Category Archives: Ze Rest of Ze Ztuffm

Invasive Species and Security

I just read an article about how invasive species are presenting severe threats to the wildlife in the national parks here in the USA. It’s not just a problem in the USA: regions around the world have to face the consequences of a more interconnected world when those connections bring in a non-native species that begins to take over the environment, destroying delicate ecosystems in the process.

Of course, my thoughts made a connection to IT security. So, I’m going to write about my thoughts. 🙂

What makes an invasive species so invasive and dominant is that it doesn’t have a natural predator in the new region, so it is able to reproduce and consume resources without limit, until the land can’t support them any more. But, at that point, they’re pretty much dominant in that region. If a natural predator of that species is brought in, it could wind up being invasive in and of itself, wiping out other species that were already threatened by that first invasive species.

In IT, we have systems that are created and maintained to provide a particular level of service with a particular level of security. We expect those systems to maintain equilibrium – employees are typically told not to bring in other devices and IT staff have to comply with standardized purchasing and acquisition processes to bring in new gear, typically chosen carefully to work well with all the other systems.

An invasive species in IT is something, be it a hardware platform, a website, or piece of software that allows employees or other users of IT resources to evade security, go around processes, or even to create systems of their own that exist outside IT standards.

Once introduced, there’s no stopping these invasive IT elements without some drastic measures. Consider a scenario in which a company wants to improve productivity by blocking YouTube and Facebook on both employee and guest networks. Mobile devices become an invasive species, as employees bring those in and use LTE networks to access the prohibited material. If an employer wants to stop those mobile devices, it’s looking at introducing discipline for their users – which would destroy morale – or introducing cell phone signal jammers – which will destroy morale and possibly violate local laws.

While I’m aware that many would want to argue with the wisdom of blocking YouTube and Facebook, we can all agree that employees deciding to start using resources outside of IT’s control on a regular basis is an eventual trouble spot. What if there is a way to access company data in the cloud via those mobile devices? Then it’s possible for the data, now on those mobiles, to be shared outside the purview of any DLP software that exists on the company-managed laptops and desktops. It’s easier for the employees to share data – properly or improperly – and they’ll keep doing it. Is there a way to shut down cloud access to just company-owned devices? If so, does that then put a negative impact on the flow of business, overall? Does this introduce another layer of complexity, and will this new scheme be stable? Scalable? All the other questions we ask about the viability of a solution? Certainly, it’s an additional cost – is it worth it to implement, or does the company just abandon the cloud or DLP solutions altogether?

Abandon DLP? I’m sure some of the readers of that phrase would react with shock, horror, and disappointment. But, if we think like an executive, we have to ask the question, “Why should I pay for something that’s not able to get me what I want?”

When I was a high school teacher, I saw these invasive IT species all the time. I confess even to participating in their spread. I was a user, then, not part of IT security, so I had other concerns on my mind – getting my job done, for example.

We all had to use software purchased by the school district to provide class information. The software allowed for teachers to post links to online resources, contact information, class calendars, notes, and a discussion board. The software was also difficult to use and constantly crashed. I posted the bare minimum of information, never updated it, and ran a discussion board on my personal website that had some solid uptime numbers, if I say so myself. My students used it constantly and pretty much didn’t even look at the district system. After the district canned that system after 2 years and got another similar one that didn’t allow for teachers to port over their content from one to the other, that’s when the rest of the faculty revolted and either did the bare minimum, used an outside resource, or both.

My school district also blocked YouTube and Facebook. In the days before mobile devices, students using school-provided PCs would go for proxy buster sites. As fast as the district security could block one of those sites, another one would be discovered and quickly utilized. When I wanted to show a documentary on YouTube to my classes, it was much easier to go the route of the proxy buster than to submit the link weeks in advance for an official review. I knew the documentary on economics didn’t have any objectionable material in it, so I just went around the proxy server, just like everyone else did.

When the district just blocked YouTube on district networks, that’s when I brought in my personal PC, joined it to the unscreened guest wireless network, and plugged that into my display projector. Other teachers used their district-issued laptops, but connected them to mobile hotspots, making for the dreaded bridging between the Internet and office networks.

All along, I wasn’t trying to do anything evil. I was just wanting to get my job done. Any end-user facing a choice between finishing work or security is going to choose finishing work, and that can mean the introduction of an “invasive species” that gets adopted by many other users, once word gets out about how it lets them do their work.

