Protecting the Fish Pond: Lessons in Information Security from the Back Yard | InfoSec Perception

Former student, good friend and brilliant colleague Jan Buitron, MSIA, CISSP, MCSE tells us a whimsical tale with lessons for us in the security field. Everything that follows is Jan’s work with minor edits by Mich.

It was a big project for a homeowner. My friend set out to design, dig and decorate a fish pond out in her back yard. She dug the pond by hand, with her mother directing her in how to construct up from the bottom depth and sculpt the sides of the pond. She went to local rock and building supply stores to find just the right rocks to decorate the pond’s margins. Careful planning went into designing the plant-scaping of the pond. Shorter plants were set around the pond’s edges and, since they wanted the pond to attract birds, they made especially sure that there was at least one shallow area where the local birds could bathe easily.

They deliberately built deep areas into the pond, because the winters in the area can be quite cold, with temperatures at freezing and below for weeks at a time. The pond owner wanted the fish to overwinter in the pond, so the deeper areas allowed a place for the fish to avoid the colder upper waters. The deepest areas measured between four and a half to five feet.

I was close by at the time and watched the project progress, from first shovelful to adding the finishing touches such as floating night lights and landscaping with carefully selected rocks and rosebushes. And I had the privilege of attending their first-ever “Pond Party” where everyone was invited to bring not a covered dish, but a live fish to add to the pond, for colour and population.

Once the project was complete, the pond was a centrepiece in the yard, a haven of life, sound and colour, with the soothing sound of the waterfall cascading into the pond and the bright flashes of orange, black and white from the goldfish and koi living in its waters.

But, even a backyard project like a fish pond would have benefitted from a risk assessment and the advice of an experienced pond builder who fully understood the risks and vulnerabilities of having a fish pond in the yard.

My friend knew the problems of having dogs in the area, since two of her acquaintances owned Labrador retrievers that loved to leap into the pond on sight. However, there were additional, unplanned risks that eventually surfaced just over four years later.

It was the long Fourth of July Weekend. My friend had taken her boyfriend and dog to go camping in the mountains; they left on Friday night. I lived in her house part-time, and had decided to stay in her house part of the weekend to keep an eye on the place, arriving on Saturday afternoon.

On Sunday, the next morning, I went into the kitchen shortly after seven o’clock a.m. to prepare a pot of coffee. As I leaned toward the window overlooking the pond, I saw a huge set of wings flapping slowly next to the pond. A massive great blue heron rose elegantly into the air and flew away. His wingspan was at least five feet. I was thrilled for half a second, but my thrill melted into abject horror when I realized that he had been actively pursuing the fish in the pond! Feeling a little queasy, I delayed going out to take a look at the pond, fearing what I would see and knowing that I couldn’t do anything if any fish were gone.

Finally, when I went to check the pond with a gnawing ache in the pit of my stomach, the only fish that appeared to be left in the pond were the two large koi named Midge and Matsui. If I have ever seen fish that look frightened, those two looked terrified. The koi are larger fish, so I surmised they might have survived more easily, due to their size. The smaller fish were gone, all of them. I was saddened for the entire day.

* * *

From an information assurance prospective, the pond was built without a thorough risk assessment. While the original pond advisor had some great ideas, not all of the risks had been factored in when building the pond. A professional pond installer might have advised installing anti-heron fences, or motion-sensing water spray devices that scare cranes and herons away from fish ponds. (If one searches for videos about herons raiding fish ponds, there are some hilarious videos of failed fish pond protections. Apparently, herons regularly scope out an area for ponds and open water and are always ready to ‘dive in’ at an opportune moment.)

Thus, a pond-risk-assessor would have advised building the pond with more hardened, protective coves for fish to hide from predators. This all could have been arranged after a complete, knowledge-backed pond risk assessment.

This is how it should be in information technology. An information system should be evaluated up-front before build out. Experienced information assurance professionals should be called in to sit down with business and process owners, the systems should be evaluated regarding the most critical components and protected accordingly. And, as in our fish-pond example, system owners do not always have a full picture of the risks involved in operating an information system. Without a, ah, full-scale risk assessment, critical risks could be overlooked with disastrous results.

There was one inadvertent protection that my friend had that worked to shield the pond from previous heron attacks . . . her dog. The fact that the dog went outdoors and spent time around the pond was duly noted by the ever-watchful herons.

One last mention, about five weeks after the great blue heron visited my friend’s pond, I got an excited phone call. My friend breathlessly told me that the goldfish had appeared in the pond! All of them!! Apparently experts at self-preservation, the goldfish and smaller fish had dived down to the deepest area in the pond (over four feet), and stayed there for over five weeks, waiting for the all clear. And sure enough, there they were, unharmed and freely enjoying their pond environment.

Hmmmm, maybe that’s a way to protect data, too . . . data that protects itself by diving into a deep cryptographic pool when attacked; but that’s another article.

* * *

Jan Buitron took her first computer class in 1989, launching a long career in Information Technology.  Starting in Technical Support, she methodically progressed from providing level 1 to providing level 5 support and beyond. She relentlessly pursued industry certifications, starting with two full Microsoft MCSE certifications, along with CompTIA’s Network +. She attained the CISSP in 3.5 months. Most recently, she passed the ITIL v3 and CISM exams.

During seven years at IBM, she was introduced to information assurance as an Access Control administrator. Continuing her IA career, she participated in a Security Operations Center there, as well. Her experiences there prompted her to pursue a Master’s Degree in Information Assurance (MSIA) from Norwich University, which she finished in 2009.  She has since worked in IA for six different government agencies and the DoD

Jan currently teaches for Regis University as adjunct professor in their Masters of Science Information Assurance Program, teaching classes such as Information Security in the Enterprise and Computer Forensics.

She is an accomplished writer, with several articles in Network World.  She wrote the soon to be published chapter covering security and privacy concerns in social networking for the 6th edition of the Computer Security Handbook, (Wiley). Her near-term plans include a PhD in Information Assurance.