September 30, 2011 10:54 AM
Posted by: David Scott
I saw an interesting report regarding the Idaho National Laboratory. Established in 1949 or thereabouts, the Lab’s earlier efforts include improvements to the means of combat and defense, such as nuclear propulsion for the Navy and improvements to armor for military combat vehicles.
Today, the lab is further involved in areas that will interest many here, and they include the Homeland Security missions of critical infrastructure protection, defense systems and technology.
Infrastructure and technology: The lab has three cyber centers, which are unmarked for security reasons. It is here that thought leaders, technicians and educators operate at the forward edge of security concepts and implementations. Of particular interest to business are their efforts to secure banking and finance; power (the nation’s, and any region’s, electrical grid); computer networks; and basic communications systems (computer, phone, media, the emergency broadcast system, etc.), along with all collateral systems of support and enablement.
Examples of large liabilities that are considered are such things as an attacker’s mass theft of financial information, thus money, creating chaos in the banking system, and other things such as the potential for the shutting down of power in multiple states.
In one training session, awareness of liabilities was imparted by an instructor who exposed the fact that many chemical plants in the U.S. had control systems that were implemented in the ‘60s and ‘70s… their present condition makes them extremely vulnerable to attack. The lab helps these sorts of entities patch, bolster, and migrate to a better security posture.
In fact, 81 groups from the private sector have asked for the lab’s help in just the past year.
Today, the Department of Homeland Security has what are characterized as “cyber fly teams,” able to respond to major cyber events – similar to other Federal emergency response such as responders who go to flood or tornado ravaged areas to help.
So far this year, these teams have been dispatched to seven cyber events. I recommend a regular visit by business and IT readers to the site. Have a look at their top-right area, “Critical Infrastructure Protection” – and glean what you can for affordable ideas for your environment, in leading and beating threats before they manifest.
Again, that’s the Idaho National Laboratory.
NP: Big Chief, Professor Longhair, jazz24.org
September 29, 2011 8:20 AM
Posted by: David Scott
Staying ahead of threats and potentials is the name of the game today… in the realm of risk, unmanaged possibilities become probabilities. Therefore, manage your security.
Cyber espionage, the unauthorized surveilling of data or outright theft of it, is a problem in virtually every part of the world utilizing computers and harboring electronic content.
However, what’s happening in China is quite another thing… and may even point to what’s coming to the U.S. and elsewhere. I hope not.
Security experts warn travelers to China that contents of smartphones can be ripped off in seconds. “I’ve been told that if you use an iPhone or BlackBerry, everything on it — contacts, calendar, e-mails — can be downloaded in a second. All it takes is someone sitting near you on a subway waiting for you to turn it on, and they’ve got it,” said Kenneth Lieberthal, who is a former senior White House official for Asia.
In the matter of laptops, you must realize that the Chinese government owns all of the networks – making it very easy to monitor and capture everything going in and out of the country. Once you jump onto a transport for e-mailing and web browsing – you may as well assume you’ve been compromised. Many travelers to China have resorted to disposable phones and rented laptops – free of any sensitive data. Other folks store data on thumb drives, and only use that data on stand-alone computers, completely offline.
And yet, China’s embassy spokesman, Wang Baodong, says, “It’s advisable for all international travelers to take due precautions with their computers and cellphones. China is not less insecure than other countries.” I do think he meant to say ‘China is not less secure than other countries’… but the former may indeed be true.
Equal concern for networks and corporate data back home is evidenced by a 2008 incident where Chinese malware was inserted into visitors’ cellphones by remote means. The cellphones were then carried home, and subsequently infected servers in the U.S. Thus, there is enormous potential for danger of compromise to all manner of environments. Amazingly, but perhaps not surprisingly, intrusions have been discovered at the State Department and Defense Department, and those intrusions are alleged to have been from China.
When traveling, consider using a rented laptop devoid of sensitive info. Work offline with discreet data stored on thumbs. Consider a rented phone.
