Wednesday, October 19, 2011

Blame the humble “CC” for data leaks

Many of us have either been a victim of, or the perpetrator of, the “CC” gaffe. Instead of using the “BCC” function we inadvertently send mails using a “CC”, which results in every recipient seeing the other members of the group. Whether it is a party invite or a large bank disclosing the names of its high rollers, the simple “CC” is one of the big sources of inadvertent data leaks.
Many times we deliberately “CC” a wider audience to make sure we cover anyone remotely concerned with the mail contents, irrespective of the information’s confidentiality and the simple principle of need to know. These fringe recipients may not value the information, and may forward or disclose it to others. In extreme cases copies of these mails find their way to the media or social networks. If you are surprised at how quickly your organization’s grapevine got hold of the news, the humble “CC” may be to blame!
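The mechanism behind the gaffe, and a simple outbound check for it, as an added Python example that is not part of the original post. With SMTP, BCC addresses travel only in the envelope (the list of recipients handed to the mail server) and are never written into the message header, so only To and CC addresses are visible to everyone who receives the mail. The check flags a message whose visible recipients exceed a count or span many domains before it leaves. The sample addresses, the thresholds and the function names are constructed for this illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample: twelve external customers spread over four domains.
SAMPLE_CUSTOMERS = [f"client{i}@example{i % 4}.test" for i in range(12)]


def build_message(sender, to, cc=(), bcc=(), subject="", body=""):
    """Build a message and return (message, envelope_recipients).

    Bcc addresses go only into the SMTP envelope list; they are never
    added to the header, so nothing in the delivered mail reveals them.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = list(to) + list(cc) + list(bcc)
    return msg, envelope


def visible_recipients(msg):
    """Addresses every recipient can read from the header (To and Cc)."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields) if addr]


def check_disclosure(msg, max_visible=10, max_domains=3):
    """Return findings for a message that would expose its recipient list.

    An empty list means the message is within the constructed limits.
    """
    visible = visible_recipients(msg)
    domains = {addr.rsplit("@", 1)[-1].lower() for addr in visible}
    findings = []
    if len(visible) > max_visible:
        findings.append(
            f"{len(visible)} visible recipients (limit {max_visible}); use Bcc"
        )
    if len(domains) > max_domains:
        findings.append(
            f"visible recipients span {len(domains)} domains; "
            "unrelated parties will see each other"
        )
    return findings


def demo():
    """Compare the leaky CC mailing with the same mailing sent via BCC."""
    leaky, _ = build_message(
        "notices@bank.test", to=SAMPLE_CUSTOMERS[:1], cc=SAMPLE_CUSTOMERS[1:],
        subject="Statement", body="Your statement is ready.",
    )
    safe, envelope = build_message(
        "notices@bank.test", to=["notices@bank.test"], bcc=SAMPLE_CUSTOMERS,
        subject="Statement", body="Your statement is ready.",
    )
    return {
        "leaky_findings": check_disclosure(leaky),
        "safe_findings": check_disclosure(safe),
        "safe_header_text": safe.as_string(),
        "safe_envelope": envelope,
    }


if __name__ == "__main__":
    result = demo()
    print("CC version:", result["leaky_findings"])
    print("BCC version:", result["safe_findings"] or "no findings")
    print("envelope recipients:", len(result["safe_envelope"]))
```

The BCC version still reaches all twelve customers because they are in the envelope, but the delivered headers name only the sender’s own address. A mail gateway can apply the same count and domain thresholds to stop a mass CC before it is sent.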

Tuesday, October 18, 2011

Woman CEO cyber harasses female coworker

“Woman CEO maligns female colleague on Net, detained” ran the unusual title of a news report by the Times of India. Apparently a woman CEO had been cyber harassing her junior by posting remarks about her character, or lack thereof, which described the victim as a sex pest who eyed newly recruited young men and was also “having a good time with a former employee”. Apparently the woman CEO was jealous of the rapid rise of the victim and wanted to bias her management against her.
This case was unusual as it demonstrates how career pressures and workplace politics spill online, with jealous peers using the net to spread a disinformation or discreditation campaign under the anonymity of cyberspace.
The important aspect of this news item was the victim registering a complaint with the cyber police. I am sure that simply catching the perpetrator must have brought great joy. It also underscores the importance of having a social networking policy and strong corporate governance.

Monday, October 17, 2011

The relationship between the threat of political violence and Cybersecurity attacks

The Indian political story is markedly different from what happens in the rest of the world. Firebrand politicians make loaded statements to create divides or spur street violence to win votes by appeasing majority sentiment. The police fail to arrest these leaders, fearing a mass breakdown in the law and order situation, and instead arrest a few minor miscreants. This constant threat of violence ensures that leaders usually get away with actions and statements that are simply unacceptable to Indians at large.
In the security world I see a similar pattern of retribution or vigilante attacks if a business targets hackers. There are two classic examples. The first was Sony; it went after a hacker who disclosed vulnerabilities in the PlayStation and issued threats of penal action against others who might try to compromise its products, which was swiftly followed by what we all know to be a cyber cyclone that left Sony poorer by $200 million. Later, the arrest of an alleged perpetrator of the first attack led to a follow-on attack. WikiLeaks was the second example; the retribution was in response to actions taken to shut down WikiLeaks and arrest Assange for the disclosure of US cables.
Businesses now face a tough decision: do they prosecute and eventually make the world a safer place, or do they ignore and settle such attacks?

Monday, October 10, 2011

The Impact of the Rise of Tablets on Corporate Security

India launched a $35 tablet based on Android 2.2. It may lack sophistication but has the functionality needed to browse the web, use apps and so forth. This launch is an indication of how cheap, and therefore ubiquitous, the tablet is set to become. Corporate employees will soon carry a tablet as a personal item.
The cultural change brought on by online banking, shopping and social networks pressured IT departments to allow access to social sites through their corporate networks. Most refused, citing five main reasons: loss of productivity, the need for larger bandwidth, security reasons such as malware, violation of corporate policy (viewing adult content, legal issues) and fear of employees posting uncensored content (against other employees or about corporate information). But these restrictions simply suppressed a desire. Smartphones allowed limited access to social networking sites and email but lacked a rich browsing experience.
Tablets overcome this limitation with a larger screen size. As the device and the mobile data access charges are paid by the employee, the IT department has no control over its use. Of the five main reasons for disallowing access to social networks, the company is freed from three: the risk of malware, legal issues and higher bandwidth charges. The risk of malware does not go away but simply shifts from the company to the user; barring this, the company will not be able to control the loss of productivity, violation of company policy and uncensored content.
Companies will have to learn to accept the risks, just as companies long ago stopped trying to prevent employees chatting in corridors and instead set up quiet corners and coffee places for employees to mingle. The net result was an increase in conversations around business and better productivity.
The next step for security professionals will be to modify company policy to accommodate the use of employee-owned tablets in the workplace, which may be difficult to monitor and enforce.

Sunday, October 9, 2011

Stuxnet, Infected Drones Signal Shift of Intent

Was the disclosure that the American drone network’s command consoles had been infected by keyloggers and the decision of the Indian defence establishment to throw an air cordon around major cities simply a coincidence? Why is the Indian air force planning to defend against drones and/or small aircraft in a 9/11-style attack?

Perhaps these are simply unrelated incidents, but they illustrate the rise of malware with the sole purpose of causing destruction. The first major incident was Stuxnet, which wiped out Iranian nuclear centrifuges by spinning them beyond their rated capacity. Could the recently uncovered keyloggers targeting remote-controlled weapon systems be part of a new and dangerous trend?

Friday, October 7, 2011

US government acts to upgrade internal data security

The White House issued an executive order to beef up security against insider threats after the WikiLeaks episode. It took seven months to review policy and institute simple security controls such as disabling CD drives and USB ports. This is a clear indicator of the size and dimension of the challenge of making sure governments adhere to security policies. Sheer bureaucracy and limited security knowledge stand in the way. It also amply shows that a significant investment is needed by governments across the world in technology and security awareness training to better their security posture.
If this does not change as governments modernize and automate processes, both internal and external, the probability of cyber attacks and theft will rise exponentially, not to mention the consequences of cyberwar and cyber espionage on government networks. The initiative by the US government shows that it is capable of learning (not a common quality for governments) and is a good step forward. Other governments should take note of this example. There are many which prescribe laws on data security that do not apply to the government itself. I find this thought quite humorous.

Tuesday, October 4, 2011

How CEOs can pass the Security Test: A letter to CEOs

Dear Mr. CEO
Sub: Poor security in your organization
Dear Sir
Let us face reality. You, Mr. CEO, do not have time for information security but are in agreement as to its importance to business. If you were a king in yesteryear you would certainly have understood the importance of fortifications.
I will tell you why you are simply unaware of where the company stands in terms of security preparedness. You do not measure it. This little flaw has a cascading effect, as your team does not see it in their KRA. Your KRA is what the board wants, and therefore you invest only for regulatory compliance.
I will let you in on an open secret. The historical annual audit you thought gave you the pulse is like closing the bird cage once the bird has pooped and flown the coop. Not all is lost; you can still steer the ship with this set of twelve questions in five categories that you can ask of yourself and your team (CISO, CFO, CMO and CIO) to obtain the security pulse of your organization.
Awareness and Attitude: The first principle is to remember that you cannot be effective unless you really believe security is important and invest time in understanding what security means to your business. Throwing resources to meet a problem without first understanding the problem is a bad way to do business. So the first two questions are to be answered by none other than you.
· Do I believe that the probability of security risks is high and that my company could be a victim?
· Have I been coached on the importance of security and how it affects my company?
Audit and Measurement: What you do not measure, you certainly do not control. That is an old trick; I do not need to teach it. But in security, how frequently you measure and ensure remediation is also important. I would recommend that you straighten up if no one has yet reported a security incident to you. This probably means that since you never asked, the organization never instituted a process to monitor and measure. So call your CIO, CISO and CFO and ask them the next three questions.
· Do you conduct annual third-party comprehensive security assessments?
· Do you conduct weekly vulnerability assessments and have a process to track remediation?
· Are you aware of security breaches within the organization? And why did you not inform me?
Quality and Resources: Good intentions which are not backed by acceptable best practices, industry certifications and resources cannot be successful. All companies move from good to great over time. Overnight certifications are for appraisals only and not of practical use. Invest some time to understand your current security maturity, investments and the road ahead. This is an exercise you can do annually, but it helps set the direction and vision for security across the organization. Security, Mr CEO, is cross-functional, and you alone can ensure that it becomes the responsibility of all and not of Mr X or Mr Y, because you can be sure that managers in your company will squeeze the security budget in their area to fund an item in their direct KRA. So call your CISO, the man in charge, and ask him the next three questions to understand his vision and his financial and political challenges. If you support him, perhaps the rest of the organization will.
· Do you know where on the maturity model your security posture sits?
· Is security a downplayed function, more hygiene than strategic?
· Do you have a security organization with defined budgets?

Business Entwinement: Security has moved away from being simply a hygiene factor to an essential business item. Your customers demand secure services, and as you scurry to use mobile, web and cloud, guaranteeing data security is critical. If you have not considered the security risk at the time of decision making, you are probably ensuring a failed service, or the failure of your business, at the point in time when someone decides to hack your service. The other big requirement is to keep a watch out for corporate espionage. Loose emails and talk by your senior team ensure that you lose a great deal of business to your competitors. So ask yourself these questions as you lead the pace.
· Do your senior managers keep business information on a need-to-know basis?
· Do you consider information security as an area of business risk while making decisions?

Investment: The world runs on money and so does your security apparatus. I am sure that when you tally your books of accounts, you will be unable to find a line item for the security spend in the company. It will be dispersed across several budgets, spent and prioritized differently. One thing you are good at is ROI. So consider this: it could be your loss or your competitor’s loss. Which do you prefer? If it is your competitor’s loss, then perhaps you should learn from the data breach he suffered last month and invest today. Perhaps that is a strategy you would choose, or you could ask yourself the following two questions.
· Have you assessed the annual loss due to security incidents?
· Is your investment rationale compliance-driven, or focused on holistic security improvement?
Well sir, thank you for reading this longish letter. It was borne out of my long frustration in working in your company. I hope that at least this year round, you will spare the time to meet me to discuss the year’s security plans and budgets.

Yours Sincerely,
CISO

Sunday, October 2, 2011

iPhone 5 type Product Launches and Six Other Secrets Companies Need to Keep

Apple is set to launch the iPhone 5 shortly. The event is shrouded in absolute secrecy, keeping customers guessing as to the product’s new look and features. Customers love a mystery, and the deliberate suspense augurs well for the brand and for long lines at product stores. Apple’s ironclad security around its prototypes involves the use of private jets, windowless rooms, storage cases padlocked to tables whose wood grain signatures are photographed, and much more. But the launch of a new consumer product is just one of the seven reasons companies need to maintain secrets.
Safeguard New Product Development
One of the most common problems companies face is copycat products launched before their new product hits the market. This usually happens when competitors get wind of the new product through suppliers, employees who crossed over, or loose talk by employees. Some companies deliberately employ spies and agencies to continuously monitor the actions of competitors. The problem gets more acute in highly competitive industries like telecommunications, where new product plans are frequently launched to churn customers, or in the investment-intensive pharmaceutical business.
Safeguarding new product development from concept to market requires the adoption of an information security process that analyses the threat of information leakage at each step of the product lifecycle, enforces methods to obfuscate and restrict access to product data, and ensures traceability to source.
Customer Data Privacy
Keeping customer data confidential is a compliance requirement mandated by law and industry regulation. Companies have to ensure that customer personal data such as medical history, banking transactions, credit card information, mobile call details and information such as addresses, telephone numbers and social security numbers are kept confidential. Most of the recent breaches have targeted credit card and email details, as hackers earn revenue through email scams and credit card misuse.
Companies need to invest in systems and processes to ensure data privacy by implementing security management systems such as ISO 27001 as well as complying with specific control frameworks such as PCI.
Keep Design Secrets under Wraps
Companies invest a lot of money in product and component designs and proofs of concept for future products and technologies which have long-term strategic interest. Access to such designs by competitors may help them shorten design cycles or patent ideas first. Some designs are protected through patents, but the vast majority need to be kept confidential as they may not be cost-effective to patent, or may not be patentable.
Safeguarding these designs requires investment in a secure product vault where access to and modification of digitally stored designs are carefully controlled and monitored. Companies need to restrict the movement of data and images out of product development centers by preventing access to email and banning the use of mobile phones, cameras, removable data media and so forth. In addition, care has to be taken to protect these secrets when they are shared with suppliers, using contractual clauses and mandates to ensure suppliers’ adherence to security best practices.
Mislead Stakeholders
It is not uncommon for senior executives to paint the corporate business picture in a manner that obfuscates reality from stakeholders. Most balance sheets provide a glossed-up view of a company’s performance and require investors to read between the lines. Business information is similarly projected internally in reviews to the board.
The board plays a major role in deciphering the picture presented, and its deep involvement can temper the effects of misreporting. The extent of misreporting is proportional to the quality of corporate governance and ethics.
Defraud the Company
Deliberate manipulation of key data to defraud or to paint an unrealistic image of a company’s performance is one of the reasons the Sarbanes-Oxley Act was brought in. Quarter-on-quarter growth and incentives tied to an executive’s performance forced manipulation of key statistics, misleading investors and financial institutions. Major and minor frauds where executives profiteer through decisions that favor them are not uncommon.
Audit firms bear the brunt of the responsibility to ensure that the financial statements prepared are accurate and that the firm has policies to minimize internal corruption.
Protect Business Interests
Many times business decisions are taken which, though proper, may have an impact on suppliers, customers or employees if widely known. Layoffs and product end-of-life decisions are some examples. Securing key business data relating to strategy, new products, bids and costs is of prime importance to ensure that competitors do not gain an upper hand. Data which may affect share prices is legally mandated to be kept confidential under disclosure policies.
Safeguarding such information primarily rests on how executives in the know keep it confidential. Their actions and attitude determine the level of secrecy. Commonsense in enforcing a need-to-know policy is all that is needed; it does not have to be taught and cannot be prescribed by security policy. Simple actions such as emailing on a need-to-know basis, conversing in closed rooms and not leaving documents unattended on desks are simple precautions. I am normally surprised at the information one picks up while waiting to board a flight, shared by individuals openly discussing confidential subjects on mobile phones or working on confidential business presentations.