Equifax

Much is being written about the Equifax data hack. You can read about it here or here or here if you’ve not yet read much about it.

I saw a post on Twitter the other day that cracked me up.


One report in the NY Times suggested that Equifax doesn’t even know who is impacted.

Here is the deal: Equifax's business is to gather this information and sell it to third parties. When you need a loan or want a new credit card, the company extending credit to you goes to this company, or ones like it, to check on your credit. They gather this information from lots of different places and you have no way to tell them to stop doing this. They are creating this database of information about you and you have no control over how they protect this most sensitive information.

We are the ones impacted by their lack of security. We are the ones further impacted by the huge delay in telling us. What was stolen is about us and it impacts us. Equifax might take a stock hit, but not much more.


This company needs to be put out of business. The class action lawsuit should put them out of business. There should even be clawbacks on executive compensation and stock options.

A year of credit monitoring is not even meaningful punishment for this poor stewardship and lack of proper security protection.

Company and organization leadership teams need to take the protection of confidential information seriously.  There need to be examples, like here, where the company is put out of business because of their lack of proper attention and focus. Probably the CIO will be fired, but really, the board and the senior leadership team should be fired.


Compromised Email

A friend of mine had his security compromised a few days ago when someone managed to steal some information from him and cause further damage. He called and wanted to know things he should do.

I told him to assume his home computer (or all of them, if he had several) was compromised and I encouraged him to use a different platform (a Chromebook in this case) to start resetting his passwords and revalidating his information. Leave the likely compromised home computer alone for a while. Turn it off.

He started down this path and then re-logged into his email account (gmail in this case) and changed the password.

I wasn’t with him at this time, but a few minutes later it occurred to me that he ought to look at the filters or rules that he had put in place to process his email, so I sent him that message. I don’t know why I thought of this, as I don’t recall thinking of it or reading about it before, but I just thought he ought to look at his filters. He looked.

Someone had put a filter in place to block certain inbound emails and send them elsewhere.

So, his email had been compromised and the perpetrators had been clever enough to put filter rules in place to further hide the compromise as long as possible. Amazing. I had never considered this before and I’m still thinking about its implications.
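The filter trick described above is easy to check for if you export the account's filters and read them as a defender would. The script below is an added example (not part of the original post); it assumes the layout of Gmail's filter export (Settings > Filters and Blocked Addresses > Export), an Atom feed in which each filter is an entry with apps:property elements such as from, hasTheWord, forwardTo, shouldTrash, shouldArchive and shouldMarkAsRead. The sample export, the keyword list and the addresses in it are constructed for illustration.

```python
"""Audit a Gmail filter export for rules that divert or hide mail.

Added example, not code from the original post. The sample XML below is
constructed; the property names follow Gmail's filter export format.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Words that appear in mail an intruder would rather the owner never sees
# (password resets, sign-in alerts, payment traffic). Constructed list.
SENSITIVE_WORDS = ("password", "security alert", "new sign-in",
                   "verification", "invoice", "wire")

# Constructed sample export: one benign newsletter rule and two rules of the
# kind described in the post (one deletes alerts, one forwards bank mail).
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password OR "security alert"'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='bank@example.com'/>
    <apps:property name='forwardTo' value='unknown-address@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return each filter entry as a dict of property name -> value."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    filters = []
    for entry in root.findall(ATOM + "entry"):
        props = {}
        for prop in entry.findall(APPS + "property"):
            props[prop.get("name")] = prop.get("value", "")
        filters.append(props)
    return filters


def suspicious_reasons(props):
    """List the reasons one filter looks like it diverts or hides mail."""
    reasons = []
    if props.get("forwardTo"):
        reasons.append("forwards to " + props["forwardTo"])
    if props.get("shouldTrash") == "true":
        reasons.append("deletes matching mail")
    # Archive or mark-as-read rules are normal for newsletters but not for
    # the words an attacker wants silenced; inspect the match criteria.
    criteria = " ".join(props.get(k, "") for k in
                        ("from", "to", "subject", "hasTheWord")).lower()
    hides = (props.get("shouldArchive") == "true"
             or props.get("shouldMarkAsRead") == "true")
    if hides and any(word in criteria for word in SENSITIVE_WORDS):
        reasons.append("hides mail matching sensitive keywords")
    return reasons


def audit_filters(xml_text):
    """Return (index, properties, reasons) for every suspicious filter."""
    findings = []
    for index, props in enumerate(parse_filters(xml_text)):
        reasons = suspicious_reasons(props)
        if reasons:
            findings.append((index, props, reasons))
    return findings


if __name__ == "__main__":
    for index, props, reasons in audit_filters(SAMPLE_EXPORT):
        print(f"filter #{index}: {props} -> {'; '.join(reasons)}")
```

On the sample export the script flags the second filter (it trashes and marks as read anything mentioning passwords or security alerts) and the third (it forwards bank mail to an address the owner does not recognise), while the newsletter rule passes. Filters are only one hiding place: the same review should cover the account's forwarding and POP/IMAP settings, recovery addresses and phone numbers, and any connected third-party apps, since an intruder who can add a filter can change those too.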

If you get your email or computer compromised, you really need to start over on a new platform and then methodically regain control of your accounts. And, turn on two-factor authentication wherever you can.

Be careful out there.

Security Talk for Friends


The security risks that we are all facing, individually and as households, are getting so severe that I’ve decided to prepare a presentation and give it to a gathering of friends. I’m going to talk about the basics of passwords, two-factor authentication, best practices with your endpoints and your home network, and finally best practices when traveling. The key point that I’m trying to get across is that we need to trust less and we need to be proactive in managing our security and privacy.

I did this 1.5 years ago with family and heard a lot of good feedback; however, my 4-year-old nephew, who was on the floor playing with dinosaurs at the time, rolled over and announced in a loud voice that this was boring!

Copies of this material and some other resources are posted on the security page above.

Mark


Phishing Boom

Have been reading about and experiencing an increase in phishing attacks and an increase in their sophistication. Wikipedia defines phishing as:

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

There was a good article published late last year which talks about why they are getting more dangerous, and I highly recommend you take a look at it. Phishing emails are harder to spot: they come from trusted sources, they know a lot about you and the people you are around, and they have specific targets in mind to steal from you. They are no longer impersonal emails about a package delivery. Now they are related to your job function and they may reference people you know. This article is spot on.

An article published last October told of how to spot these emails. I recommend you study this message and then pass it along to friends and family. You might think you’ve got this figured out, well then help your co-workers, family and friends figure it out too.

About 18 months ago I did a security ‘talk’ to my family and I covered topics like passwords, computer updates, phishing and other related ideas. I think I need to do it again and I was thinking about doing an afternoon session for whoever wants to attend where I go to church. If you are informed, tell someone else. This stuff is dangerous.

Change


Seems to me that lots of change is about to happen in corporate IT. There has been chatter for years about everything moving to the cloud, or disk drives being dead, or everything having to be mobile, or the like, and most of those brash predictions are just nonsense. They might be true in a corner or in a niche or in some limited applications, but in general, they are nonsense. Few things in IT change overnight or even in a year. Many times it takes decades.

WSJ just posted an article about things we’d like to see die (fax machines) and it is mostly about right. The bulky ERP on the list is right and wrong. Yes, we’d like them to go away and magically be in the cloud, which means someone else’s computer, but it just can’t happen quickly for big organizations. The shift to some of these platforms is really, really, really hard.

However, this time it feels like change is happening. Incrementally. Here are some thoughts:

  1. There is going to be turmoil and turnover in applications used and deployed in the coming years. It is likely that apps installed and put into production last year will be replaced by different applications next year. There are new SaaS solutions appearing weekly and some vendors are integrating lots of functions into a suite (ServiceNow, Salesforce.com, WorkDay, etc.).
  2. Data growth will continue with no real slowdown in sight. Storage is cheap and the engineers want to save everything forever. The data scientist types will want the data saved forever too.
  3. Turmoil will continue with hardware and software vendors. The current wave of M&A activity will continue. Suites gobble up small application companies. Infrastructure companies gobble up other infrastructure companies. Others just won’t make it. The hype cycles will continue.
  4. Security or information protection is getting harder. No easy end in sight.
  5. Lots of stress in IT. Do all of the above, spend little or less, keep everything secure and be faster.

What else?

Privacy

Earlier this month I had the chance to speak to third-year law students about technical issues around privacy. My contribution to the class was to point out the impossibilities and the rough edges around rules and laws that perhaps are not well thought through or well understood by those who create the laws.

The Right to be Forgotten in the EU is a good example: the search engines are required to take down search results, but the underlying content on the web pages is not necessarily changed at all. And, while this applied to search engines, it didn’t seem to apply to corporate search engines or ‘paper archives’ like newspapers.

Encryption debates in the EU and worldwide are other examples where it is possible that secure, encrypted communications will be outlawed for everyone and as such, the good guys, corporations, families, etc. will lose secure communication while the bad guys will just resort to open-source alternatives. The bad guys will still encrypt but the good guys will have it taken away. Flawed thinking.

Privacy of meta data in all the apps we use on our smart phones will be another battle ahead. As we move around town with our smart phones we record, share and broadcast:

your location, your search habits, who you call, who calls you, who you IM with, perhaps what you buy, what you look at, what you listen to, how fast you are driving, if you are home or not, perhaps your Wi-Fi credentials, what you are looking for, who your friends are, who you associate with, where you work and live, where you are taking pictures and perhaps with whom, dining choices (loyalty cards), what you are reading, where you exercise, how fast you can run, your heart rate, calories consumed, food choices, arrival and departure times, stocks you are interested in, things you needed to be reminded about, favorite sports teams, shopping lists, music preferences, weight, blood pressure, perhaps your family connections…

This data is being stored all over ‘the cloud’ on computer systems using who knows what security practices. Good luck getting all of that forgotten.

These are going to be strange years ahead where technology is tracking more about us, encryption is getting better on some services, hacking is exposing more data and the world is in conflict (as it always has been) between nations, groups and individuals.

I don’t know where this is all going to end up.

Audit and Security

I heard of a place where internal audit was told to do a comprehensive security audit of all aspects of an organization. All aspects.

How is that possible?

The IT organization is likely working at 110%, with all their energy and effort going to manage, monitor, invest in and improve an organization's security, so how can a short audit effectively grade how they are doing? Now I suppose that if the auditors were knowledgeable about security and if there were huge gaps in what IT was doing, then those would surface in the audit. But how could a short audit detect deep matters in the enterprise?

Further, how can an IT organization comprehensively know that all is in control? And how can a CIO assure a board that everything is under control?

They can’t.

They can only attest that they are doing all they know to do, they are vigilant and they are working to set the tone across the enterprise that all must work together to secure the organization.

They can only assure that they are doing all they know to do.

These are difficult times for CIOs.