Jeff Cutler's Keys to Security


May 15, 2014  2:31 PM

Saving Your Reputation after a Data Breach

Jeff Cutler Jeff Cutler Profile: Jeff Cutler

It’s common sense. When a data breach, hack or DDOS attack occurs, you are going to immediately look bad to your customers, clients and the rest of the world. Even if there was nothing you could have done to prevent the loss, you still better get on the stick and think about your reputation. Because things are going to happen FAST!

Screen Shot 2014-05-15 at 10.27.09 AM

For example, the first set of phone calls and emails you’re going to get if you’re the CTO or running the IT department are going to be from investor media outlets, journalists, the CEO of your own company, and the team in community and public relations. How do you respond? With speed, efficiency and accuracy.

But that doesn’t mean you respond to a breach and the associated reputation fallout without carefully thinking about your actions. And it certainly doesn’t mean you ever speak to anyone without having a strategy in place. Let’s look at a simple checklist of items to consider before a breach happens so you’ll be ready when it does occur.

1 – Coordinate with internal departments and your public information team. Then, tell the truth. If your plan of attack is to wait until the extent of the damage is determined, then say that. Tell audiences that you’re carefully reviewing the events and the attack and you’ll be ready to share information soon. This shows that you are being thoughtful and careful in your response to a bad situation.

2 – Notify stakeholders as appropriate. If your company is publicly held, you will have to confer with the legal and compliance teams to see what you have to disclose and when you have to disclose it. Information that affects the company’s status in the stock market is not something that should be treated lightly. One miscommuncation by someone in IT or even PR could sink your company.

Screen Shot 2014-05-15 at 10.28.43 AM

3 – Logistically, get all logs and other information leading up to and through the breach so your teams can evaluate them. Duplicate this information immediately so you’re working from backups. The information regarding a data breach is going to be requested by multiple departments and agencies depending on the extent to which your were compromised. Be sure you have multiple copies.

4 – Get all hands on deck to sift through information and to ensure you’ve buttoned up any holes. Continue your collaboration with management and PR to ensure the messaging you deliver through the entire process is consistent and appropriate.

5 – Learn from the attack. Prepare yourself to fend off similar attempt in the future. Allocate resources to build up defenses again and to train staff to be more vigilant.

After all that’s done, breathe a sigh of relief that you were prepared for the event and were able to handle them with aplomb. Your reputation is valuable to the future viability of your company, so treating it as you would any physical or monetary asset is critical.

How have you responded in times of crisis? How much interdepartmental activity did you experience at your firm? Should it have been higher? What role did PR play in repairing your reputation with the media and the public?

May 9, 2014  2:36 PM

Johnny Manziel and Security Awareness – Lessons from the 2014 NFL Draft

Jeff Cutler Jeff Cutler Profile: Jeff Cutler

The reason people use sports analogies in business and life is because they’re boiled down, easy-to-understand snippets of actions. I’ve been banging the drum of security awareness here for some time now, but the message of constant vigilance sometimes feels stale. Therefore, after watching dozens of college football players get selected to play for various NFL teams last night, I thought I’d use the draft as an example.

And Johnny Manziel as the lightning rod. Stick with me.

Screen Shot 2014-05-09 at 10.37.06 AM

We can all agree that to maintain a secure facility and data center, you need to know what’s happening within and outside of these areas. Knowing the landscape and the environment is paramount to making informed decisions on provisioning and breach remediation.

Further, we all have daily tasks on our calendars that seldom change. A routine, if you will, of security steps we all follow to ensure our IT team and the organization is protected and aware of access to systems and buildings.

Finally, when the environment changes suddenly and drastically, we go into crisis mode and react in the best way we can to the factors presented us. Whether those be a hack, a DDOS attack, a physical breach or something else. In all, we hope to be ready for everything.

That’s where the NFL Draft comes in. Last night, Johnny Manziel dropped 21 spots (at least in his mind) to be selected by the Cleveland Browns as the 22nd overall pick. The quarterback from Texas A&M was considered by many to be at least in the top 10 picks in the 2014 NFL Draft. He was also considered to be the best quarterback. That didn’t matter.

What occurred last night was the environment changed and Johnny Football dropped to a lowly 22 in the draft order. Similar to what happens in your data center if there’s a crash, or what happens in IT if there’s a breach reported, decisions had to be made on the fly.

I won’t bore you with too much inside football, but Johnny didn’t fit any of the needs of the first 21 teams choosing players. Once that was taken into account, anyone can look objectively at the draft environment and understand what happened. It just takes a little big-picture understanding.

