Regaining Trust: What to do AFTER a Security Breach

In the past few years, it seems that large-scale data breaches have been occurring with depressing regularly. While it’s incredibly important to establish trustworthiness in any product, re-establishing trust after it has been violated is much harder to do. There is far less room for error when dealing with a customer base that already has reason for concern about an organization’s digital security.

untitledWhen breaches do occur, the best plan to regain trust is use webpages with plain language that contain plenty of specifics and constructive suggestions for issue resolution. In this article for UXPA Magazine, a professional journal for the user experience community, Danielle Cooley and I use the example of four recent breaches (Cici’s Pizza, Home Depot, Wendy’s Restaurants, and Omni Hotels) to see how each firm tried to regain its customers’ trust.

FIR B2B #61 podcast: The care and feeding of fake news

We  are awash in a sewer of fake news stories, and we only have ourselves to blame. It has become an epidemic, and a profitable one at that for these purveyors of click-bait that sound like the truth but are far from it. In this episode, Paul and David discuss why this has happened, who are the players who profit from these stories, and what the major web operators such as Google and Facebook can do about it.

Listen to the 12 minute podcast here:

iBoss blog: DDoS for sale: what is a booter or a stressor and why you should care

DDoS attacks are on the rise, and one of the reasons is the plethora of service providers that make it easy to mount your attacks, especially if you are a lazy or inexperienced criminal. Dozens if not hundreds of these pre-packaged booter or stresser  DDoS services make it a very profitable business and can generate thousands of dollars a week for these criminal operators.

You can read more in my blog post for iBoss here.

iBoss blog: The challenges and opportunities for managing the Internet of Things

The Internet of Things (IoT) has been in the news lately for facilitating numerous DDoS exploits across the planet. A global non-profit think tank called the Online Trust Alliance (OTA) has published a paper entitled IoT, a vision for the future. It outlines how the IoT can grow and thrive, especially given that “users’ confidence that their data is secure and private is at an all-time low.”

You can read my latest post for iBoss’ blog here.

Everyone is now a software company (again)

Several years ago I wrote, “everyone is in the software business. All of the interesting business operations are happening inside your company’s software.” Since then, this trend has intensified. Today I want to share with you three companies that should come under the software label. And while you may not think of these three as software vendors, all three run themselves like a typical software company.

The three are Tesla, Express Scripts, and the Washington Post. It is just mere happenstance that they also make cars, manage prescription benefits and publish a newspaper. Software lies at the heart of each company, as much as a Google or a Microsoft.

In my blog post from 2014, I talked about how the cloud, big data, creating online storefronts and improving the online customer experience is driving more companies to act like software vendors. That is still true today. But now there are several other things to look for that make Tesla et al. into software vendors:

  • Continuous updates. One of the distinguishing features of the Tesla car line is that they update themselves while they are parked in your garage. Most car companies can’t update their fleet as easily, or even ever. You have to bring them in for servicing, to make any changes to how they operate. Tesla’s dashboard is mostly contained inside a beautiful and huge touch LED screen: the days of dedicated dials are so over. These continuous updates are also the case for The Washington Post website, so they can stay competitive and current. The Post posts more total articles than the NYTimes with double the reporting staff of the DC-based paper. That shows how seriously they take their digital mission too.
  • These companies are driven by web analytics and traffic and engagement metrics. Just like Google or some other SaaS-based vendor, The Washington Post post-Bezos is obsessed with stats. Which articles are being read more? Can they get quicker load times, especially on mobile devices? Will readers pay more for this better performance? The Post will try out different news pegs for each piece to see how it performs, just like a SaaS vendor does A/B testing of its pages.
  • Digital products are the drivers of innovation. “There are no sacred cows [here, we] push experimentation,” said one of the Post digital editors. “It is basically, how fast do you move? Innovation thrives in companies where design is respected.” The same is true for Express Scripts. “We have over 10 petabytes of useful data from which we can gain insights and for which we can develop solutions,” said their former CIO in an article from several years ago.
  • Scaling up the operations is key. Tesla is making a very small number of cars at present. They are designing their factories to scale up, to where they can move into a bigger market. Like a typical SaaS vendor, they want to build in scale from the beginning. They built their own ERP system that shortens the feedback loop from customers to engineers and manages their entire operations, so they can make quick changes when something isn’t working. You don’t think of car companies being so nimble. The same is true for Express Scripts. They are in the business of managing your prescriptions, and understanding how people get their meds has become more of a big data problem. They can quickly figure out if a patient is following their prescription and predict the potential pill waste if they aren’t. The company has developed a collection of products that tie in an online customer portal to their call center and mobile apps.

I am sure you can come up with other companies that make normal stuff like cars and newspapers that you can apply some of these metrics to. The lessons learned from the software industry are slowly seeping into other businesses, particularly those businesses that want to fail fast and more quickly as their markets and customers change.

