Books 2 Byte
Art of invisibility, between the lines
D. Murali
If you want to know all about hiding encrypted messages in ordinary-looking data files, just read on.
SECRETS are whispered, conversations are too dull, and loud banter is usually worthless. Plain text is normally no challenge, but coded messages, like locked vaults, hold the promise of value. So, routinely, e-mails and files are encrypted and transmitted as confidential communication, but there is a better alternative: Steganography. Your Word package would redline the word as unknown, but this is the old art of `hiding encrypted messages in ordinary-looking data files, making the very existence of the messages practically undetectable'. Well, that is how Finance Ministers throw bombshells of taxes during the course of boring speeches, but Eric Cole explains the whole art of `covert communication' in "Hiding in Plain Sight". Read on:
One of the earliest examples of steganography involved a Greek fellow named Histiaeus. As a prisoner of a rival king, he needed a way to get a secret message to his own army. His solution? Shave the head of a willing slave and tattoo his message. When the slave's hair grew back, off he went to deliver the hidden writing in person.
Today terrorist groups are on the cutting edge of technology. They use computers, the Internet, encryption, and steganography to conduct business. If their cryptography is good, it can take decades to crack. If they use steganography, their transmission of data may go completely undetected. I randomly downloaded 500 images from eBay, and over 150 had data hidden in them. Somebody out there is very busy.
An electronic watermark is an imprint in a document file that you can use to prove authenticity and to minimise the chance of someone counterfeiting the file. Watermarking is used to hide a small amount of information in an image and to do it in a way that doesn't obscure the original document.
Information theft in the US costs approximately $59 billion a year, according to a recent survey by the American Society for Industrial Security, PricewaterhouseCoopers, and the US Chamber of Commerce. The most common types of information stolen are R&D data (49 per cent), private customer information (36 per cent), and financial data (27 per cent).
One vision of the future is something called the Personal Net. In this scenario, we will all manage our own data, communications, and security. No longer will we trust our information and identities to a public Internet, which we already know to be dangerous and lax about security.
Do you see the writing on the wall?
Bake in, not paint on
Your company may not be world-class, but does that have to stop you from having a world-class digital security system? Such a system would have security `baked in', not just `painted on'. And, according to "Defending the Digital Frontier: A Security Agenda" by Mark W. Doll, Sajay Rai and Jose Granado of E&Y, your system should have six characteristics: Aligned (with overall objectives), enterprise-wide, continuous, proactive, validated and formal. The authors introduce the `Restrict, Run and Recover' model to detect, and react effectively to, intrusions, because digital threats know no borders and honour no limits. A sampler of security:
Confidentiality, integrity, and availability (CIA) are the most basic premises of information protection and therefore, are the central tenets of any digital security program.
Any comprehensive digital security program must satisfy three critical mandates: It must enable the organisation to protect and monitor access to systems and data; it must enable the organisation to operate at the highest level of productivity while enhancing performance to the degree possible; and it must enable the organisation to sustain an attack, absorb the impact, and regain full functionality, and do so within a time-sensitive context.
Knowing that everyone accessing a system is there by invitation or permission is necessary because threats and vulnerabilities can appear with little warning. When systems administrators know who is accessing a system and have defined what is normal behaviour for that system, they are better able to determine when something is not right, and better able to determine if an anomaly should be elevated to the status of a potential security incident.
2002's top 10 digital security threat vectors are: Digital infrastructure attacks, attack propagation, patch timing, evading radar, distributed tools, dynamic payload, multipurpose tools, anti-footprint techniques, wireless technology and mobile devices.
Security counter-measures must be taught on a need-to-know basis. Everyone in the organisation must learn basic logon procedures in order to be functional; everyone does not have to know what monitoring software is in place, where the surveillance cameras are, or that entrance to the executive-level floor requires biometric authorisation.
A book that can help in drawing the agenda.
Between Scylla and Charybdis
The path to the corporate graveyard is laid with well-crafted strategies, and the cause of death, usually, is the chasm between the plan and the implementation. Why do so many well-intentioned businesses fail at bridging the divide? This is the question that the book "The Strategy Gap" by Michael Coveney, Dennis Ganster, Brian Hartlen and Dave King of Comshare seeks to answer. The authors suggest a process to effectively execute strategy by integrating best practices for corporate performance measurement (CPM) techniques with state-of-the-art information technologies. There's more:
Enterprise Resource Planning (ERP) is the wrong vehicle for implementing strategic plans just as a farm tractor is the wrong vehicle for taking a family on vacation. The main reasons are the complexity of these systems for users and their closed architectures, which make it difficult to integrate non-ERP data. All ERP systems are focussed on transactions, not strategy. The very reason why traditional planning, budgeting, forecasting, and reporting systems fail.
Financial myopia is not the only problem plaguing many of today's performance measurement systems in operation. Measurement overload and measurement obliquity are also major problems. It is not uncommon to find companies proudly announcing that they are tracking 200 or more measures at the corporate level. It is hard to imagine trying to drive a car with 200 dials on the dashboard.
Multidimensional databases were developed to overcome the limitations of relational databases. These store data in `cubes' that combine the various business dimensions of an organisation.
There are fundamentally two ways to increase your competitive advantage: lower costs or increase differentiation. Any analytical application that increases understanding of costs, products, or services is a strategic application, one that increases a company's competitive advantage.
Executives and organisations that develop and demonstrate strategic (financial and non-financial) thinking, understand how to apply technology to impact the organisation's strategy, and add value and communicate that value to shareholders will be able to bridge the gap from strategy to execution.
Otherwise, it would simply be the execution of the firm.
(Books courtesy: Wiley www.wiley.com)
Please e-mail us on the latest IT books you have read at Books2Byte@hotmail.com