As the security landscape continues to change – especially with fallout from Heartbleed still raining down upon businesses from coast to coast – your best first step in protecting yourself and your clients from damage is awareness. By that, I mean if you’re aware of a breach you can respond and at least make a plan. As with any disaster planning, communication is key if you want to protect the castle and your clientele.
But that’s where problems arise. You see, in an effort to protect businesses all across this great land of ours, the U.S. Government has made some information less accessible unless you know how to search and what rights you have. There are actually nine exemptions in the Freedom of Information Act that keep us safe, but also make it tougher to notify people in the event of a data catastrophe.
Essentially, it’s an ironic double-edged sword in that organizations are required to alert their clients, customers and partners in the case of a data breach, but can’t access the info necessary to do so. For instance, if customers at Target opted out of marketing from Target, what are the rules Target had to follow in reaching out to them? Was there liability if Target overstepped and phoned people to tell them of the security breach?
It might seem like common sense, but these days we’re all so sensitive about giving out our contact info and addresses that legislation has been written to ‘protect’ people from businesses.
Ultimately, the best way to prepare is to know the laws and what you’re required to do if your systems get hacked. Other than that, time will tell if new measures and methods for notification are approved and put into place.
“Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information.”
See more laws about security breach notifications and if your state is on the list.
How do you plan to respond if Heartbleed or another event makes client data available to prying eyes?
On the heels of Heartbleed, folks are up in arms about getting a new workflow when it pertains to passwords. The old ones aren’t strong enough or have been compromised. The new ones are too hard to remember. Switching dozens of accounts and creating a new password for each is difficult.
In fact, an Examiner.com article spoke to the ways lifestyle can affect your memory. Living wrong can endanger your passwords…who would have thunk it?
Why do you think Post-it Notes has such high profits? Folks write their passwords down and ‘sticky-note’ them to the side of towers, underneath keyboards or even inside desk drawers. The disconnect between online and actual worlds seldom collides in the minds of staffers. That’s why you need some solutions.
One caveat. As we all get older we start to have some doubt about remembering names and events. The better you design your system, the easier it will be to get into your accounts at work and at home.
1 – Go with something simple. There’s no need to reinvent the wheel here. Pick a memory device or an actual piece of software to assist you in keeping track of your passwords. I’m using 1Password to lock down my office computer and laptop. I only have to remember one master password to get into the library of saved passwords. And the passwords generated by 1Password are ridiculously long and complicated – so it’s a good thing I’ve got a system.
2 – Address ALL of your accounts. If at all possible, address everything from your online banking all the way to your Pinterest account in one sitting. It’s daunting if you’ve got dozens of credit card and financial accounts on top of multiple social media accounts. The philosophy behind doing it all at once is that you won’t leave too many gaps moving forward.
This is also more secure because it only takes a talented thief one account tied to one email address to start to tear down your secure walls. Gaining access to your email and then resetting passwords on accounts that have that email as the sign-in username is one way your whole world of online properties could come tumbling down.
3 – Finally, keep a regular schedule for updating passwords and securing your accounts. Hackers are working all the time to get into your stuff and they’re good at it. For you to remain secure, change your passwords a couple times a year minimum. Some companies require you to change your password every 30 days (hence the ‘sticky-note’ abundance in offices all over the world). As long as you monitor activity and change your passwords regularly – and have a system for doing so – you should sleep a little easier.
What tips and tricks do you use to remain secure? Are you so diligent that you won’t even sign into Starbucks or hotel wifi? Let me know your methods in the comments.
It’s finally happened. No need to be running Windows XP. No need to be running around leaving your credit card receipts on the ground outside 7-Eleven stores. No need to leave the keys in your car ignition. Now, it’s just enough for you to be a member on one of these sites – list courtesy of GitHub. The Heartbleed bug might have already bitten you!
