According to the ABOUT tab on the RSA Conference Website…
“RSA developed RSA Conference in 1991 as a forum for cryptographers to gather and share the latest knowledge and advancements in the area of Internet security. Today, RSA Conference and related RSA Conference branded activities are still managed by RSA, with the support of the industry. RSA Conference event programming is judged and developed by information security practitioners and other related professionals.”
The reason I bring this up is that nowhere else will you encounter a more enterprise-focused security group in one place. Sure, BlackHat is a recurring global event where hackers (the best of the best) gather to show off new security breaching techniques. But that’s not an event (this year it’s in the United States in August) where companies really get the benefit of new apps, methodology and theories behind protecting their facilities and data.
*That’s not to say you shouldn’t attend both if you can. I’m just saying RSA focuses more on businesses and security.
What did RSA bring to the fore this year? Here are a few short recaps of the event with links to posts on the RSA site so you can read more. Ultimately, the landscape is changing all the time and it pays to stay up-to-date on the tech behind keeping your properties secure.
Daily recaps of RSA, thought-provoking blog posts and a bunch of other resources are on the main RSA Conference blog site.
Day four of the RSA Conference looks like it was focused on doing good for the world. Charity water was featured heavily with a slot in the keynotes and an initiative was floated where RSA will focus on doing some goodwill work moving forward (not that they haven’t in the past, but it was overtly a part of the day four program). Read about day four at RSA Conference.
If the cloud is such a solution, why don’t people think it’s secure? In fact, in this blog post about employee file sharing, the author cites a study about how security pros don’t think many of the file sharing programs and apps available today are secure enough.
He says, “The survey of 621 IT professionals found that nearly 50 percent of respondents considered public cloud sharing tools such as Dropbox, Google Docs and Box unsuitable for business use. And only 11 percent of respondents said they would be likely to know if confidential data was lost or stolen due to a data breach in the public cloud.”
Read the entire post called You Shared WHAT?!
Finally, compliance and privacy were top topics during the RSA Conference this year. In fact, in this post on the RSA blog the issue of app privacy in California is discussed. And the decisions made in California could inform what happens elsewhere to all sorts of companies. If you’re a medical, insurance, legal or financial firm – you should read this.
Let me know if you were at RSA and if you’d like to do a video interview about your experiences at this year’s conference. Please leave comments and thoughts here on the blog. Thanks!
In the past few weeks, there have been five home burglaries in my hometown. The break-ins have taken place mostly during the day and the police – as far as I know – are not close to solving any of the crimes.
What does this mean to you, dear security keys reader? It means today I’m going to rant about physical security and some of the methods that work to keep your facility and business safe. The approaches work as well with residential dwellings as they do at enterprise-level buildings.
The W’s of the Crimes
Journalists follow the W’s as a matter of course to complete a story. Who, what, where, when, why and how. OK, there’s an H in there, but it’s mostly W’s. For crimes, the W’s include Why, Where and When. So, let’s look there and maybe you’ll be better prepared to fend off burglars in the future.
Your business facility gets burgled because it’s an easy target. Thieves may not be super intelligent, but they are lazy and the path of least resistance makes a lot of sense when you’re planning a crime. To protect your building, think about what makes it an attractive target.
Do employees leave valuables in plain sight? Are laptops or phones locked away on weekends, or does your staff feel secure enough to leave computers and company equipment out in the open? Are doors easy to breach, and is there a badge policy that’s strictly enforced?
If technology tools are easy to locate and walk away with, your site might be a prime location for a theft. Further, if employees are lax about keeping entrances locked and shut, and if they don’t comply with wearing their IDs, then your firm might be a soft and attractive target for criminals.
Frequent targets for burglars are buildings that are secluded and sparsely populated. Storage facilities and satellite locations are more likely to attract thieves. Everything from lighting to alarms is frequently less advanced at secondary locations.
What can you do? Impress upon staff that security policies are in place to keep everyone and everything safe. Let teams and managers know that badges are to be worn consistently at all company locations. Also stress the importance of behaving as if company property, facilities and data are of critical value. The cost of business interruption – even to fill out paperwork after a break-in – can be significant.
This W – When – is the easy one. Crime happens ANY TIME you are not looking. If you have that attitude of vigilance (it’s not paranoia), then you and your staff will be better prepared to keep your company safe. Keep your eyes and ears open and make note of anything out-of-the-ordinary that happens around the organization.
Have you ever had a physical robbery at your place of business? What’s your policy on badging, provisioning and guests in the building?
