From Europe comes incredible news, as reported by Juniper Networks. Amazingly, 84% of businesses have experienced at least one data breach in the past year.
Eighty-four percent. Huh. Well, at least 16% are doing something right.
But wait – I think we can safely assume that a good many of those are surviving on dumb luck. And, as stated here in The Weave, something bad can be transpiring at this very moment, with the organization as yet unaware that the consequences of a harmful event are just around the corner.
According to Juniper’s survey of 1,406 IT professionals, 31% indicated an increase in the frequency of breaches, and 76% report that attacks have become more damaging or harder to prevent.
Of particular concern are mobile devices such as smartphones and laptops. These privately owned devices are difficult to manage, because they sit outside the usual reach of the enterprise’s policies and controls. In fact, 34% of respondents attributed breaches to laptops.
It can’t be emphasized enough: Organizations need to identify, immediately, all outside access to the enterprise environment. Once that survey is complete, a policy and plan must be drafted: 1) a definition of allowed access, acceptable use, and the required security features and protections – 2) paired with a plan to roll out training, ongoing user awareness, and the security features that must be maintained and adhered to at all times by anyone accessing from outside.
Anything short of this is folly. The organization is begging for a catastrophic breach of systems, data and reputation. Things are only going to get more challenging:
- Threats are going to harbor more power to harm
- Threats are going to increase in number
- Threats are going to stream into the organization’s face at an accelerating rate.
Get ahead of the curve now. Survey all security policies and measures. Do some research. Determine your level of affordability in terms of time, attention, and resources, vis-à-vis acceptable risk.
What is “acceptable risk”? Only your organization is going to know that for your organization. Engage business stakeholders and IT governance, hammer out the accepted plan, and then execute.
Get this on the table, and get it going.
NP: You’ll Never Know, Red Garland
Today, employee error and otherwise casual approaches to security are causing serious harm to a great many organizations – and to employees themselves.
Bad outcomes from abuse of systems and content abound. Employees have been busted for surfing porn, for e-mailing clients with unflattering characterizations of inside-business, for divulging sensitive business secrets and details, for defaming co-workers, for wasting business time with all manner of personal business – the list goes on…
Recognize that whatever you do is basically captured for review by appropriate organizational authorities. Further, the discipline of eDiscovery now mines data and coughs it up, splaying it for the world to see. Deleting content is of little use: an ordinary delete merely removes the file’s name and marks its disk space as free for new content; the bytes themselves stay where they were, and until they are actually overwritten that data is retrievable with forensic tools.
Further, even when that data is eventually overwritten, it is likely still on backup media, captured there before it was overwritten in the active environment and now retained for what is, in practice, indefinite review.
Browser histories are recoverable the same way. Don’t count on their deletion as being any kind of protection. In the realm of data, to be safe, assume everything is permanently available for review and use.
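To make the point concrete, here is an added example (not code from the original post) of why an ordinary delete leaves the bytes in place. A toy block device with an allocation bitmap stands in for a disk; “delete” forgets the name and frees the blocks, “wipe” overwrites them first, and a signature-based carve over the raw image – which is what a forensic file carver does to a real drive – finds the deleted memo but not the wiped one. The memo format, its header and footer, and all contents are constructed for the example.

```python
"""Added example (not from the original post): an ordinary delete versus an
overwrite, as seen by a carver scanning the raw disk image."""
import re

BLOCK_SIZE = 64


class ToyDisk:
    """Minimal block device: an image, an allocation bitmap, a directory."""

    def __init__(self, n_blocks=16):
        self.image = bytearray(BLOCK_SIZE * n_blocks)
        self.free = [True] * n_blocks          # allocation bitmap
        self.directory = {}                    # name -> list of block numbers

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)   # ceiling division
        blocks = [i for i, is_free in enumerate(self.free) if is_free][:needed]
        if len(blocks) < needed:
            raise OSError("disk full")
        for n, b in enumerate(blocks):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            self.image[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
            self.free[b] = False
        self.directory[name] = blocks

    def delete_file(self, name):
        """What an ordinary delete does: forget the name, mark blocks free.
        The bytes in the image are untouched."""
        for b in self.directory.pop(name):
            self.free[b] = True

    def wipe_file(self, name):
        """What a secure delete does: overwrite the blocks, then free them."""
        for b in self.directory[name]:
            self.image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete_file(name)


# Constructed document format: a memo bounded by a header and a footer.
HEADER, FOOTER = b"%MEMO-BEGIN%", b"%MEMO-END%"
CARVE_RE = re.compile(re.escape(HEADER) + b"(.*?)" + re.escape(FOOTER), re.DOTALL)
MEMO_BODY = b"Re: our client - frankly I think they are clueless."


def carve(image):
    """Scan the raw image for memo bodies, ignoring the file system entirely."""
    return [m.group(1) for m in CARVE_RE.finditer(bytes(image))]


def demo():
    """Both files are gone from the directory; only one is gone from the disk."""
    disk = ToyDisk()
    disk.write_file("memo.txt", HEADER + MEMO_BODY + FOOTER)
    disk.write_file("draft.txt", HEADER + b"Second memo, also sensitive." + FOOTER)
    disk.delete_file("memo.txt")   # ordinary delete
    disk.wipe_file("draft.txt")    # overwrite, then delete
    return sorted(disk.directory), carve(disk.image)


if __name__ == "__main__":
    names, recovered = demo()
    print("directory:", names)          # []
    print("carved from raw image:", recovered)
```

Real carvers (and the eDiscovery tooling the post mentions) work the same way over the raw device rather than through the file system. Two caveats that only strengthen the post’s advice: on SSDs, wear levelling means the overwrite you issue may not reach the physical cells that held the old copy, and none of this touches the copies already captured on backup media.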
At many orgs, there’s no lack of training – and there’s no lack of associated policies: Acceptable Use, Content Management, a general Security policy; all regarding protection of systems, data, e-mail guidance, internet access and allowable use, etc.
There are warnings about use of systems for personal use, with thresholds of defined abuse. In other words, and in an obvious example, no one begrudges someone receiving a modest amount of personal e-mail through the “work system,” with the occasioned print of something or other. But too much use of work resources for the conduct of personal affairs is not at all prudent.
But whether quarterly, semi-annually, or annually, various training is often treated as an inconvenient interruption to business. Many employees regard it as either a nuisance, or a goof-off day.
But the real objective as concerns security is not training in and of itself – nor any particular measure, or test, of employee adherence to goals and values at some pinpoint moment in time. Rather, the objective is an ongoing, seamless, and active security awareness on the part of employees (as supported by regularized training and updates – nothing remains the same). Awareness of what not to do, and what to do.
The only real way to maintain awareness and protection is to instill a valid eCulture at your place of business. eCulture comprises many things, and we’ll examine more in coming posts, but a couple warnings and tenets apply:
- In the realm of risk, unmanaged possibilities become probabilities
- All activity in the truly modern organization is viewed through security’s prism
In fact, a useful way of embedding a modern security awareness, in support of eCulture principles, is to tell employees they must wear “security glasses” – these “glasses” force the preeminent consideration – security – for every action and activity undertaken by individual and organization alike.
All sorts of useful examples and analogies can be created, but what’s worked for me, quite well, is to counsel organizations to put on their security glasses and look at everything through the security prism.
Employees quickly learn to view everything through that security prism: Exercising safe and best practices.
The “glasses” (with signage, reminders, etc.) force awareness. It is simple… and powerful.
On this day: In 1893, the first Ferris wheel premiered at the Chicago Columbian Exposition
[Note: When referring to “Business” here, with a capital “B,” we’re referring to business people and associated business leadership. When employing a small “b,” we mean “the business” such as business practice…]
Frequently, in the course of my travels and counsel, I hear from Business: Our IT team just doesn’t get it. We discuss and deliver requirements in good faith, but it’s still a struggle getting what we want and need in order to conduct sound business. IT constantly asks for more money, and even so, we don’t see a direct correlation to better fits with the dispense of more dollars…
As frequently, I hear the IT side: Business makes unreasonable demands, they “don’t get it,” they ask the impossible. The impossible includes demands for robust solutions and supports on minuscule budgets (in IT’s estimation), demands for programs that support the most hapless users, programs that make business “mistake proof” (here, even I must say – this is not possible, of course), and naturally there’s always that most venerable of complaints: They want everything immediately.
Something’s got to give, and you know what I say? I say it’s… IT. Why? IT is a service endeavor. IT wouldn’t have anything to do without a business to support. Even a tech company has a business element, and a technical, IT, element.
But also, in a world with no perfect parity, something’s got to give in – and again, that’s IT. But that doesn’t mean that IT is a doormat. A good IT leader, and associated department, knows how to manage Business – and “the” business of getting things done and into service.
It is IT’s job to figure out what Business wants and certainly what Business needs – by listening, communicating, digging – by engaging. If IT comes away from the table without all requirements, exposure of needs, and understanding of Business expectations, then IT has to go back in and get these things. Sometimes it can be difficult, and it’s going to require tact and patience. However, for best success, you have to smash ambiguity. Smash it with a velvet hammer, though. As difficult as it may be to pin Business down, it will be far more painful in the long run if you don’t.
Only a qualified understanding of business will allow IT to partner on the alignment of support to business. Remember that, in addition to IT’s place at the planning and execution tables, IT can and must actively survey business. Ask Business what it wants! The simple survey will yield needs from the bottom of the organization on up. Depending on your organization’s size, you will decide whether to issue a survey on a regularized basis, or to do a survey based on other triggers. It’s always wise to survey the organization prior to large-scale change. It’s also good to survey where the organization is in terms of level of comfort with present business tools, and to assess training needs. IT can then sit down with supervisors and business managers to help plan strategies and best progressions.
Realize that if you’ve established credibility, and achieved sanction in the past, you stand your best chances for success. If you’re in a challenging business environment, and you feel there’s a gap in understanding on Business’ part, with possible negative outcomes to the organization, then concentrate on “doing what you can do.” Communicate concerns to the appropriate level. Be decent throughout: It’s your reputation – your own personal and professional #1 asset – maintain it.
Therefore, be certain to go through channels, and don’t skip levels of authority. At any level where there’s a major sticking point, advise the necessary parties that you’d like to involve the next higher authority. Communication is key.
If you, as an IT person, hit a wall with a concern, then your duty is to carefully go on record with your view of potential negative outcomes. You’ve done what you can. The point here is that IT must tactfully come back to the table, again and yes again, in the good faith, fully informed, and engagement-ready posture that is imperative in a professional IT team. Today, there are security liabilities that simply make “going along to get along” an unwise practice in delivering the necessary business returns.
The exception would be knowledge of illegal or bad-faith business activities – those issues have their own discrete channels for resolution, beginning with your internal Human Resources team.
For now, IT must recognize their point position in aligning business and technology for secure, effective, business outcomes.
NP: Unsquare Dance, Dave Brubeck, jazz24.org
I was reading an interesting article the other day, Apple, Google Under Fire at Hearing.
You may read the article for yourself, and I recommend it. But of interest to me, and hopefully others here, is the tracking that is performed by Google and Apple for optimization of services. This tracking can have privacy implications: Google and Apple (and by extension, anyone hacking critical data) can establish your whereabouts – either pinpointing, or exposing, virtually your exact location.
You can certainly harbor your own thoughts and opinions regarding the level of liability in all of this – but before anyone makes a hasty determination of privacy liabilities, or lack thereof, consider: There are all manner of folks who benefit from not being located at any given moment in time. There are former spouses who don’t relish being tracked. There are people with some measure of public profile who like to get out and about without generating a scene. What of witness relocation? Further, there’s potential for government abuse in this realm. Other examples abound, and further, others will evidence themselves in time.
It’s an interesting puzzle: How to manage the balance of delivering beneficial information to the consumer based on location (such as GPS and navigational assists; location and distance to pizza – you get the idea…) - while at the same time providing protection to consumers’ privacies?
No less an authority than Trevor Hughes, Executive Director of the International Association of Privacy Professionals, has some interesting things to say regarding privacy:
“You know, it seems to me that there are real risks for organizations out there today, and you can knowingly violate privacy law or the expectations of privacy of your consumers…”.
“I think it speaks to a larger issue in the marketplace, and that is we all have to become privacy professionals [emphasis added – DS] at some level. We all have to have a broad environmental awareness of how data can create risks for our organizations.”
“If your customers don’t trust your privacy, they don’t trust you. And that has implications far beyond just the law; it has real implications for your business.”
When we see Mr. Hughes speak above about risks to privacy – how data “can create risks for our organizations,” and that these things have “real implications for your business”(that is, liabilities) – he’s actually talking about… SECURITY. BUSINESS SECURITY.
I don’t like to blow my own horn (wellll… actually, I do. I lean on it sometimes…), but I’ve long made the point: All activity must now be viewed through security’s prism. Everyone in the organization must become a mini-security officer: Do it now.
I posit that, rather than everyone being a privacy professional, we really need everyone to be a security officer – that condition encompasses issues of privacy, protection, and the ensuring of best outcomes for business all around.
I’ve stated this here before at The Exchange, I stated it in my 2006 book, and I continue to counsel all businesses with whom I consult that they must do this. They must qualify every employee to view all activity through security’s prism, and to take appropriate safeguards before triggering any action. It becomes natural, efficient, and protective. It’s fairly simple to effect.
Breach of privacy – whether exposing business methodologies and secrets, or client, customer, consumer confidences, histories, and critical business/personal data – is a breach to security and direct threat to business continuity.
Update plans and training: Security; Acceptable Use; Content Management; Business Continuity; Disaster Awareness, Preparedness, Prevention and Recovery; and others of your own. Be certain to conduct semi-annual or quarterly refreshers: Most organizations likely have regularized refresher training, or monthly All-Staff meetings, where security and privacy concerns can easily be accommodated without too much overhead to the organization’s time and other resources.
If I may quote I.T. Wars: Sooner or later, everyone in the organization will be made a mini-security officer: Do it now.
Word to the wise.
On this day: In 1965, the Kinks arrive in New York City to begin their first U.S. tour.
I don’t mean to beat up on Citigroup. But there’s an important lesson that’s just evidenced itself. I’m also very surprised at what I’ve just learned about the breach.
As we discussed a couple days ago, the breach resulted in the exposure of 200,000+ names, account numbers, and e-mail addresses of Citigroup credit card holders. That number has now been revised upward – to over 360,000. That is not the surprising element of the story, however.
Now comes word of how these “sophisticated” hackers did the trick. They simply logged in to the site – that’s all. Then, they noticed that the browser’s address bar contained the credit card number of the account that was logged in, as part of the URL.
A quick test for the hackers in these circumstances is to simply alter the number – one digit or a couple – hit refresh – and presto! You’re in another account. By the way – this is a very old trick (today it is catalogued as an insecure direct object reference) for web pages, apps and programs that are dumb enough to use critical content, such as account numbers, Social Security Numbers, Customer IDs, etc., as part of the URL without checking that the logged-in user is entitled to the record that number names. The idea that a major credit card company was doing this in 2011 is scary.
Once the exposure was noted, the hackers merely wrote a simple program to automate the spin of numbers through the URL, with an interim step such that each resulting page could be stripped of the critical information – again, names, account numbers, and e-mail addresses. Upon that strip, a command for a simple refresh with new number, strip – and repeat…
That is, repeat 360,000 times – before Citigroup happened to catch what was happening through a routine security check. In other words, it wasn’t even a proactive monitor watching for suspicious activity that caught it: it was a routine, cyclical check.
According to London’s Daily Mail, an “expert” on the investigation team actually wondered how hackers would have thought to focus on the vulnerability in the browser. Words almost fail here… hackers are imaginative and adept – and pretty much always catch what’s right in front of their face. But, as stated, URL vulnerabilities have long been known. It sounds like we’re discussing something from 1995.
This unnamed expert, who wishes anonymity, stated, “It would have been hard to prepare for this type of vulnerability in the browser.”
On the contrary: this type of flaw and its hack potential have long been known, and NO responsible programmer, web developer, application designer, or provider goes anywhere near an old-school exposure such as this, whereby a “key” is displayed in a URL and the server honors whatever key comes back – so that simple substitution unlocks virtually unlimited access to other customers’ data. Note that the real failure is not that the number was visible in the address bar; it is that the server never checked the number against the session that presented it.
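As an added illustration (this is example code, not Citigroup’s application), here is the flaw described above modelled as two request handlers over a tiny in-memory account store, alongside the enumeration loop the hackers are said to have automated and a simple detector that would have flagged it long before 360,000 requests. The account numbers, customers and session tokens are constructed; the handlers return an HTTP-style status and a record instead of rendering a page.

```python
"""Added example (not Citigroup's code): trusting an account number carried
in the URL, the fix, the attacker's enumeration loop, and a detector."""
from collections import defaultdict

# Constructed sample data: card accounts and their owners.
ACCOUNTS = {
    4000000001: {"name": "Alice Example", "email": "alice@example.com"},
    4000000002: {"name": "Bob Example", "email": "bob@example.com"},
    4000000003: {"name": "Carol Example", "email": "carol@example.com"},
}
# Session store: session token -> the account the customer logged in to.
SESSIONS = {"sess-alice": 4000000001, "sess-bob": 4000000002}


def vulnerable_view(session_id, url_account):
    """Flawed handler: confirms that *someone* is logged in, then trusts the
    account number from the URL as the record to display."""
    if session_id not in SESSIONS:
        return 401, None
    record = ACCOUNTS.get(url_account)
    return (200, record) if record else (404, None)


def hardened_view(session_id, url_account):
    """Fixed handler: the URL's account number is honoured only when it is the
    account bound to the session (object-level authorization). Unknown and
    foreign numbers get the same answer, so the endpoint is not an oracle for
    which account numbers exist."""
    owner_account = SESSIONS.get(session_id)
    if owner_account is None:
        return 401, None
    if url_account != owner_account:
        return 403, None
    return 200, ACCOUNTS[owner_account]


def enumerate_accounts(handler, session_id, start, count):
    """The attacker's script: spin a range of numbers through the URL and
    keep every record that comes back."""
    harvested = {}
    for acct in range(start, start + count):
        status, record = handler(session_id, acct)
        if status == 200:
            harvested[acct] = record
    return harvested


class EnumerationDetector:
    """Flags a session that requests more than `limit` distinct account
    numbers: a real customer views their own account, not a range."""

    def __init__(self, limit=3):
        self.limit = limit
        self.seen = defaultdict(set)

    def observe(self, session_id, url_account):
        self.seen[session_id].add(url_account)
        return len(self.seen[session_id]) > self.limit


if __name__ == "__main__":
    stolen = enumerate_accounts(vulnerable_view, "sess-alice", 4000000000, 10)
    print(f"vulnerable handler leaked {len(stolen)} records")   # 3
    kept = enumerate_accounts(hardened_view, "sess-alice", 4000000000, 10)
    print(f"hardened handler leaked {len(kept)} record(s)")     # 1 (her own)
```

In the real attack the “strip” step parsed the returned HTML; here the handler hands back the record directly, which changes nothing about the logic. The fix is the single comparison in `hardened_view`: the identifier in the request is only a hint, and the session decides what the caller may see. The detector is deliberately crude (distinct account numbers per session) but it is exactly the “proactive, interactive monitor” the post notes was absent.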
Being that Citigroup had a flaw such as this, what else is lurking as extreme vulnerabilities in their systems? I would say that their overall judgment and security measures are very suspect.
On this day: In 1937, “A Day at the Races” starring The Marx Brothers opened in LA.
According to eWeek and others, approximately 200,000 card members’ accounts were accessed. The specific information compromised were names, card numbers, and e-mail addresses – perhaps other contact info depending on what you read.
Fortunately, other critical information, such as birth dates, social security numbers, card security numbers (typically on the back of your card) and card expiration dates were not compromised, as they are stored elsewhere.
It’s heartening to know that there’s a segregated storage of critical data: that is, one repository for one set of data, and another repository (or repositories) for the complementary set needed for the “whole record” view of any one entity – in this case, a person and the associated credit data. This separation of data into separate “secured” (ahem) areas makes it at least a little more difficult to assemble the critical information needed to make bogus charges or withdraw cash at the expense of card holders.
It’s disheartening to know, however, that any measure of breach occurred to any measure of system at Citigroup. This isn’t to pick on them – for a little perspective, access the Privacy Rights Clearinghouse and their Chronology of Data Breaches. That list isn’t even comprehensive – there are far more breaches, both reported and unreported, transpiring.
Citi is going to establish “enhanced procedures” according to Sean Kevelighan, spokesman for the North American Consumer Banking Division of Citi, in order to prevent future breaches. Well, that’s all well and good, but I’m curious to know if these “enhanced procedures” are general industry established and known procedures – and if so, why were they not already instituted? Also, the word “procedure” is an interesting choice. It almost makes it sound as if internal human error compounded an insecure situation.
And I characterize neglect in keeping systems updated against the latest security threats as human error – whether someone simply isn’t approving budget for protections, or someone is lax in surveying for risk and matching solutions to it.
Security solutions must be extremely aggressive. They must constantly lead threats – by a wide margin.
It doesn’t take much for a business to lose the faith of customers. In fact, it can happen at just about the speed of a button push on a keyboard…
NP: John Coltrane with the Red Garland Trio, original Prestige vinyl LP… what more needs to be said?
And now for something (not) completely different (old-school Monty Python fans will understand):
(Please see Pt. I if you haven’t).
Squarely within the concerns expressed in my prior article regarding my local Starbucks, I read yesterday that U.S. Airways suffered a power loss at a data center. This loss took their website offline, grounded hundreds of flights nationwide, and consequently stranded thousands of passengers.
U.S. Airways released the following statement yesterday:
US Airways is experiencing a computer systems outage that has impacted usairways.com and the airline’s airport computer systems.
Early reports indicate that the systems outage is the result of a power outage near one of the airline’s data centers in Phoenix. Some airport computer systems are coming back online now and we are working to restore operational order.
We strongly encourage our customers to check their flight status before arriving at the airport by calling US Airways Reservations at 1-800-428-4322.
It’s not completely clear from this statement whether the power outage involved utility mains – that is, power outside the scope of their control – or something “near” the data center such as its own internal power distribution and management. But what of reciprocal systems: redundant data and processing, geographically dispersed, and therefore not on the same substation, the same power grid, nor in the same data center?
I’m frankly surprised that a major airline could go offline like this – and I rather suspect the problem was “local” (that is, located within systems and controls of the airline itself). However, I honestly don’t know – but the redundancy criticism is certainly valid. My gosh, if an endeavor like an airline can’t maintain its continuity of business in the face of a mundane local power outage – instead suffering a national impact – I think something is seriously lagging. Recognize: Local power at one data center had national impact.
But here’s a lesson for everyone, from HelpDesk staff to senior executive class:
Survey your backup equipment, UPS devices, battery statuses, and configurations. If you manage people who do those things, survey those people, and get them on it. Take nothing for granted.
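One way to take the first item on that list out of the realm of “taking it for granted” is to script the survey. The following is an added example (not from the original post) that audits the status of several UPS units as reported by Network UPS Tools’ `upsc <ups>@<host>` command. The `upsc` output is constructed here to look like the real key: value lines; the unit names, the host, the 600-second graceful-shutdown budget and the 80% load threshold are assumptions for illustration.

```python
"""Added example (not from the original post): audit NUT `upsc` output for
units that could not carry a site through a graceful shutdown."""

# Constructed sample output, in the `key: value` format upsc prints.
SAMPLE_UPSC_OUTPUT = {
    "rack1@dc-phx": """\
battery.charge: 100
battery.charge.low: 20
battery.runtime: 1800
ups.load: 35
ups.status: OL
""",
    "rack2@dc-phx": """\
battery.charge: 48
battery.charge.low: 20
battery.runtime: 240
ups.load: 82
ups.status: OB DISCHRG
""",
    "core-sw@dc-phx": """\
battery.charge: 100
battery.charge.low: 20
battery.runtime: 300
ups.load: 20
ups.status: OL RB
""",
}

GRACEFUL_SHUTDOWN_SECONDS = 600   # assumed: time the attached hosts need to shut down cleanly
LOAD_HEADROOM_PERCENT = 80        # assumed: load above this leaves no room for growth


def parse_upsc(text):
    """Turn upsc's `key: value` lines into a dict; skips anything malformed."""
    variables = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        variables[key.strip()] = value.strip()
    return variables


def assess(variables, shutdown_seconds=GRACEFUL_SHUTDOWN_SECONDS):
    """Return the list of findings for one UPS; an empty list means healthy."""
    findings = []
    status = set(variables.get("ups.status", "").split())   # e.g. {"OL"} or {"OB", "DISCHRG"}
    if "OB" in status:
        findings.append("running on battery (mains lost)")
    if "LB" in status:
        findings.append("low battery flag raised")
    if "RB" in status:
        findings.append("battery needs replacement")
    if "OVER" in status:
        findings.append("overloaded")
    runtime = int(variables.get("battery.runtime", 0))
    if runtime < shutdown_seconds:
        findings.append(f"runtime {runtime}s is below the {shutdown_seconds}s needed for a graceful shutdown")
    charge = int(variables.get("battery.charge", 0))
    low = int(variables.get("battery.charge.low", 0))
    if charge <= low:
        findings.append(f"charge {charge}% is at or below the low threshold of {low}%")
    load = int(variables.get("ups.load", 0))
    if load > LOAD_HEADROOM_PERCENT:
        findings.append(f"load {load}% leaves little headroom")
    return findings


def audit(outputs):
    """Map each UPS name to its findings."""
    return {name: assess(parse_upsc(text)) for name, text in outputs.items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_UPSC_OUTPUT).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run against live output (for example by feeding `subprocess.run(["upsc", name])` output into `parse_upsc`) this turns “are the batteries fine?” into a question with a daily, checkable answer. The findings that matter most are the ones that only show up under load: a unit whose rated runtime is shorter than the time its hosts need to shut down cleanly is exactly the hard crash the Starbucks post describes.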
June 12th: On this day in 1979, Bryan Allen flew a human-powered aircraft over the English Channel, the Gossamer Albatross. The flight took 2 hours and 49 minutes.
A few days ago my local Starbucks lost power. The sun was shining and it was around 2 in the afternoon. Suddenly, all the lights went out, the refrigerated cases went dark, and… yes, internet connectivity was out.
What I learned that day, and the next, was interesting to me, and I hope it can provide a lesson for all of us. There had been a tremendous rainstorm the day prior to the outage. As it turns out, upon this next day’s outage, one of the baristas mentioned that they had received a call from the local utility company earlier in the day that the power might “go down” in order to work on a station. Huh.
Unfortunately, there was not only the one effect – an afternoon’s loss of power. Something else occurred: the next day, the ’net still wasn’t available, nor the next. Apparently, a hard crash had affected some measure of my local Starbucks’ back office (if I may deign to call it that – I haven’t seen it). And, for whatever reason, it was on Day 3 that internet connectivity was restored for customers.
On one of the days during ‘net unavailability, I worked at Starbucks, writing away. I watched customer after customer walk out of the store upon hearing of the outage. So, there was a definite business impact.
I’m wondering if Starbucks has a simple UPS with configuration for a graceful shutdown of equipment in the event of outages? Perhaps it’s a calculated cost – they’d rather suffer a hard crash, with dispatch of a tech to fix whatever server, router, or measure of corruption has occurred. (A barista also told me that she spent considerable time on the phone with someone from Starbucks who attempted to talk her through various resets and restore points – to no avail).
But – one also has to consider the lost business over the course of days due to the outage. Even if it was a wash, it’s better to expend a little $$ for some measure of protection to equipment in just securing the environment for business reputation – and the secured environment for customer convenience of internet access and use.
Next: Part II.
June 11th: On this day in 1911 the Tigers, trailing the White Sox 13-1, came back to win 16-15. Never, never, never give up.
(Note: See prior two articles if necessary)
Who drives DAPR? One guess… Particularly for Business, it is inadvisable to rely on a simple conversation with IT regarding this area. This is not to put down anyone’s IT endeavors or disaster recovery efforts. It is simply that IT may feel it has done the best it can regarding this aspect of business security, based on the resources it has been able to lobby for (including Business’ attention). It also includes IT’s belief (whether erroneous or actual) that it has met Business’ expectation and mounted the best mission. But here again there is an ignorance in many organizations. Business may like the numb comfort it often has in this area: walking away with a simple “Yes, we’re covered” allows Business to go back to the core business focus of the day.
There is also a certain denial at work in many organizations, or a simple pushing aside of DAPR: “We’ll get to that next quarter, next year, soon,” etc. – or – “our vendor handles that.” But like all things in the Business-Technology Weave, the IT Enlightened Organization makes disaster awareness, preparedness, and recovery a Business-driven initiative too. Who owns “business-continuity”? IT? No – after all, it’s Business’ continuity. Further, IT can only establish DAPR according to its allowance, safe-channel, and lead – from Business’ sanction and support. When IT fulfills a Business expectation, Business has to make sure the expectation is sized appropriately, filled appropriately.
To Business: You own it. It is your business that will suffer from a state of non-recovery. You must oversee DAPR, its maintenance, its evolution, its testing, and you must believe that you can rely on it to your satisfaction, values, and standards. IT will serve, participate, suggest, focus, and implement the mechanics of preventions and recoveries. IT will lead when that lead is designated by Business – but policy and planning must be driven by Business.
On this day: In 1979, The Source goes online – what some say was the first computer public information service.
The other day, we spoke of IDRU – check here for the beginning of our discussion if you haven’t already.
Before discussing DAPR, which is disaster awareness, preparedness and recovery, and its position to IDRU, let’s consider: Organizations, vendors, and practices have created a ready handle for recovery from disastrous harm – Disaster Recovery – with the attendant “Disaster Recovery Plan.” The venerable Disaster Recovery Plan is meant to secure business continuity in the face of disaster. However, security is ill served by this handle, and so too are many of the plans (and associated realities) that fall under it.
“Recovery” is reactive, when we should have a plan that includes prevention of disaster. Some measure of prevention is within our internal control, and some lies within our agility in sidestepping much of outside disaster’s influence and potential. And, we strive to make disaster “transparent” to those whom we serve.
The “recovery” aspect is poor branding. Awareness and prevention are far better terms.
Too, mere “disaster recovery” is often given short shrift in terms of attention, resources, and any sort of test or proof of concept. Many people, particularly Business people, are left to assume their disaster recovery efforts are in place, and will work, when in fact there is no reliable evidence to support this assumption:
“Can you recover from disaster?”
“I guess so – we have a disaster recovery plan.”
Many don’t really know, because there’s never been an event to recover from. But they have a plan. (Place a check in that box. Sleep well).
Absent are identified, known, and agreed upon missions, beliefs, values, standards, and tests. Here, we’re building awareness.
- Mission will be defined by your requirements for prevention, recovery when necessary, subsequent assignments, and exercises. The mission will be associated with a policy, and the policy’s manifestation is achieved through a plan.
- Beliefs include prevention as a standard; the understanding of prevention’s true value; those things that need protection according to assessed risk and available resources; and your confidence and control.
- Values support your beliefs – those things valued as necessary for sustenance of business. Values will help establish that which is protected to the best point of prevention from harm. There are also those valued business elements that determine the order of recoveries according to priority, when recoveries become necessary due to the truly unforeseen or truly uncontrollable.
- Standards establish the degrees, or levels, to which your protection is certified, in supporting preventions. Too, when recovery from damage is made, standards establish a period of time for how quickly full recovery is expected or necessary. Standards can define increments of recovery, and they support the prioritization of the valued business elements through ranking of them.
- Tests will be those simulations of harm that you employ to expose your level of success in preventions, recoveries, restorations, and the employment of identified alternative resources.
You must satisfy yourself (believe) that you can meet your organization’s identified values and standards of business continuity in the face of disaster. These things are necessary in order to provide some assurance that the best efforts have been made according to acceptable risks and available resources.
When we arrive at that place, we find that what we really have is a policy, plan, posture – a mission – for:
Disaster Awareness, Preparedness, and Recovery (DAPR)
In fact, you may wish to title this Disaster Awareness, Preparedness, Prevention and Recovery (DAPPR). Suit and size to your organization, mission, position of readiness, and comfort.
When we talk about Disaster Awareness, Preparedness, and Recovery, we stand a better chance of securing business in the real world. Recognize that the recovery aspect is for the truly unforeseeable. Leveraging understanding and compliance is essential:
Consider – DAPR forces not a different question but a set of questions:
“Are we prepared for disaster?”
“I guess so – we have a disaster recovery plan.”
“Do you have an updated awareness for potential disasters?”
“Well, let’s see – I guess we should list them.”
“Now that you have an awareness, are you prepared?”
“No. We’ve added some events, and we have a better understanding of others.”
“Are we properly prepared to prevent identified risks and potential bad outcomes?”
“Prevention? I thought this was Disaster Recovery…?”
“Can you prevent harm where appropriate? Can you truly recover from disasters - have you tested your preparedness?”
“Well, we’ll have to develop some tests, and then conduct them…”
As usual, we can leverage understanding in a powerful way when we set simple and accurate identifiers right up front – the appropriate awareness. DAPR helps us to better know ‘where we are.’ Disaster’s potential is a part of where we are, and we need an awareness of our surroundings as a part of that. Preparedness is a route to a destination – a journey – a ‘how do we get there’ factor. It leads us to the ‘where we’re going’ zones of prevention and to our strong abilities for recovery.
Awareness is required before you can achieve preparedness, and preparedness is necessary for requirements supporting prevention and recovery. Can you see the ‘where are we?’, ‘where are we going?’, and ‘how do we get there?’, elements of the previous statement?
We then require a test whose satisfaction indicates your level of success in arriving at a state of prevention or recovery – and in arriving at a properly sized DAPR position for any moment in time.
NP: I Get a Kick Out of You, The Dave Brubeck Quartet, www.jazz24.org