Security Pros Should Get Into The Cloud in 2011

ReadWriteWeb has a short but peppy write-up on 2011 resolutions for SMBs to get serious about security.  The standard AV/endpoint topics are discussed, but also the need to get serious about cloud computing.  In a recent Global Information Security Workforce Study done by (ISC)2 and Frost & Sullivan, 73% of surveyed (ISC)2 professionals believe that new skills are needed to meet the demands of the cloud computing space.

Some security professionals may choose to fight the cloud by simply waving a hand and proclaiming that it is not secure.  In the SMB space not every company handles PCI data, and many do not handle PII data that requires special treatment under the law.  The cloud makes sense for companies that are constrained by cash flow or capital budgeting.  For example, a company that operates an 8×5 IT shop may be able to have security and uptime monitored 24×7 by moving into a cloud solution.  This would be cheaper than a 24×7 local staff and the additional capital expenditure for monitoring tools.  Saving money for any company is a good thing.  That allows more money for raises and bonuses, which everyone likes. 

What should security professionals do to prepare for the cloud in 2011?

  • Learn about the cloud
    • Take at least one technical class about cloud computing technology
    • Take at least one business class that will help you with understanding ROI promised by the cloud
    • Collaborate with other security professionals regarding their experiences
  • Work with business leaders to embrace the cloud
    • Talk to your CFO or Controller about cost savings the cloud can bring
    • Concentrate on areas that make business sense. Not everything has to go in the cloud, nor should it
    • Illustrate the risks and benefits of moving to the cloud for those systems
    • The CEO should have the final say on any course of action; be a trusted advisor.


Security professionals should provide the expertise needed for the business to succeed.  Under ISO 27001 top management should determine and sign off on the acceptable amount of risk for the company.  At the end of the day this rests with the CEO or President, who is advised by the CISO, CFO, BizDev, and other leaders. 

How The Rich Create Jobs

After hearing a caller on Sean Hannity’s show profess that the rich never create jobs, I began to think about how this applies to the younger generation.  Being born into Generation X gives one an interesting vantage point.  We were born after the Baby Boomers and entered the work force knowing that layoffs are normal. The working relationship is no longer about loyalty, but to the benefit of the worker or the employer.  According to a friend who works in HR the mentality has gone from working for one or two companies for life to the average Generation X worker staying at one job for 5 years and upwardly mobile workers only staying for 2 years or less.  This frustrates Baby Boomer executives who expect people to stay under their hire for 10-15 years. If Generation X frustrates the Baby Boomers, what does Generation Y do?

One of the biggest problems that HR executives have encountered with Generation Y is that they don’t want a job.  At first one may think that they are bigger slackers than GenX who defined modern slacking.  Actually this is not the case.  The biggest problem facing HR executives is that GenY has entered the professional workforce as freelancers while still in college.  A large number of these young ambitious people already have Limited Liability Companies or Corporations they’ve started while in college.  One complaint that HR executives hear is that taking a full time job means only 2 weeks of vacation and you have to show up for work every day even if there is no real work to do.  GenY wants to be able to take 6 weeks off at a time if there is no work to do.

For those who have not experienced the bureaucracy of an extremely large company, it is possible for there to be no work for anyone to do.  If you’re a software engineer you can’t start work on a project until sales has settled on a price with the customer.  That can take 2-4 weeks.  Then the lawyers take another 2-4 weeks to agree on the contract.  Then purchasing has to buy the equipment for the project, which has its own sales and legal cycle.  During that time there is nothing for the workforce to do because you don’t have a customer to bill the work to, or you don’t have the equipment to actually do the work.

The end result is that getting a job for GenY means not taking a salaried position with a company full time, but working for themselves.  If they don’t “get a job” then how do the rich fit into this?  That’s the next stop in our education about how the world works today. 

Angel Investors are individual rich people who invest their own money into other people’s businesses.  Venture Capitalists on the other hand are companies who manage a pool of money and invest into companies.  Usually that pool of money is from a group of individual angel investors.  These are the rich people that create the jobs for GenY.  Angel investors can contribute a small amount in the four digits all the way up in to the tens of millions of dollars.  If you ask a friend or relative to buy a portion of your lawn service or convenience store, they are an angel investor.  Many people in GenX and GenY whom I have worked with on launching their business ask the question early on, “Who can we find to give us money and how much can we sell our idea for?” 

For example, let’s look at advertising firm trueAnthem.  I picked them because they were the most recently listed in CrunchBase, a database of start-up companies that tracks investment and other facts.  They received $2 million in angel funding on 7/28/08.  They have 10 employees.  If they pay each employee $50,000 per year, they can afford to pay salaries for 2 years and still have $1 million left over for office rent and other expenses, assuming they make no money.  They managed to survive long enough to receive another $2.88 million in Series A financing at the end of 2010.

What happened here is a rich person gave someone a job by providing $2 million in start-up capital, who then hired several employees.  In the world of GenY, to say that a rich person never gave you a job is inaccurate. The average person may believe that because a wealthy person did not hire them directly they did not get a job from a rich person.  Once you follow the money trail it usually leads back to someone with extra money to spare.   In a future article I will cover why taking money from a rich person for a job is better than going to the SBA or your local bank to get a loan.

The Danger of Over-Classifying

Information security professionals can learn a lot from WikiLeaks.  It seems that there are always new lessons available to us every day.  One topic that came to light early in the release of the cables was that most of the information seemed rather trivial, which made it difficult to see why politicians were so upset over the incident. 

The Center for Public Integrity has an excellent piece on examples of over-classifying data that is in fact trivial.  According to the Information Security Oversight Office report, the government spent $8.8 billion on safeguarding classified information.

“Over-classification is not in the interest of the government,” said Bosanko. “Finite resources are best deployed when they are focused on the information that truly requires protection.”

Over-classification is a problem that creates inefficiencies, weakens accountability, and financially weakens an organization.  Some security professionals believe that security for the sake of security defines what security is.  This may be done to create perceived job security or because the individual believes it is the right thing to do.  Sometimes there is a temptation to label all data as the most important and critical for simplicity.  In the end this creates unnecessary expense in both equipment and personnel resources.  The proper thing for all security professionals to do is to deliver a customized solution that suits the customer’s or employer’s needs.

Security professionals should be aware of the organization’s operating objectives.  In an economic downturn this may mean under protecting some assets in favor of deploying finite resources to protect the organization’s critical areas.  Even in good times the security professional should accept that all businesses exist to provide benefits to the shareholders.  This includes government because the taxpayers are the equivalent of shareholders.

The security professional should be prepared to interact with various business unit heads to get their view of what is important.  Each department head or staff member will have their own opinions and these should be collected for senior management review.  Senior management, with the assistance of the security professional, will determine the appropriate level of protection needed for the organization’s data.  This may be driven by the sensitivity of the data, or it may be a financially driven decision where a total budget number is given and the organization must find a way to secure only the most critical information.

Under the ISO 27001 standard, "top management" should be involved in the security and risk decisions made by the organization.  The security professional should work with top management to find the best solution that suits the organization in terms of both costs and efficiency. Security professionals can increase their visibility and bring value to their organizations through partnering with upper management.

RINO Class Action Lawsuit Deadline


The environmental remediation company RINO International Corporation has been delisted due to some questionable business practices.  RINO had a recent peak of around $20 near the beginning of November and has dropped like a rock since then.  If you were an owner of RINO between May 28, 2008 and Nov 17, 2010 you have until January 14, 2011 to get in on the action.   The class action alleges:

  1. That the Company did not enter into at least two customer contracts and 20-40% of the Company’s other contracts had problems for which it reported revenues during its 2008 and 2009 fiscal years
  2. That the Company’s reported revenues for fiscal year 2009 to the SEC that were inflated by 94%
  3. That the Company’s management was draining cash from the Company for its own business and personal uses
  4. That the Company lacked adequate internal and financial controls
  5. That, as a result of the foregoing, the Company’s financial results were materially false and misleading at all relevant times.

If you are a shareholder who purchased RINO securities during the Class Period, you have until January 14, 2011 to ask the Court to appoint you as lead plaintiff for the class. A copy of the complaint can be obtained at www.pomerantzlaw.com. To discuss this action, contact Rachelle R. Boyle at rrboyle@pomlaw.com or 888.476.6529 (or 888.4-POMLAW), toll free. Those who inquire by e-mail are encouraged to include their mailing address and telephone number.

This is a serious blow to the environmental movement since RINO was one of the companies that makes equipment to reduce pollution from industrial processes.  If the first issue is true, then RINO was doing a lot less for the environment than they were leading shareholders to believe.

We were bullish on the stock earlier in the year and had identified several limited gain/risk strategies. We had used a 13/12 Bull Put Vertical in October to cash in on an upward movement of the stock.  Our max loss would have been limited to $100 per contract had RINO gone against us.  Imagine going from $20/share down to $2.  Having an exit strategy using stop loss orders or put options is essential when bad news breaks.  Using option credit spreads allows you to exit the stock each month while still collecting premium.

China Biofuel Pull Back

China Integrated Energy appears to be on a decline.  The chart shows several technical reasons to be bearish. 

  • The stock is making lower highs and lower lows.
  • Persons Proprietary Signal has given us a sell indicator along with an impending crossover
  • MACD is also showing lower highs and lower lows.  It is about to crossover.
  • StochasticSlow has lower highs and lower lows. It is about to crossover.
  • RSI Wilder has lower highs and lower lows.  The past two days are declining.
  • MoneyFlow has lower highs and lower lows.  The past 3 days are declining.  This means money is continuing to move out of this stock.


The Linear Regression Channel shows a mean price of 7.87 and a top/bottom of 11.20/4.54. The channel is also down trending.  Prices should gravitate toward the mean of the channel.  Close to the outer edges means the stock is very expensive or very cheap in relation to the mean. 

CBEH doesn’t appear to be available for short selling.  One approach is to use options.  While it is possible to go buy a FEB 7.50 put, the cost of the put can be lowered by selling a FEB 5.00 put against it.  This may be a reasonable strategy since the lower regression line is at 4.54.  The strategy allows flexibility for legging out of the trade by selling the long FEB 7.50 and holding the FEB 5.00.  There is also an opportunity to sell the FEB 7.50 and accept assignment at 5.00/share on the short put if it is barely ITM.  There does appear to be some support around the 6.05 low, so getting an options assignment may not be an issue.


Copy & Paste into Think or Swim: BUY +5 VERTICAL CBEH 100 FEB 11 7.5/5 PUT @.60 LMT
Break Even Stock Price: 6.90
Max Profit: 950
Max Loss: 300

Long term CBEH might be a worthwhile stock to hold.  The balance sheet shows increasing total assets and decreasing liabilities.  The income statement also shows an increase in Total Net Income and EPS.  The complete 2009 Annual Report will have even more information to research.  At 4.54 this could be worth getting into for a few weeks or months.

[Chart: CBEH stock chart, 2010-12-23]

Ethanol Protectionism Not A Bad Thing

Harry de Gorter and Jerry Taylor have written a nice piece on the need to let ethanol protectionism expire.  There is a current subsidy of 45 cents per gallon and an import tariff of 54 cents per gallon.  Even Al Gore admits that ethanol is not what we had hoped for. 


The House passed HR 4853 on December 17 and it was signed by President Obama that day.

  • Section 701 extends the $1 per gallon tax credit through 2011 and also adds a credit for diesel fuel made from biomass.
  • Section 704 excludes black liquor ethanol from tax credits
  • Section 708 extends the subsidies and tariffs on ethanol until 1/1/2012.
  • Section 711 extends tax credits to alternative fuel vehicle refueling property placed into service after 12/31/2010


Since we know ethanol producers will be receiving special treatment from the government, we can try to use that information for our own purposes.  We know that some of these ethanol producers will not be going out of business immediately, but are they a good place to park your money?  The ethanol industry has been lobbying for subsidies because they are not operating from a position of strength.  On 12/20/2010 these might see a rise in price because of the news.  Green Plains Renewable Energy bounced off its lower Bollinger Band and has started to move upwards toward the upper band at around 11.50.  Green Plains managed to post 19.79M in earnings in FY2009.   Green Plains might be worth considering if it breaks out into an upward trend after being in a tight range since dropping off in early November.

Pacific Ethanol Inc on the other hand posted a net income around –300M.  The chart also shows the downward trend continuing after the gap up. Pacific Ethanol and the other companies in this space look like good short sell opportunities since they are still in a downward trend.

China Integrated Energy is not in the US and not affected by the subsidies or tariffs.  They have a nice balance sheet and a very nice PEG Ratio of 0.28.  For some reason the Chinese manage to stay ahead of the US in terms of alternative fuel production.

In an ideal libertarian world there would be no subsidies or tariffs and the people would keep more of their money, rather than have it distributed to other parties.  I am not questioning the wisdom behind extending the subsidies for ethanol producers. If we disagree with what the government does with our tax money, we have the option of taking action that makes us whole again.

The clever combatant imposes his will on the enemy, but does not allow the enemy’s will to be imposed on him. – Sun Tzu

Green Plains Renewable Energy Inc

[Chart: GPRE stock chart, 2010-12-19]

BioFuel Energy Corp

[Chart: BIOF stock chart, 2010-12-19]

Pacific Ethanol Inc

Earnings:  -308.15 M

[Chart: PEIX stock chart, 2010-12-19]

Rex American Resources Corp

Downward channel.  Stay away until it turns up or go for a short sell at the top of the channel.

[Chart: REX stock chart, 2010-12-19]

China Integrated Energy

Broken out of the downward trend.  Potential entry point if it holds.

[Chart: CBEH stock chart, 2010-12-19]

As always do your own research.  These examples are educational tools used to teach chart reading.  Other evaluations should seriously be considered before buying or selling any investment.

DLP and ERM Sought By Military

In our last set of trade ideas, Trading on Fear with WikiLeaks, we had picked a few equities in the DLP and ERM space that might be interesting plays for the government sector.  Currently the military is using something called Host Based Security System for endpoint protection.  Apparently HBSS is a McAfee product that may have been slightly customized.  The contract for endpoint protection was awarded in 2006, so it is understandable that they are looking for better solutions.  There is a deployment of Bivio Networks appliances for Deep Packet Inspection (DPI) at certain sensitive locations on the network.  Clearly the military is moving in the right direction and it is logical that they will eventually purchase some form of host based DLP agent.  When the request for bid proposals is released our picks might be a growth opportunity.  Other governments will also be seeking to secure themselves against any leaks in the future, so this can present itself as a growth opportunity as well.   Bivio Networks is privately held; however, they are partially owned by Goldman Sachs (GS).  Much like buying Intel to get exposure to McAfee, buying some of the big finance houses is a way to get exposure to the security space while being fairly diversified.

Military Implements Removable Media Policies

The military has implemented a new policy stating removable media cannot be used on SIPRNET computers.  While this may seem like a good thing, the implementation may be lacking.  The private sector has warned of the exposure caused by removable media for years.  From a practical standpoint, banning all removable media is nothing more than a good sounding idea.

“Users will experience difficulty with transferring data for operational needs which could impede timeliness on mission execution,” the document admits. But “military personnel who do not comply … may be punished under Article 92 of the Uniformed Code of Military Justice.” Article 92 is the armed forces’ regulation covering failure to obey orders and dereliction of duty, and it stipulates that violators “shall be punished as a court-martial may direct.”

The military understands that efficiency will be impacted by their decision and they appear to be sticking by their guns on disciplining anyone who disobeys orders.  The key point here is a loss of efficiency via this policy. Private sector businesses rely on efficiency to maintain profitability.  Before implementing such a policy at your business, it is important to determine if it is the right thing to do.  The CFO is going to be interested in the impact any proposed policy has on the bottom line.  The loss of efficiency is something that will have to be weighed against security.  Based on the content of the Wired.com article it appears that no preventive technological controls are going to be used, otherwise punishing soldiers with a court-martial would not be mentioned.  The best solution would be to use technology to disable removable media as a supplement to the policy.  Policies that depend on the honesty of the workforce are seldom successful.  The anonymous sources in the article that intend to keep using removable media show that policies alone do not equal security.

Trading on Fear with WikiLeaks

In a previous post I had discussed how security professionals can benefit from WikiLeaks.  Today we will take a look at how the security industry can benefit from WikiLeaks.  Physical security procedures can help prevent sensitive data from leaving a secure facility; however, tracking and auditing your data is equally important.  The category of software that can help us out in this case is called Data Loss Prevention (DLP).  Most of these solutions involve a discovery component that finds all of your files on servers and workstations/laptops.  This is useful provided you know what you have and who should have it.  For example, the spreadsheet with employee salaries should probably be in payroll and HR only.  If someone in engineering has the complete list, that is probably a bad thing.  Government organizations can benefit from this more easily since workers are given security clearances; checking the document contents for a security classification, then matching it against a worker profile, can be a quick way of checking for leaks.  This does not prevent personnel with access to the data from misusing it.  Some DLP products work by monitoring files traveling across the network for content that has been flagged by an administrator. Copying files to removable media or printing can also be flagged for an alert.
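A small illustration of the two DLP checks described above, and of the removable-media alert mentioned in the previous post: this is an added example, not code from the original post or from any DLP vendor. Classification is read from banner markings in the text, flagged content comes from administrator patterns, and the worker profile decides whether holding a file (discovery) or copying it to removable media or a printer (monitoring) should raise a finding. The clearance levels, departments, patterns, worker profiles and sample documents are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Clearance levels in ascending order; the list index is the rank (constructed for this example).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

# Banner markings such as "SECRET//NOFORN". TOP SECRET is listed before SECRET so it is not
# matched as a bare SECRET, and the lookahead stops "SECRETARY" from matching.
MARKING_RE = re.compile(r"\b(TOP SECRET|SECRET|CONFIDENTIAL|UNCLASSIFIED)(?![A-Z])(?://([A-Z,]+))?")

# Content an administrator flagged: a salary listing and SSN-shaped numbers (constructed patterns).
FLAGGED_PATTERNS = {
    "salary-data": re.compile(r"\bsalary\b.*?\$\d{2,3},\d{3}", re.I | re.S),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Departments that may legitimately hold each kind of flagged content (constructed policy).
ALLOWED_DEPARTMENTS = {"salary-data": ("HR", "Payroll"), "ssn": ("HR",)}

# Destinations the monitoring component treats as leak channels.
WATCHED_DESTINATIONS = ("removable", "printer")

@dataclass
class Worker:
    name: str
    clearance: str  # one of LEVELS
    department: str

@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)

def classify(text):
    """Highest banner marking in the text plus its caveats; unmarked text counts as UNCLASSIFIED."""
    rank, caveats = 0, set()
    for m in MARKING_RE.finditer(text):
        rank = max(rank, LEVELS.index(m.group(1)))
        if m.group(2):
            caveats.update(m.group(2).split(","))
    return LEVELS[rank], caveats

def flagged_content(text):
    """Names of the administrator-flagged patterns present in the text."""
    return [name for name, rx in FLAGGED_PATTERNS.items() if rx.search(text)]

def check_file(path, text, holder):
    """Discovery check: does this worker's profile justify holding this file?"""
    finding = Finding(path)
    level, _ = classify(text)
    if LEVELS.index(level) > LEVELS.index(holder.clearance):
        finding.reasons.append(f"{level} document held by {holder.clearance} clearance")
    for tag in flagged_content(text):
        if holder.department not in ALLOWED_DEPARTMENTS.get(tag, ()):
            finding.reasons.append(f"{tag} content held outside {ALLOWED_DEPARTMENTS.get(tag)}")
    return finding

def check_transfer(path, text, holder, destination):
    """Monitoring check: alert when classified or flagged content goes to removable media or a printer."""
    level, _ = classify(text)
    if destination in WATCHED_DESTINATIONS and (level != "UNCLASSIFIED" or flagged_content(text)):
        return f"ALERT {holder.name} -> {destination}: {path} ({level})"
    return None

# Constructed sample documents and worker profiles.
CABLE = "SECRET//NOFORN\nSUBJECT: embassy staffing notes\n"
SALARIES = "Employee salary report\nAlice $85,000\nBob $92,500\n"
MENU = "UNCLASSIFIED\nCafeteria menu for Friday\n"

HR_CLERK = Worker("hr-clerk", "UNCLASSIFIED", "HR")
ENGINEER = Worker("eng-lead", "UNCLASSIFIED", "Engineering")
ANALYST = Worker("analyst", "SECRET", "Intel")
```

Running check_file("salaries.xlsx", SALARIES, ENGINEER) reports the salary list outside HR and Payroll, while the same file held by HR_CLERK produces no finding; check_transfer("cable.txt", CABLE, ANALYST, "removable") alerts even though the analyst is cleared to read the cable.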

Enterprise Rights Management (ERM) software is similar to the Digital Rights Management (DRM) copy protection that was found on MP3 music in the early days of the iTunes store, and what you find on eBooks from Amazon and other retailers.  ERM can be applied to Microsoft Office documents and email.  It works by encrypting the documents and only decrypting them if an authorized user or computer accesses them.  If someone were to steal an ERM protected document it simply would not open on an unauthorized computer.  It is also possible to restrict documents by department within a company, but that involves fully understanding the complexities of who should have access to what.  ERM can also prevent printing, copy & paste, and print screen if needed.  Several reference customers I have talked to simply set up their ERM to prevent opening their files on computers not owned by the company.  Employees could carry documents on USB drives, but could only access them from company computers.  ERM and DLP might have prevented WikiLeaks from happening.  Oracle has a nice video of an ERM product they acquired.

Most of the companies in the DLP and ERM space are privately held and the larger ones have been absorbed by other companies in the security space.  Oracle & Microsoft are also companies that make many software products other than just their ERM offerings.  Intel acquired McAfee, who also had an ERM product. Most of the examples below are from Gartner’s Magic Quadrant research on the DLP space and have an upward trend in the 50 and 100 SMA.  Will DLP and ERM become an important market in 2011 and will these companies be able to take advantage of increased data loss awareness caused by WikiLeaks?  Traders may want to keep an eye on these companies if DLP or ERM take off.  Well diversified companies such as EMC or Oracle may see some additional revenue from their acquisitions of other companies.

EMC

[Chart: EMC stock chart, 2010-12-06]

SYMC – Symantec

[Chart: SYMC stock chart, 2010-12-06]

WBSN – Websense

[Chart: WBSN stock chart, 2010-12-06]

CHKP – Check Point

[Chart: CHKP stock chart, 2010-12-07]

ORCL – Oracle

[Chart: ORCL stock chart, 2010-12-07]

INTC – Intel

[Chart: INTC stock chart, 2010-12-07]