IT security in any realm involves logical security and physical security. Logical security is the integrity of data (content), the precision of the associated processing, and the delivery of coherent, accurate content. In other words, data that reflects reality: data that does not mislead or distort actual conditions through errors introduced at input, processing, or output.
Physical security is such things as locked doors on computer rooms. It’s the safety and surety of infrastructure; protection against overheating, for example. Physical security is often mundane; don’t set your coffee on a server, for example.
Mobile is especially vulnerable within the realm of physical security. Devices are constantly transported, their owners on the go, and they can be lost or stolen. Ensure that users report loss or theft immediately. Consider strong encryption, as any content on a lost device risks exposure.
As to logical security, determine whether users access organizational resources via a virtual private network (VPN) or directly over the internet. Also, ensure strong malware protections are in place on devices.
In BYOD environments, that last point is especially important: it’s hard to know where users will be surfing, and what manner of personal downloads will be taking place. Regular scanning for viruses, malware, and unauthorized intrusions is imperative.
Word comes that more than 500,000 Macintosh machines are potentially infected with a virus, one that specifically targets Macs: it’s called the Flashback Trojan. The virus is a variation on one normally aimed at PCs, typically powered by a Microsoft (MS) Windows operating system. The PC virus has been re-engineered to slip past typical Mac defenses.
The Finland-based computer security firm F-Secure first spotted and reported the virus, followed quickly by corroboration from a Russian anti-virus vendor, Dr. Web.
“All the stuff the bad guys have learned for doing attacks in the PC world is now starting to transition to the Mac world,” according to McAfee Labs Director of Threat Intelligence Dave Marcus.
Flashback lets hackers steal passwords and financial account numbers. Mac users are tricked into installing it themselves: the virus’ designers have made its installation look like a routine update to Adobe’s Flash video-viewing software.
Once upon a time, people who labored in the Mac realm had a rather smug view of security: Macs escaped specific targeting, it seems, and malware creators concentrated their efforts on the PC world. No more. While Mac’s position in the past seemed to be that they weren’t vulnerable to PC malware (true, in a specific sense), they are now vulnerable to Mac malware, adapted to and specifically created for that environment.
Malware developers concentrated on Windows PCs because they dominated the market. This allowed Apple to claim that PCs were more prone to hacking: true, technically, but perhaps not so much due to any particular superiority of one operating system’s security; rather, merely the luck of being a smaller target. Now that Macs are increasing in popularity, the Apple operating system is becoming a much more attractive target.
The IT field, like any, is rife with people who talk a good game. Some walk like they talk; some don’t. The average candidate for your IT department will appear conversant in technical matters, will profess a belief in quality-of-service principles, and of course will be brought on board with high expectations. We know that many people fall short of these expectations, in all fields and areas of endeavor. But in cases of flat-out bad IT hires, we have an enormous drain on resources. In the IT department, a sub-optimal hire compounds across the organization in a very detrimental way, since IT supports virtually the entire organization and almost every effort within it.
We also know how much time and effort it takes to dismiss an employee. Often an employee must be left in place so that poor performance can be recorded and documented. For IT, this is a cruel irony and a ticklish game: trying to maintain security and solid support while leaving job duties in the hands of a poor performer. The associated inefficiencies brought about by increased oversight, double-checking, and counseling are their own drain, in addition to the lack of results. There is also the impact on staff morale. For these reasons, you need IT leadership that can smoke out the true candidates worthy of hire, investment, and promotion.
These things make it imperative for your IT leader to understand something about most areas of IT technical endeavor. This person does not need a deep background in all areas, or even in specific areas. This person just needs a solid understanding of the principles that guide each area, and a good familiarity with the higher-level best practices for managing it. Much of the vetting of personnel falls to the managers just under the top leadership. Therefore, top leadership must be qualified to make those managers the best possible investment your organization can make, as those managers groom the rest of the department.
Image credit: digitalart
Well, I guess it already has. But an interesting opinion was rendered recently regarding the United States’ position on cyber crime. According to Trend Micro’s global CTO, Raimund Genes, the US’s lax security standards are facilitating cyber crime in the public cloud.
Cloud adoption and loose standards regarding online banking show serious security flaws, according to Genes. In fact, he states, “The US has no sense about data security, and I could be very brutal there.”
This isn’t particularly good news for those individuals and organizations who harbor their content, and even their processing, in the cloud through various solutions providers. Often, these folks have no idea exactly where their information is, relying on the providers’ discretion and standards… and whether those standards comport with current best practice is anyone’s guess.
When security lags in one area, it often creates a lax situation in evolving and newly debuting areas. For example, a looming vulnerability involves Near Field Communication (NFC). A brief description of NFC, and then the example:
NFC allows simple transactions and data exchanges between wireless devices in close proximity. It will likely support regular use of smartphones for making payments. Already many of the smartphones on the market contain NFC chips; the chips are capable of containing credit card information, and a simple wave of your phone near a retail cash register’s reader, for example, will be a fast and effective way of making payment. No more digging for, and swiping of, a credit card.
However, Genes warns of this arena too: The use of NFC by credit card companies, again in view of lax security standards and measures, is a “security disaster,” in his words.
As individuals and organizations grapple with rapidly changing IT issues, such as cloud computing and storage, and NFC communications, be certain to examine and qualify your providers and procedures. Update security policies, and update your security checks. Remember: you must stay ahead of threats, closing vulnerabilities and thwarting crime.
When hiring service providers and solutions partners, be certain they’re on the most responsible security edge possible.
NP: Soul Burnin’, Red Garland, jazz24.org
The Washington Post is reporting that foreign hackers disabled a pump at an Illinois water plant last week, according to the preliminary state report.
If the source of the attack is confirmed as foreign, it will be the first known attack on a critical public (that is, societal) support: That of water, power, communications, and other essentials such as policing.
There have been many hacks and harmful incidents of various scope in years past, of course. However, those were squarely within the realm of information’s availability or integrity: incidents involving theft of content, its destruction or corruption, or the interruption of access to it by attacking websites.
But now, there are entirely new vulnerabilities faced by our government, and subsequently you and your organization. Any org relies on the steady reliability of public infrastructures and enablements – and we’ve discussed those here in the past. But what of more mundane, and perhaps likely, concerns for the average organization?
Threats are becoming more sophisticated, and in many cases are outpacing the state of security in even the most “sophisticated” environments (relatively speaking). What your organization must do is survey your entire “security bouquet” before something that is certain to happen: hacktivists, and general miscreants, are going to shop for companies, agencies, and groups that they can “take down.” It will be sport. It will be an attempt to gain mention on the daily news cycle.
Why? Because if people can do it, they generally will.
Begin with a review of your Acceptable Use policy: make certain people in your organization are not opening security vulnerabilities. They shouldn’t be using work resources to spend time on nefarious sites, nor should they correspond with strangers (new “friends”) outside of any business context using domain credentials, including their plain work e-mail address.
They also shouldn’t be posting comments to non-work-related boards or articles with domain credentials (what is being done in the name of your domain?) that could bring the wrong kind of attention to your organization. Further, when they are on legitimate sites, such as professional support forums, they should take care not to run afoul of Terms of Service provisions, nor should they be argumentative or abusive: there is a definite risk of recrimination from a forum member who decides to seek retribution by a “take-down” of some element of your domain.
Review all security policies, and establish a monthly or quarterly security refresher training. All actions and activities should be viewed through security’s prism. Make everyone in the organization a security officer.
NP: Purple Passages, Deep Purple.
Today, any organization is dead without its technical supports. Even an attack on content – information, business intelligence, data – can put business at risk.
By “business,” we mean the doing of the doing – your “busy-ness” in furthering and delivering within your mission: Whether you’re a for-profit private-sector endeavor; a non/not-for-profit org; a government agency; or sole-proprietor. You have business that needs to be conducted on a daily, ongoing, basis.
Any business can go out of business if it loses any measure of its technical enablements, and/or corresponding content. Lose it all, and it most definitely will go out of business.
And now comes word of cyber-terror. What the heck does the local organization do about that? Eugene Kaspersky is a Russian math genius who founded an internet security firm that has been characterized as having global reach. He’s a thought leader as regards emerging perils. According to Sky News, Kaspersky believes “…we are close, very close, to cyber terrorism. Perhaps already the criminals have sold their skills to the terrorists – and then… oh, God.”
That doesn’t sound too hopeful. Further, Kaspersky, while attending the London Cyber Conference, told Sky that he believes cyber-terror to be the biggest threat to nations such as China and the U.S.
“There is already cyber espionage, cyber crime, hacktivism (whereby activists attack systems and content for political ends) – soon we will be facing cyber terrorism,” he said.
So – what’s the local organization to do? There is a need to protect yourself. With ever-more power and knowledge being available to individuals and small groups, imagine: Imagine a disgruntled ex-employee wiping out your organization’s assets, for example. But further: Can the average organization make a contribution to the larger, surrounding, public security?
I propose a business/tech roundtable in given locales, that meet semi-annually, or perhaps quarterly in high-risk areas (Washington, DC, for example). Here, business and technology folks, from all levels of diverse organizations, can brainstorm and share ideas of protection, prevention, and where necessary – recoveries.
It’s going to become a necessity: already, the Pentagon is on record stating that the U.S. reserves the right to retaliate with military force against any cyber attack. In a 12-page report to Congress, made public, the Pentagon said:
“When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means – diplomatic, informational, military and economic – to defend our nation, our allies, our partners and our interests.”
The exposure is large: the Defense Department alone operates more than 15,000 computer networks, with 7 million computers worldwide.
But, again, what of your locale? What if simple everyday “hacktivists” decided to take down some service providers that were key to you? It would be awfully uncomfortable to live without e-mail, your online presence, and the services of any other providers such as Cloud hosting, processing, storage, and communications.
It’s something worth thinking about… at least start to think about it – and where effective, efficient, contributions by your org might be made.
NP: Black Sabbath, We Sold Our Soul for Rock ‘n’ Roll, original vinyl LP.
A colleague recently made a cogent argument for timely, in fact immediate, application of all suggested updates as they pop up on various devices: desktops, laptops, smart phones, etc. He examines it from a security perspective, since many of these updates address security issues. A week doesn’t go by that I don’t get at least one “recommended update” or another on my laptop from various software providers.
The colleague is not a fan of the “Remind Me Later” option/button – he claims that it’s “the most dangerous button you can push” (hmmm… my vote might go to the “Delete Permanently” option…). He likens “Remind Me Later” to discovery that your home alarm is broken, and then deciding to post a reminder to your calendar to look at it later. Another (false) analogy he uses is: Leaving your car unlocked, and asking someone to remind you later to go back and lock it. More on his analogies in a bit…
However, it’s now well established that hackers and crafters of malware are providing their own “update” notifications: spoofs of legitimate updates that, upon acceptance, install viruses, keystroke monitors, collectors of authentication info, website trackers, information relays, and other nefarious things you most definitely want no part of. Further, they employ various tricks to “legitimize” the look and feel of their activities, one of which is an actual “Remind Me Later” option, figuring you’ll accept it at some point.
A little examination may be in order before reflexively clicking that “OK,” “Install,” or “Update Now” button. Look the popup over carefully: its aesthetics (does it look typical, if you’re able to remember the last update?); the way it’s worded; and further, is it an update that corresponds to your environment (that is, is it for something you’re actually running)? If you receive an Adobe update and you don’t have Adobe software in your environment, don’t install it.
Another consideration: Oftentimes updates will create a conflict between the updated application, and another one. There is published documentation of known problems and conflicts between resources, and frequently there is published counsel to forgo a particular update, because another non-conflicting one is due to be released by the software publisher, applications developer, plug-in provider, etc.
A really savvy user will know certain schedules. For example, if receiving a Microsoft operating system update, it would be useful to know if MS was actually sending one out. Googling around for this type of info can help. There are also some great message boards that discuss this topic, and subscription can yield solid info and protections.
But here’s today’s take-away for you: just because you don’t update an element immediately doesn’t mean you’re completely unprotected (unlike leaving your car doors unlocked, or your home unsecured). Security elements are still in your environment, running, and protecting: a good provider will stay AHEAD of threats, so that you may indeed have a little room for a “Remind Me Later,” particularly if you suspect an update might be a spoof; a threat masquerading as a legitimate update.
When all is said and done, any specific user, and any specific organization, has to make its own decisions regarding notifications of updates. You’re tasked to know your environment better than anyone.
But keep in mind that “Remind Me Later” can be a legitimate buffer as you research and vet an update notification. It’s not just a procrastination tool.
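The examination recommended above, whether for the counterfeit Adobe Flash update the Flashback Trojan hides behind or for any “Update Now” prompt, has a mechanical counterpart: compare what you actually downloaded against the checksum the vendor publishes on its own site, and only then install. The following Python is an added example, not code from the original post or from any vendor; it assumes the vendor publishes a manifest in the common SHA256SUMS layout (one `digest  filename` line per file), and every package name and byte string in it is constructed for the demonstration.

```python
"""Vet downloaded update packages against a vendor-published checksum manifest.

Added example, not code from the original post. Assumes a manifest in the
widely used "SHA256SUMS" layout (one line per file: "<64 hex chars>  <name>"),
fetched separately from the packages, over HTTPS, from the vendor's own site.
All file names and contents used here are constructed.
"""
import hashlib
import hmac
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def sha256_of_file(path, chunk_size=64 * 1024):
    """Stream the file through SHA-256 so a large installer never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Return {filename: expected_hex_digest} from SHA256SUMS-style text.

    Blank lines and '#' comments are skipped; a leading '*' on the file name
    (GNU coreutils' binary-mode marker) is dropped; anything else malformed
    is rejected rather than silently ignored.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest>  <file>'")
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) != 64 or set(digest) - HEX_DIGITS:
            raise ValueError(f"manifest line {lineno}: bad SHA-256 digest")
        expected[name] = digest
    return expected


def verify_downloads(download_dir, manifest_text):
    """Check every file the manifest names; returns {name: 'ok'|'MISMATCH'|'missing'}."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        # basename() so a hostile manifest cannot point outside the download dir
        path = os.path.join(download_dir, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_of_file(path)
        # compare_digest avoids leaking how many leading characters matched
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return results


def demo():
    """Constructed scenario: one genuine package, one altered, one never downloaded."""
    genuine = b"constructed bytes standing in for a genuine installer"
    altered = genuine + b" plus an appended payload"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "app-update-1.0.pkg"), "wb") as f:
            f.write(genuine)
        with open(os.path.join(d, "plugin-2.3.pkg"), "wb") as f:
            f.write(altered)  # the vendor published `genuine`; this copy differs
        manifest = "\n".join([
            "# constructed SHA256SUMS",
            f"{hashlib.sha256(genuine).hexdigest()}  app-update-1.0.pkg",
            f"{hashlib.sha256(genuine).hexdigest()}  *plugin-2.3.pkg",
            f"{hashlib.sha256(b'never fetched').hexdigest()}  helper-0.9.pkg",
        ])
        return verify_downloads(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A matching checksum only proves the file is the one the manifest describes, so the manifest itself has to come from a source you already trust (the vendor’s HTTPS site, or better still a signed manifest); it says nothing about a popup that sends you to a third-party download. That is why the prompt, not just the file, still deserves the inspection described above.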
NP: Soul Bird, Cal Tjader, jazz24.org
I was speaking with a colleague and friend yesterday. He’s just left an organization in the outlying Washington, DC Metro area for a larger one directly downtown.
My friend is about as savvy as they come regarding computer use, online peril, and so-called netiquette. But surprisingly, he doesn’t know what the Acceptable Use policy is at his new organization, or if they even have one.
He did know the situation at his former place of business: they most definitely didn’t have one. The place was a mess in terms of Content Management, Acceptable Use, Security, and other formalizations, expectations, and just simple courtesies of informing workers about standards, adherence, and expectations.
But this new place is supposedly a little more refined, larger, has a bit of longevity, and certainly should know better than to be remiss about standard policies, to say nothing of a prudent survey for budding challenges and timely consideration of those, in establishing and evolving policies to match.
I don’t know about you, but I like knowing what’s allowed, and what’s not, and I like remaining squarely within best practices and operational principles in not only leveraging systems and access to best business outcomes, but also leveraging that for best protections. Call it general business surety.
The overwhelming majority of people (at least in this readership) want to do the right thing. People are interested in:
1. Remaining outside the sphere of trouble.
2. Upholding and bolstering their organization’s reputation through solid contributions and deliveries.
3. Remaining within safe and sure business, and allied technical operations.
Organizations, for their part, must perform due diligence on their state of security, inside and out, and keep policies up to date. Any workforce is entitled to know its organization’s stance regarding threats and protections, and how those relate to the organization’s vulnerabilities. They then must be made aware of the resulting bouquet of policies, procedures, schedule of training, and proactive notifications, all in service of thwarting threats.
Businesses should have their IT department survey what other organizations are doing: orgs of similar size; in your market; in your geographic area. It’s a start. Begin to determine what low-cost/no-cost protections can be mounted inside, by instituting appropriate behaviors and practices. Then, forecast (budget) what protections need to be mounted through the help of solutions providers… vendors.
If you don’t have budget presently, at least get the markers on a 5-year plan or something similar. Whether you’re on the “business” side or “IT” side of the equation, you can also write tangential position papers regarding future’s streaming challenges, with the matching answer to them.
But whatever you do – don’t remain vulnerable. Be fully informed, reasoned, and straightforward in making any gaps and concerns known.
On this day (Sep. 1st): In 1858, the first transatlantic cable failed after less than one month. If at first you don’t succeed…
Today’s social networking environment is interesting from a variety of perspectives.
There’s the security aspect, of course. Folks have to be careful not to divulge too much information, such as:
“Hey! We’re on vacation in beautiful [insert location here]!”
This is the equivalent of a news bulletin to every nearby thief:
“Hi. We’re not in our home at the moment, and won’t be for the next couple weeks. Come on by, break in, and peruse our stuff – take what you like…”
In fact, it is often auto-responders that let criminals know that people are on vacation – and these can be very dangerous. Criminals survey the ‘net to find out which houses are empty, and auto-responders make for very efficient pairing of house-to-criminal. Think.
I remember the good old days when, as IT Director and later CIO, I’d walk out the door one afternoon and not touch a computer or send a message for two whole weeks. I might write a regular paper letter or two and post it while on vacation, but that was it. Today’s eCulture really has people tethered to their accounts and devices:
According to TechCrunch:
- 50% of all Americans are on Facebook – but only 37% have a passport.
- There are 750 million active users worldwide.
- There are 700 billion minutes per month spent.
- 58% of people are online while on vacation.
People feel pressure to stay “plugged in.” There’s pressure to e-mail, tweet, IM, update websites with vacation photos and blurbs…
This is a lot of people, and a lot of time spent. I would urge all users, family members, children, professional associates – all interconnected and linked people – to be very circumspect about what information you make public.
Also: Be very wary of what kinds of information new “friends” solicit. If you know someone exclusively through the domain of online social networking, e-mail, etc., be quite careful. Not to encourage spying, but take note of what children are doing too.
Also, consider private moments “breachable” – anything can happen, and it’s important to view every activity through a security prism. I counsel everyone with whom I work and deal: View all activity through security’s prism. Yes, that bears repeating – and often.
Rather than a burden, it becomes second nature – like fastening a seat belt or locking your door when exiting the house.
To “business” I say: Take stock of what you’re doing, saying, and exposing on social networking sites. Many businesses have official social networking sites and more are jumping in all the time. Employees often exit the “party” of their personal account, and bring the wrong voice to the work account. Know what employees are saying there; how they’re interacting with customers/clients and potential ones. Guard against mixing “friending” with “businessing” – have a social networking policy that comports with, and augments, the organization’s Communications Policy, Acceptable Use Policy, Security Policy, Content Management Policy, and any others.
If you don’t have each of those, or if you’re a small org, that’s ok; just be certain to cover the bases in whatever general policies you have concerning employee activity and behavior. If you’re not sure what you have or need, find someone to help you, and get liabilities and protections documented and dispersed throughout staff via communication, training, and hopefully both.
For private individuals, for organizations, now is the time for these reviews, actions, and behaviors.
NP: John Coltrane, Live at the Village Vanguard, original Impulse! 33rpm LP.
It’s interesting to me that the European Union’s European Commission is considering some standard rules for breach notification. These rules would govern how companies make notification to stakeholders, and also govern their behavior throughout breach fallouts.
These “practical rules” are being crafted from solicited input from the public, and also from national data protection authorities, as well as from consumer protection organizations. In the wake of several high-profile breaches, it’s an understandable consideration (see several of my prior posts regarding breaches).
As stated by Neelie Kroes, the EU’s digital agenda commissioner, “The duty to notify of data breaches is an important part of the new EU telecoms rules. But we need consistency across the EU so businesses don’t have to deal with a complicated range of different national schemes. I want to provide a level playing field, with certainty for consumers and practical solutions for businesses.”
If transparency is key, as one of the stated goals, then I wonder why no mention of government? What of government breaches? Is there the same timely notification requirement for various agencies? In terms of stakeholders’ wellbeing, the government harbors extraordinarily critical content regarding citizens and their interests.
It’s of further interest to me that many “experts” feel that breaches will be an ongoing problem, by virtue of the number of private companies, banks, agencies, etc., that gather and store ever-more personal and empirical data about customers, clients, patients, and so on.
I rather agree that breaches will be an ongoing problem, but not due to an expansion of data stores, that is, more targets. Breaches will occur largely through careless harboring: poor security practices, lagging security initiatives, and that most venerable and vexing problem, human error.
Joe McNamee, the head of European Digital Rights, says: “It is precisely because there will inevitably be breaches that rules are needed to ensure that citizens are informed and that companies have compelling reasons to minimize the data they collect and maximize their internal security.”
I rather think that breaches can be thwarted – with proper security protocols, proactive updating of environments to best security features and practices, sound training of personnel, and ever better encryption techniques.
Meantime: I’m back to government: What is their duty in notification of breached agencies and harbored data? Nothing I’ve read has indicated government’s oversight of… government.
I’ll also be curious to see what’s mounted, or attempted, in terms of government control here in the United States.
I’d like to hear from you. What are your thoughts on “breach notification laws”?
Stay safe out there.
NP: Elsa, Cannonball Adderley, jazz24.org