The changing nature of IT security: Bryan Doerr, CEO at Observable Networks

Bryan Doerr has been involved with tech companies for decades, most recently leaving Savvis/Century Link as their CTO before agreeing help bootstrap Observable Networks. I asked him to reflect back on his career and where the infosec industry is headed in general. “There is a lot of security industry maturation still to come, a lot of wood left to chop,” he told me in a phone interview last week. “While there are still some pockets of maturity here and there, they usually are only found with the largest companies who can afford it.”

Looking back more than a decade, the biggest change has been being able to deliver security as a subscription service, he said. “First we had pre-built security appliances, but lately we have seen managed detection and response services,” such as what his company delivers. “And it isn’t just a change in how protection is delivered, but how the subscription service can be more affordable for mid-market customers.”

Another big change is how end user customers finally are getting some benefit from sharing threat intelligence. “No one wanted to talk about where or how they were attacked and share these specifics with anyone else,” he said. This intelligence sharing has made the subscription service vendors more potent and compelling and has boosted the ability to respond effectively to threats.

“Ten years ago security was built on a simple idea: that we know about our attackers and threats, and through some means we could prevent those bad guys from getting inside our networks. Back then, we had a limited number of threats, so we could more readily recognize and block them. That is so far from where we are today. The fundamental nature of what is a threat and how attacks use technology has changed completely. The idea of tracking attack signatures makes a lot less sense when every attack is unique.”

Doerr agrees that the days of the perimeter being the sole point of defense are also long over. As an example, he points out the recent IoT botnet attacks.

One benefit from the last decade has been the move towards increasing virtualization. “This absolutely was a positive influence, and helped us to better design and operate more secure systems and more complex infrastructure,” he said. Before virtualization, we had too many different fiefdoms dedicated to particular circumstances. Each one had different configurations and staffs who were maintaining them. All of that variation left us vulnerable.”

But with virtual machines, “a lot of automation has been brought to bear to keep a consistent environment running. That means we can provision VMs, kill them off, and recreate them easily. This makes it more efficient to scale up and down and we don’t have to spend our time patching systems.”

Another issue is the nature of modern network traffic. “Our networks are becoming increasingly encrypted, we can’t even see what is going on over the wire and view the payloads, and this adds another layer of difficulty. Right now less than half of all traffic is encrypted, but it won’t be long before it becomes 100%. We won’t be able to readily examine any of this traffic, which will make networks harder to defend and detect exploits.”

When he was at Savvis, one memorable experience was upgrading one of their data centers. Thanks to a routing bug the entire data center couldn’t come back online. “We tripped over it on a Saturday, and didn’t immediately understand what we were doing. It was easy to miss a single use case that caused the problem. That was a humbling experience and gave me an appreciation of the magnitude of the business that we had running. You don’t feel it until something terrible happens and you see how significant these outages are.” The situation drove home the point that he needed to stay in touch with his technology and understand that it is not just an abstraction, but also a very real entity.

I asked him who had the better job, the CTO or the CIO? He was firmly behind the CTO position. “CTOs will have jobs for forever, because they help organizations understand the evolution of technology and anticipate the direction of that evolution. The CIOs still have some soul searching to do.”

Like what you are reading?

Subscribe to Inside Security!

Hacking 911 systems: an update

It isn’t often that there is a very short trajectory from an academic research paper to reality, but when it comes to hacking the 911 emergency phone network this is indeed the case. The paper was written earlier this year and first given to the Department of Homeland Security before being published online this fall.

The researchers from Ben Gurion University in Israel describe how an attacker could knock a 911 service offline by launching a distributed denial of service (DDoS) attack using a collection of just 6000 smartphones. While that is a lot of phones to gather in one place, it is a relatively small number when this is compared to computer-based attacks. And you don’t really need to gather them together physically: you can infect these phones with some malware and control them all remotely.

Like other DDoS attacks, phones (rather than computers) make repeated calls to 911, thereby blocking the system from getting legit emergency calls. It is a chilling concept, because unlike other DDoS attacks, the hackers aren’t just bringing down a website with large bursts of traffic: they could prevent someone from getting life-saving assistance.

In the paper, the researchers simulated a cellular network modeled after the 911 network in North Carolina and then showed how attackers could exploit it.

Now 911 attacks aren’t new: indeed, the DHS issued this alert three years ago and mentioned that more than 600 such attacks have been observed over the years. What is new is how easily the attacks could be launched, with just a few thousand phones and some malware to make it all work. Also, these previous attacks were launched against the administrative phone numbers of the alternate 911 call center, not to the actual 911 emergency lines themselves. If you are interested in how the 911 center operates, I posted a piece many years ago about this here.

There are other stories about hospitals and other businesses that have had their phone systems flooded with calls, blocking any business calls from being connected. And where there is fire, there is at least one security vendor to put it out or protect an enterprise network from being exploited by telephone-based DDoS attacks.

The problem is in the design of the 911 call centers. These centers have no built-in way of blacklisting or blocking callers: they want to be able to answer any call from anyone who has an emergency. Therefore, in the face of a large attack, they would have no choice but to answer each and every call. But let’s say we could implement such a service: that would prevent an unintentional owner of an infected and blacklisted phone from making a legitimate emergency call.

