Jeff Cutler's Keys to Security


September 10, 2014  4:33 PM

Hotels, Apple, TSA and more Security

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Apple, Data, IOS, protection, Security

I’m typing this from Gate 16 at the Nashville airport. After spending a week here in the south, I’ve been able to amass information on a variety of security issues that you’ve probably faced. I want to share them with you here and find out your thoughts.

Hotel security observations…

Regardless of where you’re staying, the way to get around hotel security systems is to act like a tourist while paying careful attention to the inner workings of the facility. From gaining access to rooms being cleaned to pilfering food and goodies from onsite conferences, it’s relatively easy to thwart the system.

View from the hotel room balcony at the huge and scenic Gaylord Opryland Hotel, Nashville, TN.

Not that I’d do any of these things, but hypothetically there were opportunities for me to enjoy a breakfast; obtain a stuffed animal and other goodies from trade-show booths; take a nap in a room that was being cleaned; snag a tasty Häagen-Dazs ice cream bar; and collect 47 soaps from various carts around the hotel.

My sole interaction with hotel security came when I somehow short-circuited my in-room safe and had to have them come crack it. You realize, they don’t do anything more than plug in something resembling a fat thumb drive (with different connectors) and voila, the safe is open.

Essentially, if you’re in a hotel you have to put your trust in the staff and keep an eye on your belongings. There’s no real way to keep your stuff safe outside of keeping it with you or leaving it at home.

Let’s talk about Apple Computer…

The tech giant (and lifestyle company if we want to be truthful) just had their major fall press conference. There, they announced two new iPhone models and an Apple Watch. The debut of these items is cool, but the two surprising things that happened – or didn’t occur – during the press conference tell more about the future of tech security.

First, Apple made no mention of the iOS security breaches that allowed hundreds of risqué photos to be seen by the world. They didn’t promise to beef anything up. They didn’t say there was an update coming. What this tells me is that Apple has the same mindset I do – that people do not adequately secure their data.

Second, Apple’s feed hit some snags during the press conference. My guess, before the full report comes out, is that hackers were having some more fun with Apple…trying to prove that nothing is safe. We’ll find out if the glitch was really just that or if it was caused by nefarious forces.

Now, how about that TSA?

In Nashville, there are large bags with instruments in them being carried everywhere. I’ve been at the airport for about an hour so far and I’ve heard three announcements (in my terminal) of guitar cases and backpacks being left behind. That’s not something that would be tolerated elsewhere. Think of the security risk airlines face if packages the size of a bass or guitar were left unattended.

Also, I’m against the insanity of TSA PreCheck in a location where the security line is only about 10 minutes from start to finish. Today, I watched as scores of people went into the PreCheck line – and it took many of them longer than the regular line to get into the gate area. Why have this security process in place if it’s not really providing a benefit? Maybe a better thing to do is make it contingent on the number of people flying and the time of day.

I don’t purport to be able to fix everything, but these are the security topics I’m thinking about this week. What’s on your mind?

AND, be sure to join me and a bunch of my colleagues next week when we conduct a Twitter security chat on Thursday, Sept. 18. For more details, see the ITKE Twitter feed – @ITKE.

Thanks for reading!

September 5, 2014  12:25 AM

Naked photos, common sense and construction security

Credit cards, Hackers, IOS, Security

It’s been a wild week. Each time I had this column ready to post, something else happened in the security world and I had to rewrite this thing. From naked photos of celebrities on iOS cloud servers to a purported breach of credit card data at Home Depot, I think we’ve finally gotten a hold on the week’s news. So let’s jump in and discuss this mess.

Models show off the latest in swimwear fashion at Brasserie Jo Boston in February 2014.

First, if you are not familiar with cloud computing and how applications back up your data…THEN DON’T USE THEM. While most folks are railing on about this being a travesty of justice and a perverted crime, I see this as a failing of common sense. Let’s put this in better perspective and pretend the data stolen or shared was something as simple as a document.

When you think of these photos as snippets of data, then you can detach yourself from the ‘sex’ component of the crime and look at it as an example of user error when it comes to understanding data security and backup. Am I right? If you believe that any piece of your data is safe when transmitted over the Internet, then you’re missing some common sense.

As the pundits have said, this is a boon for the camera manufacturers who were insanely worried about making their future models Wi-Fi-enabled and fully connected. Now they don’t have anything to fear from mobile phone camera users because everyone is going to stop sharing their stuff online. Right? Wrong!

You know why? Because many people have the common sense to at least know how online backups work, how secure they are, AND to not share invaluable items on an inherently insecure network.

OK, enough sex photo soapbox for today. In other news, it has been reported that Home Depot had a credit card breach that might rival those at Target and other stores. Should this surprise us as much as the sex photo thing did? Again, no. But we should be more concerned about this because it affects the financial viability of a system we all use every day.

So, until these breaches stop happening so fast and furiously, I’d advise using dollar coins or some other method to pay for goods and services. Do this for two reasons. 1 – we don’t quite have the chip-and-PIN technology nailed yet. 2 – dollar coins are hard to counterfeit and the return on counterfeit coins is low.

That’s today’s lesson. I hope next week has less excitement and more solutions for our security-starved world. Got thoughts on this week’s events? Leave me a comment.


August 28, 2014  7:36 PM

Summer Security Wrap-up

Data, Hackers, malware, Security

Fantasy Football drafts are about to take place, students are moving back to school, vacation travel is being wrapped up, and lots of financial, life, leisure and family information is being shared. That’s an environment that reeks of security risks and is probably making lots of hackers lick their chops. Therefore, I’d like to share a few news tidbits and my thoughts as this last post of the summer here on Security Keys.

Sunset over Boston Harbor

First off, if you’re shipping kids off to college and still want to take a little vacation you might want to look at Suits and Spooks in London September 12. The gathering is called a “unique, limited attendance cyber security event” that takes place at venues all over the world a few times each year.

From their site:

“Each event draws thought leaders and decision makers from the public, private, defense, law enforcement and intelligence sectors who come to learn about and discuss some of the key security challenges which face our digitally connected nation and world.”

The information on the conference came across my desk as more breaches are being reported, especially in the banking and financial world. Which then led me to think about our access to information and the amount of buzz each data breach or security event gets. To wit, in the 1950s, if you lived in Philadelphia you might not hear about California events unless they were earthquake-esque. Our data infrastructure now has us whirling about daily because there are constant reports of hackers and thieves grabbing all our stuff.

But are these reports real or are we now jumping at shadows?

An article in Security Week puts a little doubt in my mind about the number of breaches that have been reported. In fact, JP Morgan Chase is working with the FBI to see whether all the reported financial data attacks actually took place. While this might be a good wake-up call for institutions, I hope it doesn’t result in complacency if there turn out to be a significant number of fabricated reports. We still need to be vigilant about keeping our doors and windows closed.

Which makes me share this third item – a definition – from Techopedia. For a while I was wondering what malvertising actually meant, because most advertising is created with some sort of goal in mind. In this case, it’s actually code hidden within online ads that are served on sites that are less than secure. Then, when people click on the ads or somehow activate them, they infect computers, systems and entire organizations, leaving them vulnerable to other attacks.

I’m not sure I’ve clicked on an online ad yet, so I’m hoping my laptop is still free of infection.

That’s it from here. Have a secure week and a great holiday. See you next week!


August 19, 2014  3:37 PM

Healthy Respect for Security – Medical Data Breaches

Hack, Healthcare, Security, Stolen data

One of the hats I wore before jumping into my role as freelance writer was as an employee of a rehabilitation facility. This rehab – for physical injuries and ailments – was a small player in the huge sea of hospitals and provider companies. To that end, their systems were hardly interconnected, networked or even digitized. Patient records were stored in a room across from my office and they were walked around the building by doctors, rehab clinicians and even non-medical personnel.


While it wasn’t a secure process as any one of the people holding a file could dash away with it, the danger was far less than it is today. Now, our records – both financial and health-specific – are online and accessible to anyone who has a key. And the number of people with keys is growing.

Take the latest breach of patient information at Community Health Systems. The incident affects data for 4.5 million patients. Read more details here in the Tennessean. The company is concerned for its data and reputation, and also for the industry, as healthcare incidents are growing.

From the article…

While the attack certainly generates negative publicity for the company, CHS says it has insurance for this type of problem. “While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities,” the SEC report said, “at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results.”

The breach is a relatively large one for the health care industry, according to BitSight’s Turner, who added that CHS seems to be communicating about it appropriately.

Criminal attacks on health care companies have become common, according to a March 2014 report by data security research firm the Ponemon Institute, which said those types of hacks have risen 100 percent since the company completed the first study in 2010. Furthermore, the study said, about 90 percent of the facilities surveyed had experienced at least one data breach within the past year.

In this case, the hack came from China and short of keeping systems sandboxed or upping the security protocols, there’s not a lot CHS could have done. Though in my mind, they should have done both. How widely available do medical records and financial pieces of medical records need to be? Who should have access at any one time to this stuff? And why?


Yes, if a person is injured and can’t provide information to healthcare professionals in an emergency, it’s vital to have that information accessible. But isn’t it time we found a way to protect the huge packages of info that travel along with each of us? You might need to know what I’m allergic to, but you don’t need to know I paid my co-pays with my Discover Card. And you certainly don’t need to know other financial information to provide life-saving care.

I’m wondering where so many healthcare (and other) companies have stored their common sense. It surely wasn’t with their medical records or else we’d be seeing lots more of it.

Thoughts?


August 13, 2014  3:19 PM

The Broken Car Window – Keep Your Valuables Out of Sight

Data, duplicate, IT, Permissions, Sandbox, Security, Uncategorized

Like many readers, I live and work near a major metropolitan area. Crime is on our minds more as a way of life as opposed to a life-trajectory-affecting force. Therefore, the issue of car break-ins isn’t one we focus on. City dwellers just know to keep valuables out of sight.


If you leave an iPod or change purse on the seat or dash, you’re begging for a smash and grab. Similarly, if you don’t secret away your briefcase or duffel bag, your car is going to be a bit lighter or completely destroyed when you return.


That’s well and good for keeping small items safe in a parked car – how does it relate to when you’re trying to keep your business safe?

The analogy to IT security is a perfect fit: keep your valuables (data and access to systems) out of sight. But it’s a balancing act. How can you provide complete access to vendors, customers and staff if you also have to keep things locked down? Further, if you want some buzz and SEO return, you’re going to need to have some presence online so folks can find you.

That’s just it, though. You want to be found and you want to be secure. The steps work this way. Keep your stuff in different locations. For systems you rely on to conduct business, put them on one server. Like hiding your leather jacket in the trunk of the car. You still have access to it, but it’s not out there in the open.

Same goes for CRM systems, other databases, proprietary apps and software, and other valuables. Once IT can make a clear decision over who gets to see what, things are easier to control. A side challenge is the organization where myriad groups are given permissions to read data but not write to it.

The solution there is to mirror the data daily and then sandbox it so it’s only a document and not a complete doorway into the information. Though it sounds simple, the challenges IT folks run into on a regular basis could (and do) fill many textbooks.

Next week we’ll have an interview with one of those IT pros. Remember to hide your stuff! See you next week.


August 5, 2014  9:32 PM

Bad Security in One Area is Bad Security in All Areas

Accounts payable, CEO, CIO, CTO, Finance, IT, Security, Uncategorized

Guess what has two thumbs and just got a check for a project he finished? Oh, yes. This guy.


You know what’s wrong with this picture…other than the goofy grin and movie-star good looks? Yes, the check I got was a mistake. I did some writing for them, but the accounts payable team at my client’s office paid me twice. I’m currently figuring out the process for returning the check and getting a new one cut.

But that’s not the issue. The real problem is security-based. If it’s a piece of cake for someone like me to breach systems and get paid multiple times for a job I only did once, how tough could it be for a hacking cartel to find their way into that system? Furthermore, if this is happening on a broader scale, maybe our entire economy is at risk.

While it’s not as scary as someone hacking into NASDAQ or the NYSE, it still is private money and that’s got to come from somewhere. In the case of my double check, or double payment, the slip-up happened because of emails and bad record-keeping. The department for whom I did the work followed protocol when I sent in my estimate and forwarded that estimate to accounts payable. When I completed the project, I sent in an invoice using the purchase order number issued to me.

Somewhere along the line, A/P started the payment process with the knowledge that the project was underway and monies would be paid out. Then, when a ‘second’ invoice (they must have treated the estimate also as an invoice) came in, they added that to the same purchase order and cut a check.

Fixing this would simply require a database that can compare invoice numbers and dates and other possible duplicate fields. On my check (look at me calling it my check even though I’ve got to return it), there is a department-generated invoice number created by the computer and then an invoice number that corresponds with the invoice I supplied.
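Here is what that duplicate comparison can look like in practice. This is an added example, not the column's or any accounts-payable vendor's code; the record layout, the vendor name and every ledger entry are constructed to mirror the story above (an estimate and the real invoice both landing on one PO, and the invoice later re-keyed with a slightly different number).

```python
"""Duplicate-payment check over a payables ledger (added example, not the
column's code). The Payable layout below is a hypothetical record format."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from itertools import combinations
import re


@dataclass(frozen=True)
class Payable:
    """One document queued for payment (hypothetical record layout)."""
    system_id: str      # number the department's own system generated
    vendor_ref: str     # number printed on the document the vendor sent
    po_number: str
    vendor: str
    doc_type: str       # "invoice" or "estimate"
    amount_cents: int
    received: date


def normalize_ref(ref: str) -> str:
    """Canonical reference so 'INV-0042', ' inv 42 ' and 'Inv#42' all match."""
    compact = re.sub(r"[^0-9A-Za-z]", "", ref).upper()
    m = re.fullmatch(r"([A-Z]*)0*(\d+)", compact)
    return f"{m.group(1)}{int(m.group(2))}" if m else compact


def find_duplicate_payments(ledger, window_days=45):
    """Return sorted (reason, system_id, other_system_id_or_None) findings.

    Three checks, from strongest to weakest signal:
      1. same vendor and same vendor reference -> the same bill keyed twice;
      2. a non-invoice document (estimate, quote) sitting in the payables queue;
      3. same PO and same amount received within window_days of each other.
    """
    findings = set()
    flagged_pairs = set()

    # Rule 1: exact duplicate after normalizing the vendor's own reference.
    by_ref = defaultdict(list)
    for p in ledger:
        by_ref[(p.vendor.strip().upper(), normalize_ref(p.vendor_ref))].append(p)
    for group in by_ref.values():
        for a, b in combinations(sorted(group, key=lambda x: x.system_id), 2):
            findings.add(("same vendor reference", a.system_id, b.system_id))
            flagged_pairs.add((a.system_id, b.system_id))

    # Rule 2: an estimate is never a bill; it should not be in the queue at all.
    for p in ledger:
        if p.doc_type.lower() != "invoice":
            findings.add(("non-invoice document paid", p.system_id, None))

    # Rule 3: same PO, same amount, close together -> probable double payment.
    by_po_amount = defaultdict(list)
    for p in ledger:
        by_po_amount[(normalize_ref(p.po_number), p.amount_cents)].append(p)
    reason = f"same PO and amount within {window_days} days"
    for group in by_po_amount.values():
        for a, b in combinations(sorted(group, key=lambda x: x.system_id), 2):
            if (a.system_id, b.system_id) in flagged_pairs:
                continue  # already reported under the stronger rule
            if abs((a.received - b.received).days) <= window_days:
                findings.add((reason, a.system_id, b.system_id))

    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))


# Constructed sample ledger: the $18,000 estimate and the $18,000 invoice both
# hit PO-5521, and the invoice is later re-keyed under a reformatted number.
LEDGER = [
    Payable("AP-1001", "EST-0077", "PO-5521", "Cutler Writing", "estimate", 1_800_000, date(2014, 4, 14)),
    Payable("AP-1042", "JC-2014-03", "PO-5521", "Cutler Writing", "invoice", 1_800_000, date(2014, 5, 1)),
    Payable("AP-1050", "JC-2014-04", "PO-5600", "Cutler Writing", "invoice", 250_000, date(2014, 5, 3)),
    Payable("AP-1061", "jc 2014 03", "PO-5521", "Cutler Writing", "invoice", 1_800_000, date(2014, 5, 5)),
]

if __name__ == "__main__":
    for reason, first, second in find_duplicate_payments(LEDGER):
        print(f"{reason}: {first}" + (f" vs {second}" if second else ""))
```

The legitimate second job on PO-5600 produces no finding, while the estimate and the re-keyed invoice are each caught by at least one rule before a check is cut.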

Is it earth-shattering? Will the company go under because they paid me $36,000 instead of $18,000? Is this a security breach on the level of the Target or Costco events? For all three questions the answer is no. But if there are issues with tracking money, accounts, invoices and vendors at this level, there likely are bigger issues behind the organization’s IT services and security.

Ultimately, I shared this story because it’s important to realize that issues at one level can indicate bigger issues at other levels, and it’s bad business to wait until the walls fall down around you to start examining what you could have done differently. Treat business systems as if you own them – I’m talking to you, finance, IT and any C-level executive – and you’ll have less to worry about at the end of the day.

In what ways have you seen little problems blossom into bigger ones at your firm or others? Share in the comments. Next week, I’ll have video content for you! Until then, be safe!


July 30, 2014  4:19 PM

IE no more secure than an unlocked car

CTO, Hack, Hackers, Internet Explorer, IT, Security, Software

My MINI Cooper is parked in a garage. In the car is a pile of coins that if counted would amount to $34, probably. That’s why I locked the doors, hid the coins, parked in sight of the lot attendant and ensured that nothing else of value was in view of passersby.

Paranoid? Maybe. For $34 I probably couldn’t pay to replace the smashed window that might result had I left the car open. But I’m in favor of hanging on to my belongings. It’s that very attitude that should also make CTOs and IT professionals a little more vigilant when they are driving their metaphorical vehicles of client data and enterprise information around.


In fact, when more news hit the other day that Internet Explorer was not very secure (non-emphasis mine), I wondered why in the world anyone’s been using this product at all. It looks, from all details that have been released – here and in publications around the globe – that an infant could breach systems as long as they’re behind the IE wall.

Here’s an article from April that talked about how governments should abandon IE immediately.

And here’s a similar piece that came out this week touting how far IE has not come. Hackers have finally decided to make IE their whipping boy by sharing all its vulnerabilities in detail according to the Guardian.

What can you do? If I were on staff at a company and in the role of some C-level executive, I’d hold my vendor’s feet to the fire. Make it work or lose my business. How tough could that be? Trouble is, the options aren’t very numerous. Changing things is costly. And the ingrained pattern of apathy and ostriching is pervasive.

To wit, when have you ever met an IT department that suggested jumping to a new vendor and reworking all the existing systems because of a security flaw? That’s right, never. IT folks just wait for the next patch and figure things will be OK.

Well, if everyone had that attitude in the ‘real’ world, cars and houses wouldn’t have locks and we’d never need passwords for our online properties. How about waking up and thinking about business success before something bad befalls your company? Wouldn’t that be the smart thing to do – even if it means getting rid of IE?

I welcome your comments. See you with another column next week. Want to chat with me via video? Let’s do an interview. Find me on Twitter or leave a comment here. Maybe a future column will be our interview.

Thanks for reading!


July 23, 2014  4:58 PM

Chips no longer an option for protecting credit cards? What!?

Data, Data-security, protection, Security

I’m all for technology being incorporated into our lives. We use so many online networks to stay in touch with friends, colleagues and even the businesses with whom we interact. But the cost of sharing information with these audiences is often worth the payoff. ROI of sharing is enriched lives.


Then, as tech protections get better, we start to feel more secure and almost blasé about our movements. We use our tech gadgets frequently and without regular safeguards. Surfing the hotel Wi-Fi without engaging the VPN. Wijacking the signal from any open source near the coffee shop you’re sitting in. Grabbing a signal at the airport just to send an email.

Even the physical realm – where credit card and ATM skimmers are prevalent – seemed safer now that chip-and-PIN technology had been either implemented or planned. You could make purchases with impunity and didn’t worry about leaving your wallet in a taxi or getting pickpocketed. Kind of.

But then it happened. The chip and pin was thwarted. Whether it’s an urban legend or not – waiting for full confirmation – it made me check my pocket for my wallet. And it happened in Europe of all places!

Here’s the account as penned by colleague Robert Lemos here at TechTarget. In it he tells of a tale from 2011 when “unauthorized charges of more than $1,800 were made to his HSBC credit card, despite the fact that his card contained a security chip”.

That’s enough to make me wonder if we shouldn’t do a bit more testing before requiring the world to go in this direction. Remember, this is THREE YEARS ago and thieves were able to beat the system then. Maybe we’re in more trouble than we realize.

What do you think is the best way we can secure our personal finances? Go back to cash? Require retina scans? Voiceprints?

Until they figure this out, I’m keeping my valuables on a collar around the neck of my cat. As her tag says, “I’m a biter.” At least if my stuff gets stolen, the person who grabs it will leave a little blood behind.


July 16, 2014  3:30 PM

Controlling your IT Assets – Learn from the Supermoon

CIO, CTO, Data, IT, keys, Security

The Supermoon the other night got me thinking, “with great size comes great responsibility.” While reworked from a Spider-Man comic book quote, it’s a saying that rings true when you’re thinking about online presence and how you can best control your image, assets and team.


The business environment is increasingly run via online systems administered by your IT department and vendors. As this occurs, the amount of control CTOs and CIOs have is diminished because they can’t possibly know everything that’s happening under their corporate roof. To combat that, some firms tighten the reins and make it difficult for employees to do their jobs.

Witness marketing departments that need to wait a week before installing software; or sales teams that can’t visit customer sites with mobile workstations because they might not be secure if logged into outside Internet access.

Going the other route – and ceding control – is a scary proposition. Who knows what access is being given to contractors, admins, part-time employees and visitors? And with the news getting ever darker in terms of breaches and IT security incidents, we’re all prone to freeze up and not do anything for fear of muddying our own security.

In fact, in Dark Reading the other day, it was reported that more than 96 percent of organizations experienced a significant IT security incident in the past year. I think this figure is inflated. 96% of all companies? Probably a typo, but here’s the entire article. The piece I found more relevant and easier to swallow was that 39 percent of organizations experienced two events.

So, what are we to do? Be smart. Don’t give access to your facility or systems without fully vetting people. But then trust your vetting process so you can move on and be productive. Further, make sure your first line of defense – the IT team – is so well versed in provisioning and security procedures that you’d be comfortable stepping away from the office. A two-week untethered vacation shouldn’t be a stress-inducing proposition. You should be able to rely on the team you train when you’re not at the office.

What’s the main takeaway? As we get bigger, so do our problems. Only being careful with our property – both data and facilities – will help us continue to be successful.

Have you experienced a significant IT incident in the past year? Are you part of the 39% that has reportedly experienced TWO incidents? What have you done to respond and lock down your stuff?

I’d love to hear from you. See you next week.


July 8, 2014  1:42 PM

Keeping Your Data (and other) Doors Locked

Data, DDOS, doors, IT, keys, Security

The house next to mine is being broken into as I write this. Seriously. Some guy with a ladder walked around the entire house and then chose a window to enter through and set up the ladder and started to climb. Only when I emerged from my house – after taking photos of him and his pickup truck – and walked out onto my back deck did he pause.

“I’m looking at this house for some people,” he said.


I just nodded. After a period of silence, he came down the ladder and moved – with it – to the side of the house where I couldn’t watch him. I went back to my computer and kept an eye on the house.

Then the realtor showed up and explained that the man was there to do a home inspection and I had nothing to worry about. In fact, I had a lot to worry about. Especially how easy it would be for masked men with ladders to breach any of the houses around me – or even mine.

Which makes me think about our lines of defense as homeowners and as data caretakers. If this guy with the ladder were a thief, would he have started in a place out of view? Would he have discovered a hide-a-key or other method of entry? Would he have been successful in breaching the defenses and borders of the home next door?

It was very likely. I didn’t see anyone else in the neighborhood challenge him. I didn’t see anyone else take note of his truck or license plate. When it comes to securing your facility and data, you probably have to take the same approach. It falls to YOU to make sure your doors are shut and locked and your client and corporate data is secure.

But then I thought about another scenario. What if I were the person with the ladder trying to access my own home? How much security would be daunting? What safeguards would I have in place so I could gain access in an emergency?

The same thoughts should go through your head when you’re securing the corporate assets. Is there a way in that only an inside circle of people know about? Is it foolproof and based on clear identity processes? Could someone pretending to be you get inside?

In the same way a key under a rock is pretty insecure, you don’t want to set up a simple gauntlet for thieves to traverse. You need something that’s secure and convenient at the same time. As our system passwords are familiar yet complex, you should do the same thing with your door key and building access.

Here at home our system is to leave keys with neighbors and relatives. In a pinch, it takes some effort to get the key and enter the house, but it isn’t a process a thief would be able to do. At your organization, give the keys to a trusted department head in the form of an encrypted document. Or mail yourself access instructions – encoded of course – in the case of a system malfunction or attack where you need to get in through your own back door.

Further, having a set of physical keys to your facilities held with various trusted employees or locked up at a second facility is a method that can ensure you get access without too much hoop jumping.

If it were easy to breach our systems and crash through our front doors, it would happen more frequently. The trick is finding a way to secure your business and data so if you get locked out you can get back in without too much fuss.

What are your tricks for securing your home? Key in the grill, key on the dog’s collar, stuck behind the door knocker (a thief is probably not knocking), attached to your wind chimes?

Then, what methods are you using to keep your company secure but accessible?

I’d love your comments! See you next week!

