Improving software development security at CodeMash 2014

I will be delivering two lightning talks at CodeMash 2014 titled “Maximizing Technology Adoption ROI” and “Data Breach Lessons from 2013”. Even those who did not attend the talks can view them here.

 

Twas the Night before the Breach

Twas the night before the breach, when all through the place
Not an alarm was ringing, nor even a trace
That data was being pilfered, with the greatest of care
In hopes that its access would none make aware
 
The employees were off early, out for the day
Some to go shopping and others to play
Leaving the office empty, ’cept for one man
Filling a thumb drive as fast as he can
 
The passwords he had, some from Susan, others Paul
One under the keyboard, another on the wall
So he gleefully posed as his oblivious colleagues
Obtaining the data while humming a melody
 
Till leaving the office, no clue he neglect
To remove with him lest someone start to suspect
Ill intentions from such an employee as he
Whose reputation was spotless as spotless could be
 
The holiday proceeded much as expected
Families gathered, read stories and collected
The gifts they desired but hardly touched after
Great feasts were consumed, songs sung with laughter
 
But one of them partook in much more than cheer
Anonymously he sold them, stolen secrets most dear
Highest bidder to win, take all you can handle
Spreadsheets, memos, personal and financial
 
Returning to work, the breach first went undetected
Till profits sagged much lower than projected
Our secrets were stolen, they cried in shock
Our competitors have knowledge of things they ought not

Remington College Commencement Address

I was honored to be able to address the final graduating class at Remington College’s campus on the West side of Cleveland, Ohio. It was also my pleasure to be one of the first instructors there and to design much of the curriculum used in their Computer Networking Technology program. Here is the commencement address for those who wish to read it. Congratulations, Remington College graduates.

Faculty and staff, parents and friends of the graduates, and the graduating class of 2013: it’s a great honor to commemorate your graduation and all the dedication and effort that went into it. You should be proud.

Im sure youre eager to leave here, diploma in hand, to celebrate with all your friends and family. Before you do, take this one truth with youCultivate real relationships.

Career pursuits, technology, entertainment, and life pressures have a way of distancing us from others. Don’t let that happen. Establish deep relationships with a few close people. They’re the ones who can be relied on in troubled times, and they make life worth living.

Most of you are probably on Facebook. When I joined Facebook, it sure did change my life. I quickly connected with friends from school and work. Soon after, family members joined my circle of friends. People I hadn’t talked to in years came out of the digital woodwork, eager to reconnect, share experiences, photos, and memories. Looking at each page was like meeting in a coffee shop, sharing wallet photos and catching up.

It didn’t take long, however, before I had a few hundred friends. Friends who tried their best to keep me up-to-date on their lives. I was flooded with information on the games they were playing, the food they were eating, or the programs they liked on TV. The intimate coffee shop I had liked so much turned into a busy train station.

I tried my best to keep up with it all. I read their updates and posted thoughtful replies until one day I saw one of my friends at the store. I tried to remember something she’d recently posted on Facebook so I could strike up a conversation, but it was all a jumble in my head. She had just gotten back from scuba diving. No. That was someone else. Her sister had a baby. No, still not right.

I realized then that I was trying to do the impossible. By dividing my attention among so many people I wasn’t being a good friend to any of them. Mark Vernon, author of The Philosophy of Friendship, says, “You really have to have mulled over things with [someone] to become really good friends and there’s only so many people you can do that with.” In other words, you need to spend quality time together in order to cultivate really good friends, and you can only do that with a few people. Quality time is sometimes a shared experience. At other times it is giving a person your undivided attention or a listening ear.

“Be courteous to all,” George Washington said, “but intimate with few, and let those few be well tried before you give them your confidence. True friendship is a plant of slow growth, and must undergo and withstand the shocks of adversity before it is entitled to the appellation.”

We need a few close friends, the kind you can call anytime or count on in times of trouble. They are the ones who love you and want the best for you. Sociologists at Duke University and the University of Arizona found that these close friendships have decreased by a third in the last twenty years. A third of close friendships lost in a period where technological advances would seem to make us more connected. Instead we are becoming increasingly isolated.

Meaningful relationships need to be cultivated. It’s something you’ll have to make time for. This is important because a lack of close friends can lead to loneliness, anxiety, and a diminished satisfaction in life. I want you to live a happy, fulfilled life. A life you’re not going to find in social networking, climbing the corporate ladder, or driving that fancy new Lexus. Don’t get so caught up in life that you forget to cherish relationships. You’ve come this far and I’m sure it wasn’t all on your own. You’ve had some help from parents, a spouse, friends, teachers, or peers.

Take a minute to identify those people and vow to cultivate those relationships, for a rewarding life is not built alone. Cultivate real relationships. They will be more valuable to you than anything you achieve.

 

Virtual Chief Security Officers getting small businesses ahead

Security remains a complex discipline. This ever-changing challenge grows in complexity daily as new threats emerge and compliance requirements increase. Several regulations, including HIPAA, require organizations to have a person whose role is to ensure compliance within the organization. This is why organizations need a designated person with primary responsibility for security and compliance. This person is the Chief Security Officer (CSO).

The Role of a Chief Security Officer

A Chief Security Officer, or CSO, is first and foremost a business leader in the organization. He or she sets the organization’s security vision and ensures that it is in line with other business objectives. The CSO works with other business leaders to implement security and compliance initiatives throughout the company: the senior financial manager (such as a Chief Financial Officer, CFO), the business owner, senior partners or Chief Executive Officer (CEO), the senior IT executive (such as the Chief Information Officer, CIO), and the Chief Operating Officer (COO).

Some CSO activities may include:

  • Establishing and evangelizing the security vision
  • Defining security strategy and goals
  • Determining the level of acceptable risk
  • Defining and implementing security and compliance governance
  • Coordinating compliance activities and communicating with regulatory groups
  • Creating, publishing and maintaining security policies
  • Ensuring security awareness of risks and of organizational security policies
  • Coordinating incident response activities (e.g. data breach, IP theft)
  • Ensuring physical security for company facilities including offices, sites and datacenters.

Challenges

The CSO role is still relatively new and it has seen some challenges in implementation. Information security requires a great deal of cooperation from Information Technology (IT), and compliance requirements include many sections on technical controls, so it is understandable that IT is often seen as the group responsible for security. This is not ideal, because security and compliance both involve much more than technical controls. The actions of people, including employees and outside actors, are essential to maintaining security and compliance, and this requires a person or group with more than technical skills.

Some chief security responsibilities may be given to IT, legal, or HR employees. However, this approach often results in these individuals handling security as a secondary role, so security does not get the priority it is due. Furthermore, with this approach the organization lacks a central point of contact for security.

The Role of a Virtual CSO

A virtual CSO performs the same activities a CSO would, but on a part-time basis. The role may actually be filled by several people so that the company is covered even when one person is on vacation or otherwise unavailable. Virtual CSOs allow organizations to utilize highly specialized skill sets by providing companies with expert resources in security, without the high fixed cost of adding dedicated security executives.

Virtual CSOs assist organizations by developing effective strategies to evaluate and mitigate risks, maintain operational continuity, and secure the organization. They address security needs in areas such as personnel issues, timely employee background checks, technology, rehabilitation, and the design of procedures and policies.

Virtual CSOs partner with businesses to understand how core information assets have been deployed. They work hand in hand with organizations to study the security placed around those assets and what improvements can still be made. Virtual CSOs help integrate security into organizational strategies and processes, and they help companies develop tailor-made delivery plans that fit their needs and budget.

Ideal Traits

Ideal virtual CSOs should be well-versed in exploits, attacks, controls, countermeasures, and vulnerabilities. They should have a thorough understanding of technology such as operating systems, virtualization, storage, and networking, but business and leadership skills are even more important for this role. Security and compliance are more about people than about technology, so the virtual CSO should be able to interface with and direct people and lead change efforts.

Virtual CSOs need to be able to translate risk to data, information, or computers into risk to the business. They should be able to determine how to respond to risks, whether by mitigating, accepting, transferring, or avoiding them.

Summary

The Chief Security Officer role is more vital to companies of all sizes than ever before. CSOs are in high demand, but for those who do not need a full-time person and the expense that goes with it, a virtual CSO may be the answer. Sometimes this role is added to a pre-existing role within the organization, but this can lead to compliance being treated as a secondary activity, and it does little to protect organizational information security.

Virtual CSOs work across business and functional lines. They see through the complete deployment of strategic and holistic approaches to specific business issues. This is done by carefully assessing risks related to the organization’s reputation, information, assets, and all people involved. This is crucial especially for businesses that are looking at long-term sustainability and expansion.

My thoughts on Xbox One

I watched the XBOX One launch video today on my XBOX 360 console dashboard.  It is impressive in some ways but I am really disappointed that they are going to charge you if you buy a used game.  I only buy used games so this made me quite upset.  Actually, I got so angry at Microsoft that I cancelled my Xbox live subscription so it will end in January and I will not renew it.  They will only be hurting themselves.  A minority but still significant portion of people who buy new games count on being able to sell them when they have finished playing the games.  They use the money they get from the sale to buy more games.  Those that buy the used games when they are still relatively new might still buy the game new if it was not available used but many of the other used buyers like me would not buy the game new.  I get about $10 of fun out of the average game so I will not pay more than that for it.  Some games like Civilization, Dragon Age, Sacred or Kingdom Under Fire were worth a lot more to me but then there were games that I bought and then only played once or twice.  Maybe they will realize the economics of the situation when they finally start selling the system and as games age.  Maybe that will cause them to reverse their policy but that will take a while.

The media components of the Xbox are cool but many of the new TVs or blu ray players have social networking, video on demand, chat and audio streaming built right into them and those who do not have that can get a Roku or an Apple TV.  I would rather get an Apple TV for $100 than pay several hundred for an Xbox One.

I didn’t see anything on it, but is it going to output in 4K resolution? I am looking forward to the 4K technology. If I was designing a game system I would make sure it had 4K video and 7.1 surround sound and make it very social for gamers. Make it easy to take pictures and videos of games and to post those to social networks. Let gamers update their social networks with gamer stats and live updates from games, and create parental controls to keep kids safe.

 

June 19, 2013 update: Microsoft backs down on DRM.  http://www.cnn.com/2013/06/19/tech/gaming-gadgets/xbox-drm/index.html

Social networking strategy

Social networking is my thing this year and I just wanted to share my strategy with you in case you find it useful.

I spend about 30 minutes each day managing my Twitter and Linkedin accounts and it really helps.  Each day on Linkedin, I search for others I can connect with. I also look through my connections and find people whom I can endorse and after endorsing them I ask them to endorse me as well. I added my social networks to my email signature so that people I communicate with will add me or view my social networks.

Weekly, I look for one thing on my Linkedin that I can improve and then I improve that area.  It may be adding more detail to a section or revising some wording but I make regular edits.  Next, I Google myself to make sure that no negative information appears about me and that my positive sites appear early in the search results.

Most employers Google potential employees and check their Linkedin, Twitter, and public Facebook, so it can really pay off. You can also search for jobs on Linkedin, but it will only show jobs that you are connected with, so as you add more connections, more jobs will become available. I never would have landed the book contract if it weren’t for Linkedin.

Safe computing in a digital world | The Union Club

It is a dangerous world out there in cyberspace, with organizations losing corporate secrets or private customer data almost daily. Protecting yourself, however, doesn’t have to be difficult, and neither should it be left to those in IT. The keys to safe computing in a digital world can be yours.

The event will be a presentation followed by questions and answers.

The value of attending is learning how to secure the privacy of your information that is routinely exchanged and stored digitally. Cybersecurity is in the news. Even President Obama discussed it in the State of the Union Address in February.

Privacy matters even for those who don’t care

There are so many ways to share on social media today, and users, especially the younger generation, are sharing almost everything. The problem is that some data is not meant to be shared. A culture of sharing is developing that can be quite harmful for businesses and the confidential information they hold. It is even more important in this day and age to educate employees on what they can and cannot share. Consider implementing a social media policy that specifies shareable data and data that must remain confidential, along with sanctions for those who violate the policy. Make sure that all employees are aware of the policy and why it is in place. Lastly, make sure the policy is enforced through both technical and procedural controls.

Fraud techniques revealed in recent debit card case

On May 9, 2013, Federal prosecutors issued indictments against eight individuals for hacking and theft. The case revealed the methods the attackers used to gain access to debit card numbers that were ultimately used to withdraw $45 million.

The attackers gained unauthorized access to card processing companies and conducted what they term an “unlimited operation”. An unlimited operation is an attack in which debit card account balances and withdrawal limits are removed. In this case, the attackers performed an unlimited operation on several prepaid MasterCard debit cards and then distributed the card numbers and PINs to groups around the world. These groups recoded gift cards and hotel entry cards with the stolen card numbers and then coordinated withdrawals from ATMs.

I have spoken of the increase in coordination of cyber-attacks many times, and this is an excellent example. In a little over two hours on December 22, 2012, the criminals were able to withdraw $400,000 from 140 ATMs across New York City. A series of thefts in February resulted in the theft of almost $2.4 million in 10 hours, and the group is accused of stealing a total of $45 million by following this procedure for different card issuers and locations.

The banks involved in this case might have prevented the theft by monitoring for anomalous behavior, such as the excessive use of a single card number or the account modifications required in unlimited operation attacks. Anomalous behavior monitoring is valuable no matter where the next attack comes from, and it is useful in other industries as well.
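As an added illustration of the monitoring described above (example code written for this post, not anything from the case or the processors involved), the following checks a constructed stream of card events for the two signals the post names: a card whose withdrawal limit has been removed and then used, and a single card number hitting too many ATMs or too many withdrawals inside a short window. The record layout, thresholds, and card and ATM identifiers are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from a hypothetical card processor (field names
# are assumed, not from the post). CARD-A has its withdrawal limit removed
# and is then drained at several ATMs in one night; CARD-B is ordinary use.
EVENTS = [
    {"ts": "2012-12-22T00:05:00", "card": "CARD-A", "type": "limit_change", "new_limit": None},
    {"ts": "2012-12-22T00:10:00", "card": "CARD-A", "type": "withdrawal", "atm": "NYC-001", "amount": 800.0},
    {"ts": "2012-12-22T00:25:00", "card": "CARD-A", "type": "withdrawal", "atm": "NYC-017", "amount": 800.0},
    {"ts": "2012-12-22T00:40:00", "card": "CARD-A", "type": "withdrawal", "atm": "NYC-042", "amount": 800.0},
    {"ts": "2012-12-22T01:05:00", "card": "CARD-A", "type": "withdrawal", "atm": "NYC-088", "amount": 800.0},
    {"ts": "2012-12-22T09:00:00", "card": "CARD-B", "type": "withdrawal", "atm": "NYC-001", "amount": 60.0},
    {"ts": "2012-12-23T09:00:00", "card": "CARD-B", "type": "withdrawal", "atm": "NYC-001", "amount": 40.0},
]

WINDOW = timedelta(hours=2)  # look-back period for the velocity checks
MAX_WITHDRAWALS = 3          # withdrawals allowed per card within WINDOW
MAX_ATMS = 2                 # distinct ATMs allowed per card within WINDOW


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def limit_removal_alerts(events):
    """Flag every withdrawal on a card whose limit was set to None (removed)."""
    uncapped, alerts = set(), []
    for e in sorted(events, key=_ts):
        if e["type"] == "limit_change" and e["new_limit"] is None:
            uncapped.add(e["card"])
        elif e["type"] == "withdrawal" and e["card"] in uncapped:
            alerts.append((e["card"], "withdrawal after limit removal", e["ts"]))
    return alerts


def velocity_alerts(events):
    """Sliding window per card: too many withdrawals or too many distinct ATMs."""
    recent, alerts = defaultdict(list), []
    for e in sorted(events, key=_ts):
        if e["type"] != "withdrawal":
            continue
        # keep only this card's withdrawals inside the look-back window
        hist = [h for h in recent[e["card"]] if _ts(e) - _ts(h) <= WINDOW] + [e]
        recent[e["card"]] = hist
        if len(hist) > MAX_WITHDRAWALS or len({h["atm"] for h in hist}) > MAX_ATMS:
            alerts.append((e["card"], "withdrawal velocity", e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in limit_removal_alerts(EVENTS) + velocity_alerts(EVENTS):
        print(*alert)
```

In a real deployment the limit-change rule would fire on the account modification itself, before any cash leaves an ATM; the velocity rule is the fallback for card numbers whose modification history is not visible to the issuer.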