Well… I’ve frequently spoken about the new agility organizations need: the ability to mount new security initiatives quickly, in response to fast-changing threats. Happily, tomorrow I’ll have an interview with the author of the book “A to XP: The Agile ABC Book.” Agile, as a discipline and a business process management practice, serves the threat landscape well: it applies where the unpredictable is common, and where conventional business processes cannot change quickly enough to keep up with what the business needs.
But that’s tomorrow – back to mainstream awareness: there’s a growing unease among the general populace regarding cyber attack, cyber terror, cyber war… and hacks in general… a burgeoning awareness. There can perhaps be no better indicator of a thing’s ubiquity than its inclusion in late-night television fare.
The other evening, on “Late Night with Jimmy Fallon” (NBC), Fallon delivered a joke that shows just how mainstream cyber awareness has become:
“This is scary - a new report shows that Chinese hackers could one day take out America’s power supply. Or as that’s also known: Pulling a ‘Beyonce.’”
This is an obvious reference to the recent power outage at the Super Bowl, and to speculation that Beyonce’s half-time show taxed the stadium’s or region’s power capacity, perhaps overloading equipment… or something like that. (Whatever the cause, they obviously need new, comprehensive backup plans and systems.)
But the awareness grows: it’s now in the comic, economic, personal, and military realms. General Jack Keane, former Vice Chief of Staff of the U.S. Army and now a Fox News military analyst, states that the U.S. is “the best” when it comes to hacking, cyber espionage, and related activities; that Russia is second; and that China is third. However, according to him, China is “by far the most prolific”: thousands of People’s Liberation Army (PLA) members engage in hacking daily, assisted by civilian hackers and contractors, and have penetrated thousands of U.S. companies.
They have penetrated political, economic, and military intelligence realms, stealing intellectual property – and with it the technology and innovation behind it – to advance their own economic interests.
At the same time, a far more local challenge exists: retail cyber attacks. Retailers were the targets of 45% of all hacker attacks in 2012, and there are an estimated 79 successful cyber attacks a week on U.S. businesses.
36% of all targeted cyber attacks in the U.S. are aimed at small businesses – the very ones that cannot afford robust, up-to-the-minute protections. They also can’t afford to be without them. A dichotomy.
Hand-in-hand with hacking go the flourishing underground industries that bundle together customer information – names, addresses, credit card numbers, PINs, and the like – and use it themselves, or sell it on to other crime syndicates.
Consider: a breach at Subway compromised the data of 80,000 customers, and unauthorized transactions were made on that data for three years.
So we find that what is turning out to be an omnipresent awareness of cyber vulnerabilities must be paired with a new agility. Tomorrow, Ms. Karen Spencer will share with us her thoughts on Agile, as contained in her book.
The Washington Post is reporting that foreign hackers disabled a pump at an Illinois water plant last week, according to a preliminary state report.
If the source of the attack is confirmed as foreign, it will be the first known attack on a piece of critical public infrastructure – the societal supports of water, power, communications, and other essentials such as policing.
There have been many hacks and harmful incidents of various scope in years past, of course. However, those were squarely within the realm of information: theft of content, destruction or corruption of it, or interruption of access to it by taking down websites.
But now there are entirely new vulnerabilities faced by our government, and consequently by you and your organization. Any organization relies on the steady reliability of public infrastructure, and we’ve discussed that here in the past. But what of the more mundane, and perhaps more likely, concerns for the average organization?
Threats are becoming more sophisticated, and in many cases are outpacing the state of security in even the most “sophisticated” environments (relatively speaking). What your organization must do is survey its entire “security bouquet” before something that is certain to happen: hacktivists, and general miscreants, are going to shop for companies, agencies, and groups that they can “take down.” It will be sport. It will be an attempt to gain a mention in the daily news cycle.
Why? Because if people can do it, they generally will.
Begin with a review of your Acceptable Use policy: make certain people in your organization are not opening security holes. They shouldn’t be using work resources to spend time on disreputable sites, nor should they correspond with strangers – new “friends” – outside of any business context using domain credentials, including something as simple as their work e-mail address.
They also shouldn’t be posting comments to non-work-related boards or articles under domain credentials – what is being done in the name of your domain? – that could bring the wrong kind of attention to your organization. Further, when they are on legitimate sites, such as professional support forums, they should take care not to run afoul of the Terms of Service, nor should they be argumentative or abusive: there is a real risk of recrimination from a forum member who decides to seek retribution with a “take-down” of some element of your domain.
Review all security policies, and establish a monthly or quarterly security refresher training. All actions and activities should be viewed through security’s prism. Make everyone in the organization a security officer.
NP: Purple Passages, Deep Purple.
In thinking about today’s post, I wondered if the title was a bit of hyperbole. Upon reflection, I don’t think so.
Consider: how many people use the same user ID and password for multiple accounts? Many, many people do – and the practice bleeds across personal (social) and professional accounts to a very dangerous degree. Consider too: one hack should not have the potential to daisy-chain and wreak havoc through multiple domains and accounts by virtue of simple clues granted in one account’s initial breach.
The reason I got to thinking: there’s no shortage of security breaches and leaks, as the Privacy Rights Clearinghouse’s Chronology of Data Breaches shows. But I also happened to be reading an international news story: back in July, SK Communications Company of Korea reported that the personal information of its 35 million users had been hacked.
In a statement, SK said, “The specific scale of the hacking is still being investigated, but it is estimated that some of the personal information of 35 million Nate and Cyworld members have been leaked.” Nate is South Korea’s third-most popular search engine. Cyworld is the country’s largest social networking site; with 25 million users, it accounts for half of the country’s population.
The Biggest Security “Hole”? In light of SK’s recent breach, and just a general peek at the Chronology, consider again carefully: how many people – in any country – use the same user ID and password for multiple sites? How many people have the same authenticating credentials for multiple personal accounts… and for sensitive work accounts?…
Answer: too many. OK, that’s not a very empirical, scientific report. But I just did a survey of the people around me, and… most people have a measure of the same credentials for all sorts of environments.
It could be worse – and it is. What does this mean? It means that if one site is hacked and credentials are stolen, other information in that account may point to other, more sensitive accounts, and the hackers can spin your credentials through all of them. Consider accounts such as: banks, mortgage companies, work, professional associations, schools, and on, and on, and on…
For the professional business and IT audience: make it part of your Security Policy, and of any other relevant policies and forums (user orientations, quarterly security refresher training, etc.), that user IDs and passwords for business systems must be unique and entirely separate from all personal user IDs and passwords. Even security questions and answers should be unique, and used only for the specific work environment.
For the individual: I strongly urge you to consider separate and unique authenticating credentials for personal accounts such as Facebook, MySpace, YouTube, dating sites, and so on – and further, your bank(s) and other related accounts of high sensitivity – whatever you have and wherever you’re involved.
Again: One hack should not have the potential to daisy-chain and wreak havoc through your entire life’s online and subsequent real world existence.
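As an added illustration (not part of the original post), the Python script below checks a set of accounts for exactly the reuse described above. The account data is constructed; the site names and DEMO_KEY are placeholders, and in real use the key would be drawn fresh with os.urandom and never written anywhere. Each password and security answer is fingerprinted with a keyed HMAC so that reuse can be reported without the plaintext appearing in the report; the script flags work credentials shared with personal accounts, and estimates the “blast radius” of a single breached site: which other accounts fall to a straight replay of the leaked user ID and password, and which need only a guessed user ID.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: a hypothetical employee's accounts, as exported from
# a password manager. Site names are placeholders, not real services.
SAMPLE_ACCOUNTS = [
    {"site": "vpn.corp.example", "realm": "work",     "user": "jdoe",     "password": "Summer2011!",           "answer": "fido"},
    {"site": "social.example",   "realm": "personal", "user": "jdoe",     "password": "Summer2011!",           "answer": "fido"},
    {"site": "bank.example",     "realm": "personal", "user": "john.doe", "password": "Summer2011!",           "answer": "fido"},
    {"site": "forum.example",    "realm": "personal", "user": "jdoe",     "password": "correct horse battery", "answer": "rex"},
]

# Demo key only. A real run should use os.urandom(32), keep it in memory, and discard it.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def fingerprint(secret: str, key: bytes) -> str:
    """Keyed digest: equal secrets compare equal without the plaintext appearing in output."""
    return hmac.new(key, secret.encode("utf-8"), hashlib.sha256).hexdigest()


def find_reuse(accounts, key=DEMO_KEY):
    """Group accounts by password and by security answer; report every group larger than one."""
    by_password = defaultdict(list)
    by_answer = defaultdict(list)
    for acct in accounts:
        by_password[fingerprint(acct["password"], key)].append(acct)
        by_answer[fingerprint(acct["answer"], key)].append(acct)

    def groups(index):
        return sorted(sorted(a["site"] for a in grp) for grp in index.values() if len(grp) > 1)

    # Worst case for the business: a work password that is also used on a personal account.
    cross_realm = set()
    for grp in by_password.values():
        if len({a["realm"] for a in grp}) > 1:
            cross_realm.update(a["site"] for a in grp)

    return {
        "password": groups(by_password),
        "answer": groups(by_answer),
        "cross_realm": sorted(cross_realm),
    }


def blast_radius(accounts, breached_site, key=DEMO_KEY):
    """Accounts an attacker reaches by replaying the password leaked from breached_site.

    Returns (direct, needs_user_guess): sites where the leaked user ID and password work
    as-is, and sites where only the password matches, so the attacker must infer the
    user ID from other clues found in the breached account.
    """
    leaked = next(a for a in accounts if a["site"] == breached_site)
    leaked_pw = fingerprint(leaked["password"], key)
    direct, needs_guess = [], []
    for acct in accounts:
        if acct["site"] == breached_site:
            continue
        if fingerprint(acct["password"], key) != leaked_pw:
            continue
        (direct if acct["user"] == leaked["user"] else needs_guess).append(acct["site"])
    return sorted(direct), sorted(needs_guess)


if __name__ == "__main__":
    report = find_reuse(SAMPLE_ACCOUNTS)
    print("password reuse groups:", report["password"])
    print("security-answer reuse groups:", report["answer"])
    print("work credentials shared with personal accounts:", report["cross_realm"])
    print("if social.example is breached:", blast_radius(SAMPLE_ACCOUNTS, "social.example"))
```

Note that the report names sites, never secrets: two accounts are shown as sharing a password only because their HMAC fingerprints collide under a key that exists for the duration of the run. In the sample, a breach of the social site hands the attacker the corporate VPN account outright, and the bank account for the price of guessing one user ID.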
Think about it – and act.
On this day (September 2nd): In 1930, the first non-stop airplane flight from Europe to the US was completed in 37 hours.
A recent news report got me thinking. The report involved a claim that an Israeli “cyber unit” was responsible for a computer worm that attacked Iran’s Bushehr nuclear power station, the intent being to disable Iran’s nuclear war-making capacity and the direct threat it poses to Israel.
Israel is on record as stating that it would be willing to mount a pre-emptive strike of this nature to ensure its own safety and continued existence. Therefore, it is not a stretch to surmise that the worm might be its work.
Not to discount issues involving mortal enemies whatsoever – but the story got me thinking about something a little more local: what if business rivals, in the course of (comparatively) routine and mundane matters, decided to mount a cyber attack on a competitor? Much more likely: what if a rogue employee decided to take down a competitor? Or perhaps more likely still, what if a rogue former employee decided to mount cyber-war on his or her former company? All of this is not only within the realm of risk and possibility; indeed, measures of these things have happened.
In the realm of risk (all together now), unmanaged possibilities become probabilities. And, left hanging, probabilities always manifest.
As I state in my book, I.T. Wars, an effective internal check-and-balance on unreasonable actions diminishes rapidly as the size of the group diminishes. Thus smaller organizations, comprising small and medium business (SMB), may lack the awareness, training, and oversight needed to catch trouble as it brews…
Or – governance in some unscrupulous organization may simply decide that it can get away with wreaking havoc on a rival (you wouldn’t believe what I observed when I was a car salesman back in my youth; I’m glad that I never, ever, ever, did anything nefarious – at least, that’s my story). To think that today’s, and particularly tomorrow’s, shenanigans won’t involve cyber manifestations is to be quite naïve.
What does this mean to us now? It is easy enough to mount virus attacks against entities – and to mask the origins of the attack. With ever more resources in the cloud, and thus with fewer “brick-and-mortar” physical protections, organizations today must guard against attacks from a variety of potential origins and from any number of directions – directions reached via an exploding array of wired and wireless means.
Train your staff. Make known prior prosecutions of individuals who have mounted attacks – there’s nothing wrong with that. Keep your security personnel up-to-the-minute, and have them brief your staff on a schedule that supports your comfort: monthly, quarterly, or semi-annual training.
Security for 2011 and beyond: get it going, get it improved, get it delivered.
NP: John Coltrane, The Stardust Session, on LP.