Social Networking Security
3 July 2009 by Jeff Hayes.
I admit it, I am a social media junkie. I have three classes of accounts for three different purposes: two business related (including myCSO Solutions) and one personal. Like most things in life, there can be too much of a good thing, and social media can be one of them.
A recent article in CSO magazine, “Seven Deadly Sins of Social Networking Security,” provides good advice for businesses using social media:
- Over-sharing company activities
- Mixing personal with professional
- Engaging in Tweet (or Facebook/LinkedIn/Myspace) rage
- Believing he/she who dies with the most connections wins
- Password sloth
- Trigger finger (clicking everything, especially on Facebook)
- Endangering yourself and others
One of the purposes of using social media for businesses is to help establish the company’s credibility in the particular target market in which it chooses to compete. If you are a company that builds satellite receivers, then your commentary should be on telecommunications, namely satellite communications. If you are a restaurant chain, you should comment on the food industry and your segment therein.
If I am going to follow you on Twitter or be your fan on Facebook, I better get something for it. Not a lot but enough to keep me interested. Maybe I need to know if you are running a special for the month, have a new product or are attending or sponsoring an industry event.
I don’t need to know where you went to lunch or that Suzie was promoted from assistant office manager to office manager.
Because of the popularity of social media sites, there are some dark sides to them. This is a minute minority, but prudence is warranted. This is especially the case with Twitter. There are millions of Twitter accounts that are set up for garbage purposes and are not worth the silicon they consume. The key is to be careful who you follow, making sure the content is appropriate for what you are trying to do.
I would recommend that a business be more involved in content creation and promotion on its chosen social media accounts than in being an actual consumer of them.
A reasonable approach to social media, one that couples it with a solid search engine optimization plan for your web site, will help drive viewers to your company’s web site. The end goal for social media should be to increase revenues for the company. Social media should be considered a marketing tool. If done with taste and proper messaging, those following your social media sites will get what they expect and not a bunch of spam, inappropriate ramblings or security exploitations.
Posted in Social Network Security
Mistakes of Home Office Computing
26 June 2009 by Jeff Hayes.
I have worked at home for part of each week for over ten years. I have never had any guidance from my employer on security practices, mandates or recommendations (except where I am the employer or part-owner). I think I do a pretty decent job of securing my home and mobile computing environment.
I was interested in how I fared after reading a recent article entitled “Seven Deadly Sins of Home Office Security.” Let’s consider them:
- Failing to physically secure the office.
- Failing to install the most basic computer security measures.
- Forgetting Wi-Fi security.
- Failing to separate your business from your home.
- Failing to remember your office is a place of business and is held liable as such.
- Forgetting to back up data.
- Failing to consider bigger business continuity issues.
Probably my biggest mistake, according to this list, is separating my business from non-business activities as it relates to my computer. For me, who works in a small business environment, my business is very much part of my life and working at home is what I do.
If I want to watch a Netflix streaming video on my computer, I will do so without hesitation.
I back up regularly, but probably not regularly enough. I am thinking strongly about a remote backup system to bolster my business continuity posture.
This list is a good checklist. But the better solution is for the management team to insist upon a prudent yet reasonable approach to remote and home computing with clear policies backed by consistent audits and enforcement.
Posted in Physical Security, Remote Access, Privacy
National Cyber Czar: Good or Bad?
1 June 2009 by Jeff Hayes.
On Friday, President Obama made some remarks on securing our nation’s cyber infrastructure. Some highlights are:
- It’s the great irony of our Information Age — the very technologies that empower us to create and to build also empower those who would disrupt and destroy.
- America’s economic prosperity in the 21st century will depend on cybersecurity.
- Cyber threat is one of the most serious economic and national security challenges we face as a nation.
- This status quo is no longer acceptable — not when there’s so much at stake.
- Protecting this infrastructure will be a national security priority. We will ensure that these networks are secure, trustworthy and resilient. We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.
All accurate. All worthy comments. Obama then went on to describe his strategy in five key areas:
- Working in partnership with the communities represented here today, we will develop a new comprehensive strategy to secure America’s information and communications networks
- Working with all the key players — including state and local governments and the private sector — to ensure an organized and unified response to future cyber incidents.
- Strengthening the public/private partnerships that are critical to this endeavor.
- Continuing to invest in the cutting-edge research and development necessary for the innovation and discovery we need to meet the digital challenges of our time.
- Beginning a national campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms, and to build a digital workforce for the 21st century.
So will it work? Will an Internet czar help protect against cyber attacks? Is the praise being heaped upon the new cybersecurity direction merited? Can a cybersecurity czar make a difference in a government full of turf wars, departmental budgets, and various opinions on what to do and how to do it?
A cyber defense should be part of our military defense. For the most part, it is. Key to most information security programs and policies is to promote the confidentiality, integrity and availability of information. The problem is that, collectively, we have done a poor job of ensuring this is the case. This is not because of a lack of effort or expenditure. There are smart IT and security personnel working in the various agencies. They know what they are doing. The question we must ask is: What makes Obama think that having a czar that reports to him — but who has no budgetary or personnel control over the various agencies — will be successful in making cyber space safer for the nation? Are we just adding another bureaucrat that returns and reports, but accomplishes little?
Government is rarely the answer. Obama has already established his own record of how not to use government for the betterment of all. In order for cybersecurity to work as a nation, it will be up to each agency, state, city, country, industry and private firm to defend its portion of cyber space. Having a solid, national cyber security blueprint with funding hooks and accountability might help the various entities get on the same page.
Posted in Homeland Security
Information Destruction and Data Loss Prevention
29 May 2009 by Jeff Hayes.
Are you an information hoarder? Are you one of those who thinks “I had better save this because I might need it some day”? An effective document destruction practice can help prevent information from falling into the wrong hands, be they competitors, media, employees, partners, government agencies or lawyers.
Ben Rothke’s recent article in CSO magazine, “Why Information Must Be Destroyed,” written in two installments, provides good insight into the issue.
No one is suggesting that a firm violate legal and regulatory requirements. Rather, a firm should support those requirements to a fault, and nothing beyond.
Some people still think they need to print out copies of certain documents because they are easier to read. After spending the past 3 years teaching online courses, I have learned that online reading, even of textbooks and long articles, is a learned skill. It is one I appreciate and am thankful for. It saves on cabinet space. I remember having large paper files and filing cabinets. I have one at home and one at work. They are mostly empty and rarely get used. Needed information is kept on secure hard drives in multiple locations. Any paper not needed is tossed, shredded or placed in secure containers associated with a viable information destruction company (mobile- or plant-based shredders).
What information should be shredded when no longer needed? Although it will vary between industries, here’s a good list, albeit incomplete:
- Account records
- Activity sheets
- Advertising
- Applications
- Appraisals
- Bank statements
- Bids and quotes
- Budgets
- Business plans
- Canceled checks
- Client lists
- Contact lists
- Corporate tax records
- Correspondence
- Customer records
- Disciplinary reports
- Educational reports
- Expense reports
- Financial statements
- Forecasts
- Formulas, product plans and tests
- General service information
- Health and safety reports
- Internal reports
- Legal Documents
- Lottery tickets
- Magnetic media
- Maps and blueprints
- Marketing plans
- Medical records
- Microfilm / microfiche
- New product information
- Payroll documents
- Performance appraisals
- Personnel files
- Plastic credit and ID cards
- R&D reports
- Sales forecasts
- Specification drawings
- Strategic reports
- Strategies
- Supplier POs
- Supplier reports
- Supplier specifications
- Test scores / class rosters
- Training information
- Treatment programs
- Encryption key management information
In part 2 of Rothke’s article, he comments on the need for, and the process of, destroying digital media. Hard drives fail. Computers reach end of life, either practically or financially. Mobile digital media have a life span. All of this material needs to be destroyed or sanitized according to industry or policy guidelines. There is a right way and a wrong way to clean and/or destroy media. This can be done in-house or outsourced.
Create an information destruction plan and execute it consistently. Physical and digital media destruction or sanitization are key components of an effective data loss prevention program.
Posted in Physical Security
Anti-Counterfeiting Trade Agreement
14 May 2009 by Jeff Hayes.
Not the traditional playground of security personnel, but for many companies, ensuring the integrity of their intellectual property can be a make-or-break situation. Just about every company has some form of IP. It could be a physical product, a software application, a process or procedure. Protecting it in a global economy is paramount.
A friend of mine manufactures a range of consumer-oriented products. One day, while they were in a public place, one of his kids said, “Dad, this is one of yours.” My friend looked closer, and it was a knock-off of his product from China, installed and used right here in America, about 15 miles from his manufacturing plant.
The Office of the United States Trade Representative (USTR) is an agency that negotiates directly with foreign governments to create trade agreements, resolve disputes and participate in global trade policy organizations. It recently released (leaked) a summary of the key elements of the Anti-Counterfeiting Trade Agreement. Almost all of the negotiations have been behind closed doors over the past two-plus years.
New to this agreement are items dealing with Internet-based content, including the criminalization of copyright infringement even in cases where there is no profit motive. It will be interesting to see what is required in the areas of copyright enforcement and policing of end-user behavior, and how information will be shared (if at all) between service providers, businesses and government agencies.
Posted in Counterfeiting, Privacy
Click Fraud and the Small Business Concern
13 May 2009 by Jeff Hayes.
Many businesses, large and small, engage in product promotion on Google, Yahoo! and MSN. Pay-per-click (PPC) is a way organizations can buy face-time with those in their target markets. For some industries and with certain keywords, this can be expensive.
Ideally, having a Web site optimized for natural search is best, but it is sometimes difficult and costly. So many companies will spend a great deal of their marketing budgets on Internet promotion. They will create an ‘ad word’ campaign, limiting themselves to some daily budget. That budget might be $25 a day or $25000 a day.
For each keyword or range of keywords an end user enters into a search engine, a certain number of sponsored links will be returned, along with the natural search results. Those bidding the highest will achieve the most prominent positions on the search results page. The end user has the option of clicking any of those resulting items, based on their relevance to the inquiry. If the user clicks on one of the sponsored links, that single click will cost the owner of that site a certain amount of money — whatever the bid was for that word and position. (The site owner pays via a credit card or some other payment means on file with the search engine provider.) Based on the number of searches for that range of keywords, the firm running the PPC campaign will often reach its daily budget. Once the budget is gone, its sponsored link will no longer be returned for that range of keywords or that campaign until the 24-hour clock resets.
A problem confronting those engaged in PPC is that someone with ‘bad intent’ can click on a competitor’s PPC ad with the explicit purpose of spending that competitor’s PPC budget. The result wastes the targeted company’s money and can leave the clicker with a more prominent page position, often without spending as much money as the company it targeted. There is little the PPC campaign owner can do. In fact, it takes careful analysis by the marketing manager to even suspect foul play. It is a problem that only the search engine provider can address.
Recently, the Interactive Advertising Bureau published guidelines for determining when fraudsters are taking advantage of pay-per-click (PPC) advertisements. The Click Measurement Guidelines (a 27-page PDF) are summarized as follows:
- Define the technical life-cycle of a “click” and outline standard methodologies by which clicks should be measured and counted, including provisions for identifying invalid and/or fraudulent clicks.
- Establish standard terms that will help streamline the buying and selling of click-based media.
- Increase transparency and consistency in click measurements for media companies, ad-serving organizations, advertisers, and third-party click auditors.
Estimates of fraudulent clicks range from below 10 percent to as high as 17 percent. Regardless, as one who has run and still runs PPC campaigns, I welcome the advertising industry and the search engine providers making attempts to address this. With the amount of money we are talking about, it is critical for building credibility for this form of advertising.
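The budget-burning pattern described above, a single source clicking an ad repeatedly until the daily budget is gone, is exactly what the guidelines’ provisions for identifying invalid clicks are meant to catch. The script below is an added example, not code from the original post or from the IAB: it reads a constructed click log, flags bursts of clicks from one source inside a short window as invalid, and shows how much of the day’s spend those clicks consumed and whether the campaign would still have reached its budget without them. The log format, the 5-minute window, the 3-click threshold and the $10 budget are all assumptions chosen for illustration; a real analysis would use the click data the search engine provider exposes.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample click log (not real data): time, campaign, source address, cost per click in USD.
# One source clicks five times in half a minute, then twice more spaced out; two other sources click once.
SAMPLE_LOG = """time,campaign,source,cost
2009-05-13T09:00:05,satellite-rx,198.51.100.7,1.25
2009-05-13T09:00:09,satellite-rx,198.51.100.7,1.25
2009-05-13T09:00:14,satellite-rx,198.51.100.7,1.25
2009-05-13T09:00:20,satellite-rx,198.51.100.7,1.25
2009-05-13T09:00:31,satellite-rx,198.51.100.7,1.25
2009-05-13T09:02:10,satellite-rx,203.0.113.44,1.25
2009-05-13T09:05:45,satellite-rx,198.51.100.7,1.25
2009-05-13T09:10:00,satellite-rx,192.0.2.99,1.25
2009-05-13T09:12:30,satellite-rx,198.51.100.7,1.25
"""


def parse_clicks(text):
    """Parse the CSV click log into dicts, sorted by time so the window logic sees clicks in order."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "time": datetime.fromisoformat(row["time"]),
            "campaign": row["campaign"],
            "source": row["source"],
            "cost": float(row["cost"]),
        })
    rows.sort(key=lambda r: r["time"])
    return rows


def flag_burst_clicks(clicks, window=timedelta(minutes=5), max_clicks=3):
    """Return the indexes of clicks treated as invalid.

    A click is flagged when the same source already has `max_clicks` or more clicks
    inside the trailing `window`; earlier clicks from the source stay billable.
    """
    recent = defaultdict(list)  # source -> times of its earlier clicks still inside the window
    flagged = []
    for i, click in enumerate(clicks):
        times = recent[click["source"]]
        cutoff = click["time"] - window
        times[:] = [t for t in times if t > cutoff]  # drop clicks that fell out of the window
        if len(times) >= max_clicks:
            flagged.append(i)
        times.append(click["time"])
    return flagged


def budget_impact(clicks, flagged, daily_budget):
    """Split the day's spend into valid and invalid clicks and find when the budget ran out."""
    flagged_set = set(flagged)
    total = invalid = valid_running = 0.0
    exhausted_at = exhausted_without_invalid_at = None
    for i, click in enumerate(clicks):
        total += click["cost"]
        if i in flagged_set:
            invalid += click["cost"]
        else:
            valid_running += click["cost"]
            if exhausted_without_invalid_at is None and valid_running >= daily_budget:
                exhausted_without_invalid_at = click["time"]
        if exhausted_at is None and total >= daily_budget:
            exhausted_at = click["time"]
    return {
        "total_spend": round(total, 2),
        "invalid_spend": round(invalid, 2),
        "valid_spend": round(total - invalid, 2),
        "budget_exhausted_at": exhausted_at,                      # None if the budget survived the day
        "exhausted_without_invalid_at": exhausted_without_invalid_at,
    }


if __name__ == "__main__":
    clicks = parse_clicks(SAMPLE_LOG)
    flagged = flag_burst_clicks(clicks)
    for i in flagged:
        print(f"invalid: {clicks[i]['time']} {clicks[i]['source']}")
    report = budget_impact(clicks, flagged, daily_budget=10.00)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the sample log, two of the burst clicks are flagged, the campaign hits its $10 budget at 09:10, and the valid clicks alone ($8.75) would have left it live for the rest of the day; that last figure is the number a marketing manager needs when taking a dispute to the search engine provider.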
Posted in Web Security
Google Privacy: Are We Screwed?
11 May 2009 by Jeff Hayes.
There are few things we can do electronically involving the Internet and modern communications that are private. Our credit and debit cards leave a rich behavior trail. The phone company knows who, when and where we call and who calls us. They have a record of our text messages. Our instant messaging partner has a log of our IM activities. Our ISP certainly knows every web site we visit. And for the most part, our preferred search engine provider has a log of our search history.
Although there are many search engines, Google dominates. They dominate because they return relevant links based on our inquiry. Its secret sauce is good. Is there any way around it?
A recent article suggested six things we can do to protect our privacy when using Google services:
- Know your privacy rights.
- Protect your content on the services you use.
- Turn off the suggestion feature in the Chrome browser.
- Turn off Web History.
- Opt out of interest-based ad serving.
- Add SSL to Gmail.
This advice should be classified in the good housekeeping arena. Even these things are not going to keep Google, or any other search engine or service provider, from formulating a user profile on each of us.
The bottom line is that we should know that big brother is watching and big brother wears multiple hats. As the lines between government and corporate blur, the problem will only worsen.
Whether we have things to hide or not, the government and business clearly are pushing the limit on our American Constitution’s 4th Amendment. With the trends in society today, the Constitution is, unfortunately, becoming a historical document with some good suggestions, one that can be interpreted to suit the times. We are seeing it melt before our very eyes.
Prudence says everything we do online is being logged and we should act accordingly.
Posted in Privacy
Internet Warfare and American Readiness
8 May 2009 by Jeff Hayes.
According to a recent article in Computerworld by Jaikumar Vijayan, Internet Warfare: Are We Focusing on the Wrong Things?, some are concluding:
More than seven years after the terrorist attacks of Sept. 11, 2001, there’s widespread consensus that federal efforts to secure cyberinfrastructure are bogged down by a lack of vision, planning and leadership. While the government has struggled to come up with a cohesive national strategy for defending its interests on the Internet, threats in cyberspace have continued to grow and today pose a grave risk to national and economic security.
Adversaries, which include unfriendly governments and militaries, intelligence agencies, organized criminal groups and hacktivists, have by most accounts already penetrated U.S. government and private networks or are actively engaged in doing so.
We certainly have the technical know-how to defend our computing systems. But like most things government does, it gets bogged down in bureaucracy, egos and the sheer scope of the tasks.
There are so many agencies, departments and divisions with overlapping initiatives. Each of these entities has its own cyber security strategy. National cyber security plans exist. But core to the problem is that there is not a unified mandate or declaration that our cyberinfrastructure is a vital asset for national and economic security. If we threw the right resources at it, as we do at many other less important things, we could get our hands around the problem.
Like most things with the federal government, money is spent on some politician’s latest project that benefits his constituencies alone, the latest emergency of the day, or, most recently, the federalizing of private industries. They can hold hearings, form committees and create strategies, but nothing will happen until a MAJOR cyber incident shuts down and/or compromises a significant aspect of our society, infrastructure or commerce.
Cyber defense is not a technical problem; it is a people and organizational problem.
Posted in Homeland Security
Prudent Browsing Makes for a Safer Cyber World
6 May 2009 by Jeff Hayes.
Where do most security incidents come from? External hackers? Disgruntled employees? Probably not. For most organizations, it is the innocent employee.
Whether it is politics, business or technology, the most damaging thing is ignorance. People are ignorant of the damage that can occur through careless browsing habits. Why? Because significant security incidents are rarely experienced by the average computer user.
Most computer users do a limited number of things: they check email, run a word processor, download photos, copy music and browse the Internet for news, sports, products, etc. A browser is the most used application on most desktops, laptops or netbooks. Few have had any instruction on the security implications of their browsing habits.
Recently, Joan Goodchild posted a short list of five security mistakes people make when browsing the Internet:
- Blindly installing ActiveX controls
- Trusting bad SSL certificates
- Allowing unsigned content
- Letting curiosity get the best of you
- Having a ‘just do it’ mentality
Most people do not know what ActiveX even is. All they know is that if they check it, the pop-up box goes away and they get to their “intended” destination. Likewise, who knows what SSL is? A “bad SSL cert” means what to the average bloke? A user clicks on a link that requires an application that does not appear to be on the user’s local machine. The pop-up says you can run it if you click “here.” What does the average user do? Clicks “here,” wherever “here” might take him/her.
Spam is still rampant because enough people, albeit a small number, still click on the message to find out more, whether it is a free financial check-up, a must-have coupon for lunch, or someone from your high school who is interested in hooking up.
We all view our computer as a utility: it just must work. Most of the time it does. But ignorant browsing is going to catch up eventually, if it has not already (most will not associate their insecure browsing habits with PC performance degradation).
In March 2009, Bill Brenner gave his 10 IE Browser Settings for Safer Surfing:
- Disable XPS documents
- Disable font download
- Disable inclusion of local file directory path when uploading files to a server
- Disable prompting if you are prone to just clicking “yes”
- Always prompt for username and password
- Disable SSL 2.0 support
- Enable TLS support
- Disable searching from the URL bar
- Disable unnecessary add-ons
- Uninstall old Java installations
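The two items about SSL 2.0 and TLS map to a single per-user registry value, SecureProtocols, which Internet Explorer stores as a bitmask behind the “Use SSL 2.0” and “Use TLS 1.x” check boxes on the Advanced tab. The script below is an added example, not part of the original post or of Bill Brenner’s article: it decodes that bitmask, reports whether SSL 2.0 is still on and whether any TLS version is enabled, and computes a hardened value. The registry path, the value name and the bit assignments are the ones Microsoft documents for this setting and are taken here as assumptions; the sample value WEAK_SETTING is constructed. On a non-Windows machine the script audits the sample value instead of the live registry, so it runs anywhere.

```python
# Added example (not from the original post): decode and harden Internet Explorer's
# SecureProtocols bitmask. Registry location and bit values follow Microsoft's
# documentation for this setting (assumption); WEAK_SETTING is a constructed sample.
import sys

REGISTRY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"  # under HKEY_CURRENT_USER
VALUE_NAME = "SecureProtocols"

# One bit per protocol; a set bit means the protocol is enabled in IE.
PROTOCOL_BITS = {
    "SSL 2.0": 0x008,
    "SSL 3.0": 0x020,
    "TLS 1.0": 0x080,
    "TLS 1.1": 0x200,
    "TLS 1.2": 0x800,
}
LEGACY_SSL = PROTOCOL_BITS["SSL 2.0"] | PROTOCOL_BITS["SSL 3.0"]
ALL_TLS = PROTOCOL_BITS["TLS 1.0"] | PROTOCOL_BITS["TLS 1.1"] | PROTOCOL_BITS["TLS 1.2"]

# Constructed weak configuration: SSL 2.0 and SSL 3.0 on, no TLS at all (0x28).
WEAK_SETTING = PROTOCOL_BITS["SSL 2.0"] | PROTOCOL_BITS["SSL 3.0"]


def decode_secure_protocols(value):
    """Map each protocol name to whether its bit is set in the bitmask."""
    return {name: bool(value & bit) for name, bit in PROTOCOL_BITS.items()}


def audit_secure_protocols(value):
    """Return the findings for the two list items: SSL 2.0 must be off, some TLS version on."""
    enabled = decode_secure_protocols(value)
    findings = []
    if enabled["SSL 2.0"]:
        findings.append("SSL 2.0 is enabled; disable it")
    if not (value & ALL_TLS):
        findings.append("no TLS version is enabled; enable TLS")
    return findings


def hardened_value(value):
    """Clear SSL 2.0 (and SSL 3.0, which current practice also retires) and enable every TLS bit."""
    return (value & ~LEGACY_SSL) | ALL_TLS


def read_current_setting():
    """Read the live value on Windows; return None elsewhere (or if unset) so the example runs offline."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REGISTRY_PATH) as key:
            value, _ = winreg.QueryValueEx(key, VALUE_NAME)
            return int(value)
    except OSError:
        return None


if __name__ == "__main__":
    current = read_current_setting()
    value = WEAK_SETTING if current is None else current
    print(f"SecureProtocols = 0x{value:X}" + (" (constructed sample)" if current is None else ""))
    for name, on in decode_secure_protocols(value).items():
        print(f"  {name}: {'enabled' if on else 'disabled'}")
    for finding in audit_secure_protocols(value):
        print("finding:", finding)
    print(f"hardened value: 0x{hardened_value(value):X}")
```

The script only reads; writing the hardened value back is a one-line registry change, but on a managed machine it belongs in Group Policy so the setting survives the next “just click yes” moment.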
You know the clichés: “Common sense is not all that common.” “If something seems too good to be true, it probably is.” “Free is never free.” I know it is hard to face, but 23-year-old beautiful women are not interested in blind dates or 50-plus-year-old men.
A little education can go a long way in protecting our personal and business computing environments. It all starts with prudence on the part of the end user and the browser.
Posted in Web Security
Losing Sleep Due to Security Woes
5 May 2009 by Jeff Hayes.
What keeps you up at night? What wakes you in the middle of the night? Besides a crying baby, barking dog or noisy neighbors, most of us have something that stresses us out. Personal finances, job security, relationships are at the top of the list for many.
I tend to have business concerns, those that come from running a business with a few colleagues. How can we meet our financial obligations? What can I do to identify and get in front of new customers? Are we going to get paid this month?
For Melissa Hathaway, the acting senior director for cyberspace for the National Security and Homeland Security Councils, it’s the world’s digital infrastructure. For her, it should be. Anyone who accepts a high-ranking position in the government or industry had better have sleepless nights.
Criminals never sleep. Cyber-crime is 24×7. Tools designed to probe, exploit and manipulate are at it non-stop. Because we live in a cyber-world, our defenses never rest. They can never take a day off.
For the small business owner or general manager, selling products, meeting payroll and keeping employees, partners and customers happy are paramount.
Just as our digital infrastructure was driven more by considerations of interoperability and efficiency than of security, most of our IT systems have evolved rather than getting built with an underlying security plan.
Every business, regardless of size and industry, needs to take an occasional step back and assess the risks posed to the on-going operations of the business. Do we have a realistic and tested business continuity plan? Do we have a data back-up and recovery plan? Do we have a plan to deal with “Joe, the IT guy, getting hit by the bus”?
I suspect few CEOs and GMs are kept awake at night by cyber-security risks. But if one expands the question to include all business operations, then that which might have been considered unlikely quickly becomes something with a probability that needs some attention.
In today’s world, information security and availability are everyone’s concern.
Posted in Homeland Security