If you don’t feel you have particularly sensitive data on your own devices, feel free to take your chances. However, for corporate business travelers, be certain to protect your patents, ideas, and information.
And, it’s not just China that presents risks. For U.S. readers, I would advise that any travel outside the U.S. be done with circumspection.
On this day (Sep. 29th): Scotland Yard is formed in London in 1829.
September 28, 2011 10:31 AM
Posted by: David Scott
A colleague recently made a cogent argument for timely – in fact immediate – application of all suggested updates as they pop up on various devices; desktops, laptops, smart phones, etc. He examines it from a security perspective, being that many of these updates address security issues. A week doesn’t go by that I don’t get at least one “recommended update” or another on my laptop from various software providers.
The colleague is not a fan of the “Remind Me Later” option/button – he claims that it’s “the most dangerous button you can push” (hmmm… my vote might go to the “Delete Permanently” option…). He likens “Remind Me Later” to discovery that your home alarm is broken, and then deciding to post a reminder to your calendar to look at it later. Another (false) analogy he uses is: Leaving your car unlocked, and asking someone to remind you later to go back and lock it. More on his analogies in a bit…
However, it’s now well-established that hackers and crafters of malware are providing their own “update” notifications: Spoofs of legitimate updates that, upon acceptance, install viruses, keystroke monitors, collection of authentication info, website tracking, information relays, and other nefarious things you most definitely want no part of. Further, they employ various tricks in “legitimizing” the look and feel of their activities – one of which is an actual “Remind Me Later” option, figuring you’ll accept it at some point.
A little examination may be in order before reflexively clicking that “OK,” “Install,” or “Update Now” button. Look the popup over carefully: Its aesthetics (does it look typical? If you’re able to remember the last update, that is); the way it’s worded; and further, is it an update that corresponds to your environment (that is, is it for something you’re actually running)? If you receive an Adobe update, and you don’t have Adobe in your environment – don’t install.
Another consideration: Oftentimes updates will create a conflict between the updated application, and another one. There is published documentation of known problems and conflicts between resources, and frequently there is published counsel to forgo a particular update, because another non-conflicting one is due to be released by the software publisher, applications developer, plug-in provider, etc.
A really savvy user will know certain schedules. For example, if receiving a Microsoft operating system update, it would be useful to know if MS was actually sending one out. Googling around for this type of info can help. There are also some great message boards that discuss this topic, and subscription can yield solid info and protections.
But here’s today’s take-away for you: Just because you don’t update an element immediately doesn’t mean you’re completely unprotected (such as leaving your car doors unlocked, or home unsecured). Security elements are still in your environment, running, and protecting: A good provider will LEAD threats, so that you may indeed have a little room for a “Remind Me Later” – particularly if you suspect an update might be a spoof; a threat masquerading as a legit update.
When all is said and done, any specific user, and any specific organization, has to make its own decisions regarding notifications of updates. You’re tasked to know your environment better than anyone.
But keep in mind that “Remind Me Later” can be a legitimate buffer as you research and vet an update notification. It’s not just a procrastination tool.
NP: Soul Bird, Cal Tjader, jazz24.org
September 27, 2011 7:51 AM
Posted by: David Scott
Should we migrate to the Cloud? I hear this question frequently, particularly from small and mid-sized business.
Cloud solutions can provide robust, internet-based, IT solutions absent the need for heavy capital investments in infrastructure. Too, there is the ability to scale according to business growth and change: necessity for new storage capacities and scales of processing; perhaps demands from personnel for sophistication in the handling of systems’ related process – things the organization may lack, and which the Cloud provider can offer.
Of course, the question must be asked: What of security? Anything in the Cloud is not within the “four walls” of the organization. (An org may, of course, have multiple locations – but here the “four walls” concept is a metaphor, vis-à-vis the fact that data and process are now harbored outside any direct physical location of the organization).