Not all invasive species in IT are themselves IT. How many times have those annual security trainings been foiled by lists of answers for the test at the end of the training? Given a choice between paying attention to the training or just clicking through it while getting real work done, nearly all employees are going to click through with the sound off and then go CBBADECCAE for the test at the end, just like the answer list tells them to do. Jumble up the questions? Not a problem, as the list of letters is annotated with notes like, “Question about mouse hovering – C”. Jumble the answers? “Question about mouse hovering – different link revealed.” Give them an honesty affirmation at the start? That gets clicked through, too, if the pressure is high enough to get stuff done.

So how can we deal with invasive species? All I can think of are proactive measures. Make sure that the only way to interact with the corporate network is with a corporate device, be it through NAC or VPN, or both. For situations where employers want to control online activities of employees, perhaps the solution lies with human resources and one-on-one meetings instead of proxy servers and firewalls. When employees complain about how lack of IT response isn’t letting them get their jobs done, listen to them and respond to their satisfaction. Once those complaints stop, it’s too late – they’ve found the invasive species and your security posture is likely compromised, with a high chance it’s a severe compromise.

There are reasons why nations highly dependent upon agriculture will fumigate your checked bags before you’re allowed to collect them. They don’t want any invasive species. We can’t fumigate our employees, so we instead have to be sure that security policies and practices don’t create a need for an employee to introduce an invasive IT species.

Understanding Security: The Spy

First of all, let’s take a look at an actual spy:

That’s John Walker, who was a US Navy Warrant Officer from 1967 to 1985. 1985 was when the FBI found out he had a second career passing cryptographic information to the USSR. And you know what they say about moonlighting without telling your employer…

And you know what, he looks like one of us! This is not James Bond, not Austin Powers, not Jack Ryan, not any of those guys. This is the AIX guru that sits two cubicle rows over. One of us.

The difference between Walker here and a security guy is only in what information is gathered and who it is passed on to. That’s what a spy does, after all. All that Hollywood stuff is just that – make believe for the movies.

If you want a real spy movie that shows the security side of things, watch a 36-minute US Army training film from 1969 about counterintelligence work. It’s set in West Berlin and goes through the steps of gathering intelligence and then using that intelligence to develop operational plans. https://www.youtube.com/watch?v=E3hAUTGm1D8

I watched that short film and it totally clicked with me. The heroes of the film are guys that look like me and my co-workers, doing things me and my co-workers can do. Namely, gathering information and following up on leads. To be sure, the baddies, like Walker up there, also look like me and my co-workers… after all, it’s the admins that outsiders want to turn to working for them, right? But I digress. Gather information, follow leads, document everything, that’s us.

An important note in the film is that an intelligence operation in which information is passed up to a superior is a successful operation. Think about that. We may think what we have discovered may require immediate action, but it’s not always our call to make. We inform the decision makers and leave it at that.

For what it’s worth, the film underlines the importance of gathering information in such a way as to not alert the target – this helps me to deal with the urge to act immediately. Now, there are routine checks that we do for compliance and such, and I’m sure clever attackers will learn to avoid those patterns, but when we run a check and find something out of the ordinary, we report on the details and then coordinate with other groups to see what kind of follow-up is needed.

In current terms, coordination with other groups often means coordinating data from different systems. Putting all the data together helps to build a complete picture of activity. Packet captures, DNS traces, all that fun stuff – assemble it to show the whole story as far as we can tell. That’s what counterintelligence agents do… and what we do in security.

It’s pretty easy to take old-school information and translate it into updated ideas, especially since the core best practices and procedures remain the same. There are plenty of other training films out there to watch where you get to see how any person, with proper training and expectations, can do security work. You don’t have to be James Bond and you’re not fighting Dr. No. Everyone involved is human.

Thanks to these old training films, when I hear the word “spy”, I don’t think of James Bond. I think of me.

My Musical Use Cases

My recommendations are mostly instrumental because I find vocals often interrupt my train of thought. Every now and then, though, there are words that act as spells in a way, and they help me to focus my mind on the task at hand.