To wrap this back to keeping your data and enterprise safe…you can only do so if you see the entire landscape. Who might want to target your systems? What areas would you try to breach if you were on the outside? Are there any blips or curious events happening in your daily logs? When you take the time to really look at – and then fix – any issues, you’ll be keeping your facility and information more secure and efficient.

How do you use log management to make security decisions at your company? What one event – without giving away proprietary info – at your firm helped you step up your security game?


May 2, 2014  12:10 PM

Taking care with updates – don’t get eaten by the bear!

Jeff Cutler Jeff Cutler Profile: Jeff Cutler

I know IE is in the news. I know people are still using this archaic browser. I’m just not ready to hop on the soapbox yet. Today I want to talk about mobile OS and application updated.

Screen Shot 2014-05-02 at 8.08.09 AM

My next post will talk about Internet Explorer and all the insanity surrounding that issue. I think it’s too early to delve into all the details and to form an informed opinion on whether the government is off its rocker in recommending we not use the Microsoft product.

So, to update or not to update? While Shakespeare might have posited that it is better to have loved and lost (or was it Alfred Lord Tennyson), the fact remains that updating our devices and systems is the norm. Without regular updates, we’re prone to having plug-ins and accompanying software that just doesn’t work. But what’s the benefit proposition when jumping forward and updating right away?

In the instance of open-source products like the WordPress CMS (and many firms are using WP on their sites and blogs), you can almost perform an update immediately. Plug-in vendors test their products as the update rolls out and the WordPress community is so large that users are a good test case to see what gets broken in an update.

If you’re using WP to run your company CMS, the only thing you might want to do first is make sure your custom code plays nice with the update. Just sandbox the site and run the update, then you’ll know whether it stays stable.

Looking at mobile – and mobile sites – the trick is to have builds of prior versions available to you and to have your IT team ready to tweak your own products and sites when an update hits the shelves.

Screen Shot 2014-05-02 at 8.09.05 AM

Apple iOS gets a bump at least a couple times a year. My rule of thumb (and your mileage may vary) is to wait one week before doing the update on my systems. This isn’t because Apple doesn’t know what its doing, but because there are so many apps out there. It’s not practical for Apple to test each and every app to see if there might be a glitch in their update.

I tend to let others add the update first and then I look at the forums to see if anyone has reported issues. It’s akin to the strategy I used when mountain biking. In order not to get eaten by a bear or be attacked by a puma, I would ride in the center of the pack.

The first rider would run into a bear if it was on the trail and the last rider would get picked off by the big cat. If you allow a few others to go before you in regard to updates, you’ll stay alive and kicking and so will your systems.

Ultimately, the best plan is to have sandboxed versions of different builds at the office Ensure that IT can implement updates in a closed environment so nothing goes wrong when things are live. This will keep your systems and data as safe as possible and leave you in control when deciding the path to take when it comes to building out your systems and apps.

What’s your update strategy? How do you keep your enterprise up and running?


April 23, 2014  7:25 PM

Are you communicating with clients properly about data breaches?

Jeff Cutler Jeff Cutler Profile: Jeff Cutler

As the security landscape continues to change – especially with fallout from Heartbleed still raining down upon businesses from coast to coast – your best first step in protecting yourself and your clients from damage is awareness. By that, I mean if you’re aware of a breach you can respond and at least make a plan. As with any disaster planning, communication is key if you want to protect the castle and your clientele.

Screen Shot 2014-04-23 at 3.24.38 PM

But that’s where problems arise. You see, in an effort to protect businesses all across this great land of ours, the U.S. Government has made some information less accessible unless you know how to search and what rights you have. There are actually nine exemptions in the Freedom of Information Act that keep us safe, but also make it tougher to notify people in the event of a data catastrophe.

Look at the list.

Essentially, it’s an ironic double-edged sword in that organizations are required to alert their clients, customers and partners in the case of a data breach, but can’t access the info necesary to do so. For instance, if customers at Target opted out of marketing from Target, what are the rules Target had to follow in reaching out to them? Was there liability if Target overstepped and phoned people to tell them of the security breach?

It might seem like common sense, but these days we’re all so sensitive about giving out our contact info and addresses that legislation has been written to ‘protect’ people from businesses.

Ultimately, the best way to prepare is to know the laws and what you’re required to do if your systems get hacked. Other than that, time will tell if new measures and methods for notification are approved and put into place.

“Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information.”

See more laws about security breach notifications and if your state is on the list.

How do you plan to respond if Heartbleed or another event makes client data available to prying eyes?


April 16, 2014  11:52 AM

Creating and keeping a safe password system

Jeff Cutler Jeff Cutler Profile: Jeff Cutler

On the heels of Heartbleed, folks are up in arms about getting a new workflow when it pertains to passwords. The old ones aren’t strong enough or have been compromised. The new ones are too hard to remember. Switching dozens of accounts and creating a new password for each is difficult.

