I’m not sure I ever did a ‘welcome’ to the blog post when I first started working for Tech Target and putting my columns on security, data breaches, log management and more out into the ether. This post serves that purpose. I want to say hi, introduce myself a bit more, ask you some questions and then get on with the business of reporting on security events and sharing my opinions and guidance as it pertains to keeping your sites and facilities safe.
Me – 22+ years as a professional journalist, technology correspondent, food and travel writer and more. I continue to freelance and provide columns to myriad organizations and outlets. And I enjoy every minute. If I can talk conversationally to an audience that wants to open their mind, then I’m thrilled. You can find my other writing at JeffCutler.com - enjoy.
As far as this security stuff is concerned, I’m as freaked out as you. Every day some business or entity has its database hacked or systems taken down. We’re seeing new ways in which we can lose money and information. And there are no clear-cut answers in an environment where we need to stay connected to be successful. I’ve done a lot of writing on the pragmatic approach to keeping your stuff safe. I’m still learning some of the intricate database protection methodology, but most of this comes down to common sense.
If you want to keep your stuff safe, keep it away from the bad guys!
All that shared, let me know if there are current events you want covered or expounded upon. Tell me who I should reach out to and interview – videos are lots of fun and I love sharing that type of content with you. Maybe you even want to do Q&A type posts with me. If so, send me your questions and we can try to make that a regular feature.
Whatever the case and whatever the course, I’m here for you. Make use of the blog and learn from me. Tell me how I can help and we’ll both be happy going forward.
Thanks for reading. See you next week.
To assist readers in understanding different scenarios, I often provide examples that harken back to life at home. I’m not literally talking about leaving your doors at the office open. I’m alluding to the practice of leaving sites and systems unprotected.
We’re not living in 1950. Back then, houses were often left unlocked and our car keys remained in the most logical place, the car. Crime might have been just as bad, but we heard less about it because social media was still 60 years away from taking hold. Businesses only had to worry about paying protection money to the local mob.
Now, we’re locking our homes with keypad security and double bolts. We’re encrypting our data with hashes that are innumerable digits in length. And we employ special forces-level security at the door to our cafeterias.
Is it paranoia? Not in all phases. Perhaps it’s silly to lock down the vending machines at your office in the same way you protect your CRM system, but that’s for you to decide. Essentially, the value of our ‘things’ and data hasn’t changed that much in relative terms over time. What has changed is the potential gain or loss if we experience a breach in either physical or virtual terms.
What’s the process, then, for behaving rationally and intelligently in 2014? It’s three-fold.
First, know what you have and the value it has to your organization and your customers. This includes data that might be proprietary and a likely target for theft.
Second, know how well protected you are in all phases of your operation. Do you have 24-hour security at your facilities or are they only ‘protected’ during work hours? What access do you provide to contractors and visitors? How do you provision employees as they require access to different systems?
Third, keep your eyes and ears open. Seeing something and saying something has begun to sound tired. But if you’re vigilant and use common sense – and some intuition – you’ll know when something isn’t right. Even when you’re looking at data logs or talking with folks around headquarters.
Lock your doors and keep the keys in a safe place. Be smart about your data and building security. Because the best line of defense is the one you don’t need to use. Nobody is going to be breaking down your door or cracking your systems if you’re vigilant in observing all your property – physical and electronic.
I took my car in for service the other day because the electrical system was acting up. No, not under warranty. Cost $1000. But that’s neither here nor there. The real discussion point here is that our vehicles are now so sophisticated they might be dangerous. What if the electrical system issue was because of a DDOS attack?
Witness, for a second, the current lawsuit between GM and lots of families who were affected (or killed) when the ignition allegedly failed in such a way that the drivers lost control of their cars. If that could happen, what might occur if dastardly fiends took over your vehicle with the intention of harming you?
It could happen.
According to a recent piece by Jose Pagliery in CNN Money, your car can easily (sort of) be hacked. In the article, Pagliery says, “Consider the level of complexity of modern day cars — and the chance for a screw up. The space ship that put humans on the moon, Apollo 11, had 145,000 lines of computer code. The Android operating system has 12 million. A modern car? Easily 100 million lines of code.”
A lot of the possible nefarious access to your car is either hands on – meaning crooks need to be in your vehicle – or within Bluetooth range, so I’m not thinking that masterminds in their parents’ basements are planning to crash cars all over the place. But it certainly makes you think about the ways in which access to your data and your systems can be compromised. Especially if your firm has a fleet of vehicles, measures profits and productivity via GPS or other systems in your trucks, or if your business is something like product delivery.
What would you do if someone took over the controls to your car or your company’s vehicles?
The other day, I was asked by a friend of mine to do some work for him. The work was right in my wheelhouse – professional content creation – but the sticking point was he didn’t want to pay me. This led to a whole discussion over what anyone’s time is worth and why the most skilled at a job have to charge more because they are more efficient in their process.
How does this relate to security? Simple. If you’re a skilled IT pro and know what to look for, you can keep your data secure and your logs analyzed faster than someone unfamiliar with your industry or the security-protection field.
But how do you convey this information to colleagues, folks in the C-suite and clients without sounding like a complete donkey and losing their respect? The same way I presented my argument to my friend. You do a few things that make it clear that the skills and methods you use are worth the investment.
First, explain the landscape as best you can. In security, your primary goal is to keep the enterprise running and secure. That’s it. When you lay that objective on the table, you’re letting others know what drives you and that you understand your role.
Next, use past experience and even case studies to illustrate your breadth of knowledge and skill set. As a content guy, I brought up the multiple assignments I’ve had to create content for news organizations, Fortune 100 companies and even small businesses like his. As a security pro, bring up your success stories.
There’s no need to craft an Oscar-worthy diatribe about how you saved civilization, but you should be slightly unabashed about your successes. Talk about a particular breach that didn’t happen because you understand what to look for when performing log management. Give a glimpse into how you decided to hold credentials back from a person and how they subsequently were found to be a security risk.
You can even provide insight into how you work with HR and departments to provision existing staff so that systems remain secure while increasing productivity. Everyone has stories of success in their chosen field – just identify yours and use them to justify your existence and budget.
Finally, explain that your role is vital – but only as one facet of the entire organization. While you might provide a secure platform on which the company conducts business, performs experiments or manages client assets, it’s a team approach. Make it clear that your interests lie in the same direction as anyone coming to leverage your services.
Once you’re at that point, it makes it much easier to make an argument for more resources, budget, salary and support. Stand up for yourself and your department – security isn’t easy. Like I told my friend who said he could just go take some photos instead of hiring me, “you’ll get exactly what you invest.”
Be secure out there. See you next week!
OK, that headline was a bit inflammatory…but it’s true. Any site worth its salt has been selling customer data for ages and making a pretty good living doing so. eBay is no different, except now the practice takes on a new twist with the recent data breach of their servers.
A few days ago, information on the 145 million eBay users was compromised, leaving account information vulnerable. What’s that mean for you? Someone might list something and use your account. Someone might use your account to buy something and then ship it elsewhere.
Or those same someones could actually take your sign-in data and use it to breach other accounts including banking and credit card services.
“The breach, which was confirmed by investigators this week, happened in late February and early March; eBay discovered it in early May. It seems hackers used an internal eBay corporate account to spy on usernames, email addresses, physical addresses, phone numbers and dates of birth.”
So, the fear that your account is doomed is probably a little overstated. In fact, the password data on accounts was encrypted, keeping it safe – especially if you use the same password on multiple services beyond eBay. But hackers could use the other info to try and compromise other accounts.
One huge thing that worries me is that this event happened in FEBRUARY and we’re just hearing about it now. Isn’t there something that should hold organizations accountable to reporting this information sooner?
For now, your best steps are to reset your password and tighten up your security questions and PINs. That should keep you safe and ready to buy some overpriced merchandise from the other sellers on eBay.
Until next week, keep your data and your passwords a secret!
It’s common sense. When a data breach, hack or DDOS attack occurs, you are going to immediately look bad to your customers, clients and the rest of the world. Even if there was nothing you could have done to prevent the loss, you still better get on the stick and think about your reputation. Because things are going to happen FAST!
For example, the first set of phone calls and emails you’re going to get if you’re the CTO or running the IT department are going to be from investor media outlets, journalists, the CEO of your own company, and the team in community and public relations. How do you respond? With speed, efficiency and accuracy.
But that doesn’t mean you respond to a breach and the associated reputation fallout without carefully thinking about your actions. And it certainly doesn’t mean you ever speak to anyone without having a strategy in place. Let’s look at a simple checklist of items to consider before a breach happens so you’ll be ready when it does occur.
1 – Coordinate with internal departments and your public information team. Then, tell the truth. If your plan of attack is to wait until the extent of the damage is determined, then say that. Tell audiences that you’re carefully reviewing the events and the attack and you’ll be ready to share information soon. This shows that you are being thoughtful and careful in your response to a bad situation.
2 – Notify stakeholders as appropriate. If your company is publicly held, you will have to confer with the legal and compliance teams to see what you have to disclose and when you have to disclose it. Information that affects the company’s status in the stock market is not something that should be treated lightly. One miscommunication by someone in IT or even PR could sink your company.
3 – Logistically, get all logs and other information leading up to and through the breach so your teams can evaluate them. Duplicate this information immediately so you’re working from backups. The information regarding a data breach is going to be requested by multiple departments and agencies depending on the extent to which you were compromised. Be sure you have multiple copies.
4 – Get all hands on deck to sift through information and to ensure you’ve buttoned up any holes. Continue your collaboration with management and PR to ensure the messaging you deliver through the entire process is consistent and appropriate.
5 – Learn from the attack. Prepare yourself to fend off similar attempts in the future. Allocate resources to build up defenses again and to train staff to be more vigilant.
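Step 3 of the checklist is the one that goes wrong most often in practice: logs get edited, rotated or overwritten while people are still deciding who needs them. The script below is an added example (not code from the original column) of the habit that step describes: copy each log into an evidence folder, make the copies read-only, record a SHA-256 for every file in a manifest, and re-check the manifest later so you can show that what legal, the auditors and the incident team are looking at is what was collected. The file paths and the single log line are constructed for the demonstration.

```python
"""Preserve breach-related logs as hashed, read-only evidence copies.

Added example; paths and the sample log line are constructed, not from any real system.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large logs don't have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_logs(sources, evidence_dir: Path) -> dict:
    """Copy each source log into evidence_dir and write a JSON manifest of hashes.

    The original is hashed before the copy and the copy is hashed after it, so a
    mismatch (disk error, log rotated mid-copy) is caught immediately.
    """
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(), "files": []}
    for src in map(Path, sources):
        original_hash = sha256_file(src)
        dest = evidence_dir / src.name
        shutil.copy2(src, dest)      # copy2 keeps the modification time for timeline work
        os.chmod(dest, 0o444)        # read-only: analysts work from further copies, not this one
        copy_hash = sha256_file(dest)
        if copy_hash != original_hash:
            raise RuntimeError(f"copy of {src} does not match the original")
        manifest["files"].append(
            {"source": str(src), "copy": str(dest), "bytes": dest.stat().st_size, "sha256": copy_hash}
        )
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir: Path) -> list:
    """Re-hash every file named in the manifest; return the copies whose hash changed."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [entry["copy"] for entry in manifest["files"] if sha256_file(Path(entry["copy"])) != entry["sha256"]]


def demo() -> dict:
    """Collect one constructed log, verify it, then tamper with the copy and verify again."""
    work = Path(tempfile.mkdtemp())
    log = work / "auth.log"
    # Constructed sshd-style line; not from a real host.
    log.write_text("Mar 01 02:14:07 web1 sshd[911]: Failed password for admin from 203.0.113.9 port 40110 ssh2\n")
    evidence = work / "evidence"
    manifest = preserve_logs([log], evidence)
    intact = verify_evidence(evidence)          # expected: [] (nothing changed)
    copy = evidence / "auth.log"
    os.chmod(copy, 0o644)                        # simulate someone "cleaning up" the evidence copy
    copy.write_text("edited after collection\n")
    return {"files": len(manifest["files"]), "intact": intact, "after_tamper": verify_evidence(evidence)}


if __name__ == "__main__":
    print(demo())
```

The manifest is deliberately plain JSON: it is the artifact you hand to the other departments and agencies the checklist mentions, and anyone can re-run the hash check without this script.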
After all that’s done, breathe a sigh of relief that you were prepared for the event and were able to handle it with aplomb. Your reputation is valuable to the future viability of your company, so treating it as you would any physical or monetary asset is critical.
How have you responded in times of crisis? How much interdepartmental activity did you experience at your firm? Should it have been higher? What role did PR play in repairing your reputation with the media and the public?
The reason people use sports analogies in business and life is because they’re boiled down, easy-to-understand snippets of actions. I’ve been banging the drum of security awareness here for some time now, but the message of constant vigilance sometimes feels stale. Therefore, after watching dozens of college football players get selected to play for various NFL teams last night, I thought I’d use the draft as an example.
And Johnny Manziel as the lightning rod. Stick with me.
We can all agree that to maintain a secure facility and data center, you need to know what’s happening within and outside of these areas. Knowing the landscape and the environment is paramount to making informed decisions on provisioning and breach remediation.
Further, we all have daily tasks on our calendars that seldom change. A routine, if you will, of security steps we all follow to ensure our IT team and the organization is protected and aware of access to systems and buildings.
Finally, when the environment changes suddenly and drastically, we go into crisis mode and react in the best way we can to the factors presented us. Whether those be a hack, a DDOS attack, a physical breach or something else. In all, we hope to be ready for everything.
That’s where the NFL Draft comes in. Last night, Johnny Manziel dropped 21 spots (at least in his mind) to be selected by the Cleveland Browns as the 22nd overall pick. The quarterback from Texas A&M was considered by many to be at least in the top 10 picks in the 2014 NFL Draft. He was also considered to be the best quarterback. That didn’t matter.
What occurred last night was the environment changed and Johnny Football dropped to a lowly 22 in the draft order. Similar to what happens in your data center if there’s a crash, or what happens in IT if there’s a breach reported, decisions had to be made on the fly.
I won’t bore you with too much inside football, but Johnny didn’t fit any of the needs of the first 21 teams choosing players. Once that was taken into account, anyone can look objectively at the draft environment and understand what happened. It just takes a little big-picture understanding.
To wrap this back to keeping your data and enterprise safe…you can only do so if you see the entire landscape. Who might want to target your systems? What areas would you try to breach if you were on the outside? Are there any blips or curious events happening in your daily logs? When you take the time to really look at – and then fix – any issues, you’ll be keeping your facility and information more secure and efficient.
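The "blips or curious events in your daily logs" line is where the analogy turns into work, so here is an added example (not from the original column) of what looking for a blip can mean in code: parse a handful of sshd-style authentication lines, summarize activity per source address, and flag the sources that break the routine, such as a run of failed logins, guesses across several usernames, attempts against accounts that don't exist, or a success that follows those failures. The log lines are constructed for the demonstration and the thresholds are assumptions you would tune to your own baseline.

```python
"""Flag authentication-log 'blips' that deserve a human look.

Added example. SAMPLE_LOG is constructed in sshd syslog style; thresholds are assumptions.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
May 08 09:00:01 web1 sshd[2201]: Accepted publickey for deploy from 198.51.100.7 port 51522 ssh2
May 08 09:00:12 web1 sshd[2210]: Failed password for root from 203.0.113.9 port 40110 ssh2
May 08 09:00:13 web1 sshd[2211]: Failed password for admin from 203.0.113.9 port 40111 ssh2
May 08 09:00:14 web1 sshd[2212]: Failed password for invalid user oracle from 203.0.113.9 port 40112 ssh2
May 08 09:00:15 web1 sshd[2213]: Failed password for invalid user test from 203.0.113.9 port 40113 ssh2
May 08 09:00:16 web1 sshd[2214]: Failed password for root from 203.0.113.9 port 40114 ssh2
May 08 09:00:17 web1 sshd[2215]: Failed password for admin from 203.0.113.9 port 40115 ssh2
May 08 09:00:25 web1 sshd[2220]: Accepted password for admin from 203.0.113.9 port 40120 ssh2
May 08 09:05:30 web1 sshd[2301]: Failed password for alice from 192.0.2.44 port 50001 ssh2
May 08 09:05:41 web1 sshd[2302]: Accepted password for alice from 192.0.2.44 port 50002 ssh2
May 08 09:07:02 web1 sshd[2310]: Failed password for bob from 192.0.2.99 port 50100 ssh2
May 08 09:07:09 web1 sshd[2311]: Failed password for bob from 192.0.2.99 port 50101 ssh2
May 08 09:07:20 web1 sshd[2312]: Accepted password for bob from 192.0.2.99 port 50102 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(text: str) -> list:
    """Turn matching lines into dicts; lines the pattern doesn't recognise are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            event = match.groupdict()
            event["invalid"] = bool(event["invalid"])   # 'invalid user' means the account doesn't exist
            events.append(event)
    return events


def find_blips(events: list, fail_threshold: int = 5, user_threshold: int = 3) -> dict:
    """Return {source_ip: [reasons]} for sources that stand out from the daily routine."""
    per_src = defaultdict(lambda: {"failed": 0, "users": set(), "invalid": 0, "success_after": None})
    for event in events:
        stats = per_src[event["src"]]
        if event["result"] == "Failed":
            stats["failed"] += 1
            stats["users"].add(event["user"])
            if event["invalid"]:
                stats["invalid"] += 1
        elif stats["failed"] >= fail_threshold or len(stats["users"]) >= user_threshold:
            # A success from a source that was already guessing is the finding to chase first.
            stats["success_after"] = (event["user"], stats["failed"])

    findings = {}
    for src, stats in per_src.items():
        reasons = []
        if stats["failed"] >= fail_threshold:
            reasons.append(f"{stats['failed']} failed logins")
        if len(stats["users"]) >= user_threshold:
            reasons.append(f"tried {len(stats['users'])} different usernames")
        if stats["invalid"]:
            reasons.append(f"{stats['invalid']} attempts against nonexistent accounts")
        if stats["success_after"]:
            user, failures = stats["success_after"]
            reasons.append(f"successful login as {user} after {failures} failures")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in find_blips(parse(SAMPLE_LOG)).items():
        print(src, "->", "; ".join(reasons))
```

Note what is not flagged: alice mistyping once and bob twice before getting in is the routine the post talks about, and a report that lists them alongside the real blip trains people to stop reading it.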
How do you use log management to make security decisions at your company? What one event – without giving away proprietary info – at your firm helped you step up your security game?
I know IE is in the news. I know people are still using this archaic browser. I’m just not ready to hop on the soapbox yet. Today I want to talk about mobile OS and application updates.
My next post will talk about Internet Explorer and all the insanity surrounding that issue. I think it’s too early to delve into all the details and to form an informed opinion on whether the government is off its rocker in recommending we not use the Microsoft product.
So, to update or not to update? While Shakespeare might have posited that it is better to have loved and lost (or was it Alfred Lord Tennyson), the fact remains that updating our devices and systems is the norm. Without regular updates, we’re prone to having plug-ins and accompanying software that just doesn’t work. But what’s the benefit proposition when jumping forward and updating right away?
In the instance of open-source products like the WordPress CMS (and many firms are using WP on their sites and blogs), you can almost perform an update immediately. Plug-in vendors test their products as the update rolls out and the WordPress community is so large that users are a good test case to see what gets broken in an update.
If you’re using WP to run your company CMS, the only thing you might want to do first is make sure your custom code plays nice with the update. Just sandbox the site and run the update, then you’ll know whether it stays stable.
Looking at mobile – and mobile sites – the trick is to have builds of prior versions available to you and to have your IT team ready to tweak your own products and sites when an update hits the shelves.
Apple iOS gets a bump at least a couple times a year. My rule of thumb (and your mileage may vary) is to wait one week before doing the update on my systems. This isn’t because Apple doesn’t know what it’s doing, but because there are so many apps out there. It’s not practical for Apple to test each and every app to see if there might be a glitch in their update.
I tend to let others add the update first and then I look at the forums to see if anyone has reported issues. It’s akin to the strategy I used when mountain biking. In order not to get eaten by a bear or be attacked by a puma, I would ride in the center of the pack.
The first rider would run into a bear if it was on the trail and the last rider would get picked off by the big cat. If you allow a few others to go before you in regard to updates, you’ll stay alive and kicking and so will your systems.
Ultimately, the best plan is to have sandboxed versions of different builds at the office. Ensure that IT can implement updates in a closed environment so nothing goes wrong when things are live. This will keep your systems and data as safe as possible and leave you in control when deciding the path to take when it comes to building out your systems and apps.
What’s your update strategy? How do you keep your enterprise up and running?
As the security landscape continues to change – especially with fallout from Heartbleed still raining down upon businesses from coast to coast – your best first step in protecting yourself and your clients from damage is awareness. By that, I mean if you’re aware of a breach you can respond and at least make a plan. As with any disaster planning, communication is key if you want to protect the castle and your clientele.
But that’s where problems arise. You see, in an effort to protect businesses all across this great land of ours, the U.S. Government has made some information less accessible unless you know how to search and what rights you have. There are actually nine exemptions in the Freedom of Information Act that keep us safe, but also make it tougher to notify people in the event of a data catastrophe.
Essentially, it’s an ironic double-edged sword in that organizations are required to alert their clients, customers and partners in the case of a data breach, but can’t access the info necessary to do so. For instance, if customers at Target opted out of marketing from Target, what are the rules Target had to follow in reaching out to them? Was there liability if Target overstepped and phoned people to tell them of the security breach?
It might seem like common sense, but these days we’re all so sensitive about giving out our contact info and addresses that legislation has been written to ‘protect’ people from businesses.
Ultimately, the best way to prepare is to know the laws and what you’re required to do if your systems get hacked. Other than that, time will tell if new measures and methods for notification are approved and put into place.
“Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information.”
See more laws about security breach notifications and if your state is on the list.
How do you plan to respond if Heartbleed or another event makes client data available to prying eyes?
On the heels of Heartbleed, folks are up in arms about getting a new workflow when it pertains to passwords. The old ones aren’t strong enough or have been compromised. The new ones are too hard to remember. Switching dozens of accounts and creating a new password for each is difficult.
In fact, an Examiner.com article spoke to the ways lifestyle can affect your memory. Living wrong can endanger your passwords…who would have thunk it?
Why do you think Post-it Notes has such high profits? Folks write their passwords down and ‘sticky-note’ them to the side of towers, underneath keyboards or even inside desk drawers. The online and physical worlds seldom collide in the minds of staffers. That’s why you need some solutions.
One caveat. As we all get older we start to have some doubt about remembering names and events. The better you design your system, the easier it will be to get into your accounts at work and at home.
1 – Go with something simple. There’s no need to reinvent the wheel here. Pick a memory device or an actual piece of software to assist you in keeping track of your passwords. I’m using 1Password to lock down my office computer and laptop. I only have to remember one master password to get into the library of saved passwords. And the passwords generated by 1Password are ridiculously long and complicated – so it’s a good thing I’ve got a system.
2 – Address ALL of your accounts. If at all possible, address everything from your online banking all the way to your Pinterest account in one sitting. It’s daunting if you’ve got dozens of credit card and financial accounts on top of multiple social media accounts. The philosophy behind doing it all at once is that you won’t leave too many gaps moving forward.
This is also more secure because it only takes a talented thief one account tied to one email address to start to tear down your secure walls. Gaining access to your email and then resetting passwords on accounts that have that email as the sign-in username is one way your whole world of online properties could come tumbling down.
3 – Finally, keep a regular schedule for updating passwords and securing your accounts. Hackers are working all the time to get into your stuff and they’re good at it. For you to remain secure, change your passwords a couple times a year minimum. Some companies require you to change your password every 30 days (hence the ‘sticky-note’ abundance in offices all over the world). As long as you monitor activity and change your passwords regularly – and have a system for doing so – you should sleep a little easier.
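The three steps above (one master secret and a generator for the rest, an inventory of every account, a rotation schedule) are easy to check mechanically once the accounts are written down, which is what a password manager gives you. The script below is an added example, not code from the original column or from 1Password: it generates passwords from the operating system's random source, derives a vault key from a single master password with PBKDF2 (a standard key-derivation function; the iteration count and salt are assumptions for the demo), and audits a constructed account inventory for the three things the post warns about, reuse across accounts, passwords that are too short to resist guessing, and passwords older than the rotation interval.

```python
"""Generate strong passwords and audit an account inventory for reuse, weakness and age.

Added example. Account names, passwords and dates are constructed; 'Summer14' is a
deliberately weak sample, and the rotation interval and strength floor are assumptions.
"""
import hashlib
import math
import secrets
import string
from collections import defaultdict
from datetime import date

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG, the kind a manager stores so you never type it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """One master secret -> one 32-byte vault key, via PBKDF2-HMAC-SHA256 (iteration count assumed)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def estimate_bits(password: str) -> float:
    """Rough strength estimate: length times log2 of the character classes actually used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def audit_accounts(accounts: list, today: date, max_age_days: int = 180, min_bits: float = 60.0) -> dict:
    """accounts: dicts with 'name', 'password', 'last_changed'. Returns reuse groups, stale and weak names."""
    by_password = defaultdict(list)
    stale, weak = [], []
    for account in accounts:
        by_password[account["password"]].append(account["name"])
        if (today - account["last_changed"]).days > max_age_days:
            stale.append(account["name"])
        if estimate_bits(account["password"]) < min_bits:
            weak.append(account["name"])
    reused = [names for names in by_password.values() if len(names) > 1]
    return {"reused": reused, "stale": stale, "weak": weak}


def demo() -> dict:
    """Constructed inventory: two accounts share a short password, two have not been rotated."""
    today = date(2014, 5, 1)
    accounts = [
        {"name": "bank", "password": "Summer14", "last_changed": date(2013, 10, 15)},
        {"name": "email", "password": "Summer14", "last_changed": date(2014, 3, 1)},
        {"name": "work-vpn", "password": generate_password(), "last_changed": today},
        {"name": "cloud-console", "password": generate_password(), "last_changed": date(2013, 9, 1)},
    ]
    return audit_accounts(accounts, today)


if __name__ == "__main__":
    print(demo())
```

The "email" entry is the one the post singles out: it is both reused and the reset address for the others, so it is the first password to replace even though it is not yet stale.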
What tips and tricks do you use to remain secure? Are you so diligent that you won’t even sign into Starbucks or hotel wifi? Let me know your methods in the comments.