My MINI Cooper is parked in a garage. In the car is a pile of coins that if counted would amount to $34, probably. That’s why I locked the doors, hid the coins, parked in sight of the lot attendant and ensured that nothing else of value was in view of passersby.
Paranoid? Maybe. For $34 I probably couldn’t pay to replace the smashed window that might result had I left the car open. But I’m in favor of hanging on to my belongings. It’s that very attitude that should also make CTOs and IT professionals a little more vigilant when they are driving their metaphorical vehicles of client data and enterprise information around.
In fact, when more news hit the other day that Internet Explorer was not very secure (non-emphasis mine), I wondered why in the world anyone’s been using this product at all. It looks, from all details that have been released – here and in publications around the globe – that an infant could breach systems as long as they’re behind the IE wall.
Here’s an article from April that talked about how governments should abandon IE immediately.
And here’s a similar piece that came out this week touting how far IE has not come. Hackers have finally decided to make IE their whipping boy by sharing all its vulnerabilities in detail according to the Guardian.
What can you do? If I were on staff at a company and in the role of some C-level executive, I’d hold my vendor’s feet to the fire. Make it work or lose my business. How tough could that be? Trouble is, the options aren’t very numerable. Changing things is costly. And the ingrained pattern of apathy and ostriching is pervasive.
To wit, when have you ever met an IT department that suggested jumping to a new vendor and reworking all the existing systems because of a security flaw? That’s right, never. IT folks just wait for the next patch and figure things will be OK.
Well, if everyone had that attitude in the ‘real’ world, cars and houses wouldn’t have locks and we’d never need passwords for our online properties. How about waking up and thinking about business success before something bad befalls your company? Wouldn’t that be the smart thing to do – even if it means getting rid of IE?
I welcome your comments. See you with another column next week. *Want to chat with me via video – let’s do an interview. Find me on Twitter or leave a comment here. Maybe a future column will be our interview.
Thanks for reading!
I’m all for technology being incorporated into our lives. We use so many online networks to stay in touch with friends, colleagues and even the businesses with whom we interact. But the cost of sharing information with these audiences is often worth the payoff. ROI of sharing is enriched lives.
Then, as tech protections get better, we start to feel more secure and almost blase about our movements. We use our tech gadgets frequently and without regular safeguards. Surfing the hotel Wifi without engaging the VPN. Wijacking the signal from any open source near the coffee shop you’re sitting in. Grabbing a signal at the airport just to send an email.
Even the physical realm – where credit card and ATM skimmers are prevalent – seemed safer now that chip and pin technology had been either implemented or planned. You could make purchases with impunity and didn’t worry about leaving your wallet in a taxi on getting pickpocketed. Kind of.
But then it happened. The chip and pin was thwarted. Whether it’s an urban legend or not – waiting for full confirmation – it made me check my pocket for my wallet. And it happened in Europe of all places!
Here’s the account as penned by colleague Robert Lemos here at Tech Target. In it he tells of a tale from 2011 when “unauthorized charges of more than $1,800 were made to his HSBC credit card, despite the fact that his card contained a security chip”.
That’s enough to make me wonder if we shouldn’t do a bit more testing before requiring the world to go in this direction? Remember, this is THREE YEARS ago and thieves were able to beat the system then. Maybe we’re in more trouble than we realize.
What do you think is the best way we can secure our personal finances? Go back to cash? Require retina scans? Voiceprints?
Until they figure this out, I’m keeping my valuables on a collar around the neck of my cat. As her tag says, “I’m a biter.” At least if my stuff gets stolen, the person who grabs it will leave a little blood behind.
The Supermoon the other night got me thinking, “with great size comes great responsibility.” While reworked from a Spiderman comic book quote, it’s a saying that rings true when you’re thinking about online presence and how you can best control your image, assets and team.
The business environment is increasingly run via online systems administered by your IT department and vendors. As this occurs, the amount of control CTOs and CIOs have is diminished because they can’t possibly know everything that’s happening under their corporate roof. To combat that, some firms tighten the reins and make it difficult for employees to do their jobs.
Witness marketing departments that need to wait a week before installing software; or sales teams that can’t visit customer sites with mobile workstations because they might not be secure if logged into outside Internet access.
Going the other route – and ceding control – is a scary proposition. Who knows what access is being given to contractors, admins, part-time employees and visitors? And with the news getting ever darker in terms of breaches and IT security incidents, we’re all prone to freeze up and not do anything for fear of muddying our own security.
In fact, in Dark Reading the other day, it was reported that more than 96 percent of organizations experienced a significant IT security incident in the past year. I think this figure is inflated. 96% of all companies? Probably a typo, but here’s the entire article. The piece I found more relevant and easier to swallow was that 39 percent of organizations experienced two events.
