Metrics. Not Just For Breakfast Anymore

Over the past couple of years, I have found myself being drawn back to my IT roots, looking to solve the same old problems that plagued IT when I was so much younger, had a full head of hair, and still had to learn that I hadn’t learned it all quite yet.  Back in the day, my boss asked me how the systems were running, and how IT was performing.

I thought a moment, and responded, “All of the systems appear to be running well, we haven’t had any downtime lately, and the server room is humming along nicely.”  He waited.  I broke the silence with “It’s all good.”  My boss, being the patient and well mannered fellow that he was, reiterated, “So the systems are all up, but how is IT doing?  Are we at capacity on any of the systems, and are our processes working like they should?”  I couldn’t respond honestly, so I admitted it.  He had never asked me before how our processes were working, so it must have been all that golf he had been playing lately that had gotten to him.  We were blind to whether we were doing the right things, and doing them well or poorly.  My engineers and I had put together some fantastic systems and processes for the company, reliable, scalable, capable, but had forgotten to consider how we would be able to measure when we needed to scale, improve, support, or replace them.  DOH!  We did have basic system health gauges, but that was just for monitoring CPU and RAM thresholds.  Time to think bigger, and smaller.

Why do we collect metrics?  Metrics are a critical component of management, whether it be Information Security, Projects, or Programs.  If you aren’t monitoring your exposures and measuring your results, how will you know whether you have been successful?  IT is all about strategy.  We implement systems in order to meet business objectives.  IT systems support the objectives of the business.  The business could still run without IT.  Much slower, ineffectively, inefficiently, and at a retarded pace, but the business could still run.  Without metrics, how do you prove the value that your IT or Security team is bringing to the organization?  How do you justify continued spending on improvements, new tools, new technologies?

Got Any iPad App Recommendations?

As I’ve been bragging all week long, my beautiful wife bought me an iPad2 for Christmas this year.  I’ve been poking around the app store, downloaded some new tunes (the kids have had it with my ragged old country music), and have scooped up as many free or cheap tools as I can find.  I’ve downloaded, tried and deleted so many apps already, but I’m still looking for a few choice ones.

What apps do you find useful?

My keepers list so far:

  • Media/News
    • Facebook
    • LinkedIn
    • ResumeHD
    • CardMunch (for LinkedIn)
    • CityNews
    • TO CityMinute
    • TheStar
    • DarkReading
    • CIO Digest
    • Security Tech Reader
    • ProSec Mag
    • WordPress Blogger
    • International Gamers News
    • National Cyber Security News
    • McAfee Threat Feed
    • CP24 News
    • Toronto Metro
    • FeedlerRSS
    • Bunch of iBooks (PDF)
  • Travel
    • Toronto Path Map
    • TTC Rocket Man
    • TripIt
    • iTranslate
    • Compass
    • WeatherEye
  • Utility
    • CompassFree Spreadsheet
    • QRScanner
    • Sci-Calculator
    • Project Mgmt Flash Cards
    • Liquid Planner
    • iJobs
    • Monster Job Search
    • CCTV Tools
    • Vtrace
    • NoiseSniffer
    • Fing (Network Scanner)
    • MobiControl
    • NetStat
    • Log Caliper
    • iVulnerable (CVSS Lookup)
    • Free WiFi Finder
    • Unit Converter
    • Cisco Tech Support Tools
    • Cisco Subnetting
    • NetMon
    • 5-0 Radio (Police Scanner)
    • Gadget Guide
    • SAP StreamWork
    • AnyConnect
    • SpiceWorks (LAN Management)
    • ROVE Mobile Admin
    • Dog Trainer
  • Audit
    • Mobile Auditor
    • Device Inspector
    • iWorkFlow
    • Audit411
    • Internal Auditor Mag
    • iAuditor
    • CMO Audit Tools
    • Palm-T Home Inspector
    • Audit360Pro

Cloud Computing Challenges & Rewards

It’s Friday, and I finally don’t have an interview scheduled.  Time to post another long winded entry.  Someone ought to hire me and take away all this free time…  (My golf-pro career move didn’t fly well with the wife…)   Let’s talk about cloud computing again.

Cloud computing is a technological advance that can bring great benefits to almost any business.  Like all major shifts in technology, adoption of cloud computing brings with it inherent risks.  My opinion on cloud computing thus far is based on reading, discussion with others, and some limited observation.  I have not implemented a cloud solution, audited a cloud environment, or managed a cloud environment.  Yet.  I have been observing the technology as it has developed for the past 6 years or so, and although I do not consider myself an expert by any means, I have an understanding of the concepts and have formed an opinion.

Over the past few years, I have talked to a lot of people involved in the cloud computing and virtualization space, mostly but not entirely from a security point of view.  Many of these folks are focused on maturing the technology, scoping the solutions available, and solving the challenges for Enterprise cloud computing adoption.  I have summarized these interactions here, and will add to them as I continue to learn and understand cloud computing better.

What Is Cloud Computing

The biggest challenge for cloud computing adoption as I see it remains the fact that it is just so hard to grasp.  IT is used to protecting a perimeter and touching a server farm.  With cloud, you can’t just head on down to the server room and visit the farm to reassure yourself that all is well.  For the IT folks like me that majored in the “buck stops here” school of IT management, where command and control of the IT infrastructure are the core of the security mind-set, handing over the keys to the kingdom to some third party is initially viewed as an act of treason.

World IPv6 Day, Adoption Tracking

Yesterday was “World IPv6 Day”, and many ISPs and large organizations participated in testing the new IP communications protocol around the world.  Computerworld reports that Arbor Networks, which provided network monitoring support for the test, observed a sharp rise in HTTP traffic as more than 400 Web sites including Google, Facebook and Yahoo began supporting IPv6 in production mode as part of the ongoing experiment.  IPv6 traffic continues to steadily increase.  No major outages or security breaches were reported at the 400-plus corporate, government and university websites participating in the trial.

IPv6 is an upgrade to the Internet’s main communications protocol, featuring an expanded addressing scheme to alleviate the looming IPv4 address shortfall, while also enabling better security and reliability.  World IPv6 Day is a 24-hour trial of the new Internet standard that is being sponsored by the Internet Society.

Dragon Research Group has provided some high level stats around adoption by visitors to their site over the past year, and a handy-dandy IPv6 Test page.  According to DRG, the top 10 countries, by the routed origin of the covering IPv6 prefix, for the sources accessing their site since 2010 were:

Country code    % of total IPv6 visitors
US              60%
JP              7%
CN              5%
NL              4%
GB              4%
FR              3%
BR              3%
DE              2%
CH              1%
AU              1%

Mark Richard Prior has an interesting scorecard up on his blog, indicating the successes, challenges and evolution of the testing and adoption of IPv6.  If you are interested, these are all definitely sites worth visiting.  Kudos and thanks, Mark and DRG, for showing the initiative to start gathering this intel, and for having the moxie to keep it updated.

The scorecard identifies 5 key services and uses them as an indicator of usage.

  1. Web server accessible via IPv6;
  2. Email deliverable via IPv6;
  3. DNS name servers accessible via IPv6;
  4. An NTP service accessible via IPv6; and
  5. A Jabber service accessible via IPv6

The list should update weekly and suggestions for additions are welcome.  There is also a CGI script to test a domain that is not already in the list available at the bottom of the page.
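The five checks above can be expressed in DNS terms: a service counts as IPv6-accessible only if the host it resolves to publishes a native AAAA record. The following is an added example, not the scorecard's own code; the record set is constructed, and the `www.` and `ntp.` host names and the use of the `_xmpp-server._tcp` SRV record for Jabber are assumptions made for illustration.

```python
import ipaddress

# Constructed records for a fictional domain; no live DNS is queried.
RECORDS = {
    ("example.test", "MX"): ["mail.example.test"],
    ("example.test", "NS"): ["ns1.example.test", "ns2.example.test"],
    ("_xmpp-server._tcp.example.test", "SRV"): ["xmpp.example.test"],
    ("www.example.test", "AAAA"): ["2001:db8::80"],
    ("mail.example.test", "A"): ["192.0.2.25"],            # IPv4 only
    ("ns1.example.test", "AAAA"): ["2001:db8::53"],
    ("ns2.example.test", "A"): ["192.0.2.53"],             # IPv4 only
    ("ntp.example.test", "AAAA"): ["::ffff:192.0.2.123"],  # IPv4-mapped, not native
    ("xmpp.example.test", "AAAA"): ["2001:db8::5269"],
}

def lookup(records, name, rtype):
    return records.get((name.lower().rstrip("."), rtype), [])

def v6_reachable(records, host):
    """True if host has at least one valid, native (not IPv4-mapped) AAAA address."""
    for addr in lookup(records, host, "AAAA"):
        try:
            ip = ipaddress.IPv6Address(addr)
        except ValueError:
            continue  # malformed record data is ignored
        if ip.ipv4_mapped is None:
            return True
    return False

def scorecard(records, domain):
    """Map each of the five services to (IPv6-capable hosts, total hosts)."""
    targets = {
        "web": ["www." + domain],            # assumed host name
        "email": lookup(records, domain, "MX"),
        "dns": lookup(records, domain, "NS"),
        "ntp": ["ntp." + domain],            # assumed host name
        "jabber": lookup(records, "_xmpp-server._tcp." + domain, "SRV"),
    }
    return {svc: (sum(v6_reachable(records, h) for h in hosts), len(hosts))
            for svc, hosts in targets.items()}

def score(records, domain):
    """Number of services (0-5) with at least one IPv6-capable host."""
    return sum(1 for ok, _ in scorecard(records, domain).values() if ok > 0)

if __name__ == "__main__":
    for svc, (ok, total) in scorecard(RECORDS, "example.test").items():
        print(f"{svc:7} {ok}/{total} hosts with native AAAA")
    print("score:", score(RECORDS, "example.test"), "of 5")
```

The DNS row shows why a per-host count is worth keeping: one of two name servers has an AAAA record, so the service passes while half of it remains IPv4-only.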


VMware Buys Shavlik

VMware has acquired Shavlik Technologies, a provider of IT management solutions for small and midsize businesses (SMBs). Terms of the deal were not disclosed, and it is expected to close later this quarter.  Following this acquisition, VMware will be offering SMBs a full portfolio for managing, monitoring and securing IT environments, including the cloud.  One more nice and timely pairing.

Microsoft Security Intelligence Report (vol 10)

Microsoft has released volume 10 of their Security Intelligence Report, covering 2010.

The SIR presents the results of an investigation of the threat landscape, analyzing exploits, vulnerabilities, and malware based on data from over 600 million systems worldwide, internet services, and Microsoft Security Centers.  In SIRv10, Microsoft presents a short video that calls attention to the second most commonly detected fake anti-virus software: Win32/FakePAV.  The video describes how Win32/FakePAV steals credit card information, and then shows how to remove the trojan.

In addition to the Win32/FakePAV feature, they continue to highlight the ongoing threat of botnets in “Battling Botnets,” which was released in 2010.

Key Findings:

  • Application vulnerabilities, as opposed to operating system or web browser vulnerabilities, continued to account for the majority of vulnerabilities in 2010.
  • The total number of application vulnerabilities declined 22.2% from 2009.
  • Vulnerability disclosures for Microsoft products increased slightly in 2010 but have generally remained stable over the past several periods.
  • Exploitation through Java has been rising since Q2 2010.  Exploitation on the Java platform far exceeds that on Adobe software and OS platforms.
  • Malicious IFrames account for a large number of attacks over HTTP, likely indicating the effect of hijacked and compromised websites.
  • Conficker is the most active malware family in the Enterprise environment and only 9th in the general Internet environment.
  • JS/Pornpop is the most active malware family on the non-corporate Internet environment.
  • Phishing sites targeting social networks are increasing and they are effective in getting themselves presented to victims.
  • The overall OS-level vulnerability count is steady, and the browser vulnerability count is increasing more slowly.

Download and read this interesting report.

AlignIT – Microsoft Cloud Computing

I just spent the day at the Mississauga Microsoft campus listening to a presentation and taking part in a discussion regarding cloud computing.  Although I have read about and am familiar with the concept, this technology is new to me, and it was great to see a working environment to understand it better.  I can hardly wait to roll up my sleeves and get to work planning, implementing and managing a cloud computing environment!  I guess I need to find a like minded employer first.  Any takers?

I was quite surprised to see these interesting stats posted on the opening slide:

  • 50% of business devices are expected to be smartphones by 2014.
  • 84% of organizations have a remote workforce.
  • 85% of data center capacity is idle on average.
  • 70% of IT budgets are spent maintaining operations.

Now, the first two don’t surprise me much, as they represent the fruits of our labors from the challenges that all IT teams have faced over the past 10 years.  Mobility, connectivity everywhere, and portable device enablement.  Wouldn’t it be nice if we could optimize those last 2 figures though?  Imagine what your IT teams could do in the way of innovation and business enablement if we could take 20 points off each of those numbers.  What wonderful new solutions would you be able to provide to your customers’ IT problems with an extra 20% of budget or processing power?

Ruth Morton presented a very brief summary of how IT as we know it has evolved.  The 70’s & 80’s “hurry up and wait” mainframe days, the 90’s client/server architecture bringing power to the desktop, the 2000’s acceptance of remote and mobile access and success of the internet and web, and today’s virtual environments and sprouting implementations of cloud computing.  Ruth spent some time discussing the characteristics NIST has documented as defining a cloud computing environment.

  • On-demand self-service capable,
  • Ubiquitous network access,
  • Transparent location resource pooling,
  • The ability to elastically expand and contract based on demand,
  • A pay as you use, measured service model.
