Big Data: Beware Comfortable Inaction

Former US President John F. Kennedy once said, “There are risks and costs to action, but they are far less than the long-range risks and costs of comfortable inaction.” He was speaking about ways to decrease antagonism among nuclear powers, but I think there’s a lesson in what he said for those of us in the business world as well. Specifically, sometimes things arise that seem risky in the short term; we’re nervous about doing them because of potential short-term risks or disruption to the organization. But when these potential downsides are weighed against the status quo (i.e., the “comfortable inaction” Kennedy was talking about), taking the short-term risk might very well be the more optimal path when viewed over a longer horizon.

This can be seen very acutely when it comes to adoption of new technologies. New technologies have the potential to be transformative to the organization—in both positive and negative ways. Positive benefits vary depending on the technology, but possible negative impacts could be disruption to business operations, potential erosion of the value of existing technology investments (for example, adopting a new technology would decrease the value of what we have in place now), and potential new technical risks as “kinks” are ironed out of the technology and organizations figure out how to safeguard usage of it.

Despite all this, pulling the trigger and adopting a new technology is often still the optimal path. Consider two hypothetical organizations competing in the same niche market. One organization implements a change that enables it to produce goods faster at lower cost; the other decides that it cannot or will not implement that same change because the short-term risks are too high. What are the logical consequences should the first organization adopt successfully?

Clearly, the organization that realized potential benefits becomes more competitive: it can satisfy more of the market, has the option to reduce price given the lower overhead, and can potentially focus attention and resources on other areas. In short, it has an edge. Even if the change carries with it some degree of potential risk initially, the potential upside trivializes the short-term downside risks by comparison.

The point I’m making here is that looking solely at the technical risks associated with a particular change misses a huge part of the equation. In evaluating the holistic risk to our organizations and making recommendations, we absolutely need to consider risks that may be introduced through adoption of new technologies, but we need to consider the risks of inaction as well. Nowhere is this more true than when it comes to Big Data analytics.

Big Data analytics is the use of advanced analytics techniques to operate on large sets of business data. This could be data derived from existing business processes and tools, data that exist independently of the organization such as social media, or new sources of data entirely. For many in the ISACA community, we know this can present risks. We know, for example, that there are privacy and security risks that can occur as a result of the adoption of big data analytics; in fact, ISACA has published quite a bit of guidance on exactly these issues. However, to evaluate risk holistically, we need to weigh these risks against the risks to the business should we choose not to adopt and adapt. Do the business gains outweigh the technical and other risks? Do the risks to competitiveness eclipse in the long term the short-term additional risk we take on? Good questions.

To help organizations answer them, ISACA evaluated Big Data Analytics—along with a number of other business trends—using anew methodology that attempts to objectively score risk and value impacts of business trends. The goal: find a reproducible and systematic way to find out what “megatrends” have the highest value potential in light of possible technical and other risks. Much like measurements such as “signal-to-noise ratio” or “earnings-per-share” provide an objective unit of measurement that organizations can use to inform data-driven decision-making, the goal here was to find a way that organizations can systematically assess and analyze these tough questions.

Of all the trends we investigated, Big Data analytics scored the highest in terms of business value created relative to potential negative risk impact.

Now, obviously every organization is different, so your particular organization may have unique factors that impact either the risk or the value side of that equation. You’ll certainly want to examine that data point through the lens of your particular organization’s needs, circumstances and business context. That said, given that it could be so impactful, it’s almost certainly a good idea to—at a minimum—ensure that strategic discussions are taking place about the role that Big Data analytics has in your organization.

There are some key questions you should be asking about how you might use this to forward your business goals and how your competitors might be using it to gain a competitive edge. We’ve tried to distill down the most critical questions that you might want to ask in our report covering the findings from our analysis, with the hope being to provide one potential framework around which those conversations can be built and those questions can be asked.

Ed Moyle
Director, Emerging Business and Technology, ISACA

[ISACA Now Blog]

Dormant Malicious Code Discovered on Thousands of Websites

On November 3, 2015, ZScaler reported that a Chinese government website hosting the Chuxiong Archives, http://www.cxda[.]gov.cn, had been compromised and contained injected code leading to the Angler Exploit Kit. The report stated that the affected website had appeared to be remediated and cleaned within 24 hours; however, upon scanning the website using our own malicious web content detection system, we discovered that in fact, the website remained compromised. At this time, we advise users to not visit the website in the near future, even though it appears to be clear of malicious code.

Based on our analysis, the malicious code injection on http://www.cxda[.]gov.cn has not been removed, but simply placed in a dormant state. After ZScaler published information regarding this compromise, we continuously scanned and monitored the compromised website, as well as other popular websites and potentially related suspicious targets. What we discovered was that many other websites had been compromised in a similar way, where the malicious code had the ability to be placed by the attacker in a dormant or an active state.

For this article, we chose a few of the additionally discovered compromised sites found by our malicious web content detection system and continued to scan them in high frequency. The following diagram shows the vulnerability status of three of these sites over the duration of a day. The markings on the top portion indicate that the site’s malicious code was active during that time slot while the markings on the bottom portion indicate the site was benign, or dormant, during that time slot.

Figure 1

In what appears to be a technique to evade detection or analysis, the injected malicious code has the ability to hides itself when the user-agent or IP address of the request does not meet specific criteria. Attempts to launch requests from different combinations of IP addresses and user agent strings consistently produced different behaviors (benign vs malicious) depending on what was sent.

During our continuous monitoring for a 24-hour period from November 11, 2015 to November 12, 2015, eight days after the Zscaler report, the Chuxiong Archives website consistently presented malicious content injected by an attacker depending on the source IP and user agent. It is believed that if a user were to visit the compromised website a second time following the initial exposure to the malicious code, the site would recognize the source IP and user-agent and simply remain dormant, not exhibiting any malicious behavior. Because of this anti-analysis/evasion technique, it may easily cause the belief that the threat has been remediated, when in reality, it had not.

At the time of this report, using our malicious web content scanning system, we have already discovered more than four thousands additional, similarly compromised websites globally exhibiting the same ability of being able to be dormant or active depending on source IP and user agent. Investigations regarding this campaign on a larger scale are ongoing and a second report detailing the similarly compromised websites will be published in the near future.

and

[Palo Alto Networks Blog]

English
Exit mobile version