One bellwether worth watching is the banking industry. Banks, like any responsible organization, are constantly on the watch for means of enhanced productivity – and here the Cloud has ready offerings. Whether it’s infrastructure savings, operating expenditures savings, or new cloud-based business models, the goal is to best leverage the mix of private, public, and community-based resources that are in the Cloud.
Of course, banking is wary, because of data’s location, and the potential influence on steady availability, and the necessity for rapid recoveries in case of loss or corruption. Data’s integrity, related issues of confidentiality, and means of authentication are also concerns. Banks, and perhaps you too, are leery of outsourcing customer data to third-party Cloud providers and operators.
If you’re considering any measure of move to the Cloud, take a hard look at various providers. Assess their history, client base, and financial stability. Also examine their functionalities and services levels: Look into their ability to integrate data and process across various platforms and through a variety of cloud services.
On this day: Sep. 27, 1905, the first published blues composition goes on sale – W.C. Handy’s “Memphis Blues”
September 25, 2011 11:27 AM
Posted by: David Scott
Many small businesses today are enamored of their technology – whether the possibilities engendered by social networking’s contribution to marketing, or smartphones and their ready tether to the ‘net, with the further grant of ready communication to co-workers, customers, business partners, etc.
But particularly in the case of start-ups, I’ve noticed something: Many young entrepreneurs seemingly have no clue on the successful setup and sustenance of a business: That of determining their market, best serving it, remaining competitive in securing it, and in the crafting of plans and policy that ensure their fledgling organization’s ongoing health and longevity.
It’s not strictly about automation and the ready availability to the world via the ‘net and allied social networking opportunities. Everyone is on the ‘net, in the Cloud, interconnected… but not everyone is a successful entrepreneur, nor are they mounting successful business.
Recognize the financial planning and forecasting that goes into a successful business of any size. Recognize the necessity for founding documents: A valid business charter; a mission statement. Have valid plans: One-year, five-year, disaster recovery, change management, etc. Have valid policies: Content management; privacy, acceptable use, customer service, billing, returns, etc.
Automation and tools are great: but when all is said and done, your business is about people serving people.
Make sure that the people you work with, who may work for you, and with whom you do business (vendors, solutions partners, etc.) understand that you’re delivering value to other people.
Want a great example? Ever try to access customer service at some companies that only provide online assistance – with no real human interaction? Many companies merely refer you through links of information, based on keywords of your particular problem or question.
Even “Live Chat” isn’t the same as a caring customer support rep on the phone.
Don’t let tools, bells, and whistles blur your focus: Get your small business on a solid footing in terms of fundamentals – then accent your possibles and potentials with the right tools.
NP: Decision, Sonny Rollins, jazz24.org
September 20, 2011 2:24 PM
Posted by: David Scott
Business is increasingly sophisticated. Business is routinely conducted twenty-four hours a day, seven days a week. Organizations are increasing their global outreach. Travel no longer means that people are “out-of-the-loop.” As people can stay connected to their work they often find, or at least feel, that they must stay connected. The requirement for effective business and information systems, their proper utilization, and the pressure for the most return possible has never been greater.
As we consider the increasing requirements for immediate access to data, the security of data, the management of data’s content (that is, the treatment of business information as a leveraged advantage), and the growing demand for time in maintaining the highly technical “back-end” of business information systems, we realize that we face an increasing risk to a most important asset. At risk is business information itself – or business intelligence – and its effective management and use. In addition to the business reliance on steady information, we must realize too – whether factory, farm, hospital, distribution point, port, Fortune500 endeavor, volunteer group, sole-proprietorship, etc. – that operations, process, production and delivery are increasingly or completely dependent on technology.
Everyone must gain a thorough understanding for managing the combination of business and technology now, and for what is coming in future burdens. To illumine the problem another way – without a remedy to current inefficiencies, the divides of communication and understanding will compound exponentially during the coming demands of any business-technology environment. With accumulating vulnerabilities, not always readily seen, you can face a very real danger to your continued business existence.