So, what are we to do? Be smart. Don’t give access to your facility or systems without fully vetting people. But then trust your vetting process so you can move on and be productive. Further, make sure your first line of defense – the IT team – is so well versed in provisioning and security procedures that you’d be comfortable stepping away from the office. A two-week untethered vacation should be a stress-inducing proposition. You should be able to rely on the team you train when you’re not at the office.
What’s the main takeaway? As we get bigger, so do our problems. Only being careful with our property – both data and facilities – will help us continue to be successful.
Have you experienced a significant IT incident in the past year? Are you part of the 39% that has reportedly experienced TWO incidents? What have you done to respond and lock down your stuff?
I’d love to hear from you. See you next week.
The house next to mine is being broken into as I write this. Seriously. Some guy with a ladder walked around the entire house and then chose a window to enter through and set up the ladder and started to climb. Only when I emerged from my house – after taking photos of him and his pickup truck – and walked out onto my back deck did he pause.
“I’m looking at this house for some people,” he said.
I just nodded. After a period of silence, he came down the ladder and moved – with it – to the side of the house where I couldn’t watch him. I went back to my computer and kept an eye on the house.
Then the realtor showed up and explained that the man was there to do a home inspection and I had nothing to worry about. In fact, I had a lot to worry about. Especially how easily it would be for masked men with ladders to breach any of the houses around me – or even mind.
Which makes me think about our lines of defense as homeowners and as data caretakers. If this guy with the ladder was a thief, would he have started in a place out-of-view? Would he have discovered a hide-a-key or other method of entry? Would he have been successful in breaching the defenses and borders of the home next door?
It was very likely. I didn’t see anyone else in the neighborhood challenge him. I didn’t see anyone else take note of his truck or license plate. When it comes to securing your facility and data, you probably have to take the same approach. It falls to YOU to make sure your doors are shut and locked and your client and corporate data is secure.
But then I thought about another scenario. What if I were the person with the ladder trying to access my own home? How much security would be daunting? What safeguards would I have in place so I could gain access in an emergency?
The same thoughts should go through your head when you’re securing the corporate assets. Is there a way in that only an inside circle of people know about? Is it foolproof and based on clear identity processes? Could someone pretending to be you get inside?
In the same way a key under a rock is pretty insecure, you don’t want to set up a simple gauntlet for thieves to traverse. You need something that’s secure and convenient at the same time. As our systems passwords are familiar yet complex, you should do the same thing with your door key and building access.
Here at home our system is to leave keys with neighbors and relatives. In a pinch, it takes some effort to get the key and enter the house, but it isn’t a process a thief would be able to do. At your organization, give the keys to a trusted department head in the form of an encrypted document. Or mail yourself access instructions – encoded of course – in the case of a system malfunction or attack where you need to get in through your own back door.
Further, having a set of physical keys to your facilities held with various trusted employees or locked up at a second facility is a method that can ensure you get access without too much hoop jumping.
If it were easy to breach our systems and crash through our front doors, it would happen more frequently. The trick is finding a way to secure your business and data so if you get locked out you can get back in without too much fuss.
What are your tricks for securing your home? Key in the grill, key on the dog’s collar, stuck behind the door knocker (a thief is probably not knocking), attached to your wind chimes?
Then, what methods are you using to keep your company secure but accessible?
I’d love your comments! See you next week!
Sometimes the daily grind of log management, provisioning personnel and staying on top of IT security issues is just too much. You need a break to relax by the pool and sip an iced tea in the summer sunshine. Well, don’t we all. That’s not reality though. Without careful and constant vigilance, hackers, thieves and ne’er do wells will be taking our data and other valuable property.
But it is summer, so instead of giving top tips to secure your data center or the best ways to lock down your IT infrastructure, I wanted to share a few articles on security I found around the Web. They make nice reading for a lounge chair if you do make it to the beach or pool. And if you’re stuck in the office over the July 4 holiday weekend, these articles are perfect for coffee-break reading.
First up is something I saw over on CNET. Microsoft has finally provided some visibility into its efforts to make Webmail safer. In this article, the author describes how Transport Layer Security encryption works. Across many Microsoft mail clients, the encryption is supposed to thwart breaches and hacks better than in the past. What’s your take?
Here’s a snippet from the article…
“This means it will be significantly harder for email originating from and being sent to a Microsoft account to be spied on, as long as the connecting email service also uses TLS.”
Next in your reading list is something a bit more mainstream and fun. Celebrities are as paranoid as ever, but it’s probably smart for IT and business folks to follow their lead. Essentially, be aware of everything going on around you and beef up your corporate security measures if you have any fear of breaches or attacks.
