One of the hats I wore before jumping into my role as freelance writer was as an employee of a rehabilitation facility. This rehab – for physical injuries and ailments – was a small player in the huge sea of hospitals and provider companies. To that end, their systems were hardly interconnected, networked or even digitized. Patient records were stored in a room across from my office and they were walked around the building by doctors, rehab clinicians and even non-medical personnel.
While it wasn’t a secure process as any one of the people holding a file could dash away with it, the danger was far less than it is today. Now, our records – both financial and health-specific – are online and accessible to anyone who has a key. And the number of people with keys is growing.
Take the latest breach of patient information at Community Health Systems. The incident affects data for 4.5 million patients. Read more details here in the Tennessean. The company is concerned for its data and reputation, and also for the industry, as healthcare incidents are growing.
From the article…
While the attack certainly generates negative publicity for the company, CHS says it has insurance for this type of problem. “While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities,” the SEC report said, “at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results.”
The breach is a relatively large one for the health care industry, according to BitSight’s Turner, who added that CHS seems to be communicating about it appropriately.
Criminal attacks on health care companies have become common, according to a March 2014 report by data security research firm the Ponemon Institute, which said those types of hacks have risen 100 percent since the company completed the first study in 2010. Furthermore, the study said, about 90 percent of the facilities surveyed had experienced at least one data breach within the past year.
In this case, the hack came from China and short of keeping systems sandboxed or upping the security protocols, there’s not a lot CHS could have done. Though in my mind, they should have done both. How widely available do medical records and financial pieces of medical records need to be? Who should have access at any one time to this stuff? And why?
Yes, if a person is injured and can’t provide information to healthcare professionals in an emergency, it’s vital to have that information accessible. But isn’t it time we found a way to protect the huge packages of info that travel along with each of us? You might need to know what I’m allergic to, but you don’t need to know I paid my co-pays with my Discover Card. And you certainly don’t need to know other financial information to provide life-saving care.
I’m wondering where so many healthcare (and other) companies have stored their common sense. It surely wasn’t with their medical records or else we’d be seeing lots more of it.
Like many readers, I live and work near a major metropolitan area. Crime is on our minds more as a way of life as opposed to a life-trajectory-affecting force. Therefore, the issue of car break-ins isn’t one we focus on. City dwellers just know to keep valuables out of sight.
If you leave an iPod or change purse on the seat or dash, you’re begging for a smash and grab. Similarly, if you don’t secrete away your briefcase or duffel bag, your car is going to be a bit lighter or completely destroyed when you return.
That’s well and good for keeping small items safe in a parked car – how does it relate to when you’re trying to keep your business safe?
The analogy is perfect when it comes to IT security: keep your valuables (data and access to systems) out of sight. But it’s a balancing act. How can you provide complete access to vendors, customers and staff if you also have to keep things locked down? Further, if you want some buzz and SEO return, you’re going to need some presence online so folks can find you.
That’s just it, though. You want to be found and you want to be secure. The steps work this way. Keep your public face and your valuables in different locations. The systems you rely on to conduct business go on their own server, separate from the public web presence. Like hiding your leather jacket in the trunk of the car. You still have access to it, but it’s not out there in the open.
Same goes for CRM systems, other databases, proprietary apps and software, and other valuables. Once IT can make a clear decision over who gets to see what, things are easier to control. A side challenge is the organization where myriad groups need permission to read data but not write to it.
The solution there is to mirror the data daily into a read-only copy and sandbox that copy, so what those groups get is a document, not a live doorway into the production system. Though it sounds simple, the challenges IT folks run into on a regular basis could (and do) fill many textbooks.
Next week we’ll have an interview with one of those IT pros. Remember to hide your stuff! See you next week.
Guess what has two thumbs and just got a check for a project he finished? Oh, yes. This guy.
You know what’s wrong with this picture…other than the goofy grin and movie-star good looks? Yes, the check I got was a mistake. I did some writing for them, but the accounts payable team at my client’s office paid me twice. I’m currently figuring out the process for returning the check and getting a new one cut.
But that’s not the issue. The real problem is security-based. If it’s a piece of cake for someone like me to breach systems and get paid multiple times for a job I only did once, how tough could it be for a hacking cartel to find their way into that system? Furthermore, if this is happening on a broader scale, maybe our entire economy is at risk.
While it’s not as scary as someone hacking into NASDAQ or the NYSE, it still is private money and that’s got to come from somewhere. In the case of my double check, or double payment, the slip-up happened because of emails and bad record-keeping. The department for whom I did the work followed protocol when I sent in my estimate and forwarded that estimate to accounts payable. When I completed the project, I sent in an invoice using the purchase order number issued to me.
Somewhere along the line, A/P started the payment process with the knowledge that the project was underway and monies would be paid out. Then, when a ‘second’ invoice (they must have treated the estimate also as an invoice) came in, they added that to the same purchase order and cut a check.
Fixing this would simply require the A/P system to compare invoice numbers, dates, purchase order numbers and amounts before a check is cut, and to hold anything that looks like a repeat for a human to review. On my check (look at me calling it my check even though I’ve got to return it), there is a department-generated invoice number created by the computer and then an invoice number that corresponds with the invoice I supplied.
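Here is what such a check looks like in practice, as an added example; it is not the client’s A/P code or anything from the original column. It runs over a constructed sample queue, and the field names and the three rules are assumptions about how a reasonable accounts-payable system would be laid out.

```python
"""Duplicate-payment controls for an accounts-payable queue.

Added example; it is not code from the original column or from any real A/P
product. It models the failure described above: an estimate and an invoice
for the same purchase order were both treated as payable, so the vendor was
paid twice. The records below are constructed sample data and the field
names (po_number, doc_type, vendor_invoice_no, ...) are assumptions.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List

# Constructed sample queue. AP-1002 is the estimate that was filed as a second
# invoice against PO-7781; AP-1004 is an invoice the vendor re-sent.
PAYABLES = [
    {"id": "AP-1001", "po_number": "PO-7781", "vendor": "Cutler Writing",
     "doc_type": "invoice", "vendor_invoice_no": "JC-2014-017",
     "amount": 18000.00, "doc_date": date(2014, 6, 2)},
    {"id": "AP-1002", "po_number": "PO-7781", "vendor": "Cutler Writing",
     "doc_type": "estimate", "vendor_invoice_no": "EST-2014-017",
     "amount": 18000.00, "doc_date": date(2014, 4, 14)},
    {"id": "AP-1003", "po_number": "PO-7790", "vendor": "Acme Hosting",
     "doc_type": "invoice", "vendor_invoice_no": "A-55",
     "amount": 1200.00, "doc_date": date(2014, 6, 3)},
    {"id": "AP-1004", "po_number": "PO-7790", "vendor": "Acme Hosting",
     "doc_type": "invoice", "vendor_invoice_no": "a-55 ",
     "amount": 1200.00, "doc_date": date(2014, 6, 10)},
    {"id": "AP-1005", "po_number": "PO-7795", "vendor": "Acme Hosting",
     "doc_type": "invoice", "vendor_invoice_no": "A-56",
     "amount": 1200.00, "doc_date": date(2014, 6, 11)},
]


def normalize_invoice_no(value: str) -> str:
    """Vendors re-key their own numbers inconsistently; compare a canonical form."""
    return "".join(ch for ch in value.upper() if ch.isalnum())


def find_duplicate_payments(payables: List[dict]) -> Dict[str, List[str]]:
    """Return {record_id: [reasons]} for records that should block a check run.

    Three controls, any one of which would have caught the double payment:
      1. an estimate or quote is never payable on its own;
      2. the same vendor invoice number is never paid twice;
      3. the same PO, vendor and amount appearing twice gets a human look
         (this is the one that fires if the estimate was keyed in as an invoice).
    """
    reasons: Dict[str, List[str]] = defaultdict(list)
    by_invoice = defaultdict(list)
    by_po_amount = defaultdict(list)

    for rec in payables:
        if rec["doc_type"] != "invoice":
            reasons[rec["id"]].append(f"{rec['doc_type']} is not a payable document")
            continue
        by_invoice[(rec["vendor"], normalize_invoice_no(rec["vendor_invoice_no"]))].append(rec)
        by_po_amount[(rec["po_number"], rec["vendor"], round(rec["amount"], 2))].append(rec)

    # Keep the earliest document in each group and hold the later ones.
    for (vendor, inv_no), recs in by_invoice.items():
        for rec in sorted(recs, key=lambda r: r["doc_date"])[1:]:
            reasons[rec["id"]].append(f"vendor invoice {inv_no} from {vendor} already in queue")
    for (po, vendor, amount), recs in by_po_amount.items():
        for rec in sorted(recs, key=lambda r: r["doc_date"])[1:]:
            reasons[rec["id"]].append(f"second {amount:.2f} charge against {po} for {vendor}")

    return dict(reasons)


if __name__ == "__main__":
    for rec_id, why in find_duplicate_payments(PAYABLES).items():
        print(rec_id, "->", "; ".join(why))
```

Run against the sample queue, the estimate (AP-1002) and the re-sent invoice (AP-1004) are held, and the legitimate invoice on the same PO goes through untouched. The point of the third rule is that it does not depend on anyone having labelled the document correctly.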
Is it earth-shattering? Will the company go under because they paid me $36,000 instead of $18,000? Is this a security breach on the level of the Target or Costco events? For all three questions the answer is no. But if there are issues with tracking money, accounts, invoices and vendors at this level, there likely are bigger issues behind the organization’s IT services and security.
Ultimately, I shared this story because it’s important to realize that issues at one level can indicate bigger issues at other levels and it’s bad business to wait until the walls fall down around you to start examining what you could have done differently. Treat business systems as if you own them – I’m talking to you finance and IT and any C-level executive – and you’ll have less to worry about at the end of the day.
In what ways have you seen little problems blossom into bigger ones at your firm or others? Share in the comments. Next week, I’ll have video content for you! Until then, be safe!
My MINI Cooper is parked in a garage. In the car is a pile of coins that if counted would amount to $34, probably. That’s why I locked the doors, hid the coins, parked in sight of the lot attendant and ensured that nothing else of value was in view of passersby.
Paranoid? Maybe. For $34 I probably couldn’t pay to replace the smashed window that might have resulted had I left the car open. But I’m in favor of hanging on to my belongings. It’s that very attitude that should also make CTOs and IT professionals a little more vigilant when they are driving their metaphorical vehicles of client data and enterprise information around.
In fact, when more news hit the other day that Internet Explorer was not very secure (non-emphasis mine), I wondered why in the world anyone’s been using this product at all. It looks, from all details that have been released – here and in publications around the globe – that an infant could breach systems as long as they’re behind the IE wall.
Here’s an article from April that talked about how governments should abandon IE immediately.
And here’s a similar piece that came out this week touting how far IE has not come. Hackers have finally decided to make IE their whipping boy by sharing all its vulnerabilities in detail according to the Guardian.
What can you do? If I were on staff at a company and in the role of some C-level executive, I’d hold my vendor’s feet to the fire. Make it work or lose my business. How tough could that be? Trouble is, the options aren’t very numerous. Changing things is costly. And the ingrained pattern of apathy and ostriching is pervasive.
To wit, when have you ever met an IT department that suggested jumping to a new vendor and reworking all the existing systems because of a security flaw? That’s right, never. IT folks just wait for the next patch and figure things will be OK.
Well, if everyone had that attitude in the ‘real’ world, cars and houses wouldn’t have locks and we’d never need passwords for our online properties. How about waking up and thinking about business success before something bad befalls your company? Wouldn’t that be the smart thing to do – even if it means getting rid of IE?
I welcome your comments. See you with another column next week. *Want to chat with me via video – let’s do an interview. Find me on Twitter or leave a comment here. Maybe a future column will be our interview.
Thanks for reading!
I’m all for technology being incorporated into our lives. We use so many online networks to stay in touch with friends, colleagues and even the businesses with whom we interact. But the cost of sharing information with these audiences is often worth the payoff. ROI of sharing is enriched lives.
Then, as tech protections get better, we start to feel more secure and almost blasé about our movements. We use our tech gadgets frequently and without regular safeguards. Surfing the hotel Wi-Fi without engaging the VPN. Hopping onto any open wireless signal near the coffee shop you’re sitting in. Grabbing a signal at the airport just to send an email.
Even the physical realm – where credit card and ATM skimmers are prevalent – seemed safer now that chip and pin technology had been either implemented or planned. You could make purchases with impunity and didn’t worry about leaving your wallet in a taxi or getting pickpocketed. Kind of.
But then it happened. The chip and pin was thwarted. Whether it’s an urban legend or not – waiting for full confirmation – it made me check my pocket for my wallet. And it happened in Europe of all places!
Here’s the account as penned by colleague Robert Lemos here at Tech Target. In it he tells of a tale from 2011 when “unauthorized charges of more than $1,800 were made to his HSBC credit card, despite the fact that his card contained a security chip”.
That’s enough to make me wonder whether we shouldn’t do a bit more testing before requiring the world to go in this direction. Remember, this is THREE YEARS ago and thieves were able to beat the system then. Maybe we’re in more trouble than we realize.
What do you think is the best way we can secure our personal finances? Go back to cash? Require retina scans? Voiceprints?
Until they figure this out, I’m keeping my valuables on a collar around the neck of my cat. As her tag says, “I’m a biter.” At least if my stuff gets stolen, the person who grabs it will leave a little blood behind.
The Supermoon the other night got me thinking, “with great size comes great responsibility.” While reworked from a Spiderman comic book quote, it’s a saying that rings true when you’re thinking about online presence and how you can best control your image, assets and team.
The business environment is increasingly run via online systems administered by your IT department and vendors. As this occurs, the amount of control CTOs and CIOs have is diminished because they can’t possibly know everything that’s happening under their corporate roof. To combat that, some firms tighten the reins and make it difficult for employees to do their jobs.
Witness marketing departments that need to wait a week before installing software; or sales teams that can’t visit customer sites with mobile workstations because they might not be secure if logged into outside Internet access.
Going the other route – and ceding control – is a scary proposition. Who knows what access is being given to contractors, admins, part-time employees and visitors? And with the news getting ever darker in terms of breaches and IT security incidents, we’re all prone to freeze up and not do anything for fear of muddying our own security.
In fact, in Dark Reading the other day, it was reported that more than 96 percent of organizations experienced a significant IT security incident in the past year. I think this figure is inflated. 96% of all companies? Probably a typo, but here’s the entire article. The piece I found more relevant and easier to swallow was that 39 percent of organizations experienced two events.
So, what are we to do? Be smart. Don’t give access to your facility or systems without fully vetting people. But then trust your vetting process so you can move on and be productive. Further, make sure your first line of defense – the IT team – is so well versed in provisioning and security procedures that you’d be comfortable stepping away from the office. A two-week untethered vacation shouldn’t be a stress-inducing proposition. You should be able to rely on the team you train when you’re not at the office.
What’s the main takeaway? As we get bigger, so do our problems. Only being careful with our property – both data and facilities – will help us continue to be successful.
Have you experienced a significant IT incident in the past year? Are you part of the 39% that has reportedly experienced TWO incidents? What have you done to respond and lock down your stuff?
I’d love to hear from you. See you next week.
The house next to mine is being broken into as I write this. Seriously. Some guy with a ladder walked around the entire house and then chose a window to enter through and set up the ladder and started to climb. Only when I emerged from my house – after taking photos of him and his pickup truck – and walked out onto my back deck did he pause.
“I’m looking at this house for some people,” he said.
I just nodded. After a period of silence, he came down the ladder and moved – with it – to the side of the house where I couldn’t watch him. I went back to my computer and kept an eye on the house.
Then the realtor showed up and explained that the man was there to do a home inspection and I had nothing to worry about. In fact, I had a lot to worry about. Especially how easy it would be for masked men with ladders to breach any of the houses around me – or even mine.
Which makes me think about our lines of defense as homeowners and as data caretakers. If this guy with the ladder was a thief, would he have started in a place out-of-view? Would he have discovered a hide-a-key or other method of entry? Would he have been successful in breaching the defenses and borders of the home next door?
It was very likely. I didn’t see anyone else in the neighborhood challenge him. I didn’t see anyone else take note of his truck or license plate. When it comes to securing your facility and data, you probably have to take the same approach. It falls to YOU to make sure your doors are shut and locked and your client and corporate data is secure.
But then I thought about another scenario. What if I were the person with the ladder trying to access my own home? How much security would be daunting? What safeguards would I have in place so I could gain access in an emergency?
The same thoughts should go through your head when you’re securing the corporate assets. Is there a way in that only an inside circle of people know about? Is it foolproof and based on clear identity processes? Could someone pretending to be you get inside?
In the same way a key under a rock is pretty insecure, you don’t want to set up a simple gauntlet for thieves to traverse. You need something that’s secure and convenient at the same time. Just as our system passwords are familiar to us yet complex, you should do the same thing with your door key and building access.
Here at home our system is to leave keys with neighbors and relatives. In a pinch, it takes some effort to get the key and enter the house, but it isn’t a process a thief would be able to do. At your organization, give the keys to a trusted department head in the form of an encrypted document. Or mail yourself access instructions – encoded of course – in the case of a system malfunction or attack where you need to get in through your own back door.
Further, having a set of physical keys to your facilities held with various trusted employees or locked up at a second facility is a method that can ensure you get access without too much hoop jumping.
If it were easy to breach our systems and crash through our front doors, it would happen more frequently. The trick is finding a way to secure your business and data so if you get locked out you can get back in without too much fuss.
What are your tricks for securing your home? Key in the grill, key on the dog’s collar, stuck behind the door knocker (a thief is probably not knocking), attached to your wind chimes?
Then, what methods are you using to keep your company secure but accessible?
I’d love your comments! See you next week!
Sometimes the daily grind of log management, provisioning personnel and staying on top of IT security issues is just too much. You need a break to relax by the pool and sip an iced tea in the summer sunshine. Well, don’t we all. That’s not reality though. Without careful and constant vigilance, hackers, thieves and ne’er-do-wells will be taking our data and other valuable property.
But it is summer, so instead of giving top tips to secure your data center or the best ways to lock down your IT infrastructure, I wanted to share a few articles on security I found around the Web. They make nice reading for a lounge chair if you do make it to the beach or pool. And if you’re stuck in the office over the July 4 holiday weekend, these articles are perfect for coffee-break reading.
First up is something I saw over on CNET. Microsoft has finally provided some visibility into its efforts to make Webmail safer. In this article, the author describes how Transport Layer Security encryption works. Across Microsoft’s mail services, TLS encrypts messages while they travel between mail servers (and between your client and the server), so it is meant to stop eavesdropping on the wire rather than to fix breaches of the mailbox itself, and it only helps when the other side supports it too. What’s your take?
Here’s a snippet from the article…
“This means it will be significantly harder for email originating from and being sent to a Microsoft account to be spied on, as long as the connecting email service also uses TLS.”
Next in your reading list is something a bit more mainstream and fun. Celebrities are as paranoid as ever, but it’s probably smart for IT and business folks to follow their lead. Essentially, be aware of everything going on around you and beef up your corporate security measures if you have any fear of breaches or attacks.
Lastly, in another piece of Windows news, the fight over ‘No-IP’ hostnames is heating up. The Register says Microsoft has moved against No-IP, a dynamic DNS provider, by taking control of its domains to cut off malware that used them. Dynamic DNS is not a protocol of its own; it lets a hostname be re-pointed at a new IP address whenever the machine behind it moves, which is handy for a home server and just as handy for malware operators, whose command-and-control hosts become harder to pin down and block.
Read the article on their stance and how the security community and government are responding. On one side, free dynamic hostnames are useful to a lot of legitimate users. On the other hand, if it cuts off malicious command-and-control traffic, is this blow to dynamic DNS worth it? You decide.
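Whatever you think of the takedown, the practical question for your own shop is whether anything inside is resolving these hostnames. Here is a small detector for that, as an added example and not code from the original column or from the article. The log lines are constructed in the shape of BIND query logging, and the zone list is a short illustrative sample, not a complete or authoritative one.

```python
"""Flag dynamic-DNS lookups in a DNS query log.

Added example; it is not code from the original column or from the article it
links. No-IP is a dynamic DNS provider: a free hostname such as
something.no-ip.org can be re-pointed at a new IP address whenever the
operator moves a machine, which is why malware used such names for
command-and-control. The zone list below is a short illustrative sample and
the log lines are constructed; both would come from your own sources in
practice.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Sample of free dynamic-DNS zones (assumption: illustrative, not exhaustive).
DYNDNS_ZONES = {
    "no-ip.org", "no-ip.biz", "no-ip.info", "noip.me", "hopto.org",
    "zapto.org", "serveftp.com", "servehttp.com", "myftp.org", "redirectme.net",
}

# Constructed lines in the shape of BIND query logging:
#   <timestamp> client <ip>#<port>: query: <name> IN <type> <flags> (<server>)
SAMPLE_LOG = """\
01-Jul-2014 09:12:01.101 client 10.0.4.17#51523: query: www.techtarget.com IN A + (10.0.0.53)
01-Jul-2014 09:12:02.412 client 10.0.4.17#51524: query: update-srv1.no-ip.org IN A + (10.0.0.53)
01-Jul-2014 09:12:02.980 client 10.0.4.17#51525: query: win-host.hopto.org IN A + (10.0.0.53)
01-Jul-2014 09:12:03.004 client 10.0.4.17#51526: query: cdn.no-ip-lookalike.com IN A + (10.0.0.53)
01-Jul-2014 09:12:05.220 client 10.0.4.22#40011: query: mail.example.org IN MX + (10.0.0.53)
01-Jul-2014 09:12:07.333 client 10.0.4.22#40012: query: myhome.zapto.org IN A + (10.0.0.53)
01-Jul-2014 09:12:09.000 client 10.0.4.22#40013: query: MYHOME.ZAPTO.ORG. IN A + (10.0.0.53)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def registered_zone(name: str) -> Optional[str]:
    """Return the dyn-DNS zone a queried name falls under, or None.

    Matches on label boundaries only, so 'cdn.no-ip-lookalike.com' does not
    match 'no-ip.org', and the comparison is case-insensitive and ignores a
    trailing dot (both legal in DNS and both used to dodge naive string checks).
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DYNDNS_ZONES:
            return candidate
    return None


def find_dyndns_queries(log_text: str) -> Dict[str, Set[str]]:
    """Map each client IP to the distinct dyn-DNS hostnames it resolved."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        if registered_zone(name):
            hits[m.group("client")].add(name)
    return dict(hits)


def noisy_clients(hits: Dict[str, Set[str]], threshold: int = 2) -> List[str]:
    """Clients that resolved at least `threshold` distinct dyn-DNS names.

    One such hostname is often someone's home server; several from one
    workstation are the first place to look.
    """
    return sorted(client for client, names in hits.items() if len(names) >= threshold)


if __name__ == "__main__":
    found = find_dyndns_queries(SAMPLE_LOG)
    for client, names in sorted(found.items()):
        print(client, sorted(names))
    print("review first:", noisy_clients(found))
```

On the sample, 10.0.4.17 resolves two different dynamic hostnames and tops the review list, while 10.0.4.22 shows a single name (queried twice in different case) and the look-alike domain is correctly ignored. Treat the hit list as a lead, not a verdict; the same zones host plenty of legitimate home offices.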
As discussed in my column last week, please send me ideas for topics you want to read about. I’d like to delve deeper into security issues that you face regularly. And I’m always open to doing interviews with experts on your staff – just leave your info in the comments.
Thanks! See you next week.
One of my regular soapbox topics is the ease with which facilities can be breached. And if you can get in the door of an organization, it’s relatively easy to get into doors within the building and wreak havoc with systems, data, physical and intellectual property and the livelihood of the business.
It’s also pretty simple these days to set up a first line of defense to keep interlopers at bay. One caveat is that security staff and IT should work in concert to maintain high levels of security when it comes to access to facilities and systems.
Why am I thinking of this on a gorgeous summer day? The Fake ID season is upon us. That’s right, fake IDs are a huge business all over the nation. This time of year, with students graduating high school and headed away to college, buckets of money are made in the sale of fake IDs. And if crooks in towns from Albuquerque to Zion can create IDs that fool police departments, what’s to keep this technology from opening the doors to your company?
Here’s the story of the burgeoning – and highly sophisticated – fake ID trade in a town just south of Boston, MA. In this case, the IDs are so well made that police came up with a key to assist bars and liquor stores in detecting the fakes. Take a look at the minute details that are incorporated in the IDs to make them so effective. (Screenshot of the ID image on the Canton, MA Police FB page)
What’s the solution? There are a few routes you can go to lock down your data and building.
First, take provisioning seriously. Maintain a database that accurately documents who is allowed on your campus and in your buildings. Make sure that HR and all relevant departments keep this list updated so your security team can keep unwanted people out of your facilities.
Next, make sure only the people who require access to systems have it. Don’t allow individual staffers to be administrators on their own workstations; anything they click on runs with those same rights, and that opens security holes all over the place. While it might be time-intensive to send an IT person to install software and change passwords for each employee, it is the best way to keep all employees on the same access level. It also keeps your internal machines safe.
Do a full vetting of your IT staff – perhaps this should be step one. This way you know who you can trust and who’s working for you before you give them keys to the city. Once cleared, this is the security force that keeps your critical information safe.
Finally, never let your guard down. Just as the IDs have gotten better for underage drinkers, so too have the ways in which criminals are trying to tear down your walls. Breaches are going to occur. Make sure they don’t happen because of something or someone you overlooked and unwittingly let into your business.
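The provisioning list in the first step only earns its keep if somebody regularly checks it against what the badge system and the directory actually allow. Below is that reconciliation as an added example; it is not code from the original column or from any real HR or badge product. The roster, badge and directory exports are constructed samples, and the field names and the rule about which roles may hold local administrator rights are assumptions.

```python
"""Reconcile who HR says is allowed in against who can actually get in.

Added example; it is not code from the original column. The column's first step
is a provisioning database that HR and security keep current. This is the check
that makes such a list useful: compare the HR roster with the badge system and
the directory, and report (1) badges or accounts belonging to people who are
not on the roster or have left, and (2) people holding local administrator
rights their role does not call for. All three data sets are constructed
samples; field names and the list of roles allowed to be local admins are
assumptions.
"""
from datetime import date
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (person or account, system, problem)

AS_OF = date(2014, 7, 1)               # constructed report date
AFTER_CONTRACT_END = date(2014, 9, 1)  # constructed date after the contractor's end date

# HR roster: the authoritative list. Contractors carry an end date.
HR_ROSTER = {
    "jcutler": {"status": "active", "role": "contractor", "end_date": date(2014, 8, 31)},
    "asmith": {"status": "active", "role": "employee", "end_date": None},
    "bjones": {"status": "terminated", "role": "employee", "end_date": date(2014, 5, 30)},
    "rlemos": {"status": "active", "role": "it-staff", "end_date": None},
}

# Badge system export: badge id -> holder and the doors it opens.
BADGES = {
    "B-0091": {"holder": "asmith", "doors": {"lobby", "floor2"}},
    "B-0144": {"holder": "bjones", "doors": {"lobby", "floor2", "datacenter"}},  # never collected
    "B-0150": {"holder": "jcutler", "doors": {"lobby"}},
    "B-0151": {"holder": "tvisitor", "doors": {"lobby", "floor2"}},  # nobody by that name in HR
}

# Directory export: account -> enabled flag and group memberships.
ACCOUNTS = {
    "asmith": {"enabled": True, "groups": {"staff"}},
    "bjones": {"enabled": True, "groups": {"staff", "local-admins"}},
    "jcutler": {"enabled": True, "groups": {"contractors", "local-admins"}},
    "rlemos": {"enabled": True, "groups": {"staff", "local-admins"}},
    "svc-backup": {"enabled": True, "groups": {"service-accounts"}},
}

ADMIN_ALLOWED_ROLES = {"it-staff"}       # assumption: only IT keeps local admin rights
KNOWN_SERVICE_ACCOUNTS = {"svc-backup"}  # not people; reviewed by a separate process


def is_authorized(person: str, today: date, roster: Dict[str, dict] = HR_ROSTER) -> bool:
    """True if HR lists the person as active and any end date has not passed."""
    rec = roster.get(person)
    if rec is None or rec["status"] != "active":
        return False
    return rec["end_date"] is None or rec["end_date"] >= today


def reconcile(today: date, roster=HR_ROSTER, badges=BADGES, accounts=ACCOUNTS) -> List[Finding]:
    """Cross-check badges and accounts against the roster as of `today`."""
    findings: List[Finding] = []

    for badge_id, b in badges.items():
        if not is_authorized(b["holder"], today, roster):
            findings.append((b["holder"], "badge",
                             f"{badge_id} still opens {sorted(b['doors'])} but holder is not on the roster"))

    for name, acct in accounts.items():
        if name in KNOWN_SERVICE_ACCOUNTS or not acct["enabled"]:
            continue
        if not is_authorized(name, today, roster):
            findings.append((name, "account", "enabled account for someone not on the roster; disable it"))
        elif "local-admins" in acct["groups"] and roster[name]["role"] not in ADMIN_ALLOWED_ROLES:
            findings.append((name, "account",
                             f"local administrator rights not allowed for role {roster[name]['role']}"))

    return findings


if __name__ == "__main__":
    for who, system, problem in reconcile(AS_OF):
        print(f"[{system}] {who}: {problem}")
```

Run for July 1, the report surfaces the terminated employee who still has a badge that opens the data center and an enabled account, a badge holder HR has never heard of, and a contractor with local admin rights. Run again after the contractor’s end date and the contractor’s badge and account show up too, which is the point: the check has to run on a schedule, not once.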
Be safe out there. Talk to you next week!
I’m not sure I ever did a ‘welcome’ to the blog post when I first started working for Tech Target and putting my columns on security, data breaches, log management and more out into the ether. This post serves that purpose. I want to say hi, introduce myself a bit more, ask you some questions and then get on with the business of reporting on security events and sharing my opinions and guidance as it pertains to keeping your sites and facilities safe.
Me – 22+ years as a professional journalist, technology correspondent, food and travel writer and more. I continue to freelance and provide columns to myriad organizations and outlets. And I enjoy every minute. If I can talk conversationally to an audience that wants to open their mind, then I’m thrilled. You can find my other writing at JeffCutler.com - enjoy.
As far as this security stuff is concerned, I’m as freaked out as you. Every day some business or entity has its database hacked or systems taken down. We’re seeing new ways in which we can lose money and information. And there are no clear-cut answers in an environment where we need to stay connected to be successful. I’ve done a lot of writing on the pragmatic approach to keeping your stuff safe. I’m still learning some of the intricate database protection methodology, but most of this comes down to common sense.
If you want to keep your stuff safe, keep it away from the bad guys!
All that shared, let me know if there are current events you want covered or expounded upon. Tell me who I should reach out to and interview – videos are lots of fun and I love sharing that type of content with you. Maybe you even want to do Q&A type posts with me. If so, send me your questions and we can try to make that a regular feature.
Whatever the case and whatever the course, I’m here for you. Make use of the blog and learn from me. Tell me how I can help and we’ll both be happy going forward.
Thanks for reading. See you next week.