Security, privacy and disaster recovery for the project manager
I can't imagine a project manager in 2002 practicing his or her craft without a computer, if for nothing else than for email and creating documentation. I'm not implying a project manager is inept without a computer; it's just that automation enhances productivity. If a typewriter, slide rule and telex are your primary project management tools, this paper will probably not be significant to you.
Security, disasters and privacy are risks to a project (and to a project manager). But project managers are trained to deal with risks, and these risks are best addressed when the project manager fully understands them. In this paper I have included only the security risks facing a project manager. As an example, a "Denial of Service" (DoS) attack is an attack on a running website or other network service, intended to make it unavailable to its legitimate users. Since a running website belongs to the operational phase of the life cycle, it is normally beyond the scope of a project manager's responsibility.
Security is a risk to project managers both in implementing a project and, if the project is IT or telecom related, in the project's deliverable itself. Remember the days of "sneaker-net," when we exchanged files on floppy disks? Keeping malicious software in check was a matter of scanning a disk for a virus. And we usually didn't fear a mainframe being compromised by something like Code Red, Melissa or ILOVEYOU (the last infamous mainframe outbreak was the IBM Christmas Worm in 1987). Enter the Internet. With the Internet comes the ability to pass data, voice and video ubiquitously. But the door swings both ways: every new path the Internet provides to the world is the same path the bad guys can use to get to our computers.
Computer and network security has recently gained high visibility. “Hackers,” “Blackhats,” and “Script Kiddies” have become the modern day pirates. But these outlaws need no ship or crew. And they are not limited to shipping lanes, weather, and schedule to capture their plunder. These pirates work anywhere there is Internet access, day and night. And unlike the individual attacks of years past, today's pirates release software robots, forever alive on the Internet, rattling doorknobs to see who forgot to lock their doors and reporting back to the pirate the next time he or she goes online.
But, we have technology! We have firewalls and antivirus software and intrusion detection systems. How can a pirate get past those defenses? In the 2001 CSI/FBI survey, 90% of the 583 respondents reported security breaches, and 95% of those companies had a firewall in place. I credit Bruce Schneier with first coining the phrase "security is a process, not a product." It is evident from Exhibit 1 that reported security incidents are increasing exponentially.
Why security products don't solve the problem.
• Antivirus Software—Antivirus software scans for known malicious code, matching files against signatures of malware that has already been seen. But what about new malicious code? The Code Red worm spread quickly because no antivirus software had a signature for it yet. And antivirus software can't detect custom malicious code written for one target, such as a "time bomb" (defined later), because no vendor ever sees a sample.
Exhibit 1. Number of Security Incidents reported to the CERT Coordination Center in 2001 (In just the first quarter of 2002, 26,829 security incidents had already been reported to CERT.)
Exhibit 2. 2001 CSI/FBI Computer Crime and Security Survey
• Firewalls—Firewalls, like the Great Wall of China, will slow an intruder down, but they are not impregnable. A castle with a moat has a drawbridge so the king and queen can come and go. What if that drawbridge were compromised? Same with a firewall. A firewall has to have doors (open ports) to allow some data to come and go, and the services behind those doors can be attacked through them. But often, firewalls are not even configured correctly. Networks protected by firewalls are often described as having a hard crunchy exterior and a soft chewy center. This analogy refers to the engineering practice of keeping outsiders out while doing nothing about threats that are already inside. For many years it has been accepted that 80% of all security threats come from within a company; however, the CSI/FBI report indicates a decrease in the share of internal attacks versus total attacks.
• Intrusion Detection Systems (IDS)—These systems are supposed to warn us when an attack is occurring. However, IDS are still in their infancy: they require constant monitoring, and a security engineer with extensive knowledge of the company's network is needed to set up the filters and profiles that separate real attacks from normal traffic.
And security products cannot protect against one of the biggest threats of all: social engineering. Kevin Mitnick has become the poster child of hackers. Incarcerated for five years, from 1995 to 2000, for copying software over the network from companies like Sun Microsystems and Motorola, Mitnick credited most of his hacking achievements to social engineering. "Through social engineering, I gained the ability to obtain any number, listed or unlisted," Mitnick told a group of wannabe hackers at a conference in 2000. Social engineering is persuading a legitimate user of a computer system to give the attacker something useful, most often a user name and password or the procedure for gaining entry to a system. Despite the great automation of machines and networks today, there is not one computer system in the world that is not dependent on human operators at one point or another. There are always humans who have to provide the networks with information and maintenance, and humans can be talked into things.
Security Risk Management
Identifying and Understanding Security Risks
The 2001 CSI/FBI Computer Crime and Security Survey provides the following statistics on the most prevalent security incidents and the losses they caused.
What is evident from the statistics is that the most prevalent security incidents are not necessarily the most costly.
Malicious software (malware) is often generically referred to as a virus. But malware takes several forms depending on its purpose. Following are definitions of other attacks that often get lumped into the virus category.
Virus—Computer viruses are so named because of their similarity to biological viruses. Biological viruses are unable to replicate without a host cell and are typically not considered living organisms. The metaphor is accurate. A computer virus is a string of computer code that attaches itself to another computer program (it can't live on its own). Once attached, it replicates by co-opting the host program's resources to make copies of itself and attach them to other programs, and so on (e.g., the Melissa Microsoft Word macro virus, 1999).
Worm—A worm is a piece of malware particular to networked computers. It's a self-replicating program that does not hide in another program like a virus does. Instead, it exists on its own, meandering through computer networks as best it can doing whatever damage it is programmed to do (e.g., ILOVEYOU worm, 2000; WORM.EXPLOREZIP worm, 1999).
Exhibit 3. Lines of Code in Microsoft Operating Systems
Trojan Horse—A Trojan horse is a piece of malware embedded in some normal-looking piece of software, designed to fool the user into thinking it is benign. According to legend, the Greeks won the Trojan War by hiding in a huge, hollow wooden horse to get into the fortified city of Troy. Today it is not just hackers practicing the art of the Trojan horse. Spyware is Internet jargon for code embedded in software that reports on your computer activities. Most prevalent in free software, spyware sits on a computer, compiling activity and then reporting it to a marketing company over your own Internet connection. Spyware is also used by law enforcement agencies: the program DIRT (Data Interception by Remote Transmission) is a commercial Trojan horse marketed to police and government agencies.
Time Bomb (also called a Logic Bomb)—Do you ever wonder what actually goes into your food? Whether it's processed food from a grocery store or a meal from your local restaurant, you have an idea what you're eating, but you may not be 100% sure. Software is much the same. Programmers have been known to leave "Easter eggs" in programs: hidden features that only execute for someone who knows how to trigger them. An Easter egg is harmless, but the same hiding technique can carry a destructive payload, triggered by a condition or by a date. In 1996 Timothy Lloyd, a network engineer at Omega Engineering, planted a logic bomb set to go off at a point in the future unless he was around to stop it. When Lloyd was fired from Omega, the logic bomb went off and Omega was crippled. It cost Omega millions of dollars and resulted in the layoff of 80 employees. Lloyd was sentenced in February 2002 to 41 months in federal prison and ordered to pay over $2 million in restitution.
Most software exploits take advantage of bugs in software. Complexity is the worst enemy of security. As software becomes more complex, it is becoming impossible for software vendors to test security for every configuration the software may be run in. Look at the number of lines of code in Microsoft's operating systems.
Estimates from Carnegie Mellon University show that a thousand lines of code typically contain 5 to 15 bugs. Most of these bugs are minor, do not affect performance, and are never noticed. Any of them, however, may be the one an attacker finds a way to exploit.
To quote Einstein “everything should be as simple as possible, but no simpler.”
Security is getting worse, not better.
Laptop Theft—Laptop theft is a huge problem. Statistics are hard to come by, but according to Safeware (www.safeware.com), an Ohio-based insurance firm specializing in PC policies, nearly 320,000 laptops valued at $800 million were stolen in 1999, a 5% increase over the previous year.
Social Engineering—People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems. Social engineering does not require much or any technical ability. A Hacker needs only to convince another person of a false situation. There are numerous stories about a sly bad guy pretending to be someone else to obtain access information. But the Internet has also allowed an individual to wrongly present themselves as an entire company.
In 1999 an employee of PairGain Technologies posted a fake takeover announcement on the Internet, designed to look like it came from the Bloomberg News Service, running the stock up about 30% before the hoax was exposed.
Dumpster Diving—Many times paper in trash is more valuable than the same data in a computer. It's easier to steal and less likely to be missed.
TEMPEST—For years the U.S. government has required contractors to supply it with TEMPEST-certified computers. The TEMPEST standard ensures adequate shielding against the electromagnetic emanations a computer gives off, the most notorious source being the CRT screen. Sensitive detection equipment can reconstruct what is being displayed on a non-TEMPEST CRT screen from the radiation the CRT emits.
Following is one of my favorite examples of a physical exploit.
In April 1993, a small group of criminals wheeled a Fujitsu model 7020 automated teller machine into the Buckland Hills Mall in Hartford Connecticut, and turned it on. The machine was specially programmed to accept ATM cards from customers, record their account numbers and PINs, and then tell the unfortunate consumers that no transactions were possible. A few days later, the gang encoded the stolen account numbers and PINs onto counterfeit ATM cards, and started withdrawing cash from ATMs in midtown Manhattan. They were eventually caught when the bank correlated the use of counterfeit ATM cards with routine surveillance films (The Risks Digest, 14 (59), May 11,1993).
Security Risk Analysis
As with all project risks, security risks need to be evaluated before actions are taken. In the United States alone, the credit card industry loses $10 billion to fraud per year; but neither Visa nor MasterCard is showing any sign of going out of business. Some losses are cheaper to absorb than to prevent.
One of the first steps in analyzing security risk is to determine if the risk is even real. In April 2002 I received an email with the following content:
Please read the following carefully and send it to EVERYONE you know. Send it to all contacts you have, for I agree with the message, I'd rather receive this 25 times as to not at all…
A new virus has just been discovered that has been classified by Microsoft (www.microsoft.com) and by McAfee (www.mcafee.com) as the most destructive ever! This virus was discovered yesterday afternoon by McAfee and no vaccine has yet been developed. This virus simply destroys Sector Zero from the hard disk, where vital information for its functioning is stored. This virus acts in the following manner: It sends itself automatically to all contacts on your list with the title "A Virtual Card for You." As soon as the supposed virtual card is opened, the computer freezes so that the user has to reboot. When the ctrl+alt+del keys or the reset button are pressed, the virus destroys Sector Zero, thus permanently destroying the hard disk. Yesterday in just a few hours this virus caused panic in New York, according to news broadcast by CNN (www.cnn.com). This alert was received by an employee of Microsoft itself. So don't open any mails with subject "A Virtual Card for You." As soon as you get the mail, delete it. Please pass on this mail to all your friends. Forward this to everyone in your address book. I would rather receive this 25 times than not at all. Also: Intel announced that a new and very destructive virus was discovered recently. If you receive an email called "An Internet Flower For You," do not open it. Delete it right away! This virus removes all dynamic link libraries (.dll files) from your computer. Your computer will not be able to boot up.
This message was first determined to be a hoax in March of 2001, but it is still convincing enough to fool someone into sending it to me one year later.
If you want to verify whether a reported malware threat is genuine, check with the following websites: http://hoaxbusters.ciac.org; http://www.symantec.com/avcenter/hoax.html; http://f-secure.com/news/hoax.htm.
Currently, quantitative security risk analysis is the holy grail of the IT security industry. Since most of the economic impact of security breaches goes unreported, security practitioners find it difficult to produce a return on investment (ROI) number for an expenditure. Budget justification is often based on the Annual Loss Expectancy (ALE), the product of the single loss expectancy (SLE, the expected loss per incident) and the annualized rate of occurrence (ARO, the number of incidents per year):
ALE = (expected loss per incident) x (number of incidents per year)
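As an added worked example (mine, not from the original paper), the following Python script applies the ALE formula to a small threat register and shows that ranking threats by how often they occur gives a different order than ranking by ALE, which is the point made about the survey statistics above. Every threat name, dollar figure and frequency in it is constructed for illustration, as is the cost of the hypothetical antivirus safeguard.

```python
"""Annual Loss Expectancy (ALE) worked example.

Added example, not part of the original paper. Every threat, dollar figure
and frequency below is constructed for illustration, not survey data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # single loss expectancy: expected loss per incident, in dollars
    aro: float  # annualized rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        # ALE = (expected loss per incident) x (number of incidents per year)
        return self.sle * self.aro


# Constructed register: frequent-but-cheap and rare-but-ruinous threats side by side.
THREATS = [
    Threat("Virus/worm infection", sle=2_000.0, aro=40.0),
    Threat("Laptop theft", sle=8_000.0, aro=5.0),
    Threat("Insider logic bomb", sle=2_000_000.0, aro=0.01),
    Threat("Hoax email chain letter", sle=50.0, aro=200.0),
]


def rank_by_frequency(threats):
    """Threat names, most frequent first: the 'most prevalent' ordering."""
    return [t.name for t in sorted(threats, key=lambda t: t.aro, reverse=True)]


def rank_by_ale(threats):
    """Threat names, highest ALE first: the ordering a security budget should follow."""
    return [t.name for t in sorted(threats, key=lambda t: t.ale, reverse=True)]


def safeguard_value(threat, aro_after, annual_cost):
    """Net annual value of a control that reduces a threat's ARO.

    ALE before, minus ALE after, minus the control's annual cost. A positive
    number is the ROI figure the paper says is hard to produce; in practice the
    hard part is justifying aro_after, not the arithmetic.
    """
    ale_after = Threat(threat.name, threat.sle, aro_after).ale
    return threat.ale - ale_after - annual_cost


if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:26s} ARO {t.aro:7.2f}  SLE ${t.sle:>12,.0f}  ALE ${t.ale:>9,.0f}")
    print("by frequency:", rank_by_frequency(THREATS))
    print("by ALE:      ", rank_by_ale(THREATS))
    # Hypothetical: auto-updating antivirus cuts infections from 40/yr to 4/yr for $5,000/yr.
    print("antivirus net value: $", safeguard_value(THREATS[0], aro_after=4.0, annual_cost=5_000.0))
```

With these constructed numbers the hoax chain letter is by far the most frequent incident and the least costly, while the logic bomb, expected once a century, still outranks it; the safeguard calculation is where an unreported or guessed "number of incidents per year" turns into a budget line, so the assumption behind aro_after should always be written down next to the result.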
Threat modeling is for the most part ad hoc. You think about the threats until you can't think of any more, then you stop. And then you're annoyed and surprised when some attacker thinks of an attack you didn't.
Security Risk Response Planning
This quote by Yogi Berra sums up the project manager's need to plan: “You've got to be careful if you don't know where you're going ‘cause you might not get there.”
Following are some simple tactics a project manager can utilize and encourage his or her project team to also utilize that have a tremendous return on security.
• Stay patched. Several reports have estimated that 99% of Internet attacks exploit known vulnerabilities for which a fix already existed, and could have been prevented if system administrators had simply kept their system software current.
• Use antivirus with auto updating.
• Use personal Firewalls.
• Use strong passwords. Password policy often creates a dilemma. Strong passwords are a combination of upper and lower case letters, numbers and punctuation marks. But strong passwords are difficult to remember and consequently get written down (available to steal). Weak passwords (e.g., the name of your dog) are easy to remember, but also easy for a hacker to crack, and adding a digit to the dog's name does not change that. To understand and generate a strong password, visit this website: http://www.winguides.com/security/password.php
• Don't open unknown email attachments.
• Don't run programs of unknown origin.
• Disable hidden file name extensions (in Windows, turn off "Hide file extensions for known file types"), so that an attachment named report.txt.vbs is not displayed as report.txt.
• Turn off computer or disconnect from network when not in use.
• Disable scripting features in email programs.
• Make regular backups of critical data.
• Make a boot disk in case your computer is damaged or compromised.
• Allow only appropriate physical access to computers, and apply the concept of "least privilege" to accounts as well: give someone only the privileges they need to accomplish a task, for only as long as they need them.
• Develop and promulgate an acceptable use policy for workstations.
• Consider encryption of email.
• Use common sense.
Additional detail on securing project technology can be found at CERT's website: http://www.cert.org/tech_tips/home_networks
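Because a "strong password" is easier to describe than to check, here is an added Python example (mine, not from the paper and not the winguides site's tool) that applies the criteria above: it estimates the brute-force search space from the character classes used, and separately rejects passwords built on a dictionary word even when they are dressed up with digits, punctuation or "leet" substitutions. The word list is a constructed stand-in for the multi-million-entry lists that cracking tools actually use, and the 50-bit threshold is an assumption.

```python
"""Password strength check. Added example, not part of the original paper.

COMMON_WORDS is a constructed stand-in for the large word lists cracking
tools use; MIN_BITS is an assumed threshold.
"""
import math
import re

COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "rover", "fido", "summer"}
MIN_BITS = 50.0

# The character classes the paper's definition of a strong password is built on.
CLASS_PATTERNS = {"lower": r"[a-z]", "upper": r"[A-Z]", "digit": r"[0-9]", "punct": r"[^A-Za-z0-9]"}
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "punct": 32}

# Substitutions people use to "strengthen" a word; crackers undo them just as easily.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def character_classes(pw):
    """Set of class names present in the password."""
    return {name for name, pat in CLASS_PATTERNS.items() if re.search(pat, pw)}


def guess_space_bits(pw):
    """log2 of the brute-force search space, as if the password were random over its classes.

    This is an upper bound: a dictionary word with a digit on the end is far
    weaker than this number suggests, which is why dictionary_base() is checked too.
    """
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def dictionary_base(pw):
    """Return the common word the password is built on, or None.

    Tries the password as typed and after undoing leet substitutions, in both
    cases ignoring leading/trailing digits and punctuation ("Rover1!", "P@ssw0rd").
    """
    lowered = pw.lower()
    for candidate in (lowered, lowered.translate(LEET)):
        core = re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate)
        if core in COMMON_WORDS:
            return core
    return None


def assess(pw, min_bits=MIN_BITS):
    """Return (acceptable, reasons). A dictionary-based password fails regardless of its score."""
    reasons = []
    base = dictionary_base(pw)
    if base:
        reasons.append(f"built on the dictionary word '{base}'")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(character_classes(pw)) < 3:
        reasons.append("uses fewer than 3 of: lower, upper, digit, punctuation")
    bits = guess_space_bits(pw)
    if bits < min_bits:
        reasons.append(f"search space only {bits:.0f} bits (want {min_bits:.0f})")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("Rover1!", "P@ssw0rd", "xK7#qL9!pM2v"):
        ok, why = assess(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'weak: ' + '; '.join(why)}")
```

"P@ssw0rd" satisfies every character-class rule and scores over 50 bits, yet it is rejected, which is the caveat the paper's definition leaves out: mixing classes only helps when the underlying string is not a word a cracker will try first.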
I was a volunteer Firefighter/EMT for nine years. At all the house fires I went to during that time I found a common thread among those who had just experienced the tragedy: they never thought it would happen to them. As a project manager in IT, I witness the same misconception when someone's PC begins to screech and the individual suddenly becomes concerned with when his or her last data backup was performed.
Disasters come in all sizes. Normally when we think of disasters we think of floods, fire, hurricane, ice storm, tornado, etc., Mother Nature at her worst. More probable, and yet overlooked, are the day-to-day disasters. A stolen laptop, a crashed hard drive, a virus that takes out data, a PC being dropped: any of these could bring a project to a halt.
Project managers are ultimately responsible for bringing a project in on time, on budget and on quality. If a portion of a project team was located remotely and they experienced a disaster, degrading their input to a project, the project manager would have to evaluate the impact and deliver the news to the project sponsor and customer. The project manager needs to include disaster recovery for every aspect of a project as part of their risk evaluation.
Hopefully, every company a project manager is working for has already transferred much of the risk of a major disaster with business continuation insurance. So a project manager needs to concentrate on disasters affecting just their project. Project disasters ranked in severity include:
• Loss of project data
• Loss of project resources (human and nonhuman)
• Loss of facility or access to facilities (natural disaster, fire, hazardous material incident)
• Loss of communication
• Loss of computers.
Loss of Project Data
Hard drives have become very reliable. Many hard drives installed in laptops today advertise a mean time between failures (MTBF) of 300,000 hours (12,500 days, or about 34 years). MTBF is a statistic over a large population of drives under normal operating conditions, so the long figure means our hard drive is unlikely to wear out; it says nothing about the drive breaking from an external event. MTBF does not include dropping the laptop. MTBF does not include the laptop being stolen. MTBF does not include the laptop being destroyed by a natural disaster or fire. MTBF does not include the laptop's data being scrambled by malware.
The level of backup used is directly proportional to the speed with which you can recover from loss of data. I am a backup extremist, as I have two identical laptops, synchronized on a weekly basis. And since I keep both laptops in my house (single point of failure), I also have an external hard drive with the same laptop data, which I update weekly and store offsite. Call me paranoid. There are web services that provide offsite storage online, which is great for data but not for applications. Since I own all my own applications (Microsoft Office, Project, Visio, etc.) and keep them in my home-office, any disaster that took out my laptops would also destroy my software. One issue I haven't addressed yet with my configuration is Microsoft's new software activation feature. Although I have two laptops for redundancy (I'm the only user) I can't install a single copy of Microsoft Office XP on two machines. I will continue to use Microsoft Office 2000 until I determine a solution.
Loss of Project Resources (Human and Nonhuman)
When I worked in the telecommunications department for Delta Air Lines, every data device, connection and circuit (well over 100,000 elements) was documented manually in a book we called "the Peggy pages." We called the book the Peggy pages because there was a woman named Peggy who maintained it. Until the Peggy pages were automated in the early 90s, Peggy was responsible for documenting the daily changes to the network. Delta's ability to service the network would have been severely impaired if something had happened to Peggy (not to mention that there was only a single current copy of the Peggy pages at any one time). A project manager needs to closely analyze his or her resources to determine which would have the greatest impact on the project if removed. Contingency plans need to be developed to protect these resources.
Loss of Facility or Access to Facilities (Natural Disaster, Fire, Hazardous Material Incident)
A facility does not have to be a total loss to impact a project; it just has to be inaccessible. Weather is the number one reason for a facility to become inaccessible (you can't get to it). Also, an incredible amount of hazardous material passes through our cities and towns every day by rail and truck, and evacuations and quarantines are becoming more prevalent. A project manager's best personal protection against loss of a facility is to learn to work with only a laptop computer and a cellular phone. In this configuration the project manager does not "go into the office"; the office is wherever he or she is located.
Loss of Communication
I instruct part-time for University of Phoenix Online. Classes are asynchronous (no conferencing) and completely online (over the Internet). Part of the student's grade is based on attendance (they must log on a specific number of days per week) and participation (they must post responses to discussion questions, homework assignments, etc.). A technology failure is not an accepted excuse for missing attendance or participation; students must ensure they have alternate Internet access if necessary. In a project, how many communication paths are out of your control? The local LAN? The local email server? The company Internet connection? What would be the impact on your project if email were not available for a week?
Loss of Computers
Loss of a computer is the least threatening disaster if you have addressed the four issues above. Hardware is cheap and readily available.
Anonymity is probably not possible on today's web. But there are measures you can take to protect you and your company during a project.
There are some 20,000 or so personal databases (in the United States) held by corporations, listing data such as financial details, medical information, lifestyle habits, etc. In the United States, personal data does not belong to the person the data is about; it belongs to the organization that collected it. Your financial information isn't your property; it's your bank's. Your medical information isn't yours; it's your doctor's. Doctors swear oaths to protect your privacy, but insurance providers and HMOs do not. The federal government has attempted to resolve some of these privacy issues, and for healthcare it enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA touches every entity involved in healthcare, from your local drugstore to a hospital clerk. But the broad reach of HIPAA has pushed its compliance deadlines for some participants to as late as April 2004.
Other things that work against anonymity when using a PC and/or the Internet include:
• Microsoft Office applications embed identifying information in documents; Office 97 in particular wrote a globally unique identifier derived from the machine's network card address into every document it saved. This is how David Smith, the author of the Melissa virus, was caught.
• Intel Pentium III microprocessors carry a unique Processor Serial Number (PSN) that software can read unless the feature is disabled in the BIOS.
• Ethernet network cards each have a unique hardware (MAC) address assigned by the manufacturer; unless it is changed in software, it identifies that card on every network it joins.
• "Cookies"—Cookies have gotten the reputation that they can steal data from your computer. A cookie is simply a way for a web server to store a small amount of data on your PC via your browser. HTTP is stateless: as you move between pages on a website, the web server has no way of knowing who you are. So when you first access a web page, the web server writes a small amount of data to your PC identifying you with a generic name such as "customer 123." When a single company serves content on many websites, it may not know you by name, but it knows you by its assigned customer ID. DoubleClick is infamous for this practice. Because it places advertisements on so many different sites, it can track you as you move around the web. DoubleClick has taken Internet tracking a step further. By embedding its images in email sent in HTML format, DoubleClick can often associate the email address the message was sent to with the cookie your browser presents when the image is fetched. If you ever register on a DoubleClick site, it would then have your name and could associate it with your surfing history.
• Email—Most of the history of each individual email is contained in the email's headers and not usually seen by the sender or recipient. Knowing what to look for reveals where the email was sent from, when it was sent and who actually sent it. Another danger regarding email privacy is simply being careful whom the email is addressed to. In April 2002, the law firm managing the bankruptcy of the telecommunications firm Global Crossing mistakenly sent an email to all the confidential bidders for Global Crossing's assets, identifying the bidders to each other. The email was then leaked to the New York Times and published the next day.
• IP addresses—While few of us have permanent IP addresses assigned to our machines, ISPs maintain logs of which customer was assigned an IP address during a given time frame. This was a benefit back in 1999 when someone sent a bomb threat using a Hotmail account. The Hotmail message carried the IP address the sender's browser was using at the time, which was registered to AOL. Because AOL had the record of who was using that IP address when, the FBI was able to apprehend the person making the threat.
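The two email items above, reading the headers to find where a message came from and the Hotmail-style originating-IP header that identified the 1999 bomb threat, can be demonstrated with the standard library. The following Python script is an added example (mine, not from the paper): it parses the Received headers of a message in delivery order, pulls the relay names and IP addresses out of them, prefers an X-Originating-IP header when one is present, and flags hops whose timestamps run backwards, which is the usual sign of a forged header. The message, host names and addresses are constructed (documentation ranges, not a real capture).

```python
"""Trace an email's path from its headers. Added example, not part of the original paper.

RAW_MESSAGE is a constructed sample: hypothetical hosts, documentation IP ranges.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

RAW_MESSAGE = """\
Received: from mail.corp.example (mail.corp.example [192.0.2.10])
\tby mx.partner.example with ESMTP id abc123
\tfor <pm@partner.example>; Wed, 10 Apr 2002 09:15:02 -0400
Received: from webmail.free-mail.example (webmail.free-mail.example [198.51.100.7])
\tby mail.corp.example with ESMTP id def456;
\tWed, 10 Apr 2002 09:14:55 -0400
X-Originating-IP: [203.0.113.45]
From: "A. Sender" <sender@free-mail.example>
To: pm@partner.example
Subject: status report
Date: Wed, 10 Apr 2002 09:14:40 -0400
Message-ID: <20020410131440.GA1@free-mail.example>

Attached is the status report.
"""

# "from <host> (<comment with [ip]>) by <host> ... ; <date>" is the common Received: shape.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Hops in delivery order (oldest first), each as {from, ip, by, date}.

    Each relay prepends its own Received: line, so the header nearest the top
    is the newest and the only one your own mail server vouches for; anything
    below it could have been written by the sender.
    """
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        ip_match = IP_RE.search(m.group("comment") or "")
        date_part = flat.rsplit(";", 1)[-1].strip() if ";" in flat else ""
        hops.append({
            "from": m.group("from"),
            "ip": ip_match.group(1) if ip_match else None,
            "by": m.group("by"),
            "date": parsedate_to_datetime(date_part) if date_part else None,
        })
    hops.reverse()
    return hops


def originating_ip(raw):
    """Best available answer to 'which IP did the sender use?'.

    Webmail services such as Hotmail added an X-Originating-IP header with the
    sender's browser address; otherwise fall back to the earliest relay's IP.
    """
    msg = message_from_string(raw)
    xoip = msg.get("X-Originating-IP")
    if xoip:
        m = IP_RE.search(xoip)
        if m:
            return m.group(1)
    chain = received_chain(raw)
    return chain[0]["ip"] if chain else None


def out_of_order_hops(chain):
    """Indices of hops stamped earlier than the hop before them: clock skew or a forged header."""
    bad = []
    for i in range(1, len(chain)):
        earlier, later = chain[i - 1]["date"], chain[i]["date"]
        if earlier and later and later < earlier:
            bad.append(i)
    return bad


if __name__ == "__main__":
    chain = received_chain(RAW_MESSAGE)
    for hop in chain:
        print(f"{hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['date']}")
    print("originating IP:", originating_ip(RAW_MESSAGE))
    print("suspicious hops:", out_of_order_hops(chain))
```

The originating address is what an ISP's assignment logs can turn into a customer name, as in the AOL case; note that only the topmost Received line was written by a server you control, so a trace that depends on the lower lines should be treated as a lead, not as proof.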
Identity theft is not as prevalent as some news reports have indicated. However, it has become much easier with the Internet and is expected to increase. Identity theft may not bring financial ruin to an individual, but it can severely complicate his or her credit rating. Individuals who have had the misfortune of experiencing identity theft have spent years getting their personal credit history corrected. For the project manager (or anyone) it is wise to subscribe to a credit report watch service from one of the three credit reporting companies: Equifax, Experian (formerly TRW) and TransUnion. By subscribing to this service, an individual is notified each time new credit is issued against his or her Social Security number.
As a project manager you have a responsibility to the project sponsor and customer to adhere to the same privacy regulations that apply to them. If you're working for a health care company, you will need to be familiar with HIPAA. IT projects require extra diligence regarding privacy, especially when it comes to testing. New applications are tested outside production, but often with copies of real data. If the data includes information of a personal nature, a project manager needs to follow the same guidelines as if the application were in production.
This paper is the tip of the iceberg regarding a project manager's role in security, disaster recovery and privacy. The "double-edged sword" nature of the Internet will only increase the need for project managers to expand their risk analysis to include these topics. As the Internet is still in its infancy, risks will get worse before they get better.
All Internet links used in this paper were valid as of April 2002.
Anderson, Ross. 2001. Security Engineering. New York: John Wiley & Sons Inc.
Bahadur, Gary, Chan, William, & Weber, Chris. 2002. Privacy Defended, Protecting Yourself Online. Indianapolis, IN: Que Publishing.
Computer Security Institute. 2001. CSI/FBI Computer Crime and Security Survey. San Francisco, CA: Computer Security Institute.
Garfinkel, Simson, & Spafford, Gene. 2002. Web Security, Privacy and Commerce. Sebastopol, CA: O'Reilly & Associates.
CERT Coordination Center. CERT Security Incident Reporting Statistics. http://www.cert.org/stats/cert_stats.html.
Safeware Insurance. 1999. Safeware Insurance's 1998 Loss Study, May 1. http://www.safeware.com/99pressreleases.htm.
Lemos, Robert. 2000. Mitnick teaches “social engineering,” ZDNet News, July 16.
McClure, Stuart, Scambray, Joel, & Kurtz, George. 2001. Hacking Exposed, Third Edition. Berkeley, CA: Osborne/McGraw-Hill.
Romero, Simon, & Fabrikant, Geraldine. 2002. Secret List of Potential Suitors for Global Crossing Exposed. The New York Times, April 10.
Schneier, Bruce. 2000. Secrets and Lies: Digital Security in a Networked World. New York: John Wiley & Sons Inc.
Proceedings of the Project Management Institute Annual Seminars & Symposium
October 3–10, 2002 • San Antonio, Texas, USA