My office is like a cellphone store. The Nokia Lumia 1520, a few old Samsungs and an iPhone can be found on my desk with cables snaking to outlets and to my laptop. It’s the practice – or obsession – of remaining connected that keeps me and everyone in the tech field from abandoning mobile and going back to the postal system for communicating. But it’s also this obsession that keeps a lot of us these days frantically refreshing the news of mobile security flaws.
Foremost on my mind right now is the issue with Apple devices, both computers and their portfolio of mobile i-gadgets. When news came out the other day, I thought it wasn’t anything big and I ignored it. The situation now seems more dire as dispatches online are urging folks not to use Safari if they’re on a public Wi-Fi hotspot and to immediately upgrade the iOS on their iPhones, iPads and other tech.
So, what’s going on? In my opinion, it’s nothing more than a little shake-out of vulnerability and now it’s hitting the Apple OS. It was bound to happen and I’m surprised that so much buzz has been created around this. But maybe it’s because the mindset of Apple users is one of invincibility and superiority.
I should know. For years I became personally offended if someone didn’t switch to an Apple computer from a PC. I wasn’t sure why a sane person would put up with blue screens of death, long start-up times and rampant security holes. A little introspection and a few trips to a shrink helped me realize it was silly for me to jump on a soapbox about situations I can’t control.
Now, I just shake my head when someone chooses a cheap PC over a stellar Apple device. But I don’t say anything and I view it as a timesaver. In most cases my fervor about Apple instantly made me candidate number one to be tech support for recent Apple converts. But I digress.
With Apple getting slammed a bit for a security flaw, I thought it only fair that I write about it here and warn you all that I MAY have been wrong when I informed you and legions of other humans that Apple was the only technology you need.
It seems that the other technology you need is a browser that can keep you up to date on what security flaws are rampant and what you can do to fix your systems. Even if those systems are made by Apple.
What do you use to compute on? How safe do you feel now that Apple has gotten breached?
Don’t freak out. I’m not the 52-cats-in-the-attic crazy guy across the street. I’m just in touch with my sensitive side and I sometimes believe my cat is telling me something. In this case, my cat is talking to me about Internet security.
That’s right, security secrets from a cat. And they can be distilled into…wait for it…two simple lessons. What? You thought I was going to do a ‘nine-lives’ theme? Too obvious, and if your facility and data need protecting so badly that you require nine steps to get your organization in order, you’ve got bigger problems. In that case, not even a telekinetic cat can help you.
Let’s get started.
First, the cat is hyper-aware of her surroundings. She is impossible to sneak up on and always has an exit plan/route in case she is attacked. How’s this work for your business? Think like a cat.
1. Do you have a security protocol in place if your data is stolen?
2. Are you extra vigilant in recognizing possible threats?
If you answered ‘no’ to either question, your systems may need to be examined. Without a plan in place, you’re risking lost revenue and goodwill if your data is stolen. Further, if you’re not looking suspiciously at every point of access to your facility and systems, you might want to be a bit more cautious. Even grade-school-age kids in other countries are now breaching security on a regular basis in systems all over the civilized world.
Next, the cat has her own process of provisioning with food, toys and people. Take that approach when you’re hiring new employees, admitting guests into your building and even granting permissions to existing personnel.
1. Do you maintain a database of personnel who are allowed access to certain systems or do you grant permissions on the fly?
2. Are visitors required to show TWO forms of ID when they are signed into your facility? And are they accompanied at all times by badged personnel?
3. How thoroughly do you vet requests for access to different systems from within your organization?
Just as the cat might spend 20 minutes poking at a catnip mouse to ensure it’s not dangerous, it behooves you to take a little time and care when giving access, inviting in guests or approving permissions to areas and data within your organization.
You can use any animal you want in your analogies for good data and facility security. Just make sure you pay attention to who and what is coming and going. And if you think people learn after a breach, read Tony’s article on how much companies change after a data breach – NOT MUCH!
If you could have one animal guard your data, what would it be?
In the writing world, analogies are myriad. When it comes to the theme of protection, you can go with sports (Peyton Manning needed more protection last night from Seattle’s defense); relationships (if she were less impulsive, she wouldn’t get her heart broken all the time); dining out (perhaps they should have read the Yelp reviews before dining at a one-star restaurant); and even commerce (if you’re still relying on chip and signature cards, you’re using a credit card from the dark ages).
Regardless, analogies all speak to the process of taking a hard look at how your company or you personally are protecting your data, your physical being (or facility), and what you can do moving forward to keep everything more secure. Trouble is that most of the protection scenarios you choose to implement on behalf of your organization require a crystal ball. Because if you don’t know where the next attack is coming from, how can you mount a defense to protect your data and enterprise?
