Hey, if ya can’t access it, what good is it? Well, it ain’t no good. Also, “half-information” isn’t any good either (grammar mode back on). You have to have comprehensive access to a little thing called “reinforcing content” in assembling the bloom and yield of the enterprise’s best information… content… knowledge…
“Hey, I heard about this great new restaurant…”
“Excellent! We were looking for somewhere new to go tonight!”
“Um, I forget the name, and I don’t know where it is…”
In accessing any organization’s information assets – its content, data, knowledge base, etc. – one has to have efficient access to the broad swath of existing and enhancing content, for a whole “best picture” view (within one’s qualification for access, of course). Business projections have to be accurate, statistics must be up to date (and therefore relevant), and choices and new initiatives must not only be surveyed, but accurately laid out for the qualified eyes that have to assess them.
Within these necessities, forward-thinking employees want to employ ever more devices (most personally owned) in accessing organization data. Of course, personally owned assets generally do not enjoy the same rigorous scrutiny in relation to security – either for the devices’ status or for their actual use – a challenge for sure.
According to a survey sponsored by Trend Micro, 88% of small and medium sized businesses (SMBs) report that some of their employees are using their own smartphones and tablet PCs for business purposes. In the past, we’ve discussed the peril in “friending” one moment, and “businessing” the next (please review if necessary): Essentially, employees can be social networking one moment, and then accessing organizational resources and conducting business the next. The danger in sending content to the wrong party is high; further, it is easy to blur business communications with over-familiarity, slang, jokes, etc., in this blurred environment.
Ready access to business process and content enhances efficiency. Not only that, personally owned devices generally don’t cost the organization much in terms of overhead: The employees own their devices, pay for their own service plans, and update their own assets. Thus, a much lower TCO (total cost of ownership) – though the organization still carries the cost of policy, support, and any incident one of those devices causes. What’s not to like? Ah… but that pesky security issue.
Part of the answer may lie in a recent report by Quocirca: A value proposition for IT security. Check out the free download, which discusses prudent, responsible, and secure ways to integrate the wealth of collateral devices into your enterprise, in making business process ever-more efficient and cost-friendly through ready access.
Access, access, access. Access is King. Or Queen. Just make sure it’s not the Joker.
NP: I Thought About You, Miles Davis, jazz24.org
In some quarters, it’s being estimated that most enterprise web applications are insecure.
According to a study by Imperva, WhiteHat Security and the Ponemon Institute, 70% of respondents don’t believe web application security is treated as a strategic priority in their organizations, with appropriate budget targeted to it and its associated risk.
This poses a major threat to the enterprise. Most organizations today grant access to mission-critical apps through their websites. However, executive management doesn’t focus much on security – indeed, they may not even really understand it – and thus the proper emphasis and protections are not driven downward, into the bulk of managers and staff who actually do the doing in implementing security.
In all regards, security must be a central design element, in systems as well as in human endeavors. In other words, security must be inherent in functionality, and process must reinforce – even force – adherence to security. In terms of human instruction, interactions, training, and use of systems, there must be the dissemination of appropriate protocols, with refreshers and reminders for best security awareness. And, of course, all necessary updates must actually be applied.
Most organizations lack a cohesive, coherent monitoring system for intrusions and intrusion attempts. Often, even simple event logs are not monitored, and logs are neither collected centrally nor kept to synchronized clocks across the enterprise – so an event on one system cannot be matched against events on another, and review, when it happens at all, is slow and piecemeal.
Unfortunately, security is a rather ho-hum endeavor. The excitement and attraction is always the “next big thing,” with its bells and whistles that extend use and delivery; time and budget are precious, and developers are pointed forward. They do not have time to look at the present lay of the land, in assessing or advancing security – until a breach forces them to, that is, by grabbing everyone’s attention by the throat.
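Here is what “synchronized across the enterprise” buys you in practice. This is an added example, not code from the original post: a few constructed sshd-style lines from three hosts, each stamping events in its own local zone, are normalized to UTC and then checked for a burst of failed logins from one source address across all three. Read raw, the timestamps look hours apart; normalized, they land inside the same 30 seconds. The log format, host names, and addresses are assumptions for the example.

```python
"""
Added example (not from the original post): normalise log lines from several
hosts to UTC, then look for a burst of failed logins from one source across
those hosts. Log format, host names and addresses are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: three hosts, each stamping events in its own local zone.
# web1 is at UTC-4, db1 at UTC, app1 at UTC-7; in UTC the first five failures
# all fall between 13:00:05 and 13:00:25, followed by a successful login.
SAMPLE_LOGS = """\
2011-05-02T09:00:05-04:00 web1 sshd: Failed password for admin from 203.0.113.9
2011-05-02T09:00:09-04:00 web1 sshd: Failed password for admin from 203.0.113.9
2011-05-02T13:00:12+00:00 db1 sshd: Failed password for root from 203.0.113.9
2011-05-02T13:00:20+00:00 db1 sshd: Failed password for admin from 203.0.113.9
2011-05-02T06:00:25-07:00 app1 sshd: Failed password for admin from 203.0.113.9
2011-05-02T06:00:31-07:00 app1 sshd: Accepted password for admin from 203.0.113.9
2011-05-02T10:15:00-04:00 web1 sshd: Failed password for jsmith from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(lines):
    """Yield (utc_time, host, result, user, ip); lines that don't parse are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            # The offset in the stamp is what makes cross-host comparison possible.
            ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
            yield ts, m["host"], m["result"], m["user"], m["ip"]


def find_bursts(lines, threshold=4, window=timedelta(seconds=60)):
    """Return {ip: info} for sources with at least `threshold` failures inside
    any `window`, counted across all hosts, noting whether a login then succeeded."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, host, result, _user, ip in parse(lines):
        (failures if result == "Failed" else successes)[ip].append((ts, host))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - start <= window]
            if len(span) >= threshold:
                alerts[ip] = {
                    "failures": len(span),
                    "hosts": sorted({h for _, h in span}),
                    "success_after": any(t >= start for t, _ in successes[ip]),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_bursts(SAMPLE_LOGS).items():
        print(ip, info)
```

Per host, no single machine sees more than two failures, which is why a host-by-host review misses it; the cross-host count is only meaningful because every line carries an offset and was normalized before comparison. Hosts without NTP, or logs stamped in local time with no offset, would defeat the check.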
It all starts with awareness. Do your part as you can, within the limits of your power and authority: Once the vulnerabilities are exposed (both systemic and organizational), the senior executive class understands that a breach can not only take some or all of business offline for some measure of time, it can result in the longer lasting liabilities in exposure of content, revenue loss, and compromise of reputation.
NP: Rapid Shave – Shirley Scott / Stanley Turrentine, jazz24.org
Did you ever notice the similarity between the words “Sony” and “Sorry”? I’m just sayin’ – it’s uncanny.
“Sorry” – so says Sony’s Chief Executive Officer Howard Stringer. Sony’s recent breach, which I talked a bit about here, and here, is thought to be the biggest ever. Data from more than 100 million accounts has been compromised. One. Hundred. Million.
Sony’s PlayStation blog carried the CEO’s apology: “As a company we – and I – apologize for the inconvenience and concern caused by this attack.”
Something for companies to keep in mind in the overall swim of risk we’re in: Sales, revenue, and reputation all take a heavy hit in bad outcomes such as security breaches. A big one like this makes a consumer think twice before buying something, before subscribing to a service, before entering crucial personal information online – things like credit card numbers in the service of a purchase, and all manner of other central personal data.
The Zone: The really, really, really bad thing about any data breach is that… even if it’s the first and (thus far) only one, a company is now in a particular zone. That zone is a sort of permanent breath-holding posture: Will there be a second breach, whether soon or down the road?
A second breach could well sink a company’s reputation permanently. Ensuring that there’s never a first breach is paramount. Companies must actively survey for risk, must continually make present circumstances better, and must evaluate new products, services and implementations against new avenues of risk. All of this must be done with prudent concurrent survey for what’s going on, on the outside – breaching entities are ever-more sophisticated and powerful.
Employees must be oriented upon hire according to best security practices generally, and to practices specific to the company’s position, products, and potential vulnerabilities (absent strong controls) that are unique to its market and presence in it, etc. Going forward, all employees must then undergo regularized security training. That schedule is up to each individual company, within its own assessment of risk, vis-a-vis budget, time, and potentials.
As we’ve noted before: All activity must be viewed through a security prism. For anything you do: What effect does this action have on “the other end”? Does this process/transmission/implementation put data at risk of exposure? Does what we’re doing open a hole into our environment, or weaken a defense posture, for creating potential breaching conditions?
Stay safe out there.
On this day: In 1906, a “temporary” permit was issued in San Francisco to erect overhead wires on Market Street.
We’ve spoken of social media perils in the past. For companies, there is liability in “friending” (on work time) one moment, then bringing an undue voice and sensibility to “businessing” the next, having just exited the party of social networking on social media such as Facebook and MySpace.
Let’s look at the personal for a moment, and related peril: Social media is now being used in 90% of a Florida attorney’s divorce cases.
Carin Constantine says, “You get a little bit of everything, that happens on Facebook. Everything from clients coming in with pictures of the opposing party doing a keg stand with high schoolers… to teenagers drinking alcohol served by a parent… to a picture of a husband at a nightclub dancing with a babysitter.” (Source: 10News, St. Petersburg, FL)
At present, Facebook is cited in a fifth of divorce cases in the U.S., according to the American Academy of Matrimonial Lawyers.
This ubiquitous use of social media exists in the workplace, too. Increasingly, employees are wasting work time on social media, holding business work at bay. It’s ok to utilize social media for marketing, business contacting, business communications, and other sanctioned business use. However, employees are frequently frittering away precious business time, during the business day, updating friends and acquaintances on purely personal matters – and other things.
Those “other things” frequently regard ruminations on the boss, co-workers, or some measure of business that is characterized in a less than flattering way.
Take heed: An increasing number of employers are monitoring employees through social media – both in terms of personal behavior, in judging suitability for promotion or even continued employment in the organization – as well as for the aforementioned lack of judgment in discussing business matters, and for simple waste of business time. Your boss may be making regular checks – how will you know? – and increasingly, Human Resources departments are assembling documentation to back up personnel actions involving discipline and dismissals.
If you are the boss – any measure of management with any measure of people reporting to you – apprise those people of the proper sanctions and expectations. Provide orientations and warnings regarding social media: Its use (if any), the limitations, and the perils to avoid.
In all regards, personal and business, be circumspect in your use of social media and networking.
Remember: People judge you by the company you keep, and for the things you say and do. That holds true for the online world too, in this still relatively new world of social media.
Yesterday: Congratulations to Navy SEAL Team 6.
Mistakes will happen, as we all know.
Somehow, my latest blast of The BTW included an e-mail address in the subject line. I’m scratching my head on that one – I can’t figure out how that happened, and in trying to replicate the error, I can’t manage to do it or figure how it might have happened. Within minutes, I successfully recalled the vast majority of messages to the list, but a small number of recalls failed.
I apologize to all concerned. I don’t employ a service for my e-mail blasts, I just blind-carbon (BCC) a list – so the error is between me, my keyboard, and MS-Outlook. However, there’s a rather simple solution, in my environment, for avoiding this or any related errors in the future. ***(And please note a warning toward the end of this article – there is definitely something suspect about the Windows cut-and-paste feature…)***
Back to my environment: It’s simple enough to compose the message, set the subject, and then send the e-mail to myself. In fact, I often do that, just to verify that the link works (true, I can use Ctrl+click to execute the link in the draft e-mail’s body, prior to send, but I like to verify the actual recipient experience).
My procedure should have been, and will be going forward:
1. Compose the e-mail, with link to the blog
2. Review it, including the subject
3. Send the e-mail to myself.
4. Open and confirm the content
5. Forward the confirmed e-mail to the list
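The five steps above are a manual checklist; the same checks can be run against the draft before it ever leaves the machine, which matters because Outlook’s recall only works inside the same Exchange organization and only for messages the recipient hasn’t opened yet. What follows is an added example, not the author’s script: it assembles a BCC blast with the standard library and then refuses it if the subject carries an e-mail address, if any list member shows up in a visible To/Cc header, if Bcc is empty, or if the link in the body is not exactly the intended one (the pasted-link problem described further down). The sender address, list, and blog URL are constructed placeholders.

```python
"""
Added example (not from the original post): build a BCC mailing and check it
against the five-step procedure before sending. Addresses and URLs below are
constructed placeholders.
"""
import re
from email.message import EmailMessage
from email.utils import getaddresses

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
LINK_RE = re.compile(r"https?://[^\s<>\"]+")


def build_blast(sender, bcc_list, subject, body):
    """The sender is the only visible recipient; the list rides in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(bcc_list)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def check_blast(msg, expected_link):
    """Return the problems found in the draft; an empty list means it passes."""
    problems = []
    sender = str(msg["From"])
    # Step 2: the subject must not carry an address (the original mishap).
    if EMAIL_RE.search(str(msg["Subject"] or "")):
        problems.append("subject contains an e-mail address")
    # Steps 3-5: nobody but the sender may appear in a visible header.
    visible = [addr for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    leaked = sorted(a for a in visible if a != sender)
    if leaked:
        problems.append("list members exposed in To/Cc: " + ", ".join(leaked))
    if not msg.get_all("Bcc"):
        problems.append("no Bcc recipients")
    # Step 1: the body must carry exactly the intended link, not a pasted
    # variant that resolves to a single article instead of the index.
    links = [l.rstrip(".,);") for l in LINK_RE.findall(msg.get_content())]
    if not links:
        problems.append("no link in body")
    for link in links:
        if link != expected_link:
            problems.append(f"link {link} does not match {expected_link}")
    return problems


if __name__ == "__main__":
    blog = "https://blog.example.com/"
    draft = build_blast("editor@example.com", ["a@example.net", "b@example.org"],
                        "The BTW: new post (reply to a@example.net)",
                        f"New post up: {blog}2011/05/latest-article\n")
    for p in check_blast(draft, blog):
        print("refusing to send:", p)
```

Run as-is, the sample draft is refused twice: once for the address in the subject, once because the pasted link points at the latest article rather than the blog index. A clean draft returns an empty list, and only then would the message be handed to the mail transport.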
As I say, I invoked a recall of the message within minutes of Send (I’m always a recipient, and immediately noticed the incorrect subject line). Naturally, many of the recalls failed – of course, a fail notice does not mean that any specific recall, to any specific intended recipient, didn’t work – but I imagine some mail remained delivered, and does reside in some number of Inboxes.
Well, I’d like to blame this on Microsoft, but maybe it was a matter of being a quart low on coffee this morning. At any rate, your humble correspondent is… humbled, and maybe just a little more simpatico in regards to other human error situations… However, please take note of the following:
***Warning*** – – – One wrinkle I’ve encountered in the whole MS-Windows (7), Outlook, copy-paste-hyperlink drill: I believe that every time I’ve copied my URL…
… for purpose of setting a hyperlink to all articles in the blog, upon paste it usually resolves as the link to the latest article (which is the top article in the chain) – the back of the link is highlighted, as below, indicating the specific article’s hyperlink info as being included, extra to the original Highlight and Copy…
In other words, the link that is pasted (but not highlighted, nor indicated as being copied as anything but the above) resolves as this…
(using today’s example) – and I have to take care to delete the back of the unwanted measure of hyperlink. I dislike that. If I don’t delete the back portion, recipients merely get the latest blog entry, rather than a link to a review of a reverse-chronological list of all articles, the latest month’s being on top.
That is not what I’m copying, and I suppose Windows somehow thinks it’s being helpful by suggesting a full link to the top article in the blog – with the “caboose” of the latest article highlighted. (Shades of HAL here? – 2001: A Space Odyssey).
Did something similar happen with my e-mail blast this morning – is that what’s going on? I was doing some editing of my e-mail address list – however, I don’t employ multiple cut-and-pastes with harbor in memory – and at any rate, there’s no reason for a system to append various cuts, into an amalgamated paste… at least, not in my environment – and I never set or asked Windows to do that.
Live and learn.
NP: The Dave Brubeck Quartet: Take Five – from the album Time Out. If you like jazz, if you think you might like jazz, if you don’t know what jazz is… get this.
Ok, I’m being a little facetious.
However, 3.5 million people are to receive free credit monitoring, courtesy of Texas Comptroller, Susan Combs, according to The Dallas Morning News. The monitoring may cost the state up to $21 million. Why is the state doing this?
Ms. Combs announced that Social Security Numbers and other personal information had been available via a public server at her agency for more than a year. That’s almost as bad as things can get – just short of a state actually colluding with breaching entities – when you’ve got publicly accessible resources, with the sensitive personal information of millions of people exposed, lying out for the taking. Rather incredible, when you think about it.
According to the comptroller’s office, they discovered this problem March 31st; however, they didn’t notify the attorney general’s office for a week’s time. They then waited another 10 days or so before informing the public.
The time lapse was defended, though, and we can certainly trust the comptroller’s office’s judgment, no? (Facetious mode back on, just then – ok, back off now –>) They needed time to study the problem; and it’s good that they set up a call center and informational website in readying for public notification.
Still – anything could have happened in the approximately 3 weeks lag: I know that if my personal, critical, data was hanging out there for over a year, I want to be told now, and I want to know the vulnerability is sewn shut, also as of now.
While there is no evidence of misuse (as of… er, now), we can note something besides the necessity for timely notification to stakeholders (in this case, the public). That something is the enormous leverage to be had in proactive protections. Imagine the simple security procedures – that is, security and data audits, paired with the best progressions of security reviews, policies and plans – that can be cost-apportioned over the entire Texas state server and application farm – in making all information activity and related data as secure as possible.
What we here in the Weave call:
A modern arena for doing things right – right on time.
But you have to have a Business-Technology Weave with all modern, leading, sensibilities and practices in thwarting new threats, evolving threats, and stupid old threats – like someone setting up and running servers that contain critical data, with wide-open access.
Might be a good reminder to audit your own security standing and practices.
As a final thought: Is human error, such as laying out the wrong data for potential public consumption, really a breach? Isn’t that a measure of simple human error? If you dynamite a bank vault and make off with money, you’ve breached that vault. However, if a bank leaves a vault open overnight, with the front door wide open, and we then stroll in and fill suitcases with money and plunder – is that a breach? It’s not quite the same thing. From the affected person’s side, mind you, the distinction is academic: the data is exposed either way, and the notification, the credit monitoring, and the cleanup are the same. Stay tuned… I think breach vs. human error merits a little more thought…
NP: Thin Lizzy, Live and Dangerous, on CD. (But some vinyl will spin tonight)
(With apologies to Mick Jagger/Rolling Stones – NYC, Madison Square Garden, 1969).
I was going to title this particular article, “If I can breach it there…, I can breach it… anywhere…”
Followed by “…with apologies to ‘New York, New York’…”.
This data incident is not a breach (at least from the perspective of the originating organization).
It is an incident of human error:
A New York Yankees employee accidentally exposed the personal data of approximately 17,000 fans. Credit card info is not thought to have been exposed, but – you can imagine the drill: How are you going to know you’re safe, short of one of two things? Either you cancel a card, or you cross your fingers and hope unauthorized charges don’t show up. For at least a few weeks’ time your peace of mind is significantly impacted.
This much is known for sure: Included in the spilled information are names, addresses, phone numbers, and e-mail accounts. When considering the Yankees, not all errors occur on the field: This data spill comprises about half of all season ticket holders. It is, simply, unfortunate.
It’s interesting to note that as of yesterday, the 28th, not all season ticket holders (approximately twice the 17k thus far exposed) have been apprised that their information either: 1) Has been – or – 2) Might be compromised. There really is no valid reason for any lag in a timely notification that sensitive data is at risk.
So how the heck does an employee expose sensitive information about 17,000 people? Well, according to the Yankees Organization, the employee “accidentally” (there’s that word again) attached a spreadsheet to an outbound e-mail. As stated in I.T. Wars: Errors have efficiencies too. Bad outcomes are no longer relegated to the travel of physical paper and a couple carbons… errors travel at the speed of electrons, to destinations of extraordinary number.
Mistakes will happen, but in this case it seems rather incredible. Spreadsheets and all files should have accurate names – particularly for sensitive information – that reflect, in a concise way, the sensitivity of each file’s contents.
Further, sensitive files can be encrypted or password-protected at creation, so that a copy that does go to the wrong party is unreadable without the key. Beyond that, control systems are easily developed such that, when anyone attempts to attach a particularly sensitive file (password protected or not) to an e-mail, a dialog box invokes a warning: This file has been marked as “Sensitive” – or “Classified” – whatever – and the trigger can even be the content itself (hey…), followed by: “Are you sure you want to send this file to these recipients?” A confirmation prompt on its own is a weak control – people click through prompts – so the same check should escalate to blocking the send, or forcing encryption, when the recipients are outside the organization.
This can be applied in addition to other security measures, of course: Access and control by virtue of login accounts with an associated class of user and group identities, and limits to, and graduated levels of, access to areas of data based on experience, nature of work, and need – that is, no more access than the job requires.
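The content-triggered check just described, as an added example rather than anything the Yankees organization or the original post supplies: an outbound-attachment guard that looks for a classification marker in the file name and for SSN and payment-card patterns in the content, then returns allow, confirm (the dialog above), or block (sensitive content bound for an outside address). The same scan, pointed at a directory instead of an attachment, is how you audit a server for the kind of exposure the Texas comptroller’s office found. The CSV export, the domain, and the recipients are constructed for the example; the SSNs and card numbers in it are test patterns, not real ones.

```python
"""
Added example (not from the original post): decide whether an attachment may
leave the organization, based on a name marker and on content patterns.
The sample CSV, domain and recipients are constructed placeholders.
"""
import re

# SSN shape, excluding area/group/serial values never issued (000, 666, 9xx, 00, 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes; Luhn filters the noise.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
MARKERS = ("sensitive", "classified", "confidential", "ssn")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return {pattern_name: count} for sensitive data found in text."""
    findings = {}
    ssns = SSN_RE.findall(text)
    if ssns:
        findings["ssn"] = len(ssns)
    cards = [c for c in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", c))]
    if cards:
        findings["card"] = len(cards)
    return findings


def attachment_decision(filename, content, recipients, internal_domain):
    """'allow' when nothing sensitive is found; 'confirm' (the dialog the text
    describes) when the file is sensitive but stays inside the organization;
    'block' when sensitive content is bound for an outside address."""
    findings = scan_text(content)
    marked = any(m in filename.lower() for m in MARKERS)
    external = [r for r in recipients
                if not r.lower().endswith("@" + internal_domain.lower())]
    if not findings and not marked:
        return "allow", findings, external
    if external:
        return "block", findings, external
    return "confirm", findings, external


# Constructed sample export; the SSNs and card numbers are test patterns only.
SAMPLE_CSV = """\
name,phone,ssn,card
Jane Roe,212-555-0134,321-54-9876,4111 1111 1111 1111
John Doe,212-555-0199,123-45-6789,5500 0000 0000 0004
"""

if __name__ == "__main__":
    verdict, found, outside = attachment_decision(
        "season_ticket_holders.csv", SAMPLE_CSV, ["fan@example.net"], "example.com")
    print(verdict, found, outside)
```

Note that the file name in the sample carries no marker at all, which is exactly the case the text complains about; the decision still comes back as block because the content itself trips the scan. Phone numbers in the same rows do not, since they are too short for the card pattern and the wrong shape for the SSN pattern.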
Stay safe out there.
April 29th: On this day, in 1892, Charlie Reilly is baseball’s 1st pinch hitter.
Just kidding – it’s only Part 2. (Please see first article, just below this one for reference).
Sony has said that this information has been compromised: User name; address; country; e-mail address; birthdate; PlayStation Network/Qriocity password and login; and handle/PSN online ID.
Wow – that’s quite a bit. But it gets worse, and I always hate the “maybe(s), might have been(s)…” etc. – there may have been breach of user billing address, purchase history, and various password security answers. Ouch.
I had to laugh at some counsel from the Washington Post Business with Bloomberg section (which I saw online – I no longer reside in DC, but have many fond memories…):
This is certainly a big data breach and spells a lot of trouble for Sony’s image, but there’s no need for consumers to panic. Just deal with it the same you deal with any data breach…
Yah. No big deal… handle it like that last breach you suffered through – and, hopefully the next one won’t be any bigger a deal than this one either.
Now, I don’t advocate panicking – I’m all about serious, straight-ahead tackling of problems – establishing empirical measures and solutions, for meritorious outcomes and protections.
But frankly, a rather casual attitude seems to exist here – paired with some good advice, make no mistake – I like the advice. But, in the realm of risk, unmanaged possibilities become probabilities.
And here, Sony had tipped into the realm of probability: Given the outcome, there can be no argument. Let’s understand this fully for anyone and their position in today’s Weave:
1. Sony was in the realm of risk – we’re all there, particularly if we have any kind of online presence and business. Risk – assumed and beyond: Acknowledged.
2. Sony entered a zone of unmanaged possibilities; again, given the outcome, there can be no argument. The possibilities were engendered by someone who was not surveying the environment adequately, nor putting in place the prudent, forward, security posture and measures necessary. (Note: This is not fault-finding; the “someone” or “someones” may not have been able to survey adequately; may have been inhibited by budget; lack of training; or maybe the appropriate “someone,” department, security posture, etc., was simply missing in action at Sony).
3. As usual, the unmanaged possibility manifested as a probability – and – the probable happened, as it always must – simple odds favor the probable, to the point that an unmanaged probable will always manifest.
Odds favor the probable, and left unattended, the probable will always manifest.
Thus, in the realm of risk, unmanaged possibilities become probabilities.
Survey your domains.
NP: Yardbird Suite, Charlie Parker, www.Jazz24.org – followed by Keep on Gwine, Stanton Moore… all I can say is… wow – each over 13 minutes of fine, fine, fine jazz…
Oh my: Even children at play (and adults, too) are not safe – but we knew that. It’s a cold, cruel world.
Apparently birthdates, e-mail addresses, and purchase histories have been “accessed” (therefore, for purpose of liability assessments, assume: “Stolen”). Too, credit card info may have been stolen, but Sony doesn’t know for sure – last time I checked. (I guess you could say last time they checked!).
However, PlayStation users are advised to check their accounts. I’m glad I’m not a “player,” at least in this context. For those of you who are parents, with kids, with PlayStations, you’re going to want to run this to ground to your own satisfaction. Check with your card providers – and I’d do it by phone…
Sony says the attack is “malicious” in nature, and has hired an outside security firm to investigate. Hmmm… methinks they hired the outside firm about a week too late.
Going forward, beware e-mail spoofs and phishing schemes: That is, official-looking e-mails that purport to be from your bank/credit card provider(s), and while we’re at it, from Sony too. Breaching entities can copy official logos and login screens – an entire website’s “oeuvre” – allowing you to think you’re logging in to “XYZ-CreditCardCo.com.” You fill in credentials (ID and password; handing the attacker a working login)… when in fact you could leave the fields blank and the dummy site would let you through just the same. But you’ve entered the critical info… and then… the site asks for all sorts of “further authentication.” Oops. The plain defense: don’t follow the link in the e-mail at all. Type the provider’s address yourself, or use a bookmark you made before the breach, and look at the address bar before you type anything.
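Most of what gives such a message away is in its links: the text you see says one thing, the href goes somewhere else, and the “somewhere else” is not the provider’s domain at all. Here is an added example, not from the original post, that pulls the anchors out of an HTML message with the standard library and flags the ones a phishing mail relies on. The message, the attacker’s host, and the use of XYZ-CreditCardCo.com (borrowed from the text above as a placeholder) are constructed for the example; the two-label “registrable domain” shortcut is an assumption, where a real filter would consult the public suffix list.

```python
"""
Added example (not from the original post): extract links from an HTML e-mail
and flag the ones that do not belong to the sender it claims to be from, or
that display one host and go to another. Message and hosts are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last two labels of a host name. Assumption for the example: a real
    check consults the public suffix list so that co.uk and friends work."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def assess_links(html, claimed_domain):
    """Return [(href, [reasons])] for every link that looks like bait."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if not host:
            continue
        reasons = []
        # The provider's name as a leading label does not make it the provider's host.
        if registrable(host) != claimed_domain.lower():
            reasons.append(f"goes to {host}, not {claimed_domain}")
        if urlparse(href).scheme == "http":
            reasons.append("plain http, not https")
        # Link text that shows a URL must agree with where the href really goes.
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and registrable(shown) != registrable(host):
            reasons.append(f"shown as {shown} but goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed phishing sample: one bait link, one genuine link.
SAMPLE_MAIL = (
    "<p>Dear customer, your account has been locked. Verify now: "
    '<a href="http://xyz-creditcardco.com.example-login.net/secure">'
    "https://www.xyz-creditcardco.com/login</a> or read "
    '<a href="https://www.xyz-creditcardco.com/help">our help page</a>.</p>'
)

if __name__ == "__main__":
    for href, reasons in assess_links(SAMPLE_MAIL, "xyz-creditcardco.com"):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The bait link is caught three times over: its real host is example-login.net with the bank’s name bolted on the front, it is plain http, and the text displayed to the reader names a different host than the one the href goes to. The genuine help link produces nothing.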
How the heck does Sony get breached, hacked, violated… anyhow? Aren’t they… big? Protected with the latest security measures? Are they not on the RFE (Responsible Forward Edge)? Don’t they know what they’re doin’? Um…
When Sony’s system is back up, change your ID(s), password(s), and any other authenticating/security/credentialing information. Immediately. And if that password was reused anywhere else, change it there too – a stolen password list gets tried against other sites.
Just to be sure.
NP: Powerage – AC/DC. Ok, a departure from my usual old-school, straight-ahead, jazz references. But… someone here at S-bucks mentioned the band, and I just had to weigh in with my 3 concert experiences; two with original singer Bon Scott – and those were… simply… amazing.
Not to sound too forward-thinking, but McAfee just released an interesting report: In the Dark: Crucial Industries Confront Cyberattacks.
It’s rather amazing that whole industries, as well as the entities that populate those industries – large, medium and small business – are lagging in the face of crucial threats.
Those threats comprise not only cyber war, cyber attack, “inside jobs” mounted by dissatisfied employees, and preventable breaching incidents manifested through human error; enterprises also face peril from large-scale threats to infrastructure, as manifested by terror attack or destructive weather events.
Consider a pre-Katrina business in New Orleans. Yep – be sure to lock those doors, set the nightly backup, and while we’re at it, let’s minimize all the single-points-of-failure elements we can… In the meantime, all that care and concern – and business – washed away in the sweep of a flood because no one heeded the warnings about under-spec’d levees.
What of sole proprietorships? Given all the tornadoes in the Midwest at the moment, what is a prudent plan for business continuity if the house blows away? Life does go on… and so must business.
I felt the gap between awareness of the potential for large-scale bad events (both internally sourced and external) and solid security postures, even in Fortune 100 environments. Here, you might expect best awareness and allied practices, but no: Often, the business element, IT’s governance, would be unwilling to engage, and then only grudgingly make budget available for the thinnest of security standings for recoveries. It was a vulnerable feeling, I must tell you.
I like to think that I’m a little ahead of the pack. In the last chapter of I.T. Wars: Managing the Business-Technology Weave in the New Millennium (Ch: What’s at Stake) I discuss large perils to enterprises, and what the “local” organization (that is, yours) should begin to think about doing. I propose regional BizSec teams (business security), comprised of leading minds from a variety of regional organizations. Solutions always start with discussion by proactive people…
It’s something to think about doing in this, still, new millennium. Stay safe!