So, what’s a smart IT person to do? You should move quickly and calmly toward seeing if your sites and activity are vulnerable. Be aware that the situation has been the same for two years and people are just catching on to it now. Then you should get your whole team in a room and explain the issue to them.
Then, once people understand the gravity of the situation you should have them start changing passwords where necessary.
In fact, according to a great piece on Business Insider – here’s how to protect yourself once you find out you’re affected. And you ARE affected. We all are. Sites like Yahoo, FitBit, Slate and Eventbrite are on the list, so get going and fix your passwords.
How can something like this happen? You tell me. Aren’t we all using double verification for sign-in? Aren’t we all changing email addresses and passwords for each site we access? Aren’t we using crypto keys that change every 20 seconds for access to company VPNs?
Um, no. I don’t think we are. And why not? Isn’t this wake-up call just one more in a long line of breaches that should wake up the entire IT industry? I would say so. And I’d say, get going. Share this blog post and then go change your passwords.
We’ll talk again next week.
[edit - Some readers didn't recognize the referenced site as a parody Gov site. It is, but lessons taken from it are still valid.]
There’s a new tunnel at the White House. I can’t tell you where. Not because I don’t know, but if I told you then I’d have Secret Service people and the NSA gumming up my Gmail and scoping out my Twitter account.
What I can tell you is that this Deep Underground Command Center (DUCC) has been planned for some time and they broke ground on the project in 2010 – if you believe the official reports.
In fact, on the White House Tunnel System Website, there is a note that says…
The new underground command center serves two purposes: 1) To protect key people with sufficient staff and data to render critical decisions and 2) Ensure the survival of the facility to allow dissemination of these decisions. The DUCC can only serve this purpose if the President and his team can secretly relocate there on very short notice.
If IT professionals are to take a lesson from the U.S. government, it’s that your vital assets should always be treated as such. A list of no-no’s might include…
Leaving doors to your facility propped open for environmental reasons. If it’s too hot, have facilities management fix the thermostat.
Remaining signed into computers and workstations when you’re away from your desk or, HORRORS, away from the office. Lots of folks still haven’t initiated timed sign-off protocols on enterprise workstations. All it takes to create a breach is for some unscrupulous person to wander by and hop onto a vacant machine.
Using BYOD equipment that isn’t completely vetted and approved. With new mobile phones and phablets coming out almost weekly, it’s hard to lock down new personal devices. The first step IT needs to take is creating a BYOD policy that requires all devices to be evaluated. This policy should also include allowances for the resources to do this properly.
Those are just a few thoughts off the top of my head. But if the U.S. government can keep their assets secure and running (do NOT bring up the healthcare Website, please), then shouldn’t private organizations be as well equipped to do the same?
What do you think?
My regular routine is to shout about provisioning until the cows come home and then have to be buzzed into the facility because they forgot their passcode and/or badge. OK, a little provisioning humor there. But there’s nothing funny about not knowing the proper way to set up your enterprise so that roles and users are determined, defined and proper access is maintained.
In poking around the Internet, I found this article from Edge Doc on Provisioning Basics. It gives you a starting point on getting your facility and IT infrastructure up to snuff. I like it because it breaks down some of the complicated stuff so you can easily describe the process and the reasoning behind your actions to management and C-suite personnel. *It’s not a bible by any means. Your provisioning is best determined by experience and by the data and facilities you control.
Let me know what you think about this piece and if you’ve found provisioning articles that are as valuable to your organization. Thanks!
It’s not new. And some of the world’s smartest minds are housed there. But as cyber attacks and focus on IT security issues becomes more prevalent in the mainstream, don’t you think colleges and universities would get their ducks in a row and add some programs for IT pros?
Clearly, the folks at Fortune Magazine did when they wrote this piece. They identify the topic of IT security as one that colleges and universities are starting to capitalize on because the job market for these positions is growing with leaps and bounds. Far be it from someone to just take a management class in college and graduate with a job in hand.