In fact, an Examiner.com article spoke to the ways lifestyle can affect your memory. Living wrong can endanger your passwords…who would have thunk it?

Screen Shot 2014-04-16 at 7.47.21 AM

Why do you think Post-it Notes has such high profits? Folks write their passwords down and ‘sticky-note’ them to the side of towers, underneath keyboards or even inside desk drawers. The disconnect between online and actual worlds seldom collides in the minds of staffers. That’s why you need some solutions.

One caveat. As we all get older we start to have some doubt about remembering names and events. The better you design your system, the easier it will be to get into your accounts at work and at home.

1 – Go with something simple. There’s no need to reinvent the wheel here. Pick a memory device or an actual piece of software to assist you in keeping track of your passwords. I’m using 1Password to lock down my office computer and laptop. I only have to remember one master password to get into the library of saved passwords. And the passwords generated by 1Password are ridiculously long and complicated – so it’s a good thing I’ve got a system.

2 – Address ALL of your accounts. If at all possible, address everything from your online banking all the way to your Pinterest account in one sitting. It’s daunting if you’ve got dozens of credit card and financial accounts on top of multiple social media accounts. The philosophy behind doing it all at once is that you won’t leave too many gaps moving forward.

Screen Shot 2014-04-16 at 7.49.21 AM

This is also more secure because it only takes a talented thief one account tied to one email address to start to tear down your secure walls. Gaining access to your email and then resetting passwords on accounts that have that email as the sign-in username is one way your whole world of online properties could come tumbling town.

3 – Finally, keep a regular schedule for updating passwords and securing your accounts. Hackers are working all the time to get into your stuff and they’re good at it. For you to remain secure, change your passwords a couple times a year minimum. Some companies require you to change your password every 30 days (hence the ‘sticky-note’ abundance in offices all over the world). As long as you monitor activity and change your passwords regularly – and have a system for doing so – you should sleep a little easier.

What tips and tricks do you use to remain secure? Are you so diligent that you won’t even sign into Starbucks or hotel wifi? Let me know your methods in the comments.

Thanks!


April 10, 2014  12:09 AM

Heartbleed – All Your Sites Are Unsafe

Jeff Cutler Jeff Cutler Profile: Jeff Cutler

It’s finally happened. No need to be running Windows XP. No need to be running around leaving your credit card receipts on the ground outside 7-Eleven stores. No need to leave the keys in your car ignition. Now, it’s just enough for you to be a member on one of these sites – list courtesy of GitHub. The Heartbleed bug might have already bitten you!

Courtesy of Flickr - Creative Commons from https://www.flickr.com/photos/jassen/2489763818/

Courtesy of Flickr – Creative Commons from https://www.flickr.com/photos/jassen/2489763818/

So, what’s a smart IT person to do? You should move quickly and calmly toward seeing if your sites and activity are vulnerable. Be aware that the situation has been the same for two years and people are just catching on to it now. Then you should get your whole team in a room and explain the issue to them.

Then, once people understand the gravity of the situation you should have them start changing passwords where necessary.

In fact, according to a great piece on Business Insider – here’s how to protect yourself once you find out you’re affect. And you ARE affected. We all are. Sites like Yahoo, FitBit, Slate and Eventbrite are on the list, so get going and fix your passwords.

Screen Shot 2014-04-09 at 8.07.18 PM

How can something like this happen? You tell me. Aren’t we all using double verification for sign-in? Aren’t we all changing email addresses and passwords for each site we access? Aren’t we using crypto keys that change every 20 seconds for access to company VPNs?

Um, no. I don’t think we are. And why not? Isn’t this wake-up call just one more in a long line of breaches that should wake up the entire IT industry? I would say so. And I’d say, get going. Share this blog post and then go change your passwords.

We’ll talk again next week.


April 3, 2014  2:28 PM

A Security Lesson from the U.S. Government

Jeff Cutler Jeff Cutler Profile: Jeff Cutler

[edit - Some readers didn't recognize the referenced site as a parody Gov site. It is, but lessons taken from it are still valid.]

There’s a new tunnel at the White House. I can’t tell you where. Not because I don’t know, but if I told you then I’d have Secret Service people and the NSA gumming up my Gmail and scoping out my Twitter account.

What I can tell you is that this Deep Underground Command Center (DUCC) has been planned for some time and they broke ground on the project in 2010 – if you believe the official reports.

