Here at ITKE we’re trying to enrich your experience and create even more relevant discussions. Therefore, I’m moving my posts over to the Security Corner blog for a bit to see if the additional posts and fun stuff that’s coming in from Ken Harthun make you smile.
Find both of us over there for the time being – we’re excited to hear from you!
I like to point out that it’s not paranoia if everyone is actually gunning for you
Yesterday I was Dr. Decadent and watched TV during the day. Yep, my wife wasn’t happy with me and the cats were very confused. But the folks who pay me for security expertise and content were very pleased. You see, I was watching a recent NOVA program during which the subject of paranoia was the focus.
Realize that paranoia can be destructive, controlling and negative. It can destroy trust and mislead you. But paranoia – as presented during this show – can also direct some very powerful self-preservation forces for both individuals and businesses.
For instance, when Stuxnet was developed (by who knows whom) it would have served entire countries well to harbor a little paranoia over computer software. And in the NOVA episode, we’re taken on a cool journey of both math and science. With that dash of paranoia.
My take on the value of paranoia is it keeps us vigilant. It makes us close and lock the doors to our house. It prompts us to ‘beep’ our car when we’re parked in the city. It spurs us to change our passwords regularly (the regular warnings from IT also help in this regard). And paranoia actually keeps us grounded.
I urge you to see if you can find the NOVA episode on-demand, online or via a streaming service. Then take a careful look at your security patterns. Are you being paranoid enough when it comes to locking down your personal and professional properties, data and facilities?
In many cases, I think we could all do more. *My blog Things to Worry About in no way led me down this path of paranoid ranting. Really. See you next week. I’ve got an announcement and some cool new ideas to share with you!
Earlier this week I sat down with Kara Sassone of Northeastern University to talk about ID badges and security. Here’s the interview. What’s your take on the hassle ID badges present? Do you think there are better solutions for keeping our facilities and workplaces secure?
I’m typing this from Gate 16 at the Nashville airport. After spending a week here in the south, I’ve been able to amass information on a variety of security issues that you’ve probably faced. I want to share them with you here and find out your thoughts.
Hotel security observations…
Regardless of where you’re staying, the way to get around hotel security systems is to act like a tourist while paying careful attention to the inner workings of the facility. From gaining access to rooms being cleaned to pilfering food and goodies from onsite conferences, it’s relatively easy to thwart the system.
Not that I’d do any of these things, but hypothetically there were opportunities for me to enjoy a breakfast; obtain a stuffed animal and other goodies from trade-show booths; take a nap in a room that was being cleaned; snag a tasty Häagen-Dazs ice cream bar; and collect 47 soaps from various carts around the hotel.
My sole interaction with hotel security came when I somehow short-circuited my in-room safe and had to have them come crack it. You realize, they don’t do anything more than plug in something resembling a fat thumb drive (with different connectors) and voilà, the safe is open.
Essentially, if you’re in a hotel you have to put your trust in the staff and keep an eye on your belongings. There’s no real way to keep your stuff safe outside of keeping it with you or leaving it at home.
Let’s talk about Apple Computer…
The tech giant (and lifestyle company if we want to be truthful) just had their major fall press conference. There, they announced two new iPhone models and an Apple Watch. The debut of these items is cool, but the two surprising things that happened – or didn’t occur – during the press conference tell more about the future of tech security.
First, Apple made no mention of the iOS security breaches that allowed hundreds of risqué photos to be seen by the world. They didn’t promise to beef anything up. They didn’t say there was an update coming. What this tells me is that Apple has the same mindset I do – that people do not adequately secure their data.
Second, Apple’s feed hit some snags during the press conference. My guess, before the full report comes out, is that hackers were having some more fun with Apple…trying to prove that nothing is safe. We’ll find out if the glitch was really just that or if it was caused by nefarious forces.
Now, how about that TSA?
In Nashville, there are large bags with instruments in them being carried everywhere. I’ve been at the airport for about an hour so far and I’ve heard three announcements (in my terminal) of guitar cases and backpacks being left behind. That’s not something that would be tolerated elsewhere. Think of the security risk airlines face if packages the size of a bass or guitar were left unattended.
Also, I’m against the insanity of TSA Pre-check in a location where the security line is only about 10 minutes from start to finish. Today, I watched as scores of people went into the Pre-check line – and it took many of them longer than the regular line to get into the gate area. Why have this security process in place if it’s not really providing a benefit? Maybe a better thing to do is make it contingent on the number of people flying and time of day.
I don’t purport to be able to fix everything, but these are the security topics I’m thinking about this week. What’s on your mind?
AND, be sure to join me and a bunch of my colleagues next week when we conduct a Twitter security chat on Thursday, Sept. 18. For more details, see the ITKE Twitter feed – @ITKE.
Thanks for reading!
It’s been a wild week. Each time I had this column ready to post, something else happened in the security world and I had to rewrite this thing. From naked photos of celebrities on iOS cloud servers to a purported breach of credit card data at Home Depot, I think we’ve finally gotten a handle on the week’s news. So let’s jump in and discuss this mess.
First, if you are not familiar with cloud computing and how applications back up your data…THEN DON’T USE THEM. While most folks are railing on about this being a travesty of justice and a perverted crime, I see this as a failing of common sense. Let’s put this in better perspective and pretend the data stolen or shared was something as simple as a document.
When you think of these photos as snippets of data, then you can detach yourself from the ‘sex’ component of the crime and look at it as an example of user error when it comes to understanding data security and backup. Am I right? If you believe that any piece of your data is safe when transmitted over the Internet, then you’re missing some common sense.
As the pundits have said, this is a boon for the camera manufacturers who were insanely worried about making their future models wifi-enabled and fully connected. Now they don’t have anything to fear from mobile phone camera users because everyone is going to stop sharing their stuff online. Right? Wrong!
You know why? Because many people have the common sense to at least know how online backups work, how secure they are, AND to not share invaluable items on an inherently insecure network.
OK, enough sex photo soapbox for today. In other news, it has been reported that Home Depot had a credit card breach that might rival those at Target and other stores. Should this surprise us as much as the sex photo thing did? Again, no. But we should be more concerned about this because it affects the financial viability of a system we all use every day.
So, until these breaches stop happening so fast and furiously, I’d advise using dollar coins or some other method to pay for goods and services. Do this for two reasons. 1 – we don’t quite have the chip and pin technology nailed yet. 2 – dollar coins are hard to counterfeit and the return on counterfeit coins is low.
That’s today’s lesson. I hope next week has less excitement and more solutions for our security-starved world. Got thoughts on this week’s events? Leave me a comment.
Fantasy Football drafts are about to take place, students are moving back to school, vacation travel is being wrapped up, and lots of financial, life, leisure and family information is being shared. That’s an environment that reeks of security risks and is probably making lots of hackers lick their chops. Therefore, I’d like to share a few news tidbits and my thoughts as this last post of the summer here on Security Keys.
First off, if you’re shipping kids off to college and still want to take a little vacation you might want to look at Suits and Spooks in London September 12. The gathering is called a “unique, limited attendance cyber security event” that takes place at venues all over the world a few times each year.
From their site:
“Each event draws thought leaders and decision makers from the public, private, defense, law enforcement and intelligence sectors who come to learn about and discuss some of the key security challenges which face our digitally connected nation and world.”
The information on the conference came across my desk as more breaches are being reported, especially in the banking and financial world. Which then led me to think about our access to information and the amount of buzz each data breach or security event gets. To wit, in the 1950s, if you lived in Philadelphia you might not hear about California events unless they were earthquake-esque. Our data infrastructure now has us whirling about daily because there are constant reports of hackers and thieves grabbing all our stuff.
But are these reports real or are we now jumping at shadows?
An article in Security Week puts a little doubt in my mind about the number of breaches that have been reported. In fact, JP Morgan Chase is working with the FBI to actually see if all the reports of financial data attacks actually took place. While this might be a good wake-up call for institutions, I hope it doesn’t result in complacency if there turn out to be a significant number of fabricated reports. We still need to be vigilant about keeping our doors and windows closed.
Which makes me share this third item – a definition – from Techopedia. For a while I was wondering what malvertising actually meant, because most advertising is created with some sort of goal in mind. In this case, it’s actually code hidden within online ads that are served on sites that are less than secure. Then, when people click on the ads or somehow activate them, they infect computers, systems and entire organizations, leaving them vulnerable to other attacks.
I’m not sure I’ve clicked on an online ad yet, so I’m hoping my laptop is still free of infection.
That’s it from here. Have a secure week and a great holiday. See you next week!
One of the hats I wore before jumping into my role as freelance writer was as an employee of a rehabilitation facility. This rehab – for physical injuries and ailments – was a small player in the huge sea of hospitals and provider companies. To that end, their systems were hardly interconnected, networked or even digitized. Patient records were stored in a room across from my office and they were walked around the building by doctors, rehab clinicians and even non-medical personnel.
While it wasn’t a secure process as any one of the people holding a file could dash away with it, the danger was far less than it is today. Now, our records – both financial and health-specific – are online and accessible to anyone who has a key. And the number of people with keys is growing.
Take the latest breach of patient information at Community Health Systems. The incident affects data for 4.5 million patients. Read more details here in the Tennessean. The company is concerned for its data and reputation, and also for the industry, as healthcare incidents are growing.
From the article…
While the attack certainly generates negative publicity for the company, CHS says it has insurance for this type of problem. “While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities,” the SEC report said, “at this time, the Company does not believe this incident will have a material adverse effect on its business or financial results.”
The breach is a relatively large one for the health care industry, according to BitSight’s Turner, who added that CHS seems to be communicating about it appropriately.
Criminal attacks on health care companies have become common, according to a March 2014 report by data security research firm the Ponemon Institute, which said those types of hacks have risen 100 percent since the company completed the first study in 2010. Furthermore, the study said, about 90 percent of the facilities surveyed had experienced at least one data breach within the past year.
In this case, the hack came from China and short of keeping systems sandboxed or upping the security protocols, there’s not a lot CHS could have done. Though in my mind, they should have done both. How widely available do medical records and financial pieces of medical records need to be? Who should have access at any one time to this stuff? And why?
Yes, if a person is injured and can’t provide information to healthcare professionals in an emergency, it’s vital to have that information accessible. But isn’t it time we found a way to protect the huge packages of info that travel along with each of us? You might need to know what I’m allergic to, but you don’t need to know I paid my co-pays with my Discover Card. And you certainly don’t need to know other financial information to provide life-saving care.
I’m wondering where so many healthcare (and other) companies have stored their common sense. It surely wasn’t with their medical records or else we’d be seeing lots more of it.
Like many readers, I live and work near a major metropolitan area. Crime is on our minds more as a way of life as opposed to a life-trajectory-affecting force. Therefore, the issue of car break-ins isn’t one we focus on. City dwellers just know to keep valuables out of sight.
If you leave an iPod or change purse on the seat or dash, you’re begging for a smash and grab. Similarly, if you don’t secret away your briefcase or duffel bag, your car is going to be a bit lighter or completely destroyed when you return.
That’s well and good for keeping small items safe in a parked car – how does it relate to when you’re trying to keep your business safe?
The analogy is perfect when it comes to IT security: keep your valuables (data and access to systems) out of sight. But it’s a balancing act. How can you provide complete access to vendors, customers and staff if you also have to keep things locked down? Further, if you want some buzz and SEO return, you’re going to need to have some presence online so folks can find you.
That’s just it, though. You want to be found and you want to be secure. The steps work this way. Keep your stuff in different locations. For systems you rely on to conduct business, put them on one server. Like hiding your leather jacket in the trunk of the car. You still have access to it, but it’s not out there in the open.
Same goes for CRM systems, other databases, proprietary apps and software, and other valuables. Once IT can make a clear decision over who gets to see what, things are easier to control. A side challenge is the organization where myriad groups are given permissions to read data but not write to it.
The solution there is to mirror the data daily and then sandbox it so it’s only a document and not a complete doorway into the information. Though it sounds simple, the challenges IT folks run into on a regular basis could (and do) fill many textbooks.
Next week we’ll have an interview with one of those IT pros. Remember to hide your stuff! See you next week.
Guess what has two thumbs and just got a check for a project he finished? Oh, yes. This guy.
You know what’s wrong with this picture…other than the goofy grin and movie-star good looks? Yes, the check I got was a mistake. I did some writing for them, but the accounts payable team at my client’s office paid me twice. I’m currently figuring out the process for returning the check and getting a new one cut.
But that’s not the issue. The real problem is security-based. If it’s a piece of cake for someone like me to breach systems and get paid multiple times for a job I only did once, how tough could it be for a hacking cartel to find their way into that system? Furthermore, if this is happening on a broader scale, maybe our entire economy is at risk.
While it’s not as scary as someone hacking into NASDAQ or the NYSE, it still is private money and that’s got to come from somewhere. In the case of my double check, or double payment, the slip-up happened because of emails and bad record-keeping. The department for whom I did the work followed protocol when I sent in my estimate and forwarded that estimate to accounts payable. When I completed the project, I sent in an invoice using the purchase order number issued to me.
Somewhere along the line, A/P started the payment process with the knowledge that the project was underway and monies would be paid out. Then, when a ‘second’ invoice (they must have treated the estimate also as an invoice) came in, they added that to the same purchase order and cut a check.
Fixing this would simply require a database that can compare invoice numbers and dates and other possible duplicate fields. On my check (look at me calling it my check even though I’ve got to return it), there is a department-generated invoice number created by the computer and then an invoice number that corresponds with the invoice I supplied.
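The comparison described above can be expressed as a handful of checks over the payables ledger. What follows is an added example, not code from the client’s accounts-payable system or from the original column: a small SQLite ledger with a constructed purchase-order and payment table, three after-the-fact audit queries (an estimate that got paid, purchase orders paid beyond their authorized amount, a vendor document number keyed twice), and a pre-payment gate that refuses a new payment for any of those reasons before a check is cut. The table layout, vendor names, PO numbers and amounts are all assumptions chosen to mirror the double-payment story.

```python
"""Duplicate-payment controls for an accounts-payable ledger (illustrative only)."""
import sqlite3

# Assumed schema: one row per purchase order, one row per payment made against it.
SCHEMA = """
CREATE TABLE purchase_orders (po_number TEXT PRIMARY KEY, vendor TEXT, authorized REAL);
CREATE TABLE payments (
    payment_id    INTEGER PRIMARY KEY,
    vendor        TEXT,
    po_number     TEXT,
    vendor_doc_no TEXT,   -- the number printed on the vendor's own document
    doc_type      TEXT,   -- 'invoice' or 'estimate'
    amount        REAL,
    paid_on       TEXT
);
"""

# Constructed sample data. PO-1001 was paid once on an estimate and again on the
# invoice; PO-1002 had the same vendor invoice keyed twice; PO-1004 is still open.
PURCHASE_ORDERS = [
    ("PO-1001", "Writer LLC", 18000.00),
    ("PO-1002", "Supplies Co", 250.00),
    ("PO-1003", "Writer LLC", 5000.00),
    ("PO-1004", "Supplies Co", 1000.00),
]
PAYMENTS = [
    (1, "Writer LLC",  "PO-1001", "EST-55", "estimate", 18000.00, "2014-07-01"),
    (2, "Writer LLC",  "PO-1001", "INV-55", "invoice",  18000.00, "2014-07-20"),
    (3, "Supplies Co", "PO-1002", "INV-9",  "invoice",    250.00, "2014-07-02"),
    (4, "Supplies Co", "PO-1002", "INV-9",  "invoice",    250.00, "2014-07-09"),
    (5, "Writer LLC",  "PO-1003", "INV-60", "invoice",   5000.00, "2014-07-25"),
]


def open_ledger():
    """Build the in-memory ledger from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO purchase_orders VALUES (?,?,?)", PURCHASE_ORDERS)
    conn.executemany("INSERT INTO payments VALUES (?,?,?,?,?,?,?)", PAYMENTS)
    return conn


def paid_estimates(conn):
    """Audit: payment ids whose supporting document was an estimate, not an invoice."""
    rows = conn.execute(
        "SELECT payment_id FROM payments WHERE doc_type <> 'invoice' ORDER BY payment_id")
    return [r[0] for r in rows]


def overpaid_purchase_orders(conn):
    """Audit: (po_number, total_paid, authorized) where payments exceed the PO."""
    rows = conn.execute("""
        SELECT p.po_number, SUM(p.amount), o.authorized
        FROM payments p JOIN purchase_orders o ON o.po_number = p.po_number
        GROUP BY p.po_number
        HAVING SUM(p.amount) > o.authorized
        ORDER BY p.po_number""")
    return [(po, paid, auth) for po, paid, auth in rows]


def repeated_vendor_documents(conn):
    """Audit: (vendor, vendor_doc_no, count) for documents paid more than once."""
    rows = conn.execute("""
        SELECT vendor, vendor_doc_no, COUNT(*) FROM payments
        GROUP BY vendor, vendor_doc_no HAVING COUNT(*) > 1
        ORDER BY vendor, vendor_doc_no""")
    return [tuple(r) for r in rows]


def approve_payment(conn, vendor, po_number, vendor_doc_no, doc_type, amount):
    """Pre-payment gate: None means the payment may proceed; otherwise the hold reason."""
    if doc_type != "invoice":
        return "document is not an invoice"
    if conn.execute("SELECT 1 FROM payments WHERE vendor = ? AND vendor_doc_no = ?",
                    (vendor, vendor_doc_no)).fetchone():
        return "vendor document already paid"
    row = conn.execute("""
        SELECT o.vendor, o.authorized, COALESCE(SUM(p.amount), 0)
        FROM purchase_orders o LEFT JOIN payments p ON p.po_number = o.po_number
        WHERE o.po_number = ? GROUP BY o.po_number""", (po_number,)).fetchone()
    if row is None:
        return "unknown purchase order"
    po_vendor, authorized, already_paid = row
    if po_vendor != vendor:
        return "vendor does not match purchase order"
    if already_paid + amount > authorized:
        return "payment would exceed purchase order"
    return None


if __name__ == "__main__":
    ledger = open_ledger()
    print("paid estimates:", paid_estimates(ledger))
    print("overpaid POs:", overpaid_purchase_orders(ledger))
    print("repeated documents:", repeated_vendor_documents(ledger))
    print("gate:", approve_payment(ledger, "Writer LLC", "PO-1001", "INV-55", "invoice", 18000.00))
```

Run stand-alone, the audit queries flag payment 1 (the estimate), both PO-1001 and PO-1002 as overpaid, and INV-9 as keyed twice; the gate call at the bottom is refused because INV-55 has already been paid. The gate is the part that matters in practice: an after-the-fact report finds the $36,000 once it has gone out, while the gate stops the second check from being cut at all.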
Is it earth-shattering? Will the company go under because they paid me $36,000 instead of $18,000? Is this a security breach on the level of the Target or Costco events? For all three questions the answer is no. But if there are issues with tracking money, accounts, invoices and vendors at this level, there likely are bigger issues behind the organization’s IT services and security.
Ultimately, I shared this story because it’s important to realize that issues at one level can indicate bigger issues at other levels and it’s bad business to wait until the walls fall down around you to start examining what you could have done differently. Treat business systems as if you own them – I’m talking to you finance and IT and any C-level executive – and you’ll have less to worry about at the end of the day.
In what ways have you seen little problems blossom into bigger ones at your firm or others? Share in the comments. Next week, I’ll have video content for you! Until then, be safe!
My MINI Cooper is parked in a garage. In the car is a pile of coins that if counted would amount to $34, probably. That’s why I locked the doors, hid the coins, parked in sight of the lot attendant and ensured that nothing else of value was in view of passersby.
Paranoid? Maybe. For $34 I probably couldn’t pay to replace the smashed window that might result had I left the car open. But I’m in favor of hanging on to my belongings. It’s that very attitude that should also make CTOs and IT professionals a little more vigilant when they are driving their metaphorical vehicles of client data and enterprise information around.
In fact, when more news hit the other day that Internet Explorer was not very secure (non-emphasis mine), I wondered why in the world anyone’s been using this product at all. It looks, from all details that have been released – here and in publications around the globe – that an infant could breach systems as long as they’re behind the IE wall.
Here’s an article from April that talked about how governments should abandon IE immediately.
And here’s a similar piece that came out this week touting how far IE has not come. Hackers have finally decided to make IE their whipping boy by sharing all its vulnerabilities in detail according to the Guardian.
What can you do? If I were on staff at a company and in the role of some C-level executive, I’d hold my vendor’s feet to the fire. Make it work or lose my business. How tough could that be? Trouble is, the options aren’t very numerous. Changing things is costly. And the ingrained pattern of apathy and ostriching is pervasive.
To wit, when have you ever met an IT department that suggested jumping to a new vendor and reworking all the existing systems because of a security flaw? That’s right, never. IT folks just wait for the next patch and figure things will be OK.
Well, if everyone had that attitude in the ‘real’ world, cars and houses wouldn’t have locks and we’d never need passwords for our online properties. How about waking up and thinking about business success before something bad befalls your company? Wouldn’t that be the smart thing to do – even if it means getting rid of IE?
I welcome your comments. See you with another column next week. *Want to chat with me via video – let’s do an interview. Find me on Twitter or leave a comment here. Maybe a future column will be our interview.
Thanks for reading!