Strategic lessons from a security breach

Dec 302011
 
online and physical security is essential for a business

2011 has been the year of the IT security breach. Big and small organisations around the world ranging from major corporations like Sony through to smaller businesses such as security analysts Stratfor found their customer data released onto the web.

The frustrating this is most of these breaches are avoidable and “hacking” is often giving too much credit for the security used by the targeted companies.

While the ‘hackers’ themselves may be skilled, the compromised organisations are often easy targets as they don’t follow the basic rules of protecting their data.

Standards matter

Customer payment account details are covered by the Payment Cards Industry -Data Security Standard (PCI-DSS) operated by the PCI Security Standards Council.

The PCI Security Standards Council helpfully has a range of information sheets for merchants of all sizes and if you are taking payments off the web you should make yourself aware of the basic requirements.

For most businesses, the cardinal rule is not to save customer’s card details. Once the payment is approved, you have no business retaining the client’s credit card or bank account numbers.

In Stratfor’s case, they were almost certainly processing payments manually and credit card details were being saved on customers’ records in case of errors or to make renewals easier.

Call in the professionals

There’s no shortage of payment companies, ranging from PayPal through specialist services like eWay to your own bank’s services. Choose the one that works best for you. If you have no idea, call in someone who does.

One of the arguments for using outsourced services, particularly cloud computing, is how data security is a complex field that requires professional and qualified expertise. The internal systems of Sony, Telstra and Stratfor were not up to the demands placed upon. A professional service is better equipped to deal with these issues.

Size doesn’t matter

A major lesson from the last year’s security breaches is that it’s not just the local shop or garage e-commerce business that is careless with data. Some of the world’s biggest companies and government agencies have been compromised.

If anything, Sony’s experience has shown the double standards at work in the application of security rules; there’s no doubt that had a local computer shop been as thoroughly compromised as Sony were, they would have been shut down on the second breach and the management would have been carted off to jail well before the twelfth.

For the management of Sony, there seems to have been little in the way of sanctions of the people nominally responsible for this incompetence. This has to change both within organisations and by those charged with enforcing the rules.

The lesson for customers is you can’t trust anyone with your data; don’t assume the big corporation is any more secure than the serving staff at your local sandwich shop.

Passwords matter

Every time one of these breaches happen we hear about password security, with “experts” pointing out that some of the subscribers were using passwords like ‘statfor’ or ‘password’.

For customers, this actually makes sense if you can’t trust third parties with your details so specific, disposable passwords for each site should be used. There’s little point in having a complex password if some script kiddie is going to post your login details onto 4Chan.

Naturally your passwords for banking and other critical websites should be very different and far more secure than those you use for sites like Stratfor and the Sony Playstation Network.

Will 2012 be any different?

Given the data embarrassments of 2012 for businesses and government agencies, can we expect lessons to be learned in 2012?

While many businesses are going to learn specific lessons from these breaches, there’s a management cultural problem where any spending on information systems is seen as a cost that has to be minimised.

This cost cutting mentality lies at the core at many organisations’ failure to secure their systems properly and until a more responsible culture develops we’ll continue to see these lapses.

Good managers and business owners who understand the importance of guarding their organisation’s and customer’s data are those who are ahead of their competition. Over time, these folk who will have the competitive advantage.

For customers, the sad lesson is we can’t trust anyone and a layered approach to security along with keeping a close eye on our bank accounts and credit card statements is necessary.

Similar posts:

Protecting your technology over the holidays

Dec 212011
 
protecting our computer and internet technology over the christmas holiday break

This post first appeared in the Xero Accounting Software Blog, the advice for protecting your computers and networking equipment applies for home and business users.

The holiday season is here and for many it’s time for a much needed break. Before doing so it’s worthwhile taking a few precautions with your computers and other electronic equipment.

While most of us are moving our data to the cloud, there may still be some data that remains on your office systems. Bear in mind that if your router is damaged or desktop computer has gone missing, you won’t be able to access the web.

And even though your systems will spend much of the next fortnight turned off there are still risks such as power surges, fire and theft etc. There’s even the risk of a virus creeping in when you turn things on when you return. So here’s some things to consider before you leave.

