It’s finally happened. No need to be running Windows XP. No need to be leaving your credit card receipts on the ground outside 7-Eleven stores. No need to leave the keys in your car ignition. Now it’s enough to have an account on one of these sites (list courtesy of GitHub). The Heartbleed bug might have already bitten you!
So, what’s a smart IT person to do? Move quickly and calmly toward finding out whether your sites and accounts are vulnerable. The affected versions are OpenSSL 1.0.1 through 1.0.1f; 1.0.1g fixes it. Be aware that the bug has been sitting there for two years and people are just catching on to it now. Then get your whole team in a room and explain the issue to them.
Then, once people understand the gravity of the situation, have them start changing passwords where necessary, and only after the affected site has patched and replaced its certificate. A new password set on an unpatched server can leak the same way the old one did.
In fact, according to a great piece on Business Insider, here’s how to protect yourself once you find out you’re affected. And you ARE affected. We all are. Sites like Yahoo, FitBit, Slate and Eventbrite are on the list, so get going and fix your passwords.
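To make the bug concrete, here is an added example (mine, not from the post and not OpenSSL’s code) that models the TLS heartbeat handling in Python. A heartbeat message is one type byte, a two-byte payload length, the payload and at least 16 bytes of padding. The vulnerable handler trusts the length field and copies that many bytes from wherever the payload starts, so a short request that claims a long payload gets whatever sits next to it in memory echoed back. The fixed handler refuses any request whose claimed length does not fit inside the record it arrived in. The “secret” bytes and the constructed records are made up for the demonstration; the real bug copied from the C heap, which this model stands in for by appending bytes after the record.

```python
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16  # heartbeat messages carry at least 16 bytes of padding


def build_heartbeat(payload, claimed_length=None):
    """Build a HeartbeatRequest record. claimed_length lets the sender lie
    about how long the payload is; None means tell the truth."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def respond_vulnerable(record, adjacent_memory):
    """Model of the OpenSSL 1.0.1 through 1.0.1f behaviour: the claimed
    payload length is never compared with the size of the record, so the
    reply copies whatever follows the record in memory."""
    hb_type, claimed = struct.unpack("!BH", record[:3])
    heap = record + adjacent_memory          # stands in for the process heap
    payload = heap[3:3 + claimed]            # over-reads when `claimed` is too big
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + b"\x00" * MIN_PADDING


def respond_fixed(record, adjacent_memory):
    """Model of the 1.0.1g fix: a request whose claimed payload plus header
    and padding does not fit in the record is silently discarded."""
    if len(record) < 1 + 2 + MIN_PADDING:    # too short to be a heartbeat at all
        return None
    hb_type, claimed = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + claimed + MIN_PADDING > len(record):
        return None                          # the length field lies; drop it
    payload = record[3:3 + claimed]          # stays inside the record
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + b"\x00" * MIN_PADDING


# Constructed "secret" that happens to live next to the incoming record.
ADJACENT_SECRET = b"-----BEGIN RSA PRIVATE KEY-----"

if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"ping", claimed_length=200)
    print("vulnerable leaks secret:", ADJACENT_SECRET in respond_vulnerable(lying, ADJACENT_SECRET))
    print("fixed answers honest request:", respond_fixed(honest, ADJACENT_SECRET) is not None)
    print("fixed drops lying request:", respond_fixed(lying, ADJACENT_SECRET) is None)
```

The check to take away: the length a peer sends is untrusted input, and every copy driven by it has to be bounded by the size of the data actually received.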
How can something like this happen? You tell me. Aren’t we all using two-factor verification for sign-in? Aren’t we all using a different email address and password for each site we access? Aren’t we all carrying tokens that generate a new one-time code every 30 or 60 seconds for access to company VPNs?
Um, no. I don’t think we are. And why not? Isn’t this wake-up call just one more in a long line of breaches that should wake up the entire IT industry? I would say so. And I’d say, get going. Share this blog post and then go change your passwords.
We’ll talk again next week.
[edit - Some readers didn't recognize the referenced site as a parody Gov site. It is, but lessons taken from it are still valid.]
There’s a new tunnel at the White House. I can’t tell you where. Not because I don’t know, but if I told you then I’d have Secret Service people and the NSA gumming up my Gmail and scoping out my Twitter account.
What I can tell you is that this Deep Underground Command Center (DUCC) has been planned for some time and they broke ground on the project in 2010 – if you believe the official reports.
In fact, on the White House Tunnel System Website, there is a note that says…
The new underground command center serves two purposes: 1) To protect key people with sufficient staff and data to render critical decisions and 2) Ensure the survival of the facility to allow dissemination of these decisions. The DUCC can only serve this purpose if the President and his team can secretly relocate there on very short notice.
If IT professionals are to take a lesson from the U.S. government, it’s that your vital assets should always be treated as such. A list of no-no’s might include…
Leaving doors to your facility propped open for environmental reasons. If it’s too hot, have facilities management fix the thermostat.
Remaining signed into computers and workstations when you’re away from your desk or, HORRORS, away from the office. Lots of folks still haven’t enabled automatic screen locking on enterprise workstations. All it takes to create a breach is for some unscrupulous person to wander by and hop onto a vacant machine.
Using BYOD equipment that isn’t completely vetted and approved. With new mobile phones and phablets coming out almost weekly, it’s hard to lock down new personal devices. The first step IT needs to take is creating a BYOD policy that requires all devices to be evaluated. This policy should also include allowances for the resources to do this properly.
Those are just a few thoughts off the top of my head. But if the U.S. government can keep their assets secure and running (do NOT bring up the healthcare Website, please), then shouldn’t private organizations be as well equipped to do the same?
What do you think?
My regular routine is to shout about provisioning until the cows come home and then have to be buzzed into the facility because they forgot their passcode and/or badge. OK, a little provisioning humor there. But there’s nothing funny about not knowing the proper way to set up your enterprise so that roles and users are defined and access is granted, reviewed and maintained properly.
In poking around the Internet, I found this article from Edge Doc on Provisioning Basics. It gives you a starting point on getting your facility and IT infrastructure up to snuff. I like it because it breaks down some of the complicated stuff so you can easily describe the process and the reasoning behind your actions to management and C-suite personnel. *It’s not a bible by any means. Your provisioning is best determined by experience and by the data and facilities you control.
Let me know what you think about this piece and if you’ve found provisioning articles that are as valuable to your organization. Thanks!
Higher education isn’t new, and some of the world’s smartest minds are housed there. But as cyber attacks and IT security issues become more prevalent in the mainstream, don’t you think colleges and universities would get their ducks in a row and add some programs for IT pros?
Clearly, the folks at Fortune Magazine did when they wrote this piece. They identify IT security as a topic that colleges and universities are starting to capitalize on because the job market for these positions is growing by leaps and bounds. Gone are the days when someone could just take a management class in college and graduate with a job in hand.
Now, businesses are more freaked out about cyber threats and attacks on their data than they are about hiring middle management.
Take a read through the piece – I’m pasting a pertinent quote below – and let me know what you think.
FROM Fortune Magazine
National Cyber Security Alliance Executive Director Michael Kaiser said the field is still very young and that current cybersecurity leaders are largely self-taught, because a decade ago, “There was no place to get an education. The really big gap,” he added, “is that the networks are getting bigger and more robust. How do we find people to protect them?”
I’m freaked out. Not because there’s been a breach at my company and not because anyone has stolen my identity, but because there are myriad tech professionals in my community to whom this has happened. What’s going on? Are we destined to let the monster of bad security frighten us at every turn?
You would think that we – as trained IT and technology specialists – would be the first to lock down our accounts, rotate our passwords regularly and be vigilant about provisioning our staff. It’s not the case. Maybe it’s a situation where familiarity breeds lax behavior. But whatever it is, it’s not good.
I can count three close friends who have recently lost access to social media accounts, business email servers and even sites because they took the easy way out when it came to security. That’s not right! If we’re to lead by example, we have to practice the security we preach.
A good primer on this (since we’ve obviously forgotten everything we learned in school) is this post by Robert Siciliano that covers Wifi security. Give it a read and let me know if he missed anything when it comes to locking down your Wifi.
Until then, you have my permission to be paranoid. I know I am!
According to the ABOUT tab on the RSA Conference Website…
“RSA developed RSA Conference in 1991 as a forum for cryptographers to gather and share the latest knowledge and advancements in the area of Internet security. Today, RSA Conference and related RSA Conference branded activities are still managed by RSA, with the support of the industry. RSA Conference event programming is judged and developed by information security practitioners and other related professionals.”
The reason I bring this up is because nowhere will you encounter a more enterprise-focused security group in one place. Sure, Black Hat is a recurring global event where hackers (the best of the best) gather to show off new security breaching techniques. But that’s not an event (this year it’s in the United States in August) where companies really get the benefit of new apps, methodology and theories behind protecting their facilities and data.
*That’s not to say you shouldn’t attend both if you can. I’m just saying RSA focuses more on businesses and security.
What did RSA bring to the fore this year? Here are a few short recaps of the event with links to posts on the RSA site so you can read more. Ultimately, the landscape is changing all the time and it pays to stay up-to-date on the tech behind keeping your properties secure.
Daily recaps of RSA, thought-provoking blog posts and a bunch of other resources are on the main RSA Conference blog site.
Day four of the RSA Conference looks like it was focused on doing good for the world. Charity water was featured heavily with a slot in the keynotes and an initiative was floated where RSA will focus on doing some goodwill work moving forward (not that they haven’t in the past, but it was overtly a part of the day four program). Read about day four at RSA Conference.
If the cloud is such a solution, why don’t people think it’s secure? In fact, in this blog post about employee file sharing, the author cites a study about how security pros don’t think many of the file sharing programs and apps available today are secure enough.
He says, “The survey of 621 IT professionals, found that nearly 50 percent of respondents considered public cloud sharing tools such as Dropbox, Google Docs and Box unsuitable for business use. And only 11 percent of respondents said they would be likely to know if confidential data was lost or stolen due to a data breach in the public cloud.”
Read the entire post called You Shared WHAT?!
Finally, compliance and privacy were top topics during the RSA Conference this year. In fact, in this post on the RSA blog the issue of app privacy in California is discussed. And the decisions made in California could inform what happens elsewhere to all sorts of companies. If you’re a medical, insurance, legal or financial firm – you should read this.
Let me know if you were at RSA and if you’d like to do a video interview about your experiences at this year’s conference. Please leave comments and thoughts here on the blog. Thanks!
In the past few weeks, there have been five home burglaries in my hometown. The break-ins have taken place mostly during the day and the police – as far as I know – are not close to solving any of the crimes.
What’s this mean to you, dear security keys reader? It means today I’m going to rant about physical security and some of the methods that work to keep your facility and business safe. The approaches work as well with residential dwellings as they do at enterprise-level buildings.
The W’s of the Crimes
Journalists follow the W’s as a matter of course to complete a story. Who, what, where, when, why and how. OK, there’s an H in there, but it’s mostly W’s. For crimes, the W’s include Why, Where and When. So, let’s look there and maybe you’ll be better prepared to fend off burglars in the future.
Why
Your business facility gets burgled because it’s an easy target. Thieves may not be super intelligent, but they are lazy, and the path of least resistance makes a lot of sense when you’re planning a crime. To protect your building, think about what makes it an attractive target.
Do employees leave valuables in plain sight? Are laptops or phones locked away on weekends, or does your staff feel secure enough to leave computers and company equipment out in the open? Are doors easy to breach, and is there a badge policy that’s strictly enforced?
If technology tools are easy to locate and walk away with, your site might be a prime location for a theft. Further, if employees are lax about keeping entrances locked and shut, and if they don’t comply with wearing their IDs, then your firm might be a soft and attractive target for criminals.
Where
Frequent targets for burglars are buildings that are secluded and sparsely populated. Storage facilities and satellite locations are more likely to attract thieves. Everything from lighting to alarms is frequently less advanced at secondary locations.
What can you do? Impress upon staff that security policies are in place to keep everyone and everything safe. Let teams and managers know that badges are to be worn consistently at all company locations. Also stress the importance of behaving as if company property, facilities and data are of critical value. The cost of business interruption, even just filling out paperwork after a break-in, can be significant.
When
This W is the easy one. Crime happens ANY TIME you are not looking. If you have that attitude of vigilance (it’s not paranoia), then you and your staff will be better prepared to keep your company safe. Keep your eyes and ears open and make note of anything out-of-the-ordinary that happens around the organization.
Have you ever had a physical robbery at your place of business? What’s your policy on badging, provisioning and guests in the building?
My office is like a cellphone store. The Nokia Lumia 1520, a few old Samsungs and an iPhone can be found on my desk with cables snaking to outlets and to my laptop. It’s the practice – or obsession – of remaining connected that keeps me and everyone in the tech field from abandoning mobile and going back to the postal system for communicating. But it’s also this obsession that keeps a lot of us these days frantically refreshing the news of mobile security flaws.
Foremost on my mind right now is the issue with Apple devices, both computers and their portfolio of mobile i-gadgets. When news came out the other day, I thought it wasn’t anything big and I ignored it. The situation now seems more dire as dispatches online are urging folks not to use Safari if they’re on a public Wifi hotspot and to immediately upgrade the iOS on their iPhones, iPads and other tech.
So, what’s going on? In my opinion, it’s nothing more than the usual shake-out of vulnerabilities, and now it’s Apple’s turn. It was bound to happen and I’m surprised that so much buzz has been created around this. But maybe it’s because the mindset of Apple users is one of invincibility and superiority.
I should know. For years I became personally offended if someone didn’t switch to an Apple computer from a PC. I wasn’t sure why a sane person would put up with blue screens of death, long start-up times and rampant security holes. A little introspection and a few trips to a shrink helped me realize it was silly for me to jump on a soapbox about situations I can’t control.
Now, I just shake my head when someone chooses a cheap PC over a stellar Apple device. But I don’t say anything and I view it as a timesaver. In most cases my fervor about Apple instantly made me candidate number one to be tech support for recent Apple converts. But I digress.
With Apple getting slammed a bit for a security flaw, I thought it only fair that I write about it here and warn you all that I MAY have been wrong when I informed you and legions of other humans that Apple was the only technology you need.
It seems that the other technology you need is a browser that can keep you up to date on what security flaws are rampant and what you can do to fix your systems. Even if those systems are made by Apple.
What do you compute on? How safe do you feel now that Apple has shipped a serious security flaw of its own?
Don’t freak out. I’m not the 52-cats-in-the-attic crazy guy across the street. I’m just in touch with my sensitive side and I sometimes believe my cat is telling me something. In this case, my cat is talking to me about Internet security.
That’s right, security secrets from a cat. And they can be distilled into…wait for it…two simple lessons. What? You thought I was going to do a ‘nine-lives’ theme? Too obvious, and if your facility and data need protecting so badly that you require nine steps to get your organization in order, you’ve got bigger problems. In that case, not even a telekinetic cat can help you.
Let’s get started.
First, the cat is hyper-aware of her surroundings. She is impossible to sneak up on and always has an exit plan/route in case she is attacked. How’s this work for your business? Think like a cat.
1. Do you have a security protocol in place if your data is stolen?
2. Are you extra vigilant in recognizing possible threats?
If you answered ‘no’ to either question, your systems may need to be examined. Without a plan in place, you’re risking lost revenue and goodwill if your data is stolen. Further, if you’re not looking suspiciously at every point of access to your facility and systems, you might want to be a bit more cautious. Even grade-school-age kids in other countries are now breaching security on a regular basis in systems all over the civilized world.
Next, the cat has her own process of provisioning with food, toys and people. Take that approach when you’re hiring new employees, admitting guests into your building and even granting permissions to existing personnel.
1. Do you maintain a database of personnel who are allowed access to certain systems or do you grant permissions on the fly?
2. Are visitors required to show TWO forms of ID when they are signed into your facility? And are they accompanied at all times by badged personnel?
3. How thoroughly do you vet requests for access to different systems from within your organization?
Just as the cat might spend 20 minutes poking at a catnip mouse to ensure it’s not dangerous, it behooves you to take a little time and care when giving access, inviting in guests or approving permissions to areas and data within your organization.
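The provisioning posts above (the Edge Doc piece and the cat’s three questions here) both come down to the same model: a defined set of roles, a record of who holds which role, an approver who is not the requester, an expiry date so access is re-vetted instead of living forever, and deny by default for anyone not on the list. The following is an added example of my own, not from either post and not from any product, that puts that model in a few dozen lines of Python. The role names, users and the fixed reference date are made up for the demonstration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    approved_by: str
    expires: date


# Constructed roles for the demo; a real catalog comes from your own environment.
ROLES = (
    Role("visitor", frozenset({"enter:lobby"})),
    Role("engineer", frozenset({"enter:lobby", "enter:office", "ssh:staging", "read:repo"})),
    Role("dba", frozenset({"enter:lobby", "enter:office", "read:prod-db", "write:prod-db"})),
)
TODAY = date(2014, 4, 10)   # fixed reference date so runs are reproducible
DAY = timedelta(days=1)


class Provisioner:
    """Deny-by-default access list: a user has exactly the permissions of the
    roles granted to them, every grant names an approver and an expiry, and
    every grant, revocation and access decision is written to an audit trail."""

    def __init__(self, roles):
        self.roles = {r.name: r for r in roles}
        self.grants = []     # the database of who is allowed what
        self.audit = []      # what was decided, by whom, and when

    def grant(self, user, role, approved_by, days=90, today=TODAY):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}: define it before granting it")
        if approved_by == user:
            raise ValueError("a request must be approved by someone other than the requester")
        g = Grant(user, role, approved_by, today + days * DAY)
        self.grants.append(g)
        self.audit.append(("grant", user, role, approved_by, g.expires.isoformat()))
        return g

    def revoke(self, user, role=None):
        """Remove one role (or every role when role is None); returns how many grants went away."""
        keep = [g for g in self.grants if not (g.user == user and role in (None, g.role))]
        removed = len(self.grants) - len(keep)
        self.grants = keep
        self.audit.append(("revoke", user, role, removed))
        return removed

    def permissions(self, user, today=TODAY):
        """Union of the permissions of the user's unexpired roles; empty for unknown users."""
        perms = set()
        for g in self.grants:
            if g.user == user and g.expires >= today:
                perms |= self.roles[g.role].permissions
        return perms

    def check(self, user, permission, today=TODAY):
        allowed = permission in self.permissions(user, today)
        self.audit.append(("check", user, permission, allowed))
        return allowed

    def expiring(self, within_days, today=TODAY):
        """Grants that need re-vetting soon: the input to a periodic access review."""
        limit = today + within_days * DAY
        return [g for g in self.grants if today <= g.expires <= limit]


if __name__ == "__main__":
    p = Provisioner(ROLES)
    p.grant("alice", "engineer", approved_by="bob")
    p.grant("visitor-17", "visitor", approved_by="carol", days=1)
    print("alice ssh:staging ->", p.check("alice", "ssh:staging"))
    print("alice write:prod-db ->", p.check("alice", "write:prod-db"))
    print("visitor-17 lobby in two days ->", p.check("visitor-17", "enter:lobby", today=TODAY + 2 * DAY))
    print("up for review this week:", [g.user for g in p.expiring(7)])
```

Two design points worth copying: the check never consults anything but the grants table (no “on the fly” exceptions), and the review list is generated from the same table, so the question “who still has access and why” always has an answer.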
You can use any animal you want in your analogies for good data and facility security. Just make sure you pay attention to who and what is coming and going. And if you think people learn after a breach, read Tony’s article on how much companies change after a data breach – NOT MUCH!
If you could have one animal guard your data, what would it be?
In the writing world, analogies are myriad. When it comes to the theme of protection, you can go with sports (Peyton Manning needed more protection last night from Seattle’s defense); relationships (if she were less impulsive, she wouldn’t get her heart broken all the time); dining out (perhaps they should have read the Yelp reviews before dining at a one-star restaurant); and even commerce (if you’re still relying on chip and signature cards, you’re using a credit card from the dark ages).
Regardless, analogies all speak to the process of taking a hard look at how your company or you personally are protecting your data, your physical being (or facility), and what you can do moving forward to keep everything more secure. Trouble is that most of the protection scenarios you choose to implement on behalf of your organization require a crystal ball. Because if you don’t know where the next attack is coming from, how can you mount a defense to protect your data and enterprise?
That’s where communication and empathy come in. Not the empathy you need AFTER a breach has occurred and you have to console a CMO that all her marketing data has been stolen. The empathy I’m talking about is the kind that allows you as CTO or IT pro to step into the shoes of your audiences and really look at what is keeping your data safe.
Let’s say you’re a large bank that encourages customers to use your credit cards during international travel and during any of the holiday buying periods. This method ensures you make money off interest and you perpetuate a habit of spending among your clientele.
Now, let’s imagine the data breaches that hit Target, Lord & Taylor and other firms have rendered some of your customers’ cards vulnerable. Is your first move to react and issue new cards? Do you immediately freeze accounts? Does your company work in conjunction with the retail outlets to discover and plug the source of the attack/breach?
Some or all of the above is prudent, but what should have happened first was a regular evaluation of how your customers use your cards and how you could make them more secure. For years, the technology to protect cards (and online accounts) via two-factor verification has existed. These days it’s more common than ever, with lots of social media accounts and online financial accounts suggesting it.
Another technological advance is the increase of chip-and-PIN cards in use around the world. In fact, a recent article on the Target breach talks about how people now are clamoring for chip-and-PIN cards here in the United States.
But none of this is effective if you truly don’t have a handle on how your customers are using your product. The best way to find out this information is to actually ask them. Seriously. It’s in your customers’ best interest to have secure data. It’s in your best interest to have happy customers. Find out how to make them happy and keep their data secure and you’ll do both.
I’m not going to delve into building surveys or collecting information from customers here, but I will tell you that the process of doing so is a lot less expensive than having a team of IT people tracking down lots of data and filling out compliance paperwork just to close the barn door after the horse has left.
Know your customers. Know their patterns and habits. Know their desires. Then you won’t need a crystal ball and you’ll have much more secure relationships across your enterprise.
What recent data breach has you most scared? How do you think it could have been averted? Do you think chip-and-PIN cards are a long-term solution or just a stopgap?