Today, most organizations continue to think of security as an “us” vs. “them” proposition.
Outside breaching entities try to punch their way in to networks, websites, data stores, etc., and we have firewalls, encryption, evolving practices, and so on, to prevent intrusions and thefts.
This mindset no longer serves, and hasn’t for a while. Of course, a long-standing “inside” threat has been that of human error, which can lead to a breach. But there’s more – oh so much more…
Authorities in New York City have busted the largest identity theft ring ever. Members have been charged with stealing the credit card information of thousands of Americans and Europeans over a period of 16 months.
The insider threat here? Many of the stolen credit card numbers were taken by company staff who had access to cardholders’ numbers – people employed at stores, restaurants, banks, etc., using skimming devices. Imagine going out to dinner, paying with your card, and finding all manner of unauthorized charges in the ensuing weeks or months… would you have associated those charges – that breach – with a particular dinner out? Not likely.
But further, for any business, whether restaurant, bank, lawn service – anything – recognize that vetting employees and their honesty now takes on another dimension. Not only do you have to monitor for theft of physical assets or cash at hand, but you must monitor the ethical practices of employees regarding credit, and their use of electronic systems. Many organizations do this, and have for years. Many, many more do not – particularly in the realm of small-to-medium business (SMB).
This particular ID theft ring also specialized in the creation and use of counterfeit credit cards. The counterfeit cards were dispensed to collusive shoppers, who used the cards to purchase high-value items for resale, sometimes over the ‘net.
Recognize too that the ability to replicate magnetic stripes, holographic authenticators, complicated engraving… is becoming more basic and affordable – and that is daunting.
To business, and individuals, I again say: View every activity through a security prism: Assess every activity, and every plan, from a security perspective. Run frequent reports and track accounting very closely.
NP: Cannonball & Coltrane, LP.
Oh oh – it turns out that Facebook has been monitoring and watching members’ internet use: tracking the websites they visit and use.
Facebook is up to about 750 million members – rather mind-boggling when you think about it. It certainly represents a wonderful opportunity to connect; to make “friends.” As a slight aside, I put “friends” in quotes because I’ve always maintained a healthy skepticism about friendships and associations that are purely online; however, I also have solid friends and professional colleagues now whom I’ve never had the pleasure of shaking hands with. I know of others who have met online, and transitioned to “real-world” friendships. But caution is definitely indicated in both the personal and professional realms.
That said, these 750 million members also represent wide opportunities for Facebook. Therefore, I doubt it was an accident that they were not only monitoring, but continuing to monitor, the sites that members visited even after they’d logged out of Facebook.
This represents a privacy breach. The scope? Well, anything that involves 750 million online users is huge. Breaches, thefts, invasions, etc., involving mere 100s of thousands are considered newsworthy, and… large. 750 million? That’s massive. Facebook says it was all a mistake, and that their software “inadvertently” sent user data back to the company. I’m not convinced – are you?
If we were to speculate on a motivation in the realm of deliberate monitoring by Facebook, it would be the ability to reap billions of dollars revenue by virtue of targeted advertising to users (based on browsing history).
If we are to take Facebook at their word, the problem has been fixed and they’ve thanked a tech blogger by the name of Nik Cubrilovic for pointing the monitoring situation out. He was the one who discovered the installation of monitoring ‘cookies’ by Facebook. These cookies still exist, and still send information back to Facebook – but only while you’re logged in to Facebook (again, taking their word for this). Supposedly the cookies do not transmit info after you’ve logged out.
The cookies can be manually deleted. However, I don’t presently know if they are installed anew upon next login to Facebook, or if the cookies are only delivered and installed upon initial sign-up to Facebook. I’d be interested in hearing your thoughts, and as to whether anyone knows if a manual delete of cookies will clear the problem of monitoring for subsequent Facebook visits.
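One way to answer the question raised here for any site, as an added example that is not code from the original post: take the Set-Cookie headers the site returns on logout (copied from the browser’s developer tools or a proxy) and list which cookies that response leaves alive. A logout that only clears the session cookies, and lets an identifying cookie keep a far-future expiry, is exactly the situation described above. The cookie names, values and dates below are constructed for the example and are not a claim about any particular site’s cookies.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers standing in for a site's logout response.
# Two session cookies are expired (cleared); two identifying cookies are not.
LOGOUT_SET_COOKIE = [
    "session=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=.site.example",
    "user_id=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=.site.example",
    "browser_id=a1b2c3; expires=Fri, 01 Jan 2100 00:00:00 GMT; path=/; domain=.site.example",
    "last_user=u789; max-age=31536000; path=/; domain=.site.example",
]

# Reference time for the expiry comparison (constructed; use datetime.now(timezone.utc) live).
NOW = datetime(2011, 10, 1, tzinfo=timezone.utc)


def cookie_is_cleared(morsel, now):
    """A Set-Cookie clears a cookie by giving it a past Expires or a Max-Age <= 0."""
    if morsel["max-age"]:
        return int(morsel["max-age"]) <= 0          # Max-Age takes precedence over Expires
    if morsel["expires"]:
        expiry = parsedate_to_datetime(morsel["expires"])
        if expiry.tzinfo is None:                   # older Pythons return naive for some zones
            expiry = expiry.replace(tzinfo=timezone.utc)
        return expiry <= now
    return False  # no expiry at all: a session cookie that lives until the browser closes


def cookies_surviving_logout(set_cookie_headers, now=NOW):
    """Return {name: value} for every cookie the logout response leaves alive."""
    alive = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)                            # parses one Set-Cookie header line
        for name, morsel in jar.items():
            if not cookie_is_cleared(morsel, now):
                alive[name] = morsel.value
    return alive


if __name__ == "__main__":
    for name, value in cookies_surviving_logout(LOGOUT_SET_COOKIE).items():
        print(f"still set after logout: {name}={value}")
```

Run against a real logout response, anything this reports is a cookie the site has chosen to keep on your machine after you signed out; whether its value identifies you is the next thing to check. Deleting those cookies by hand works until the next visit sets them again, which is why the capture is worth repeating after logging back in.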
It’s important to note here, too, that some people don’t mind the monitoring, and want the targeted advertising. However, they should recognize that internet monitoring by outside entities can have downsides… more to follow…
On this day: (Oct. 7th) On this day in 1868, Cornell University opens in Ithaca, NY.
As a consultant, I do most of my calls and writing in my home office. But occasionally I like to work outside the home, and usually journey to my local Starbucks.
A few weeks ago I was working there when I received a jolt (not from the coffee). A popup indicated that I had less than 10% (or thereabouts) of power left on the battery of my nice, new, HP laptop.
It suggested that I plug in if I wanted to continue working. Naturally my eyes tracked along my power cord to the wall outlet… yep, still plugged in.
I did what anyone would do – I pulled the plug and reseated it – still no power to the laptop… my systray battery icon did change to “Plugged in – not charging.” Hmmm.
So, I tried the other outlet on the double-plate. Same thing. I moved to another outlet altogether. No luck. I pulled and reseated the cable at the laptop – still no luck. I tried a reboot – I reseated the battery – everything. Ultimately, I wrapped things up, did a graceful shutdown, and went back to my home office, where a curious thing happened.
Upon bootup, my icon indicated that I was now charging! I was greatly relieved, as I had a lot of work for the day. However, I called HP to report the problem. After some measure of troubleshooting, the tech recommended sending the laptop in for warranty service. They’d send me a shipping box, and I’d have the laptop back in about 7 or 8 days from time of shipment.
I didn’t really want to do that: I do have a backup laptop, and a “whole-drive” backup to an outboard drive – but my other laptop is older, slow, and cranky (you know what I mean). Therefore, I resisted sending in the HP, and decided to monitor the situation.
Next visit to Starbucks, guess what? I was plugged in, and at 100% of battery: However, after about 30 minutes of work, I noticed I was at 92% power – wha…? I again had to wrap up earlier than usual, and come home.
Once again, I began charging immediately upon plug in.
Now here’s where it gets really interesting, and it involves a little nightlight: Upon my next visit to Starbucks, I verified that I was 100% charged – but after logging in to the laptop, I held off signing in to Starbucks’ network (for WiFi access). I went and got my coffee and chatted a bit. Upon return to my table, I was still at 100% power, and the systray icon indicated that I was plugged in. I logged into the network – and guess what? I immediately lost power – my battery began to click down, and my adapter lost its warmth – it went cold. My icon no longer indicated that I was plugged in…
I plugged the nightlight into the same outlet – and it lit.
Now, how is it that my laptop could not get power from an active outlet? A couple of possibilities come to mind. Is Starbucks employing a measure of intelligent power management, and shutting power to laptops? That would require something like the following, and I’m doubtful:
1. A laptop that occupies a wall outlet for some specified time is surveyed by Starbucks’ WiFi system: a machine code or other device ID is captured, and then reported to the intelligent power management system. That system then shuts off the outlet. (Subsequent disengagement, and plug-in of a non-monitored device, returns active power to the outlet).
– Or –
2. There is a characteristic in standard power that must be in place for typical laptop adapters to work. Certain Starbucks locations could filter, alter, or “season” their power with something that creates a confusion, or a protection, in the laptop adapter – and the adapter enters a “protective” mode, and power is not passed to the laptop.
I only know this: I consistently cannot get power for my laptop at my local Starbucks. Each and every time – and it’s only upon access to WiFi. Everywhere else, I have no power problems.
I’d welcome readers’ thoughts on this, and reportage of any similar experiences.
Starbucks – are you listening? I may call Starbucks for comment… but business travelers may want to pack an extra battery… or go to an alternate location like another coffee shop or the public library.
NP: Jimi Hendrix, Axis: Bold As Love, vinyl. Perhaps Hendrix’ most cohesive, best, studio effort.
I saw an interesting report regarding the Idaho National Laboratory. Established in 1949 or thereabouts, the Lab’s earlier efforts include improvements to the means of combat and defense: Such as nuclear propulsion for the Navy, and improvements to armor for military combat vehicles.
Today, the lab is further involved in areas that will interest many here, and they include the Homeland Security missions of critical infrastructure protection, defense systems and technology.
Infrastructure and technology: The lab has three cyber centers, which are unmarked for security reasons. It is here that thought leaders, technicians and educators operate at the forward edge of security concepts and implementations. Of particular concentration, and of interest to business, are their efforts regarding the securing of banking/finance; power (the nation’s, and any region’s, electrical grid); computer networks; and basic communications systems: computer, phone, media, the emergency broadcast system, etc., and all collateral systems of support and enablement.
Examples of the large liabilities under consideration include an attacker’s mass theft of financial information, and thus of money, creating chaos in the banking system, and the potential for shutting down power in multiple states.
In one training session, awareness of liabilities was imparted by an instructor who exposed the fact that many chemical plants in the U.S. had control systems that were implemented in the ‘60s and ‘70s… their present condition makes them extremely vulnerable to attack. The lab helps these sorts of entities patch, bolster, and migrate to a better security posture.
In fact, 81 groups from the private sector have asked for the lab’s help in just the past year.
Today, the Department of Homeland Security has what are characterized as “cyber fly teams,” able to respond to major cyber events – similar to other Federal emergency response such as responders who go to flood or tornado ravaged areas to help.
So far this year, these teams have been dispatched to seven cyber events. I recommend that business and IT readers visit the site regularly. Have a look at their top-right area, “Critical Infrastructure Protection” – and glean what you can for affordable ideas for your environment, in leading and beating threats before they manifest.
Again, that’s the Idaho National Laboratory.
Staying ahead of threats and potentials is the name of the game today… in the realm of risk, unmanaged possibilities become probabilities. Therefore, manage your security.
Cyber espionage, the unauthorized surveilling of data or outright theft of it, is a problem in virtually every part of the world utilizing computers and harboring electronic content.
However, what’s happening in China is quite another thing… and may even point to what’s coming to the U.S. and elsewhere. I hope not.
Security experts warn travelers to China that contents of smartphones can be ripped off in seconds. “I’ve been told that if you use an iPhone or BlackBerry, everything on it — contacts, calendar, e-mails — can be downloaded in a second. All it takes is someone sitting near you on a subway waiting for you to turn it on, and they’ve got it,” said Kenneth Lieberthal, who is a former senior White House official for Asia.
In the matter of laptops, you must realize that the Chinese government owns all of the networks – making it very easy to monitor and capture everything going in and out of the country. Once you jump onto a transport for e-mailing and web browsing – you may as well assume you’ve been compromised. Many travelers to China have resorted to disposable phones and rented laptops – free of any sensitive data. Other folks store data on thumb drives, and only use that data on stand-alone computers, completely offline.
And yet, China’s embassy spokesman, Wang Baodong, says, “It’s advisable for all international travelers to take due precautions with their computers and cellphones. China is not less insecure than other countries.” I do think he meant to say ‘China is not less secure than other countries’… but the former may indeed be true.
Equal concern for networks and corporate data back home is evidenced by a 2008 incident where Chinese malware was inserted into visitors’ cellphones by remote means. The cellphones were then carried home, and subsequently infected servers in the U.S. Thus, there is enormous potential for danger of compromise to all manner of environments. Amazingly, but perhaps not surprisingly, intrusions have been discovered at the State Department and Defense Department, and those intrusions are alleged to have been from China.
When traveling, consider using a rented laptop devoid of sensitive info. Work offline, with sensitive data stored on thumb drives. Consider a rented phone.
If you don’t feel you have particularly sensitive data on your own devices, feel free to take your chances. However, for corporate business travelers, be certain to protect your patents, ideas, and information.
And, it’s not just China that presents risks. For U.S. readers, I would advise that any travel outside the U.S. be done with circumspection.
On this day (Sep. 29th): Scotland Yard is formed in London in 1829.
A colleague recently made a cogent argument for timely – in fact immediate – application of all suggested updates as they pop up on various devices; desktops, laptops, smart phones, etc. He examines it from a security perspective, being that many of these updates address security issues. A week doesn’t go by that I don’t get at least one “recommended update” or another on my laptop from various software providers.
The colleague is not a fan of the “Remind Me Later” option/button – he claims that it’s “the most dangerous button you can push” (hmmm… my vote might go to the “Delete Permanently” option…). He likens “Remind Me Later” to discovery that your home alarm is broken, and then deciding to post a reminder to your calendar to look at it later. Another (false) analogy he uses is: Leaving your car unlocked, and asking someone to remind you later to go back and lock it. More on his analogies in a bit…
However, it’s now well-established that hackers and crafters of malware are providing their own “update” notifications: Spoofs of legitimate updates that, upon acceptance, install viruses, keystroke monitors, collectors of authentication info, website tracking, information relays, and other nefarious things you most definitely want no part of. Further, they employ various tricks in “legitimizing” the look and feel of their activities – one of which is an actual “Remind Me Later” option, figuring you’ll accept it at some point.
A little examination may be in order before reflexively clicking that “OK,” “Install,” or “Update Now” button. Look the popup over carefully: Its aesthetics (does it look typical? If you’re able to remember the last update, that is); the way it’s worded; and further, is it an update that corresponds to your environment (that is, is it for something you’re actually running)? If you receive an Adobe update, and you don’t have Adobe in your environment – don’t install.
Another consideration: Oftentimes an update will create a conflict between the updated application and another one. There is published documentation of known problems and conflicts between resources, and frequently there is published counsel to forgo a particular update, because another non-conflicting one is due to be released by the software publisher, applications developer, plug-in provider, etc.
A really savvy user will know certain schedules. For example, if receiving a Microsoft operating system update, it would be useful to know if MS was actually sending one out. Googling around for this type of info can help. There are also some great message boards that discuss this topic, and subscription can yield solid info and protections.
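Here is the vetting described in the last three paragraphs turned into a script, as an added example rather than anything from the original post: before installing, it confirms that the product is actually on the machine, that the download URL is https and its host is on a per-vendor allowlist, and that the downloaded bytes hash to the value the vendor published. The product names, hostnames, inventory and installer bytes are all invented for the example; a real deployment would fill the allowlist from the vendor’s documentation and take the published hash (or a code-signing check) from the vendor’s own site, never from the popup itself.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Assumed allowlist (hostnames invented for the example): which hosts may
# legitimately serve updates for each product we actually run.
VENDOR_HOSTS = {
    "Acme Reader": ("updates.acme-reader.example",),
    "Acme Office": ("dl.acme-office.example", "cdn.acme-office.example"),
}

# Constructed stand-in for the installed-software inventory.
INSTALLED = {"Acme Reader": "10.1.0"}

# Constructed stand-in for the bytes the notice tells us to download.
SAMPLE_PAYLOAD = b"fake installer bytes for the example"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def host_allowed(url: str, product: str) -> bool:
    """True only for https URLs whose host is a vendor host or a subdomain of one."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    # The suffix match is anchored on a dot, so "vendor.example.attacker.test" fails.
    return any(host == h or host.endswith("." + h) for h in VENDOR_HOSTS.get(product, ()))


def hash_matches(payload: bytes, published: str) -> bool:
    """Compare the downloaded bytes against the vendor-published SHA-256 in constant time."""
    published = published.lower()
    if len(published) != 64 or any(c not in "0123456789abcdef" for c in published):
        return False  # malformed hash: treat as a failed check, not an exception
    return hmac.compare_digest(sha256_hex(payload), published)


def vet_update(notice: dict, payload: bytes) -> list:
    """Return the reasons to refuse this update; an empty list means it passed every check."""
    reasons = []
    product = notice.get("product", "")
    if product not in INSTALLED:
        reasons.append("product not installed")
    if not host_allowed(notice.get("url", ""), product):
        reasons.append("download host not on vendor allowlist or not https")
    if not hash_matches(payload, notice.get("sha256", "")):
        reasons.append("payload hash does not match published hash")
    return reasons


# A notice that should pass: installed product, allowlisted https host, matching hash.
GOOD_NOTICE = {
    "product": "Acme Reader",
    "url": "https://updates.acme-reader.example/reader-10.1.1.msi",
    "sha256": sha256_hex(SAMPLE_PAYLOAD),
}

if __name__ == "__main__":
    for label, notice in [
        ("legit", GOOD_NOTICE),
        ("not installed", {**GOOD_NOTICE, "product": "Acme Flash"}),
        ("look-alike host", {**GOOD_NOTICE, "url": "https://updates.acme-reader.example.attacker.test/x.msi"}),
    ]:
        print(label, "->", vet_update(notice, SAMPLE_PAYLOAD) or "OK to install")
```

The checks are deliberately independent, so a spoofed notice that gets one thing right (a plausible product name, say) still fails on the others. The “not installed” check is the one from the Adobe example above: an update for something you do not run is refused before any download happens.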
But here’s today’s take-away for you: Just because you don’t update an element immediately doesn’t mean you’re completely unprotected (such as leaving your car doors unlocked, or home unsecured). Security elements are still in your environment, running, and protecting: A good provider will LEAD threats, so that you may indeed have a little room for a “Remind Me Later” – particularly if you suspect an update might be a spoof; a threat masquerading as a legit update.
When all is said and done, any specific user, and any specific organization, has to make its own decisions regarding notifications of updates. You’re tasked to know your environment better than anyone.
But keep in mind that “Remind Me Later” can be a legitimate buffer as you research and vet an update notification. It’s not just a procrastination tool.
NP: Soul Bird, Cal Tjader, jazz24.org
Should we migrate to the Cloud? I hear this question frequently, particularly from small and mid-sized business.
Cloud solutions can provide robust, internet-based IT solutions without the need for heavy capital investment in infrastructure. There is also the ability to scale according to business growth and change: new storage capacities and scales of processing; perhaps demands from personnel for sophistication in the handling of systems-related process – things the organization may lack, and which the Cloud provider can offer.
Of course, the question must be asked: What of security? Anything in the Cloud is not within the “four walls” of the organization. (An org may, of course, have multiple locations – but here the “four walls” concept is a metaphor, vis-à-vis the fact that data and process are now harbored outside any direct physical location of the organization).
One bellwether worth watching is the banking industry. Banks, like any responsible organization, are constantly on the watch for means of enhanced productivity – and here the Cloud has ready offerings. Whether it’s infrastructure savings, operating expenditures savings, or new cloud-based business models, the goal is to best leverage the mix of private, public, and community-based resources that are in the Cloud.
Of course, banking is wary, because of data’s location, and the potential influence on steady availability, and the necessity for rapid recoveries in case of loss or corruption. Data’s integrity, related issues of confidentiality, and means of authentication are also concerns. Banks, and perhaps you too, are leery of outsourcing customer data to third-party Cloud providers and operators.
If you’re considering any measure of move to the Cloud, take a hard look at various providers. Assess their history, client base, and financial stability. Also examine their functionalities and services levels: Look into their ability to integrate data and process across various platforms and through a variety of cloud services.
On this day: Sep. 27, 1905, the first published blues composition goes on sale – W.C. Handy’s “Memphis Blues”
Many small businesses today are enamored of their technology – whether the possibilities engendered by social networking’s contribution to marketing, or smartphones and their ready tether to the ‘net, with the further grant of ready communication to co-workers, customers, business partners, etc.
But particularly in the case of start-ups, I’ve noticed something: Many young entrepreneurs seemingly have no clue about the successful setup and sustenance of a business: determining their market, serving it best, remaining competitive in securing it, and crafting the plans and policy that ensure their fledgling organization’s ongoing health and longevity.
It’s not strictly about automation and ready availability to the world via the ‘net and allied social networking opportunities. Everyone is on the ‘net, in the Cloud, interconnected… but not everyone is a successful entrepreneur, nor is everyone mounting a successful business.
Recognize the financial planning and forecasting that goes into a successful business of any size. Recognize the necessity for founding documents: A valid business charter; a mission statement. Have valid plans: One-year, five-year, disaster recovery, change management, etc. Have valid policies: Content management; privacy, acceptable use, customer service, billing, returns, etc.
Automation and tools are great: but when all is said and done, your business is about people serving people.
Make sure that the people you work with, who may work for you, and with whom you do business (vendors, solutions partners, etc.) understand that you’re delivering value to other people.
Want a great example? Ever try to access customer service at some companies that only provide online assistance – with no real human interaction? Many companies merely refer you through links of information, based on keywords of your particular problem or question.
Even “Live Chat” isn’t the same as a caring customer support rep on the phone.
Don’t let tools, bells, and whistles blur your focus: Get your small business on a solid footing in terms of fundamentals – then accent your possibles and potentials with the right tools.
NP: Decision, Sonny Rollins, jazz24.org
Business is increasingly sophisticated. Business is routinely conducted twenty-four hours a day, seven days a week. Organizations are increasing their global outreach. Travel no longer means that people are “out-of-the-loop.” As people can stay connected to their work they often find, or at least feel, that they must stay connected. The requirement for effective business and information systems, their proper utilization, and the pressure for the most return possible has never been greater.
As we consider the increasing requirements for immediate access to data, the security of data, the management of data’s content (that is, the treatment of business information as a leveraged advantage), and the growing demand for time in maintaining the highly technical “back-end” of business information systems, we realize that we face an increasing risk to a most important asset. At risk is business information itself – or business intelligence – and its effective management and use. In addition to the business reliance on steady information, we must realize too – whether factory, farm, hospital, distribution point, port, Fortune500 endeavor, volunteer group, sole-proprietorship, etc. – that operations, process, production and delivery are increasingly or completely dependent on technology.
Everyone must gain a thorough understanding of managing the combination of business and technology now, and of what is coming in future burdens. To illumine the problem another way – without a remedy to current inefficiencies, the divides of communication and understanding will compound exponentially under the coming demands of any business-technology environment. With accumulating vulnerabilities, not always readily seen, you can face a very real danger to your continued business existence.
At the same time, whether it be core mission-critical business applications, association management systems, accounting systems, e-mail systems, content management systems, shelf applications, etc., all organizations are challenged to implement, upgrade, or change outright these systems on a periodic basis. There is an ongoing requirement to expand systems’ capabilities for services and deliverables while sustaining support of daily business operations.
The “fruits” of this technology, for example the ability to mine, analyze, and deliver data in providing useful information to Business with accuracy, speed, and efficiency, is not only desirable, it is an absolute necessity. In tandem, you need an attendant, informed, user class that can leverage technical business tools and their output for maximum effect. For organizations of today it is now your business to jump, perform, and deliver with an immediacy that wasn’t necessary ten years ago – or even five.
Organizations also must anticipate and build accommodation for whatever the future of business holds: Changing markets; new products; faster deliveries; improved services, increased competition; and rising security challenges. In the case of governments and aligned agencies (with mutually reinforcing and united missions) there are new and emerging requirements to work together. Their objectives and success in achieving them affect safety and security of entire nations. We can fairly ask: Will government achieve the necessary agility in responding to the accelerative change of threats?
For all of these reasons, we realize that we must emplace a culture that supports ultimate outcomes. In your organization, craft a culture that fosters and encourages open discussion regarding business and technology.
As possible, leave the normal “box” of your routine day, your desktop… step back from the day-to-day and near-term focus: Solicit ideas, listen, speak, and contribute – in maximizing your own, and your organization’s, present use of systems. Be a contributor in securing them, and in progressing them to the best future possible.
NP: Unit 7, Wynton Kelly Trio, jazz24.org
As regular readers know, I frequently consult with and counsel small-to-medium businesses (SMB). I also work with non-profits, volunteer groups, and sole-proprietorships. A specific warning is coming to the small-to-medium environment, and being that October is National Cyber Security Awareness Month, I wanted to pass it along.
First, “large business” is certainly welcome to today’s post, but there is a specific warning coming to these smaller environments (in terms of numbers of people, size of budget, sophistication of technical supports, and allied policies). This warning is coming from a rather robust set of agencies: a U.S. House of Representatives committee, as delivered by agents of the Department of Homeland Security, the FBI, and the Secret Service.
The Warning: Large organizations have adopted, and generally evolve, sophisticated protections against breach, theft, and exposure: Therefore, this situation has turned cyber criminals to the softer target of the aforementioned SMBs, non-profits, etc.
Smaller organizations don’t have the same budget, or depth of personnel, to always mount the most sophisticated protections. And a continuous upgrade path that keeps pace with evolving threats is not always sustainable, particularly in periods of slow business.
Of particular target are retail systems and online financial accounts. Even today, many SMBs and related environments are more concerned with the physical security of locks on doors, zones, safes, etc., and many don’t give much of a nod to cyber security. This is a mistake.
As their contribution to National Cyber Security Awareness month, The National Cyber Security Alliance has some good free material online – for students, parents and, in particular, for business. Have a look at their tips, tools and resources.
Microsoft also has some good free resources.
Focus on a variety of areas: You need to protect your employees. Obviously you need to protect, and best serve, your customers, clients, constituents, etc. And overall, you must protect your business. I frequently ask organizations, large and small, “What is your number one asset?” Folks almost invariably answer, “Our people.”
Any organization, whether Fortune500, volunteer group, or sole-proprietorship, has this in common: Their number one asset is their reputation. Lose your org’s reputation, and your people won’t have a place to work.
Mount a pro-active security awareness. Stay safe in October. Stay safe year-round.