Now, businesses are freaked out more about cyber threats and attacks on their data more than they are about hiring middle management.
Take a read through the piece – I’m pasting a pertinent quote below – and let me know what you think.
FROM Fortune Magazine
National Cyber Security Alliance Executive Director Michael Kaiser said the field is still very young and that current cybersecurity leaders are largely self-taught, because a decade ago, “There was no place to get an education. The really big gap,” he added, “is that the networks are getting bigger and more robust. How do we find people to protect them?”
I’m freaked out. Not because there’s been a breach at my company and not because anyone has stolen my identity, but because there are myriad tech professionals in my community to whom this has happened. What’s going on? Are we destined to let the monster of bad security frighten us at every turn?
You would think that we – as trained IT and technology specialists – would be the first to lock down our accounts, rotate our passwords regularly and be vigilant about provisioning our staff. It’s not the case. Maybe it’s a situation where familiarity breeds lax behavior. But whatever it is, it’s not good.
I can count three close friends who have recently lost access to social media accounts, business email servers and even sites because they took the easy way out when it came to security. That’s not right! If we’re to lead by example, the key to security is keeping your stuff secure.
A good primer on this – since we’ve obviously forgotten everything we learned in school – is in this post by Robert Siciliano that covers Wifi security. Give it a read and let me know if he missed anything when it comes to locking down your Wifi.
Until then, you have my permission to be paranoid. I know I am!
According to the ABOUT tab on the RSA Conference Website…
“RSA developed RSA Conference in 1991 as a forum for cryptographers to gather and share the latest knowledge and advancements in the area of Internet security. Today, RSA Conference and related RSA Conference branded activities are still managed by RSA, with the support of the industry. RSA Conference event programming is judged and developed by information security practitioners and other related professionals.”
The reason I bring this up is because nowhere will you encounter a more enterprise-focused security group in one place. Sure, BlackHat is a recurring global event where hackers (the best of the best) gather to show off new security breaching techniques. But that’s not an event (this year it’s in the United States in August) where companies really get the benefit of new apps, methodology and theories behind protecting their facilities and data.
*That’s not to say you shouldn’t attend both if you can. I’m just saying RSA focuses more on businesses and security.
What did RSA bring to the fore this year? Here are a few short recaps of the event with links to posts on the RSA site so you can read more. Ultimately, the landscape is changing all the time and it pays to stay up-to-date on the tech behind keeping your properties secure.
Daily recaps of RSA, thought-provoking blog posts and a bunch of other resources are on the main RSA Conference blog site.
Day four of the RSA Conference looks like it was focused on doing good for the world. Charity water was featured heavily with a slot in the keynotes and an initiative was floated where RSA will focus on doing some goodwill work moving forward (not that they haven’t in the past, but it was overtly a part of the day four program). Read about day four at RSA Conference.
If the cloud is such a solution, why don’t people think it’s secure? In fact, in this blog post about employee file sharing, the author cites a study about how security pros don’t think many of the file sharing programs and apps available today are secure enough.
He says, “The survey of 621 IT professionals, found that nearly 50 percent of respondents considered public cloud sharing tools such as Dropbox, Google Docs and Box unsuitable for business use. And only 11 percent of respondents said they would be likely to know if confidential data was lost or stolen due to a data breach in the public cloud.”
Read the entire post called You Shared WHAT?!
Finally, compliance and privacy were top topics during the RSA Conference this year. In fact, in this post on the RSA blog the issue of app privacy in California is discussed. And the decisions made in California could inform what happens elsewhere to all sorts of companies. If you’re a medical, insurance, legal or financial firm – you should read this.
Let me know if you were at RSA and if you’d like to do a video interview about your experiences at this year’s conference. Please leave comments and thoughts here on the blog. Thanks!
In the past few weeks, there have been five home burglaries in my hometown. The break-ins have taken place mostly during the day and the police – as far as I know – are not close to solving any of the crimes.
