Minefield of Bananas
As adults we like to have some sense of order. We get into a routine; get up at the same time, take the same route to and from work, eat our meals, and head to bed all on a schedule. Sure, we like to think we add some randomness to our lives by not going to eat at the same place each day, but we go to eat at those “different” places at the same time every day. It’s not bad to have a routine; that is what gives you a sense of control in what sometimes seems like a chaotic world. The question is, how much tolerance do we have for randomness?
Me vs. Random
I have a morning routine that helps me get the kids ready so I can leave on time. Part of that morning routine is feeding my daughter. Recently she decided she likes to eat bananas. She also prefers to have the banana cut in half, and this is what turns out to be my demise. I go through the rest of the morning routine and lean over my daughter’s high chair tray to give her a kiss goodbye. I give a kiss, hug, and high five to my sons, and then I am off to work. A few hours into work, I push back from my desk and happen to look down to find a giant banana stain on my shirt. I came to work and walked around the office with this very noticeable stain on my shirt, without ever having realized the spot was there. As I wash the stain off my shirt I contemplate my options to avoid this situation in the future.
A few days later, my daughter was again eating her banana. As I leaned in to kiss her, I bent in a way that ensured she couldn’t get me with her banana. I gave a kiss, hug, and high five to my sons, then I went off to work. As I walked into my office building, I noticed my reflection in the window. Lo and behold, there was something on my pants around knee level. I looked down to find a nice banana stain just above the knee. I let out a sigh and headed up to the office, making a quick stop at the restroom to wash off my pants. I realized my strategy had not worked, so I began to reformulate a plan to ensure I didn’t continue showing up with stains on my clothes.
A week later I gave my daughter her morning banana, but this time I cut it up into small pieces. My thinking was, if I give it to her in small pieces she can’t jab me with it, and if she throws it I’ll notice. I went through the routine thinking I had won this round – even though my daughter had already won the first two rounds. I saw she was done and walked over to get her out of her high chair to get her dressed, and that’s when it happened. First, let me tell you that the last thing I do before leaving for work is to put my socks and shoes on. I can’t say why that ends my morning routine, but it does. So as I walked over to my daughter in my bare feet, I stepped right into a minefield of banana pieces my daughter had thrown on the floor. Game, set, match. My one-year-old just beat me three games to none.
Ordered Randomness
As IT professionals, we spend our time planning for the random event that could take down our critical systems. We design our systems and find order in a mostly random world, but we always know there is still the unknown. So it all comes down to how well we handle the response. By designing a program that balances order and randomness, we prepare for surprises. If our first response to random events is to be disorderly, our designed responses will fail. However, if we maintain order while responding to random events, the chances of containing the event and minimizing the potential loss increase. My response to the situation presented by my daughter was meant to add order to the randomness. Perhaps the better response would have been to check my clothes before I left for work. Detecting random events early, maintaining order, and executing the response is how we avoid the banana minefields.
Daydreams of Failure
Fellow Catalyst Blogger Adam Dodge recently wrote about failure. In his blog entry, he muses about how failure can lead to increasingly better results. Fail better, he offers, rather than try for perfection.
What is information security if not the study of how systems fail? While consumers of information systems expect them to succeed, a seasoned security professional is looking for the obvious and arcane ways in which an apparently healthy system can fail.
When computer systems are patched, policies enforced and viruses quarantined, we presume to have succeeded. Yet when unsubstantiated rumors affect the company stock price, we relegate that failure to someone else. But the end result is the same: a system has failed and the company has been adversely affected.
Failures of computer systems are well understood in our profession, but failures of information systems are rarely as appreciated. Information takes many forms and the risk to information is not always at the end of an electrical socket. If a water line were to break, would that be an information systems failure? Certainly it is a failure, but who considers water line failures a risk to information? However, if the water line were to break and the office flooded, would the filing cabinets be affected? Are they full of original, historical documents?
What if the marketing team orders t-shirts with the names of all of the employees who succeeded at delivering a project on time? This is great for morale. Is it equally morale-boosting to a social engineer?
The evolution of information security will certainly involve a re-examination of how we define systems and how they fail. Freed from the bridles of IT, the future information security practitioner will look around the environment and start asking questions based on what he sees. He will see interactions between seemingly ordinary objects as creating ad-hoc systems, with information freely flowing among them. He will daydream and begin asking questions like, “What happens to the business if it gets 1000 bad reviews on Amazon.com? How does the elimination of the training budget affect our ability to retain veteran employees?” Or, to put things in a more recent context, “What would happen if the bank reduced our business line of credit?”
What systems do you see around you? How can they fail? How would a failure lead to harm for the company? Kick back your feet and stare at the sky for a while. You might be surprised.