In some quarters, it’s being estimated that most enterprise web applications are insecure.
According to a study by Imperva, WhiteHat Security and the Ponemon Institute, 70% of respondents do not believe their organizations treat web application security as a strategy, with budget targeted at web application security and its associated risk.
This poses a major threat to the enterprise. Most organizations today grant access to mission-critical apps through their websites. However, executive management doesn’t focus much on security – indeed, it may not really understand it – and so the proper emphasis and protections are not driven downward to the managers and staff who actually implement security.
In all regards, security must be a central design element, in systems as well as in human endeavors. In other words, security must be inherent in functionality, and process must reinforce – even force – adherence to security. In terms of human instruction, interaction, training, and use of systems, there must be appropriate protocols, refreshers and reminders for best security awareness – and, of course, all necessary updates.
Most organizations lack a cohesive, coherent monitoring system for intrusion detection and attempts. Often, even simple event logs are not monitored, and logs are not time-synchronized or correlated across the enterprise, so an event in one log cannot enrich what is seen in another, and review is inefficient.
Unfortunately, security is a rather ho-hum endeavor. The excitement and attraction is always the “next big thing,” with the resultant bells and whistles that further use and delivery; time and budget are precious, and developers are pointed forward. They do not have time to look at the present lay of the land, in assessing or advancing security – until a breach forces them to, by grabbing everyone’s attention by the throat.
It all starts with awareness. Do your part as you can, within the limits of your power and authority: once vulnerabilities are exposed (both systemic and organizational), the senior executive class understands that a breach can not only take some or all of the business offline for some measure of time, but can also result in longer-lasting liabilities: exposure of content, revenue loss, and compromise of reputation.
NP: Rapid Shave – Shirley Scott / Stanley Turrentine, jazz24.org
Did you ever notice the similarity between the words “Sony” and “Sorry”? I’m just sayin’ – it’s uncanny.
“Sorry” – so says Sony’s Chief Executive Officer Howard Stringer. Sony’s recent breach, which I talked a bit about here, and here, is thought to be the biggest ever. Data from more than 100 million accounts has been compromised. One. Hundred. Million.
Sony’s PlayStation blog carried the CEO’s apology: “As a company we – and I – apologize for the inconvenience and concern caused by this attack.”
Something for companies to keep in mind in the overall swim of risk we’re in: sales, revenue, and reputation are heavily weighted within bad outcomes such as security breaches. A big one like this makes a consumer think twice before buying something, before subscribing to a service, before entering crucial personal information online – things like credit card numbers in the service of a purchase, and all manner of other central personal data.
The Zone: The really, really, really bad thing about any data breach is that, even if it’s the first and (thus far) only one, a company is now in a particular zone. That zone is a sort of permanent breath-holding posture: will there be a second breach, whether soon or down the road?
A second breach could well sink a company’s reputation permanently. Ensuring that there’s never a first breach is paramount. Companies must actively survey for risk, must continually make present circumstances better, and must evaluate new products, services and implementations against new avenues of risk. All of this must be done with a prudent concurrent survey of what’s going on on the outside – breaching entities are ever more sophisticated and powerful.
Employees must be oriented upon hire according to best security practices generally, and to practices specific to the company’s position, products, and potential vulnerabilities (absent strong controls) that are unique to its market and presence in it, etc. Going forward, all employees must then undergo regularized security training. That schedule is up to each individual company, within its own assessment of risk, vis-a-vis budget, time, and potentials.
As we’ve noted before: All activity must be viewed through a security prism. For anything you do: What effect does this action have on “the other end”? Does this process/transmission/implementation put data at risk of exposure? Does what we’re doing open a hole into our environment, or weaken a defense posture, for creating potential breaching conditions?
Stay safe out there.
On this day: In 1906, a “temporary” permit was issued in San Francisco to erect overhead wires on Market Street.
We’ve spoken of social media perils in the past. For companies, there is liability when an employee is “friending” (on work time) one moment, then brings an undue voice and sensibility to “businessing” the next, having just exited the party of social networking on sites such as Facebook and MySpace.
Let’s look at the personal for a moment, and a related peril: social media now figures in 90% of one Florida attorney’s divorce cases.
Carin Constantine says, “You get a little bit of everything, that happens on Facebook. Everything from clients coming in with pictures of the opposing party doing a keg stand with high schoolers… to teenagers drinking alcohol served by a parent… to a picture of a husband at a nightclub dancing with a babysitter.” (Source: 10News, St. Petersburg, FL)
At present, Facebook is cited in a fifth of divorce cases in the U.S., according to the American Academy of Matrimonial Lawyers.
This ubiquitous use of social media exists in the workplace, too. Increasingly, employees are wasting work time on social media, holding business work at bay. It’s fine to utilize social media for marketing, business contacts, business communications, and other sanctioned business use. However, employees are frequently frittering away precious business time, during the business day, updating friends and acquaintances on purely personal matters – and other things.
Those “other things” frequently involve ruminations on the boss, co-workers, or some measure of business, characterized in a less than flattering way.
Take heed: an increasing number of employers are monitoring employees through social media – both in terms of personal behavior, in judging suitability for promotion or even continued employment in the organization, and for the aforementioned lack of judgment in discussing business matters, and for simple waste of business time. Your boss may be making regular checks – how will you know? – and increasingly, Human Resources departments are assembling documentation to back up personnel actions involving discipline and dismissals.
If you are the boss – any measure of management with any measure of people reporting to you – apprise those people of the proper expectations and sanctions. Provide orientations and warnings regarding social media: its use (if any), the limitations, and the perils to avoid.
In all regards, personal and business, be circumspect in your use of social media and networking.
Remember: People judge you by the company you keep, and for the things you say and do. That holds true for the online world too, in this still relatively new world of social media.
Yesterday: Congratulations to Navy SEAL Team 6.
Mistakes will happen, as we all know.
Somehow, my latest blast of The BTW included an e-mail address in the subject line. I’m scratching my head on that one – I can’t figure out how that happened, and in trying to replicate the error, I can’t manage to do it or figure how it might have happened. Within minutes, I successfully recalled the vast majority of messages to the list, but a small number of recalls failed.
I apologize to all concerned. I don’t employ a service for my e-mail blasts, I just blind-carbon (BCC) a list – so the error is between me, my keyboard, and MS-Outlook. However, there’s a rather simple solution, in my environment, for avoiding this or any related errors in the future. ***(And please note a warning toward the end of this article – there is definitely something suspect about the Windows cut-and-paste feature…)***
Back to my environment: it’s simple enough to compose the message, set the subject, and then send the e-mail to myself. In fact, I often do that, just to verify that the link works (true, I can Ctrl+click the link in the draft e-mail’s body prior to sending, but I like to verify the actual recipient experience).
My procedure should have been, and will be going forward:
1. Compose the e-mail, with a link to the blog.
2. Review it, including the subject.
3. Send the e-mail to myself.
4. Open it and confirm the content.
5. Forward the confirmed e-mail to the list.
As I say, I invoked a recall of the message within minutes of sending (I’m always a recipient, and immediately noticed the incorrect subject line). Naturally, many of the recalls failed – of course, a fail notice does not mean that any specific recall, to any specific intended recipient, didn’t work – but I imagine some mail remained delivered, and resides in some measure of inboxes.
Well, I’d like to blame this on Microsoft, but maybe it was a matter of being a quart low on coffee this morning. At any rate, your humble correspondent is… humbled, and maybe just a little more simpatico in regards to other human error situations… However, please take note of the following:
***Warning*** – – – One wrinkle I’ve encountered in the whole MS-Windows (7), Outlook, copy-paste-hyperlink drill: I believe that every time I’ve copied my URL…
… for purpose of setting a hyperlink to all articles in the blog, upon paste it usually resolves as the link to the latest article (which is the top article in the chain) – the back of the link is highlighted, as below, indicating the specific article’s hyperlink info as being included, extra to the original Highlight and Copy…
In other words, the link that is pasted (but not highlighted, nor indicated as being copied as anything but the above) resolves as this…
(using today’s example) – and I have to take care to delete the back of the unwanted measure of hyperlink. I dislike that. If I don’t delete the back portion, recipients merely get the latest blog entry, rather than a link to a review of a reverse-chronological list of all articles, the latest month’s being on top.
That is not what I’m copying, and I suppose Windows somehow thinks it’s being helpful by suggesting a full link to the top article in the blog – with the “caboose” of the latest article highlighted. (Shades of HAL here? – 2001: A Space Odyssey).
Did something similar happen with my e-mail blast this morning – is that what’s going on? I was doing some editing of my e-mail address list – however, I don’t employ multiple cut-and-pastes held in memory – and at any rate, there’s no reason for a system to append various cuts into an amalgamated paste… at least, not in my environment – and I never set or asked Windows to do that.
Live and learn.
NP: The Dave Brubeck Quartet: Take Five – from the album Time Out. If you like jazz, if you think you might like jazz, if you don’t know what jazz is… get this.
Ok, I’m being a little facetious.
However, 3.5 million people are to receive free credit monitoring, courtesy of Texas Comptroller, Susan Combs, according to The Dallas Morning News. The monitoring may cost the state up to $21 million. Why is the state doing this?
Ms. Combs announced that Social Security numbers and other personal information had been available via a public server at her agency for more than a year. That’s almost as bad as things can get – just short of a state actually colluding with breaching entities – when you’ve got publicly accessible resources, with the sensitive personal information of millions of people exposed, lying out for the taking. Rather incredible, when you think about it.
According to the comptroller’s office, it discovered the problem on March 31st; however, it didn’t notify the attorney general’s office for a week. It then waited another 10 days or so before informing the public.
The time lapse was defended, though, and we can certainly trust the comptroller’s office’s judgment, no? (Facetious mode back on, just then – ok, back off now.) They needed time to study the problem; and it’s good that they set up a call center and an informational website in readying for public notification.
Still – anything could have happened in the approximately three weeks of lag: I know that if my personal, critical data had been hanging out there for over a year, I’d want to be told now, and I’d want to know the vulnerability is sewn shut, also as of now.
While there is no evidence of misuse (as of… er, now), we can note something besides the necessity for timely notification of stakeholders (in this case, the public). That something is the enormous leverage to be had in proactive protections. Imagine the simple security procedures – that is, security and data audits, paired with the best progressions of security reviews, policies and plans – that could be cost-apportioned over the entire Texas state server and application farm, making all information activity and related data as secure as possible.
What we here in the Weave call:
A modern arena for doing things right – right on time.
But you have to have a Business-Technology Weave with all modern, leading, sensibilities and practices in thwarting new threats, evolving threats, and stupid old threats – like someone setting up and running servers that contain critical data, with wide-open access.
Might be a good reminder to audit your own security standing and practices.
As a final thought: Is human error, such as laying out the wrong data for potential public consumption, really a breach? Isn’t that a measure of simple human error? If you dynamite a bank vault and make off with money, you’ve breached that vault. However, if a bank leaves a vault open overnight, with the front door wide open, and we then stroll in and fill suitcases with money and plunder – is that a breach? It’s not quite the same thing. Stay tuned… I think breach vs. human error merits a little more thought…
NP: Thin Lizzy, Live and Dangerous, on CD. (But some vinyl will spin tonight)
(With apologies to Mick Jagger/Rolling Stones – NYC, Madison Square Garden, 1969).
I was going to title this particular article, “If I can breach it there…, I can breach it… anywhere…”
Followed by “…with apologies to ‘New York, New York’…”.
This data incident is not a breach (at least from the perspective of the originating organization).
It is an incident of human error:
A New York Yankees employee accidentally exposed the personal data of approximately 17,000 fans. Credit card info is not thought to have been exposed, but – you can imagine the drill: How are you going to know you’re safe, short of one of two things? Either you cancel a card, or you cross your fingers and hope unauthorized charges don’t show up. For at least a few weeks’ time your peace of mind is significantly impacted.
This much is known for sure: included in the spilled information are names, addresses, phone numbers, and e-mail addresses. When considering the Yankees, not all errors occur on the field: this data spill comprises about half of all season ticket holders. It is, simply, unfortunate.
It’s interesting to note that as of yesterday, the 28th, not all season ticket holders (approximately twice the 17k thus far exposed) have been apprised that their information either 1) has been, or 2) might be, compromised. There really is no valid reason for any lag in timely notification that sensitive data is at risk.
So how the heck does an employee expose sensitive information about 17,000 people? Well, according to the Yankees Organization, the employee “accidentally” (there’s that word again) attached a spreadsheet to an outbound e-mail. As stated in I.T. Wars: Errors have efficiencies too. Bad outcomes are no longer relegated to the travel of physical paper and a couple carbons… errors travel at the speed of electrons, to destinations of extraordinary number.
Mistakes will happen, but in this case it seems rather incredible. Spreadsheets – and all files – should have accurate names, particularly for sensitive information, that reflect in a concise way the sensitivity of each file’s contents.
Further, files can be password-protected and access-controlled at creation, so that a recipient who gets a sensitive file by mistake still cannot open it. And control systems are easily developed such that, when anyone attempts to attach or include a particularly sensitive file (password protected or not) with an e-mail, a simple dialog box invokes a warning: This file has been marked “Sensitive” – or “Classified” – whatever; the check can even be triggered by the file’s content rather than its label (hey…), followed by: “Are you sure you want to send this file to these recipients?”
This can be applied in addition to other security measures, of course: access control by login account with its associated class of user and group identity, and limited, graduated levels of access to areas of data based on experience, nature of work, and need.
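As an added example of the content-triggered warning described above (not code from the original post, and not anything the Yankees organization ran): a check that an outbound-mail hook can run on an attachment before it leaves. It flags a sensitivity tag in the filename, Social Security number patterns, card numbers that pass the Luhn check, and bulk lists of e-mail addresses of the kind a season-ticket roster would contain. The sample file names and contents are constructed for the example, and the 50-address threshold for “bulk” is an arbitrary assumption.

```python
"""Attachment sensitivity check (added example; constructed data).  Returns a
decision an e-mail client or gateway can turn into the 'Are you sure?' prompt."""
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
# The Luhn check below weeds out phone numbers, IDs and other digit runs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Label-based check: a tag the author puts in the file name on creation.
TAG_RE = re.compile(r"\[(SENSITIVE|CONFIDENTIAL|RESTRICTED)\]", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(filename: str, content: str, email_threshold: int = 50) -> dict:
    """Combine the label check with content checks; reasons explain the verdict."""
    reasons = []
    if TAG_RE.search(filename):
        reasons.append("filename carries a sensitivity tag")
    ssns = SSN_RE.findall(content)
    if ssns:
        reasons.append(f"{len(ssns)} SSN-shaped value(s)")
    cards = [c for c in CARD_RE.findall(content) if luhn_ok(re.sub(r"\D", "", c))]
    if cards:
        reasons.append(f"{len(cards)} Luhn-valid card number(s)")
    emails = set(EMAIL_RE.findall(content))
    if len(emails) >= email_threshold:   # assumed threshold for a contact list
        reasons.append(f"bulk contact list ({len(emails)} addresses)")
    return {"sensitive": bool(reasons), "reasons": reasons}


# Constructed roster; the card number is the well-known Visa test number.
SAMPLE_ROSTER = (
    "Name,Phone,Card,SSN\n"
    "Jane Fan,212-555-0100,4111 1111 1111 1111,078-05-1120\n"
    "Joe Fan,212-555-0101,,\n"
)

if __name__ == "__main__":
    verdict = classify("season_ticket_holders.csv", SAMPLE_ROSTER)
    if verdict["sensitive"]:
        print("This file has been marked Sensitive:", "; ".join(verdict["reasons"]))
        print("Are you sure you want to send this file to these recipients?")
```

The label check is cheap and catches the file whose author did the right thing at creation; the content checks catch the one whose author did not, which is the case an accidental attachment usually is.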
Stay safe out there.
April 29th: On this day, in 1892, Charlie Reilly is baseball’s 1st pinch hitter.
Just kidding – it’s only Part 2. (Please see first article, just below this one for reference).
Sony has said that this information has been compromised: User name; address; country; e-mail address; birthdate; PlayStation Network/Qriocity password and login; and handle/PSN online ID.
Wow – that’s quite a bit. But it gets worse, and I always hate the “maybe(s), might have been(s)…” etc. – there may have been breach of user billing address, purchase history, and various password security answers. Ouch.
I had to laugh at some counsel from the Washington Post Business with Bloomberg section (which I saw online – I no longer reside in DC, but have many fond memories…):
This is certainly a big data breach and spells a lot of trouble for Sony’s image, but there’s no need for consumers to panic. Just deal with it the same you deal with any data breach…
Yah. No big deal… handle it like that last breach you suffered through – and, hopefully the next one won’t be any bigger a deal than this one either.
Now, I don’t advocate panicking – I’m all about serious, straight-ahead tackling of problems – establishing empirical measures and solutions, for meritorious outcomes and protections.
But frankly, a rather casual attitude seems to exist here – paired with some good advice, make no mistake; I like the advice. But, in the realm of risk, unmanaged possibilities become probabilities.
And here, Sony had tipped into the realm of probability: Given the outcome, there can be no argument. Let’s understand this fully for anyone and their position in today’s Weave:
1. Sony was in the realm of risk – we’re all there, particularly if we have any kind of online presence and business. Risk – assumed and beyond: Acknowledged.
2. Sony entered a zone of unmanaged possibilities; again, given the outcome, there can be no argument. The possibilities were engendered by someone who was not surveying the environment adequately, nor putting in place the prudent, forward, security posture and measures necessary. (Note: This is not fault-finding; the “someone” or “someones” may not have been able to survey adequately; may have been inhibited by budget; lack of training; or maybe the appropriate “someone,” department, security posture, etc., was simply missing in action at Sony).
3. As usual, the unmanaged possibility manifested as a probability – and the probable happened, as it always must: simple odds favor the probable, to the point that an unmanaged probable will always manifest.
Odds favor the probable, and left unattended, the probable will always manifest.
Thus, in the realm of risk, unmanaged possibilities become probabilities.
Survey your domains.
NP: Yardbird Suite, Charlie Parker, www.Jazz24.org – followed by Keep on Gwine, Stanton Moore… all I can say is… wow – each over 13 minutes of fine, fine, fine jazz…
Oh my: Even children at play (and adults, too) are not safe – but we knew that. It’s a cold, cruel world.
Apparently birthdates, e-mail addresses, and purchase histories have been “accessed” (therefore, for the purpose of liability assessment, assume “stolen”). Credit card info may have been stolen too, but Sony doesn’t know for sure – last time I checked. (I guess you could say last time they checked!)
However, PlayStation users are advised to check their accounts. I’m glad I’m not a “player,” at least in this context. For those of you who are parents, with kids, with PlayStations, you’re going to want to run this to ground to your own satisfaction. Check with your card providers – and I’d do it by phone…
Sony says the attack is “malicious” in nature, and has hired an outside security firm to investigate. Hmmm… methinks they hired the outside firm about a week too late.
Going forward, beware e-mail spoofs and phishing schemes: that is, official-looking e-mails that purport to be from your bank or credit card provider(s) – and, while we’re at it, from Sony too. Breaching entities can lift official logos and login screens – an entire website’s “oeuvre” – so that you think you’re logging in to “XYZ-CreditCardCo.com.” You fill in credentials (ID and password, handing them straight to the attacker), when in fact you could have left the fields blank and still been let into the dummy site, because it checks nothing. But you’ve entered the critical info… and then the site asks for all sorts of “further authentication.” Oops.
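As an added example (not from the original post): the link and form checks a mail client or gateway can run over an HTML message to catch the scheme described above. It flags anchors whose visible text names one site while the href points somewhere else, hosts that merely contain a trusted brand name, and password forms that post to an untrusted host. The trusted domains, the lookalike host names and the sample HTML are all constructed for the example; XYZ-CreditCardCo.com is the placeholder the post itself uses.

```python
"""Phishing indicators in an HTML e-mail (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list of domains the recipient actually does business with.
TRUSTED = {"xyz-creditcardco.com", "playstation.com"}


def registered_domain(host: str) -> str:
    """Last two labels of a host name (a rough stand-in for the public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(host: str) -> bool:
    """True when a host contains a trusted brand name but is not the trusted domain."""
    if registered_domain(host) in TRUSTED:
        return False
    brands = {t.split(".")[0] for t in TRUSTED}
    return any(b in host.lower() for b in brands)


def host_in_text(text: str) -> str:
    """Host named by link text such as 'www.bank.com/login'; '' if not URL-like."""
    t = text.strip()
    if "." not in t or " " in t:
        return ""
    return urlsplit(t if "://" in t else "http://" + t).netloc


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for anchors and (action, has_password) for forms."""

    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []
        self._href, self._text, self._form = None, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href") or "", []
        elif tag == "form":
            self._form = [a.get("action") or "", False]
        elif tag == "input" and self._form is not None and (a.get("type") or "").lower() == "password":
            self._form[1] = True

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
        elif tag == "form" and self._form is not None:
            self.forms.append(tuple(self._form))
            self._form = None


def phishing_indicators(html: str) -> list[str]:
    p = LinkCollector()
    p.feed(html)
    out = []
    for href, text in p.links:
        h = urlsplit(href).netloc
        shown = host_in_text(text)
        if shown and registered_domain(shown) != registered_domain(h):
            out.append(f"link text says {shown} but goes to {h}")
        if is_lookalike(h):
            out.append(f"lookalike host {h}")
    for action, has_pw in p.forms:
        h = urlsplit(action).netloc
        if has_pw and registered_domain(h) not in TRUSTED:
            out.append(f"password form posts to {h or 'a relative URL'}")
    return out


# Constructed samples: a lure dressed up as the card company, and a genuine message.
PHISH_SAMPLE = """
<p>Your account needs verification.</p>
<a href="http://xyz-creditcardco.com.verify-login.example.net/auth">www.xyz-creditcardco.com/login</a>
<form action="http://verify-login.example.net/collect" method="post">
<input name="id"><input type="password" name="pw"></form>
"""
LEGIT_SAMPLE = """
<a href="https://www.xyz-creditcardco.com/login">www.xyz-creditcardco.com/login</a>
<form action="https://www.xyz-creditcardco.com/auth" method="post">
<input name="id"><input type="password" name="pw"></form>
"""

if __name__ == "__main__":
    for hit in phishing_indicators(PHISH_SAMPLE):
        print("WARNING:", hit)
```

None of this replaces the habit of typing the card company’s address yourself rather than following a link, but it is the kind of check that turns the “official-looking” e-mail into a warning before anyone types a password.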
How the heck does Sony get breached, hacked, violated… anyhow? Aren’t they… big? Protected with the latest security measures? Are they not on the RFE (Responsible Forward Edge)? Don’t they know what they’re doin’? Um…
When Sony’s system is back up, change your ID(s), password(s), and any other authenticating/security/credentialing information – immediately. And if you used that PlayStation Network password anywhere else, change it there too.
Just to be sure.
NP: Powerage – AC/DC. Ok, a departure from my usual old-school, straight-ahead, jazz references. But… someone here at S-bucks mentioned the band, and I just had to weigh in with my 3 concert experiences; two with original singer Bon Scott – and those were… simply… amazing.
Not to sound too forward-thinking, but McAfee just released an interesting report: In the Dark: Crucial Industries Confront Cyberattacks.
It’s rather amazing that whole industries, as well as the entities that populate those industries – large, medium and small businesses – are lagging in the face of crucial threats.
Those threats comprise not only cyber war, cyber attack, and even “inside jobs” mounted by dissatisfied employees, or preventable breaching incidents manifested through human error; enterprises also face peril from large-scale threats to infrastructure, manifested by terror attack or destructive weather events.
Consider a pre-Katrina business in New Orleans. Yep – be sure to lock those doors, set the nightly backup, and while we’re at it, let’s minimize all the single points of failure we can… In the meantime, all that care and concern – and the business itself – washed away in a flood because no one heeded the warnings about under-spec’d levees.
What of sole proprietorships? Given all the tornadoes in the Midwest at the moment, what is a prudent plan for business continuity if the house blows away? Life does go on… and so must business.
I felt the gap between awareness of the potential for large-scale bad events (both internally sourced and external) and solid security postures, even in Fortune 100 environments. Here, you might expect the best awareness and allied practices, but no: often the business element, IT’s governance, would be unwilling to engage, and then only grudgingly make budget available for the thinnest of security standings for recovery. It was a vulnerable feeling, I must tell you.
I like to think that I’m a little ahead of the pack. In the last chapter of I.T. Wars: Managing the Business-Technology Weave in the New Millennium (Ch: What’s at Stake) I discuss large perils to enterprises, and what the “local” organization (that is, yours) should begin to think about doing. I propose regional BizSec teams (business security), comprised of leading minds from a variety of regional organizations. Solutions always start with discussion by proactive people…
It’s something to think about doing in this, still, new millennium. Stay safe!
I don’t use an iPhone, and my use of Google is strictly in my home, as opposed to using it on my particular “smartphone” – brand and model to remain unmentioned, at least for the moment.
I’m not too worried about these recent revelations that Apple and Google are noting, collecting, and transmitting back to base a record of users’ locations.
There are sound business reasons for noting and tracking users’ locations. As a couple of examples: by knowing where you are, these entities can deliver targeted, location-specific search results. You might be searching for specific retailers, or for locations that offer specific products, and Apple and Google each have a business interest in supplying you with the best information: each company’s reputation is enhanced when it can deliver ever better targeted results.
A great case for tracking is made in delivering traffic information: if a particular phone is moving down the road at an acceptable pace, a smartphone can report smooth sailing. If a preponderance of phones are relatively fixed on a point in proximity to a road, and any particular phone is requesting traffic info, it would be prudent for the phone to warn of possible congestion (as but one factor in any phone’s reportage of such events).
However, realize that just last year, Google shut down one element of its data collection efforts (the Wi-Fi data gathering done by its Street View cars) when it discovered it was “inadvertently” collecting personal information such as e-mail addresses and passwords!
Now, what is the downside in Apple’s and Google’s (and others) collection of location (and possibly other) information?
Consider: even today, entire families carry phones. 10-year-old kids have their own phones; in the future, it’s likely that everyone is going to be “carrying.” If a nefarious entity were to breach their way to real-time updates of a family’s location, it wouldn’t be too difficult to ascertain when everyone was out of the house. An empty home presents a nice target for burgling. In a week or two’s time, someone could know each household member’s entire schedule. Perhaps even more frightening: a breaching entity could determine when the home was occupied by only a child – and this liability is too large to leave to chance. Lest anyone think this is over-active thinking, realize that the only way threats are held in abeyance is through active survey of possibilities and the institution of prudent security measures. Know what your service providers are doing.
In other words, don’t laugh: far stranger things transpire every day. And as data becomes more universally applied to individuals and their respective lives, it will not only be enhancing: it will present large liabilities that need to be managed. You’ve heard me say, for business:
In the realm of risk, unmanaged possibilities become probabilities.
Well now, for the undeniable Personal-Technology Weave that our lives have become, we can well see the looming and growing liabilities. Any person should exercise a proactive security posture. When procuring new devices and associated services, be sure to look through security’s prism: ask questions, review contracts, and read associated articles, reports and blogs, staying abreast of what’s being done in the name of your (personal) domain.
Stay safe out there…
On this day: In 1967, actor Tom Conway died. Considered a “B-movie” actor, I love his portrayal of “The Falcon” in that series of ‘40s quasi-film-noir movies. Check ‘em out.