Regaining your anonymity online

Anonymity has been a longstanding hallmark of the Internet but you should no longer assume that your online activities are anonymous.

A vast amount of information is collected as you use the Internet. Search engines store the key words you search for and the pages you visit, browsers store web history, which may be integrated with the cloud, and websites store information your activities on their sites. Your IP address provides information on your general location and many applications can track your location data, obtained from your address or from GPS.

It takes a concerted effort to regain your anonymity. Anonymity must be protected from end-to-end starting with the operating system and then progressing to your network address, browser and search engine.

Operating System

Last month I wrote about the privacy features and flaws of Windows 10. What many don’t realize is that their operating system is collecting information on their activities which could be retrieved by malware or published to the cloud for data mining. This can be avoided by using an operating system that runs off a CD or DVD. Such systems, called “live” operating systems, run in memory, a storage component of your computer that retains data only while the computer is powered on. This data is not retained when you shut down the computer or restart it. CDs or DVDs are typically read-only, meaning that data cannot be written to them. Files that you are working on can be saved to a flash drive but operating system logs of activity are not stored with live operating systems. Similarly, spyware, malware and other junk cannot install on a live operating system. This further protects you against threats to your anonymity.

Network Address

Each device that connects to the Internet identifies itself with a unique IP address. This address can indicate your location and it can be used to correlate activity collected from multiple sources in order to build a profile on you. One method of obscuring this address is to use a proxy. A proxy requests Internet resources on your behalf and then presents them to you so that the requests appear to originate from the proxy rather than you.

However, one must be careful in using proxies because not all are intended for anonymity. Some send a forwarder that indicates where the data originated and others send data in the clear so that it can be potentially intercepted. Choose a proxy that uses SSL encryption and does not use http “forwarded for” headers. Another limitation of proxies is that attackers see them as a potential target because of the high volume of traffic traversing them. Compromised proxy servers could put your information in the hands of cyber criminals.

The Onion Router (TOR) extends the proxy model by bouncing connections between many computers within its network and then delivering the final request from one of many endpoints. Data within TOR is encrypted using SSL. It is still possible for a TOR server to be compromised but that server would only see a small portion of your traffic or possibly none at all depending on how your traffic was routed through the TOR network. The downside of using TOR is that connections are often slow due to the latency incurred by traversing so many computers.

Browser

The most common browsers are Internet Explorer, Mozilla Firefox and Google Chrome. Internet Explorer or its replacement, Edge, is the default browser on Windows machines. Linux variants often come equipped with either Firefox or Chrome, depending on the distribution. Each of these browsers has their share of privacy flaws but your choice of browser is much less important than the privacy settings you select within the browser. Restrict cookies and set your browser security settings to the highest level that still allows you to browse with ease. Many browsers also include a private browsing mode. This is very useful for restricting information from being collected by your browser on your activities while in this mode.

Search Engine

Most of the search engines collect data on your browsing habits so they can target ads to you and improve their search rankings. Some search engines share or sell this information with other parties. However, Duck Duck Go is a search engine that does none of these things and it is a valuable tool for searching the web anonymously.

These technologies and techniques can all be used to protect your anonymity. However, they provide the best protection when used together. It may not be feasible for you to use all of them. For example, you may need to use an application at the same time while you browse, making a live operating system impractical or you might want to test searches in a specific search engine. I encourage you to use as many as possible.  You may additionally use a virtual private network (VPN) to connect to your workplace or other common resources so that traffic between your computer and the VPN is encrypted and you can use wiping tools to more effectively erase data from your machine after deleting it. However, a discussion on these tools will have to wait for another article.

Continue reading

Point/counterpoint: Breach response and information sharing

Some breaches require notification such as those involving patient data or customer information, but sharing is optional. Of course, notification is just one form of information sharing. For example, February’s executive order encourages private sector companies to share information on cybersecurity threats.

There are advantages and disadvantages of sharing information with others, and here to talk about it are two information security influencers and Eric Vanderburg and Bev Robb. Vanderburg will be arguing for information sharing and Robb will discuss potential sharing woes that may arise from government and private sector collaboration.

Eric Vanderburg

Vanderburg: Attackers seek to maximize their return on the development or purchase of new exploits by targeting as many companies as possible. Additionally, just like crimes outside of cyberspace, cyber-criminals have established habits and proven methods that they rely upon to steal data or take over or destroy systems.

The resources of any individual company or person are limited. It takes coordination in order to combat today’s threats. It is essential to protect your company against data breaches but prevention alone does not stop attackers from trying again. The information shared can help track down and catch the bad guys.

I could argue the benefits all day but the main decision point is whether the benefits outweigh the threats so let’s look at some.