Reset passwords

The New Year is a good time to refresh passwords, so review what your key login details are and update them to stronger, more secure phrases. I personally like using phrases like a song or poem and dropping characters into the spaces so a password might look like: Mary$had$a$little$lamb

You can make the passwords stronger by adding numbers and capitals as well.

Staff turnover happens in all businesses and you may have forgotten to remove some former employees from your accounts when they left. The end of the year is a good time to review who has access to your cloud and remote access accounts.

If you’re a social media user it’s also worthwhile checking what applications you’ve allowed to access your Facebook, Twitter or other online services. That mafia or farm game looks harmless, but often you’ve given it the right to post things and collect data from your account, so take off the ones you no longer find useful.

Unplug everything

Even when turned off, most modern computer equipment still has power running through its systems. This puts technology at risk during storms or brownouts. Printers, modems, routers, should all be turned off and disconnected from power and communications lines.

Network, telephone line or cable connections should be unplugged – power surges can often affect phone and cable network connections. In fact you should unplug anything that connects your equipment to the outside world.

Hide your equipment

Give thieves as little temptation as possible. Electronic equipment has a high resale value and is easily moved. Lock away anything portable and draw the curtains or blinds in rooms where less portable equipment is kept.

If you have an old laptop or mobile phone sitting around it’s not a bad idea to hide away the modern equipment and leave the old stuff in an obvious location. This is a variation on the old “leave ten dollars in the cash draw” ploy that gives thieves something without them ransacking the place. Don’t leave the sacrificial laptop in plain sight or you’ll be inviting break-ins.

Backup

One of the advantages with cloud computing is that many of your backup needs are taken care of. Unfortunately you still need your own local backups.

In most offices not everything gets saved to the cloud and that information matters. For many small business years of work is sitting on the hard drive.

External hard drives and DVDs are the most popular ways of saving backups. Your backup should include documents, email, address books, favorites and bookmarks.

Store the backups away from the computer, preferably offsite. I recommend making two copies, leave one onsite for easy access and store one elsewhere. If something terrible happens to your home or office while you are away, your data is at least safe.

For home offices, it’s a good idea to leave a copy of the backup with your neighbours or a relative in a nearby suburb. An old client of mine swaps external hard drives with his mother- in-law at church each week so he has a reasonably up to date copy of his data somewhere he knows he can get to.

When you return

Your computer is the very last thing you should turn on. Turn on modems, printers, external drives and network equipment before your computer. If you have a cable or ADSL Internet connection, give it a few minutes to connect before trying to log on.

Update your system

While you were away new Internet nasties in the form of viruses, Trojan horses and spyware will have come out and there’s a good chance some of them may be waiting in your inbox.

Before checking emails or surfing the net, update your security software and check for any system updates. Don’t do anything on the net until everything is updated.

Christmas and New Year are times when you should relax. There’s nothing worse than returning to find office equipment and valuable data lost. By backing up your systems and taking some precautions you don’t need to feel anxious about your business being up and running quickly when you get back to work.

Enjoy your holidays and let’s all look forward to a great New Year.

Similar posts:

Distrusting the cloud

Dec 162011
 
trust is the currency of the web and business

The recent KPMG Convergence Report looking at online trends in the mobile web found that nine out of ten Australian consumers are concerned about the security of their online data.

In light of recent corporate security breaches such as Sony’s and Telstra’s this is understandable which creates a real barrier for the adoption of cloud computing services.

For cloud computing to be taken seriously, customers have to be certain their data and applications will be respected and protected.

The corporate sector’s failure to hold senior management responsible these problems shows how big businesses largely aren’t taking user privacy or security seriously.

This is a great opportunity for new businesses, we’ve already seen Amazon become the biggest host for cloud services over storage and Internet incumbents who five years ago would have dismissed Jeff Bezo’s company as a glorified book stand.

For newer companies offering cloud services it’s a chance to build a culture where customer service, privacy and respect comes before management bonuses and perks. Where delivering what you promise is more than waving a vague Service Level Agreement (SLA) document under customer’s noses.

As customers, big and small businesses have much to gain from cloud computing‘s productivity, collaboration and cost saving aspects but trust that data will be protected and the service will be available is essential.