Lastly, in another piece of Windows news, the war on ‘no-IP’ addresses is heating up. The Register says Microsoft has started to fight back against sites that use the ‘no-IP’ protocol. Without an actual IP address tied to transmissions, messages, emails and so forth, it’s harder to track where materials (mostly malware) originates.
Read the article on their stance and how the security community and government are responding. On one side, it’s nice to have an anonymous protocol. On the other hand, if we can do away with malicious attacks, is this blow to address-free IPs worth it? You decide.
As discussed in my column last week, please send me ideas for topics you want to read about. I’d like to delve deeper into security issues that you face regularly. And I’m always open to doing interviews with experts on your staff – just leave your info in the comments.
Thanks! See you next week.
One of my regular soapbox topics is the ease with which facilities can be breached. And if you can get in the door of an organization, it’s relatively easy to get into doors within the building and wreak havoc with systems, data, physical and intellectual property and the livelihood of the business.
It’s also pretty simple these days to set up a first line of defense to keep interlopers at bay. Once caveat is that security staff and IT should work in concert to maintain high levels of security when it comes to access to facilities and systems.
Why am I thinking of this on a gorgeous summer day? The Fake ID season is upon us. That’s right, fake IDs are a huge business all over the nation. This time of year, with students graduating high school and headed away to college, buckets of money are made in the sale of fake IDs. And if crooks in towns from Albuquerque to Zion can create IDs that fool police departments, what’s to keep this technology for opening the doors to your company?
Here’s the story of the burgeoning – and highly sophisticated – fake ID trade in a town just south of Boston, MA. In this case, the IDs are so well made that police came up with a key to assist bars and liquor stores in detecting the fakes. Take a look at the minute details that are incorporated in the IDs to make them so effective. (Screenshot of the ID image on the Canton, MA Police FB page)
What’s the solution? There are a few routes you can go to lock down your data and building.
First, take provisioning seriously. Maintain a database that accurately documents who is allowed on your campus and in your buildings. Make sure that HR and all relevant departments keep this list updated so your security team can keep unwanted people out of your facilities.
Next, make sure only the people who require access to systems have it. Don’t allow individual staffers to be administrators on their own workstations as that opens security holes all over the place. While it might be time-intensive to send an IT person to install software and change passwords for each employee, it is the best way to keep all employees on the same access level. It also keeps your internal machines safe.
Do a full vetting of your IT staff – perhaps this should be step one. This way you know who you can trust and who’s working for you before you give them keys to the city. Once cleared, this is the security force that keeps your critical information safe.
Finally, never let your guard down. Just as the IDs have gotten better for underage drinkers, so too have the ways in which criminals are trying to tear down your walls. Breaches are going to occur. Make sure they don’t happen because of something or someone you overlooked and unwittingly let into your business.
Be safe out there. Talk to you next week!
I’m not sure I ever did a ‘welcome’ to the blog post when I first started working for Tech Target and putting my columns on security, data breaches, log management and more out into the ether. This post serves that purpose. I want to say hi, introduce myself a bit more, ask you some questions and then get on with the business of reporting on security events and sharing my opinions and guidance as it pertains to keeping your sites and facilities safe.
Me – 22+ years as a professional journalist, technology correspondent, food and travel writer and more. I continue to freelance and provide columns to myriad organizations and outlets. And I enjoy every minute. If I can talk conversationally to an audience that wants to open their mind, then I’m thrilled. You can find my other writing at JeffCutler.com - enjoy.
As far as this security stuff is concerned, I’m as freaked out as you. Every day some business or entity has its database hacked or systems taken down. We’re seeing new ways in which we can lose money and information. And there are no clear-cut answers in an environment where we need to stay connected to be successful. I’ve done a lot of writing on the pragmatic approach to keeping your stuff safe. I’m still learning some of the intricate database protection methodology, but most of this comes down to common sense.
If you want to keep your stuff safe, keep it away from the bad guys!
All that shared, let me know if there are current events you want covered or expounded upon. Tell me who I should reach out to and interview – videos are lots of fun and I love sharing that type of content with you. Maybe you even want to do Q&A type posts with me. If so, send me your questions and we can try to make that a regular feature.
Whatever the case and whatever the course, I’m here for you. Make use of the blog and learn from me. Tell me how I can help and we’ll both be happy going forward.
Thanks for reading. See you next week.
To assist readers in understanding different scenarios, I often provide examples that harken back to life at home. I’m not literally talking about leaving your doors at the office open. I’m alluding to the practice of leaving sites and systems unprotected.
We’re not living in 1950. Back then, houses were often left unlocked and our car keys remained in the most logical place, the car. Crime might have been just as bad, but we heard less about it because social media had 60 years to take hold. Businesses only had to worry about paying protection money to the local mob.
Now, we’re locking our homes with keypad security and double bolts. We’re encrypting our data with hashes that are innumerable digits in length. And we employ special forces-level security at the door to our cafeterias.
Is it paranoia? Not in all phases. Perhaps it’s silly to lock down the vending machines at your office in the same way you protect your CRM system, but that’s for you to decide. Essentially, the value of our ‘things’ and data hasn’t changed that much in relative terms over time. What has changed is the potential gain or loss if we experience a breach in either physical or virtual terms.
What’s the process, then, for behaving rationally and intelligently in 2014? It’s three-fold.
First, know what you have and the value it has to your organization and your customers. This includes data that might be proprietary and likely target for theft.
Second, know how well protected you are in all phases of your operation. Do you have 24-hour security at your facilities or are they only ‘protected’ during work hours? What access do you provide to contractors and visitors? How do you provision employees as they require access to different systems?
Third, keep your eyes and ears open. Seeing something and saying something has begun to sound tired. But if you’re vigilant and use common sense – and some intuition – you’ll know when something isn’t right. Even when you’re looking at data logs or talking with folks around headquarters.
Lock your doors and keep the keys in a safe place. Be smart about your data and building security. Because the best line of defense is the one you don’t need to use. Nobody is going to be breaking down your door or cracking your systems if you’re vigilant in observing all your property – physical and electronic.
I took my car in for service the other day because the electrical system was acting up. No, not under warranty. Cost $1000. But that’s neither here nor there. The real discussion point here is that our vehicles are now so sophisticated they might be dangerous. What if the electrical system issue was because of a DDOS attack?
Witness, for a second, the current lawsuit between GM and lots of families who were affected (or killed) when the ignition allegedly failed in such a way that the drivers lost control of their cars. If that could happen, what might occur if dastardly fiends took over your vehicle with the intention of harming you?
It could happen.
According to a recent piece by Jose Pagliery in CNN Money, your car can easily (sort of) be hacked. In the article, Pagliery says, “Consider the level of complexity of modern day cars — and the chance for a screw up. The space ship that put humans on the moon, Apollo 11, had 145,000 lines of computer code. The Android operating system has 12 million. A modern car? Easily 100 million lines of code.”
While a lot of the possible nefarious access to your car is either hands on – meaning crooks need to be in your vehicle – or within bluetooth range, so I’m not thinking that masterminds in their parents basements are planning to crash cars all over the place. But it certainly makes you think about the ways in which access to your data and your systems can be compromised. Especially if your firm has a fleet of vehicles, measures profits and productivity via GPS or other systems in your trucks, or if your business is something like product delivery.
What would you do if someone took over the controls to your car or your company’s vehicles?
The other day, I was asked by a friend of mine to do some work for him. The work was right in my wheelhouse – professional content creation – but the sticking point was he didn’t want to pay me. This led to a whole discussion over what anyone’s time is worth and why the most skilled at a job have to charge more because they are more efficient in their process.
How’s this relate to security? Simple. If you’re a skilled IT pro and know what to look for, you can keep your data secure and your logs analyzed faster than someone unfamiliar with your industry or the security-protection field.
But how do you convey this information to colleagues, folks in the C-suite and clients without sounding like a complete donkey and losing their respect? The same way I presented my argument to my friend. You do a few things that make it clear that the skills and methods you use are worth the investment.
First, explain the landscape as best you can. In security, your primary goal is to keep the enterprise running and secure. That’s it. When you lay that objective on the table, you’re letting others know what drives you and that you understand your role.
Next, use past experience and even case studies to illustrate your breadth of knowledge and skill set. As a content guy, I brought up the multiple assignments I’ve had to create content for news organizations, Fortune 100 companies and even small businesses like his. As a security pro, bring up your success stories.
There’s no need to craft an oscar-award-worthy diatribe about how you saved civilization, but you should be slightly unabashed about your successes. Talk about a particular breach that didn’t happen because you understand what to look for when performing log management. Give a glimpse into how you decided to hold credentials back from a person and how they subsequently were found to be a security risk.
You can even provide insight into how you work with HR and departments to provision existing staff so that systems remain secure while increasing productivity. Everyone has stories of success in their chosen field – just identify yours and use them to justify your existence and budget.
Finally, explain that your role is vital – but only as one facet of the entire organization. While you might provide a secure platform on which the company conducts business, performs experiments or manages client assets, it’s a team approach. Make it clear that your interests lie in the same direction as anyone coming to leverage your services.
Once you’re at that point, it makes it much easier to make an argument for more resources, budget, salary and support. Stand up for yourself and your department – security isn’t easy. Like I told my friend who said he could just go take some photos instead of hiring me, “you’ll get exactly what you invest.”
Be secure out there. See you next week!