This has been quite a year for data breaches, with reports that numerous unsecured Amazon Web Services storage containers were inadvertently made public, a rise in hidden cryptomining malware, and lots of victims continuing to fall for ransomware and other botnet attacks. So, with that context, let’s look at what security trends 2019 could bring and ways to prepare for the coming year. I cover security awareness training, hiding malware in plain sight with fileless and other techniques, the rise of FIDO2 and better cloud security in my story in HPE’s Enterprise.nxt blog.
One of the best takeaways I got from attending the RSA Archer Summit 2018 this past September was to listen to customers tell their stories about their deployments. I have put together a series of tips based on this testimony from several IT managers who have been using the product for many years. Some of them have asked me to obscure their identity, but the message rings true. You can read their suggestions here.
Yes, just like last October, this month we celebrate National Cybersecurity Awareness Month. So let’s look at what happened in the past year since we last honored this manufactured “holiday.”
We started off 2018 with more than three million records breached by Jason’s Deli, moved into spring with five million records from Saks/Lord & Taylor and 37 million care of Panera Bread restaurants. May saw breaches from fitness tracking company PumpUp and clothing retailer Under Armour. July was a new low point with breaches from Ticketfly, the Sacramento Bee newspaper chain, and MyHeritage. And let’s not forget Exactis, with 340 million records placed online.
And there are many, many other companies who have been breached that I haven’t even mentioned. The issue is that with security awareness, you are only as good as yesterday’s response. In this post for RSA’s blog, I have several suggestions on ways to make this month more meaningful and actionable for IT managers.
Drupal is a leading open source content management tool that hosts a significant portion of the most popular websites on the internet. If you have not heard about the Drupal security flaws from earlier this year, then you need to take a closer look at what happened and start taking precautions to protect your own installations. You can read my post in IBM’s Security Intelligence blog here.
Many of you have written me since getting a similar extortion email over the past few months. The emails all have similar characteristics: they usually mention an older password that you have used on one of your accounts in the subject line, and then suggest that the sender is monitoring your computer with spyware and will send out some compromising information about you if they aren’t paid the ransom.
As I said back in July, these emails shouldn’t be answered, or even opened. The sad fact is that if you are still using something with this password, you probably should be motivated to clean up your act and do a better job with your passwords.
I usually tell my correspondents to use this as an opportunity to do two things. First, to install a password manager. I use LastPass but there are plenty of others. These tools make your logins more secure because you can create complex passwords that you can’t remember, and more importantly, you don’t need to remember them either.
The second item is to use an authenticator app on your smartphone. These apps are probably the best security you can use to protect your accounts. Google, LastPass, Microsoft, Duo, Authy, and numerous other vendors have free ones. They work in conjunction with a one-time code that changes every minute or so. When you login to your accounts with this app enabled, you have that amount of time to enter the code that is shown on your phone’s screen into the web form as part of your login process. If someone has your password, they won’t be able to see this code and properly login.
Even better than using these authenticator apps is to make use of a special FIDO hardware key. Both Google and Yubico sell them. They are more secure but less convenient, because you have to remember to have the key on you when you need to login.
Certainly, there are other alternatives to authenticator apps and keys. Some of you have enabled a different authentication process with your logins, such as using an SMS text message to receive these one-time codes. This is much less secure than either the authenticator apps or the hardware keys, because a hacker can arrange to send this code to their own phone. Sadly, many websites (such as my bank) only support codes sent via the SMS method.
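To make concrete how the authenticator-app codes described above are produced and checked, here is an added example that is not part of the original post: a Python implementation of HOTP (RFC 4226) and TOTP (RFC 6238), the algorithms the Google, Microsoft, Authy and Duo apps use, plus the verification a website would run at login. The shared secret is the published RFC test key (not a real account secret), the 30-second step is the RFC default, and the clock-drift window and replay check are assumptions about what a sensible server would do. The point the code shows is that the phone and the website each compute the code from a secret the attacker never sees, so a stolen password alone does not pass the check.

```python
"""Added example: how authenticator-app one-time codes are derived and verified.

Not code from the original post. Implements HOTP (RFC 4226) and TOTP (RFC 6238)
with the server-side check a login form would perform. The secret below is the
RFC test vector, used here purely so the output can be checked against the RFC.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / 6238 test secret (ASCII "12345678901234567890"); constructed, not a real key.
RFC_TEST_SECRET = b"12345678901234567890"


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret that enrollment QR codes carry (assumed format)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding apps usually strip
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    chunk = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(chunk % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the HOTP counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, now: Optional[float] = None,
                step: int = 30, window: int = 1, digits: int = 6,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the time-step counter that matched, or None.

    - `window` tolerates +/- one step of clock drift between phone and server.
    - `last_counter` is the counter of the last code this account accepted; refusing
      that step (or older ones) means a code seen over someone's shoulder cannot be
      replayed within the same 30-second period.
    - hmac.compare_digest keeps the comparison constant-time.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    if now is None:
        now = time.time()
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # same RFC key, base32 form
    for t in (59, 1111111109, 1234567890):
        print(f"t={t:>10}  code={totp(secret, t)}")
    # A login attempt with the right code, then a replay of the same code one step later.
    accepted = verify_totp(secret, totp(secret, 59), now=59)
    replayed = verify_totp(secret, totp(secret, 59), now=61, last_counter=accepted)
    print("first use accepted at counter", accepted, "| replay accepted:", replayed is not None)
```

The checker records the counter it accepted and passes it back on the next attempt; that, together with the small drift window, is what keeps a six-digit code both usable on a phone whose clock is a few seconds off and useless to anyone who captured it a minute ago.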
But here is the issue: apart from having authenticator apps and password managers, some of you are still writing your passwords down somewhere, and this is the most insecure thing you can do. Even if you keep a piece of paper in a locked safe, it is still less useful and less secure than the combination of password manager + authenticator app that I described above. That special piece of paper does you no good when you are across town from your office, for example.
There was this recent exchange on Twitter between Capital One and a customer, where the bank’s representative told the customer not to use a password manager. One person commented, “Hey Capital One! 1992 called. You need to hire a more up-to-date Security Officer.” Another recent study found that more than half of those surveyed were either unfamiliar with password managers or saw no need for them.
Some of you have gone to great lengths to store your passwords in your phone’s address book, using a special code that will jog your memory about which password you have chosen for a particular site. Given the way the mobile version of Facebook Messenger reads and distributes your contact data, this is also asking for trouble. It really isn’t worth the effort.
One of my readers called me about a month ago in a panic when he got the extortion email message. Once I calmed him down (he was up half the night worrying about it), we came up with a plan, such as I outlined above. I checked back with him recently and he did implement half of my suggestions. But he argued, “I can repeat my passwords on less sensitive accounts, because I don’t have anything to worry about with those accounts. There is nothing to steal here.” Wrong on these counts:
First, every reused password is another way for a hacker to worm their way into your digital life. Let’s say you purchase something from an online retailer, and never return to that site ever again. Meanwhile, you have forgotten that you saved your credit card on the retailer’s site, and then you have forgotten which retailer it was. When that retailer suffers a breach, your credit card is now at risk.
Consumers aren’t alone in reusing their passwords. A study for One Identity of 1000 IT professionals shows some poor security practices in place in several countries. They noted that admin passwords are often shared, among other bad practices.
Maybe you have a reused password for something blander, such as the account at your local library so you can download an ebook or two. Again, that library could be hit by an attacker, and that login could become compromised and reused on some other site. Hackers have automated routines that try username/password pairs across hundreds of websites, testing whether you have used them elsewhere. While the hacker may not steal anything of actual monetary value, they are stealing and using your identity. So just don’t reuse them, ever. Please.
Second, whatever system you have developed to avoid using a password manager doesn’t scale. The more websites you need logins for, the more likely you are to forget that you already used one of your favorite combinations. My password manager has more than 200 logins. Granted, I am an extreme case, but your digital life probably has dozens of logins too.
Third, you could argue that most modern browsers have password-saving features to make it easier to log in to websites, so you don’t need a password manager. Again, this gives you a false sense of security, particularly if your laptop or phone is lost or stolen. It is child’s play to read your saved password list on your device, and then you have a whole lot of hurt. When you install a password manager, you should turn off the password-saving feature in your browser to avoid conflicts.
All the password managers have automated checks to tell you when you are about to reuse one of your existing passwords. Why would you still have duplicates once you are using a password manager? Because you might not have changed all of your old passwords yet, and the manager is on the lookout for any that it already knows about and has squirreled away.
Finally, another nice thing about password managers is that you can have your logins available for all your devices, even if you move around from laptop to phone to desktop. It just makes a lot of sense to use them. So take some time, and get on board, and be secure.
There are more than 20 different coworking places in the St. Louis metro area where I live. I have been to many of them, even though I have my own dedicated office. Why? Because I want to be a part of the startup community and that is where many of them work. The spaces also are great meeting places.
Coworking spaces are useful for several reasons. When you travel, you have a place to set your laptop down and a nearby bathroom. If you just need a space for a few days or a week, you don’t have to go through the hassle of a monthly office rental. And if you have outgrown your dining room or spare bedroom in your home, and want something other than the local coffee shop, it might be time to investigate the local co-working scene.
There are a wide variety of operators, from the global, multi-city ones such as Spaces, WeWork and Industrious to smaller, one-off locations that are quirky and anything but corporate. Finding the right one can be a chore, but you should take the time to make sure it matches your needs.
Why a chore? When you begin your research, you will find out that it is hard to track down exactly what you will be paying for renting an office. This is a combination of factors: First, occupancy varies widely, and many places charge for different sized offices. Rates can also vary depending on how many people will be housed in any given office, although some places don’t care (within reason). Many of the operators want you to come in person to check things out, so they can give you the hard sell. So my first suggestion is you should make sure you know the costs and contracts up front. Here are some other tips:
- Understand whom you will be working next to. Are you interested in meeting people like you or unlike you? The choice is up to you. Some have private offices, some have shared private offices, and most have bullpen-style tables where several people work at close quarters. Make sure you understand what your actual space will entail.
- Check out their vibe and décor. The spots also vary in their vibe, and that will be the hardest thing to pin down if you are looking to plant yourself in one of them. Some are more intimate, which could work or not depending on where you sit on the introvert/extrovert scale. Lots of them have a Scandinavian design, and others range toward the artsy and funky, which could appeal to some. Some are enormous, such as Chicago’s 1871, which is located on the top floor of the Merchandise Mart. Some are small enough to house just a few people.
- What are the amenities besides a desk and Wifi? With some places, you pay extra for printers, coffee, a gym membership, using conference rooms, having a live human secretary to answer your phone, having a dedicated postal mailbox and a dedicated office phone number. You may not care or need any of these things. Take the time to figure out what is important to you and what that will do to the ultimate rental price.
- Where are you going to get lunch? This isn’t so silly a question. Some places are located in suburban office parks and you have to travel some distance to find food. Others are in downtown areas or in walkable neighborhoods.
- Can you try before you rent? One of the places near me offers a free day pass to check them out. But they also offer the most flexible pricing and usage plans: you can rent an office for a single day or a year, and there are a wide variety of floor plans and even an interesting hybrid shared but private office that has a locked door but can house a dozen people sitting at study carrels. Other places may not be as flexible or offer a complete array of rental terms. Some can be useful just for temporary team conference meetings too.
- How quiet or noisy are the spaces? In my travels around to these places, many people worked with headphones on to isolate themselves and concentrate. You may want to check this out if the ambient sound level is important to you. Of course, the noise level varies depending on how many people are there on any given day.
- Do you need 24×7 access to your office? Some of the properties offer this, some don’t, some charge extra if you want to enter after normal work hours. If this is critical, make sure you ask for the details.
- Are you a party person? Some try to foster more of a sense of community with after-hours events and lectures. Others are strictly utilitarian.
- Do you really need your own office? Many of us can work with a laptop and a cellphone and not much more. If you need a lot of stuff as part of your job, you need a private office to house it all. Some places have lockers that you can store your stuff in as part of their rental fee.
- Will you be going to your office more often than not? If you are going to be out and about, or only in town occasionally, then having one of these spaces could be economical.
- Is parking a hassle? Some places have free parking or include it in their rental fees; at others you are on your own or pay extra.
- Does the place have arrangements for co-working in other cities? Some of the larger operators, such as WeWork and Spaces, offer complimentary rentals in other cities in their networks.
This week Paul Gillin and I delve into details about the power of polarization in our podcast. Brands can certainly benefit, and this article shows exactly how Nike and Dick’s saw an increase in certain metrics after they took a particular political stand. Their experience shows that brands can reap benefits both from the positive and negative sentiment around a particular conversation. We wish more companies would take a stand on things that energize their most passionate advocates.
Next up is our favorite medium: podcasts. This story about how American Airlines turned an internal short podcast into a marketing benefit is worth noting. The podcast covers the behind-the-scenes thinking on airline policies. It was originally meant for employees, but executives decided to post the episodes publicly, saying “There really is no such thing as internal communications anymore.”
Speaking about podcasts, some media companies have begun to sour on using them. The problem is one of managing expectations, and that quality costs money. NPR’s “Serial” podcast is a good case-in-point: it was well done, but expensive.
We close this week’s show by talking about how the inevitable disappointment in voice (aka Alexa-based) marketing has set in, as witnessed by Marketing Week. Yes, the interface isn’t as intuitive as it could be, and certainly nowhere as comprehensive as typing on a keyboard. Plus, we all like to see the stuff we intend to buy, even if it is just a picture online. That reminds us of our favorite “Star Trek” clip of Mr. Scott, trying to use voice commands, only to end up typing on the keyboard.
You can listen to our 16min. podcast here:
Last month the US DoJ unsealed this indictment of a North Korean spy, Park Jin Hyok, who they claim was behind the hacks against Sony and the creation and distribution of WannaCry. It is a 170+ page document that was written by Nathan Shields of the FBI’s LA office and shows the careful sequence of forensic analysis they used to figure out how various attacks were conducted. In this post for CSOonline, I talk about some of the implications for IT managers, based on the extensive details described in the indictment.
We have a new co-working space in St. Louis that brings the total to six choices in my immediate neighborhood of the Central West End to locate your office. These are alternatives to renting your own office, or when your business has grown beyond your dining room and requires something more professional. Or when you need temporary conference space, or want to conduct a training session. They combine flexibility with the gig economy, and provide benefits and camaraderie too. I am a big fan of these places, even though I inhabit my own permanent office.
The new kid in the ‘hood is called Spaces and is part of a network of hundreds of sites located across the country and around the world. I wrote this review for Nicki’s Central West End Guide about them and its competitors. Surprisingly, it was hard to pin down prices on office rental. I also suggest a few things to think about when you are trying to choose your space that can apply no matter where you are located.
I wrote a series of blog posts at SaltConf18 in September 2018. SaltStack is a devops automation, remote control and orchestration tool that has a great deal of power and is used in some very large enterprise networks managing hundreds of thousands of servers. I also wrote white papers about their technology and its applications.
Here are links to the various pieces:
— I wrote this white paper which talks about typical use cases of the SaltStack Enterprise product and Salt’s key features.
— The relationship of the digital and physical worlds has never been closer, a post about Cyndi Tetro’s session.
— Examining how IBM Cloud and Cloudflare use Salt to manage their global networks (forthcoming)