It was so tempting to title this, “Sobering: Cyber Security and Society”… I do so love alliteration.
But no matter – perhaps as a follow-up. Today’s post is driven by some concerning statistics that are rather bothersome. The number of cyber security incidents affecting Federal Government information is increasing.
Cyber Security Incidents Affecting Government Information:
- 2006 incidents reported: 5,503
- 2008 incidents reported: 16,843
- 2010 incidents reported: 41,776
Source: GAO & Office of Management
“Affecting” involves everything and anything: Exposure, corruption of data, nefarious manipulation of data, introduction of malware, breach, theft, loss, and so forth. We all face the same sorts of threats and attendant bad outcomes.
It’s been a while since I’ve done work for the Feds, but interestingly, I had occasion to do a little work for a city agency recently – just within these past weeks. Obligation of Confidentiality prevents me from naming the city, agency, or specific work – and even absent that, I wouldn’t. However, a rather illuminating incident does highlight what is likely to be a contributor to Federal, State, County and City governments’ challenges, and provides a lesson to us all.
An administrative person received a warning e-mail from Target regarding the Epsilon breach. It appeared that the recently-departed prior Admin person had ordered from Target at that particular PC workstation, under generic login credentials (“Admin”), and Target was warning that the firstname.lastname@example.org address, and perhaps other information, might be compromised.
I notified the department’s Director, offering to draft an e-mail of warning regarding the Epsilon breach, and some things to watch for, to avoid, and some general cyber security tips. A point to the department’s IT Security Policy would have been nice too (if they had one).
The Director declined – and because I was there contracting on other matters, I concentrated on those. But… my gosh: In 2011, you miss an opportunity to reinforce security awareness and to propagate best practices in a vulnerable environment? Who can afford that?
The stats above are hardly surprising. If you are in a position of influence – whether government agency or private sector business – anything – never lose an opportunity to reinforce security awareness and best business practices.
Always remember this BTW principle:
In the realm of risk, unmanaged possibilities become probabilities.
On this day: In 1921, station KDKA broadcast the first radio sporting event: a boxing match; Ray vs. Dundee.
I was doing a bit of reading regarding Amazon’s new Amazon Cloud Drive (“your hard drive in the cloud”).
The emphasis on this free service (with registration, and living within a 5 Gb limit) seems to be on storage of music and video… and, generally, other personal use. That’s fine… losing files such as those wouldn’t entail a hardship, unless you’re a filmmaker or professional musician.
But what of data? That is, business data, or critical personal data, such as tax, real estate, investment, etc., data? Heck, what of irreplaceable family photos? We could go on…
In the case of Small and Medium Business (SMB), particularly, they are forever (or should be) on the lookout for cost savings. Free storage? Oh yeah! Further, paid plans are available for storage beyond 5 Gb, for a mere buck per Gig per year. Up to 1,000 Gb. Sounds very attractive… and, swinging back to households; they can always use a little help with expenses.
I still have a problem. I like my data to reside on things that I manage. That I can see, review, update, and restore from… and did I say manage? – in person: A physical fileserver, disk array… a simple USB drive I can see and touch. :^) Call me crazy.
Particularly in the case of storage for backups – why would I want that to go into The Cloud? Or perhaps more accurately, A Cloud? Whose Cloud? Oh – Amazon’s? No problem… until there’s a problem.
It’s not totally an issue of Amazon’s stability and reliability: If the ’net goes down, for any reason internal (org) or external (ISP, etc.), where’s your data? In The Cloud – and inaccessible. For my SMB readers, small government agencies, and people with critical personal files, and/or treasured files, be wary of trusting The Cloud too much. It will always present vulnerability.
Managing business and IT effectively means closing vulnerabilities and areas of risk: not widening them.
Hmmm… long before The Cloud, we used to say, “Storage is cheap” – and it is. Nothing, and I mean nothing, beats your own local, and close-by offsite backup, physical storage. Mull it over carefully.
All of that said, Amazon Cloud Drive does present an affordable utility for the right circumstances.
Just be sure to understand the ROI vs. TCO (Total Cost of Ownership). What’s the TCO in the realm of a free service? Your cost is assumption of vulnerability, risk, and potential for loss, engendered by your distance and removal from control over your own assets. Recognize that as a price – one that could be very heavy.
For further details regarding Amazon Cloud Drive, I’d like to refer you to Chad Vander Veen’s excellent article, Amazon Makes Play for the Consumer Cloud Crowd.
Stay safe out there.
NP: Miles Davis, Sketches of Spain, original 1960 LP, on Columbia. Superb.
Only the dead have seen the last of data breaches (with apologies to Plato).
Hey – have you heard about this Epsilon thing? Of course you have.
I’ve heard it characterized as the biggest data breach in history. Further, it seems more retailers and consumers are yet being discovered: e-mail addresses and in some cases names have been compromised: That is, entities that are not supposed to have those – have those.
This may be the largest breach in terms of number of records, number of retailers, and/or number of people compromised. But it’s hardly the largest breach in terms of scope of data: No credit card numbers are at (direct) risk, nor is any other critical data, such as Social Security Numbers or bank information. Of course, you and I only have the news reports’, retailers’, and Epsilon’s word on this.
So what exactly is the risk? We understand the breach: Nefarious operators can pair your name with your e-mail address… and… what? Well, they can contact you – via e-mail. That’s relatively tame: Your friends, acquaintances and business contacts do that every day.
Well, these nefarious entities may contact people with bogus “warnings” about the breach.
They may attempt to “phish” (fish) for info from you, asking for confirmation of your credit card number, or ask you to log in to an account, and provide that info, in verifying that your balance hasn’t been negatively impacted by any scams (the irony). Naturally, if anyone provides critical credit card or social security numbers, that entity then has them and they can rip you off. Beware any and all e-mails that may appear warning and helpful: These entities can strip official logos, language, and authentication screens (log in/sign in) from the legitimate sites, thus crafting bogus sites that appear legit.
Particularly at risk are novice online computer users, and youth.
Here’s a serviceable definition of “phishing” from Wikileaks:
Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
A phishing technique was described in detail in 1987, and the first recorded use of the term “phishing” was made in 1996. The term is a variant of fishing, probably influenced by phreaking, and alludes to baits used to “catch” financial information and passwords.
Stay safe out there – verify e-mails and online communications’ sources. In all cases, when contacted with something that may be a phish, call your retailer, your bank, etc. Good advice for this situation – and for future breaches.
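One concrete way to practice the “verify the source” advice above, as an added example that is not part of the original post: a small checker that pulls the links out of an HTML e-mail and flags any link that leaves the retailer’s own domain, or whose visible text shows one URL while the underlying href points somewhere else (the classic bogus “warning” mail). The sample e-mail body, the look-alike domain and the two-label domain approximation are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a breach-"warning" e-mail body (hypothetical; not a real message).
# The first link shows a target.com URL as its text but points at a look-alike host.
SAMPLE_HTML = """
<p>Dear customer, due to the recent breach please confirm your card details.</p>
<p><a href="http://secure-target.example.net/login">https://www.target.com/account</a></p>
<p><a href="https://www.target.com/help">Help center</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_host(url):
    """Hostname part of a URL, or '' when there is none."""
    return urlparse(url).hostname or ""


def registrable_domain(host):
    """Last two labels of a hostname (assumption: a crude stand-in for a
    public-suffix lookup; good enough for .com/.net style names)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_links(html, expected_domain):
    """Return findings for links that do not belong to the sender's expected domain
    ('foreign-domain') or whose visible URL text disagrees with the real href
    ('text-mismatch'). An empty list means every link stays on expected_domain."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = registrable_domain(link_host(href))
        if dest != expected_domain:
            findings.append(("foreign-domain", href, dest))
        # Only compare when the anchor text itself looks like a URL.
        shown = text if re.match(r"https?://", text) else None
        if shown and registrable_domain(link_host(shown)) != dest:
            findings.append(("text-mismatch", href, shown))
    return findings


if __name__ == "__main__":
    for kind, href, detail in check_links(SAMPLE_HTML, "target.com"):
        print(f"{kind}: {href} ({detail})")
```

The check is a screening aid, not proof of legitimacy: a mail with clean links can still be a phish, which is why the post’s advice to call the retailer or bank directly stands.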
On this day: In 1927, television was transmitted from Washington DC to New York City utilizing phone lines.
A few days ago, a large number of websites were infected with code that directed users to other sites whereby they were warned that their computers had been compromised.
Warnings comprise dire pronouncements about resident viruses, tracking cookies, malicious code that turns your PC into a further disseminator of ill and mayhem, and so on. On immediate hand is a rescue: Download our software and clean your PC before irreparable harm transpires. Frequently the software comes with a price, and payment is made by the unsuspecting user.
Sometimes the downloaded “cure” (whether purporting to be anti-virus, anti-spam, removal toolkit, etc.) is an empty program that runs a bogus progress of virus scan and removal. Too, it almost certainly is a program that turns your PC into a further propagation unit of harm. It may also collect your keystrokes – stealing passwords, credit card numbers, personal details, security answers… and report them back to the originating entity.
Do not download and install anything from the web that you do not recognize. Things such as Windows updates (from Microsoft) and updates from legitimate programs (such as Norton, McAfee, etc.) should be recognizable to you, based on what you run in your local environment; be that a network at work, or a PC or Mac at home. Don’t take chances – know what you have, use, need and trust.
Of course, professional environments, workplaces, are going to have their security pretty well covered (we hope). But what of home users? Well, there is some legitimate, and fairly good, free anti-virus/security software available on the web. But why not spring for something a bit more robust, with regularized updates, and a reputation to maintain in the marketplace? That’s what I recommend. I don’t want to endorse specific software solutions (unless someone wants to pay me), but if you’re uncertain where you stand on security, here’s at least a near-term plan to get you started:
Visit a “big-box” retailer and go to the computer department. Have a look at what they offer; read the boxes. Read some reviews in the leading PC/Mac magazines. You can always go online and buy at the online site, or pick up your preference at the retailer.
As to these latest threats: When prompted with unknown and unfamiliar “tools” and so-called solutions: Decline. Take note of the name of the activity and Google it. Chances are high that there will be several news articles describing what you just experienced, and exposing it for what it is: A bogus solicitation for providing you protection, while directing harm your way.
In the workplace, ensure that IT pushes out regular e-mail warnings about both general and specific scams and fakes; also have them include it in quarterly refresher training. For particularly dangerous circumstances, it may be wise to call an ad-hoc meeting of managers, minimally, for their update with immediate subsequent appraisals to staff.
As importantly, if you have young users in your home, ensure that kids know what to look for and avoid. Survey their machines from time-to-time for risks and protection.
Stay safe out there…
NP: Since I Fell for You – Lee Morgan, jazz24.org
Back in the days of my misspent youth, as CIO in a Fortune 100 environment, one of my more favored positions was leading IT for a “perception management” company.
Perception Management was this firm’s rebranding and widening of the established Public Relations schema. I rather enjoyed it and found it quite interesting.
Perception Management is extraordinarily important in this age of social networking: Both in terms of personal SN and business: Many businesses, particularly small and medium business (SMB) are utilizing SN because it is efficient, inexpensive, and readily available – easy access; easy setup.
We discussed a particular case of personal peril a couple posts ago, and – if you scroll through the history of this blog – a fair number of other SN perils and outcomes… essentially involving people saying embarrassing things about themselves or others, and being outed for it.
But now there are perils involving livelihoods and professional standing.
Courts personnel, lawyers, and other associates are now perusing jury pools’ members for biases or relationships that may taint and jeopardize the outcome of trials. In some cases, attorneys have found actual relationships between seated jurors and defendants on trial! This is solid grounds for dismissal and retrial – and that has happened.
Further, reviews of SN pages by folks with legal standing have uncovered information about illegal activities – sometimes resulting in arrest and prison.
But of perhaps a more mundane concern to the professional readership here: Hiring authorities are now perusing SN sites, simply taking names from resumes and Googling, Facebooking, and YouTubing around, and seeing what comes up. And often, what comes up is… well, interesting.
You can certainly glean an assessment for someone’s maturity, their gravitas, and likely their overall suitability for any specific job from their SN postings, their friendships, their hobbies, and whatever else occupies their time and fancy. And do you know what? There ain’t a thing you can do about it. Should you be screened from a job for something a potential employer saw online – you’d never know.
You could even be competing for a promotion at a present place of employment; it will become increasingly likely that HR and the manager up the line will review your online standing and presence along with internal performance reviews and documentation.
For the aforementioned SMB: If you are using the ready-network of SN – with its undeniable enablement of business – ensure your folks are not blending “friending” with “businessing.” That is, bleeding the jocularity and questionable taste of interactions between friends, and bringing that informality to the realm of business. It’s easy enough to do when switching back and forth.
Perception Management: Manage how you want to be perceived. More importantly, be the person you want to be understood as being.
Make certain your business adheres to proper protocols and styles of communication too. Survey what is being done in the name of your domain.
Have that accurately reflected in all that you do online – in controlling perceptions.
March 31st: On this day in 1963, Los Angeles ended streetcar service after 90 years.
It’s been reported that RSA Security has been attacked, with the result being “certain information… being extracted.” Had you heard about this? I was alerted to it through my Google Alerts.
As a slight aside: I highly recommend the alerts – they deliver news and articles to you according to interests you specify, such as “Data Breach,” “Cyber Attack,” “Information Security,” and so on… or perhaps “Cloud Computing,” “Web 2.0.” You get the idea. Of course, “celebrity gossip” serves some too. But I use it for career purposes and general professional knowledge.
Back to the attack: RSA Security is a division of EMC2. EMC2 has many contracts with our federal government, for many tens of millions of dollars, for their SecurID system. SecurID generates a token which, used in combination with a password and user ID, grants secure (well…) access to systems at various government agencies.
These agencies include the Social Security Administration, the Department of Defense, and many others – it doesn’t get much bigger than this.
At present there is no data loss being reported (that is, customer or individuals’ data); however, it’s thought that the “extracted” information may grant a successful attack later – presumably with the further breach of critical content.
Art Coviello, RSA Executive Chairman, said: “We do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”
Hmmm… “We do not believe…”. Would those words reassure you if a solutions partner, a security partner, gave them to you in a similar situation?
SecurID is not only in use at government agencies. A leading Fortune 500 chief security officer has been quoted, albeit namelessly: His company processes transactions worldwide for payrolls – and they use SecurID. He states that RSA provided details, within minutes, on how the breach occurred so that they could defend against possible attack.
Within minutes? Color me skeptical on that one. :^ ) Oh. Perhaps they mean 180 minutes, 240 minutes – something like that.
In today’s environment, where even the big dogs face risks that do manifest, what should you do? Learn how to spot signs of breach or malfeasance in your environment. Put in the products and ally with the security solutions partners that make you most comfortable. But don’t lean totally on vendors, solutions, and solutions partners.
You have to also stand on your own in actively surveying for risk and possible incursions.
NP: Falling in Love, Stan Getz, jazz24.org
Security involves so much more than physical protection and means of recovery for data; or content.
It also comprises educated use of data. Best use of data. Appropriate use of data – as well as prudent dissemination. Be very wary of that which you consider propagating: Some actions are irreversible.
Consider the case of UCLA student Alexandra Wallace. She made what she considered a funny video regarding Asian students and, again in her mind, their rudeness in talking on mobile phones in the school library. In the video, she spoke into a phone with what appears to be her assessment of how many Asians sound, using a sort of Asian-mimicking dialect – if I may. An exaggerated imitation. Yikes! – even I have to be careful here, lest I say something that can be taken the wrong way.
Alexandra’s video went viral, of course, resulting in what she says is harassment to her family, death threats, and “publishing of my personal information” – whatever that may be. For these reasons, she has chosen to withdraw from UCLA.
She withdrew the video from YouTube two days after it was posted; of course it was too late. It was all over the web by then.
It’s important to note, and we’ve spoken of this before, that our lives are now “Personal-Technology Weaves” – it’s sad to note that in 2011, even young people have not been apprised of the great risk (in addition to the great benefits) to be had on the ‘net.
Any tool, any enablement, any means or mechanism for the blast of information, must come with an accompanying set of warnings and instructions for best use. Educators, starting in 1st grade in my mind, should be exposing the perils that come with the enormous leverage content has and its efficient propagation.
Make sure you, and those around you, understand the risks as well as the benefits. Make sure your staffs at work understand. Your kids. Your co-workers: Consider; someone may well blast something of yours to the wrong place. It may be legitimate work-content, but if they violate an Obligation of Confidentiality, for example, or just disseminate the wrong interpretation of content, to clients, for example… everyone’s in trouble.
Be careful out there.
NP: Jesse Colin Young, Songbird, on LP.
Web 2.0, that is: Increasingly, individuals and businesses alike are “going to the web.”
In my case, a recent event convinced me that storing my e-mail, contacts, and allied content on a “local,” home office computer is dicey.
Understand: I had a comprehensive backup – and – installation discs. However, anyone who has tried to re-install MS-Office components, fix corrupt PST files, and so forth, knows what a pain it can be. I even have a backup PST, but for whatever reason, Outlook insists on balking – I won’t belabor the details.
I somehow had the foresight to create duplicate contacts on my ISP’s Webmail system. I’ll resurrect my message store later – I’m good for the moment; I run lean and mean anyway. But this has all got me to thinking…
Web 2.0 makes it easy to share information and collaborate. Social media style dialog enablements, paired – not just with access to apps and data – but with ability to contribute, change, modify, and enhance apps and content, makes for a very powerful arena. An approved virtual community of contributors and consumers of content makes for a savvy population, who can leverage any and all readily available Web 2.0 assets on behalf of the enterprise, its goals, its business.
What’s nice too is that, with appropriate planning and vetting, you can create a secured environment for apps and data… leveraging your provider’s (or multiple providers’) strengths: Your provider performs backups and recoveries, as specified in a Contract, as guaranteed in detailed Agreements. They also provide platforms, paired with virtually an unlimited amount of capacity. Your budget is their only limit. No one needs to run out of physical room in a wiring closet or computer room anymore. You sleep soundly at night.
As companies and individuals offload more things to a virtual environment (relatively speaking), just be sure to thoroughly vet your providers. Contracts and Agreements are one thing: Perform exercises to verify that enablements and data are truly recoverable in the case of local events and losses (or theirs). There is no substitute for empiricism. (The application of observation, not theory, in determining something).
Stay safe out there.
NP: Avalon Sunset, Van Morrison, original Mercury LP.
Well, it happened to me: My laptop’s operating system corrupted and I had to re-install it.
Fortunately, I had a comprehensive backup, which made me whole once I reinstalled the O/S.
I’m a self-employed consultant, so it would have been a bit embarrassing had I not been able to recover. Perhaps it would have even been professionally crippling: Loss of client information, billing records, data… even business reputation.
In the case of lost data and associated problems, even large enterprises and sizable medium-scale businesses get bit. We frequently hear about these situations in the news: Remember the Heartland Payment Systems data breach? How about something from this month? Health Net, Inc. has a data breach investigation going on affecting 1.9 million patient records. Ouch.
It’s interesting to Google “Largest Data Breach” and “Most Recent Data Breaches”… have a look at what comes up. Another interesting area of perusal is The Chronology of Data Breaches, as reported by The Privacy Rights Clearinghouse (PRC).
I’d forgotten that March 6th through 12th was the 13th annual National Consumer Protection Week – but better late than never. The PRC still has their Top 5 Privacy Tips for that week headlined, as well as tips for privacy protection during tax season, best practices regarding identity theft perils, and others. It’s a handy reference – check in from time-to-time.
As to small business: I know several small business owners and operators. For many, backups are… well… almost an afterthought. They’re performed sporadically, they’re not comprehensive enough, stuff is overlooked, and suddenly… something happens and critical data and business information is lost.
It’s simple enough to procure an outboard drive; “storage is cheap,” as we like to say. You can easily get a backup routine scheduled with simple-to-use software. At a minimum, just kick off a whole-drive backup manually – run it overnight.
Even for personal laptops/computers that aren’t involved in business use: You can’t imagine all the stored passwords and IDs that you’ve forgotten, for such things as social networking, banking, downloads, blogging, etc., etc.
Don’t wait: Back up.
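The “no substitute for empiricism” point a couple of posts back and the backup routine above come together in a restore drill: back up, restore into a fresh location, and prove every file came back intact. Here is one as an added example (my own illustration, not the author’s or any vendor’s backup software); the sample client tree, the archive name and the deliberate corruption are constructed for the drill.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def backup_tree(src, archive_path):
    """Write a gzip-compressed tar of src and return the manifest taken at backup time."""
    manifest = sha256_tree(src)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def restore_tree(archive_path, dest):
    """Extract the archive into dest; the 'data' filter (Python 3.12+) refuses
    entries that would land outside dest, older interpreters fall back."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:
            tar.extractall(dest)
    return dest


def verify_restore(manifest, restored_root):
    """Compare the restored tree against the backup-time manifest.
    Returns (ok, missing, corrupted); recoverability is proven only when ok is True."""
    restored = sha256_tree(restored_root)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(f for f in manifest if f in restored and restored[f] != manifest[f])
    return (not missing and not corrupted), missing, corrupted


def restore_drill(simulate_corruption=False):
    """End-to-end drill on a constructed sample tree: back up, restore to a fresh
    directory, verify. With simulate_corruption=True the restored copy is tampered
    with, to show the check really catches a bad restore rather than always passing."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "clients")
        src.mkdir()
        (src / "billing.csv").write_text("acme,2011-04,1200\n")  # constructed sample data
        (src / "notes").mkdir()
        (src / "notes" / "meeting.txt").write_text("confidential meeting notes\n")
        archive = Path(work, "backup.tar.gz")
        manifest = backup_tree(src, archive)
        restored = Path(work, "restored")
        restored.mkdir()
        restore_tree(archive, restored)
        if simulate_corruption:
            (restored / "billing.csv").write_text("acme,2011-04,9999\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:", restore_drill())
    print("tampered restore:", restore_drill(simulate_corruption=True))
```

Run the drill against a real backup by pointing backup_tree at the live folder and restoring to a spare directory; a manifest saved with the archive lets you repeat the verification long after the backup was made.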
On This Day: In 1960, the first patent for lasers was granted to Arthur Schawlow and Charles Townes.
And why not? Everything gets more expensive as time goes by. In fact, cost of breaches has risen for each of the past three years.
Symantec, folks who ought to know, says the average cost of a breach is around $3 million a year per business breached. If that sounds like a lot, realize that some businesses suffer losses of 10s of millions.
Of course, ever more breaches require ever more security awareness training and education for employees: More cost.
Too, the organization must survey its firewalls, virus and malware protections for currency and comprehension, and just generally expend precious business resources (time, attention, money, assessments for returns, to say nothing of repairs to reputation and breached systems…), thus robbing energy and focus from that main thrust that should occupy any business: Business.
Most breaches and loss or corruption of data are due to human error: Blame the employees. Nah: Actually, there’s enough blame to go around. Management/leadership (both IT and Business leadership) must put the proper emphasis on security and associated awareness.
One way IT can help: Send out a regularized (once a month?) Security Quiz. You can ask such things as “If a web site asks you to… should you….?” You get the idea; come up with a dozen questions. You’d be surprised how lax interns are, in spite of tight IT security orientations, delivered upon hire and start. Not to pick on interns (they probably get picked on enough); regular staff can be pretty abysmal in their actions and activities too. Give away some nominal surprise for the winner: a free day off? Use your imagination – coordinate with HR and management – evaluate the returns. Does the environment seem safer?
Don’t forget data’s liability in the era of portability: USB sticks, laptops, smartphones… Even e-mail is an element of portability: Do not let staff conduct business via personal e-mail accounts, Facebook, YouTube, etc. And make a determination, and publication, of expectations for appropriate use of official e-mail. If you don’t spell out the “dos” and “don’ts,” you’ll reap all sorts of silly, expensive results.
Unfortunately, in the era of all-access, all-the time, breach and business reputation are always in play.
Stay on the responsible forward edge.
NP: How Deep is the Ocean – Ron Affif, jazz24.org