Before choosing a cloud service have a search of the web and popular forums to check what people are saying about the product.

Don’t rely on fancy marketing, or assume that a big company will be better at protecting your data. The evidence is clear that smaller, newer companies are doing a better job at protecting data and ensuring business continuity than many of their bigger competitors.

Over time, customers are going to get used to trusting cloud service providers and the businesses who’ll succeed in the online applications world are those who’ve been shown to be trustworthy.

This is one way the web is changing the way we do business.

Similar posts:

  • No Related Posts

The online business playground

Dec 092011
 
the online world can be a playground but social media can hurt a business

This article originally appeared as The Business Playground on Smart Company.

Last week, I was lucky to be invited to talk about digital citizenship with school kids and their parents in the Griffith area.

The concept of “digital citizenship” is pretty simple – your behaviour online should be no different from how you’re expected to conduct yourself in the playground or business world.

When talking to some of the parents about the issues their kids face, it stuck me just how seriously most of the concepts like being accountable for your behaviour, safe computing and avoiding bullying are as applicable as much to business as the schoolyard.

Bullying in the workplace is pretty common and – as the tragic case of a young waitress who killed herself after being bullied at a Melbourne café shows – employers are directly responsible if they don’t control it.

While the Melbourne case didn’t have a digital aspect, what employees put up about their co-workers on social media sites or on blogs or in emails can be bullying as well.

Making things worse when social media or the web is involved is that most of the evidence is in writing and difficult to erase.

Safe computing, such as creating strong passwords and not sharing them, is one important part of being safe online.

Just as kids get into trouble by sharing their passwords with their friends, so too do businesses that common login details for their key systems and services.

Some weeks ago there was the story of a Texas waterworks that was hacked because their systems had a simple password.

No doubt the login was kept simple to make things easy for staff and management, just like a 12-year-old sharing their Minecraft or Moshi Monster accounts with their big brother or best friend.

Being accountable for your behaviour is probably something both kids and business people struggle with; just as kids don’t understand that taunting their friends through a Facebook page has real life consequences, many managers and entrepreneurs forget that laws and professional standards apply online as much as they do in any other area.

Of course in business, it’s not just ourselves that can cause problems – our staff can get us in trouble too. Employees need to know that upsetting co-workers, customers, suppliers and competitors is unprofessional and can cost them their jobs.

Having a staff acceptable computer use policy makes it clear employees are responsible for work related comments they make even on their personal accounts outside of working hours is now essential for all enterprises.

In many ways, business is just like being in the playground. It’s usually fun, but when things go wrong it can be painful in many ways.

Just as schools are on the look out for digital trouble among students, watch out for similar pain points among your staff.

Similar posts:

Securing the USB stick

Dec 072011
 
USB memory sticks can create security and virus problems.

While I’m always reluctant to publicise security company’s media releases – believing many of them to be hysterical hype – a quick study by Sophos on lost USB keys has some interesting lessons for all of us who use thumb drives to carry data.

Sophos bought 50 USB drives at Sydney’s CityRail unclaimed lost property auction and analysed them for malware and security risks.

The study – not yet online – found more than 4,400 files including photos, CVs and job applications. Confidential material that could be used for identity theft, stalking or commercial advantage.

Encryption

If you are moving confidential data between computers, it may be a good idea to consider encryption software that protects files from unwanted visitors. Mac OS X has encryption software built in as does  all but the home versions of Windows 7 and Vista.

Should you have a computer that doesn’t come with encryption, or you’re taking the drive between different venues, then you may need a third party encryption program like TrueCrypt. Note you’ll need administrator rights to install the software on every machine you use.

The Malware threat

As a security company Sophos leaned heavily towards the malware aspect with a headline that 66%, or 33, of the drives had some sort of malware on them.

While that statistic is suspiciously high, it does illustrate the risk of plugging USB sticks into school, office and internet cafe computers. Like unsafe sex, the likelihood of catching something nasty increases with the more partners you have.

Perversely Apple Macs could be helping spread the malware as Mac users generally don’t use or need anti virus sofware and any viruses picked up on someone else’s Windows system can sit undetected and dormant until they are used on another PC.

Consequently, its good practice to wipe a drive when you’re finished with it so along with deleting malware you are also not keeping unnecessary and possibly out of date files on your drive.

Overall, Sopho’s survey illustrates why cloud services like Dropbox and Box.net are best for sharing data although the USB stick still has an important role when everything else goes wrong.

Similar posts:

Spotting a security charlatan

Nov 242011
 
there is a lot of poor security and technology advice

Google’s Open Source Programs Manager, Chris DiBona recently pointed out how IT security industry charlatans keep making false claims to push the sales of their software products and consulting services.

“If you read an analyst report about ‘viruses’ infecting ios, android or rim,” says Chris,  “you now know that analyst firm is not honest and is staffed with charlatans. There is probably an exception, but extraordinary claims need extraordinary evidence.”

Sadly, the computer press tends to accept these extraordinary claims at face value and allows the charlatans to repeat their snake oil pitches without subjecting them to critical analysis.

Fortunately for those who care about the security of their home and business IT systems, there are ways to spot the charlatans and their dodgy wares.

The Big Target theory

When you read a claim that the Windows malware epidemic of the early 2000s was due to Microsoft being a big target as opposed to the tiny market shares of Apple and Linux, you can be sure they are the words of someone who is at best clueless selling a dubious product.

This theory is nonsense, as I’ve explained previously, and anyone who genuinely believes this has no experience in dealing with the poorly secured operating systems that were Window98, Me and the early versions of XP.

If you are confronted by somebody making this claim ask them why, now smartphones are outselling desktop computers, where is the widespread malware promised for mobile systems? It doesn’t exist for exactly the reasons Chris gives in his Google+ post.

Real Soon Now

The other key indicator is the “real soon now” claims – that a virus is about to burst onto the scene that will rub the smile off the face of smug Mac and Linux users.

Invariably the hysterical headlines are backed up with claims, almost always taken from a vendor’s press release, that a security company’s researchers have identified a threat that is about exploit wilfully clueless users.

Daring Fireball’s John Gruber has done an excellent job of dismantling this rubbish in his classic post “Wolf”.

His post was provoked by the ‘news’ that a wave of Apple malware was on its way. That was six months ago and we’re waiting. John tracked similar stories back to 2004, none of which came to fruition.

The modern snake oil men have an advantage in that tech journalists are desperate for page views and in many media organisations they no longer have the resources to critically analyse PR claims.

Sadly there are real security issues that home and business users need to be aware of. Of course, much of the solution for this doesn’t sell dubious antivirus or expensive consulting services.

In some respects, the proliferation of these stories is a reflection of the decline of the mainstream media business model.

As more ‘news’ stories become lightly rewritten PR spin, the less readers take those outlets seriously and once trusted journals of record become little better than online gossip rags.

Important issues, like information security, deserve more than repeating the lies of those who profit from fear, uncertainty and doubt.

Similar posts:

Avoiding industrial nightmares

Nov 232011
 
protecting our business and computer networks in the age of the internet

The Iranian nuclear program is crippled by a virus that infects their control systems while a hacker claims a Texas waterworks can be accessed with a three word password.

Any technology can be vulnerable to the bad guys – obscure systems like office CCTV networks and home automation services can be as vulnerable as the big, high profile infrastructure targets.

While there’s good reasons to connect our systems to the web, we need to ensure our networks are secure and there’s a range of things we can do to protect ourselves.

Does this need to be connected?

Not everything needs a Internet or network connection, if there’s no reason for a device or network to be connected then simply don’t plug it in.

Keep in mind though that threats don’t just come through the web, both the Iranian malware attack and the Wikileaks data breach weren’t due to hackers or Internet attacks.

Get a firewall

No server or industrial system should be connected directly to the public Internet, an additional layer of security will protect systems from unwanted visitors.

All Internet traffic should go through a firewall that is configured to only allow certain traffic through, if the router or firewall can be configured to support a Virtual Private Network (VPN), then that’s an added layer of security.

Disable unnecessary features

The less things you have running, the fewer opportunities there are for clever or determined hackers to find weaknesses.

Shut down unnecessary services running on systems – Windows servers are notorious for running superfluous features – and close Internet ports that aren’t required for normal running of your network.

Patch your systems

Computer systems are constantly being updated as new security problems and flaws are found.

Unpatched computers are a gift to malicious hackers and all systems should be current with the latest security and feature updates.

This is a lesson the Iranians learned with the Stuxnet worm that was almost certainly introduced through an unpatched system – probably one running an early version of Windows XP or even 98 – which was vulnerable to known security problems.

Have strong passwords

Passwords are a key part of a security policy, they have to be strong and robust while being different to those you use for social media and cloud computing services.

It’s also important not to share passwords and restrict key log in details and administrator privileges to those who require them for their work.

With online services like social media, cloud computing and other web tools becoming a part of business and home life, we have to take the security of our systems seriously. Hardening them against threats is a good place to start.

Similar posts:

The digital inheritance

Oct 182011
 
after death, someone has to deal with our digital footprint

Our digital footprint – what appears about us online in websites and social media services – is becoming more important as we’re judged by what people find out about us on the web.

As what we store on the web becomes more important, the need to plan for what happens to that data when we pass away becomes more important. “Generation Cloud”, a survey in the UK by hosting company Rackspace and the University of London looked at how Britons were dealing with these issues.

Information left online can cause problems as social media sites will send suggestions and reminders which can distress others if the suggested contact has passed away.

Equally, a web site or Facebook page could even serve as a memorial. The final blog post of Derek K. Miller is a particularly touching memorial.

To create a “digital tombstone”, for your loved ones to remove inappropriate posts or just to access your digital personal effects like email or photos stored on a cloud service, they will need your passwords.

In the Generation Cloud survey, 11% of the participants planned to leave their online account details and passwords in their wills and half considered some of their ‘treasured possessions’ are stored online.

Once again we’re finding our online data has real value that’s worth passing down. It’s another reason to guard your data safely and not give it away lightly.

Similar posts:

Password protection

Jul 262011
 
how to protect your computer and social media data

The suspension of eighty students from a suburban Sydney high school once again illustrates how careless we often are with passwords and the access to our computers. In an era of Internet banking, online shopping and social media sites holding our personal details, we have to take web security seriously.

In many ways the teacher who let their password slip to their students was lucky. In the United States, authorities haven’t always been so forgiving these sort of mistakes, and in this case the kids and the system administrators were a lot more adult and responsible than their Connecticut counterparts.

What the incident does show is how the weakest points of our technology networks are ourselves – the most secure systems, toughest passwords and best anti-virus protection won’t help us if we don’t take care.

We looked at protecting organisations in an earlier post, Protecting your data, and here’s some steps on how to take care with your personal details.

Shut down computers

When you’re finished working, make sure you log out of email programs, secure sites, social media services and shut your computer down.

In an office context, this is very important if you’re going away for a meeting or a break as people have been known to use co-workers computers to access prohibited sites or sensitive information.

Should you be using Internet cafes, hotel business centres or airport lounges you should be doubly careful to make sure you’ve logged off completely before walking away from the shared computer.

Hide your passwords

As the teacher at Prairiewood High found, your password is gold. Do not divulge it under any circumstances.

Often doing so is almost certainly a breach of your organisation’s Acceptable Use Policy and sometimes this can mean disciplinary action or dismissal from a job. With your online banking, disclosing your password or PIN can mean you won’t be compensated if money is stolen from your account.

Even a seemingly trivial social media site can cause trouble for you if crooks can get onto it.

Having a complex password is good and we look at a neat little trick for memorable but tough passwords in our Protecting Your Data post, it’s worthwhile making sure your logins are both easy to remember while being secure.

Understand your AUP

An AUP, or Acceptable Usage Policy, is part of the conditions of you using a computer or online service. Many government and corporate networks have a box pop up forcing you to agree every time you login. Take time to occasionally read this.

Should you accidentally give away your password, say to a site that’s fooled you that it’s your bank or a social media site, the AUP will usually have a clause or a sentence on what to do in that situation. Understanding this will give you piece of mind if something does happen.

