No partisan ruminations here: We IT and Business folk are nothing if not practical. We strive to be efficient, safe, and true to the mission. That’s our agenda. That said, I remember a common joke I heard primarily in my youth:
The nine most terrifying words in the English language are, “I’m from the government and I’m here to help.”
And now, Government wants to “help” us in the collective digital domain:
The Commerce Dept. unveiled a plan Friday to create a national cyber-identity system that would give consumers who opt in a single secure password and identity for all their digital transactions. [Source: FoxNews.com]
A single ID and password for everything I do digitally? Most emphatically: No thank you.
Although, I will say, here is where government does actually achieve some efficiency: If your Federally sponsored online ID and password are breached, ALL of your online endeavors can immediately be compromised.
But wait! You can have multiple authentication credentials, from multiple “credential providers,” with associated fobs, or smartcards, or smartphone software, or “tokens”… my head’s spinnin’. This article mentions “…though having two [or more – DS] would reduce the simplicity factor, of course.”
The drive is toward a single set of credentials per person.
Right now, I have a diverse set of authentication credentials that I manage on my own, quite nicely – for banks, stores, this blog, etc. – and I like the fact that, so far as I know, the government is not involved. If I forget a password, or even my ID, I can provide answers to simple questions in resuming authorization and access. Further, most if not all of my sites require further, simple, authentication measures beyond ID and password: Such as answers to questions regarding Favorite Hobby, Name of Favorite Uncle, What Year Did You Graduate High School?, etc. – as well as CAPTCHA and other security mechanisms.
This alone is off-putting enough: The National Strategy for Trusted Identities in Cyberspace.
Recognize that the Feds can’t even secure the data they presently have. Just refer to – Report: Military and government data breached 104 times in 2010. Also, Google “Federal Data Breaches.”
On this day: In 1955, the first “Walk”/”Don’t Walk” lighted street signals were installed.
I hate to sound prescient, but these Cloud apps, services, and storage areas really do present risk.
At the same time, The Cloud ain’t goin’ nowhere. Further, folks are going to continue taking advantage of the free and low-cost solutions there, and their ability to make solutions and enablements readily available virtually anywhere – quickly.
However, as I state very plainly in I.T. Wars, powerful enablements come with what can be extreme liabilities. You must carefully manage potential liabilities, and while The Cloud is hardly unique in this respect, realize that routine responsibilities like maintenance, survey, repair, and safeguarding may be totally out of your hands.
Deep breath. Relax. Fresh cup of coffee… (ahhhh… coffee. Is there anything it cannot do?).
I was tempted to call this article, Dropping DropBox. But, I rather like DropBox, and have to use it with some clients who use it. Again, to reinforce something we said a couple days ago: Even with a free service, be certain to weigh ROI against TCO. See the bottom of this article concerning ROI and TCO, as necessary.
The purported problem with DropBox is the way it authenticates users, and thus what it subsequently authorizes them to reach (their files): The client stores a long hexadecimal identifier – commonly called a “hash code” – as plain text on the user’s hard drive, and presenting that value to the service is, by itself, enough to be treated as that user. In security terms it is a bearer credential: anyone who copies the file has the account – and the files – with no password required.
Further, in case you’re a DropBox user and are rushing to change your password – it’s immaterial: A fresh password does not invalidate the stored code, so third-party access via it continues. The code and the password are simply not tied together. What actually helps is revoking the credential itself, that is, having the service stop honoring that copy (unlinking the affected computer from the account).
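To make the point concrete, here is an added illustration (mine, not DropBox’s code, and not a description of their internals): a toy service that links a device with a long-lived token, first with the flaw described above, then with the token tied to the account’s credential state so that a password change, or revoking one device, actually shuts the door. Class and method names are this example’s own.

```python
# Added illustration, not DropBox's code: a weak and a hardened version of
# device-token authentication. All names here are this example's own.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _token_digest(token):
    # Server keeps only a hash of each token; a server-side leak yields no bearer tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    generation: int = 0                          # bumped on every password change
    devices: dict = field(default_factory=dict)  # token digest -> generation at issue


class WeakService:
    """A token written to the client's disk authenticates on its own, forever."""

    def __init__(self):
        self.accounts = {}     # username -> Account
        self.token_index = {}  # token digest -> username

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def _check_password(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt))

    def link_device(self, user, password):
        """One-time linking step; returns the token the client stores in plain text."""
        if not self._check_password(user, password):
            return None
        token = secrets.token_hex(32)
        digest = _token_digest(token)
        acct = self.accounts[user]
        acct.devices[digest] = acct.generation
        self.token_index[digest] = user
        return token

    def authenticate_device(self, token):
        """Every later sync: the token alone decides, no password involved."""
        return self.token_index.get(_token_digest(token))

    def change_password(self, user, old, new):
        if not self._check_password(user, old):
            return False
        acct = self.accounts[user]
        acct.salt = os.urandom(16)
        acct.password_hash = _hash_password(new, acct.salt)
        return True  # existing device tokens are untouched: the flaw


class HardenedService(WeakService):
    """Same flow, but a token is honoured only while its generation matches the
    account's, and one device can be revoked without disturbing the others."""

    def authenticate_device(self, token):
        digest = _token_digest(token)
        user = self.token_index.get(digest)
        if user is None:
            return None
        if self.accounts[user].devices.get(digest) != self.accounts[user].generation:
            return None  # issued before the last password change: stale
        return user

    def change_password(self, user, old, new):
        if not super().change_password(user, old, new):
            return False
        self.accounts[user].generation += 1  # every linked device must re-link
        return True

    def revoke_device(self, user, token):
        digest = _token_digest(token)
        acct = self.accounts.get(user)
        if acct is None or digest not in acct.devices:
            return False
        del acct.devices[digest]
        del self.token_index[digest]
        return True


def stolen_token_survives_password_change(service_cls):
    """True if a token copied off the victim's disk still works after the
    victim changes the password: the outcome this post describes."""
    svc = service_cls()
    svc.register("alice", "correct horse")
    stolen = svc.link_device("alice", "correct horse")  # attacker copies the file
    svc.change_password("alice", "correct horse", "battery staple")
    return svc.authenticate_device(stolen) == "alice"
```

Run `stolen_token_survives_password_change(WeakService)` and you get True; the hardened version returns False, and `revoke_device` kills one stolen copy without disturbing your other machines. The question to ask of any sync or storage client you evaluate: what does it store on disk, and what event, if any, makes that stored value stop working?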
This security liability, involving a pre-eminent Cloud app and data repository, really hammers home the point we’ve been making here in The BTW: Be careful about where you procure and place your “solutions” involving storage, process, accessibility, and so on. Do your homework.
Remember that clouds rain every once in awhile… including The Cloud.
A couple of days ago: In 1954, Joe Turner released “Shake, Rattle & Roll.” Check out the original. (Didn’t get around to posting this one, but had to still acknowledge Joe).
It was so tempting to title this, “Sobering: Cyber Security and Society”… I do so love alliteration.
But no matter – perhaps as a follow-up. Today’s post is driven by some statistics that are rather bothersome: The number of cyber security incidents affecting Federal Government information is increasing sharply.
Cyber Security Incidents Affecting Government Information (incidents reported, by year):
– 2006: 5,503
– 2008: 16,843
– 2010: 41,776
Source: GAO and the Office of Management and Budget (OMB)
“Affecting” involves everything and anything: Exposure, corruption of data, nefarious manipulation of data, introduction of malware, breach, theft, loss, and so forth. We all face the same sorts of threats and attendant bad outcomes.
It’s been awhile since I’ve done work for the Feds, but interestingly, I had occasion to do a little work for a city agency recently – just within these past weeks. Obligation of Confidentiality prevents me from naming the city, agency, or specific work – and even absent that, I wouldn’t. However, a rather illuminating incident does highlight what is likely to be a contributor to Federal, State, County and City governments’ challenges, and provides a lesson to us all.
An administrative person received a warning e-mail from Target regarding the Epsilon breach. It appeared that the recently departed prior Admin person had ordered from Target at that particular PC workstation, under generic login credentials (“Admin”), and Target was warning that the firstname.lastname@example.org address, and perhaps other information, might be compromised.
I notified the department’s Director, offering to draft an e-mail of warning regarding the Epsilon breach, and some things to watch for, to avoid, and some general cyber security tips. A point to the department’s IT Security Policy would have been nice too (if they had one).
The Director declined – and because I was there contracting on other matters, I concentrated on those. But… my gosh: In 2011, you miss an opportunity to reinforce security awareness and to propagate best practices in a vulnerable environment? Who can afford that?
The stats above are hardly surprising. If you are in a position of influence – whether government agency or private sector business – anything – never lose an opportunity to reinforce security awareness and best business practices.
Always remember this BTW principle:
In the realm of risk, unmanaged possibilities become probabilities.
On this day: In 1921, station KDKA broadcast the first radio sporting event: a boxing match; Ray vs. Dundee.
I was doing a bit of reading regarding Amazon’s new Amazon Cloud Drive (“your hard drive in the cloud”).
The emphasis of this free service (registration required, and living within a 5 GB limit) seems to be on storage of music and video… and, generally, other personal use. That’s fine… losing files such as those wouldn’t entail a hardship, unless you’re a filmmaker or professional musician.
But what of data? That is, business data, or critical personal data, such as tax, real estate, investment, etc., data? Heck, what of irreplaceable family photos? We could go on…
In the case of Small and Medium Business (SMB), particularly, they are forever (or should be) on the lookout for cost savings. Free storage? Oh yeah! Further, paid plans are available for storage beyond 5 GB, for a mere buck per GB per year, up to 1,000 GB. Sounds very attractive… and, swinging back to households; they can always use a little help with expenses.
I still have a problem. I like my data to reside on things that I manage. That I can see, review, update, and restore from… and did I say manage? – in person: A physical fileserver, disk array… a simple USB drive I can see and touch. :^) Call me crazy.
Particularly in the case of storage for backups – why would I want that to go into The Cloud? Or perhaps more accurately, A Cloud? Who’s Cloud? Oh – Amazon’s? No problem… until there’s a problem.
It’s not totally an issue of Amazon’s stability and reliability: If the ’net goes down, for any reason internal (org) or external (ISP, etc.), where’s your data? In The Cloud – and inaccessible. For my SMB readers, small government agencies, and people with critical personal files, and/or treasured files, be wary of trusting The Cloud too much. It will always present vulnerability.
Managing business and IT effectively means closing vulnerabilities and areas of risk: not widening them.
Hmmm… long before The Cloud, we used to say, “Storage is cheap” – and it is. Nothing, and I mean nothing, beats physical storage you own: a local copy plus a close-by offsite backup. Mull it over carefully.
All of that said, Amazon Cloud Drive does present an affordable utility for the right circumstances.
Just be sure to understand the ROI vs. TCO (Total Cost of Ownership). What’s the TCO in the realm of a free service? Your cost is assumption of vulnerability, risk, and potential for loss; engendered by your distance and removal from control over your own assets. Recognize that as a price – one that could be very heavy.
For further details regarding Amazon Cloud Drive, I’d like to refer you to Chad Vander Veen’s excellent article, Amazon Makes Play for the Consumer Cloud Crowd.
Stay safe out there.
NP: Miles Davis, Sketches of Spain, original 1960 LP, on Columbia. Superb.
Only the dead have seen the last of data breaches (with apologies to Plato).
Hey – have you heard about this Epsilon thing? Of course you have.
I’ve heard it characterized as the biggest data breach in history. Further, more affected retailers and consumers are still being identified: e-mail addresses and in some cases names have been compromised. That is, entities that are not supposed to have those – have those.
This may be the largest breach in terms of number of records, number of retailers, and/or number of people compromised. But it’s hardly the largest breach in terms of scope of data: No credit card numbers are at (direct) risk, nor is any other critical data, such as Social Security Numbers or bank information. Of course, you and I only have the news reports’, retailers’, and Epsilon’s word on this.
So what exactly is the risk? We understand the breach: Nefarious operators can pair your name with your e-mail address… and… what? Well, they can contact you – via e-mail. That’s relatively tame: Your friends, acquaintances and business contacts do that every day.
Well, these nefarious entities may contact people with bogus “warnings” about the breach.
They may attempt to “phish” (fish) for info from you: asking you to confirm your credit card number, or to log in to an account and provide that info “to verify” that your balance hasn’t been affected by any scams (the irony). Naturally, if anyone provides credit card or Social Security numbers, that entity then has them and can rip you off. Beware any and all e-mails that appear warning and helpful: These entities can copy official logos, language, and authentication screens (log in/sign in) from the legitimate sites, thus crafting bogus sites that appear legit – and the link in the e-mail takes you to their copy, not the real site.
Particularly at risk are novice online computer users, and youth.
Here’s a serviceable definition of “phishing” from Wikipedia:
Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
A phishing technique was described in detail in 1987, and the first recorded use of the term “phishing” was made in 1996. The term is a variant of fishing, probably influenced by phreaking, and alludes to baits used to “catch” financial information and passwords.
Stay safe out there – verify e-mails and online communications’ sources. In all cases, when contacted with something that may be a phish, call your retailer, your bank, etc. Good advice for this situation – and for future breaches.
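Here is an added example (not part of the original post) of the kind of check a mail gateway, or a cautious reader with a little Python, can run over the HTML of a suspicious “warning” e-mail: it pulls out every link and flags the two giveaways described above, links that lead away from the purported sender’s domain, and anchor text that displays one address while the href points somewhere else. The sample e-mail is constructed for the demo and uses reserved .example domains; the naive registrable-domain helper is a stated simplification.

```python
# Added example, not from the original post: flag the link tricks common in
# post-breach phishing e-mails. The sample message below is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anchor text that "looks like" a web address, e.g. www.retailer.example/account
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def registrable_domain(host):
    """Naive registrable domain: the last two labels. Fine for .com-style
    names; a real deployment would use the Public Suffix List (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body, sender_domain):
    """Return a list of {'href', 'text', 'reasons'} for each suspicious link."""
    parser = _LinkCollector()
    parser.feed(html_body)
    expected = registrable_domain(sender_domain)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if url.scheme not in ("http", "https"):
            reasons.append("unexpected scheme %r" % url.scheme)
        elif registrable_domain(host) != expected:
            reasons.append("link goes to %s, not under %s" % (host, sender_domain))
        if _LOOKS_LIKE_URL.match(text):
            # Visible text is an address: does it agree with where the link really goes?
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(host):
                reasons.append("displays %s but points at %s" % (shown, host))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: a "breach warning" in the style the post describes.
SAMPLE_EMAIL = """
<p>Dear valued customer,</p>
<p>Due to the recent data breach, please
<a href="http://retailer-verify.example/login">verify your card details</a>
at <a href="http://198.51.100.7/r">www.retailer.example/account</a>.</p>
<p>More information is on <a href="https://help.retailer.example/faq">our FAQ</a>.</p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL, "retailer.example"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

On the sample, the first two links are flagged (the second one twice: it goes to a bare IP address and its displayed text says otherwise) and the FAQ link on the retailer’s own domain passes. The check is a filter, not a verdict: the advice above still stands, which is to go to the retailer or bank by typing the address yourself, or by telephone.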
On this day: In 1927, television was transmitted from Washington DC to New York City utilizing phone lines.
A few days ago, a large number of websites were infected with code that redirected visitors to other sites, where they were warned that their computers had been compromised.
The warnings comprise dire pronouncements about resident viruses, tracking cookies, malicious code that turns your PC into a further disseminator of ill and mayhem, and so on. Immediately at hand is a rescue: Download our software and clean your PC before irreparable harm transpires. Frequently the software comes with a price, and the unsuspecting user pays it.
Sometimes the downloaded “cure” (whether purporting to be anti-virus, anti-spam, a removal toolkit, etc.) is an empty program that runs a bogus progress display of virus scan and removal. It is also almost certainly a program that turns your PC into a further propagation unit of harm. It may also collect your keystrokes – stealing passwords, credit card numbers, personal details, security answers… and report them back to the originating entity.
Do not download and install anything from the web that you do not recognize. Things such as Windows updates (from Microsoft) and updates from legitimate programs (such as Norton, McAfee, etc.) should be recognizable to you, based on what you run in your local environment; be that a network at work, or a PC or Mac at home. Don’t take chances – know what you have, use, need and trust.
Of course, professional environments, workplaces, are going to have their security pretty well covered (we hope). But what of home users? Well, there are some legitimate, and fairly good, free anti-virus/security softwares available on the web. But why not spring for something a bit more robust, with regularized updates, and a reputation to maintain in the marketplace? That’s what I recommend. I don’t want to endorse specific software solutions (unless someone wants to pay me), but if you’re uncertain where you stand on security, here’s at least a near-term plan to get you started:
Visit a “big-box” retailer and go to the computer department. Have a look at what they offer; read the boxes. Read some reviews in the leading PC/Mac magazines. You can always go online and buy at the online site, or pick up your preference at the retailer.
As to these latest threats: When prompted with unknown and unfamiliar “tools” and so-called solutions: Decline. Take note of the name of the activity and Google it. Chances are high that there will be several news articles describing what you just experienced, and exposing it for what it is: A bogus solicitation for providing you protection, while directing harm your way.
In the workplace, ensure that IT pushes out regular e-mail warnings about both general and specific scams and fakes; also have them include it in quarterly refresher training. For particularly dangerous circumstances, it may be wise to call an ad-hoc meeting of managers, at a minimum, to brief them, with immediate follow-on briefings to staff.
As importantly, if you have young users in your home, ensure that kids know what to look for and avoid. Survey their machines from time-to-time for risks and protection.
Stay safe out there…
NP: Since I Fell for You – Lee Morgan, jazz24.org
Back in the days of my misspent youth, as CIO in a Fortune100 environment, one of my more favored positions was leading IT for a “perception management” company.
Perception Management was this firm’s rebranding and widening of the established Public Relations schema. I rather enjoyed it and found it quite interesting.
Perception Management is extraordinarily important in this age of social networking: Both in terms of personal SN and business: Many businesses, particularly small and medium business (SMB) are utilizing SN because it is efficient, inexpensive, and readily available – easy access; easy setup.
We discussed a particular case of personal peril a couple posts ago, and – if you scroll through the history of this blog – a fair number of other SN perils and outcomes… essentially involving people saying embarrassing things about themselves or others, and being outed for it.
But now there are perils involving livelihoods and professional standing.
Court personnel, lawyers, and other associates are now perusing members of jury pools for biases or relationships that may taint and jeopardize the outcome of trials. In some cases, attorneys have found actual relationships between seated jurors and defendants on trial! This is solid grounds for dismissal and retrial – and that has happened.
Further, reviews of SN pages by folks with legal standing have uncovered information about illegal activities – sometimes resulting in arrest and prison.
But of perhaps a more mundane concern to the professional readership here: Hiring authorities are now perusing SN sites, simply taking names from resumes and Googling, Facebooking, and YouTubing around, and seeing what comes up. And often, what comes up is… well, interesting.
You can certainly glean an assessment for someone’s maturity, their gravitas, and likely their overall suitability for any specific job from their SN postings, their friendships, their hobbies, and whatever else occupies their time and fancy. And do you know what? There ain’t a thing you can do about it. Should you be screened from a job for something a potential employer saw online – you’d never know.
You could even be competing for a promotion at a present place of employment; it will become increasingly likely that HR and the manager up the line will review your online standing and presence along with internal performance reviews and documentation.
For the aforementioned SMB: If you are using the ready-network of SN – with its undeniable enablement of business – ensure your folks are not blending “friending” with “businessing.” That is, bleeding the jocularity and questionable taste of interactions between friends, and bringing that informality to the realm of business. It’s easy enough to do when switching back and forth.
Perception Management: Manage how you want to be perceived. More importantly, be the person you want to be understood as being.
Make certain your business adheres to proper protocols and styles of communication too. Survey what is being done in the name of your domain.
Have that accurately reflected in all that you do online – in controlling perceptions.
March 31st: On this day in 1963, Los Angeles ended streetcar service after 90 years.
It’s been reported that RSA Security has been attacked, with the result being “certain information… being extracted.” Had you heard about this? I was alerted to it through my Google Alerts.
As a slight aside: I highly recommend the alerts – they deliver news and articles to you according to interests you specify, such as “Data Breach,” “Cyber Attack,” “Information Security,” and so on… or perhaps “Cloud Computing,” “Web 2.0.” You get the idea. Of course, “celebrity gossip” serves some too. But I use it for career purposes and general professional knowledge.
Back to the attack: RSA Security is a division of EMC. EMC has many contracts with our federal government, worth many tens of millions of dollars, for the SecurID system. A SecurID token generates a one-time code which, used in combination with a user ID and a PIN or password, grants secure (well…) access to systems at various government agencies.
These agencies include the Social Security Administration, the Department of Defense, and many others – it doesn’t get much bigger than this.
At present there is no data loss being reported (that is, customer or individuals’ data); however, it’s thought that the “extracted” information may grant a successful attack later – presumably with the further breach of critical content.
Art Coviello, RSA Executive Chairman, said: “We do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”
Hmmm… “We do not believe…”. Would those words reassure you if a solutions partner, a security partner, gave them to you in a similar situation?
SecurID is not only in use at government agencies. A leading Fortune 500 chief security officer has been quoted, albeit namelessly: His company processes payroll transactions worldwide – and they use SecurID. He states that RSA provided details, within minutes, on how the breach occurred so that they could defend against possible attack.
Within minutes? Color me skeptical on that one. :^ ) Oh. Perhaps they mean 180 minutes, 240 minutes – something like that.
In today’s environment, where the big dogs themselves are within risks that manifest, what should you do? Learn how to spot signs of breach or malfeasance in your environment. Put in the products and ally the security solutions partners that make you most comfortable. But, don’t lean totally into vendors, solutions, and solutions partners.
You have to also stand on your own in actively surveying for risk and possible incursions.
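For readers who haven’t worked with one-time tokens, here is an added example of how such a token works and why its seed matters. It is not RSA’s code: SecurID’s algorithm is proprietary, so the open time-based one-time password scheme from RFC 6238 stands in for it, and the Authenticator class and its names are this example’s own. The point it demonstrates is general: a token is a secret seed plus a clock, so anyone who knows the seed can compute exactly the code the fob displays, and the “something you have” factor is reduced to the PIN alone.

```python
# Added example, not RSA's code: RFC 6238 TOTP stands in for the proprietary
# SecurID algorithm. The Authenticator class is this example's own.
import hashlib
import hmac
import os
import secrets
import struct


def hotp(seed, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated to digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed, code, unix_time, step=30, digits=6, window=1):
    """Accept the current code or one step either side, to tolerate clock skew."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(seed, counter + skew, digits), code)
               for skew in range(-window, window + 1))


class Authenticator:
    """Server side of a two-factor login: something you know (a PIN) and
    something you have (a token holding the seed)."""

    def __init__(self):
        self.users = {}  # user -> (salt, pin_hash, seed)

    def enroll(self, user, pin, seed=None):
        seed = seed or secrets.token_bytes(20)
        salt = os.urandom(16)
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        self.users[user] = (salt, pin_hash, seed)
        return seed  # in practice this is burned into the token, not returned

    def login(self, user, pin, code, unix_time):
        record = self.users.get(user)
        if record is None:
            return False
        salt, pin_hash, seed = record
        pin_ok = hmac.compare_digest(
            pin_hash, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))
        return pin_ok and verify_totp(seed, code, unix_time)


def seed_compromise_demo(now=1_300_000_000):
    """What a leaked seed buys an attacker: the 'something you have' factor
    collapses, and the PIN is the only thing still standing in the way."""
    auth = Authenticator()
    seed = auth.enroll("alice", pin="4921")  # the seed record the provider holds
    fob_shows = totp(seed, now)              # what the user's token displays now
    attacker_computes = totp(seed, now)      # what anyone holding the seed computes
    return {
        "codes_match": fob_shows == attacker_computes,
        "seed_plus_pin": auth.login("alice", "4921", attacker_computes, now),
        "seed_only": auth.login("alice", "0000", attacker_computes, now),
    }
```

The practical reading, for anyone who depends on a token vendor: the code on the fob is only as secret as the seed behind it, so when a vendor says information was “extracted,” the questions to ask are what that information was, whether your seeds are among it, and what re-seeding or replacement will cost you. In the meantime, the PIN and the user ID carry the load, which argues for treating a weak PIN as a real problem rather than a formality.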
NP: Falling in Love, Stan Getz, jazz24.org
Security involves so much more than physical protection and means of recovery for data; or content.
It also comprises educated use of data. Best use of data. Appropriate use of data – as well as prudent dissemination. Be very wary of that which you consider propagating: Some actions are irreversible.
Consider the case of UCLA student Alexandra Wallace. She made what she considered a funny video regarding Asian students and, again in her mind, their rudeness in talking on mobile phones in the school library. In the video, she spoke into a phone with what appears to be her assessment of how many Asians sound, using a sort of Asian-mimicking dialect – if I may. An exaggerated imitation. Yikes! – even I have to be careful here, lest I say something that can be taken the wrong way.
Alexandra’s video went viral, of course, resulting in what she says is harassment to her family, death threats, and “publishing of my personal information” – whatever that may be. For these reasons, she has chosen to withdraw from UCLA.
She withdrew the video from YouTube two days after it was posted; of course it was too late. It was all over the web by then.
It’s important to note, and we’ve spoken of this before, that our lives are now “Personal-Technology Weaves” – it’s sad to note that in 2011, even young people have not been apprised of the great risk (in addition to the great benefits) to be had on the ‘net.
Any tool, any enablement, any means or mechanism for the blast of information must come with an accompanying set of warnings and instructions for best use. Educators, starting in 1st grade in my mind, should be exposing the perils that come with the enormous leverage content has and the efficiency with which it propagates.
Make sure you, and those around you, understand the risks as well as the benefits. Make sure your staffs at work understand. Your kids. Your co-workers: Consider; someone may well blast something of yours to the wrong place. It may be legitimate work-content, but if they violate an Obligation of Confidentiality, for example, or just disseminate the wrong interpretation of content, to clients, for example… everyone’s in trouble.
Be careful out there.
NP: Jesse Colin Young, Songbird, on LP.
Web 2.0, that is: Increasingly, individuals and businesses alike are “going to the web.”
In my case, a recent event convinced me that storing my e-mail, contacts, and allied content on a “local,” home office computer is dicey.
Understand: I had a comprehensive backup – and – installation discs. However, anyone who has tried to re-install MS-Office components, fix corrupt PST files, and so forth, knows what a pain it can be. I even have a backup PST, but for whatever reason, Outlook insists on balking – I won’t belabor the details.
I somehow had the foresight to create duplicate contacts on my ISP’s Webmail system. I’ll resurrect my message store later – I’m good for the moment; I run lean and mean anyway. But this has all got me to thinking…
Web 2.0 makes it easy to share information and collaborate. Social media style dialog enablements, paired – not just with access to apps and data – but with ability to contribute, change, modify, and enhance apps and content, makes for a very powerful arena. An approved virtual community of contributors and consumers of content makes for a savvy population, who can leverage any and all readily available Web 2.0 assets on behalf of the enterprise, its goals, its business.
What’s nice too is that, with appropriate planning and vetting, you can create a secured environment for apps and data… leveraging your provider’s (or multiple providers’) strengths: Your provider performs backups and recoveries, as specified in a Contract, as guaranteed in detailed Agreements. They also provide platforms, paired with virtually an unlimited amount of capacity. Your budget is their only limit. No one needs to run out of physical room in a wiring closet or computer room anymore. You sleep soundly at night.
As companies and individuals offload more to a virtual environment (relatively speaking), just be sure to thoroughly vet your providers. Contracts and Agreements are one thing: Perform exercises to verify that enablements and data are truly recoverable in the case of local events and losses (or theirs). There is no substitute for empiricism (the application of observation, not theory, in determining something).
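An added example of what “perform exercises” can look like in practice (mine, not from the original post): take a manifest of content hashes over the live data before it is handed to a provider, then run the restored copy against that manifest and let it tell you what is missing, altered, or unexpected. The directory layout and sample files are constructed for the demo.

```python
# Added example, not from the original post: a restore drill that compares a
# restored tree against a hash manifest of the source. Sample data is constructed.
import hashlib
import os
import shutil
import tempfile


def _sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """relative path -> sha256, for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against a manifest taken from the source."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "altered": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(set(restored) - set(manifest)),
        "ok": sum(1 for p in manifest if restored.get(p) == manifest[p]),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def restore_drill():
    """Simulate a drill: manifest the live data, 'restore' it, and see what a
    truncated file, a dropped file and a stray file look like in the report."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "live")
        _write(src, "tax/2010-return.pdf", b"%PDF-1.4 constructed sample\n")
        _write(src, "photos/family.jpg", b"\xff\xd8constructed sample\xff\xd9")
        _write(src, "contracts/client-a.docx", b"PK\x03\x04 constructed sample")
        manifest = build_manifest(src)  # taken BEFORE anything leaves your hands

        restored = os.path.join(work, "restored")
        shutil.copytree(src, restored)
        # Things that go wrong in real drills: a file came back truncated, a
        # file never came back at all, and something arrived that was never ours.
        _write(restored, "photos/family.jpg", b"\xff\xd8constructed")
        os.remove(os.path.join(restored, "contracts/client-a.docx"))
        _write(restored, "lost+found/junk.tmp", b"?")
        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

Keep the manifest somewhere the provider cannot touch, since a manifest restored from the same place as the data proves nothing. A restore that comes back with empty “missing” and “altered” lists is the evidence; a signed Agreement is a promise.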
Stay safe out there.
NP: Avalon Sunset, Van Morrison, original Mercury LP.