Saturday, 6 March 2010

Scenario thinking - the security officer is a serial killer

More inspiration on scenario thinking. I picked up another Michael Connelly thriller. I've read about 20 of his thrillers and almost all of them are hard-boiled thrillers, often with serial killers. In about 15 of his books Harry Bosch, an LAPD detective, is the main character. Harry doesn't know anything about computers, and the way the books are written presents that as if it should be like that. Of the other 5 books, two have a lawyer as the main character, one a journalist, one an ex-cop with a new heart (the brilliant Blood Work) and one an ex-con. In some of the books the different main characters meet, making it feel as if one sees different parts of the puzzle of crime.
In none of them do computers or the internet play a big role. But the books are a great read with a lot of pace and reasonable scenarios with a dark edge.
I was more than pleasantly surprised when I picked up "The Scarecrow" and it starts with a due diligence visit by a CIO to a data hosting centre. Ok, the due diligence check doesn't go as it should, but the way it is described, with a visit to a girly bar to settle the deal, it might go that way with some CIOs. At least that is my security officer view of it. And in a mainstream book with millions of readers, SAS 70 reports, SOX and HIPAA are mentioned too.
In the book a serial killer is running around and choosing his victims from the internet. He also uses the internet, social websites, public self-service interfaces of credit card companies and company e-mail systems to isolate the journalist that is chasing him. All threats that currently exist and could, with some skill, indeed be used. The journalist is the one that was in an earlier Connelly book, The Poet. He has just been fired from his job, because newspapers need to cut back on costs, very real life too.
What makes this book very useful for scenario descriptions for a board meeting is the fact that the security officer of the data center turns out to be a serial killer. (I'm not ruining your joy of reading, this is clear from the start of the book.) Ok, according to the book the guy is called CTO, Chief Threat Officer, a title I've never heard of, but this could also be used in some presentations. And the name of the book is related to the way the CTO scares hackers away from the data center, a name I've also never heard in this relation.
Still, that a main character of a mainstream thriller is a security officer must mean the profession still has a future, even though he is a vicious killer. Wasn't the main character in American Psycho a stock broker, just before that profession became a Master of the Universe?

Tuesday, 2 March 2010

Scenario thinking

To explain IT security risks to the business or customers it is good to tell a story. The story should take the listener into the story to explain why an IT solution has certain risks. The story shouldn't start with the "big bang accident" that could happen to the system, but should gradually take the listener along its path.
Scenario thinking is part of architecture books like Software Systems Architecture - Working with Stakeholders Using Viewpoints and Perspectives. The method of scenario thinking is described, but one would need inspiration too. Popular literature could give this inspiration.
Lately a number of good examples have been published as regular thriller stories. Daemon by Daniel Suarez is sold in Amsterdam bookstores in the Science Fiction section, but in fact it mainly uses existing technology.
Core to the book is the use of VOIP systems that are activated by a daemon process that scans the Internet news sites for certain news facts. When a certain news fact happens, the Daemon calls people using VOIP and, using voice recognition, lets them generate new news facts. So on and so forth. This part is the best part of the book. Existing technology "misused" to break the system of society. The security specialists in the book use standard security technology to find where a daemon or Trojan is running. Of course the book also has its standard "I don't understand and don't want to understand IT" character, but a lot of people in the book take it seriously and are not putting IT security in the Geek corner.
The story further develops into a "Hollywood" Armageddon style in which "Autonomous Vehicles" and "Laser-Induced Plasma Channel Weapons" appear. This is also based on existing technology, but for a simple IT person, just a bit too much. I like it better when it is not right away the whole world that is collapsing, but just the world of a few people. This part of the book would have been better if it was Hitchcock style instead of Bruce Willis. That is the way the first 200 pages develop.
But all in all, the book is one to read for IT and specifically IT security people.
I'm not going to tell you how it ends, because I don't know. The IT consultant who wrote the book was at page 1200 when he decided that two books might be better for sales.
The second part, called Freedom, I still need to read. Hopefully this will give some inspiration for more scenario thinking too.

IT security is not just a "front runner" thing anymore. It is on its way into the mainstream. Hopefully IT business will follow on its path ......