Screen Shot 2014-04-03 at 10.19.25 AM

In fact, on the White House Tunnel System Website, there is a note that says…

The new underground command center serves two purposes: 1) To protect key people with sufficient staff and data to render critical decisions and 2) Ensure the survival of the facility to allow dissemination of these decisions. The DUCC can only serve this purpose if the President and his team can secretly relocate there on very short notice.

If IT professionals are to take a lesson from the U.S. government, it’s that your vital assets should always be treated as such. A list of no-no’s might include…

Leaving doors to your facility propped open for environmental reasons. If it’s too hot, have facilities management fix the thermostat.

Remaining signed into computers and workstations when you’re away from your desk or HORRORS away from the office. Lots of folks still haven’t initiated timed sign-off protocols and enterprise workstations. All it takes to create a breach is for some unscrupulous person to wander by and hop onto a vacant machine.

Using BYOD equipment isn’t completely vetted and approved. With new mobile phones and phablets coming out almost weekly, it’s hard to lock down new personal devices. The first step IT needs to take is creating a BYOD policy that requires all devices to be evaluated. This policy should also include allowances for the resources to do this properly.

Those are just a few thoughts off the top of my head. But if the U.S. government can keep their assets secure and running (do NOT bring up the healthcare Website, please), then shouldn’t private organizations be as well equipped to do the same?

What do you think?


March 31, 2014  11:15 AM

Provisioning Pure and Simple – A Resource

Jeff Cutler Jeff Cutler Profile: Jeff Cutler

My regular routine is to shout about provisioning until the cows come home and then have to be buzzed into the facility because they forgot their passcode and/or badge. OK, a little provisioning humor there. But there’s nothing funny about not knowing the proper way to set up your enterprise so that roles and users are determined, defined and proper access is maintained.

Used with Creative Commons permission - full photo stream at https://www.flickr.com/photos/rickyromero/

Used with Creative Commons permission – full photo stream at https://www.flickr.com/photos/rickyromero/

In poking around the Internet, I found this article from Edge Doc on Provisioning Basics. It gives you a starting point on getting your facility and IT infrastructure up to snuff. I like it because it breaks down some of the complicated stuff so you can easily describe the process and the reasoning behind your actions to management and C-suite personnel. *It’s not a bible by any means. Your provisioning is best determined by experience and by the data and facilities you control.

Let me know what you think about this pieces and if you’ve found provisioning articles that are as valuable to your organization. Thanks!


March 31, 2014  3:13 AM

Colleges Focusing on Security Education

Jeff Cutler Jeff Cutler Profile: Jeff Cutler

It’s not new. And some of the world’s smartest minds are housed there. But as cyber attacks and focus on IT security issues becomes more prevalent in the mainstream, don’t you think colleges and universities would get their ducks in a row and add some programs for IT pros?

Screen Shot 2014-03-30 at 11.11.14 PM

Clearly, the folks at Fortune Magazine did when they wrote this piece. They identify the topic of IT security as one that colleges and universities are starting to capitalize on because the job market for these positions is growing with leaps and bounds. Far be it for someone to just take a management class in college and graduate with a job in hand.

Screen Shot 2014-03-30 at 11.09.26 PM

Now, businesses are freaked out more about cyber threats and attacks on their data more than they are about hiring middle management.

Take a read through the piece – I’m pasting a pertinent quote below – and let me know what you think.

FROM Fortune Magazine
National Cyber Security Alliance Executive Director Michael Kaiser said the field is still very young and that current cybersecurity leaders are largely self-taught, because a decade ago, “There was no place to get an education. The really big gap,” he added, “is that the networks are getting bigger and more robust. How do we find people to protect them?”


March 28, 2014  1:44 PM

Business Wifi and Paranoia go hand-in-hand

Jeff Cutler Jeff Cutler Profile: Jeff Cutler

I’m freaked out. Not because there’s been a breach at my company and not because anyone has stolen my identity, but because there are myriad tech professionals in my community to whom this has happened. What’s going on? Are we destined to let the monster of bad security frighten us at every turn?

The scary truth about security

You would think that we – as trained IT and technology specialists – would be the first to lock down our accounts, rotate our passwords regularly and be vigilant about provisioning our staff. It’s not the case. Maybe it’s a situation where familiarity breeds lax behavior. But whatever it is, it’s not good.

I can count three close friends who have recently lost access to social media accounts, business email servers and even sites because they took the easy way out when it came to security. That’s not right! If we’re to lead by example, the key to security is keeping your stuff secure.

Screen Shot 2014-03-28 at 9.40.38 AM

A good primer on this – since we’ve obviously forgotten everything we learned in school – on in this post by Robert Siciliano that covers Wifi security. Give it a read and let me know if he missed anything when it comes to locking down your Wifi.

Until then, you have my permission to be paranoid. I know I am!


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: