Drones: The Next Great Hack


As a kid, one of my favorite hobbies was flying radio control airplanes. Back in the day, we used to hang a colored flag off our antennas to notify other hobbyists what frequency we were on. If someone nearby had the same frequency, the person with the stronger transmitter could take over your airplane and crash it or fly it on a different route. The same is true today – but now, there are much more severe consequences than crashing a toy airplane. The toys may be new, but the technology isn’t.

So far, I have seen drones configured with cameras to show real estate (invasion of privacy), a Taser that was used on a person (personal safety), and a drone that was set up to steal smartphone data while the owner’s Wi-Fi was on (theft of personal data).

Encryption rules for these devices are nonexistent. From the research I’ve done, I’m disappointed to discover that NONE of the companies that sell drones mention encryption or security for any of their devices. There are no rules or regulations regarding drones, and as a result, they have become the true “Wild West” of toys.

Drones with cameras are especially dangerous, and here’s the problem. If the drone is taken over, the hacker has access to anything the drone’s pilot is looking at. This would be especially troubling in a law enforcement scenario. And Predator drones used by the US military have reportedly sent their video feeds unencrypted, so why would anyone expect better from a consumer product?

Drones connected over Wi-Fi are not safe either. A hacker has released software to hijack commercial drones using simple software that is already available, plus low-cost hardware (a Raspberry Pi). (1) To use this hack, all one has to do is find the drone maker’s MAC address prefix, which is a Google search away: the first half of every MAC address identifies the manufacturer, so any drone within Wi-Fi range can be picked out of a scan. The hacker can then skyjack the drone and do whatever he or she wants with it. (2)
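The flip side of that trick is that a defender can use the same MAC prefix to spot drones (or drone-hijacking hardware) on or near a corporate network. The script below is an added example for this post, not code from SkyJack or from the original article: it parses constructed Wi-Fi scan rows, normalizes the BSSID, and flags any access point whose vendor prefix (OUI) belongs to a drone maker or whose network name looks like a drone hotspot. The two OUIs and the ESSID pattern are assumptions for illustration; check them against the IEEE OUI registry and the product documentation before relying on them.

```python
"""Flag Wi-Fi access points that look like consumer drones.

Added example (not from the original post or from SkyJack). The vendor
OUI prefixes and ESSID pattern are assumptions for illustration: check
them against the IEEE OUI registry and product documentation first.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed drone-maker OUIs (first three bytes of the MAC). Illustrative.
DRONE_OUIS = {
    "90:03:B7": "Parrot SA",
    "A0:14:3D": "Parrot SA",
}
# Assumed hotspot-name pattern for Parrot AR.Drone models. Illustrative.
DRONE_ESSID_RE = re.compile(r"^ardrone2?_", re.IGNORECASE)


def normalize_mac(mac: str) -> str:
    """Return MAC as upper-case AA:BB:CC:DD:EE:FF; accept ':' '-' or no separator."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


@dataclass
class Finding:
    bssid: str
    essid: str
    reason: str


def parse_scan(text: str) -> list[tuple[str, str]]:
    """Parse tab-separated 'BSSID<TAB>ESSID<TAB>channel' rows; skip comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            continue
        rows.append((fields[0].strip(), fields[1].strip()))
    return rows


def find_drones(scan_text: str) -> list[Finding]:
    """Report APs whose OUI belongs to a drone vendor, or whose ESSID looks like one."""
    findings = []
    for raw_bssid, essid in parse_scan(scan_text):
        try:
            bssid = normalize_mac(raw_bssid)
        except ValueError:
            continue  # malformed row: skip it rather than abort the sweep
        oui = bssid[:8]
        vendor = DRONE_OUIS.get(oui)
        if vendor:
            findings.append(Finding(bssid, essid, f"OUI {oui} is assigned to {vendor}"))
        elif DRONE_ESSID_RE.match(essid):
            findings.append(Finding(bssid, essid, "drone-style ESSID with unrecognized OUI"))
    return findings


# Constructed sample scan output, not a real capture.
SAMPLE_SCAN = """\
# BSSID\tESSID\tchannel
90:03:b7:12:34:56\tardrone2_123456\t6
A4-5E-60-AA-BB-CC\tHomeNet\t1
00:11:22:33:44:55\tardrone_bench\t11
acde48001122\tCoffeeShop-Guest\t6
"""

if __name__ == "__main__":
    for f in find_drones(SAMPLE_SCAN):
        print(f"{f.bssid}  {f.essid!r}: {f.reason}")
```

Feed it the BSSID/ESSID columns from whatever scanner you already run (airodump-ng CSV, `iw dev wlan0 scan`, or a controller export) and alert on any hit; a drone hotspot on the roof of the office is worth a look whether or not it has been skyjacked.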

Six sites in Alaska, Nevada, New York, North Dakota, Texas, and Virginia have been chosen by the FAA as drone test sites. These are for commercial drones – not hobbyist drones.

Without encryption and oversight, both types of drones can be a danger to the public’s privacy. In addition, the lack of an encrypted connection between the drone and the operator can be a danger to the public’s safety. A drone that has been hacked and taken over can create terrible scenarios, such as drones intentionally crashing into crowds of people or open spaces where people congregate, surveillance and tracking of victims (for example, domestic abuse victims), and an increase in high-tech peeping Toms.

Technical innovation moves society forward, but at the same time, it also attracts nefarious individuals who take advantage of new technologies and twist them for their own purposes. The only way to stay ahead of the bad guys, at least in the short term, is to limit the damage they can do. For the devices themselves, strong encryption of the control link and the video feed is the only way to keep the bad guys at bay – at least for a little while. Without encryption, drones will become a target too tempting for the bad guys to resist.

Does your business have a use for drones, and if yes, what can you do to stay ahead of the bad guys? Be prepared, and devise strategies sooner rather than later.

Sources for this post:
(1) “Hacker Releases Software to Hijack Commercial Drones” by Bryant Jordan via Defense Tech
http://defensetech.org/2013/12/09/hacker-releases-software-to-hijack-commercial-drones

(2) SkyJack is a drone engineered to autonomously seek out, hack, and wirelessly take over other drones within Wi-Fi distance, creating an army of zombie drones under your control.
http://samy.pl/skyjack

Image Credit: debspoons via FreeDigitalPhotos.net.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.

 


Who Protects Your Corporate Digital Footprint?

Business leaders must focus on many things every day. There are legal and compliance issues, personnel issues, product development issues, and much more. But in the era of Snowden vs. the NSA, Wikileaks, and a myriad of data breaches, who protects your corporate digital footprint?

There may be someone in your marketing or IT department who conducts regular web monitoring with either Google Alerts or Talkwalker Alerts (or even better, with both) on your company name or main brand name, but is there a report generated from the results? If yes, who sees the report, and what action is taken if something negative is found?

What happens when someone infringes on your company name, brand name, or tagline? Does your business have a procedure in place? Which department is responsible for taking action?

While most discussions center on hacking into and stealing your most sensitive information for fraudulent purposes, there is another issue that doesn’t garner the same level of attention: the issue of assuring the accuracy of your digital footprint.

According to Wikipedia, a “digital footprint” is defined as the “trail left by an entity’s interactions in a digital environment including its usage of TV, mobile phone, Internet, mobile web, and other devices…A digital footprint may include the recording of activities such as system login and logouts, visits to a web-page, accessed or created files, or emails and chat messages. Social networking sites record activities of individuals, and this usage of social media and roaming services captures data that includes interests, social groups, behaviors, and location. This data can be gathered and analyzed without a user’s awareness.”

Let’s not forget about cybersquatting, when someone with nefarious intent registers your company name as a domain and either holds it for ransom (translation: they demand an exorbitant amount of money to sell the domain to you) or prefers to hold onto the domain and not sell it at all. Even worse, they put up an inappropriate site on it. Think of the site whose address is similar to that of the White House – you’re asking for trouble if you click on it (note, the correct site is http://www.whitehouse.gov).

It’s critical to reserve your company and brand names – and all other permutations you can think of – across all major social media sites. That way, you won’t have to worry about waking up one morning to surprising news about your brand on some outlier social site, with crazy details about your brand that are totally false. Also, register the domain names that end in .com, .org, and .net, as well as other suffixes, for your company and brand names.

Visit these sites to check your company name or major brand name: http://knowem.com or http://namechk.com. Don’t forget to also check out and consider purchasing altered or frequently misspelled versions of your company name or brand. Above all, regularly monitor your digital footprint.
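Typing misspellings by hand misses most of them. The script below is an added example for this post (it is not code from KnowEm, Namechk or the original article): it generates the usual typosquat families for a brand label – dropped, swapped, doubled and fat-fingered letters, look-alike characters, and inserted hyphens – and crosses them with the TLDs you would register defensively. The keyboard-neighbour and homoglyph tables are deliberately small and are assumptions; extend them for your own brand.

```python
"""Generate look-alike registrations of a brand name for monitoring or defensive purchase.

Added example (not from the original post, KnowEm or Namechk). The
permutation classes are the usual typosquatting families; the keyboard
neighbourhood and homoglyph tables are deliberately small and assumed.
"""
from __future__ import annotations

ADJACENT_KEYS = {  # partial QWERTY neighbours (assumption, extend as needed)
    "a": "qwsz", "b": "vn", "c": "xv", "d": "sf", "e": "wr", "i": "uo",
    "l": "k", "m": "n", "n": "bm", "o": "ip", "r": "et", "s": "ad",
    "t": "ry", "u": "yi",
}
HOMOGLYPHS = {  # characters that read alike in a URL bar (assumption)
    "a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"],
    "o": ["0"], "m": ["rn"], "w": ["vv"],
}
TLDS = ("com", "net", "org", "co", "biz")


def permutations(label: str) -> dict[str, set[str]]:
    """Return candidate labels grouped by typosquat class; the label itself is excluded."""
    label = label.lower()
    out: dict[str, set[str]] = {
        k: set() for k in
        ("omission", "transposition", "repetition", "adjacent", "homoglyph", "hyphenation")
    }
    for i, ch in enumerate(label):
        out["omission"].add(label[:i] + label[i + 1:])
        out["repetition"].add(label[:i] + ch + label[i:])
        if i < len(label) - 1:
            out["transposition"].add(label[:i] + label[i + 1] + ch + label[i + 2:])
            out["hyphenation"].add(label[:i + 1] + "-" + label[i + 1:])
        for k in ADJACENT_KEYS.get(ch, ""):
            out["adjacent"].add(label[:i] + k + label[i + 1:])
        for g in HOMOGLYPHS.get(ch, []):
            out["homoglyph"].add(label[:i] + g + label[i + 1:])
    for names in out.values():
        names.discard(label)
        # drop anything that is not a valid DNS label
        for bad in [n for n in names if not n or n.startswith("-") or n.endswith("-")]:
            names.discard(bad)
    return out


def candidate_domains(label: str, tlds=TLDS) -> list[str]:
    """Brand plus every permutation, crossed with the TLDs you would defensively register."""
    names = {label.lower()}
    for group in permutations(label).values():
        names |= group
    return sorted(f"{name}.{tld}" for name in names for tld in tlds)


if __name__ == "__main__":
    for cls, names in permutations("acme").items():
        print(f"{cls:14s} {sorted(names)}")
    print(len(candidate_domains("acme")), "domains to check or register")
```

The list is the input to the next step, not the answer: run it through WHOIS or DNS to see which names are already taken, register the ones that matter most (a few dozen at most is typical), and put the rest on a monitoring schedule so a new registration of a look-alike shows up in the same report as your Google or Talkwalker alerts.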

What’s your plan to protect your corporate digital footprint?

 

Source for this post:
Wikipedia: Digital Footprint: https://en.wikipedia.org/wiki/Digital_footprint

Image Credit: digitalart via FreeDigitalPhotos.net



Could Your Business Survive If Everyone Telecommuted?


While iPods and smartphones revolutionized the music and cell phone industries, could telecommuting totally revolutionize the workplace? This is a very interesting concept, but certainly, your industry will determine if this is possible. While some companies have stopped offering telecommuting as an option, others embrace it – but there are some security issues that cannot be ignored.

What happens if your employee decides to work at home, either in a spare bedroom or a room set up as an office? There is appropriate lighting, ergonomic furniture, and efficient equipment including a desktop computer, smartphone, printer, fax, copier, etc. Everything is fine until there’s an electrical surge, or the power goes out. While this may sound unlikely, it is very possible, and in fact, it has happened to me. When it happens at an office workplace, everyone is in the same boat, from the CEO on down to the person who cleans out the lunch room refrigerator. All activity comes to a stop.

But when it happens at one employee’s home, only that single employee is impacted, and he/she cannot fix the problem. The electrical company must be called, or city employees get involved. It may seem a small problem, but it halts the employee’s ability to complete his/her projects.

Let’s consider the customer service function of your business. While you can ask a group of people to connect to your network with their phones and computers from home, how can you be sure your representatives all provide a consistent brand experience? What happens if one employee has a screaming child in the background? What happens if one employee is working in her kitchen, and the tea pot starts whistling? Or what happens if an employee starts arguing with a family member? All of these scenarios are possible and can interrupt the ability of your employee to do his or her job professionally.

To avoid the problematic family members, the employee grabs a laptop and smartphone and heads to a nearby coffee shop. This telecommuting concept that was designed for a home office environment now relocates to a community-type environment full of possible distractions. Security now takes center stage, because the data on both the smartphone and the laptop is exposed to anyone else on a public Wi-Fi network that may not be secure.

And returning to the customer service function, there is no possible way for the employee to take calls and speak over the noise in a public space.

Let’s now consider the security issues involved with telecommuting. In addition to all of the issues raised above, connecting to a corporate network can be a huge security risk if an employee doesn’t have virus/malware protection on his or her home machine or smartphone. What happens when the employee accesses company email from his or her device? There has been much chatter in the news lately about virus protection on smartphones, and Apple recently updated its operating system due to vulnerabilities. Android is currently the most heavily attacked mobile OS.

According to the Verizon 2013 Data Breach Investigations Report, phishing email was used in 95% of the state-affiliated espionage attacks it studied – in other words, an employee unknowingly opens an email that carries malware or some other form of payload. (1) According to Wikipedia, “In computer security, payload refers to the part of malware which performs a malicious action.” (3) So how do you maintain ongoing training when employees are not in the office to attend those sessions?

What about that coffee shop down the street from an employee’s home? Should an employee conduct work from there? Who knows what wandering eyes (or competitors) could be sitting nearby ready to pounce on the data stored on the employee’s laptop? As a result, have a discussion reviewing Wi-Fi procedures for all employees who will telecommute. Go one step further and require employees to review the procedure document and sign that they have read it – perhaps, as part of the employee manual or as part of the onboarding process. This must be done BEFORE any employee is approved to use Wi-Fi and access corporate data.

The IT Department must be allowed to set up VPN access on any employee-owned device that will access corporate data over Wi-Fi, so that traffic between the device and the corporate network stays encrypted even on an untrusted hotspot. This is what protects the company.

And, before any employee becomes a telecommuter, written telecommuting policies must be presented to and discussed with the employee – and then signed by the employee. Otherwise, telecommuting shouldn’t be an option.

Does your business have a telecommuting policy?
___________________________

Sources for this post:

(1) Verizon 2013 Data Breach Investigations Report
http://www.verizonenterprise.com/DBIR/2013/download.xml

(2) Inspiration for this post: TELUS Aim to Have 70% of Employees Working Mobile by 2015
http://www.informationsecuritybuzz.com/telus-aim-70-employees-working-mobile-2015/

(3) Wikipedia: Payload (computing)
http://en.wikipedia.org/wiki/Payload_%28computing%29

Image Credit: Ambro via FreeDigitalPhotos.net



What Policies Appear On Your Website?


Like many businesses, you probably maintain Facebook, Twitter, YouTube, and LinkedIn accounts to promote your product or service. If your leadership and IT teams listen to your marketing and PR teams, these social sites link back to your main website. And like many others, you may refresh your website on a regular basis.

But how often do you update the policies that sit along the footer of each page or appear in the small print in the sitemap? Depending on your specific industry, the size of your business, and your target audience, you may feature more than just a standard Privacy Policy and Terms of Use.

A privacy policy is “a statement or a legal document (privacy law) that discloses some or all of the ways a party gathers, uses, discloses and manages a customer or client’s data. Personal information can be anything that can be used to identify an individual including name, address, date of birth, marital status, contact information, ID issue and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it’s often a statement that declares a party’s policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises.” (1)

According to Wikipedia, “There are questions about whether consumers understand privacy policies and whether they help consumers make more informed decisions. Critics also question if consumers even read privacy policies or can understand what they read. A 2001 study by the Privacy Leadership Initiative claimed only 3% of consumers read privacy policies carefully, and 64% briefly glanced at, or never read, privacy policies…One possible issue is length and complexity of policies. According to a 2008 Carnegie Mellon study, the average length of a privacy policy is 2,500 words and requires an average 10 minutes to read.” (2)

The Walt Disney Company goes one step further and provides an Internet Safety page. This company’s page helps parents teach children about Internet safety and cyberbullying. While this may not be appropriate for all businesses, it is a clear demonstration as to how this business knows its audience.

How well do you know your audience, and can you customize your privacy policy page so that it stands apart from the competition?

A Terms of Use agreement “is used for legal purposes by websites and Internet service providers to store a user’s personal data for eCommerce and social networking sites.” (3) Also known as a user agreement, this often contains sections regarding proper usage, opt-out policy, accountability for online actions and behaviors, payment details, and privacy. Terms of use can, and often do, change often and vary from site to site.

Some companies take the Terms of Use idea and transform it into a Terms of Service agreement. One site that features a Terms of Service on its site is Truste.

Some companies with significant brand assets also provide copyright policies. One company is LinkedIn.

Pinterest calls its agreement an “Acceptable Use Policy,” but since photos and images appear on the site, Pinterest wants the content to make users feel “safe and comfortable.”

How can you customize your Terms of Use page so that it stands apart from your competitors?

Since few users or visitors take the time to read the policies on websites, it’s the responsibility of the website owner (whether that is translated to mean CEO, marketing, IT, HR, etc.) to create a user-friendly page so that the policy is read – and not just a few lines, but the entire policy.
_____________________
Sources for this post:
(1) and (2) Wikipedia: Privacy Policy
http://en.wikipedia.org/wiki/Privacy_policy

(3) Wikipedia: Terms of Use
http://en.wikipedia.org/wiki/Terms_of_use

Image Credit: Stuart Miles via FreeDigitalPhotos.net



The Newest Event at the Olympics: Electronics Hacking


If you own a business, you should be very worried for the next couple of weeks. You may not be making any large purchases, hiring entire departments of personnel, or launching new products, but your data may be at risk and here’s why: If any of your employees are traveling to Sochi with their electronic devices, they may be putting your data at risk.

On a recent broadcast of “NBC Nightly News with Brian Williams,” international correspondent Richard Engel provided a report from Sochi about the hacking of electronics. He explained that visitors to Sochi should leave their electronic devices at home, and showed why. He brought two brand new computers with him and showed how quickly hackers were able to get into the machines once he took them out of the box and booted them up. What was once fiction has finally become reality, and no matter where the Olympics are held, hacking on a widespread level will, from this point forward, be a reality.

The reason is that, as a global community, we have reached an age where everyone from world leaders on down to John Q. Public uses electronic devices to access their personal as well as business information. This data is as valuable as gold to hackers. World leaders can have confidential information regarding their countries as well as other countries on their smartphones, tablets, and other devices. Individuals can have confidential information including financials, contacts, and other personal data on the same kinds of devices. And now, with microphones built in to all devices, hackers can listen in on confidential conversations between individuals without the parties being aware of the interlopers.

Since software evolves, it’s only natural that the software hackers use also evolves. Some hacking software comes as a package that includes customer support. And just as our software lets us add modules for more functionality, hacking software lets one add modules, so that the same toolkit can be updated to create malware with new functionality.

Wireless is an extremely good attack vector for malware. One thing inherently wrong with large public wireless networks is that they’re open: open to anyone, which means open to nefarious uses as well. If you’re in a coffee shop, hotel lobby, hotel room, airport, train station, or any other public area with Wi-Fi, you have no way of knowing whether those Wi-Fi routers have been compromised. As soon as your device joins such a network, it can be attacked from it. And if you’re plugged into a hardwired network, you still might be open to compromise, because the switches and routers, or even the ISP the network runs over, could be compromised. Are your employees aware of this, or do they rush to use free Wi-Fi or free wired Internet access?

One thing missing from Richard Engel’s report was the use of encrypted devices and VPNs (virtual private networks) for communications. For the average consumer, these technologies are not at the forefront of their minds. They go with what they are accustomed to. For those of us who live in the infosecurity arena, we weigh ease-of-use versus security, but most users opt for ease-of-use. No one wants to put a password on their phone, it interferes with spontaneity. No one wants to buy an encrypted phone due to price.

However, the average user can install malware protection software, such as Avast Mobile Security, Kaspersky Internet Security, or Lookout Security and Antivirus. There are many other antivirus apps to choose from. When considering enterprise options, there’s the IBM Endpoint Manager Mobile Client, which protects organizational data. This is available on iTunes for iOS and on Google Play for Android. The app checks to ensure that a device hasn’t been compromised. It allows a user to receive email and other services securely but must be installed by an IT department. Additionally, the app enables configuration of security settings to protect the organization’s data on a user’s device.

Installation of antivirus software does not guarantee a user will not be hacked – there is malware that cannot be caught by antivirus protection – but it can detect and block a large portion of malware that exists in the wild.

Although physical infrastructure is an important part of every Olympics, the network infrastructure that visitors and guests use will not get the same care. So while the sporting events that make up the summer and winter games change, you can be sure of the one event that will be a part of every Olympics going forward: the hacking event. And the only medal given is virtual, but it’s worth GOLD to the hackers who win it.

So heed this lesson: If your employees travel to the Olympics, don’t let them take their devices with them. Buy them throwaway devices or instruct them to unplug during the Olympics!

_______________________

Image Credit: Nirots via FreeDigitalPhotos.net



How Secure Are Your BYOD Devices in the Workplace?


By now, everyone in the business world knows what the four letters BYOD mean. But if not, it stands for Bring Your Own Device to work. This means that, for a variety of reasons, employees bring their smartphones and tablets to work and use them for work email, work assignments, and work-related Internet searches. As a result, securing the BYOD mobile environment in the workplace is a give-and-take proposition. The employee gives up control of the device, and in the process, the business takes over. The problem lies in how the employee mixes data on the device: there may be family pictures mixed in with confidential memos and other documents. So, thanks to BYOD, the protection of confidential corporate data can be the hardest job for a corporate IT department.

Since the human brain does not easily recall the mix of upper- and lower-case letters, numbers, and special characters that make up complex passwords, the confidential data itself must be protected with encryption rather than by a password alone. The downside is that once an employee hands over his/her smartphone/tablet to an employer for that protection to be set up, the device becomes de facto property of the company.

Now, when an employee wants to access his/her personal data, he/she has to use an employer’s access control to use a personal device. This means no longer having spur of the moment selfies, Vine videos, or emails without stopping to enter a password first. The device becomes a burden rather than a helpful device for the end-user.

One way around this situation is to use cloud-based access. The employee only accesses his or her files or emails from a secure website. The employee is not allowed to download files or emails to any personal computers or other devices. I’ve always been a proponent of all or nothing. Either you lock down the device completely OR use the cloud – and using the cloud may make lock down unnecessary.

Locking and encrypting a device keeps nefarious people out, and in the event that a device is lost or stolen, it can be tracked and wiped safely. Having your data in the cloud keeps employee personal data safely separated from corporate data and ensures that access controls are kept in place. Nothing is cut and dry, of course, and if not done correctly, data can be stolen regardless of security measures.

Here’s an example: an employee can open and save documents on the corporate side and check email, but can’t save anything to his or her phone or any other device. The one problem you’ll always have, unfortunately, is that the employee can still print documents, and that’s why you need to train employees.

One problem that businesses don’t often mention is that personal devices may be confiscated during legal proceedings. As a result, personal as well as corporate data could be open to the evidentiary process. This means that silly photos or compromising photos can be scrutinized, personal usage and tracking software can be abused, and all becomes available for the legal system for analysis. This possible scenario makes the cloud look a whole lot better as an option – especially since it may remove the possibility of device seizure.

When it comes to BYOD, it’s up to the company to be an advocate for its employees. Companies should create and implement a “least privilege” strategy so that only employees who actually need access – to documents, assets, and devices – get it. (For more on this topic, visit this page on Wikipedia: http://en.wikipedia.org/wiki/Principle_of_least_privilege.)
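Least privilege is easy to state and hard to keep: rights accumulate as people change roles, and nobody asks for them to be taken away. The script below is an added example for this post, not code from the original article or the linked IBM material. It shows the two halves of the practice: a default-deny check (an unknown user or an unlisted right is refused), and a review that compares what was granted against what was actually exercised in an access log, so that idle rights become revocation candidates and any successful access with no backing grant flags a policy engine that is not enforcing. The grant table, the log format and the “unused in the review window” rule are constructed assumptions.

```python
"""Least-privilege review: default-deny checks plus a report of granted-but-unused rights.

Added example, not from the original post or the linked IBM material. The
grant table, the access-log format and the 'not exercised during the review
window means revocation candidate' rule are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed grant table: user -> set of (resource, action) explicitly granted.
GRANTS = {
    "alice": {("payroll", "read"), ("payroll", "write"), ("crm", "read")},
    "bob": {("crm", "read"), ("crm", "write"), ("vpn", "connect")},
}

# Constructed access log: timestamp user resource action outcome
ACCESS_LOG = """\
2014-02-03T09:12:01Z alice payroll read allow
2014-02-03T09:15:44Z alice crm read allow
2014-02-03T10:02:10Z bob crm read allow
2014-02-04T08:30:00Z bob vpn connect allow
2014-02-04T08:31:12Z carol payroll read deny
"""


def is_allowed(user: str, resource: str, action: str, grants=GRANTS) -> bool:
    """Default deny: an unknown user or an unlisted (resource, action) is refused."""
    return (resource, action) in grants.get(user, set())


def parse_log(text: str) -> tuple[dict[str, set], dict[str, set]]:
    """Split the log into exercised rights and refused attempts, per user."""
    used: dict[str, set] = defaultdict(set)
    denied: dict[str, set] = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line; a real tool would count and report these
        _ts, user, resource, action, outcome = fields
        (used if outcome == "allow" else denied)[user].add((resource, action))
    return used, denied


def unused_grants(grants, log_text: str) -> dict[str, list]:
    """Rights granted but never exercised in the window: revocation candidates."""
    used, _ = parse_log(log_text)
    report = {}
    for user, perms in grants.items():
        idle = sorted(perms - used.get(user, set()))
        if idle:
            report[user] = idle
    return report


def allows_without_grant(grants, log_text: str) -> dict[str, list]:
    """Successful accesses with no backing grant: the policy engine is not enforcing."""
    used, _ = parse_log(log_text)
    report = {}
    for user, perms in used.items():
        rogue = sorted(perms - grants.get(user, set()))
        if rogue:
            report[user] = rogue
    return report


if __name__ == "__main__":
    print("revocation candidates:", unused_grants(GRANTS, ACCESS_LOG))
    print("allows without a grant:", allows_without_grant(GRANTS, ACCESS_LOG))
    print("carol -> payroll read:", is_allowed("carol", "payroll", "read"))
```

Run the review on a real window (a quarter is common) before you trust its output: a right that is only used at year end will look idle in a 30-day window, so treat the report as a list of questions for the data owner, not an automatic revoke list.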

As technology budgets decline and more companies add BYOD to their operational strategy, you may want to go one step further. Write down your BYOD policy, add it to your personnel manual, and distribute to all current employees. And during the hiring process, discuss your BYOD policy with candidates. There will be some positions where this becomes a very important issue: sales, customer service, IT, marketing, etc.

This advance notice will show that your company is ahead of the competition. Employees would rather be informed before the first day and the onboarding process begins – and a member of the IT team requests someone’s phone to add device administration rights to it. People have a very personal relationship with their smartphones, as you can tell by watching people walk, talk, or text without ever looking up. Taking control of their device may be too much for some employees to handle and could feel like an invasion of personal space.

But despite how you approach BYOD whether you are a small, medium, or large business, everything boils down to training. Employees must be trained on how to manage corporate data to ensure that it doesn’t fall into the wrong hands – and make sure that training takes place on a regular basis.

IBM has six tips for securing mobile devices in the workplace. Engage your employees and your management team so they’re on the same page regarding BYOD. Check out this link:
http://www.slideshare.net/MidmarketIBM/mm-slideshare-mobilesecuritywlink112513

___________________
Image Credit: Naypong via FreeDigitalPhotos.net


Privacy vs. Security


It seems as if everyone is talking about privacy – or wait, is it security? First there was the WikiLeaks data leak by Julian Assange; then there was the NSA data leak by Edward Snowden which brought to light the NSA’s spying on American citizens; and most recently, several customer data breaches in the retail industry.

According to Wikipedia, privacy is “the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively.”

In simple terms, privacy amounts to the ability of an individual or group to control what data, or in tech terms, personally identifiable information (PII), is given to an organization, specifically data collection agencies or companies.

I usually give the following example about privacy to my students. “Privacy is when somebody comes up to you and asks to borrow five dollars. You have five ones in your pocket but you tell the individual that you only have two dollars. You give two dollars and keep the other three. Or, somebody asks for five dollars, but you say that you have no money. You keep the information that you have five dollars to yourself.”

Of course with websites like Spokeo.com and WhitePages.com – and with the massive amounts of data gathering they do – the person who asks you for five dollars probably already knows you have five dollars, and knows that you’re lying if you say that you don’t have any money.

Here’s another example of how our privacy has been eroded – this story first appeared in both The New York Times and Forbes back in 2012. A girl purchased a variety of products at a general merchandise store over time, and thanks to data mining, the store sent her baby-related sale coupons. The store was able to infer that she was pregnant before her own family knew. The story appeared in mainstream media (The New York Times and Forbes), not information security publications, so the positive result is that people are becoming more aware of the value of their personal information.

However, many people bring privacy breaches upon themselves. I’ve seen snail mail addresses, phone numbers, and birthdates on Facebook. There is no possible way that people can expect privacy when those types of data are posted out in the open. Public data is mined and can be harvested, packaged, and sold to anyone. The data can then be resold to advertisers who want to entice you to buy their products.

According to Wikipedia, security is “the degree of resistance to, or protection from, harm. It applies to any vulnerable and valuable asset, such as a person, dwelling, community, nation, or organization. Security (also known as cybersecurity) is information security as applied to computers and computer networks and data. The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorized access, change or destruction.”

The three tenets or cornerstones of security are confidentiality, integrity, and accessibility. Based on my experience, security is different from privacy in that security is the protection of information from theft. While others might disagree with me, a breach of any type, network or computer, leads to the theft of some type of information, whether it’s the physical theft or the corruption of information. Unplanned events, both natural and man-made disasters, are part of the security umbrella because they can lead to loss of accessibility to data, which is part of the three tenets of security.

Back to the example I began about the five dollars. Here’s how I explain security: Somebody tries to rob you of the five dollars in your pocket. A police officer arrests the man who stole your five dollars, whether right after he gets away, months later, or years later. And sometimes, security is keeping the money in a plastic bag zipped in your pocket while it’s in a washing machine. When you take your pants out of the washing machine, your five dollar bills are still in good shape. This may be a simplistic explanation, but sometimes, simplicity makes the concept understandable.

Businesses are hit from both sides: people and computers trying to breach your privacy as well as those trying to breach your security. It could be argued that businesses should have no expectation of privacy, but specific industries and compliance requirements will determine how much privacy protection is required (for example, banking, government, healthcare, etc.). Security is another issue. All businesses are required to take appropriate security measures regardless of size or industry.

Memorize this reminder: Privacy is a matter of what you are willing to give while security is what someone – whether group, person, entity, disaster – is trying to take from you.

Article in NY Times: How Companies Learn Your Secrets
http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html

Article in Forbes
http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/

__________________
Image Credit: Stuart Miles via FreeDigitalPhotos.net

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.


What Can Recent Data Breaches Teach Your Business?


There have been several data breaches in the news recently, and they should incite fear in your C-suite. Don’t think that your business is immune to a data breach, because it isn’t. Since this could happen to your business – no matter its size – here are some important security lessons.

First, be up front with your customers if and when a breach happens. Don’t sugarcoat the situation. Don’t tell employees and stockholders one story vs. a different story to customers and the media. Be as transparent as possible, and you may still have customers the day after a breach happens. Also, provide a customer service team to handle questions and complaints. Don’t disconnect your customer service number or online chat. Don’t wait weeks or months to inform your customers about a breach.

Second, immediately assemble your security team to dissect the why’s and how’s of the breach. Train employees throughout the company who don’t work in security so that they understand the importance of being proactive when it comes to protecting sensitive corporate data. Your security team can only be effective if all employees understand security.

Third, choose customer-facing personnel carefully. Customers will, without a doubt, have questions resulting from the breach, and they deserve knowledgeable personnel to handle their questions.

Fourth, depending on the extent of your breach, you may want to offer your customers free credit monitoring service subscriptions for specific lengths of time.

Fifth, consider if a product or service discount would be welcomed by customers. Will your customers appreciate a discount, or will they think it’s too little too late?

But above all, don’t think that if you have a data breach, no one will find out. There’s a website just for this purpose. The Privacy Rights Clearinghouse features a Chronology of Data Breaches that is updated on a regular basis – sometimes daily. The site’s tagline is “Empowering Consumers. Protecting Privacy.” Once you take a look, you’ll think of breaches differently. Here’s the link:
http://www.privacyrights.org/data-breach/new

There’s no doubt that a security breach can have a long-lasting impact on your organization, but your response time and quality of response can determine if your customers remain customers or choose your competitors.

_________________

Image Credit: Idea go via FreeDigitalPhotos.net


There Is No Silver Bullet Solution When It Comes to Cyber Security


IBM recently published its “Security Services Cyber Security Intelligence Index” report, an analysis of cyber security attacks and incident data from its worldwide security operations. I had an opportunity to connect with Nick Bradley, Practice Lead, Threat Intelligence and Analysis, Office of Special Security Intelligence Development (OSSID) for IBM global security operations, to discuss the report. Highlights from our conversation follow below.

QUESTION: From an overall security standpoint, do you think companies would be better off in the long run by moving to a thin client environment? Would this eliminate some of the risks facing companies today?
NICK BRADLEY: I think the answer to that question is highly dependent on the environment. There are many benefits as well as drawbacks to running a thin client environment. IBM, for example, has many who are part of the mobile workforce – and this does not work very well with the thin client architecture. However, in a security operations center where data and work are all required to be done within the secure environment, the thin client could be a highly viable option. As with any technology, it has its strengths and weaknesses and is highly situational. There is no silver bullet solution. Every organization must make decisions that best secure its environment while attempting to minimize how the productivity of its employees is affected.

QUESTION: With the Internet of Things (IoT) in the pipeline, companies of all sizes are bombarded by devices attaching to their networks. We have already seen breaches through IP cameras used for company surveillance. Many devices are coming to market with weak security, so how well will we be able to protect large networks as the devices enter the network environment?
NICK BRADLEY: While this may seem like a new threat or risk, that’s not the case. As new technology enters cyberspace, the possibility of new vulnerabilities, new risks, and new ways to exploit them will always accompany it. Think about vulnerabilities that were exploited through network printers many years ago. According to our X-Force trend and risk report, we are seeing an increase in mobile vulnerability disclosures. An interesting fact, though, is that many of the vulnerabilities affecting mobile platforms originate in components that are used in both mobile and desktop software. X-Force recommends Android users check to see if a firmware update is available and consider upgrading. CISOs should also review their bring your own device (BYOD) security policies and their risk assessment of which devices and device profiles are allowed access. While it can be a Herculean effort, organizations should conduct regular penetration tests and assessments of their environments, including any new tech being allowed access to their networks.

QUESTION: Since both personal and corporate email are being pushed to personal devices, it’s important to note that these devices do not usually have malware protection and can become attack vectors. As a result, how is BYOD affecting overall security strategies in large corporations?
NICK BRADLEY: While it is not a good practice to mix your personal email with your corporate email, it is something that we all know can be difficult to control and creates a serious risk for data leakage. There is, however, software as well as services that can help mitigate this risk. In the end though, this is one of those cases where everything that was old is new again. Do not open email or attachments that are from unknown senders. Install an approved security software package on your mobile device. Do not conduct work on open untrusted Wi-Fi connections. The risks here are much the same as those we face with a mobile workforce using a laptop. BYOD is here to stay – and unless a company is going to ban it, then strong security practices, policies, and user education are all extremely important.

QUESTION: Do you think air-gapping would be effective to protect critical assets, or the “Family Jewels” as you refer to them? Would that technique be worth the time and effort to protect high value critical assets, such as intellectual property and financial data?
NICK BRADLEY: While air-gapping is an extremely strong network segmentation technique, it is also highly situation dependent. If there is no need to ever work with the “Family Jewels” outside of that controlled environment, then by all means it is probably one of the most secure practices that can be used. At the end of the day, you can either use this technique or you cannot.

QUESTION: Many global corporations have a decentralized management structure, and as a result, have a hard time with network access control – recall the Edward Snowden incident. Since each location can – and most likely does – have different rules, procedures, and compliance requirements, how can you keep incidents from happening that could damage a company’s global reputation?
NICK BRADLEY: By having strong and constantly updated security practices, policies, and procedures, risks can be minimized. While technology does exist that can assist in this area, some very common but good security practices can be crucial to minimizing risk, such as network segmentation, the principle of least privilege, security clearance on employees where required, etc. As the scope and frequency of data breaches continue in an upward trajectory, a return to basic security fundamentals is essential.

QUESTION: Company-wide security training requires support from ALL members of the management team. Over time, training gets pushed to the side – or the bottom of the priority list – if no significant data breach occurs. So how do you recommend that companies keep security training at the top of the priority list on a regular basis?
NICK BRADLEY: This is an area that a company should not let falter. Develop a plan and maintain it. This is by no means easy and at times can be rather expensive, but the cost of not maintaining security training can be MUCH more costly. This should be maintained with the same level of importance as an emergency response plan or disaster recovery/business continuity plan. Do not allow this to get pushed to the side or to the bottom of the priority list. Make it a mandated requirement and hold management to it. Embedding other processes such as cyber exercises can not only help here, but also bolster interest and support. Additionally, utilizing new technology or software to deliver awareness, such as online training and testing, can be extremely helpful.

“In the end, success hinges upon promoting and supporting a risk-aware culture, where the importance of security informs every decision and procedure at every level of the company. That means secure procedures need to become second nature, much like locking the door behind you when you leave home.”

To learn more, follow on Twitter: @ibmSecurity

———–

Image Credit: Stuart Miles via FreeDigitalPhotos.net.


Bluetooth Low Energy: A Technology That Can Raise Your Blood Pressure


Have you ever wanted to know if a pair of pants on display on the other side of the store is on sale? If you answered yes, well, your phone can now alert you. A technology known as Bluetooth Low Energy (LE) is now able to keep track of you, with precision measured in feet, if you have an iPhone with iOS 7, and soon if you have an Android phone.

Apple’s technology uses transceivers placed in strategic locations. A retail store is an example. Beacons can detect where a user is standing. A retailer can then send a message to the user indicating that there’s a sale on a particular product that may be as close as a rack of clothes within grasp.

With this technology, when a customer walks into a store, provided he or she has downloaded an app, he or she will be welcomed to the store (or welcomed back) and informed of specials or personalized offers that might be available specifically for them.

Apple calls its version of this technology iBeacon. It uses low energy Bluetooth (Bluetooth LE), which is a new version of standard Bluetooth. While existing Bluetooth can run a battery down quickly, this new low energy version can run constantly at very low power – and for many years, since it uses a small watch battery as its power source.
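To make concrete why a beacon can place you within a few feet, here is an added example in Python (my own illustration, not Apple’s code and not part of the original post) that parses a constructed iBeacon advertising payload and turns signal strength into a rough distance. The advertisement bytes, the proximity UUID, and the log-distance path-loss model with exponent 2.0 are assumptions for illustration; the field layout itself (manufacturer-specific data with Apple’s company ID 0x004C, sub-type 0x02, length 0x15, a 16-byte UUID, major, minor, and the calibrated power at one metre) is the published iBeacon format. The privacy point is that every one of these fields is broadcast in the clear, so any nearby receiver, not only the store’s app, can read which beacon you are standing next to and how close you are.

```python
"""Parse an iBeacon advertisement and estimate distance from RSSI.

Added example: the sample packet below is constructed for illustration,
not captured from a real beacon.
"""
import struct
import uuid
from typing import Dict, List, Optional, Tuple

APPLE_COMPANY_ID = 0x004C   # Bluetooth SIG company identifier for Apple
IBEACON_SUBTYPE = 0x02      # iBeacon indicator inside Apple manufacturer data
IBEACON_BODY_LEN = 0x15     # 21 bytes: UUID(16) + major(2) + minor(2) + power(1)


def split_ad_structures(adv: bytes) -> List[Tuple[int, bytes]]:
    """Split BLE advertising data into (AD type, payload) pairs.

    Each AD structure is: 1-byte length (covering type + payload),
    1-byte AD type, then the payload. A zero length byte marks padding.
    """
    structures = []
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0:
            break
        if i + 1 + length > len(adv):
            raise ValueError(f"truncated AD structure at offset {i}")
        ad_type = adv[i + 1]
        payload = adv[i + 2 : i + 1 + length]
        structures.append((ad_type, payload))
        i += 1 + length
    return structures


def parse_ibeacon(adv: bytes) -> Optional[Dict[str, object]]:
    """Return the iBeacon fields if the advertisement carries one, else None."""
    for ad_type, payload in split_ad_structures(adv):
        if ad_type != 0xFF or len(payload) < 4:
            continue  # not manufacturer-specific data
        company = struct.unpack_from("<H", payload, 0)[0]   # little-endian company ID
        sub_type, body_len = payload[2], payload[3]
        if (company, sub_type, body_len) != (APPLE_COMPANY_ID, IBEACON_SUBTYPE, IBEACON_BODY_LEN):
            continue
        body = payload[4 : 4 + IBEACON_BODY_LEN]
        if len(body) != IBEACON_BODY_LEN:
            raise ValueError("iBeacon body shorter than declared length")
        # UUID, major and minor are big-endian; measured power is a signed byte (dBm at 1 m)
        raw_uuid, major, minor, tx_power = struct.unpack(">16sHHb", body)
        return {
            "uuid": str(uuid.UUID(bytes=raw_uuid)),
            "major": major,
            "minor": minor,
            "tx_power_dbm": tx_power,
        }
    return None


def estimate_distance_m(tx_power_dbm: int, rssi_dbm: int, path_loss_exponent: float = 2.0) -> float:
    """Log-distance path-loss estimate (assumption: free-space exponent 2.0).

    tx_power_dbm is the calibrated RSSI at 1 m that the beacon advertises;
    rssi_dbm is what the phone actually measured.
    """
    return 10 ** ((tx_power_dbm - rssi_dbm) / (10 * path_loss_exponent))


# Constructed sample advertisement: flags AD structure followed by Apple
# manufacturer data carrying an iBeacon (UUID below is made up).
SAMPLE_ADV = bytes.fromhex(
    "020106"                            # flags: LE general discoverable, BR/EDR unsupported
    "1aff4c000215"                      # len 0x1a, type 0xff, Apple 0x004c, iBeacon 0x02, len 0x15
    "e2c56db5dffb48d2b060d0f5a71096e0"  # proximity UUID (constructed)
    "0001"                              # major = 1 (e.g. store number)
    "0002"                              # minor = 2 (e.g. clothing rack)
    "c5"                                # measured power = -59 dBm at 1 m
)

if __name__ == "__main__":
    beacon = parse_ibeacon(SAMPLE_ADV)
    print(beacon)
    for rssi in (-59, -69, -79):
        print(f"rssi {rssi} dBm -> ~{estimate_distance_m(beacon['tx_power_dbm'], rssi):.1f} m")
```

The tx_power byte is the beacon’s calibrated received signal strength at one metre; comparing it with the RSSI the phone actually measures is how an app turns a broadcast into “within reach of this rack”. Walls and bodies make the estimate noisy, which is why apps usually report coarse zones (immediate, near, far) rather than exact distances, and nothing in the packet authenticates the beacon or hides its identifiers from a passive listener.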

This updated Bluetooth technology is being used for medical, sports, and home devices, such as heart monitors and diabetes pumps and Nike devices that work with an iPhone/iPod/iPad, and it will soon be used in home door locks.

But of course, there is a dark side to this new technology. Bluetooth LE, also called Bluetooth Smart, is hackable – and more easily hackable than standard Bluetooth devices. For more details about the device “Ubertooth” used for the hack, check out http://www.ubertooth.sourceforge.net.

The most dangerous aspect of this new technology can be found in medical devices. These devices include heart monitors, pace makers, blood glucose meters, and others that don’t need to send large amounts of data in constant streams but, instead, low amounts of data in short or continuous bursts.

Also, using them in home devices is a robbery waiting to happen. Anyone can throw a Ubertooth device into the bushes and grab your unlock codes when you leave or enter your home. Breaking and entering is no longer necessary if criminals can easily walk through your front door.

There are no solid encryption protocols in place for BTLE. Until there are, this technology should be avoided for devices that our lives may depend on. You can’t opt out of your heart monitor or insulin pump. Fortunately you don’t have to use BTLE to lock your doors.

The take-away lesson for all businesses – whether small, midsize, or Fortune 100 – is the same. Don’t adopt new technologies just because they’re new. The wise decision is to wait for the kinks to be worked out, then test thoroughly for a reasonable period of time. Once the kinks are worked out, go ahead and use the technology with caution. NEVER add a technology that can enter your network at will and cause damage without thoroughly vetting it first.
_____________________
Image Credit: Stuart Miles via FreeDigitalPhotos.net