Digest: March 2014 – War of the Cyber Worlds

By IAITAM

2014 ACE Events

IAITAM 2014 Spring ACE update: Only 10 days remain to register for the IAITAM Spring ACE at the M Resort in Henderson, NV USA.  The entire schedule is available on the IAITAM website.
Also – registration is now underway for the IAITAM 2014 Fall ACE at Kalahari Resorts in Sandusky, Ohio, USA.  The theme for the Fall event is Tame your ITAM Jungle, and from what we’ve heard the past months, it is a jungle out there, from balancing the needs of the organization and fitting the program into those goals to the overwhelming issues of license compliance and mobility.  The IAITAM ACE puts you together with industry experts and peers who have cut a path through a similar ITAM jungle.

For questions or additional information on this or any IAITAM ACE event, reach out to your IAITAM Member Service representative today at info@iaitam.org or call +1.330.628.3012.


Member IMUGs
The IAITAM ACE IMUG session will be held for all those in attendance in Las Vegas and not broadcast live anywhere else.  Join all your fellow IAITAM Members, Tuesday, April 29th at 4:45 – 5:45 for the Spring ACE IMUG session.

Guest Speaker is: Sherry Irwin, President and Principal Consultant
Topic Description: ITAM success is highly dependent on other practices in the IT asset lifecycle – within IT, outside of IT and even outside the organization. In this interactive session, the ‘what’ and ‘why’ of major dependencies will be discussed, as well as related challenges and possible solutions.
IAITAM Members can register for one or all and participate in none or all monthly.  For questions or to suggest a speaker or topic for the IMUGs, please email imug@iaitam.org.


War of the Cyber Worlds
Balancing Fear (and Protection) Against Fluidity (and Productivity)

We all remember the old story about the radio reading of Orson Welles’ novel The War of the Worlds [1].  The story claimed that the audience overreacted, causing widespread panic, running and rioting in the streets and a general paranoia.  The story ends with a slow realization of no immediate danger.  We learn two things from the story and its continuing propagation:  one is that panic is a common and expected reaction to an unexpected attack.  Two, while the threat of an alien invasion exists, panic after the fact is completely unproductive.
Cyber security follows this same thought process, although the panic phase seems to be real and continuing.  Every device that connects to the internet or some other network has the ability to be hacked.  With refrigerators [2], televisions, computers, cell phones, and now your car (with Tesla vehicles so computerized and sophisticated [3]), it stands to reason that there is a constant threat to the data stored on the various devices.
As IT Asset Managers, we know that it is not feasible to manage an IT environment solely based on the fear of data corruption or loss.  A completely locked down environment restricts the movement of data between employees, significantly reducing productivity.
This conflict in IT goals is the classic struggle of risk vs. reward.  How much data exposure risk is worth the reward of the free travel of information and the subsequent increased productivity?  Will the fear of having a data breach overwhelm an environment’s ability to support the business?  The answer to these questions is also a classic and fundamental solution.
In almost any situation, there are choices to be made when implementing processes that require an IT Asset Manager to make risk vs. reward decisions. To make choices that create and preserve maximum effectiveness, an IT Asset Manager needs to conduct a cost/benefit analysis prior to taking action.  This simple discipline of calculating the risk factors associated with specific actions and comparing them to the benefits measured through costs works well for IT Asset Managers in almost all areas.
For example, what if an IT Asset Manager is presented with acid washing or incineration of hard drives as the best choices available to completely eliminate any risk of data exposure at asset end-of-life?  Unfortunately, these types of disposal create questions about the impact to the environment that in turn lead to concerns about legal restrictions and the potential of escalating costs.  The decision requires assessing risks, beginning with the thorough examination of consequences.  A cost/benefit analysis provides the insight needed to make a decision.
Assessing risk vs. reward to make a decision is not a new problem unique to cyber security. Even though data breaches are a fairly new threat, the best defense comes from using old methods.  Proper diligence in choosing disposal methods, physically securing the devices and documenting processes, audits and results are all standard actions of an IT Asset Manager that reduce the risk of a data breach or data theft.  In each of these actions, the risk vs. reward balancing act was considered.
Of course, it is clear from the actions of organizations such as the NSA (National Security Association) and Target [4] that preparedness can only do so much.  When a breach does occur, stopping it and recovering as much data as possible is the best solution – not panic.  However, avoiding the breach is the ultimate solution and IT Asset Management fundamentals, with the built-in evaluation of risk vs. reward, help eliminate the possibility of a breach.
There is a lot of fervor over data breaches and illegal entry into an organization’s data stores.  It has created quite a panic within IT circles and has had people scrambling for answers.  As with the Welles radio broadcast, it is best when exaggerated fears are met with a level-headed professional and the common sense of good business practices [5].

[1] Rosenberg, Jennifer.  War of the Worlds Radio Broadcast Causes Panic
http://history1900s.about.com/od/1930s/a/warofworlds.htm
[2] Grenoble, Ryan.  Refrigerator Busted Sending Spam Emails in Massive Cyberattack
http://www.huffingtonpost.com/2014/01/23/refrigerator-spam-email-internet-of-things-attack_n_4654566.html
[3] Constantin, Lucian.  Hacked passwords can enable remote unlocking, tracking of Tesla cars
http://www.pcworld.com/article/2138400/hacked-passwords-can-enable-remote-unlocking-tracking-of-tesla-cars.html#tk.rss_all
[4] Riley, Michael; Elgin, Ben; Lawrence, Dune; Matlack, Carol.  Missed Alarms and 40 Million Stolen Credit Card Numbers:  How Target Blew It
http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data
[5] Pooley, Jefferson; Socolow, Michael.  The Myth of the War of the Worlds Panic
http://www.slate.com/articles/arts/history/2013/10/orson_welles_war_of_the_worlds_panic_myth_the_infamous_radio_broadcast_did.html

About IAITAM

The International Association of IT Asset Managers (IAITAM) is the largest organization providing education, certification and thought leadership to the management of IT as a business. IT Asset Management is the management of hardware, software, mobile and other technology to maximize the value to the organization.