Security Intelligence: What are the new security features of Windows Server 2016?

Windows Server 2016 became commercially available on Oct. 12, 2016. The new operating system includes a few noteworthy and important security features, such as a bare-bones Nano Server to reduce the potential attack surface, a more protected hypervisor that can run encrypted virtual disks, minimal administration to bring the principle of least privilege to remote PowerShell environments and more.

You can read my summary of these and other security features in my post for IBM’s SecurityIntelligence blog here.
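The least-privilege feature mentioned above is Just Enough Administration (JEA). As an added example, not code from this post or from Microsoft, here is a minimal JEA endpoint for Windows Server 2016 that lets members of an assumed "CONTOSO\DnsOperators" group restart the DNS service and nothing else; the module name, paths and group name are all assumptions.

```powershell
# Added example (not from the post): a minimal JEA endpoint. Module name, paths
# and the CONTOSO\DnsOperators group are assumptions for illustration.

$ModulePath  = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DnsOps'
$CapDir      = Join-Path $ModulePath 'RoleCapabilities'
$Transcripts = 'C:\JEA\Transcripts'   # assumed location for session transcripts
New-Item -ItemType Directory -Path $CapDir, $Transcripts -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModulePath 'DnsOps.psd1') `
    -Description 'JEA role capabilities for DNS operators (assumed module)'

# Role capability file: the allow-list of what the role can run. Restart-Service
# is exposed only with -Name DNS; every other cmdlet stays hidden.
New-PSRoleCapabilityFile -Path (Join-Path $CapDir 'DnsOperator.psrc') -VisibleCmdlets @(
    'Get-Service',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
)

# Session configuration: RestrictedRemoteServer strips the default cmdlets and
# language features; RunAsVirtualAccount runs commands under a transient local
# admin identity, so the connecting user needs no standing admin rights.
$Pssc = Join-Path $env:TEMP 'DnsOps.pssc'
New-PSSessionConfigurationFile -Path $Pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $Transcripts `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }

# Validate the file before registering it, then expose it as the "DnsOps" endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $Pssc)) {
    throw "Invalid session configuration file: $Pssc"
}
Register-PSSessionConfiguration -Name 'DnsOps' -Path $Pssc -Force | Out-Null

# A DnsOperators member connects with:
#   Enter-PSSession -ComputerName <server> -ConfigurationName DnsOps
# and sees only Get-Service, Restart-Service -Name DNS and the handful of
# built-in session cmdlets; every command is recorded in $Transcripts.
```

Two design choices matter here: the role capability pins parameter values (ValidateSet), so the operator cannot restart an arbitrary service, and the transcript directory gives the defender a per-session record of what was run through the endpoint.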

The view from a former state agency CIO: David O’Berry

David O’Berry is a former CIO at a state agency with 1000 employees; he now works for a security vendor. To give you an idea of his credentials, he holds CISSP‑ISSAP, ISSMP, CCSP, CRISC, CSSLP, MCNE, CSPM and CRMP certifications!

He met his wife in college when a virus erased his senior thesis text and backups: luckily she was both a fast typist and a good sport. “That was by far the most expensive virus of my entire career!” Later on he had to attack another floppy-based virus, which was difficult because he had to run around the office finding infected disks and literally destroying them. He also faced down the Nachi/Welchia worm, which infected a PC that was not patched because the user was out on maternity leave.

“When I was a CIO, imaging software probably saved us the most time and had the strongest impact initially along with mail filtering products and endpoint management tools for remote control. Besides these products, I believe that standardization of what we did and how we did it had the single largest impact on our organization being able to progress as rapidly as we did with as limited resources as we had.”

For fighting insider threats, “you have to have contextually aware DLP and scanning products as well as what I call ‘Distributed Peer Review’ by the nodes that attach to the environment. Each node has to contribute to the survival of the organism by being a sensor in the larger scheme of things.” He has seen plenty of ransomware, and feels that “first and foremost it is a test of backup and recovery plans. Having a known state in that area fell out of vogue for a while but now it is more important than ever even if it seems like boring blocking and tackling.”

At his current employer, “we do use MDM and they also allow BYOD. As a former CIO, we had not adopted BYOD when I left but had made the entire workforce mobile and managed it accordingly. We also had implemented Imprivata for its single sign-on package.”

When it comes to securing the cloud and his cloud-based servers, “there are similar challenges to what we have been pursuing since the dawn of time. Visibility is king. Constructs that give you real-time visibility give you the edge over any other type of product when coupled with real-time mitigation and resilience.”

Now that he is on the vendor side, “I would say that the state of cybersecurity has gotten a lot worse since I made the jump because the pace of innovation and change has hit a vertical level and never stops. Malware creators have become more and more adept at how to attack the exploding number of devices. I believe we have a chance to get out in front of the next phase of this, but to do so we have to share information in real time as well as allow companies to participate without artificial barriers to entry. However, our window of opportunity is closing rapidly.”

The different worlds of digital and analog entertainment options

What do the TV series House of Cards, Moneyball pitcher Chad Bradford, women’s erotica purchases, YouTube Spaces and Harrah’s casinos have in common? I will explain in a moment, as you mull over each of these situations.

In a new book entitled Streaming, Sharing, Stealing: Big Data and the Future of Entertainment, two Carnegie Mellon professors present years of research into the book publishing, movie-making, television and music industries and how they treat their customers, their artists, and their data. Their conclusions will both surprise and delight you, and I would urge you to buy this book and read it carefully.

Let’s go back to our intro. In February 2011 the producers of the show House of Cards approached several cable TV executives to get their show green-lighted. Political dramas weren’t popular, and the execs passed. As you all know, Netflix acquired the rights to the series, but what you may not know is that they paid the production company $100 million for a two-year commitment for the series, rather than buying a single pilot episode.

Why did they do this? Because they knew exactly what their customers’ viewing habits were. They created multiple trailers to promote the series:

  • one for Kevin Spacey fans,
  • one for customers that liked “strong female lead actors,” as they characterize those types of movies,
  • one for fans of David Fincher’s movies,
  • and another for the people who had rented the original BBC series on DVDs.

Netflix knew exactly which people would want to watch the series, because it had all the data about their viewing habits. And we all know what happened: Cards became a hit, and is filming its next season.

The authors question the generally held belief that delaying the release of a movie via DVD rental or online stream hurts sales, or that selling a paperback or ebook hurts hardcover sales. What they found is that there are two separate audiences for content: those that have “crossed over” to the digital world aren’t coming back to the analog world. Delaying an ebook resulted in almost no change in hardcover book sales. Delaying a digital movie release after the physical DVD date could cut digital sales by half. Digital and analog are different products, and operate in different universes. “When digital customers couldn’t find the product they wanted to buy when they wanted to buy it, many of them simply left, and didn’t come back. They are either pirating their content or consuming other types of content on Netflix et al.”

The digital world grew out of a “perfect storm” coincidence of three megatrends: the Internet and better broadband, the rise of digital content such as MP3s and downloadable apps and movies, and lower-cost PCs that were usable and affordable. This created so much turmoil that the existing entertainment industries couldn’t cope.

Take women’s erotica, and other specialty genres in the book-publishing world. These books used to be difficult to find, with only a few stores carrying more than a couple of titles, often hidden on selected shelves. But with Kindles and other ereaders, people can buy what they want without having to show the world their tastes. When the first 50 Shades book was written, it was self-published. Fans through online communities promoted it before it became a blockbuster hit.

What about YouTube Spaces? These are video production facilities that anyone who has a sufficiently large audience can book and use. Think of it as WeWork with a soundstage and digital editing bay, but for free. There are classes on all sorts of production techniques. They are located in major cities around the globe, all with the goal of improving the quality of YouTube videos. (Here is a tour that The Next Web took a few years ago of their LA studio.) Such a thing wouldn’t have been conceivable just five or ten years ago.

And then there is Moneyball and the pitcher Chad Bradford. He had a quirky pitching style but incredible power as a pitcher. However, the stats normally used by most baseball scouts didn’t capture his performance, and he was overlooked by most of the teams. He was finally signed by Oakland and delivered for a couple of years. Eventually, though, the other baseball teams got their Big Data act together and Oakland’s advantage evaporated.

Moneyball illustrates another issue: the culture in tech firms differs from those of the entertainment firms such as major studios or book publishers. “Companies such as Google, Amazon and Apple don’t make gut feel decisions – they make quantitative decisions based on what their data tells them.” Once the digital platforms have learned their customers’ preferences, they can market products directly to them, based on what they watch, read, and listen to. They can design specific promotional campaigns to speak to specific groups, and even target new customers.

One final example is Harrah’s casinos. Back in 2000, the company was doing well. It operated in more markets, and was very profitable. But the gambling landscape was changing: more casinos were being built across the country, often as destination resorts that included show rooms, luxury-themed shopping malls and five-star restaurants. Harrah’s had to pivot from operating independent casinos to integrating them in a single business that looked closely at its customers’ data and who did what where on its properties. It had to focus on extracting value from that data, and in a way that built customer loyalty countrywide. And contrary to the provincial assumptions of its local property managers, using this central data repository and analytics it was able to increase revenues, promote cross-market players, and design new loyalty programs to increase its overall customer base.

The overall moral of this book: entertainment companies are going to have to take control over the customer interface and their customers’ data if they are going to be successful. It should be required reading for any digital marketer.

FIR B2B #57: Shelley Harrison on marketing for startups

In this episode, Paul and I talk to Shelley Harrison, owner of LaunchPad. She has helped start more than 200 tech companies over the years, including cc:Mail (acquired by Lotus), Socialtext (acquired by PeopleFluent), Postini (acquired by Google), Vermeer (acquired by Microsoft) and others. She often follows a serial entrepreneur from startup to startup, and spoke to us about what makes for a great partnership between founder and director of marketing. She offers plenty of advice, including what attributes the serial entrepreneurs she has worked for over the years have in common that make for compelling marketing of their businesses: she presents a very long list, one that has come together at only a fifth of the companies she has worked for. And she talks about what happens when a marketer’s advice conflicts with the founder’s vision, and the people whom she has been able to persuade, or at least get to listen to her point of view. You can listen to the 20-minute podcast here:

FIR B2B #56: The art and science of international marketing with Frank Cutitta

Frank Cutitta has been around the tech industry for decades, and one of his plum assignments was managing the international expansion of IDG properties during the company’s glory days. As a result, he has been to more than 100 countries and understands how to adjust your marketing plans and messages accordingly. In this 27-minute podcast, we spoke to him about what marketers need to know to work with non-American audiences and product teams, and how they should become more sensitive to local customs and ways of doing business. Listen to the recording here:

iBoss blog: Why Grammar Counts in Decoding Phished Emails

When it comes to crafting the “best” phishing email scam letter, over the years it has been assumed that the less polished a letter, the better. Having something that is poorly worded, or purposely uses bad syntax and grammar tends to eliminate the sharper-eyed readers who probably wouldn’t respond to the phish anyway. This way the phisher ensures that only the most gullible users will end up getting snared.

However, the tide may be turning, and finally grammarians might be gaining the upper hand. A new theory is that correct grammar gets better results these days. My blog post for iBoss has the details about how the French are leading the charge.

Speaking gigs as part of cybersecurity awareness month

October is cybersecurity awareness month and I am giving a speech at several locations around town to do my part. The speech draws on several blog posts that I have written recently about the debate between security and privacy, and covers the following topics:


The speech will be given this week at St. Louis’ America’s Center SecureWorld conference and as part of a special month-long series of activities at Fontbonne University, including this St. Louis chapter meeting of ISACA. You can download my presentation here.

Network World review: Check Point Sandblast technology

Check Point has long been known as a firewall company, but it is reaching beyond its roots with a new series of protective technologies under its SandBlast line. SandBlast has been around for several years, but received several significant updates over the past year to make it a truly effective endpoint protection product that can handle a wide variety of zero-day exploits across your entire enterprise, such as this backdoor exploit from China that it detected moments after we installed the product.


You can read my full review here (reg. req.)

The view from a non-profit CIO.

Being the CIO of a non-profit gives you an entirely different perspective in terms of managing people, resources, and technologies.

David Goodman would know. He has been involved with managing IT operations for different non-profits for most of his professional career. He used to be the CIO of International Rescue Committee, and currently is the CIO-in-Residence at NetHope, an umbrella organization that is a resource for some of the world’s largest non-profit aid organizations.

“The biggest challenge for non-profits about IT is that few people understand it in that context. We usually don’t have any roadmap or a sizable staff for how we are going to implement any new technology. Many organizations don’t have any dedicated infosec staff, or if they do they only have one person for this task.”

Often, IT takes a hit from unplanned consequences that have more to do with where the non-profit is located than with the technology itself. For example, he tells the story of a nonprofit that opened an office in a very insecure country. “We opened an office there to help benefit refugees, which is our mission. We made connections with the local militia to make sure that we were permitted to do this and didn’t have any issues until one day our office was overrun by the militia and our people were taken hostage. They didn’t like what we were doing. While that doesn’t happen too often, it was pretty scary for our staff and volunteers. They took all of our computing equipment. Eventually, we were able to get them to release everyone, although two Americans were held in a hotel for a few extra weeks.”

Planning for this situation is a challenge, as you might expect. But the office had no incident response frameworks, no security policies. “There were passwords written on whiteboards. There were staffers using personal Skype accounts to communicate with headquarters. Because all the laptops were stolen, the rebels were using the staff’s personal Skype accounts that were set to autologin and were sending messages impersonating the staff. They couldn’t easily shut down these personal accounts.” Eventually all personnel returned safely and everyone was accounted for. But they lost all their equipment: “that was never seen again.”

Few IT managers or CIOs have to deal with this kind of situation. “It is pretty nasty stuff, and it is because of the nature of how many international nonprofits operate and the places they have their offices are often in conflict areas. This means we don’t just worry about IT security, but the safety of the staff too.”

Here is another example. At one international nonprofit, he wanted to improve the organization’s password policies. The issue was that many of the staffers are scattered around the world and don’t regularly login to their enterprise Active Directory domain controller which meant that staff didn’t get regular notifications of expiring passwords. “So for the field staff, we set their domain passwords not to expire. As you might imagine, this wasn’t great infosec policy, so I tried to implement a better one that had complexity and change management built-in. I got buy-in from senior management and approval from the CEO. We were ready to implement it, and I sent a reminder email to some of the affected parties, including the CEO.”

Suddenly the CEO scuttled the whole idea: “He told me that he had been using the same password for more than 30 years and wasn’t about to change it now. So the very straightforward and approved password policy was shelved, and there are probably still hundreds of people using non-expiring passwords around the organization.” Goodman couldn’t get him to understand why a better password policy matters.
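The first step toward fixing the situation Goodman describes is knowing how many such accounts exist. As an added example, not code from the article or from NetHope, here is an Active Directory audit that lists enabled users whose domain password is set to never expire and flags those whose password is older than an assumed threshold. It requires the RSAT ActiveDirectory module; the threshold, search base and output path are assumptions.

```powershell
# Added example (not from the article): audit enabled AD users with
# non-expiring passwords. Threshold, OU and output path are assumptions.
Import-Module ActiveDirectory

$MaxAgeDays = 90                                # assumed maximum password age
$SearchBase = 'OU=FieldStaff,DC=example,DC=org'  # assumed OU; drop -SearchBase to search the whole domain
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# PasswordNeverExpires is a filterable property, so the directory does the
# narrowing rather than the client pulling every user object.
$Accounts = Get-ADUser -SearchBase $SearchBase `
    -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate

$Report = foreach ($u in $Accounts) {
    [PSCustomObject]@{
        SamAccountName  = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        LastLogonDate   = $u.LastLogonDate
        # A null PasswordLastSet means the password was never set or "must change
        # at next logon" is pending; treat both as stale along with old ones.
        StalePassword   = ($null -eq $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $Cutoff)
    }
}

$Report | Sort-Object PasswordLastSet | Format-Table -AutoSize
$Stale = @($Report | Where-Object StalePassword).Count
"{0} enabled accounts with non-expiring passwords, {1} with a password older than {2} days" -f `
    @($Report).Count, $Stale, $MaxAgeDays

# Keep a dated copy for the audit trail.
$OutFile = Join-Path $env:TEMP ("nonexpiring-{0:yyyyMMdd}.csv" -f (Get-Date))
$Report | Export-Csv -Path $OutFile -NoTypeInformation
```

The report gives management a number rather than an abstraction. The underlying problem in the story, field staff who never see expiry notices because they rarely authenticate to the domain, is better handled with a fine-grained password policy applied to a group of those accounts (`New-ADFineGrainedPasswordPolicy`) than by exempting them from expiry entirely.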

All is not gloom and doom however. At NetHope, he is working with a number of major donors, including the Gates Foundation and MasterCard International, to create non-profit specific security controls that can be used for guiding IT auditing and compliance. “We will have a set of best practices on how to appropriately secure critical data, all based on existing standards like ISO, NIST, and PCI. We will also provide implementation guidance so that nonprofits without dedicated info sec staff — which is nearly all of them — will know how to implement these controls.”

Like what you are reading?

Subscribe to Inside Security!

The view from a small college CIO: Infosec is getting harder to do.

Ravi Ravishanker is the CIO and Associate Provost at Wellesley College in Massachusetts. He has been in IT for many years, and supports an organization with more than 1400 faculty and staff. I spoke to him in September 2016. “Information security has continued to be one of the highest priorities for every one of the IT organizations I have worked for. The only difference is that it has become harder and its relative importance compared to the other things we have to do has gotten higher, which results in much higher resource allocation to security across the entire institution.”

He recalls back in 1986, when he began his IT career. He was writing code in assembler for a VAX VMS. This was done to make it faster to execute. “However, we made a programming error to have one user send a file to another using TCP/IP. Because of an internal security lapse, the students found out they could send someone else’s files using our program. It didn’t take long to fix the problem, fortunately.” Coming into the modern day, he finds that vulnerability scanners are one of his most important security tools. “This is because they expose vulnerabilities about network ports that shouldn’t be open. Similarly, scanners that test our web apps for a range of vulnerabilities are also essential.”

“We realize that given our limited resources, we have to be very diligent. First and foremost, data and network security needs to be a priority for everyone in the IT organization, not just a select group of security administrators. Also, security is a joint partnership between IT and our users; it is a shared responsibility of the entire enterprise. If our users aren’t following best practices, they can expose our enterprise to data security issues. Security is a critical part of everything that we do.”

To date, he hasn’t seen much in the way of insider threats at the college. “People in higher education have a sense of loyalty to the institution, and we place a lot of trust in our employees. While insider threats are always a potential issue, we are in a space where it is minimal.”

The college has moved into the cloud and continues to increase its cloud footprint. “We try to do as much due diligence when we sign up with a new provider and make sure that they are giving us the security that we need. We thoroughly review the contracts and agreements from security and compliance perspectives before signing up with a provider.”

“We are a fairly small IT organization and currently our user services, which manages desktop support, and the systems and network groups are all under one director. This works really well in terms of information exchange between the groups and easy access to the systems and network engineers. However, we recently decided to reorganize this group and we hope that this relationship will be preserved because this relationship is critical from an information security perspective.”
