Security Lessons from Nature – Salamanders
- At September 15, 2009
- By Josh More
- In Natural History
All amphibians have poisonous skin secretions, which means that the common salamander is coated with a thin poisonous film. While not terribly useful for finding food or mates (the two things that salamanders really care about), it is a good defense against being eaten by passing dogs (or eagles, whatever). Over time, predators have learned to avoid certain amphibian coloration patterns as, not only is poison pretty bad for you, but it probably doesn’t taste too good either (despite the rumors).
So, what we have is a collection of animals who tend not to stray too far from water, aren’t very fast and have almost no practical defenses. To a predator, they would be little yummy blobs of protein but for the little poison problem. What can we learn from this?
The trick is in adapting this technique to business. It’s important to remember that being poisonous doesn’t really protect the particular salamander, as once the poison is ingested, the salamander probably has been as well (and while some salamanders can handle fire, hydrochloric acid probably still burns them).
Since slathering employees in gelatinous strychnine has certain implementation difficulties, we should probably abstract the idea a bit. What we need is a way to let predators know that an attack would be unwise without actually being attacked.
This is often done through the legal system. As Brett Trout has said, a company that has taken legal action in the past is less likely to require legal action in the future. So, one thing to do is to ready your business should court action be needed in the future. This requires a bit more preparation and a bit more attention, but can pay off hugely. For starters, you need to make sure that terms of access are clear and delineated. Practically, this means that each network-accessible service needs to have a banner that makes it clear what is and is not allowed. It means that employee handbooks should put forth clear policies and that local login pages also lay out the rules clearly.
Secondly, you should have some sort of technology in place so you can detect when policies are violated. This could be as complex as an SIEM and Log Management system, or as simple as just looking at access logs every day. Lastly, you should have a lawyer around so that when you do detect something, you can take immediate action.
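One way to check the "warning coloration" on a single service, as an added example that is not from the original post: it audits OpenSSH server configuration text for a pre-login `Banner` and checks the banner wording. The sample configurations, file paths and required terms are constructed assumptions, and `Include` files are not followed.

```python
"""Audit sshd_config text for a pre-login warning banner (added example)."""

# Assumption: house policy says the banner must contain these words.
REQUIRED_TERMS = ("authorized", "monitored")

# Constructed sample: the Banner line is commented out, and the only active
# one sits under Match, so most users never see any terms of access.
WEAK_CONFIG = """\
Port 22
#Banner /etc/issue.net
PermitRootLogin no
Match User backup
    Banner /etc/ssh/banner_backup
"""

# Constructed sample: banner set globally (keywords are case-insensitive).
FIXED_CONFIG = """\
Port 22
banner /etc/ssh/login_banner
PermitRootLogin no
"""

# Constructed stand-in for the filesystem so the example runs offline.
SAMPLE_FILES = {
    "/etc/ssh/login_banner":
        "Authorized use only. Activity on this system is monitored and logged.\n",
}


def read_sample(path):
    """Return the content of a constructed sample file, or raise like open()."""
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]


def global_banner(config_text):
    """Return the Banner path from the global section, or None if unset.

    sshd uses the first value it obtains for a keyword, and settings after
    a Match line are conditional, so scanning stops at the first Match.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "banner" and len(parts) > 1:
            value = parts[1].strip().strip('"')
            return None if value.lower() == "none" else value
    return None


def audit_banner(config_text, read_file):
    """Return a list of findings; an empty list means the check passes."""
    path = global_banner(config_text)
    if path is None:
        return ["no global Banner set: no terms of access shown before login"]
    try:
        text = read_file(path)
    except OSError:
        return [f"Banner points to {path}, which cannot be read"]
    if not text.strip():
        return [f"{path} is empty"]
    lowered = text.lower()
    return [f"{path} does not mention '{term}'"
            for term in REQUIRED_TERMS if term not in lowered]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_banner(cfg, read_sample) or "OK")
```

On a live host, feeding the output of `sshd -T` to `global_banner` covers settings pulled in from included files, since that mode prints the effective configuration.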
This way, you have a defense that only needs to be active when under attack (lawyer) and warning coloration (banners). It may not prevent a predator from attacking you, but it would make them unsuccessful and, in the long run, warn other predators away from your business.
Security Lessons from Nature – Elephants
- At September 08, 2009
- By Josh More
- In Natural History
As I write this, I am sitting in my living room watching Tomb Raider: The Cradle of Life. Which, when you think about it, tells you several things. First of all, modern technology is pretty neat. Second, if you believe the movie, the technology of the ancient Romans was even cooler. Third, my taste in movies could stand some improvement. However, one thing is certain… the movie has elephants in it, even if only by reference. Since elephants are profoundly more interesting than firing guns and shattering glass, I think I’ll talk about them instead.
Elephants are big. Really big. They’ve also been around for a long long time. (Despite the fact that the Wikipedia entry on their evolution is the most pathetic I’ve ever seen.) They’ve lived this long by staking their survival on their size and the fact that they’re big enough and strong enough to handle anything that comes their way. This strategy, of course, has its own costs.
- They have to eat hundreds of pounds of food each day.
- It takes them almost two years to gestate their young, and even then, it’s only one at a time.
- Babies require a significant amount of care, monopolizing the attention of several adults.
- It takes a lot of time to move… or to stop.
In exchange for all of this, they get to be the biggest, baddest, floppy earsyest animal on the savanna. They get to rip up trees with their noses… which is useful when they need to smack lions around. And on top of all of this, they have two spears sticking out of their faces for when they are in a stabby mood (and those pesky lions just won’t take a hint).
And therein lies the problem. The ivory in the tusks and the fact that they make “good” trophies caused a hunting spree that dropped their population to 1,300,000 by 1981 and to around 50,000 today. Though they were well adapted for life before humans invented guns, they’re not faring so well now (along with many others, actually).
The business lesson here is, I suppose, to not take anything for granted. A business model could work perfectly well for years and then one small change can come along and reduce your profit to 1/26th of what it once was. It’s happened before.
Just as, over time, elephants can develop new strategies, so can we. If something isn’t working, or a strength becomes a weakness, it can be changed. Who knows, if they survive, maybe elephants will eventually evolve shootable tusks or bulletproof skin. Maybe I will learn that sequels to action movies are never good. Perhaps your business can change and adapt to new conditions.
The good news is that you’re not an elephant, and businesses can adapt faster than genomes can. You just have to keep your eyes open.
Security Lessons from Nature – Prairie Dogs
- At September 01, 2009
- By Josh More
- In Natural History
It must have been quite the surprise as American settlers moved Westward and encountered their first prairie dog town. As they traveled, they would have seen first one strange little rodent, then another, then a few more, then maybe thousands. They would have observed that they live in a large subterranean community and work together to protect the colony. Lewis and Clark themselves observed that they could pour five barrels of water into a hole without filling it.
While this may seem somewhat cruel by modern standards, one has to note that it’s not like prairie dog colonies never encounter rain. In fact, that’s the point of today’s post. Prairie dogs work together to build a massive underground complex. They will raise their children below ground and forage for food above ground. Over the millions of years that they have been honing this system, they have learned to maximize their security infrastructure.
In the prairie dog’s world, there are many threats. For a subterranean colony, the threat of rain is pretty significant. If insufficiently reinforced, the tunnels could collapse and crush the little critters. If improperly designed, water could flow into the nursery areas and drown the pups. Simply being underground protects the prairie dogs against predators like hawks and coyotes. However, other predators like snakes and weasels have managed to adapt. To defend against incursions from predators such as these, the colonies have a very complex array of tunnels that only the prairie dogs know how to navigate. (Though this has proven less effective against some.) Prairie dogs supplement their security with a complex warning system of alarm calls where the sentries will stand on a high outlook and issue a shrill “eep” when danger approaches.
So, while all of this is useful if you happen to be one of many communal rodents, what does it mean for those of us who happen to work in the business world instead? The first thing to remember is that infrastructure planning is important. Consider building in excess capacity. Your network may be able to handle ordinary traffic, but could it handle the torrential downpour of traffic that would result from sudden Internet popularity? That said, it’s important to realize that not even prairie dogs built infinite capacity. They withstood the attempted denial of service attack by Lewis and Clark, but they wouldn’t have survived a distributed attack by thousands of Lewises and Clarkses (sorry). So, while capacity planning is important, it’s not everything… your infrastructure also has to be adaptable.
Instead, it would be wise to build a slight excess of capacity to handle the peaks of usage and then invest in some sentries. Just as prairie dogs monitor for specific dangers and issue alarms for birds of prey, snakes and canines (and, at the zoo, monorails), you could monitor your network for malware, DDOS attacks and internal intrusions.
I would, however, recommend that the alarms not involve standing atop your building and “eep”ing. Email or SNMP might make better sense.
Security Lessons from Nature – Cacti
- At August 25, 2009
- By Josh More
- In Natural History
Recent research has shown that some species of cactus manage to grow on bare rocks with the help of bacteria. Basically, the bacteria break down the rock to give the roots crevices into which to grow as well as provide nutrients to the cactus. In turn, the cactus likely shelters the bacteria and allows them to grow and spread.
There are two items of interest in the article. First, there is the basic observation that, though neither plants nor bacteria are capable of living exposed on bare rock (well, mostly), through combining forces, they manage to live in an inhospitable environment. Since the environment is also inhospitable to many competitors, they can expend more energy towards growth and less towards defense. Second is the realization that the cacti have managed to shelter the bacteria within their seeds. This way, not only do the cacti themselves manage to thrive but their children get the same benefit.
From a security perspective, it’s important to remember that the ultimate goal of security is to maximize protection while minimizing resource expenditure. Commonly, this is done by erecting barriers and monitoring them to make sure that only the right people can get through. However, alternate methods do exist. Taking a lesson from the cacti, one would look for business niches that are difficult for other businesses to thrive within. Then, one would seek out business partnerships to make it easier.
Such a path would not be for everyone, and after all, life as a cactus may be a tad… prickly. However, if you are starting a new business, this sort of partnership may allow you to protect your business simply by making it more difficult for competitors to gain a foothold, and allow you to focus more directly on growth.
Security Lessons from Nature – Anachoresis
- At August 18, 2009
- By Josh More
- In Natural History
Anachoresis. The word can mean many things referring to hermitages, animals or bacteria. Now, as interesting as the medical definition is, I am more interested in the zoological context today. When the word is used in reference to little critters, it describes the habit of hiding in crevices to avoid predators. If you’re a mouse, such a strategy works great. You just scurry about eating seeds all day and when it’s time to sleep, you find a nice little hole and hide from all the cats that hunt at night.
The strategy, of course, is less effective when implemented by elephants.
As with most security strategies, this one works better for some animals than for others. The same applies to businesses. The equivalent strategy in the small business space is to try to “fly under the radar”. Much like mice hiding in holes, this strategy is only effective so long as there are other mice around for the predators to pursue. As soon as the easy prey is eaten, predators start learning other techniques to get at the more difficult prey. Lizards may lose their legs and evolve into snakes. Mammals became more slender and supple and grew into weasels.
True, in the business space, an attacker would be much happier to take control of a multi-million dollar business than a sole proprietorship. However, if all the big attackers are pursuing the bigger prey, the smaller attackers are free to go after all the little businesses hiding out in holes… and they’ve been busy.
Just like snakes and weasels, worm-based malware will crawl around the Internet looking for the little cracks and crevices in the security around small businesses. Like shrews, automated malware spreads and looks for juicy targets, which, when found, can be targeted by all. Similarly, like biological viruses, digital viruses can infect a small business and just wait for the right conditions to execute a payload.
The point of this isn’t to scare you. Realistically, small businesses don’t face the same threats that large enterprises do. However, that doesn’t mean that they don’t face any. It’s one thing to use that justification to avoid spending large amounts of money on expensive protection that you may not need, but it’s quite another to think that just because there are fewer threats that you are safe. No matter how good it is at hiding, a mouse is not safe from a snake. Just as a mouse uses more than one security technique, businesses of all sizes should consider how much of a target they are, who wants to attack them and take appropriate action.
Hiding in the sand will only take you so far.
Security lessons from Nature – Lichens and Cooperation
- At May 19, 2009
- By Josh More
- In Natural History
OK, I’ll admit it. I like lichens. I have for years. One summer I even cultivated a pretty orange one that grew in a railroad tie where I parked, which is not the sort of thing that wins you friends in high school. Even in the rural Midwest, lichen cultivation just doesn’t count as “farming”. I find them neat, both to look at and to consider scientifically.
According to Wikipedia (at least, as I write this), a lichen is a “composite organism consisting of a symbiotic association of a fungus (the mycobiont) with a photosynthetic partner (the photobiont or phycobiont), usually either a green alga (commonly Trebouxia) or cyanobacterium (commonly Nostoc).” Isn’t that fascinating?
You see, the fungus and the algae work together and even though they are separate, they function as one organism. The algae (or cyanobacterium, which is a different essay altogether) provides energy from the sun, as it can photosynthesize and the fungus cannot. The two lifeforms then exchange nutrients and grow together. (This is really glossing some things over. If you’re truly interested, get the book Lichens of North America, it goes into much more detail.)
The thing is, each party provides something that the other one needs, and as a unit, they are successful in ways that they would not be separate. You’ve all heard this analogy before, so I won’t bore you with it. Instead, I’ll go one level deeper.
Did you know that the fungus eats the algae? That’s how this “nutrient exchange” thing works. As a team, the composite organism succeeds because, even though the dominant partner (the fungus) literally consumes the subservient partner (the algae), it works because the algae grows faster than the fungus can eat it. It works for the algae because it can compete in places it otherwise wouldn’t have. The fungus provides a level of protection.
Which gets to the point. There are a lot of uneven partnerships in the business world. There are a lot of small companies, especially in the VAR space, that enter into partnerships with the big players. There’s a lot of talk about how the small companies don’t really gain much from it, but they have to keep paying these “partnership fees” in order to compete against the other small companies. However, that’s not exactly it. The “partnership fees” keep the even smaller companies and startups from directly competing against you. The partnership may provide a lot of resources that you don’t really need… but so does the fungus in a lichen.
See, the algae grows faster than the fungus. The small company is more agile than the big one. Profit margins can be higher, the work can be more flexible. However, it is very difficult to grow beyond the partnership, as the very things that make the partnership successful also constrain the growth of the small business outside of the brand of the large company. In short, so long as the large company can consume your output (clients), it can continue to protect you and provide you with room to grow.
So, just like in the wild, success has to be measured in terms of the joint organism, not as one alone.
Security lessons from Nature – Eyespots
- At April 07, 2009
- By Josh More
- In Natural History
Now, butterflies aren’t generally considered to be terrifying. Nor, unless you were chased by one as a small child, are peacocks. And, though five of the six ends of a tiger are pointy, the tail is also generally viewed to be fairly innocuous.
Interestingly, all of these generally harmless examples protect themselves through the use of eye spots. Butterflies often have them on their wings, so when they are fully unfolded, they resemble a face. Peacocks have them all over their tails, so when they are fully spread out, they resemble the eyes of many creatures. The white spots on the back of a tiger’s ears resemble eyes as well.
The theory in all of these cases is that an attacker will think they are being observed and halt an attack. It may only cause a brief pause, but that might be just enough for the eyespotted animal to get away.
The security lesson here is twofold.
First of all, it’s a generally good idea to let an attacker think you’re paying closer attention to them than you are. That way the attacker is more likely to move on to a victim that would be a little bit easier to take on. Perhaps one that is paying a bit less attention. Practically, the technique only works when it takes fewer resources to mount a pseudo-defense than it does to mount an actual one. This is one of the reasons that fake surveillance cameras are popular. If there are 10 cameras in a place, it’s a lot cheaper for 8 of them to be fake, so long as an attacker doesn’t know which ones are which. It would not make sense to create a fake IDS system that detects security incidents and fakes a response, as it would take just as much work to fake a response as it would to make a real one.
The second lesson is that you have to pay some attention. After all, attackers aren’t stupid. If they figure out that the butterfly with the weird eyes isn’t really watching, the butterfly will be lunch if it doesn’t fly away soon. Distraction techniques, be they eyespots or fake cameras, are only good so long as the real eyes and real cameras are being used.
How can you fake out your attackers?
The Red River Zoo Needs Your Help
- At March 28, 2009
- By Josh More
- In Natural History
I know that many of you only read this blog for the security and business information. However, I have hopes that you enjoy the Tuesday natural history musings, and in that vein, I want to make you aware of the situation going on in Fargo, ND. This is a bit more personal than most of my other postings, but I hope that you’ll understand the reasons why this post has little to nothing to do with I.T. or security.
Some of you may have heard about the massive flooding in Fargo, ND. Well, for the moment, the Red River Zoo is safe, but many of the homes and businesses in Fargo are not. To help out, the zoo is accepting people’s exotic pets so that they can be cared for while the rest of Fargo flees. It’s a small zoo, but a good one. Some of you may recall the photos I’ve taken there.
This zoo is special. It’s fairly young and has a very small staff. Yet, they have managed to:
- Breed Russian Red Tree Squirrels (See the blog)
- Breed Sichuan Takins (See the blog)
Along with many many others. (See the blogs for the porcupines and wolves.)
But here’s the thing. Unlike some of the larger zoos out there, this zoo is funded entirely with donations, and has managed to do one heck of a job without using public funds. During and immediately after a disaster like what is impacting Fargo, the monies that are available tend to dry up. At the same time, we have a zoo that operates on a skeleton staff bending over backwards to save people’s pets. They need money to pay for the new animals and to keep things going until things start to get better.
I’ve made a quick PayPal account for them. I know that many of you are focusing efforts on things like:
- Helping save Peter and Erika’s house
- Fighting against racism, direct and subtle
- Helping Tzaddia Morningstar pay for cancer treatment
These are all worthy causes, and I’m not asking you to take anything away from them. All I ask is that if you have a spare $5, $10 or $20, can you toss it towards the Red River Zoo to help feed some animals.
I’m going to let this run for a few weeks, sweeping the account every Friday. I’ll send them a check for whatever is there to help them operate during the crisis. When it’s all done, I’ll close the PayPal account. There will be no auction and not a lot of bugging. All I’m asking is:
- If you can afford to drop a few dollars, please do so.
- If you can direct people to this post, so that others can drop a few dollars in the account, please do so.
The donation button is here:
If you prefer to send a check, you may do so to:
Flood Contributions
The Red River Zoo
4220 21st Ave SW
Fargo, ND 58104
If you have any questions, please leave a comment.
Thank you.
Security Lessons from Nature – Rats, Bamboo and Surprises
- At March 24, 2009
- By Josh More
- In Natural History
There are some plants that bloom several times a year, some that bloom every year and some that bloom every few years. However, there are also a few types of plants that bloom every few decades. This is generally viewed as a fairly big deal, and botanists get all excited and talk to bored people at parties* for hours on end about how special and wonderful it was, and how happy they are to have finally seen such a thing. Unless you’re a botanist, you probably wouldn’t care much.
* At least, at the sorts of parties that over-excitable botanists get invited to.
That is, unless you happened to live in Asia and the plant happened to be bamboo. Unlike the American century plant, of which individual members bloom every few decades and then die, bamboo has learned to do synchronized blooming. Now, as scary as it is when a bunch of people start synchronizing their swimming, it’s far worse when bamboo does it.
Granted, it’s not the bamboo so much as the rats.
When the bamboo blooms, it pollinates and then produces fruits and seeds. Suddenly, there’s a lot of food around and rats appear to devour all the bamboo fruits. In the process they, of course, tend to make more rats. So, for the course of a year or two, there are more and more bamboo fruits which result in more and more rats. This is all well and good until the bamboo suddenly all wise up and think “Wait a minute, what are we doing here? Rats are eating us!” and promptly go back to being placid grasses.
This leaves hundreds of rats, thousands of rats, millions and billions and trillions of rats… and no lovely little bamboo fruits to eat. Being more intelligent than the bamboo (and lacking the “hey, let’s all be grass again” gene), the rats promptly turn around and start eating everything else that they can.
In Mizoram, a state of India, this means eating the people’s crops. It means that the farmers who, for a generation or more have been easily able to feed their families and export enough to make a reasonable living are suddenly transformed into fighters that must defend their livelihood against a rampaging horde of rats. And really, there’s not a lot they can do about it. A farmer may take on a rat and win, but one farmer versus one thousand rats is much less of a sure thing.
Similarly, you may be able to defend your business against an attacker or two, but when those few attackers suddenly become a coordinated attack from thousands to millions of computers, you’re pretty much not going to win.
Distributed Denial Of Service (DDOS) attacks mostly target larger companies, but as bot nets become more affordable, the likelihood of an attack targeting you goes up. We’ll look at this in more detail tomorrow.
For now, just consider the problem facing the farmers of Mizoram, and think that we don’t even know what diseases these rats might be carrying.
Security lessons from Nature – The Dinochicken
- At March 17, 2009
- By Josh More
- In Natural History
OK, so we don’t have a dinochicken yet, it’s being worked on. I just couldn’t pass up the chance to blog about it.
Building on last year’s moderate success linking a tyrannosaurus rex to a chicken (which, admittedly is being challenged), scientists are attempting to reverse genetically-engineer dinosaurs from chickens. Specifically, they’re trying to produce chickens with teeth (which can happen), longer tails and forearms.
So, what does this have to do with business, other than its being really neat?
Simply put, even if it’s possible to do this, it will be extremely difficult and expensive. They have to identify specific genes, figure out how to turn them on and off, find a series of stages to make the embryos viable (you can’t just hatch a dinosaur from a chicken egg, there’ll need to be steps), and eventually grow them to the point where they can self-reproduce. It’s a whole lot of work. If you wanted a dinosaur, it would have made a lot more sense to not let them go extinct in the first place.
Of course, there’s not much any of us could have done to prevent the extinction of the dinosaurs, but there are certain present-day species that could probably use a bit of help. If they become extinct, they’re gone. Sure, we could try to resurrect them with technology, but we’d lose all of the learned behavior that passes from generation to generation. It would be a lot cheaper and easier to save them now… and we’d do a better job.
The same applies to your internal I.T. projects. As the economy continues to stall out, and companies readjust their spending, stop and consider more than just the immediate costs. If you have a project that is truly wonderful, but is costing a fair amount of money, don’t just kill it. Maybe shift your focus from development towards documentation. Maybe adjust your sales strategy. Maybe sell it to another company. Just don’t let the project die. Recreating it could be far more time consuming and costly than you may like.
After all, you can go extinct after economic recovery just as easily as during.