Keil Hubert shows us how replacing his flooring taught him an invaluable lesson about security… -TEISS® : Cracking Cyber Security
1 October 2018
From small home projects to multi-year enterprise-level initiatives, it’s difficult and risky to make significant changes to an established business process. Multi-stage operations need to be planned, monitored, and constantly tweaked to ensure that vulnerabilities aren’t exposed during the chaos that marks the interim phases.
Operations and logistics sequencing plans are highly challenging to craft and manage, especially when you’re trying to coordinate activities between multiple independent people, teams, or departments. Leaders who have never been held responsible for a major distributed campaign tend to ‘blow off’ the importance of planning, monitoring, and GO/NO-GO checks. These are the leaders who often ignore their project managers, fail to involve their critical stakeholders, and wind up going waaaaaaay over time and over budget. Don’t be one of them!
As a very small-scale example of this principle: I recently replaced most of the flooring in my home. My family and I have been meaning to do this for nearly 20 years, but could never afford the time or expense. Much of the carpeting in the back of the house was original to its 1977 construction. Flash floods prompted our own amateurish attempts to fix some ruined carpet. Regardless, the original carpet was already overdue for replacement back when we first moved in. After a year of careful saving, we finally managed to hire a firm to strip everything out and put in new floors.
This wasn’t a huge project because we don’t have a huge house. We had just over a hundred square metres of floor space to fix. The problem was, we couldn’t afford to move out of the house or put all of our clothes and furniture into storage while the craftsmen did their thing. That meant that we had to evacuate one room at a time on a rolling basis so that the craftsmen weren’t held up. That, in turn, required planning. Lots of planning.
To be fair, I’m not advocating for planning to take 3-5 times more effort than actual execution (the way a major corporate initiative might). Rather, I’m arguing that success requires drafting a plan and then working from it (rather than ‘winging it’).
Complicating matters, a small house and 25 years of family life meant there wasn’t much space to use as temporary storage. The family room (FR) was our first staging point for the overflow from the first bedroom (1BR). Then, based on the craftsmen’s attack plan, we hurriedly cleared the second bedroom (2BR) into my office (OFC). When the crew moved from 1BR to 2BR, we evacuated the 3rd bedroom (3BR) into the first, effectively choking it shut until that night, when a few things could be shifted back into 2BR to make just enough space for someone to sleep.
Further complicating matters, I had to work out of the house during the week of construction so that someone was always present to authorize the craftsmen’s activities while the other adult could make runs to the builders’ supply store to pick up additional materials. That meant I had to keep the home’s network up and move a small home office from space to space so that I could stay in constant contact with my team at the office.
Finally, we had to box each room’s contents up and move those boxes in a particular sequence: the most important items were the very last boxes to move so that they could be the first restored, to minimize downtime. It’s rather important that university students have their textbooks, that working adults have access to dress-code-compatible outfits and ID badges, and so on.
This may seem like a minor inconvenience; just put things anywhere and it’ll all be cleared up in a week or two. Consider, though, the consequences of not planning what-moved-when, not checking each box to be sure it went to the right place, and not pausing the chaos regularly to double-check with the craftsmen about their plans, needs, and schedule. All it would have taken was a lapse in situational awareness and there could have been temporary-but-painful economic consequences. Missing a day of work or a day of class is no joke when you’re not an obscenely-wealthy cartoon cattle baron. 
The cowboy hats and boots are real, but anyone can buy those. No ranch experience or affiliation required.
As I said: this was a little project. As an example, though, it scales upward to business-grade level very quickly. Imagine that I’d said that I was replacing the raised floor in my data centre instead of the ratty old carpets in my home. The exact same considerations are in play: order of operations, packing plan, sequencing, communicating, monitoring the workers, keeping critical services up throughout the project, and so on. Or, instead of the floor, imagine replacing your data centre’s whole-floor Uninterruptible Power Supply (UPS) unit. Or installing and testing emergency standby generators. Or swapping out the data centre’s dedicated HVAC units during the hottest week of summer. Or executing a complete physical-to-virtual conversion into your first private cloud and re-racking the servers afterwards to make space for a new SAN. I’ve done all of these projects (some more than once), and they all required the same sort of project management skills and discipline that my floor replacement project required.
If you’re with me so far – if you agree that careful planning and oversight are necessary to successfully execute complicated projects – then the obvious question is “What does all this have to do with security?” Well … consider this: if we accept that complicated projects involving multiple, distributed teams require someone watching to ensure that operational goals are met on time, what do you think the probability is that the people running the oversight and scheduling will prioritize “making things work” over “keeping things safe”?
If you said that the probability of choosing functionality over security is high, you’re right. That’s not a ‘ding’ on project managers. Not at all! Quite the contrary: that’s literally what they’re paid to do. The thing is, projects need a healthy counterbalance between production and security, just as business-as-usual operations do. A good project management team actively embraces security people as part of the planning, oversight, and decision-making processes specifically to ensure that security needs are always factored in.
Something as simple and low-tech as an extra guard patrol might be enough to deter a would-be attacker from trying to take advantage of your discombobulated state.
That’s why, near the start of this piece, I introduced ‘leaders who often ignore their project managers’ as the villain of the piece. Think about it: if a leader is willing to ignore the people whose job it is to make sure that their initiative runs properly, how likely do you think it is that the same leader will ignore security’s needs before, during, and after the project?
Right. Close to 100 percent. My advice is two-fold: first, don’t be that leader. Second, if you work in or around security, keep your eyes peeled for that leader. If you spot someone gearing up for a majorly disruptive project and your team hasn’t been part of the planning, take the initiative and get involved. Explain why security needs to be an integral part of planning and oversight from start to finish. Then do your part to keep the organisation safe during the inevitable turmoil and confusion.
Contrary to popular belief, not everyone in Texas lives in a sprawling mansion and rides thoroughbred Arabian horses to inspect their acres of oil derricks while wearing a cowboy hat the size of an urban helipad. Texas is every bit as hot as you imagine, but most everything else you may have heard about us is marketing hype.
Still no good pizza, though – Nick, the transplant from New Jersey.