So, my list:

For the Attack:

“Tune Down” by Chris Joss… this is a slow, methodical piece that I first saw on “Better Call Saul” as Mike Ehrmantraut set up surveillance of a target house. This is the kind of music that goes with cracking safes, passing information with sleight of hand, and other devious things. Chris Joss’ catalog has lots of songs in this category that really help me cook up plots and plans. In the same vein, I’d also recommend…

“Danger Musicians at Work” by Syd Dale… it sounds like an action theme from the 60s because it IS an action theme from the 60s! Syd Dale was one of a few composers who worked with the BBC to create stock programme music. You can find his work in compilations, along with other gems that make you sound like a cool spy or cunning criminal. Now, if you want something heavy, might I recommend…

“King of the Road” by Fu Manchu… the lead track from their Hell on Wheels album. It has a great beat, drives forward like a massive engine with very little soloing to distract you from its ultimate delivery. Stoner/desert rock is great in this regard, as it lets a body think as the music plays.

For the Defense:

“Hang Up Your Hang Ups” by Herbie Hancock… this is music for street cops in NYC in 1975. It’s music for tracking down and catching up with hustlers, jive turkeys, and crooks in general. You want the big funky horns to keep up your spirits and the driving guitar and percussion to keep you methodical and meticulous. You’re looking for clues, so you need the right tunes to get your head in the right space. Which reminds me of…

“Strong Arm of the Law” by Saxon… for the headbangers out there. You know you want to shout out to the red team, “STOP! GET OUT! We are the strong arm of the laaaaaaaaaw!” Yeah, bust those punks! Now, if you don’t want to go metal, there’s always…

“Relevee” by Delia Rodriguez and Gavin Russom… Very electronic, very trance, very good for moving through the matrix and busting Mr. Anderson. I swear, this song gives me the ability to connect to the network through my keyboard and I get gigabit speeds to my mind…

For Vendor-Induced Rage:

“Policia” by Sepultura… nothing like Brazilian punk-metal for getting your voice up, ready to tear into the salesweasel that sold you a product that is failing miserably as it falls far short of its marketing-fueled hype. Sepultura’s “Crucificados Pelo Sistema” is another great growler of a tune. Now, if you prefer something more industrial, might I show you to…

“Attak Reload” by KMFDM… yeah, this one’s angry… opens with “We’re gonna make you sorry / For every word you say” and goes from there. You may have to work with that vendor’s product, but it doesn’t mean you have to *like* it. If you need something softer than the above two, perhaps you might try…

“Chale Chalo” by AR Rahman, from the Lagaan soundtrack… this one is about channeling anger into victory. If you’ve ever seen Lagaan, you know exactly what I’m talking about. And if you haven’t seen Lagaan, you should. On the surface, it’s about a British officer that is trying to triple the tax on an Indian village, but it’s really about trying to cancel a contract with a vendor or risk having to break the budget on a professional services contract. Seriously, watch it that way if you can’t get into it with the standard plot.

For Building Systems:

“Master of the Universe” by Hawkwind… get the live version from the Space Ritual album and spin it on constant repeat. Like stoner/desert rock, Hawkwind’s pioneering space rock epic drives the mind forward with the music creating a space where the brain can work magic in summoning up demons to bend to your will. I find this music particularly helpful when creating and troubleshooting VPN issues, along with PKI work. If Lemmy’s bass playing isn’t your thing, then let’s listen to…

Goa Trance (multiple artists, tracks come and go, can’t recommend one track in particular)… Sparse instrumentation, constant beats, phased transitions, this is the dark chocolate of electronic music, and it’s stayed true to its core competency since it first emerged about 20 years ago. It’s also great stuff for taking on mountain roads, just sayin’. But if you want something analogue, there’s…

“Machine Ma Bwindea” by Ekambi Brillant… You can find this guy along with some other great funk musicians on the Africa Seven page at Bandcamp. If you like this one, be sure to also check out Tala AM and Sookie, two other great African bands. This one’s a lyrical piece, but because I don’t speak a word of Congolese, they don’t distract me. And that chorus is just so fun to sing along with!

For that Plane Trip:

“Gimme a Sign” by Nigel Hall… heck, get the whole album and treat yourself to an authentic musician who knows how to interpret a song, whether or not he wrote it. You want something that has a good beat to it, so you can follow along in case you’re like me and can’t wear headphones for long periods of time and those plane noises get into the mix. If you don’t want funk, then there’s always…

“Jet Airliner” by Steve Miller… a good, familiar song is great on a plane because the mind already knows where to fill in the notes and tones that get blocked by plane sounds. And, hey, this one’s topical! I like it because it’s a song about being on the road and enduring those times when we can’t be exactly where we want to be. But if you want to be more adventurous than classic rock, how about…

“Kerosene Dreams” by Drive by Wire… my hat goes off to this Dutch foursome with a great female vocalist. It’s a band in the stoner/desert vein of music, so it also does well for other tasks. But if you think the bands these days can’t rock like they used to, then you need to head to Bandcamp and check out bands like Drive by Wire and their fellows. You’ll be pleasantly surprised.