Well, that was the theory behind the paper. It didn’t take long before someone actually did it “in the wild,” as they say when an actual attack has been observed. Last month a teen was arrested for allegedly doing such an attack and is facing three felony counts. The teen, Meetkumar Hiteshbhai Desai, discovered an iOS vulnerability that was used for launching the attack and flooding a call center in Arizona. Now his phone supposedly was the only one used and it made just 100 calls in a matter of minutes. But that was enough to get the cops on his case.

It is distressing to be sure. But whether these attacks are done by script kiddies or by professional criminals, certainly the opportunity is there and very real indeed.

Why runtime application self-protection is critical for next gen security

raspToday most of us go about implementing security from the outside in. The common practice to define and then defend a perimeter isn’t viable any longer. With the added complexities of more mobile endpoints, agile development and more sophisticated malware, better protective methods are needed.

In this whitepaper for Vasco, I describe a method that is gaining traction by defending the actual apps themselves using runtime self-protection. RASP, as it is called, comes from a Gartner 2012 report, but is catching on with several vendors, including Arxan Technologies, HPE App Defender,, Lookout App Security/Bluebox, Prevoty, Vasco Digipass for Apps, Veracode and Waratek.

RASP can be a solid defense and a way to isolate and neutralize a potential threat, so you can operate your business safely in these uncertain environments.


The future of St. Louis can be found here

ranken-titleI am almost embarrassed to admit that I have lived in the Central West End neighborhood of St. Louis and never even known about one of the most vibrant college campuses around. I refer to Ranken Technical College, a school that sits just a mile or so from my home and has been operating for more than a century.

We used to refer to these sorts of places as vocational schools, as if they were less than a “real” college. But the tide of perception has turned. As I found out with my tour around campus from the schools’ president Stan Shoun, this is the real future of our city.

The private, non-profit school has more than a dozen different degree programs, spanning things like auto repair, architecture, carpentry, HVAC technology, IT, plumbing, and control systems. Each graduate gets on average five different job offers, and that is where you start to see the difference. Almost everyone is gainfully employed within six months, most getting paid more than $30k a year. The last job fair Ranken held had close to 400 companies recruiting their students, the largest such job fair in the state. That is the kind of college that I would want to go to!

While the school has sat in the same place for more than a century, it is no ivory tower. It is strictly a hands-on place, with the latest equipment for the students to get trained on. Students spent three hours in labs or in the various machine shops for every hour in the classroom.

auto-shopCar companies routinely drop off their latest models for the students to tear apart and put back together. Shoun makes a point of having his own personal car from whatever they have finished working on: his last car took 18 months to get street-legal again, after being totaled in an accident. The auto shop programs are the school’s largest: consider this was “new technology” back 100 years ago. One class works on tuning high-performance engines, as you can see in this photo.

img_2349The IT class that I visited was a set of students that had taken their Cisco CCNA exams, which all but one had passed. There were other computer labs scattered around the 23-acre campus, some being used for classes teaching computer-controlled equipment such as you see here for this metalworking rig.

They also learn on these custom workbenches that are built fcustom-workbenchor them: I have no idea what their purpose is, but it sure is impressive.  To top it all off, over the years students have built more than 60 single-family homes that ring the campus. That is probably more new construction than anyplace else nearby of that type. The campus is also growing: Shoun intends to increase the student body over time, as demand for these kinds of skills continues to rise. And he is opening new campuses too: Ranken has expanded to the western St. Louis suburbs to be a nearby GM plant, and another campus is opening about two hours south of the city near another auto parts facility.

And to help keep tuition reasonable, Shoun also is acting CEO on more than a dozen different “microventures,” run by the students. These are real operating businesses that dovetail with the school’s programs: the students get real-world experience so when they graduate they already have some solid skills and abilities. That is really smart, not to mention effective.

Given that many of these kinds of technical jobs are unfilled, Ranken clearly serves a need. I am glad that I stumbled across the place and got to see it first hand. If you would like a tour, I can set you up. You will see the future of St. Louis quite clearly as you walk around their campus.

FIR B2B podcast: do’s and don’ts of marketing research

Grant Gross’ excellent story in goes into more detail about why you can’t pin the exit polling failures of last week’s general election on big data. Paul and I use these failures as a starting point to discuss the lack of quality in survey research, particularly in the B2B tech marketing space. Both of us have been the recipients of lousy survey “results,” or more accurately, wishful thinking on the part of marketing and PR people. So save everyone’s energies: don’t produce these 200-person SurveyMonkey polls that have no real meaning. Better yet, when a reporter wants to see the survey instrument and the underlying methodology, send it. You’ll gain plenty of street cred and may even get some ink too.

Our recommendations are to pay careful attention to survey size, understand the sampling methodology, make use of a professional pollster or research analyst or statistician and learn from the experts.

Listen to our podcast here: