Is staying safe online possible?

I was asked a question on Twitter today. The question was, "Is staying safe online possible?" This is a great question because I increasingly see a sense of apathy in users due to the frequent threats to online safety that are reported. They ask questions such as "If big companies can't protect themselves, what chance do I have?" or "If identity theft is inevitable, what is the point of protecting oneself?" Let's look at the question in an Aristotelian manner. We first must establish what staying safe is. Let's start with this definition:

Being safe online is having the knowledge, ability and opportunity to utilize the Internet and Internet-based resources without subjecting oneself to harm*

Having the knowledge, ability and opportunity to utilize the Internet and Internet-based resources without subjecting oneself or others to harm*

*Harm is defined as the following:

  • Unauthorized disclosure of personal or sensitive information
  • Identity theft
  • Misuse of computing resources due to unauthorized access or presence of malicious code
  • Persuasion or coercion to perform actions due to misrepresentation or incorrect facts presented in phishing emails

With this definition in hand, I can now consider whether this is possible. First, this definition implies that no harm, as described above, would come to the individual, however frequently they use the Internet, as long as they applied sufficient knowledge, ability and opportunity. I believe this is false. Even those equipped with sufficient knowledge, ability and opportunity will eventually come to some harm in using the Internet and Internet-based resources. So, what if I revise my definition to this?

Being safe online is having the knowledge, ability and opportunity to minimize the harm* and frequency of harm caused due to the use of the Internet and Internet-based resources.

This definition allows for someone to be safe online but still have harm occasionally occur. However, in such occurrences, the damage done would be minimized. For example, if personal information was disclosed, the individual would be able to recognize that disclosure quickly and work with the persons and companies involved to limit a malicious user's ability to employ the disclosed information and to reduce the amount of damage incurred through its use. More specifically, if a person entered a username and password in a fake web site, they would realize their mistake and change their password on the legitimate site before an attacker would have the ability to use their credentials. They would also use different credentials for other sites, so the information gained would have no value if employed for other Internet services.

Using this definition, I believe I could say that it is possible to stay safe online. However, possibility is not probability. Those that would be safe under this definition must have the knowledge, ability and opportunity. If the majority of people using the Internet do not have these, then the majority of users are not safe. The logical next step, therefore, is to educate users to give them the knowledge and ability, and to make the technology and environment that will provide them with the opportunity available to the majority of users.

For more information:

The Human Side of IT Security

Organizational Security Culture

Securing the Network against Inevitable Human Slipups

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don't necessarily represent Dell's positions or strategies.

Improving software development security at CodeMash 2014

I will be delivering two lightning talks at CodeMash 2014 titled "Maximizing Technology Adoption ROI" and "Data Breach Lessons from 2013". Even those who have not attended the talk can view the talks here.


Cyber Forensics: Collecting evidence for today's data breaches | NEO ISACA

NEO ISACA has monthly meetings, and its membership is primarily IT Auditors, with a number of IT Security Professionals from companies based in and around Cleveland. At each meeting, we get together to discuss a variety of pertinent IT topics, with a speaker leading the discussion. This month I will be leading the discussion on cyber forensics.

Many forensic techniques focus on obtaining data from local machines, servers or data storage equipment, but evidence for modern attacks often resides in many places, and the techniques for obtaining this data go beyond those used in the typical forensic investigation. In this presentation, ISACA members will learn about:

  • Detecting intrusions
  • Network evidence
  • Attack pattern analysis
  • Statistical flow analysis
  • Traffic analysis

View the ISACA event.

Companies must know what they don’t know

The EU Information Commissioner's Office (ICO) has stated with its recent fine for Sony of £250,000 that lack of knowledge of a data breach is no longer an adequate defense. This fine was given not because of actions Sony took on breaches they knew about but on their lack of knowledge of breaches that the EU deems they should have known about due to the technical knowledge and resources available at Sony.

To claim that you cannot act on vulnerabilities that you do not know of has been a common defense and one that seems rational and logical to most companies, but the ICO's recent fine suggests that it is unlikely to work in the future. This sort of thinking would be an inhibitor to security initiatives because once you know about a problem, you have to make a determination as to the risk it presents and how you will deal with it.

So how do you know what you don't know? This has been a question for centuries but in this case, the expectation is that companies will perform activities such as regular risk assessments based on data collected from vulnerability scans to identify security controls that can reduce risks to an acceptable level and that they will monitor equipment to detect anomalous behavior. The tools to perform these activities are easily available and various open source options can be implemented at a low cost to the company. However, it will take someone experienced with risk assessment and the tools used to make the data obtained from them actionable. Consider using a security consultant if this is not a skill your company has in-house.

Social Media – After the Breach | American Bar Association

Considerable effort can go into stealing personal and company information, but more and more individuals are just giving it away. Today, communication in the workplace has moved to Facebook walls and office gossip is tweeted around the world. YouTube videos portray "behind the scenes" footage giving the entire world a glimpse into what once was restricted to employees and an occasional guest. Cast out into the Wild West of time and space that we call the Internet is all manner of private information, both personal and corporate. Telephone numbers, important contacts, addresses, social security numbers, banking and financial data, birth dates, private medical information, and even corporate decisions and strategy are readily and easily available. Moreover, comments made in a personal, trusting setting are now sent into the vast beyond, where they can remain permanently. Read more in the article published in the ABA by me and Timothy Opsitnick.

The Bot stops here: Removing the BotNet threat | Public and Higher Education Sector Security Summit

Academia is a potential breeding ground for botnets but don't despair. Take back your network. This presentation will examine the botnet life cycle and history of botnets leading into techniques for detecting and disrupting botnets in your network. It was presented at the 2012 Public and Higher Education sector security summit. This summit features a full day of talks, presentations, and workshops dedicated to information technology and IT security professionals serving in this economically and socially important sector. We will also present a vendor trade show featuring technology and consulting solution providers. All attendees and vendors are invited to attend an evening reception at the end of the Summit.

This year's theme is: "IT Means Business in Government and Higher Education" and will include sessions on IT, IT Security, IT Business Management, Compliance, and Legal issues. The Summit will take place Wednesday, April 25, 2012 at LaCentre in Westlake, Ohio. LaCentre is located at 25777 Detroit Road, between Canterbury and Columbia Roads. The facility is easily accessible from Interstate 90.


Four keys to successful BYOD | Eric Vanderburg | Network World

The bring your own device (BYOD) movement formally advocates use of personal equipment for work and obligates IT to ensure jobs can be performed with an acceptable level of security, but how can risks be addressed given the range of devices used and the fact that you lack control of the end point? Companies looking to embrace BYOD — 44% of firms surveyed by Citrix say they have a BYOD policy in place and 94% plan to implement BYOD by 2013 — need to address four key areas:

1) standardization of service, not device
2) common delivery methods
3) intelligent access controls
4) data containment

Read the full article here:

Creating a Culture of Information Security | Information Security Summit

Shouldn't companies and employees understand the importance of security and be "on board" with at least minimal security procedures? After all, how many times have you heard or told others of the importance of a strong password? Reality seems just the opposite. Resistance to security is strong in many organizations despite initiatives to educate on risks and the importance of security. So what obstacle might be preventing adoption of security initiatives in your company?

Organizational culture.

Organizational culture is made up of the values, attitudes, and beliefs within the organization. It, like the subconscious mind, guides decision making, receptiveness to certain ideas, and company direction in many areas including information security. Culture can make or break information security. The good news is that culture can be shaped.

In this presentation, Eric Vanderburg gives practical advice on fostering an organizational culture that promotes information security leading to more effective protection of the data, systems, and people necessary for success.