As regular readers know, I frequently consult with and counsel small-to-medium businesses (SMB). I also work with non-profits, volunteer groups, and sole-proprietorships. A specific warning is coming to the small-to-medium environment, and being that October is National Cyber Security Awareness Month, I wanted to pass it along.
First, “large business” is certainly welcomed to today’s post, but there is a specific warning coming to these smaller environments (in terms of numbers of people, size of budget, sophistication of technical supports; and allied policies). This warning is coming from a rather robust set of agencies: a U.S. House of Representatives committee, as delivered by agents of the Department of Homeland Security, the FBI, and the Secret Service.
The Warning: Large organizations have adopted, and generally evolve, sophisticated protections against breach, theft, and exposure; therefore, cyber criminals have turned to the softer target of the aforementioned SMBs, non-profits, etc.
Smaller organizations don’t have the same budget, or depth of personnel, to always mount the most sophisticated protections. And, a continuous upgrade path in match to evolving threats is not always sustainable, particularly in periods of slow business.
Particular targets are retail systems and online financial accounts. Even today, many SMBs and related environments are more concerned with the physical security of locks on doors, zones, safes, etc., and many don’t give much of a nod to cyber security. This is a mistake.
As their contribution to National Cyber Security Awareness month, The National Cyber Security Alliance has some good free material online – for students, parents and, in particular, for business. Have a look at their tips, tools and resources.
Microsoft also has some good free resources.
Focus on a variety of areas: You need to protect your employees. Obviously you need to protect, and best serve, your customers, clients, constituents, etc. And overall, you must protect your business. I frequently ask organizations, large and small, “What is your number one asset?” Folks almost invariably answer, “Our people.”
Any organization, whether Fortune 500, volunteer group, or sole-proprietorship, has this in common: Its number one asset is its reputation. Lose your org’s reputation, and your people won’t have a place to work.
Mount a pro-active security awareness. Stay safe in October. Stay safe year-round.
Most organizations most emphatically do not suffer threat of attack from inside. That is, employees are for the most part loyal, educated, and careful. Sure, they gripe, gossip and drag their feet once in a while (I know I did, albeit – ahem – rarely) – but hopefully, on balance, they’re glad to have a job and they’re glad to be working where they’re at.
On the other hand there is always human error with which you must contend: Both its potential and often its manifestation.
At the same time, of course, you must have the full complement of the “technicals” firmly in place: Network (and application) access control systems; firewalls; intrusion prevention/detection; anti-virus tools; and other collateral systems depending on your specific environment.
But these tools alone aren’t a comprehensive defense. A robust, ongoing, employee education program must be firmly in place, with regularized and updated training in match to threats of laxity, unawareness, and potential errors.
According to the Identity Theft Resource Center (ITRC), “insider” caused breaches are on the rise. To cite one real-world example, Verizon Business recently received the unhappy report that half of all internal breaches were caused by IT administrators. So, no one group should be overlooked by business and IT governance when crafting and delivering requirements for training and care.
Of course, threats can include inappropriate and even illegal behavior, such as inside people breaching and stealing data or resources for financial gain. Too, there is the disgruntled employee out to harm the organization on occasion. In those cases, a formal oversight process by managers and Human Resources should provide a careful track of oversight and care. Here we’re concentrating on a more common threat: Simple human imperfection – that is universal.
Most common is the occasional employee who loses USB storage, or a whole laptop. Perhaps the organization suffers unmonitored and unregulated use of smartphones, whether personal or org, and the employees have inappropriate and sensitive data stored on these devices. Again, loss or theft puts the data and the organization at risk. The potential for pain is enormous: An employee of the U.S. Veterans Affairs department took a laptop home with records of approximately 26 million veterans – and had it stolen out of his home. The exposure was enormous.
Craft and define policy that spells out specifically what your employees can and cannot do with data and devices – to include portable storage (thumb drives, laptops, smartphones, etc.) and what they can do with means of communication (e-mail, phone, web, and so on).
First expose all possibles and contingencies; craft policies and plans that fit your organization like a glove; then build a common sense schedule of employee orientation, training and refreshers.
Also, business and IT leaders must review and adjust security and appropriate use policies in accordance with the overall environment and associated changes. Have that on a regularized schedule of review too, inside the appropriate management team(s).
NP: Waltz for Debbie, Cannonball Adderley and Bill Evans, jazz24.org
The Washington Times has an interesting article about future combat, and its involvement of cyber warfare (Computer-based Attacks Emerge as Threat of Future, General Warns, Sep. 13, 2011).
General Keith Alexander, commander of the U.S. Cyber Command, warns of electronic strikes, yielding widespread power outages. Too, there is the threat of destruction of physical computers, machines, and allied infrastructure. Of course, the attendant loss of data and power would likely cause mass chaos in large geographic regions, and recoveries would be hampered.
General Alexander is also the director of the National Security Agency. He cites among examples an August 2003 electrical outage caused by the simple act of a tree causing damage to two high-voltage power lines. Software controlling the electrical power grid erroneously entered a “Pause” mode – shutting down power to millions of people across several states.
Amazingly, General Alexander says that cyber attacks are only outranked by nuclear attack or other means of mass destruction. Maybe the General doesn’t want to alarm anyone too badly, but what of Electro-magnetic Pulse (EMP)? EMP pairs perfectly with cyber warfare.
In the case of EMP, a modest nuclear burst over the continental U.S. wouldn’t cause much physical damage – and even nuclear fallout would be modest (comparatively speaking for what’s coming next). But EMP’s destruction would be comprehensive: All power would be removed from general society. All data would be wiped out. All electronic communications, to include computer and phone, would be nonexistent. Emergency actions would be mounted and prioritized strictly on a “line of sight” basis.
No one would be able to summon help – other than through their voice. Large regions would soon run out of food and potable water, as there would be no refrigeration and no water plants able to pump water.
A revisit to the last chapter of I.T. Wars might be in order. The chapter What’s At Stake clearly documents the threats and challenges – and further, suggests what any “local” organization (that is, yours) can do.
It’s worth a thought.
NP: On this day (Sep. 14th) in 1916, Christy Mathewson pitched his final game. He won.
(Note: By the time you read this, this problem may have been fixed).
Regular readers of this blog will notice that I almost never refer to specific applications or other products. I make no specific endorsements, nor do I condemn or compare products.
However, something happened to me today and I think it a service to readers to make you aware of something. I received an alert, via my preferred browser – Firefox, that an update was ready (6.0.2). I went ahead with it.
I received a dialog box indicating “Update 1 of 1 being applied” – or words to that effect. Once the update finished, my browser restarted. Apparently one of the big features of the new version is the “grouping” of Tabs. I didn’t have an opportunity to explore that (um, no pun intended), because upon update, Firefox began crashing – that is, spontaneously closing shortly after launch.
After the first close, I noticed a small crash report screen – I checked a box to send the report to Mozilla. After that resolved, I launched Firefox again – I was able to get to a site, was scrolling for a second, and the whole browser closed again – just disappeared. Again, the crash report option.
Fortunately, I was able to complete my day’s work through Explorer. But I’m surprised at the Firefox problem. Another annoying thing is that, for the short time I could see it, Firefox launched with two Tabs – one, my normal, preferred, homepage: Google. The top Tab was a Firefox announcement about the update, and an explanation of grouped Tabs. I’ll have to clear that when I can. Soft and hard re-boots haven’t overcome the problem as of yet.
If you get this, and haven’t been prompted to update Firefox, you might want to wait a few days to do it if you do get a prompt. Then again, all may be well by now – or, perhaps something in my specific environment is causing a problem.
Just an FYI. At any rate, stay safe out there.
On this day (Sep. 7th): In 1927, Philo Farnsworth demonstrates the first use of television in San Francisco.
In thinking about today’s post, I wondered if the title was a bit of hyperbole. Upon reflection, I don’t think so.
Consider: How many people use the same User ID and password for multiple accounts? Many, many people do – and this practice bleeds across personal (social) and professional accounts to a very dangerous degree. Consider too: One hack should not have the potential to daisy-chain and wreak havoc through multiple domains and accounts, by virtue of simple clues granted in one account’s initial breach.
The reason I got to thinking: There’s no shortage of security breaches and leaks, as indicated by the Privacy Rights Clearinghouse’s Chronology of Data Breaches. But I also happened to be reading an international news story: Back in July, SK Communications Company of Korea reported that the personal information of its 35 million users had been hacked.
In a statement, SK said, “The specific scale of the hacking is still being investigated, but it is estimated that some of the personal information of 35 million Nate and Cyworld members have been leaked.” Nate is South Korea’s third-most popular search engine. Cyworld is the country’s largest social networking site; with 25 million users, it accounts for half of the country’s population.
The Biggest Security “Hole”? By virtue of SK’s recent breach, and just a general peek at the Chronology, consider again carefully: How many people – in any country – use the same user ID and password for multiple sites? How many people have the same authenticating credentials for multiple personal accounts… and sensitive work accounts?
Answer: Too many. Ok, that’s not a very empirical, scientific, report. But I just did a survey of people around me, and… most people have a measure of the same credentials for all sorts of environments.
It could be worse – and it is: What does this mean? This means that if one site is hacked, and credentials are stolen… other information that may point to other sensitive accounts can lead the hackers to those accounts, and they can spin your credentials through all of them. Consider accounts such as: Banks, mortgage companies, work, professional associations, schools, and on, and on, and on…
For the professional business and IT audience: Make it a part of your Security Policy, and any other relevant policies and forums (such as user orientations, quarterly security refresher training, etc.) that user ID(s) and password(s) for business systems must be unique, separate, and apart, from all personal user IDs and passwords. Even security questions and answers should be unique, and used only for the specific work environment.
For the individual: I strongly urge you to consider separate and unique authenticating credentials for personal accounts such as Facebook, MySpace, YouTube, dating sites, and so on – and further, your bank(s) and other related accounts of high sensitivity – whatever you have and wherever you’re involved.
Again: One hack should not have the potential to daisy-chain and wreak havoc through your entire life’s online and subsequent real world existence.
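The daisy-chain risk above can be measured rather than just asserted. The following is an added example, not code from the original post: a small audit that takes a password-vault export (a constructed, hypothetical sample is embedded below), groups accounts that share a password, and reports the "blast radius" of a single breach: every other account reachable from one leaked credential, whether the group mixes work and personal accounts, and which user IDs are shared across both. Passwords are compared by SHA-256 fingerprint only so the audit never has to persist or print them; the account names, site names and passwords are all made up for the example.

```python
"""Credential-reuse audit (added example; hypothetical data)."""
import hashlib
from collections import defaultdict

# Constructed sample vault export. Every site, user and password here is
# invented for the example; in practice this would come from a password
# manager's CSV/JSON export.
SAMPLE_VAULT = [
    {"site": "social.example",    "user": "jdoe",   "password": "Summer2011!",          "kind": "personal"},
    {"site": "bank.example",      "user": "jdoe",   "password": "Summer2011!",          "kind": "personal"},
    {"site": "mail.corp.example", "user": "jdoe",   "password": "Summer2011!",          "kind": "work"},
    {"site": "video.example",     "user": "jdoe99", "password": "correct-horse-battery", "kind": "personal"},
    {"site": "hr.corp.example",   "user": "jdoe",   "password": "Tq9#wL!2zR$m",         "kind": "work"},
]


def password_fingerprint(password: str) -> str:
    """Stable fingerprint used only to group identical passwords inside the audit.

    A plain SHA-256 is acceptable here because the fingerprint is never stored
    or published; this is not a password-storage hash.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def find_reuse(vault):
    """Return one finding per reused password, largest blast radius first."""
    groups = defaultdict(list)
    for entry in vault:
        groups[password_fingerprint(entry["password"])].append(entry)

    findings = []
    for fp, entries in groups.items():
        if len(entries) < 2:          # unique password: nothing to report
            continue
        kinds = {e["kind"] for e in entries}
        findings.append({
            "fingerprint": fp[:12],   # short handle for the report, not the password
            "accounts": sorted(f"{e['user']}@{e['site']}" for e in entries),
            "blast_radius": len(entries),
            "mixes_work_and_personal": kinds == {"work", "personal"},
        })
    findings.sort(key=lambda f: -f["blast_radius"])
    return findings


def blast_radius_of(vault, leaked_site):
    """Other sites an attacker could log into if `leaked_site` exposes its credentials."""
    by_fp = defaultdict(set)
    for e in vault:
        by_fp[password_fingerprint(e["password"])].add(e["site"])

    reachable = set()
    for e in vault:
        if e["site"] == leaked_site:
            reachable |= by_fp[password_fingerprint(e["password"])]
    reachable.discard(leaked_site)
    return sorted(reachable)


def shared_user_ids(vault):
    """User IDs that appear on both work and personal accounts."""
    kinds_by_user = defaultdict(set)
    for e in vault:
        kinds_by_user[e["user"]].add(e["kind"])
    return sorted(u for u, k in kinds_by_user.items() if k == {"work", "personal"})


if __name__ == "__main__":
    for f in find_reuse(SAMPLE_VAULT):
        flag = " (work and personal mixed!)" if f["mixes_work_and_personal"] else ""
        print(f"password {f['fingerprint']} reused on {f['blast_radius']} accounts{flag}:")
        for a in f["accounts"]:
            print("   ", a)
    print("if social.example leaks, also exposed:", blast_radius_of(SAMPLE_VAULT, "social.example"))
    print("user IDs shared across work and personal:", shared_user_ids(SAMPLE_VAULT))
```

Run against a real export, the interesting output is not the list of reused passwords but the `blast_radius_of` view: it answers the question the post raises, namely what one breached social-site account would hand over, and it is the number to put in front of anyone who thinks "it's just a forum login."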
Think about it – and act.
On this day (September 2nd): In 1930, the first non-stop airplane flight from Europe to the US was completed in 37 hours.
I was speaking with a colleague and friend yesterday. He’s just left an organization in the outlying Washington, DC Metro area for a larger one directly downtown.
My friend is about as savvy as they come regarding computer use, online peril, and so-called netiquette. But surprisingly, he doesn’t know what the Acceptable Use policy is at his new organization, or if they even have one.
He did know the situation at his former place of business: They most definitely didn’t have one. The place was a mess in terms of Content Management, Acceptable use, Security, and other formalizations, expectations, and just simple courtesies of informing workers about standards, adherence, and expectations.
But this new place is supposedly a little more refined, larger, has a bit of longevity, and certainly should know better than to be remiss about standard policies – to say nothing of a prudent survey for budding challenges and timely considerations of those – in establishing and evolving policies in match.
I don’t know about you, but I like knowing what’s allowed, and what’s not, and I like remaining squarely within best practices and operational principles in not only leveraging systems and access to best business outcomes, but also leveraging that for best protections. Call it general business surety.
The overwhelming majority of people (at least in this readership) want to do the right thing. People are interested in:
1. Remaining outside the sphere of trouble.
2. Upholding and bolstering their organization’s reputation through solid contributions and deliveries.
3. Remaining within safe and sure business, and allied technical operations.
Organizations, for their part, must perform due diligence for states of security – inside and out – and keep policies up to date. Any workforce is entitled to know its organization’s stance regarding threats and protections, and the position of those to the organization’s vulnerabilities. They then must be made aware of the subsequent bouquet of policies, procedures, schedule of training, and pro-active notifications – all in service to thwart of threat.
Business should have their IT department survey for what other organizations are doing: Orgs of your similar size; in your market; in your geographic area. It’s a start. Begin to determine what low-cost/no-cost protections can be mounted inside, by institution of appropriate behaviors and practices. Then, forecast (budget) what protections need to be mounted through the help of solutions-providers… vendors.
If you don’t have budget presently, at least get the markers on a 5-year plan or something similar. Whether you’re on the “business” side or “IT” side of the equation, you can also write tangential position papers regarding future’s streaming challenges, with the matching answer to them.
But whatever you do – don’t remain vulnerable. Be fully informed, reasoned, and straightforward in making any gaps and concerns known.
On this day (Sep. 1st): In 1858, the first transatlantic cable failed after less than one month. If at first you don’t succeed…
There’s a number of first-time readers joining the group, so I want to preface today’s post by saying it’s a bit of frivolity – it’s Saturday, after all. (Click here for all articles, and scroll for those that may interest you).
But as to today’s post: I had an interesting, totally unexpected, situation while discussing needs with a client on the phone the other day. I was in my home office discussing the theme of a needed white paper, the nature of the intended audience, and so on. Our mobile call began to break up, and so I asked my client to hold for a moment while I transferred outside.
I took my laptop and phone to my deck, and sat down at an outdoor table. It’s one of those with an umbrella in the middle. I cranked the umbrella open, sat down, and resumed my conversation with the client while typing notes.
Suddenly, a bat flew into my face, abruptly turning and flying past my head. It had been overnighting under the closed umbrella in the folds. I had abruptly opened its “bed,” and rudely disturbed its rest…
Amazingly, I resisted the temptation to blurt, “Yikes! A bat just flew into my face!” – or worse. I remained focused, continuing to converse, make and take suggestions, and type notes. Meanwhile, the bat wasn’t about to give up – it kept flying back under its roost – landing on the spokes of the umbrella, or hanging off the cloth, and then flying back out, about, and back in. For some reason, its preferred path remained in the vicinity of my face and head. Soon, a complicating factor arose (don’t they always?)…
My cat Rex jumped up on the table and began batting and leaping at the flying bat… inches from my laptop, but more importantly, near my morning-lifeline: My coffee.
Did I lose focus? No. I remained calm, level-headed, and contributed and captured for the day’s deliverable (but did protect my coffee). Eventually, the bat flew off. Rex turned his attention to other pursuits, and the client and I wrapped the call. The client was none the wiser for what had just transpired, although it doesn’t really matter (he may read about the episode here, I imagine).
But the unusual confluence of events reminded me about something very important: It served as a reminder to “expect the unexpected” – to get out of your comfortable box, to survey your environment with some imaginative views: Employ some “What If?”s and “What Would We Do?”s. It doesn’t have to be a big consumption of time, but get off the beaten path of the day-to-day and near-term project focus and be certain you’re on a responsible forward edge for evolving threats and challenges.
It doesn’t have to be a consideration for possible bat infestation (unless it’s concerning co-workers’ belfries), but remember this: No organization ever went into a project expecting overruns. No one plans for a breach. No one wants to hobble business with poor-fit solutions.
Things happen all the time.
Interweave business and technology: It’s a culture that yields immediate benefits, spreading an “umbrella” of protection and influence over the environment. You won’t have many unexpected moments and situations. But – when you do, be sure to have an agility in place: People who remain calm while having the reflexes to act quickly, with appropriate knowledge, with appropriate ability, with appropriate scale and placement of effort – within sanctioned authority. Define these things, hire according to spec, hammer out plans in match not only to actuals, but also to the “bats” of contingencies.
Craft an efficient, effective, business-technology weave – and maintain it.
As to my bats (there are now three), I rather like them. They probably just like the view:
NP: Who’s Got Rhythm, Gerry Mulligan/Ben Webster, jazz24.org
Often, their position is some measure of: “No one but our [customers/clients/constituency, etc.] knows about us, and they’re certainly not going to harm us.”
Another refrain is: “We’re small; under the radar for the moment. Sure, we’re evaluating better security… we’re going to get to that…”.
And then there are the orgs that think they’re already “water-tight” – until the flood of bad results pour in from a breach.
We spoke of the hacking group Anonymous a few days ago. Now it seems that this group has hacked into approximately 70 rural U.S. law enforcement websites, taking information regarding investigations and posting it to the internet, as well as tips from the public, e-mails from officers and, rather amazingly, credit card numbers.
In a statement, Anonymous said the theft of data – to the tune of 10 gigabytes – was in retaliation for the arrest of sympathizers in the U.S. and Great Britain. They further stated their leak was “a massive amount of confidential information that is sure to discredit and incriminate police officers across the U.S.” and that this would “demonstrate the inherently corrupt nature of law enforcement using their own words” to “disrupt and sabotage their ability to communicate and terrorize communities.”
Ah – sort of a public service, eh? But what do we take away here in the Biz-IT community?
We take this: This isn’t an attack on the NYPD, the LAPD, the CPD (Chicago). This is theft from rural areas in places such as Arkansas, Kansas, Louisiana, Missouri and Mississippi. Thus, mischief makers and individuals and groups with chips on their shoulders will look for soft targets: the naïve, the ignorant, and… after this… the unwise.
One of the chief difficulties in putting off security evaluations and initiatives is that it becomes difficult, expensive, and consuming (of resources such as $$, time, and people) when you finally get around to tackling it. And that’s rub enough, assuming you don’t have a breach or loss. It’s like you’re standing at the base of a cliff, looking to scale a challenge all at once, with immediate need for egress to the top.
If your security initiative is paired with a recent breach, and an “Oh sh… sh… should we tackle security now?”-moment, then it’s all the more difficult. You’re facing the fire of fallout, more potential breach, and you have to mount and complete initiatives in a rush.
Make no assumptions: not about outside threat, your risk about being targeted (or found), nor about what “invitations” your staff may be making in terms of their outreaches to nefarious domains and entities: Whether intentional, accidental, or through ignorance. Survey security now: Inside and out (in terms of products and protections that are available). If you’re comfortable with your security initiatives, survey the market anyway. Survey what other organizations are doing that are in your domain, your market, that are your size with similar budgets.
When security is managed as an ongoing initiative, with monthly or quarterly assessments (as well as ad hoc ones based on exigencies – let’s not forget that), paired with the annual review of all states of business and IT, we find that we have something very important:
We have a manageable, affordable, and protecting forward-posture as regards the overall state of security.
NP: Skoshuss, Bluesiana, jazz24.org
Oh, the irony. Vanguard Defense Industries (VDI) was hacked by the hacking group Anonymous.
I don’t mean to sound too critical, or unsympathetic. After all, if an industry with the word “defense” in its very corporate name and charter can be breached… what hope is there for the rest of us?
And yet, what the heck? (I resisted the temptation to say “What the hack?”). Don’t we have to persevere in the belief that true progressions, true protections, and ultimate measures of true security can, will and do trump threats and potentials of breach? The short answer is: Yes.
Things have to fall one way or another – with the simple strength of a push. Organizations need to be constantly pushing security… lest a breach pushes itself into and onto you. What does this “push” really mean?
It means being vigilant with a proactivity and focus that extends to the horizon – and beyond. You must survey the current risks that are out there, survey for ones that are developing, and survey for those rumored to be developing. You then must pair this awareness, vigilance and survey with your present environment: Bring necessary security solutions and practices to its supports, its protections, its plans, its projected progressions. View everything through a security prism.
In the case of Vanguard, a top official had his e-mail account broken into. Messages were stolen from the Senior Vice President’s account. According to Anonymous’ own statement, 1 gigabyte of data was stolen, comprising personal information (never good), meeting notes and worse: Purportedly taken too were counterterrorism documents marked “law enforcement sensitive” and “for official use only.” Internal meeting notes were also breached.
Here is the real payout to us, here in the IT and business community: The e-mails were stolen from the Senior VP’s private Gmail account. Wow. Here are the questions that are raised:
1. Is Gmail an authorized, sanctioned, mail system – endorsed by Vanguard Defense Industries for internal and external use?
2. If so, what is VDI’s guidance for what levels of information can be transmitted and stored in a system that is outside the direct scope and control of VDI’s security standards and measures?
3. What are Gmail’s own standards of security? Do they match and/or exceed those of VDI? Or are they considerably lower?
4. Regardless of present standards, what guarantees can Gmail offer regarding continuity of security over time; such as a prudent forward progression as threats evolve and increase? We all know wonderful companies and products of yesteryear that failed to grow with the times…
5. Will outside standards remain high in the face of business challenges, such as any budget constraints, and competing avenues of attention/progression such as new online products and features?
The lesson for business and IT in general? Survey and find out immediately, if you don’t presently know, what your staff is doing via free and ready services. Things such as Gmail, Facebook, message boards, Comments areas in news lists – etc. Update Acceptable Use policies, Content Management policies, Security policies… Define what is permissible. Define what is impermissible (not allowed, unauthorized, forbidden, to be avoided, etc.). However –
When defining the “Impermissible,” be certain to include specifics, but also include a caveat that it is not meant as a comprehensive list of specifics. Specify that, due to evolving and new products and avenues of breach, all general areas are included. For example, you can bar Facebook, MySpace, and others’ use at work; but also indicate that social networking in general is not allowed. That way, as new SN sites bloom, they are covered. You can also grant conditional access: A particular project or group may benefit through access, which can be qualified by training and best use. Departments may need access – those that don’t require it, don’t allow it. This is business – nothing personal.
Recognize that even senior-most staff represent security liabilities if they are under-educated regarding modern and evolving perils. Whether you’re a CXO (CIO, CTO, CFO, etc.), Senior Vice President, President, Director, Manager, Supervisor, staff person or temporary hire – make certain you know areas of risk, and best protections – you must set the example.
Further, if you’re a leader, get the right people on the solutions and protections and the related currencies and advancements.
Further still: Get the right security training and awareness in place for staff.
Stay safe out there…
On this day (August 20th): In 1896, the dial telephone was patented.
Let’s look at a common mistake on IT’s part. How many organizations have a requirement for “centralized” data, yet have full knowledge that users – the business community – are storing data on local (c:) computer drives? It matters not whether you have server virtualization, or if you harbor your own physical server(s).
In fact, it doesn’t even matter if you have virtualized desktops. If your users are storing data in the wrong virtual space, it’s in the wrong place!
Even some of the most sophisticated organizations, and the most tightly controlled enterprise environments, have this condition. This goes on even in organizations where it violates a document retention and content management policy – policies that are often imposed by outside regulatory agencies, or client bodies. Yet, if business members and leaders insist that it’s a necessary “work-around,” IT frequently goes along.
Conversely, business often assumes that policies are being adhered to, even as IT lets the environment go slack. This is a major mistake on IT’s part. Let’s leave the document retention/content management considerations aside for the moment, other than to state the obvious: If business leaders and various-level users are running reports on what they believe to be a coherent data-store, in the absence of critical data that is harbored in unapproved and unrecognized repositories, then report content can never be accurate and true. Business decisions can be weighted according to false criteria, and a true measure of any situation cannot be made. Today, let’s look at the situation from a simple backup and recovery standpoint – certainly an important enough area to highlight perils.
IT’s position in any organization should be that all data is secure: accessible according to authorization; safely and securely maintained in the technical environment; recoverable in the case of loss in the production environment through any reason (corruption, human error). Too often, especially in SMB environments, users are responsible for backing up their own local drives. This is wrong. If there is genuine business data that is not coming under the umbrella of IT’s backup domain, then that is a wrong situation and you cannot profess to have complete security. You are at risk.
You can hash out in a business-IT management team as to how to expose peripheral data, and how to manage it, secure it and back it up – at a minimum you must document exceptions to policy and put them on record. Ideally and in accordance with best practice, you’ll want to “centralize” data (whether actually or virtually) and put it squarely in the realm of IT’s secure and sure backup process. Many important caches and swaths of data have been lost by organizations because the central, qualified, authority for the safekeeping of data (IT) was unaware of it. There was no central authority guaranteeing its safekeeping under these circumstances.
Let’s look at one more area where IT is frequently remiss. Organizations overall are responsible for anything and everything that happens within: We see where large judgments have been made in favor of employee plaintiffs with complaints regarding offense and damages over electronic content containing porn, offensive jokes, inflammatory material based on race, etc., illegal advocacy, and other inappropriate content. Here, we’re speaking of content that has long been defined as this kind of liability by courts. Remember too that just because some content may be “legal” in the broader sense, it can still violate your organization’s best interest: Perhaps its internal policies, and those of clients and allied organizations.
Consider too: Should your organization’s data be subpoenaed, you wouldn’t want negative characterizations of business partners or critical evaluations of members made public, for example. Most organizations have policies to guard against inappropriate use of business resources and to explain the consequences of harboring improper content, but many don’t adequately reinforce, refresh, or train to the policy. Further, it’s apparent that a lot of IT departments haven’t picked up their responsibility, or perceived their own liability, in this area.
IT: Take care of business – and take care of business – if you know what I mean. ;^)
NP: Feeling Good, Gerry Mulligan, jazz24.org