When You Have to Write Reports or Documentation:

I like to every now and then start off with a random prison work song. In the Southern USA, prisoners were segregated by race and then made to go work at clearing land, breaking up rocks for a road, or other intensive manual labor. The black work groups would make up songs to work to. In the songs, they could vary the speed so as to help out workers that were having trouble keeping up with the initial pace of the song. Look a few up on YouTube and find your favorite for that hard task that you just have to do. I suggest “Hammer Ring” or “Grizzly Bear” as good starting points. Now, for the more conventional tunes…

“Deacon Blues” by Steely Dan… this band always helps my writing flow. I can put on just about any of their albums and get into a writing mood, but Aja and Gaucho do the best job. Writing is a contemplative thing for me, so I need something not so hard or intense as what I may have suggested previously. Which brings me to…

“Spaceman” by Journey… before Steve Perry was brought in, Journey was a great rock band that delivered some beautiful instrumental-heavy tunes on their first three albums. This one is from their third album, Next. If you think they sold out on Escape, you should go back to the albums without Perry for a much less commercial set of truly deep cuts. If you want an even deeper cut, then there’s…

“Joy” by John McLaughlin and Shakti… it’s a fast instrumental with John McLaughlin doing some amazing acoustic guitar work. You’ll have to listen to all 18:12 of it, but it’s an incredible piece that is well off the beaten path, musically speaking.

When You Have to Build a Slide Deck:

“Lost Highway” by Wo Fat… some heavy blues-metal from my home town of Dallas. While I have to think to do documentation, I have to argue with my “productivity suite” when I build a presentation deck. Friggin’ text boxes! Yeah, I need something that shouts and growls along with me as I suffer through marketing-mandated branded color schemes, and this tune is one of the best for it. The whole album is great, in case I slip and just let things keep playing. Speaking of anger management tunes, I also got…

“Fast Love” by Honeymoon Disease… Swedish bands have a way of always finding a pop sensibility to slip into whatever music they’re doing, and I love what Honeymoon Disease can do with 70s-vintage hard rock. Think Heart meets ABBA for a short visit and then heads over to Motorhead for drinks and that’s this band. Great for me against the machine. I’ll complete my trio of rebellion with…

“Sabbath Bloody Sabbath” by Black Sabbath… the riff at the beginning says it all and I’m ready to tackle the stupid image that pasted into my presentation all wrong.

After Dealing with Another Stupid User Trick:

“Fight the Power (Part 1 & 2)” by The Isley Brothers… the first line is, “Time is truly wasted…” and that’s how I feel after I get off a call where we spent hours going in circles because someone lied, didn’t know what they were doing, or simply refused to reboot the system. I had to turn off security protections “just for troubleshooting” and they didn’t do a damn thing to get that root cause… “Time is truly wasted… you got to fight the powers that be…”

“Volver Volver” by Vicente Fernandez… a song of love, lost love, and a burning desire to return, even though you know it only means pain and loss when you get back to your desire. That’s this mariachi epic, and it’s how I feel as I go back over and over to do the same troubleshooting on the same system that can’t be patched because of crappy production code. I know the Spanish, so it works for me. But if you need something in Russian, there’s…

“Вот и Все Дела! (Now That’s All!)” by Валерий Александрович Кипелов (Valery Kipelov)… a song of love, lost love, and good riddance. The chorus ends with lines that translate, “I’ll go to the left, you go to the right, that’s the end of it!” Great guitar solo from Сергей Константинович Маврин (Sergei Mavrin), formerly of Aria. Trust me, it’s worth putting the lyrics into Google Translate and singing along with them. By the end of the song, I’ve finished the documentation to close the case and that’s the end of it!

For Relaxation and General Unwinding:

“Every Picture Tells a Story” by Rod Stewart… a great song for exhaling, and the drum break after the first stanza is priceless. After that, it’s time for…

“Ooh La La” by The Faces… this track features Ron Wood on vocals, and even though they’re rough sounds, they’re perfectly suited to the song. You may have heard it in recent commercials or at the end of the Wes Anderson film, Rushmore. It’s another song for sitting back and closing your eyes for a short while. Then, we have…

“Fire and Water” by Free… so sue me, all the tracks from this section come from early 70s British rock, but they all are my go-tos for letting go. Paul Rodgers’ vocal and Paul Kossoff’s guitar work take me away and send me sailing, I like it. But, OK, if you want something different, I’ll stay in the same time period and give you something American…

“Post Toastee” by Tommy Bolin… it’s always the right time for this song. I never, ever skip over it when it comes up on my shuffle. It’s so fun and friendly and comfortable, I don’t want it to end, but I understand as it fades away. So, yes, include this one on the mellow playlist. If you need something from this century and *not* a rock song, then I’ll add in…

“Manbai” by Natacha Atlas… Atlas’ vocals are enrapturing on this very chill, liquid drum ‘n’ bass track, masterfully mixed by Nitin Sawhney from Transglobal Underground. So what if it’s in Arabic? It’s great for relaxing, and you said you wanted something different, didn’t you? 🙂

Security for All Sizes: How Big Are Your Vendors?

There are some amazing ideas out there in vendorland, but not all ideas are backed by the same kinds of companies. This impacts how those ideas, those vendor products, will fare in your environment.

Of course, I’m going to sort vendors into three size categories: small, medium, and large. How they intersect with customers that are small, medium, and large will also come into play. Here goes!

Small vendor, small customer: Small customers tend to also mean “small budgets”, so they’ll go with a small vendor if it looks like it can *almost* deliver the performance of a more expensive product from a bigger vendor. If it can match the big guy or beat it, even better. Price is king in the initial purchase decision. After that, there’s a good chance that the small company gets some excellent tech support – it’s likely that the entire development team is also taking turns fielding support calls. Now, there may be features that never get implemented and the product may never stretch to cover additional areas or integrate with other products, but in a best case, it’ll be a stout little mountain pony that gets the job done.

Small vendor, medium customer: Maybe someone heard good things about the small vendor and wanted to try it out in a bigger environment. Here, there’s an expectation that it will play well with other apps and systems. While the small customer may have re-done some things about its environment to accommodate its budget-friendly solution, the medium sized customer will not have that much flexibility, as it’s likely other systems are dependent upon things staying exactly as they are for them to function. If that vendor’s product can’t fit into the bigger environment, it’s out. There’s also the consideration of scalability. Is there a management dashboard for the product? Does it integrate with syslog? What are the upper limits of the vendor’s software and/or hardware? How many widgets are needed to make all this work, and will all those widgets work with each other?

Small vendor, large customer: Is this vendor on the list of approved vendors? If not, will it still be around after that process is completed? For the large customer, the vendor has to be something that looks to be capable of being around for the long run. Large customers don’t like having to buy a different solution in the middle of a system lifecycle because the vendor went out of business. Can the vendor provide follow-the-sun coverage? Can the vendor produce features that are required for specific customer environments? How big is that dev team, anyway? The product may be amazing and best in its class, but if it can’t scale its internal resources to meet the demands of the large customer, it’s not even a consideration as they choose products.

Medium vendor, small customer: This vendor may still be budget-friendly, but it’s unlikely that any special requests from the small company are going to be incorporated by the vendor unless other companies are asking for them. It’s also likely that the small company may have enough for the initial purchase, but might decide to not renew support until there’s a major outage – meaning that small company may be using an unpatched version of that gear because it is forced to accept the risk due to budget concerns.

Medium vendor, medium customer: The vendor is no longer small, but an up-and-coming firm that’s maybe ready for prime time. If so, maybe it “dropped its pants” in purchase negotiations in order to break into a larger tier of customers. Your firm, possibly with a handful of other firms, is commanding all the attention of this vendor – until it can land a larger customer. The good news is that it may very well answer all your questions about integration and interoperability. The bad news is that it may possibly be peaking out at this point and won’t be able to mature its product properly to keep up with your business.

Medium vendor, large customer: This can happen from time to time… and it’s usually to get leverage on a larger vendor during contract renewal negotiations. If it performs well enough to not only beat the big guys at their own game, but also well enough to justify a purchasing decision that can ruin the discounts the firm may be getting on other gear from that bigger vendor, then it’s a keeper. If that happens, the medium vendor may be poised to get a lot bigger, but it will also be pounded with requests from that large customer to develop features that take it beyond being a cool tool and into becoming an enterprise solution. This might break the medium vendor if it can’t keep up with the demands from its biggest customer – as those demands may well mean leaving behind the founders of the company and their culture.

Large vendor, small customer: What I said for the medium vendor/small customer applies here as well, with even more emphasis on the small customer’s lack of voice and likelihood of coasting along with unpatched gear. The big vendor always has a bigger customer, and that’s the one that’s going to dictate how development team hours are allocated.

Large vendor, medium customer: Nobody ever got fired for buying the large vendor, but they do cost a lot for support, don’t they? Is this where, in order to have the features and power of the large vendor’s gear, the medium company has to contemplate outsourcing to keep a handle on costs? It doesn’t matter if it was a small company that got big or a big company that stayed big – the costs will increase. At the same time, your firm may as well be a small firm as regards its ability to leverage new features. So, yes, it does everything you might need it to do now, but that may well be that.

Large vendor, large customer: Here’s where the large vendor meets its match in terms of demands for scalability and support and new features. The challenge to the large vendor is whether or not it’s able to move quickly enough to deliver to those demands. It’s a large firm, itself, and can’t move as quickly as it used to do. It’s also got so many customers that it’s inevitable that when it releases a new feature, it’s bound to break something, somewhere. Maybe that medium-sized vendor can deliver a solution that won’t break things for its largest customer, but there are no sure things if your firm is one of a vendor’s largest customers. Test carefully and upgrader beware…

So, just as most of you suspected, those great little apps you see in the tiny booths on the fringes of the security conferences may stay in those tiny booths or eventually vanish. It breaks my heart, but I’ve even seen some firms that had medium-sized booths fade from the scene. They might keep a small and dedicated group of customers, but they’re also victims of how those customers themselves might fade away. Once a company can rise above the churn of the violent waters where small and medium sized companies swim, it risks becoming a dinosaur that can’t adapt itself to changing long-term trends. Just let someone who did IT 20+ years ago get to talking about Banyan VINES, OS/2, Sun Microsystems, Digital, and Novell, and you’ll realize that no firm is so big that it can’t crumble away.

At least with the bigger companies, you have a better shot at getting a complete product lifecycle before they totally fade from the scene…

Getting Good Information About the Recent Pandemic

Is it safe to use ibuprofen to treat a fever? Is it safe to use marijuana during this outbreak? These are just some of the questions going around and we should all know how to find answers for them. There’s conflicting information from various sources, so we all have to learn how to hit multiple sources to see what’s going on. Right now, studies are going to be limited due to the recent nature of the outbreak. That being said, health professionals globally are going to share ideas with each other and some of that chatter may spill over into the media reports – and not all reporters know how to report science.

What we *do* know is that anything that stresses the lungs will leave a person more susceptible to damage from the SARS-CoV-2 virus, which causes COVID-19. Right there are two good keywords to use in searches. Everyone’s calling it “coronavirus” in the popular media, while scientific communities are using SARS-CoV-2 to identify the virus and COVID-19 to identify the disease. Using those keywords gives a better shot at getting quality results.

Next, when we see the site providing the information, examine the website itself to evaluate the accuracy of its information. Local news stations, those are good for reporting things like what’s open and what’s closed and how many people locally are in the hospital, but not much more. National news outlets will have a higher degree of accuracy, but can still get a few things wrong. Websites with a strong political bias may be victim to Russian trolling – yes, the Russians are taking rumors and amplifying them on various websites that are much more political than they are scientific – so disregard those entirely as providers of scientific information. Entirely. Their information may actually prove harmful, which is why I say to disregard them entirely.

Websites affiliated with medical institutions, particularly medical research, will have the best quality information. Learn how to read their information carefully and patiently, as the more technical sites will use specialized terms and expressions to convey meanings. The specialized definitions themselves are not hard to learn – but they must be learned, so part of your reading of specialized articles will involve looking up words you don’t quite understand. Once you get the meanings, though, you’re able to better understand the next article.

As regards ibuprofen, the WHO has walked back an earlier statement cautioning against using that drug as a fever suppressant. That’s another thing to mind – conditions can change, so we need to be ready to change with them.

For marijuana use, the cautions concern the impact on the respiratory system and any activity that involves communal sharing of drugs or their delivery apparatus.

What about other questions? I just apply the above methodology to get the answers. In particular, I use those keywords SARS-CoV-2 and COVID-19 to deliver better results in my searches.