we speak of viruses and worms. But as with traditional machines of war, the human element is every bit as important as the technology, if not more so.
Problem between Keyboard and Chair
Here are some examples of what we’re talking about. When the press heard about the Gauss exploit, they asked the obvious question: who would benefit from attacking Lebanese banks? The obvious answer: anyone interested in the secret financial dealings of Hezbollah, the terrorist organization based in Lebanon. In other words, Israel and the US. The appearance of Gauss led many people across the world to come to a similar conclusion.
Assume for a moment, however, that someone wanted to make Israel and the US look bad, say the Iranians. Could the Iranians have come up with Gauss in order to gain political advantage against Israel and the US? Unlikely, perhaps, but possible. How would we know? After all, if the US and/or Israel were behind Gauss, they could have hidden their motivation simply by expanding the target to banks outside Lebanon. So maybe the fact that Gauss had such a narrow target should suggest that someone was trying to frame the US and Israel?
Here’s another twist: Kaspersky Lab was founded by Eugene Kaspersky, a Russian cryptography expert who learned his trade from the KGB’s cryptography school. Presumably he has substantial ties with Russia’s current secret police as well. Perhaps the Kaspersky report on Gauss was either fictitious or somehow skewed, a dastardly Russian plot of some sort? We have no reason to believe so, but again, how would we know for sure?
Sounds like a Robert Clancy spy novel, and for good reason—subterfuge has been a part of warfare (and in particular, espionage) since the Stone Age. But the problem is, the more we focus on the technology, the less we focus on the human aspects of the Cybersecurity problem. And that lack of focus both makes us more vulnerable, and prevents us from mounting efficacious attacks of our own.
Agile Architecture and Cyberwarfare
In a recent ZapFlash we recommended a “best defense is a good offense” approach: preventing future attacks with agile, self-innovating software. But even the most cutting-edge code is only a part of the story, because it still doesn’t address the human in the system. Targeting people is nothing new in the world of Cyberattacks, of course. Social engineering is becoming increasingly sophisticated as hackers plumb the weaknesses of our all-to-human personalities. Not a day goes by without a phishing attack arriving in our inboxes, not to mention how easy it is to talk people into giving up their passwords. But while social engineering works with individuals, Cyberwar is presumably between countries. How, then, might we go about what we might call political engineering: the analogue to social engineering, only taking place on the global stage? And how do we protect ourselves against such attacks?
The answer to both questions is to focus on how technology-centric actions will influence human beliefs and behavior. Creating a sophisticated computer virus and releasing it may achieve a technical end, the result of the software itself. But it will also likely achieve a variety of human ends, as well: it might arouse suspicion, cause people to shift their priorities or spend money, or it might make someone angry enough to retaliate, for example. Furthermore, these human ends may be more significant and desirable than the actual impact of the software itself.
ZapThink considers the focus on human issues as well as technology to be an aspect of Agile Architecture. We’ve spoken for years about the role governance plays in Agile Architectures like SOA, because governance is a best practice-driven approach for bringing human behavior in line with the goals of the organization. The big win for SOA governance, for example, was leveraging SOA for better organizational governance, rather than simple governance of the SOA initiative. The essential question, therefore, is what architectural practices apply to the human side of the Cybersecurity equation.
Our Cybersecurity example is analogous to SOA governance, although it turns governance inside out: we’re no longer trying to influence human behavior inside our organization, but rather within the world as a whole or some large parts of it. But the lesson is the same: the technology influences human behavior, and furthermore, the human behavior may be more important than the technology behavior. Protecting ourselves from such attacks also places us in the greater context of the political sphere as well.
Education is the key to protecting yourself and your organization from human-targeted Cyberattacks. Take for example a phishing attack. You receive an email that looks like it’s from your bank. It tells you that, say, a large withdrawal was just made from your account. If you don’t realize it’s a phishing email, you might click on the login link in the email to check your account to see what the problem is. The link takes you to a page that looks just like your bank’s login page. But if you attempt to log in, you’re only giving your credentials to the hackers.
There are automated anti-phishing technologies out there, of course, but the hackers are always looking for ways around them, so you can’t rely upon them. Instead, you must proactively influence the behavior of your employees by educating them on how to recognize phishing attacks, and how to avoid them even when you don’t recognize them. Still not foolproof, but it may be the best you can do.
Protecting against political Cyberattacks would follow the same pattern, but would be far more difficult to implement, as educating a populace is far more difficult than educating your employees. Instead, the most effective course of action may once again be a good offense: you can use the same techniques as your opponent to influence beliefs and behavior.