At the same time, whether it be core mission-critical business applications, association management systems, accounting systems, e-mail systems, content management systems, shelf applications, etc., all organizations are challenged to implement, upgrade, or change outright these systems on a periodic basis. There is an ongoing requirement to expand systems’ capabilities for services and deliverables while sustaining support of daily business operations.
The “fruits” of this technology, for example the ability to mine, analyze, and deliver data in providing useful information to Business with accuracy, speed, and efficiency, is not only desirable, it is an absolute necessity. In tandem, you need an attendant, informed, user class that can leverage technical business tools and their output for maximum effect. For organizations of today it is now your business to jump, perform, and deliver with an immediacy that wasn’t necessary ten years ago – or even five.
Organizations also must anticipate and build accommodation for whatever the future of business holds: Changing markets; new products; faster deliveries; improved services, increased competition; and rising security challenges. In the case of governments and aligned agencies (with mutually reinforcing and united missions) there are new and emerging requirements to work together. Their objectives and success in achieving them affect safety and security of entire nations. We can fairly ask: Will government achieve the necessary agility in responding to the accelerative change of threats?
For all of these reasons, we realize that we must emplace a culture that supports ultimate outcomes. In your organization, craft a culture that fosters and encourages open discussion regarding business and technology.
As possible, leave the normal “box” of your routine day, your desktop… step back from the day-to-day and near-term focus: Solicit ideas, listen, speak, and contribute – in maximizing your own, and your organization’s, present use of systems. Be a contributor in securing them, and in progressing them to the best future possible.
NP: Unit 7, Wynton Kelly Trio, jazz24.org
September 19, 2011 5:37 AM
Posted by: David Scott
As regular readers know, I frequently consult with and counsel small-to-medium businesses (SMB). I also work with non-profits, volunteer groups, and sole-proprietorships. A specific warning is coming to the small-to-medium environment, and being that October is National Cyber Security Awareness Month, I wanted to pass it along.
First, “large business” is certainly welcomed to today’s post, but there is a specific warning coming to these smaller environments (in terms of numbers of people, size of budget, sophistication of technical supports; and allied policies). This warning is coming from a rather robust set of agencies: a U.S. House of Representatives committee, as delivered by agents of the Department of Homeland Security, the FBI, and the Secret Service.
The Warning: Large organizations have adopted, and generally evolve, sophisticated protections against breach, theft, and exposure: Therefore, this situation has turned cyber criminals to the softer target of the aforementioned SMBs, non-profits, etc.
Smaller organizations don’t have the same budget, or depth of personnel, to always mount the most sophisticated protections. And, a continuous upgrade path in match to evolving threats is not always sustainable, particularly in periods of slow business.
Of particular target are retail systems and online financial accounts. Even today, many SMBs and related environments are more concerned with the physical security of locks on doors, zones, safes, etc., and many don’t give much of a nod to cyber security. This is a mistake.
As their contribution to National Cyber Security Awareness month, The National Cyber Security Alliance has some good free material online – for students, parents and, in particular, for business. Have a look at their tips, tools and resources.
Microsoft also has some good free resources.
Focus on a variety of areas: You need to protect your employees. Obviously you need to protect, and best serve, your customers, clients, constituents, etc. And overall, you must protect your business. I frequently ask organizations, large and small, “What is your number one asset?” Folks almost invariably answer, “Our people.”
Any organization, whether Fortune500, volunteer group, or sole-proprietorship, has this in common: Their number one asset is their reputation. Lose your org’s reputation, and your people won’t have a place to work.
Mount a pro-active security awareness. Stay safe in October. Stay safe year-round.
September 17, 2011 7:41 AM
Posted by: David Scott
Most organizations most emphatically do not suffer threat of attack from inside. That is, employees are for the most part loyal, educated, and careful. Sure, they gripe, gossip and drag their feet once in a while (I know I did, albeit – ahem – rarely) – but hopefully, on balance, they’re glad to have a job and they’re glad to be working where they’re at.
On the other hand there is always human error with which you must contend: Both its potential and often its manifestation.