Robb: Many information-sharing initiatives proposed by the U.S. government make it slick for the private sector to share information with the government, but not vice versa. You scratch my back and I’ll scratch yours may not apply.

Though I am not completely against information sharing between government and companies in the private sector, some concerns are:

  •         The federal government’s track record in the realm of government data breaches and their ability to safeguard data.
  •         Private sector companies that have reported crimes to the government that rarely receive timely intelligence back (regarding threat actors).

Though it does take coordination and information sharing within the information security community to combat the current threat landscape there is still much room for improvement.

Information overload

Security professionals reading this may be feeling overwhelmed already by the information on vulnerabilities and threats they receive each day. So why should we burden them with even more information?

Vanderburg: It is actually for that very reason that they need this information. There are too many threats out there, and organizations need to know which threats are credible and which vulnerabilities are more likely to be exploited. Information sharing can provide a filter to the vast amount of information out there so that security practitioners can properly prioritize.

Robb: The government is not a knight in shining armor and is already steeped with so much data and myriad software programs that it would be difficult to analyze threat data without the use of “commonly shared tools” to aggregate and analyze all this threat data.

Who decides which threats are credible and which vulnerabilities are more likely to be exploited? If it is the government that makes this decision, what is the ETA before the private sector is notified? My crystal ball tells me that the private sector will get the short end of the stick again, while daydreaming for actionable intelligence to arrive.

Damage to reputation

Vanderburg: An organization’s reputation can also be damaged by what it withholds. We see this especially when an incident occurs that later turns out to be much larger in scope than originally thought. At this point, the damage is much greater and public opinion is set against the company because they took so long to identify the threat and act on it. However, if the information on the incident had been shared, similar incidents could have offered more insight into which systems should be analyzed and related threats that might require investigation. This could potentially reveal and resolve other threats sooner, both minimizing the damage to the company and its customers but also preserving its reputation.

Robb: We’ve all learned over time, that government often takes an exceptionally long time to identify their own security threats and to act upon them. With most government data breaches shrouded in secrecy there is often miniscule acknowledgement of any accountability for weak security practices.

Information to attackers

Vanderburg: Sharing information publicizes the successful attack vectors used in an attack. If this information is shared before the vulnerability has been remediated, other attackers could exploit the same weakness. However, attackers already share information on successful attacks with others. It is likely other attackers will find this information not through security information sharing networks but rather through their own communities. As a general rule, security through obscurity (something is secure because it is unknown) is not a viable strategy because such things generally stay unknown for a short amount of time.

Robb: Deep web hacking communities and forums abound with information on exploits, hacking tutorials, intelligence on business websites (many that are vulnerable to SQL injection), and the like. Hackers are frequently applauded and esteemed when they share knowledge of data breaches they participated (or are currently targeting). They do not need to pay attention to “breach information sharing” because most of these bad boys just want to quickly monetize their hacks. You can bet your bottom line that they will find the means to infiltrate their target(s) with or without any knowledge of “collaborative threat intel”.

—————————–

Though there is the sharing of threat intelligence within industry-specific sectors such as the Cyber Threat Alliance, ES-ISAC (Electricity Sector Information Sharing and Analysis Center) and NERC (North American Electric Reliability Corporation) – sharing threat intelligence is still in its infancy.

When you locate a data breach, what steps do you take to report it? Who do you go to? How do you tell a company that they’ve been breached if they are unaware? Curious? Be sure to check back next month for another Vanderburg-Robb data breach conversation.

Continue reading

Future ready cloud security

In 5 to 10 years, the cloud will be as ubiquitous as the Internet is today. It is predicted that 2015 will see a dramatic change in labor and business models as operations shift to the cloud. It will be part of our normal lives, with cloud-based apps running on stereos, watches, mirrors, glasses and many other devices that we interact with or carry with us daily. Software and data will not be hardware dependent because they will be running in the cloud but you will be able to interact with your data and systems whenever and wherever you are at.

The lines between work and home or business and pleasure are already blurred, but they will become increasingly transparent in the years to come. The floodgates of organizational data will be released into a variety of cloud-based systems. Organizations that develop a security-minded cloud culture now will better transition into the cloud in years to come as it continues to grow. Such cultures will have the framework such as policies, procedures, workflows and shared cloud successes will foster effective cloud security behaviors and habits.

So what does a security-minded cloud culture look like? Provided here are three steps that you can take to start developing it.

The first step is to foster ongoing communication about the cloud, its benefits, and challenges. Create a cloud committee made up of people from different departments and backgrounds within the company and discuss what is working for you and how that can be standardized as an organizational best practice. As part of it, subject ideas to peer review and test assumptions and risks.