Let’s use the hacker group Anonymous as an example. Any member of this loose association of hackers can propose an action—from taking down the MasterCard Web site to finding the location of a fast food worker who stepped on the lettuce, to name two real examples—and any member can vote to take that action. There’s no central control or consistent strategy. Now, let’s say you worked for a government Cyberwar department, and you were responsible for creating a Gauss-like worm with a narrow target, only you didn’t want anyone suspecting it was your country who created it. Could you make it look like Anonymous created it? Even the members of Anonymous might not realize their group wasn’t actually responsible.
The ZapThink Take
Your sphere of concern might not involve international espionage, but there are important lessons here for every architect. All too often, techies get techie tunnel vision, thinking that technology problems have technology solutions, and furthermore, the only interesting (or important) problems are technology problems. Architects, however, must also consider the human in the equation, whether you’re fooling the Iranians, making sure interface specifications are properly followed, and everything in between.
This principle is no truer than when you’re protecting against Cyberattacks. No password scheme will prevent people from writing their passwords on Post-It notes and sticking them to their computers. No firewall will prevent all phishing attacks or stop people from visiting all malware-infected sites. Education is one technique, but there’s more to governance than education. And whatever you do, always cast a skeptical eye toward any conclusions people draw from news about Cyberattacks. The technology is never the whole story.
If your job, however, is mounting Cyberattacks, understanding the human in the equation is a critically important tool—and often far less expensive and time-consuming than a purely technical attack. As any good poker player will tell you, the secret to winning isn’t having good hands, it’s knowing how to bluff, and even more importantly, knowing how to tell when the other guy is bluffing.
Early in my DevOps Journey, I was introduced to a book of great significance circulating within the Web Operations industry titled The Phoenix Project. (You can read our review of Gene’s book, if interested.) Written as a novel and loosely based on many of the same principles explored in The Goal, this book has been read and referenced by many who have adopted DevOps into their continuous improvement and software delivery processes around the world. As I began planning my travel schedule last...
Sep. 2, 2015 06:00 AM EDT Reads: 557
Puppet Labs has announced the next major update to its flagship product: Puppet Enterprise 2015.2. This release includes new features providing DevOps teams with clarity, simplicity and additional management capabilities, including an all-new user interface, an interactive graph for visualizing infrastructure code, a new unified agent and broader infrastructure support.
Sep. 2, 2015 05:15 AM EDT Reads: 546
API-Driven Digital Healthcare Solution By @AkanaInc | @DevOpsSummit #API #IoT #DevOps #Microservices
Akana has announced the availability of the new Akana Healthcare Solution. The API-driven solution helps healthcare organizations accelerate their transition to being secure, digitally interoperable businesses. It leverages the Health Level Seven International Fast Healthcare Interoperability Resources (HL7 FHIR) standard to enable broader business use of medical data. Akana developed the Healthcare Solution in response to healthcare businesses that want to increase electronic, multi-device acce...
Sep. 2, 2015 04:00 AM EDT Reads: 245
Any Ops team trying to support a company in today’s cloud-connected world knows that a new way of thinking is required – one just as dramatic than the shift from Ops to DevOps. The diversity of modern operations requires teams to focus their impact on breadth vs. depth. In his session at DevOps Summit, Adam Serediuk, Director of Operations at xMatters, Inc., will discuss the strategic requirements of evolving from Ops to DevOps, and why modern Operations has begun leveraging the “NoOps” approa...
Sep. 2, 2015 03:45 AM EDT Reads: 426
SYS-CON Events announced today that the "Second Containers & Microservices Expo" will take place November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities.
Sep. 2, 2015 03:30 AM EDT Reads: 607
SYS-CON Events announced today that G2G3 will exhibit at SYS-CON's @DevOpsSummit Silicon Valley, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Based on a collective appreciation for user experience, design, and technology, G2G3 is uniquely qualified and motivated to redefine how organizations and people engage in an increasingly digital world.
Sep. 2, 2015 03:00 AM EDT Reads: 522
SYS-CON Events announced today that DataClear Inc. will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. The DataClear ‘BlackBox’ is the only solution that moves your PC, browsing and data out of the United States and away from prying (and spying) eyes. Its solution automatically builds you a clean, on-demand, virus free, new virtual cloud based PC outside of the United States, and wipes it clean...
Sep. 2, 2015 02:30 AM EDT Reads: 452
It’s been proven time and time again that in tech, diversity drives greater innovation, better team productivity and greater profits and market share. So what can we do in our DevOps teams to embrace diversity and help transform the culture of development and operations into a true “DevOps” team? In her session at DevOps Summit, Stefana Muller, Director, Product Management – Continuous Delivery at CA Technologies, answered that question citing examples, showing how to create opportunities for ...
Sep. 1, 2015 11:00 PM EDT Reads: 512
Microservice architecture is fast becoming a go-to solution for enterprise applications, but it's not always easy to make the transition from an established, monolithic infrastructure. Lightweight and loosely coupled, building a set of microservices is arguably more difficult than building a monolithic application. However, once established, microservices offer a series of advantages over traditional architectures as deployment times become shorter and iterating becomes easier.