What’s this mean to you, dear security keys reader? It means today I’m going to rant about physical security and some of the methods that work to keep your facility and business safe. The approaches work as well with residential dwellings as they do at enterprise-level buildings.
The W’s of the Crimes
Journalists follow the W’s as a matter of course to complete a story. Who, what, where, when, why and how. OK, there’s an H in there, but it’s mostly W’s. For crimes, the W’s include Why, Where and When. So, let’s look there and maybe you’ll be better prepared to fend off burglars in the future.
Your business facility gets burgled because it’s an easy target. Thieves may not be super intelligent, but they are lazy and the path of least resistance makes a lot of sense when you’re planning a crime. To protect your building, think about what makes it an attractive target.
Do employees leave valuables in plain sight? Are laptops or phones locked away on weekends or does your staff feel secure enough to leave computers and company equipment out in the open? Are doors easy to breach and is there a badge policy that’s strictly enforced?
If technology tools are easy to locate and walk away with, your site might be a prime location for a theft. Further, if employees are lax about keeping entrances locked and shut, and if they don’t comply with wearing their IDs, then your firm might be a soft and attractive target for criminals.
Frequent targets for burglars are buildings that are secluded and sparsely populated. Storage facilities and satellite locations are more likely to attract thieves. Everything from lighting to alarms is frequently less advanced at secondary locations.
What can you do? Impress upon staff that security policies are in place to keep everyone and everything safe. Let teams and managers know that badges are to be worn consistently at all company locations. Also stress the importance of behaving as if company property, facilities and data is of critical value. The cost of business interruption – even to fill out paperwork after a break-in – can be significant.
This W is the easy one. Crime happens ANY TIME you are not looking. If you have that attitude of vigilance (it’s not paranoia), then you and your staff will be better prepared to keep your company safe. Keep your eyes and ears open and make note of anything out-of-the-ordinary that happens around the organization.
Have you ever had a physical robbery at your place of business? What’s your policy on badging, provisioning and guests in the building?
My office is like a cellphone store. The Nokia Lumia 1520, a few old Samsungs and an iPhone can be found on my desk with cables snaking to outlets and to my laptop. It’s the practice – or obsession – of remaining connected that keeps me and everyone in the tech field from abandoning mobile and going back to the postal system for communicating. But it’s also this obsession that keeps a lot of us these days frantically refreshing the news of mobile security flaws.
Foremost on my mind right now is the issue with Apple devices, both computers and their portfolio of mobile i-gadgets. When news came out the other day, I thought it wasn’t anything big and I ignored it. The situation now seems more dire as dispatches online are urging folks not to use Safari if they’re on a public Wifi hotspot and to immediately upgrade the iOS on their iPhones, iPads and other tech.
So, what’s going on? In my opinion, it’s nothing more than a little shake-out of vulnerability and now it’s hitting the Apple OS. It was bound to happen and I’m surprised that so much buzz has been created around this. But maybe it’s because the mindset of Apple users is one of invincibility and superiority.
I should know. For years I became personally offended if someone didn’t switch to an Apple computer from a PC. I wasn’t sure why a sane person would put up with blue death screens, long start-up times and rampant security holes. A little introspection and a few trips to a shrink helped me realize it was silly for me to jump on a soapbox about situations I can’t control.
Now, I just shake my head when someone chooses a cheap PC over a stellar Apple device. But I don’t say anything and I view it as a timesaver. In most cases my fervor about Apple instantly made me candidate number one to be tech support for recent Apple converts. But I digress.
With Apple getting slammed a bit for a security flaw, I thought it only fair that I write about it here and warn you all that I MAY have been wrong when I informed you and legions of other humans that Apple was the only technology you need.
It seems that the other technology you need is a browser that can keep you up to date on what security flaws are rampant and what you can do to fix your systems. Even if those systems are made by Apple.
What do you use to compute on? How safe do you feel now that Apple has gotten breached?