In the Blink of an Eye

Today’s guest post is from Mark Toomey of Infonomics, author of Waltzing with the Elephant.
Mark Toomey is a specialist in the corporate governance of IT and an expert in ISO 38500 and related standards.

Some time around the middle of June, one or more malicious individuals breached the security controls of an Australian web-hosting provider known as Distribute.IT, gaining access to several servers which were used to run websites owned by Distribute.IT customers. These malicious individuals then ran programs that effectively destroyed the data storage facilities of four servers. For the uninitiated, this can be likened to exploding a bomb in a library, destroying all the library catalogues and shredding most of the books. Given that computers do their work very quickly, it should be no surprise that the damage was caused in a very short amount of time.

What is significant and unusual in this case is that the hackers also destroyed all of the backup copies of the data stored on those servers. To do this, the hackers had to gain access to separate storage devices onto which the customer data should have been copied. As a result, all of the data stored on four machines has probably been permanently and irrevocably lost. According to news reports, this has resulted in 4,800 separate web sites simply disappearing.

Some of those web sites would have belonged to businesses. Almost certainly, some would have been interactive, designed to at least capture information from and about the people who used them. Some may have been live e-commerce sites, processing transactions and taking orders. It is highly likely that all data collected by these websites has been lost.

Just two months ago, in the April 2011 edition of The Infonomics Letter, we discussed the risks of cloud computing in an article titled ‘Rocks Hiding in Clouds’. Companies like Distribute.IT are examples of cloud providers – they provide infrastructure for shared use by other entities on a commercial basis. It is likely that many of the companies that used Distribute.IT facilities would have regarded the company as an arms’ length IT department that should “look after all the IT issues”. Many would have paid no attention to perceived “technical issues” like backup of data.

Now they have paid the price for failing to understand that users of information technology have significant responsibilities that are separate from those of the suppliers of information technology. The emergence of cloud computing, in all its diverse forms, has brought this into stark relief.

The possibility of a legal remedy would be cold comfort to those businesses that have been severely damaged by the breach of Distribute.IT’s security. At best, obtaining compensation will be a tedious affair. In all likelihood, the company won’t have any significant realisable assets, partly because the cost of establishing a hosting service is not all that great, with the probability that most of the equipment would have been subject to finance and partly because the loss of customers and the loss of reputation will have very quickly rendered the business unviable. In actual fact, a commercial transaction has already been completed with another hosting provider taking over the assets of Distribute.IT, leaving the husk in the care of its owners and directors to deal with the aftermath of the hacking event.

As with most cases of loss and damage, the old proverb “an ounce of prevention is worth a pound of cure” is highly applicable. Those who used the Distribute.IT service should have taken steps to ensure that their business was adequately protected against the things that might reasonably have been identified as risks. The six principles in ISO 38500 serve as a framework for discussion.


Responsibility: Just who was responsible for what in the commercial arrangements that existed between Distribute.IT and its customers? Clearly, the company provided infrastructure and it should have provided an adequate security shell around that infrastructure. Perhaps it was required as part of its service to make backup copies of customer data – but what exactly were its obligations in this regard? Was it also responsible for ensuring that backups were retained on media that is physically removed from the network and cannot be reached from it?

Regardless of what responsibility was assigned to Distribute.IT, what responsibility did the owners of affected businesses have for safeguarding their data, and where applicable, the data of others who were using their websites? Would it not have been prudent for them to assume at least a responsibility for ensuring that the data was safe from loss, harm and exposure? Contemporary best practice in information management is strongly oriented to responsibility for the data being first on the shoulders of those who are its owners and custodians, with a lesser responsibility being imposed on those who operate the infrastructure.
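To make the Responsibility question concrete, here is an added example (not from the original post, and not Distribute.IT's own tooling) that models which copies of the data survive once an intruder holds the hosting servers' administrative access; the copy names, access labels and both topologies are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DataCopy:
    """One copy of the customer data and the access that can destroy it."""
    name: str
    # Every credential or network position from which this copy can be wiped.
    deletable_from: frozenset
    # Whether a restore from this copy has actually been exercised.
    restorable: bool = True


def surviving_copies(copies, attacker_holds):
    """Return the copies that outlive an attacker holding the given access.

    A copy is lost if any one of its deletion paths is in the attacker's
    hands: a backup writable from the hosting servers shares their fate.
    A copy that has never been restored is not counted as a survivor.
    """
    held = frozenset(attacker_holds)
    return [c for c in copies if c.restorable and not (c.deletable_from & held)]


def assess(copies, attacker_holds):
    """Summarise the outcome as (data_survives, names_of_surviving_copies)."""
    survivors = surviving_copies(copies, attacker_holds)
    return (bool(survivors), [c.name for c in survivors])


# Constructed topology resembling the incident: backup volumes stay attached
# to the hosting network and are writable with the same administrative access
# that runs the production servers.
NETWORK_ATTACHED = [
    DataCopy("primary-disk", frozenset({"hosting-admin"})),
    DataCopy("backup-nas", frozenset({"hosting-admin", "hosting-network"})),
]

# Constructed alternative: add a copy on rotated offline media and a copy in a
# separately controlled vault that production credentials can only append to.
# The untested mirror shows why "exists" is not the same as "restorable".
ISOLATED = NETWORK_ATTACHED + [
    DataCopy("offline-tape", frozenset({"physical-site-access"})),
    DataCopy("offsite-immutable", frozenset({"vault-owner-mfa"})),
    DataCopy("untested-mirror", frozenset({"vault-owner-mfa"}), restorable=False),
]

# What the intruders effectively held: full control of the hosting servers
# and of everything reachable from their network.
ATTACKER = {"hosting-admin", "hosting-network"}

if __name__ == "__main__":
    for label, topology in (("network-attached", NETWORK_ATTACHED), ("isolated", ISOLATED)):
        survives, names = assess(topology, ATTACKER)
        print(f"{label}: data survives={survives}, copies left={names}")
```

The point the model makes is the one the article makes in words: a backup that the compromised environment can overwrite is not a backup, and a copy that has never been restored should not be counted either.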


Strategy: According to ISO 38500, the plans for IT must serve the needs of the business, while the plans for the business take into account the current and future capabilities of IT. In an arms’ length supply context, the plans for Distribute.IT’s technology should have met the reasonable needs of its customers, and that should have included an effective and secure approach to backup. However, the businesses that use the Distribute.IT service should also have been aware that most forms of cloud computing are immature, lacking standards, key disciplines and controls. They should have planned for the possibility that Distribute.IT might fail, leaving them with no infrastructure service and no access to their data.


Acquisition: The decision to use an external provider to host a web site is one of acquisition, and carries the expectation that the buyer will make the decision “for valid reasons, on the basis of appropriate and ongoing analysis, with clear and transparent decision making, and with appropriate balance between benefits, opportunities, costs, and risks, in both the short term and the long term” (ISO 38500). No doubt, the choice of an external provider is a completely legitimate choice in many cases today – as long as the purchaser understands that the balance between benefits, opportunities, costs, and risks will be completely different to an in-house supply arrangement. The crucial question that comes from the Distribute.IT case is: “Do the increased flexibility and convenience, combined with the reduced cost, offset the risk of reduced control and the risk of inadequate practices on the part of the supplier?”

How many organisations blindly choose an external supplier purely on the basis of price, with no consideration of the other matters highlighted by the ISO 38500 Acquisition Principle?


Performance: How does a buyer of a commercial product ensure that it performs well, whenever required? In a retail context, we have extensive legal and regulatory frameworks that ensure the quality of products and services. We cannot buy cars that do not comply with strict design rules, because manufacturers are not allowed to sell them. Financial services, telephone and electricity services, health services and many more are strictly controlled. Many contemporary services may only be provided by properly trained and licensed individuals, and many professional occupations carry an obligation to be a continuing member of an appropriate professional body.

When there is an absence of such legal, regulatory and professional control, buyers of products and services take a risk that performance may not measure up to reasonable expectation, and must manage that risk. Until relatively recently, most users of IT managed the risk by directly controlling the infrastructure and environment. They put in place management systems comprising skilled personnel, processes, tools, structure and rules through which they derived reasonable satisfaction that their IT would perform as required. Now, part of the business case for cloud computing seems to be the avoidance of these overheads. The trouble is that removing the need for the buyer to implement these management systems is not necessarily matched by an obligation on the part of the provider to implement corresponding management systems. As we have seen in the case of customers of Distribute.IT, the absence of adequate management systems on both user and supplier sides results in tragic consequences.

There is a clear imperative here. For cloud computing to achieve maturity, it is necessary that an appropriate framework of controls, qualifications and independent assurance be put in place that gives buyers of services reasonable assurance on the quality, reliability and performance of the product they have purchased.


Conformance: Clear, unambiguous rules are an essential part of everyday life, as are the means of educating people about the rules, and ensuring conformance to the rules. Of course, it is also important that the rules should be necessary and appropriate, and that the sanctions for non-conformance should be appropriate.

As information technology infrastructure approaches the status of ubiquitous commodity, there will need to be rules that apply to that commodity. Such rules and conformance mechanisms will be an integral part of the regime through which buyers of IT services will be assured of quality and performance.

Many of the rules for IT already exist, though they lack an effective regime in which conformance can be reasonably assured. In many cases, however, the rules do not exist as a formal and universal mandate. Rather they exist as the internal policies and controls of individual organisations, backed up by an extensive body of formal and informal knowledge. One topic for which many organisations with long-standing IT environments have rules is the protection and preservation of data. The rules for backup and archival retention of data are in many cases underpinned by legal obligations, but are also often left entirely to the IT department, because backup and archival are perceived to be “technical tasks”.

Until there is an adequate regime of regulation and oversight for cloud computing, at least on a par with electricity and telecommunications, and preferably with the controls that apply to banking and finance (information should be regarded as, and sometimes IS money), there remains a need for buyers of services to verify that the capabilities, controls and safeguards they require are written into enforceable contracts with right of proactive verification as well as substantial remedies in the case of non-conformance. If this is not possible, the buyers will need to ensure that they put in place their own arrangements to afford the protection they require.


Human Behaviour: There are several aspects of human behaviour that contributed to the loss experienced through the hacking of Distribute.IT. The buyers of the Distribute.IT service were arguably too trusting and complacent – either not knowing how much risk was attached to their purchase, or simply expecting the supplier to completely manage that risk. The operators of the Distribute.IT business may have lacked the interest and motivation to provide effective security, and they may not have thought through the potential risk of leaving backup devices permanently attached to the network. They may have had unreasonably high expectations of their customers’ skill and understanding. They may have been reluctant to invest in what may have been a marginal business, or they may have been reluctant to spend in the hope of making a killing in an emerging market. They may have held supreme belief in their own skills, unable to recognise the possibility that their hidden opponents might have deeper skills.

But perhaps the biggest human behaviour issue that we should attach to this incident is the one linked to how we deal with the criminal act that has been perpetrated. This incident once again reminds us that not all people are committed to the well-being of others. There are many who have the technical expertise to break into computer networks and damage them, and regrettably many of them lack the moral integrity that directs them away from using their talents in a harmful way.

When people act with malicious intent and destroy or damage or deny access to or otherwise inappropriately deal with valuable property, our legal system provides for those people to be brought to justice and face the consequences of their crimes. However, the information age brings two problems of human behaviour that we must solve as we face the increasing prevalence of crimes against information. The first is the problem of presence. The second is the problem of value.

The problem of presence arises because, unlike most cases of criminal damage to a person or property where the perpetrator needs to be physically present for the crime to occur and there is thus clarity of jurisdiction, in a crime against information, the perpetrator needs only a communications network and can be physically far away – out of physical and legal reach. There needs to be a concerted international effort to develop a framework in which the perpetrators of crime against information can be brought to justice as would be the case for crimes against persons and physical property.

The problem of value comes into focus when we consider the disparity in consequences handed down by some courts for crimes against information compared to those applying to crimes against property. There seems to be a tendency of the learned persons who adjudicate in the courts to regard a crime that damages information as being of lesser impact and consequence than a crime that damages property. We need, with considerable urgency, to develop a new paradigm in which prosecutors and judges fully understand the financial impact that goes with a crime against information.

Sydney Internet Marketing – In the Blink of an Eye | Internet Marketing and eCommerce Expert – Nigel Burke’s Blog…