At the same time, of course, you must have the full complement of the “technicals” firmly in place: Network (and application) access control systems; firewalls; intrusion prevention/detection; anti-virus tools; and other collateral systems depending on your specific environment.
But these tools alone aren’t a comprehensive defense. A robust, ongoing, employee education program must be firmly in place, with regularized and updated training in match to threats of laxity, unawareness, and potential errors.
According to the Identity Theft Resource Center (ITRC), “insider”-caused breaches are on the rise. To cite one real-world example, Verizon Business recently received the unhappy report that half of all internal breaches were caused by IT administrators. So, no one group should be overlooked by business and IT governance when crafting and delivering requirements for training and care.
Of course, threats can include inappropriate and even illegal behavior, such as inside people breaching and stealing data or resources for financial gain. Too, there is the disgruntled employee out to harm the organization on occasion. In those cases, a formal oversight process by managers and Human Resources should provide a careful track of oversight and care. Here we’re concentrating on a more common threat: Simple human imperfection – that is universal.
Most common is the occasional employee who loses USB storage, or a whole laptop. Perhaps the organization suffers unmonitored and unregulated use of smartphones, whether personal or org, and the employees have inappropriate and sensitive data stored on these devices. Again, loss or theft puts the data and the organization at risk. The potential for pain is enormous: An employee of the U.S. Veterans Affairs department took a laptop home with records of approximately 26 million veterans – and had it stolen out of his home. The exposure was enormous.
Craft and define policy that spells out specifically what your employees can and cannot do with data and devices – to include portable storage (thumb drives, laptops, smartphones, etc.) and what they can do with means of communication (e-mail, phone, web, and so on).
First expose all possibles and contingencies; craft policies and plans that fit your organization like a glove; then build a common sense schedule of employee orientation, training and refreshers.
Also, business and IT leaders must review and adjust security and appropriate use policies in accordance with the overall environment and associated changes. Have that on a regularized schedule of review too, inside the appropriate management team(s).
NP: Waltz for Debbie, Cannonball Adderley and Bill Evans, jazz24.org
September 14, 2011 9:28 AM
Posted by: David Scott
The Washington Times has an interesting article about future combat, and its involvement of cyber warfare (Computer-based Attacks Emerge as Threat of Future, General Warns, Sep. 13, 2011).
General Keith Alexander, commander of the U.S. Cyber Command, warns of electronic strikes, yielding widespread power outages. Too, there is the threat of destruction of physical computers, machines, and allied infrastructure. Of course, the attendant loss of data and power would likely cause mass chaos in large geographic regions, and recoveries would be hampered.
General Alexander is also the director of the National Security Agency. He cites among examples an August 2003 electrical outage caused by the simple act of a tree causing damage to two high-voltage power lines. Software controlling the electrical power grid erroneously entered a “Pause” mode – shutting down power to millions of people across several states.
Amazingly, General Alexander says that cyber attacks are only outranked by nuclear attack or other means of mass destruction. Maybe the General doesn’t want to alarm anyone too badly, but what of Electro-magnetic Pulse (EMP)? EMP pairs perfectly with cyber warfare.
In the case of EMP, a modest nuclear burst over the continental U.S. wouldn’t cause much physical damage – and even nuclear fallout would be modest (comparatively speaking for what’s coming next). But EMP’s destruction would be comprehensive: All power would be removed from general society. All data would be wiped out. All electronic communications, to include computer and phone, would be nonexistent. Emergency actions would be mounted and prioritized strictly on a “line of sight” basis.
No one would be able to summon help – other than through their voice. Large regions would soon run out of food and potable water, as there would be no refrigeration and no water plants able to pump water.
A revisit to the last chapter of I.T. Wars might be in order. The chapter What’s At Stake clearly documents the threats and challenges – and further, suggests what any “local” organization (that is, yours) can do.
It’s worth a thought.
NP: On this day (Sep. 14th) in 1916, Christy Mathewson pitched his final game. He won.