That’s where communication and empathy come in. Not the empathy you need AFTER a breach has occurred and you have to console a CMO that all her marketing data has been stolen. The empathy I’m talking about is the kind that allows you as CTO or IT pro to step into the shoes of your audiences and really look at what is keeping your data safe.
Let’s say you’re a large bank that encourages customers to use your credit cards during international travel and during any of the holiday buying periods. This method ensures you make money off interest and you perpetuate a habit of spending among your clientele.
Now, let’s imagine the data breaches that hit Target, Lord & Taylor and other firms have rendered some of your customers’ cards vulnerable. Is your first move to react and issue new cards? Do you immediately freeze accounts? Does your company work in conjunction with the retail outlets to discover and plug the source of the attack/breach?
Some or all of the above is prudent, but what should have happened first was a regular evaluation of how your customers use your cards and how you could make them more secure. For years, the technology to protect cards (and online accounts) via dual verification has been available. These days it’s more common than ever before, with lots of social media accounts and online financial accounts suggesting it.
Another technological advance is the increase of chip-and-PIN cards in use around the world. In fact, a recent article on the Target breach talks about how people now are clamoring for chip-and-PIN cards here in the United States.
But none of this is effective if you truly don’t have a handle on how your customers are using your product. The best way to find out this information is to actually ask them. Seriously. It’s in your customers’ best interest to have secure data. It’s in your best interest to have happy customers. Find out how to make them happy and keep their data secure and you’ll do both.
I’m not going to delve into building surveys or collecting information from customers here, but I will tell you that the process of doing so is a lot less expensive than having a team of IT people tracking down lots of data and filling out compliance paperwork just to close the barn door after the horse has left.
Know your customers. Know their patterns and habits. Know their desires. Then you won’t need a crystal ball and you’ll have much more secure relationships across your enterprise.
What recent data breach has you most scared? How do you think it could have been averted? Do you think chip-and-PIN cards are a long-term solution or just a stopgap?
This week I had the opportunity to speak with Rich Sands of RSands Consulting. He gave me a unique take on how security should work within an organization because he’s worked with dozens of clients all over the world. The one constant necessary in keeping your data and facility secure – internally and externally – is communicating needs and goals across teams and various audiences.
Here’s that interview…
What do you think about the importance of communication across teams and divisions? Especially as it affects the security of your IP and your enterprise?
It’s 2014. Your facility and your data are as secure as they ever were. That’s to say they’re not secure at all and you’d better come to terms with that reality. While there’s a lot you can do to maintain a little sanity in a world that’s seeing new systems breaches daily, sometimes the best plan of attack might be a plan for mitigation.
Now wait a moment. I didn’t plan on starting your new year with a ‘sky-is-falling’ missive. There’s no need to devolve into a Luddite. I just want to share with you some common sense action items for keeping damage to a minimum when (not if) a data or facility breach occurs.
One caveat… if you think it can’t happen to you, you haven’t read Sharon Fisher’s latest post about crooks breaking into ATMs using thumb drives. Yeah, it can happen!
OK. Scared yet? Let’s list a few tasks to implement when (and even before) you discover you’ve been hacked…
1 – Have a plan in place BEFORE a breach occurs. Know which IT teams will be called in to deal with physical and technical damage/remediation. Know which communication and administration teams will be leveraged to deal with image and community response.
2 – Understand fully how your backup strategy and processes affect your recovery efforts. Also have a cheat sheet on hand for CTO, COO and CEO so they can have clarity when making decisions about next steps.
3 – Contact your legal team and your compliance task force/committee (you do have people focused on compliance, don’t you?). Find out from them where the company stands in a worst-case scenario – one where all data is gone. Then work backward, looking at situations where only certain levels of data have been compromised.
4 – Use the breach as a learning tool. On the consumer side, look at Target and Snapchat. Both breaches are still in the news, and Snapchat looks like it might come out of this looking better than Target because they kept some data protected. *If you read all the information, though, the folks at Snapchat were warned about their poor security numerous times and didn’t do anything to change their protection.
5 – Request a complete situation report from your internal IT teams and from your data services providers. If this level of support isn’t part of your SLAs, then make sure it’s written into all your agreements moving forward. The only way to prevent issues in the future is to fully understand what left you vulnerable in the past.
6 – Finally, don’t be tight-lipped about the situation once you’ve got a handle on it and plugged the leak. Knowledge can be your greatest asset in-house. Let your entire organization know what happened, what was done to fix the problem and what’s being done to prevent similar breaches and security issues in the future. A well-informed workforce tends to speak up when they see something out of the ordinary.
What’s the worst breach/security lapse your firm has experienced? What did your management and IT staff do to fix it and to move forward?