Sep. 1, 2015 06:30 PM EDT
In his session at 17th Cloud Expo, Ernest Mueller, Product Manager at Idera, will explain the best practices and lessons learned for tracking and optimizing costs while delivering a cloud-hosted service. He will describe a DevOps approach where the applications and systems work together to track usage, model costs in a granular fashion, and make smart decisions at runtime to minimize costs. The trickier parts covered include triggering off the right metrics; balancing resilience and redundancy ...
Sep. 1, 2015 03:30 PM EDT Reads: 251
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
Sep. 1, 2015 12:30 PM EDT Reads: 926
Whether you like it or not, DevOps is on track for a remarkable alliance with security. The SEC didn’t approve the merger. And your boss hasn’t heard anything about it. Yet, this unruly triumvirate will soon dominate and deliver DevSecOps faster, cheaper, better, and on an unprecedented scale. In his session at DevOps Summit, Frank Bunger, VP of Customer Success at ScriptRock, will discuss how this cathartic moment will propel the DevOps movement from such stuff as dreams are made on to a prac...
Sep. 1, 2015 12:00 PM EDT Reads: 243
SYS-CON Events announced today that Pythian, a global IT services company specializing in helping companies leverage disruptive technologies to optimize revenue-generating systems, has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Founded in 1997, Pythian is a global IT services company that helps companies compete by adopting disruptive technologies such as cloud, Big Data, advance...
Sep. 1, 2015 11:45 AM EDT Reads: 332
The pricing of tools or licenses for log aggregation can have a significant effect on organizational culture and the collaboration between Dev and Ops teams. Modern tools for log aggregation (of which Logentries is one example) can be hugely enabling for DevOps approaches to building and operating business-critical software systems. However, the pricing of an aggregated logging solution can affect the adoption of modern logging techniques, as well as organizational capabilities and cross-team ...
Sep. 1, 2015 11:30 AM EDT Reads: 409
Culture is the most important ingredient of DevOps. The challenge for most organizations is defining and communicating a vision of beneficial DevOps culture for their organizations, and then facilitating the changes needed to achieve that. Often this comes down to an ability to provide true leadership. As a CIO, are your direct reports IT managers or are they IT leaders? The hard truth is that many IT managers have risen through the ranks based on their technical skills, not their leadership ab...
Sep. 1, 2015 11:15 AM EDT Reads: 429
In today's digital world, change is the one constant. Disruptive innovations like cloud, mobility, social media, and the Internet of Things have reshaped the market and set new standards in customer expectations. To remain competitive, businesses must tap the potential of emerging technologies and markets through the rapid release of new products and services. However, the rigid and siloed structures of traditional IT platforms and processes are slowing them down – resulting in lengthy delivery ...
Sep. 1, 2015 10:45 AM EDT Reads: 610
Several years ago, I was a developer in a travel reservation aggregator. Our mission was to pull flight and hotel data from a bunch of cryptic reservation platforms, and provide it to other companies via an API library - for a fee. That was before companies like Expedia standardized such things. We started with simple methods like getFlightLeg() or addPassengerName(), each performing a small, well-understood function. But our customers wanted bigger, more encompassing services that would "do ...
Sep. 1, 2015 10:30 AM EDT Reads: 280
Docker containerization is increasingly being used in production environments. How can these environments best be monitored? Monitoring Docker containers as if they are lightweight virtual machines (i.e., monitoring the host from within the container), with all the common metrics that can be captured from an operating system, is an insufficient approach. Docker containers can’t be treated as lightweight virtual machines; they must be treated as what they are: isolated processes running on hosts....
Sep. 1, 2015 08:30 AM EDT Reads: 167
Introducing Containers & Microservices Bootcamp at @CloudExpo Silicon Valley | #Containers #Microservices
SYS-CON Events announced today the Containers & Microservices Bootcamp, being held November 3-4, 2015, in conjunction with 17th Cloud Expo, @ThingsExpo, and @DevOpsSummit at the Santa Clara Convention Center in Santa Clara, CA. This is your chance to get started with the latest technology in the industry. Combined with real-world scenarios and use cases, the Containers and Microservices Bootcamp, led by Janakiram MSV, a Microsoft Regional Director, will include presentations as well as hands-on...
Sep. 1, 2015 08:15 AM EDT Reads: 370
DevOps has traditionally played important roles in development and IT operations, but the practice is quickly becoming core to other business functions such as customer success, business intelligence, and marketing analytics. Modern marketers today are driven by data and rely on many different analytics tools. They need DevOps engineers in general and server log data specifically to do their jobs well. Here’s why: Server log files contain the only data that is completely full and accurate in th...
Sep. 1, 2015 07:45 AM EDT Reads: 412