Next, create and maintain a data map that details where types of data are stored and which vendors or third parties maintain the data. This is important in case there is a data breach, eDiscovery request, merger, or many other situations. Empower employees to help maintain the data map through discussions on how and where the data is located by members of the cloud committee.

Lastly, be discerning in your choice of products or services. The choice of a cloud provider is not one to be taken lightly without an appropriate level of consideration. Cloud vendors should go through a vendor risk management process that ensures they have sufficient security controls in place to mitigate risks to the type of data they will be hosting. Each vendor can be assigned a risk rating for data classifications to make it easy to determine if data can be used on the vendor’s platform. Risk management should also take into account any compliance requirements and whether the vendor’s systems adhere to those requirements. Also, ensure that service level agreements are appropriate for your data availability requirements. If this concept sounds foreign, consider classifying your organizational data based on the required confidentiality level and availability need.

You are most likely planning for growth in cloud utilization, so make sure that the solutions you choose can scale with your business. Choose a vendor that can handle several times the volume you initially would contract for and one that has a track record of success and innovation.

This is an exciting time for we stand at the cusp of great technological change. People and organizations are being given the freedom to utilize technology how, when and where they see fit without having to worry about the underlying architectural complexities or capital expenditures. #BeFutureReady, and know this is your chance to seize the cloud, to harness it or even mold it to accomplish great things. Create a culture that supports secure cloud utilization and make a difference – now and in the future!

Continue reading

Is your culture interfering with data security?

With the ease and prevalence of global expansion, security leaders must understand how to implement security across a global organization to avoid weaknesses, targets for attackers or sources of data breaches. Our natural inclination is to plan based on the culture we know and the experiences we have had, but global security leadership requires a bit more thought in order to be effective.

Business is global. This isn’t new, nor is it surprising that cultural differences, international laws, and workplace practices differ around the world. Businesses have long sought to harness the strengths of particular cultures and, in other situations, to transplant the culture and values of the company’s mother country onto a global labor force. For example, a company with sites in Japan or Italy may have trouble being notified of security issues due to Italy’s “bella figura” or Japan’s “mentsu” concept of keeping face. Employees in those countries may not share the information out of concern for potentially shaming their global counterparts. In such cases, the parent organization may try to impress the value of open communication upon employees from those countries. On the other hand, a company might open research and development offices in Switzerland, Finland, or Singapore due to their high degree of intellectual property rights protection.

Enterprise-wide security programs should consider how security will be effective in different cultures, the differences in legal and regulatory requirements, how company property is viewed, encryption limitations, and language barriers in order to manage security effectively around the world.

Security programs can be more or less effective in different cultures so it is important to not only gather support and feedback from top management but also from leaders in regional centers with differing cultures. For example, separating the office into different security zones, each requiring authentication, may be well received in Western countries such as the United States but Eastern countries like Japan may think this rude and untrustworthy. Similarly, perceptions and priorities of security may differ between countries as shown in this global security survey.

Another important global difference is legal and regulatory requirements. The European Union differs greatly from the United States in their privacy laws, so a security program will need to ensure that the requirements of each country’s laws are met while still maintaining at least the organizational defined minimum standard of security. Employees from multiple regions working on a single project or the same data will need to follow appropriate procedures to ensure they are complying.

An organization’s response and transparency in handling incidents is related to the legal and regulatory requirements, but also impacts a company’s brand image. Differing cultures may not have the same definition of what constitutes an incident or communication channels could differ in such a way that incidents are not reported in a timely manner. Global organizations need to ensure that consistent training is provided to ensure that incidents are properly categorized as incidents and that reporting is done through the established channels.

Global organizations house data in locations around the world but not all countries have the same definition of company property. If sensitive data is housed in a facility that is seized or breached by the government in which that site resides, private customer data or sensitive organizational data may be lost or disclosed. For this reason, organizations should take special care to house data in countries that have protections for business property and information.

The global organization transmits data between sites in different countries on a regular basis, but some countries may have limitations on the maximum level of encryption that can be used on international transmissions. In some cases, these limitations may present an unacceptable level of risk of data disclosure. In such cases, data may need to stay local to a specific region or some data may be unavailable in certain areas.

The last consideration is probably the most obvious. Language barriers can present difficulties if security procedures and policies are misunderstood in another country. Furthermore, incident response coordination may be more difficult when communication is slowed due to language barriers. Incident response plans should specify how communication will be handled between countries with different languages so that information is shared effectively and policies and procedures should undergo review following their translation to ensure that their meaning does not change.

The key to an effective enterprise-wide security program lies in establishing and enforcing a minimum standard for security that is implemented at each site regardless of its location globally. Global business is more complex but with a little more thought, you can save yourself and your organization many security headaches down the road. Make sure that you security is expanding with your business.

Continue reading

Don’t be a victim. Be a protector

As vigorously as many organizations are working to prevent them, data breaches are becoming more of a common occurrence, and the consequences are even bigger for organizations and the individuals whose data they hold in trust. As such, we need to get our terms straight, especially when it comes to the victim.

If your wallet were stolen, we would consider you the victim. Organizations that have suffered data breaches have often considered themselves the victim as well. However, the scenario of the stolen wallet is not an apples-to-apples comparison with a data breach because of one significant difference. The wallet is your property, but organizations retain the data of others, and they have an obligation to protect the information that is provided to them. When someone has an obligation, or duty, and they fail to fulfill it, they are the malefactor, not the victim. The victim is the person whose data was stolen — the consumer, patient, or partner.

Okay. So why must we define the victim, or why can’t they both be victims? The answer lies in assuming responsibility. Victims are not responsible for the negative situations they find themselves in, and organizations that consider themselves victims are not recognizing the responsibility they have to protect what has been entrusted to them.

This is a key factor in today’s culture of information sharing.

I use the word “culture” because this duty is not something that can be handed off to a single person or department. Neither can it be transferred or outsourced entirely to another party. This is the responsibility of everyone in the organization — from the representative collecting information to the receptionist answering the phone; from the janitor sweeping the floors to the machine operator in a factory. Even if you don’t directly interface with sensitive data, you may provide someone with the stepping stone to another person or resource leading to such information.

Consider the information your organization collects and work with as part of your job, and decide whether you are collecting more than you need or if the data you view is all relevant to the role. Some information could be removed or compartmentalized so that only pieces of the data are visible to those who need them. The concept of “need to know” for privacy has moved from being a recommendation to a mandate.

Consider also the way you and your teams interact with data, via smartphone, laptop, tablet or watch. We use these devices in public places where others might view the data or credentials used to access the data. Some access data over public networks where the information can be viewed in transit. In your daily life and in the course of normal business, you work with so much data that must be protected.

Let me empower you today. Don’t be a victim, be a protector. From today forward, see yourself as you are, an integral defense against the breach. Discuss this with your coworkers and leaders in your organization so that you can take the steps necessary to prevent the next one.

Continue reading

The case for consistency in security

Security spending could be compared to the stock market. It increases and decreases depending on intangibles such as how “at-risk” the organization feels rather than on objective measures such as the number of cyberattacks, vulnerabilities or data breaches.

An organization may put technical controls in place, educate employees and establish new policies immediately following a breach, but over time the technology becomes outdated and no longer protects the organization as it should. Memory of the breach fades, causing exceptions to be made to the firm’s policies and leading to forgetfulness in employee adherence to best-practice procedures. Eventually, another incident causes the organization to spend money again, and the cycle starts all over.

This situation is detrimental to companies in two ways. First, it results in periods when the organization is quite vulnerable. Also, in the end, more money is spent on security than would have been required if security spending were consistent from quarter to quarter. In fact, effective IT security solutions contribute to business success and profitability. Let’s explore this by looking at major areas where security dollars go; technology, governance, and training.

Technology

Technology such as firewalls, Intrusion Detection Systems (IDS), antivirus software, authentication systems or auditing and alerting systems, is essential to protecting organizational information assets but technology is quickly outdated. More sophisticated attacks or better equipment on the part of the attackers necessitates increased investment by organizations to protect themselves.

Consistent spending keeps technology up to date so that it continues to address current risks. It is also much easier to make incremental improvements to address new risks rather than design a completely new solution. Those who maintain security systems have a better understanding of how the product protects against threats and how it can be modified if necessary.

Governance

Governance includes the policies that spell out the organization’s approach to information security such as how users will be authenticated, how data is classified, roles and responsibilities and sanctions for those who do not follow policies. Procedures document how specific tasks are performed to accomplish what is set forth in the policies. When security spending is consistent, policies are updated so that they are in line with business objectives. When inconsistent, policies may conflict with business objectives and the policies are either ignored or business objectives are not met.

Similarly, consistent security spending allows for procedures to be updated as technology and forms of attack change. When spending is irregular, procedures may be followed but won’t adequately protect the organization or informal undocumented procedures may occur — which affects operational effectiveness. Lastly, policies are enforced when security spending is systematic, leading to regular patterns of behavior and a culture that sustains security rather than obstructing it.

Training

Training is also more effective with consistent security spending because it keeps security awareness top of mind. Otherwise, employees will need to be completely retrained on information security because much of the information is forgotten.

So how is security spending addressed in your organization? Is it consistent and proactive or inconsistent and reactive?

Continue reading