The Business-Technology Weave


May 2, 2011  10:57 AM

Data, Human Error, and an Apology [bonus: a Warning]



Posted by: David Scott
application error, content management, content security, cut-and-paste, cut-and-paste error, data breach, data security, e-mail blast, human error, MS-Outlook, MS-Windows, program error, Windows 7

 

Mistakes will happen, as we all know.

 

Somehow, my latest blast of The BTW included an e-mail address in the subject line.  I’m scratching my head on that one – I can’t figure out how that happened, and in trying to replicate the error, I can’t manage to do it or figure out how it might have happened.  Within minutes, I successfully recalled the vast majority of messages to the list, but a small number of recalls failed.

 

I apologize to all concerned.  I don’t employ a service for my e-mail blasts, I just blind-carbon (BCC) a list – so the error is between me, my keyboard, and MS-Outlook.  However, there’s a rather simple solution, in my environment, for avoiding this or any related errors in the future.  ***(And please note a warning toward the end of this article – there is definitely something suspect about Windows’ cut-and-paste feature…)***

 

Back to my environment:  It’s simple enough to compose the message, set the subject, and then send the e-mail to myself.  In fact, I often do that, just to verify that the link works (true, I can use Ctl+click to execute the link in the draft e-mail’s body, prior to send, but I like to verify the actual recipient-experience). 

 

My procedure should have been, and will be going forward:

 

1. Compose the e-mail, with a link to the blog

2. Review it, including the subject

3. Send the e-mail to myself.

4. Open and confirm the content

5. Forward the confirmed e-mail to the list

 

As I say, I invoked a recall of the message within minutes of Send (I’m always a recipient, and immediately noticed the incorrect subject line).  Naturally, many of the recalls failed – of course, a fail notice does not mean that any specific recall, to any specific intended recipient, didn’t work – but I imagine some mail remained delivered, and does reside in some measure of Inboxes.

 

Well, I’d like to blame this on Microsoft, but maybe it was a matter of being a quart low on coffee this morning.  At any rate, your humble correspondent is… humbled, and maybe just a little more simpatico in regards to other human error situations…  However, please take note of the following:

 

***Warning*** – One wrinkle I’ve encountered in the whole MS-Windows (7), Outlook, copy-paste-hyperlink drill:  I believe that every time I’ve copied my URL…

 

http://itknowledgeexchange.techtarget.com/business-technology/

 

… for purpose of setting a hyperlink to all articles in the blog, upon paste it usually resolves as the link to the latest article (which is the top article in the chain) – the back of the link is highlighted, as below, indicating the specific article’s hyperlink info as being included, extra to the original Highlight and Copy…

 

In other words, the link that is pasted (but not highlighted, nor indicated as being copied as anything but the above) resolves as this…

 

http://itknowledgeexchange.techtarget.com/business-technology/no-one-ever-talks-about-the-positive-aspects-of-breaches%E2%80%A6/

 

(using today’s example) – and I have to take care to delete the back of the unwanted measure of hyperlink.  I dislike that.  If I don’t delete the back portion, recipients merely get the latest blog entry, rather than a link to a review of a reverse-chronological list of all articles, the latest month’s being on top.

 

That is not what I’m copying, and I suppose Windows somehow thinks it’s being helpful by suggesting a full link to the top article in the blog – with the “caboose” of the latest article highlighted.  (Shades of HAL here?  - 2001:  A Space Odyssey).

 

Did something similar happen with my e-mail blast this morning – is that what’s going on?  I was doing some editing of my e-mail address list – however, I don’t employ multiple cut-and-pastes that harbor in memory – and at any rate, there’s no reason for a system to append various cuts into an amalgamated paste… at least, not in my environment – and I never set or asked Windows to do that.

 

Live and learn.

 

NP:  The Dave Brubeck Quartet:  Take Five – from the album Time Out.  If you like jazz, if you think you might like jazz, if you don’t know what jazz is – get this.

 

 

 

April 30, 2011  6:10 AM

No One Ever Talks About the Positive Aspects of Breaches…



Posted by: David Scott
data breach, data breach expense, data security, human error, social security numbers exposed, ssn exposed, susan combs, texas data breach, texas state comptroller

 

Ok, I’m being a little facetious. 

 

However, 3.5 million people are to receive free credit monitoring, courtesy of Texas Comptroller, Susan Combs, according to The Dallas Morning News.  The monitoring may cost the state up to $21 million.  Why is the state doing this?

 

Ms. Combs announced that Social Security Numbers and other personal information had been available via a public server at her agency for more than a year.  That’s almost as bad as things can get – just short of a state actually colluding with breaching entities –  when you’ve got publicly accessed resources, with sensitive personal information of millions of people exposed, laying out for the taking.  Rather incredible, when you think about it.

 

According to the comptroller’s office, they discovered this problem March 31st, however, they didn’t notify the attorney general’s office for a week’s time.  They then waited another 10 days or so before informing the public. 

 

The time lapse was defended, though, and we can certainly trust the comptroller’s office’s judgment, no?  (Facetious mode back on, just then – ok, back off now –>)  They needed time to study the problem; and it’s good that they set up a call center and informational website in readying for public notification. 

 

Still – anything could have happened in the approximately 3 weeks lag:  I know that if my personal, critical, data was hanging out there for over a year, I want to be told now, and I want to know the vulnerability is sewn shut, also as of now.

 

While there is no evidence of misuse (as of… er, now), we can note something besides the necessity for timely notification to stakeholders (in this case, the public).  That something is the enormous leverage to be had in proactive protections.  Imagine the simple security procedures – that is, security and data audits, paired with the best progressions of security reviews, policies and plans – that can be cost-apportioned over the entire Texas state server and application farm – in making all information activity and related data as secure as possible. 

 

What we here in the Weave call: 

 

A modern arena for doing things right – right on time.

 

But you have to have a Business-Technology Weave with all modern, leading, sensibilities and practices in thwarting new threats, evolving threats, and stupid old threats – like someone setting up and running servers that contain critical data, with wide-open access.

 

Might be a good reminder to audit your own security standing and practices.

 

As a final thought:  Is human error, such as laying out the wrong data for potential public consumption, really a breach?  Isn’t that a measure of simple human error?  If you dynamite a bank vault and make off with money, you’ve breached that vault.  However, if a bank leaves a vault open overnight, with the front door wide open, and we then stroll in and fill suitcases with money and plunder – is that a breach?  It’s not quite the same thing.  Stay tuned… I think breach vs. human error merits a little more thought…

 

 

NP:  Thin Lizzy, Live and Dangerous, on CD.  (But some vinyl will spin tonight)

 


April 29, 2011  12:04 PM

Ahhh, New York City you talk a lot; let’s have a look at ya…



Posted by: David Scott
access security, best security practice, business breach, business security plan, computer security, content management, content security, cost of data breach, cyber security, data breach, data disclosure, data exposure, data security, enterprise security, human error, New York Yankees, New York Yankees data breach, NY Yankees, NY Yankees data breach, security breach

 

(With apologies to Mick Jagger/Rolling Stones -  NYC, Madison Square Garden, 1969).

 

I was going to title this particular article, “If I can breach it there…, I can breach it… anywhere…”

 

Followed by  “…with apologies to ‘New York, New York’…”. 

 

BUT –

 

This data incident is not a breach (at least from the perspective of the originating organization). 

 

It is an incident of human error:

 

A New York Yankees employee accidentally exposed the personal data of approximately 17,000 fans.  Credit card info is not thought to have been exposed, but – you can imagine the drill:  How are you going to know you’re safe, short of one of two things?  Either you cancel a card, or you cross your fingers and hope unauthorized charges don’t show up.  For at least a few weeks’ time your peace of mind is significantly impacted.

 

This much is known for sure:  Included in the spilled information are names, addresses, phone numbers, and e-mail accounts.  When considering the Yankees, not all errors occur on the field:   This data spill comprises about half of all season ticket holders.  It is, simply, unfortunate.

 

It’s interesting to note that as of yesterday, the 28th, not all season ticket holders (approximately twice the 17k thus far exposed) have been apprised that their information either:  1)  Has been – or -  2)  Might be compromised.  There really is no valid reason for any lag in a timely notification that sensitive data is at risk.

 

So how the heck does an employee expose sensitive information about 17,000 people?  Well, according to the Yankees Organization, the employee “accidentally” (there’s that word again) attached a spreadsheet to an outbound e-mail.  As stated in I.T. Wars:  Errors have efficiencies too.  Bad outcomes are no longer relegated to the travel of physical paper and a couple carbons…  errors travel at the speed of electrons, to destinations of extraordinary number.

 

Mistakes will happen, but in this case it seems rather incredible.  Spreadsheets and all files should have accurate names – particularly for sensitive information – that reflect, in a concise way, the sensitivity of each file’s contents.

 

Further, passwords and controls can be attached to files (upon their creation), forcing authentication when attaching sensitive information to e-mails.  Also, control systems are easily developed such that, when anyone attempts to attach or include a particularly sensitive file (password protected or not) with an e-mail, a simple dialog box invokes a warning:  This file has been marked as “Sensitive” – or “Classified,” or whatever the label – and it can even be auto-triggered by content (hey…), followed by:  “Are you sure you want to include this file to these recipients?”
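The attach-time check described above, as an added example that is neither the Yankees’ system nor code from this blog: a small Python guard that inspects outbound attachments for a sensitivity label in the file name and, for the content-triggered variant, for SSN-formatted values, Luhn-valid card numbers and bulk e-mail lists, and returns the confirmation prompt instead of sending.  The organisation domain, the label words, the bulk threshold and the sample CSV rows are all constructed for the illustration.

```python
import re
from typing import Dict, List, Tuple

# Assumed organisation domain (constructed); any other domain is an external recipient.
INTERNAL_DOMAIN = "example.org"
# Labels a file name may carry, per the advice that names should reflect sensitivity.
SENSITIVE_LABELS = ("sensitive", "classified", "confidential")
# At or above this many distinct addresses a file is treated as a bulk personal-data export.
BULK_THRESHOLD = 50

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # 123-45-6789 style
CARD_RE = re.compile(r"\b\d{13,16}\b")             # candidate card numbers, filtered by Luhn
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_attachment(filename: str, content: str) -> List[str]:
    """Return the reasons an attachment looks sensitive; an empty list means none found."""
    reasons = []
    lower = filename.lower()
    label = next((word for word in SENSITIVE_LABELS if word in lower), None)
    if label:
        reasons.append(f"{filename}: file name carries the label '{label}'")
    ssns = SSN_RE.findall(content)
    if ssns:
        reasons.append(f"{filename}: {len(ssns)} SSN-formatted value(s) in content")
    cards = [c for c in CARD_RE.findall(content) if luhn_ok(c)]
    if cards:
        reasons.append(f"{filename}: {len(cards)} Luhn-valid card number(s) in content")
    emails = set(EMAIL_RE.findall(content))
    if len(emails) >= BULK_THRESHOLD:
        reasons.append(f"{filename}: {len(emails)} distinct e-mail addresses (bulk personal data)")
    return reasons


def external_recipients(recipients: List[str]) -> List[str]:
    """Recipients outside the organisation's own domain."""
    return [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def check_outbound(recipients: List[str], attachments: List[Tuple[str, str]]) -> Dict:
    """Decide whether a message may leave as-is ('allow') or needs the user's confirmation."""
    reasons = []
    for name, content in attachments:
        reasons.extend(classify_attachment(name, content))
    external = external_recipients(recipients)
    if not reasons:
        return {"action": "allow", "reasons": [], "external": external, "prompt": ""}
    where = f"external recipients {', '.join(external)}" if external else "these recipients"
    prompt = (f"This file has been flagged as Sensitive ({len(reasons)} reason(s)). "
              f"Are you sure you want to include it for {where}?")
    return {"action": "confirm", "reasons": reasons, "external": external, "prompt": prompt}


# Constructed sample data: fake people, fake addresses, standard test card numbers.
CARD_CSV = ("name,address,phone,email,card\n"
            "Jane Doe,1 Main St,555-0100,jane@mail.example,4111111111111111\n"
            "John Roe,2 Elm St,555-0101,john@mail.example,5500000000000004\n")
BULK_CSV = "name,email\n" + "".join(f"Fan {i},fan{i}@mail.example\n" for i in range(60))

if __name__ == "__main__":
    for rcpts, files in [(["vendor@partner.example"], [("ticket_holders.csv", CARD_CSV)]),
                         (["colleague@example.org"], [("notes.txt", "meeting at 3")]),
                         (["colleague@example.org"], [("Fans_SENSITIVE.csv", BULK_CSV)])]:
        result = check_outbound(rcpts, files)
        print(result["action"], result["reasons"], result["prompt"])
```

The guard deliberately returns a decision rather than calling input() or a mail API, so the same function can sit behind a client-side dialog or a server-side mail gateway; the Luhn filter keeps ordinary long numbers (account ids, timestamps) from firing the card rule.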

 

This can be applied in addition to other security measures of course:  Access and control by virtue of login accounts with associated class-of-user, group network identities, and – limits to, and graduated levels of, access to areas of data based on experience, nature of work, and need.

 

Stay safe out there.

 

April 29th:  On this day, in 1892, Charlie Reilly is baseball’s 1st pinch hitter.


April 28, 2011  7:44 AM

Security, Sony, and Station (PlayStation), Part 45



Posted by: David Scott
authentication, authentication questions, cost of data breach, credential information, credentialing information, credit card breach, credit card data, data breach, data breach expense, data compromise, data control, ID, login, password, playstation, Sony, Sony PlayStation, user data, user ID

 

Just kidding – it’s only Part 2.  (Please see the first article, just below this one, for reference).

 

Sony has said that this information has been compromised:  User name; address; country; e-mail address; birthdate; PlayStation Network/Qriocity password and login; and handle/PSN online ID.

 

Wow – that’s quite a bit.  But it gets worse, and I always hate the “maybe(s), might have been(s)…” etc. – there may have been breach of user billing address, purchase history, and various password security answers.  Ouch.

 

I had to laugh at some counsel from the Washington Post Business with Bloomberg section (which I saw online – I no longer reside in DC, but have many fond memories…):

 

This is certainly a big data breach and spells a lot of trouble for Sony’s image, but there’s no need for consumers to panic.  Just deal with it the same you deal with any data breach…

 

Yah.  No big deal…  handle it like that last breach you suffered through – and, hopefully the next one won’t be any bigger a deal than this one either.

 

Now, I don’t advocate panicking – I’m all about serious, straight-ahead tackling of problems – establishing empirical measures and solutions, for meritorious outcomes and protections.

 

But frankly, a rather casual attitude seems to exist here – paired with some good advice, make no mistake – I like the advice.  But, in the realm of risk, unmanaged possibilities become probabilities.

 

And here, Sony had tipped into the realm of probability:  Given the outcome, there can be no argument.  Let’s understand this fully for anyone and their position in today’s Weave: 

 

1. Sony was in the realm of risk – we’re all there, particularly if we have any kind of online presence and business.  Risk – assumed and beyond:  Acknowledged.

2. Sony entered a zone of unmanaged possibilities; again, given the outcome, there can be no argument.  The possibilities were engendered by someone who was not surveying the environment adequately, nor putting in place the prudent, forward, security posture and measures necessary.  (Note:  This is not fault-finding; the “someone” or “someones” may not have been able to survey adequately; may have been inhibited by budget; lack of training; or maybe the appropriate “someone,” department, security posture, etc., was simply missing in action at Sony).

3. As usual, the unmanaged possibility manifested as a probability – and – the probable happened, as it always must – simple odds favor the probable, to the point that an unmanaged probable will always manifest.

 

Odds favor the probable, and left unattended, the probable will always manifest.

 

Thus, in the realm of risk, unmanaged possibilities become probabilities.

 

Survey your domains.

 

 

NP:  Yardbird Suite, Charlie Parker, www.Jazz24.org – followed by Keep on Gwine, Stanton Moore…  all I can say is… wow – each over 13 minutes of fine, fine, fine jazz…

 


April 27, 2011  11:07 AM

Security, Sony, and Station (PlayStation)



Posted by: David Scott
breach of credit card, cost of data breach, credit card breach, data breach, data breach expense, data security, e-mail spoof, online spoof, playstation breach, Sony, sony breach, Sony PlayStation, spoof

Oh oh (again).  Sony says that sometime between April 17th and 19th, its PlayStation network was hacked.  Here in the classy environs of The BTW (and by extension, IT Knowledge Exchange and TechTarget) we might refer to this as a breach.  Sony is advising its 77 million (disconnected) users to check their credit card accounts.

Oh my:  Even children at play (and adults, too) are not safe – but we knew that.  It’s a cold, cruel world.

Apparently birthdates, e-mail addresses, and purchase histories have been “accessed” (therefore, for purpose of liability assessments, assume:  “Stolen”).  Too, credit card info may have been stolen, but Sony doesn’t know for sure – last time I checked.  (I guess you could say last time they checked!). 

However, PlayStation users are advised to check their accounts.  I’m glad I’m not a “player,” at least in this context.  For those of you who are parents, with kids, with PlayStations, you’re going to want to run this to ground to your own satisfaction.  Check with your card providers – and I’d do it by phone…

Sony says the attack is “malicious” in nature, and has hired an outside security firm to investigate.  Hmmm… methinks they hired the outside firm about a week too late.

Going forward, beware e-mail spoofs and phishing schemes:  That is, official-looking e-mails that purport to be from your bank/credit card provider(s) and, while we’re at it, from Sony too.  Breaching entities can strip official logos and authentication screens – an entire website’s “oeuvre” – allowing you to think you’re logging in to “XYZ-CreditCardCo.com” – you fill in credentials (ID and password; again feeding a hack situation)… when in fact you could leave the fields blank and access the dummy site.  But, you’ve entered the critical info… and then… the site asks for all sorts of “further authentication.”  Oops.

How the heck does Sony get breached, hacked, violated… anyhow?  Aren’t they… big?  Protected with the latest security measures?  Are they not on the RFE (Responsible Forward Edge)?  Don’t they know what they’re doin’?  Um…

When Sony’s system is back up, change your ID(s), password(s), and any other authenticating/security/credentialing information.  Immediately.

Just to be sure.

 

NP:  Powerage – AC/DC.  Ok, a departure from my usual old-school, straight-ahead, jazz references.  But… someone here at S-bucks mentioned the band, and I just had to weigh in with my 3 concert experiences; two with original singer Bon Scott – and those were… simply… amazing.

 

 

 

 


April 25, 2011  11:57 AM

In the Dark: Folks are just now catching up to The BTW



Posted by: David Scott
best business practice, business ability, business adaptability, business alignment, business and IT policy, business and IT planning, business and IT solutions, business breach, business challenge, business continuity, cyber attack, cyber security, cyber threat, cyber training, cyber war, cyberwar, DAPR, disaster awareness, disaster awareness preparedness and recovery, disaster plan, disaster prevention, disaster recovery planning, DR, DR planning, in the dark, in the dark: crucial industries confront cyber attacks

 

Not to sound too forward-thinking, but McAfee just released an interesting report:  In the Dark:  Crucial Industries Confront Cyberattacks.

 

It’s rather amazing that whole industries, as well as the entities that populate those industries – large, medium and small business – are lagging in the face of crucial threats.

 

Those threats comprise not only cyber war, cyber attack, and even “inside jobs” mounted by dissatisfied employees, or preventable breaching incidents manifested through human error; enterprises also face peril from large-scale threats to infrastructure, as manifested by terror attack or destructive weather events.

 

Consider a pre-Katrina business in New Orleans.  Yep – be sure to lock those doors, set the nightly backup, and while we’re at it, let’s minimize all the single-points-of-failure elements we can…  In the meantime, all that care and concern – and business – washed away in the comprehensibility of a flood, because no one heeded the warnings about under-spec’d levees.

 

What of sole-proprietorships?  Given all the tornadoes in the Midwest at the moment, what is a prudent plan for business continuity if the house blows away?  Life does go on… and so must business.

 

I felt the gap between awareness of the potential for large-scale bad events (both internally sourced, and external) and solid security postures, even in Fortune 100 environments.  Here, you might expect best awareness and allied practices, but no:  Often, the business element, IT’s governance, would be unwilling to engage, and then only grudgingly make budget available for the thinnest of security standings for recoveries.  It was a vulnerable feeling, I must tell you.

 

I like to think that I’m a little ahead of the pack.  In the last chapter of I.T. Wars:  Managing the Business-Technology Weave in the New Millennium (Ch:  What’s at Stake) I discuss large perils to enterprises, and what the “local” organization (that is, yours) should begin to think about doing.  I propose regional BizSec teams (business security), comprised of leading minds from a variety of regional organizations.  Solutions always start with discussion by proactive people…

 

It’s something to think about doing in this, still, new millennium.  Stay safe!

 

 

NP:  Blue Rondo à la Turk.  Jazz24.org.  Brubeck – ‘nuff said.

 


April 22, 2011  10:16 AM

Uh Oh: Google and Apple are Collecting Information about YOU



Posted by: David Scott
Apple, apple google collect personal information, collection of personal information, data breach, data collection, data theft, google, personal information, service provider, streetview, unwarranted data collection

 

I don’t use an iPhone, and my use of Google is strictly in my home, as opposed to using it on my particular “smartphone” – brand and model to remain unmentioned, at least for the moment.

 

I’m not too worried about these recent revelations that Apple and Google are noting, collecting, and transmitting back to base a record of users’ locations.

 

There are sound business reasons for noting, and tracking, users’ locations.  As but a couple examples:  By knowing where you are, these entities can deliver targeted, location-specific, search results.  You might be searching for specific retailers, or locations that offer specific products, and Apple and Google each have a business interest in supplying you with best information:  either reputation is enhanced when they can deliver ever-better targeted results.

 

A great case for tracking is made in delivering traffic information:  If a particular phone is moving down the road at an acceptable pace, a smartphone can report smooth sailing.  If a preponderance of phones are relatively fixed on a point, in proximity of a road, and any particular phone is requesting traffic info, it would be prudent for the phone to warn of possible congestion (as but one factor in any phone’s reportage of such events).

 

However, realize that just last year, Google shut down one element of its data collection efforts (StreetView) when it discovered it was “inadvertently” collecting personal information such as e-mail addresses and passwords! 

 

Now, what is the downside in Apple’s and Google’s (and others) collection of location (and possibly other) information?

 

Consider:  Even today, entire families carry phones.  10-year-old kids have their own phones; in the future, it’s likely that everyone is going to be “carrying.”  If a nefarious entity were to breach their way to live-time updates of a family’s location, it wouldn’t be too difficult to ascertain when everyone was out of the house.  An empty home presents a nice target for burgling.  In a week or two’s time, someone could know each member of a household’s entire schedule.  Perhaps even more frightening:  A breaching entity could determine when the home was occupied by only a child – and this liability is too large to leave to chance.  Lest anyone think this is over-active thinking, realize that the only way threats are held in abeyance is through active survey of possibilities, and the institution of prudent security measures.  Know what your service providers are doing.

 

In other words, don’t laugh:  Far stranger things transpire every day.  And as data becomes more universally applied to individuals and their respective lives, it will not only be enhancing:  It will present large liabilities that need to be managed.  You’ve heard me say, for business: 

 

In the realm of risk, unmanaged possibilities become probabilities.

 

Well now, for the undeniable Personal-Technology Weave that our lives have become, we can well see the looming and growing liabilities.  Any person should exercise a proactive security posture.  When procuring new devices and associated services, be sure to look through security’s prism:  Ask questions, review contracts, and… read associated articles, reports and blogs in staying abreast of what’s being done in the name of your (personal) domain. 

 

Stay safe out there…

 

On this day:  In 1967, actor Tom Conway died.  Considered a “B-movie” actor, I love his portrayal of “The Falcon” in that series of ‘40s quasi-film-noir movies.  Check ‘em out.

 

 

 

 

 

 

 


April 18, 2011  11:30 AM

Uh Oh: Government Sponsored Internet ID Plan?



Posted by: David Scott
cyber security, federal government breach, government breach, identity ecosystem, identity theft, internet ID, National Strategy for Trusted Identities in Cyberspace, online security

 

No partisan ruminations here:  We IT and Business folk are nothing if not practical.  We strive to be efficient, safe, and true to the mission.  That’s our agenda.  That said, I remember a common joke I heard primarily in my youth:

 

The nine most terrifying words in the English language are, “I’m from the government and I’m here to help.”

 

And now, Government wants to “help” us in the collective digital domain: 

The Commerce Dept. unveiled a plan Friday to create a national cyber-identity system that would give consumers who opt in a single secure password and identity for all their digital transactions.  [Source:  FoxNews.com]

 

A single ID and password for everything I do digitally?  Most emphatically:  No thank you. 

 

Although, I will say, here is where government does actually achieve some efficiency:  If your Federally sponsored online ID and password are breached, ALL of your online endeavors can immediately be compromised.

 

But wait!  You can have multiple authentication credentials, from multiple “credential providers,” with associated fobs, or smartcards, or smartphone software, or “tokens”…  my head’s spinnin’.  This article mentions “…though having two [or more – DS] would reduce the simplicity factor, of course.” 

 

The drive is toward a single set of credentials per person.

 

Right now, I have a diverse set of authentication credentials that I manage on my own, quite nicely – for banks, stores, this blog, etc. – and I like the fact that, so far as I know, the government is not involved.  If I forget a password, or even my ID, I can provide answers to simple questions in resuming authorization and access.  Further, most if not all of my sites require further, simple, authentication measures beyond ID and password:  Such as answers to questions regarding Favorite Hobby, Name of Favorite Uncle, What Year Did You Graduate High School?, etc. – as well as CAPTCHA and other security mechanisms. 

 

This alone is off-putting enough:  The National Strategy for Trusted Identities in Cyberspace. 

 

Recognize that the Feds can’t even secure the data they presently have.  Just refer to – Report:  Military and government data breached 104 times in 2010.  Also, Google “Federal Data Breaches.”

 

Happy reading.

 

On this day:  In 1955, the first “Walk”/”Don’t Walk” lighted street signals were installed.

 


April 18, 2011  9:40 AM

More Clouds in the Cloud – Consider DropBox



Posted by: David Scott
application as a service, cloud access, cloud applications, cloud apps, cloud security, cloud services, cloud vulnerabilities, computing as a service, data as a service, hardware as a service, IT security, platform as a service, software as a service, the cloud

 

I hate to sound prescient, but these Cloud apps, services, and storage areas really do present risk.

 

At the same time, The Cloud ain’t goin’ nowhere.  Further, folks are going to continue taking advantage of the free and low-cost solutions there, and their ability to make solutions and enablements readily available virtually anywhere – quickly.

 

However, as I state very plainly in  I.T. Wars,  powerful enablements come with what can be extreme liabilities.  You must carefully manage potential liabilities, and while The Cloud is hardly unique in this respect, realize that standard recognitions like maintenance, survey, repair, and safeguarding may be totally out of your hands.

 

Deep breath.  Relax.  Fresh cup of coffee… (ahhhh… coffee.  Is there anything it cannot do?).

 

I was tempted to call this article, Dropping DropBox.  But, I rather like DropBox, and have to use it with some clients who use it.  Again, to reinforce something we said a couple days ago:  Even with a free service, be certain to weigh ROI against TCO.  See the bottom of this article concerning ROI and TCO, as necessary.

 

The purported problem with DropBox is the way it authenticates users, and thus the subsequent allowance (authorization) to files:  It uses a hexadecimal code – a “hash code” – stored as plain text, on users’ hard drives.  Anyone breaching and obtaining this code has access to a user’s account – and files.

 

Further, in case you’re a DropBox user and are rushing to change your password – it’s immaterial:  A fresh password will not obviate third-party access via the hash code.

 

This security liability, involving a pre-eminent Cloud app and data repository, really hammers home the point we’ve been making here in The BTW:  Be careful about where you procure and place your “solutions” involving storage, process, accessibility, and so on.  Do your homework.

 

Remember that clouds rain every once in awhile… including The Cloud.

 

 

A couple of days ago:  In 1954, Joe Turner releases “Shake, Rattle & Roll.”  Check out the original.  (Didn’t get around to posting this one, but had to still acknowledge Joe).

 


April 11, 2011  11:25 AM

Sobering: Cyber Security and Government



Posted by: David Scott
content management, cyber attack, cyber security, cyber security and government, data breach, data corruption, data loss, data theft, epsilon, government data, government data breach

 

It was so tempting to title this, “Sobering:  Cyber Security and Society”… I do so love alliteration.

 

But no matter – perhaps as a follow-up.  Today’s post is driven by some rather bothersome statistics:  The number of cyber security incidents affecting Federal Government information is increasing.

 

Consider:

 

Cyber Security Incidents Affecting Government Information:

- 2006 incidents reported: 5,503

- 2008 incidents reported: 16,843

- 2010 incidents reported: 41,776

Source:  GAO & Office of Management

 

“Affecting” involves everything and anything:  Exposure, corruption of data, nefarious manipulation of data, introduction of malware, breach, theft, loss, and so forth.  We all face the same sorts of threats and attendant bad outcomes.

 

It’s been awhile since I’ve done work for the Feds, but interestingly, I had occasion to do a little work for a city agency recently – just within these past weeks.  Obligation of Confidentiality prevents me from naming the city, agency, or specific work – and even absent that, I wouldn’t.  However, a rather illuminating incident does highlight what is likely to be a contributor to Federal, State, County and City governments’ challenges, and provides a lesson to us all.

 

An administrative person received a warning e-mail from Target regarding the Epsilon breach.  It appeared that the recently-departed, prior, Admin person had ordered from Target at that particular PC workstation, under generic login credentials (“Admin”), and Target was warning that the admin@xyz.org address, and perhaps other information, might be compromised.

 

I notified the department’s Director, offering to draft an e-mail of warning regarding the Epsilon breach, and some things to watch for, to avoid, and some general cyber security tips.  A point to the department’s IT Security Policy would have been nice too (if they had one).

 

The Director declined – and because I was there contracting on other matters, I concentrated on those.  But… my gosh:  In 2011, you miss an opportunity to reinforce security awareness and to propagate best practices in a vulnerable environment?  Who can afford that? 

 

No one.

 

The stats above are hardly surprising.  If you are in a position of influence – whether government agency or private sector business – anything – never lose an opportunity to reinforce security awareness and best business practices.

 

Always remember this BTW principle: 

 

In the realm of risk, unmanaged possibilities become probabilities.

 

 

On this day:  In 1921, station KDKA broadcast the first radio sporting event:  a boxing match; Ray vs. Dundee. 

