May 26, 2011 1:09 PM
Posted by: David Scott
attacks on the cloud, best IT practice, cloud attacks, Cloud Computing, cloud contract, cloud security, software as a service, the cloud
Several things are on the rise as concerns the Cloud.
Ever more organizations are taking advantage of the Cloud: Its universality; its ready storage potential for shared data (or even static, backed up, data); its grant of access to networks; its dispensation of services, and so on. Rising use by a rising number of organizations and org-types is paired with something else, however…
Also on the rise are attacks on the Cloud, and resultant successful breaches. Darn! Every time I begin to sense a perfect world, something comes along to burst my bubble.
The Cloud is attractive in that it is cost efficient: Storage is inexpensive, easily mounted and maintained, and again – there’s the ready access as enabled by the web. How about Software as a Service (SaaS)? Again, ready access and use. Further, utility and production easily “drop” from the Cloud to any desktop, any device (with proper access and authentication) – and a user is off and running.
But recognize that whether it’s data, apps, tools or services, something very fundamental – perhaps as fundamental as it can possibly get – is shifting. The enterprise, the organization, no longer harbors security. The organization no longer controls security – as in the days of an in-house discreet network, with a room of servers, and a workstation population largely within four walls (whether literally or figuratively) of… the organization’s control.
When things move to the Cloud, recognize that a service provider, a vendor, a solutions partner – whatever you’re using and/or deem to call it – is now running the security show. You must ensure that they have best security practices in place: Constant survey, adjustments, upgrades, risk assessments, notifications – in service to a leading security edge, not a lagging one – a proactive security posture.
You’d better do some due diligence. Why? Who manages security in these circumstances? The answer – the only answer that counts from the enterprise’s perspective – is: someone other than the enterprise. And this leaves you vulnerable: Ensure you get the actual security you need, demand, and pay for in these circumstances.
And yet: Indemnification for breaches and losses is always difficult to negotiate. Cloud services providers (including storage as a service) aren’t exactly in a posture of “Use at your own risk”, but because attacks are always evolving, and breaches can expose providers to catastrophic loss, it’s tough to ascertain just how secure any environment is in the Cloud – and contracts can be difficult to negotiate and discern.
But don’t get lazy and sign off on something you’re not comfortable with. Search and select your partners carefully. Then, survey contracts, guarantees, and remunerations. Don’t rush to the Cloud faster than providers are willing to mount, and stand behind, appropriate security.
NP: Cakewalk Into Town, Taj Mahal, jazz24.org
May 23, 2011 11:58 AM
Posted by: David Scott
, cookies expiration, identity theft, LinkedIn security, LinkedIn security flaw, security flaw LinkedIn
There is a potential problem at LinkedIn – a social networking site bringing professionals together for creating and networking with business contacts, and for furthering one’s career prospects and opportunities.
There’s a claim that a liability with LinkedIn’s authentication cookie creates a breach potential. A New Delhi researcher, Rishi Narang, claims hackers can exploit LinkedIn’s storage of authentication information in a cookie that doesn’t expire for an entire year, from date of creation.
Further, LinkedIn, according to him, does not ask whether you’d like to store this information, as does Google and many other sites. For that matter, Google and other sites only store cookies’ information for a few weeks.
Anyone breaking the cookie can gain access to a user’s account. Given the liability of a year’s expiration, that use could obviously continue for a year. Particularly for people who use public computers, such as those at libraries, or even devices in a work environment, they could be leaving themselves open to identity theft.
Narang has reported his findings to Reuters news agency, as well as posting details on his blog:
“There exists multiple vulnerabilities in LinkedIn in which it handles the cookies and transmits them over SSL. This vulnerability if exploited, can result in hijacking of user accounts, and/or modifying the user information without the consent of the profile owner.”
According to LinkedIn’s own site statistics, one million new members join each week; faster than one per second. With more than 100 million members in over 200 countries and territories, it is the world’s largest professional network, and just recently became the first U.S. social networking company to go public.
LinkedIn has said that it takes the privacy and security of its members seriously.
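As an added example (not from the original post or from LinkedIn), a small Python audit of Set-Cookie headers that flags the two weaknesses the post describes: an authentication cookie that lives for a year, and one that can be sent outside SSL or read by page scripts. The sample headers, the cookie name and the three-week lifetime threshold are constructed for illustration.

```python
"""Audit Set-Cookie headers for long-lived authentication cookies and
cookies that can travel outside SSL. Added example; the headers below
are constructed and the cookie name "sessid" is a placeholder."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers: a year-long cookie with no flags, a
# two-week cookie with Secure/HttpOnly, and a plain session cookie.
SAMPLE_HEADERS = [
    'sessid=abc123; Expires=Wed, 23 May 2012 11:58:00 GMT; Path=/',
    'sessid=def456; Max-Age=1209600; Secure; HttpOnly; Path=/',
    'sessid=ghi789; Secure; HttpOnly; Path=/',
]

NOW = datetime(2011, 5, 23, 11, 58, tzinfo=timezone.utc)  # the post's date
MAX_AUTH_LIFETIME = timedelta(weeks=3)  # "a few weeks", an assumed threshold


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).
    Attribute names are lower-cased; bare flags map to True."""
    parts = [p.strip() for p in header.split(';')]
    name, _, value = parts[0].partition('=')
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition('=')
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now=NOW):
    """Lifetime as a timedelta, or None for a session cookie.
    Max-Age takes precedence over Expires, as RFC 6265 specifies."""
    if 'max-age' in attrs:
        return timedelta(seconds=int(attrs['max-age']))
    if 'expires' in attrs:
        return parsedate_to_datetime(attrs['expires']) - now
    return None


def audit_cookie(header, now=NOW, max_lifetime=MAX_AUTH_LIFETIME):
    """Return a list of findings for one Set-Cookie header (empty means OK)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    life = cookie_lifetime(attrs, now)
    if life is not None and life > max_lifetime:
        findings.append(f'{name}: lifetime {life.days} days exceeds {max_lifetime.days}')
    if 'secure' not in attrs:
        findings.append(f'{name}: missing Secure, may be sent over plain HTTP')
    if 'httponly' not in attrs:
        findings.append(f'{name}: missing HttpOnly, readable by page scripts')
    return findings


def audit_all(headers=SAMPLE_HEADERS):
    """Audit every header and map it to its findings."""
    return {h: audit_cookie(h) for h in headers}


if __name__ == '__main__':
    for header, findings in audit_all().items():
        print(header)
        for finding in findings or ['OK']:
            print('  ', finding)
```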
On this day: In 1701, Captain Kidd was hanged in London after conviction for piracy and murder.
May 20, 2011 12:20 PM
Posted by: David Scott
, data breach, data security, online security, security policy, security practices, sony online entertainment, Sony PlayStation, virtual points, virus removal
Security is not evidenced merely through the absence of harm. A harming event may be transpiring in this moment, not yet apparent. – a B-TW warning.
You may remember my discussion of Sony’s earlier breach in my article, “Sony is Sorry.” I don’t mean to be mean, but that can be taken a couple of different ways.
It was an apology, but now Sony is looking to be in rather a sorry state of affairs: They’ve been hacked again. Sony’s customer rewards site in Japan was broken into by an intruder, who stole virtual points worth the equivalent of $1,225 from account holders. Not a whole lot in terms of theft, but the fact that access was gained is a very worrisome thing – particularly as a follow-on to what happened at Sony earlier.
What happened earlier was the stealing of personal information when the Sony PlayStation network was hacked, as well as Sony Online Entertainment.
“What we’ve done is stopped the So-Net points exchanges and told customers to change their passwords,” So-Net, Sony’s ISP unit in Japan, said in a statement.
At present, the company says that the breach seems to be limited, and no accounts are at risk other than those immediately affected.
The company further states, “At this point in our investigations, we have not confirmed any data leakage. We have not found any sign of a possibility that a third party has obtained members’ names, address, birth dates and phone numbers.”
Unnamed security experts have said that Sony’s world-wide networks remain vulnerable, according to Reuters news agency.
For that matter, I suppose we’re all vulnerable. As noted, the mere absence of evidence of something harming is not necessarily a “secured state.” Only through ongoing survey of systems, and a forward-thinking security posture, can you be reasonably certain that you are secure; that the environment is secured. Even then, there are no guarantees in this world.
Do your best, and then quickly do better.
Firewalls, intrusion preventions, virus scans, surveys for malware, antispyware, e-mail protection, and so on – are no good if someone is not surveying reports and taking note of the warnings yielded.
Also, you must take note of the successfully thwarted attempts, to remain cognizant of where attempts are coming from and what sort of entities are mounting them - in making best attempt to project and predict where threats are going in their nature, and where they’ll be coming from in the future.
You need a very proactive, evolving, and agile posture as regards threats and security.
Ensure that those who are on the forefront of securing your organization get it.
Is Sony sorry? They said they are…
NP: Thelonious Monk, Straight, No Chaser. On CD (cleansing with vinyl later…)
May 19, 2011 12:05 PM
Posted by: David Scott
, acceptable use policy, e-mail policy, mobile phone policy, work distractions, workplace distractions
Many people get distracted at work. No, seriously, they really do. It was hard for me to believe at first, too. Once I “get to it,” I’m hard at it, focused, and efficient. Further, it’s hard for me to stop working… I know you’re the same way.
But it seems that for many others, distractions are a recurring nuisance, and these folks are susceptible to them. Huh.
According to software company harmon.ie (formerly Mainsoft) and uSamp (a polling company), a 1000 member firm wastes $10 million per year due to the distractions of social media, e-mail, and badly designed software applications.
This blinding news comes from a survey of 515 white collar workers. It seems that more than half of them waste at least an hour a day: 60% of this waste is due to interruptions from electronic devices and e-mails (if these are work related, are they really “interruptions”?), and the remaining 40% is phone calls and talking to colleagues. I dunno – I had an office back in my pre-consulting days – simply closed my door. I dimly remember working in a cube or two way back when. I also remember saying, “Sorry Fred, I’m really crunching on something just now. Can we cycle past the front desk to see what Linda is wearing a little later?”
As to these interruptions: Phone etiquette demanded the answer of calls. E-mails were routine too.
Apparently, according to the study, two-thirds of people space out at meetings, reading voicemail and checking devices. Here’s a simple solution: Unless expecting something critical, instruct folks in the meeting to leave devices in their holsters. (I don’t recommend turning them off, due to possible emergency notifications from family, etc.). Make it a part of new employee orientation to mention respect for meetings, speakers, etc., and what the expectations for behavior are.
I work as a consultant now, but my office days are relatively recent, and of course I consult in offices similar to the ones I used to work in. Everyone needs a mental break, and whether that’s sauntering down to the kitchen for coffee, soda or snack, and a little tete-a-tete with whomever else has to space out for a couple minutes, I’m not sure much has changed.
Hire solid employees, set expectations, explain work, distribute work fairly and evenly, and I think things are going to be just fine.
Stay sensible out there. :^ )
NP: Feeling Good, Gerry Mulligan, Jazz24.org
May 14, 2011 1:18 PM
Posted by: David Scott
, Burson-Marsteller Washington, personal information security, Social Circle, social networking
By now, many if not most people have heard about Facebook’s so-called “secret” hire of an outside public relations firm to plant less-than-flattering stories about Google as regards security. That public relations firm, it is now known, is Burson-Marsteller – one of the biggest, and… er… one of the best (?).
In the interest of full disclosure, your humble correspondent was Information Technology Director at one of Burson-Marsteller’s (B-M) largest regional offices: Washington, DC. In fact, I was actually a Young & Rubicam employee, positioned at the DC office of B-M: Young & Rubicam owns Burson-Marsteller.
That said, it’s a rather interesting story about a lack of judgment, and a rather unsound understanding of The Business-Technology Weave that we all inhabit. The Daily Beast has reported that Facebook’s initiative to put Google in a bad light backfired when Burson-Marsteller tried to enlist a blogger in furthering negative privacy implications surrounding Google’s Social Circle social networking service.
That blogger, Chris Soghoian, a former Federal Trade Commission researcher, published his e-mails with B-M, and this exposure was ultimately reported by USA Today. The flavor of events became such that it is now clear that Facebook was engaging in an anti-Google campaign.
Here’s the kernel of what has Facebook, and perhaps Google, in a bit of hot water: Google’s Social Circle service is intended to help Gmail users maintain connection with people they chat with or e-mail – “direct connections.” But beyond, this service sends Gmail users the names of what they call secondary connections; these are any people that the direct connections follow publicly through the internet. Thus, there’s an uncomfortable mixing of private and public connections… further, Google is constantly refining the “Google experience” – mixing all manner of people, associated information, and online activity into an ongoing evolution of the web experience. It usually happens seamlessly, and many people may not be aware of what their presence within Google’s circle actually represents.
Google also prompts Gmail users to connect other outside accounts to the Social Circle: Facebook, Twitter, Yahoo, LinkedIn, Flickr, as well as others. More uncomfortable mixing, at least according to my taste. The stew can have too many ingredients; there’s always a point of diminishing return…
I like managing things very tightly, and I communicate in different styles according to different individuals and audiences – I’m sure most readers here do too. That’s the crux of the matter – what is it that you’re doing, and to whom might it inadvertently be exposed? Are you completely knowledgeable about access to your vital information – content – and do you harbor a similar knowledge as to where any of your “sends” go? (Whether e-mail, Twitter, post, etc.).
I’ve often asked of Business: What is being done in the name of your domain? But now I say to the individual social networking user: What are YOU doing in the name of your domain? That is, under the umbrella of your own personal good name?
For example, I know that when I publish in the domain of David Scott, my content is appropriate, and goes to appropriate entities and eyes.
Do you know that in your own regards?
NP: Light-Foot, Lou Donaldson, www.Jazz24.org.
May 12, 2011 11:13 AM
Posted by: David Scott
, content security, data access, data security, employee access, employee security, information access, information security, security training, small and medium business, small-to-medium business, smartphones and business
Hey, if ya can’t access it, what good is it? Well, it ain’t no good. Also, “half-information” isn’t any good either (grammar mode back on). You have to have comprehensive access to a little thing called “reinforcing content” in assembling the bloom and yield of the enterprise’s best information… content… knowledge…
“Hey, I heard about this great new restaurant…”
“Excellent! We were looking for somewhere new to go tonight!”
“Um, I forget the name, and I don’t know where it is…”
In accessing any organization’s information assets – its content, data, knowledge-base, etc. – one has to have an efficient access to the broad swath of existing and enhancing content, for a whole “best picture” view (within qualification for access, of course). Business projections have to be accurate, statistics must be up-to-date (and therefore relevant), choices and new initiatives must not only be surveyed, but accurately splayed for the qualified eyes that have to assess initiatives and options.
Within these necessities, forward-thinking employees want to employ ever more devices (most personally owned) in accessing organization data. Of course, personally owned assets generally do not enjoy the same, rigorous, scrutiny in relation to security – either for the devices’ status, nor for their actual use – a challenge for sure.
According to a survey sponsored by Trend Micro, 88% of small and medium sized business (SMB) report that some of their employees are using their own smartphones and tablet PCs for their business purposes. In the past, we’ve discussed the peril in “friending” one moment, and “businessing” the next (please review if necessary): Essentially, employees can be social networking one moment, and then accessing organizational resources and conducting business the next. The danger in sending content to the wrong party is high; further, it is easy to blur business communications with over-familiarity, slang, jokes, etc., in this blurred environment.
Ready access to business process and content enhances efficiency. Not only that, personally owned devices generally don’t cost the organization in terms of overhead: The employees own their devices, service plans, and update their own assets. Thus, no TCO (total cost of overhead). What’s not to like? Ah… but that pesky security issue.
Part of the answer may lie in a recent report by Quocirca: A value proposition for IT security. Check out the free download, which discusses prudent, responsible, and secure ways to integrate the wealth of collateral devices into your enterprise, in making business process ever-more efficient and cost-friendly through ready access.
Access, access, access. Access is King. Or Queen. Just make sure it’s not the Joker.
NP: I Thought About You, Miles Davis, jazz24.org
May 10, 2011 6:24 AM
Posted by: David Scott
, security awareness, security developer, security development, web applications, web management, web security
In some quarters, it’s being estimated that most enterprise web applications are insecure.
According to a study by Imperva, WhiteHat Security and the Ponemon Institute, 70% of respondents don’t believe web security is treated as a strategy in their organizations, with budget appropriately targeted to web application security and its associated risk.
This poses a major threat to the enterprise. Most organizations today grant access to mission critical apps through their websites. However, executive management doesn’t focus much on security – indeed, they may not even really understand it – and thus the proper emphasis and protections are not driven downward, into that bulk of managers and staff who actually do the doing in implementing security.
In all regards, security must be a central design element; in systems as well as human endeavors. In other words, security must be inherent in functionality, and process must reinforce – even force – adherence to security. In terms of human instruction, interactions, training, and use of systems, there must be the dissemination of appropriate protocols and refreshers and reminders for best security awareness. And, of course, all necessary updates.
Most organizations lack a cohesive, coherent monitoring system for intrusion detection and attempts. Often, even simple event logs are not monitored, and logs are not synchronized across the enterprise, so the information that would corroborate an event across systems is lost and review is inefficient.
Unfortunately, security is a rather ho-hum endeavor. The excitement and attraction is always the “next big thing,” with resultant mods of bells and whistles that further use and delivery; time and budget are precious, and developers are pointed forward. They do not have time to look at the present lay of the land, in assessing or advancing security – until a breach forces them to, that is, by grabbing everyone’s attention by the throat.
It all starts with awareness. Do your part as you can, within the limits of your power and authority: Once the vulnerabilities are exposed (both systemic and organizational), the senior executive class understands that a breach can not only take some or all of business offline for some measure of time, it can result in the longer lasting liabilities in exposure of content, revenue loss, and compromise of reputation.
NP: Rapid Shave – Shirley Scott / Stanley Turrentine, jazz24.org
May 6, 2011 11:41 AM
Posted by: David Scott
, data breach, data risk, data security, internet risk, organizational security, services management, sony data breach
Did you ever notice the similarity between the words “Sony” and “Sorry”? I’m just sayin’ – it’s uncanny.
“Sorry” – so says Sony’s Chief Executive Officer Howard Stringer. Sony’s recent breach, which I talked a bit about here, and here, is thought to be the biggest ever. Data from more than 100 million accounts has been compromised. One. Hundred. Million.
Sony’s PlayStation blog carried the CEO’s apology: “As a company we – and I – apologize for the inconvenience and concern caused by this attack.”
Something for companies to keep in mind in the overall swim of risk we’re in: Sales, revenue, and reputation, are heavily weighted within bad outcomes such as security breaches. A big one like this makes a consumer think twice before buying something, before subscribing to a service, before entering crucial personal information online – things like credit card numbers in the service of a purchase, and all manner of other central personal data.
The Zone: The really, really, really bad thing about any data breach is that… even if it’s the first and (thus far) only one, a company is now in a particular zone. That zone is a sort of permanent breath-holding posture: Will there be a second breach, whether soon or down the road?
A second breach could well sink a company’s reputation permanently. Ensuring that there’s never a first breach is paramount. Companies must actively survey for risk, must continually make present circumstances better, and must evaluate new products, services and implementations against new avenues of risk. All of this must be done with prudent concurrent survey for what’s going on, on the outside – breaching entities are ever-more sophisticated and powerful.
Employees must be oriented upon hire according to best security practices generally, and to practices specific to the company’s position, products, and potential vulnerabilities (absent strong controls) that are unique to its market and presence in it, etc. Going forward, all employees must then undergo regularized security training. That schedule is up to each individual company, within its own assessment of risk, vis-a-vis budget, time, and potentials.
As we’ve noted before: All activity must be viewed through a security prism. For anything you do: What effect does this action have on “the other end”? Does this process/transmission/implementation put data at risk of exposure? Does what we’re doing open a hole into our environment, or weaken a defense posture, for creating potential breaching conditions?
Stay safe out there.
On this day: In 1906, a “temporary” permit was issued in San Francisco to erect overhead wires on Market Street.
May 3, 2011 3:53 AM
Posted by: David Scott
business and social networking, facebook peril, myspace peril, small business and social networking, social media, social media and divorce, social media in the workplace, social media peril, social media security, social networking
We’ve spoken of social media perils in the past. For companies, there is liability in “friending” (on work time) one moment, then bringing an undue voice and sensibility to “businessing” the next, having just exited the party of social networking on social media such as Facebook and MySpace.
Let’s look at the personal for a moment, and related peril: Social media is now being used in 90% of a Florida attorney’s divorce cases.
Carin Constantine says, “You get a little bit of everything, that happens on Facebook. Everything from clients coming in with pictures of the opposing party doing a keg stand with high schoolers… to teenagers drinking alcohol served by a parent… to a picture of a husband at a nightclub dancing with a babysitter.” (Source: 10News, St. Petersburg, FL)
At present, Facebook is cited in a fifth of divorce cases in the U.S., according to the American Academy of Matrimonial Lawyers.
This ubiquitous use of social media exists in the workplace, too. Increasingly, employees are wasting work time on social media, holding business work at bay. It’s ok to utilize social media for marketing, business contacting, business communications, and other sanctioned business use. However, employees are frequently frittering away precious business time, during the business day, updating friends and acquaintances on purely personal matters – and other things.
Those “other things” frequently regard ruminations on the boss, co-workers, or some measure of business that is characterized in a less than flattering way.
Take heed: An increasing number of employers are monitoring employees through social media – both in terms of personal behavior, in adjudging suitability for promotion or even continued occupancy in the organization – as well as for the aforementioned lack of judgment in discussing business matters, and for simple waste of business time. Your boss may be making regular checks – how will you know? – and increasingly, Human Resources departments are assembling documentation in backing up personnel actions involving discipline and dismissals.
If you are the boss – any measure of management with any measure of people reporting to you – apprise those people of the proper sanctions and expectations. Provide orientations and warnings regarding social media: Its use (if any), the limitations, and the perils to avoid.
In all regards, personal and business, be circumspect in your use of social media and networking.
Remember: People judge you by the company you keep, and for the things you say and do. That holds true for the online world too, in this still relatively new world of social media.
Yesterday: Congratulations to Navy SEAL Team 6.