We’re now in an age where our personal information is more valuable than ever before and we need to guard what who has access to it. Passwords are going to be part of protecting our data for some time to come so understanding how to use them properly is essential.

Similar posts:

  • No Related Posts

The Lulz are on us

Jul 022011
 
avoiding making clowns of ourselves in online web security

Last weekend’s announcement that the LulzSec group of jolly hackers was breaking up was met with bemusement at what has been one of the most mysterious, albeit entertaining, chapters in the information wars of 2011.

It’s quite clear that 2011 is the Year of the Hack with organisations ranging from electronics company Sony who now appear to be the joke of the online security world through to major banks, the FBI and even Google’s Gmail service being the subject of serious online attacks.

That many of these attacks were successful is a reminder to all of us how important online security is and it is our responsibility to protect our customers’ and staff details by taking basic precautions.

Take security seriously

Many of the business hacks appear to have been because of slack security practices including out of date software and default passwords being used.

Even if you don’t have a server yourself, make sure your computers have all current updates installed and that strong passwords are in place.

Password Security

A basic precaution is to have robust passwords. A combination of letters and numbers is the best.

One nice little tactic is to use a phrase as a password and separate the letters with a character, for instance using “mary$has$a$little$lamb”, although you might want to choose a more intimate phrase.

Keep in mind too that strong passwords aren’t much help if an incompetent corporation leaks them onto the web, along with your banking details. So use a layered approach where critical passwords for bank accounts are different to those that you might use for an online game or social media site.

Restrict access

The real risk to our security lies with our own staff, many “hacks” are actually employees erasing or give away data, which could be deliberate or accidental.

Don’t give passwords or access to people who don’t need them, keep the business accounts away from your sales staff and lock employment records away from the IT folk. Private client information shouldn’t be shared around the office and particularly not with outside parties.

Backup, backup, backup

The DistributeIT debacle, which one is hesitant to describe as a “hack” as their complete loss of hardware, client data and backups sounds more like an internal problem than an outside attack, shows how important it is to keep your own backups.

As we move our businesses to online and cloud based services, we have to put a lot of trust into those who provide those products. It’s good insurance to have easily available copies of mission critical data in case a problem.

Invest in technology

We’ve all heard CEOs and ministers claim they will save millions in outsourcing their IT departments. Those savings come from somewhere and information security is one of those corners that’s cut when reducing operating costs.

Experienced tech workers have plenty of examples where management cries of “we’ve been hacked” have actually been hardware failures or staff mistakes bought on by poorly trained staff working with inadequate equipment.

Sony appear to have fallen for this, having reportedly sacked many of their security specialists before the hacks began.

Make sure you are making sensible investments in your technology and not going for the cheapest, or free, option simply to save a few pennies.

Obey standards

Nothing is more embarrassing than losing clients’ confidential data, particularly banking details.

If you are taking customer payments, make sure you are complying with the DSS-PCI standards for card payments by giving the work to a reputable payment gateway.

Have a contingency plan

“There but for the grace of God….” is a good phrase to keep in mind when you see another business affected by a hacker, hardware failure or any of the millions of other unfortunate things that could stop your business.

Even with the best planning in the world sometimes dumb luck just doesn’t go your way. You need to have a fall back plan to keep your business running if the unexpected happens.

Be honest

One thing that jumps out in a number of the stories is how some organisations are simply not honest with their customers.

The process starts with misrepresenting how they secure and protect customer data. When an outage hits, they hide behind a call centre and often lie, or at least understate, the effects of the problem.

In an age of social media, blogs and user forums trying to spin your way out of trouble is not the answer. If customers are going to trust you, they need to have confidence you won’t mislead them.

As consumers, the various data breaches we’ve seen so far this year should make us pause before we give valuable personal data to businesses. It’s quite clear that some don’t deserve our trust.

For businesses we need to show that we are worthy of our customers’ trust. The first step of that process is taking their privacy seriously.

LulzSec, anonymous and all the other various hackers, anarchists and general troublemakers on the web are reminding us that we need to take our online responsibilities as seriously as any other others.

Make sure you’re protecting your own business and your customers’ data.

Similar posts:

  • No Related Posts
 Older Entries  Newer Entries