Book review: You’ll see this message when it is too late

A new book from Professor Josephine Wolff at Rochester Inst. of Technology called You’ll see this message when it is too late is worth reading. While there are plenty of other infosec books on the market, to my knowledge this is the first systematic analysis of different data breaches over the past decade.

She reviews a total of nine major data breaches of the recent past and classifies them into three different categories based on the hackers’ motivations: those that happened for financial gain (TJ Maxx, the South Carolina Department of Revenue and various ransomware attacks), for cyberespionage (DigiNotar and the US OPM) and for online humiliation (Sony and Ashley Madison). She takes us behind the scenes of how the breaches were discovered, what mistakes were made and what could have been done to mitigate the situation.

A lot has already been written on these breaches, but what sets Wolff’s book apart is that she isn’t trying to assign blame but to dig into their root causes and link together the various IT and corporate policy failures that led to the actual breach.

There is also a lot of discussion about how management is often wrong about these root causes or the path towards mitigation after the breach is discovered. For example, then-South Carolina governor Nikki Haley insisted that if only the IRS had told them to encrypt their stolen tax data, they would have been safe. Wolff then describes what the FBI had to do to fight the Zeus botnet, where its authors registered thousands of domain names in advance of each campaign, generating new ones for each attack. The FBI ended up working with security researchers to figure out the botnet’s algorithms and be able to shut down the domains before they could be used by the attackers. This was back in 2012, when such partnerships between government and private enterprise were rare. This collaboration also happened in 2014 when Sony was hacked.

Another example of management security hubris can be found with the Ashley Madison breach, where its managers touted how secure its data was and how your profiles could be deleted with confidence — both promises were far from the truth as we all later found out.

The significance of some of these attacks wasn’t appreciated until much later. For example, the attack on the Dutch certificate authority DigiNotar’s certificate management eventually led to its bankruptcy. But more importantly, it demonstrated that a small security flaw could have global implications, undermine overall trust in the Internet and compromise hundreds of thousands of Iranian email accounts. To this day, most Internet users still don’t understand the significance of how these certificates are created and vetted.

Wolff mentions that “finding a way into a computer system to steal data is comparatively easy. Finding a way to monetize that data can be much harder.” Yes, mistakes were made by the breached parties she covers in this book. “But there were also potential defenders who could have stepped in to detect or stop certain stages of these breaches.” This makes the blame game more complex, and shows that we must consider the entire ecosystem and understand where the weak points lie.

Yes, TJ Maxx could have provided stronger encryption for its wireless networks; South Carolina DoR could have used MFA; DigiNotar could have segmented its network more effectively and set up better intrusion prevention policies; Sony could have been tracking data exported from its network; OPM could have encrypted its personnel files; Ashley Madison could have done a better job of protecting its database security and login credentials. But nonetheless, it is still difficult to define who was really responsible for these various breaches.

For corporate security and IT managers, this book should be required reading.

CSOonline: How to set up a successful digital forensics program

IT and security managers have found themselves increasingly needing to better understand the world of digital forensics. This world has become more important as the probability of being breached continues to approach near-certainty, and as organizations need to better prepare themselves for legal actions and other post-breach consequences.

In this post for CSOonline, I describe the basics behind digital forensics, the kinds of specialized tools that are required, links to appropriate resources to learn more and a checklist of various decisions that you will need to consider if you are going to be more involved in this field. It is not just about understanding the legal consequences of a breach, but also in being properly prepared before a breach occurs. And something that you need to get your head around: lawyers can be your friends in these circumstances.

CSOonline: Top application security tools for 2019

The 2018 Verizon Data Breach Investigations Report says most hacks still happen through breaches of web applications. For this reason, testing and securing applications (the subject of my CSOonline article last month) has become a priority for many organizations. That job is made easier by a growing selection of application security tools. I put together a list of 13 of the best ones available, with descriptions of the situations where they can be most effective. I highlight both commercial and free products. The commercial products very rarely provide list prices and are often bundled with other tools from the vendor with volume or longer-term licensing discounts. Some of the free tools, such as Burp Suite, also have fee-based versions that offer more features. You can review my list in CSOonline here.

Fear of Facebook: becoming social, but only behind our keyboards

As many of you know, for the last several years I have been doing a regular podcast with Paul Gillin on B2B marketing trends. Gillin has been in tech journalism for more than 30 years, having run Computerworld and TechTarget and written numerous books. It is a fun gig, and we offer a lot of insight, and you should subscribe if you are interested in the overall topic.

In our latest episode, we return to talking to Dan Newman, who is a very insightful guy for someone who was born around the time both Paul and I started in IT. Newman said one thing that I want to expand upon here. We were talking about the rise of customer self-service portals and methods, including using chatbots as a tool to provide quick answers. He thinks this is an indication that “We have become more social, but only behind our keyboards.” That is an interesting phenomenon.

I would amend that position to say not only have we become more social, but more critical to a fault thanks to our consumption of online social networks. You could lay the blame on Reddit, as this recent book does. (We are the Nerds, as reviewed in the NY Times here.) A better title for this book, as the reviewer David Streitfeld states, should be “We are the Trolls” and suggests its tag line should be “Two inexperienced young guys created something they didn’t understand and couldn’t control.” He writes, “the lack of adult oversight; the suck-up press; the growth-at-any-cost mentality; the loyal employees, by turns abused and abusive” all contributed to its offensive snark. In the end, it didn’t matter. Forget about connecting the world, or doing good, or bringing a voice to the disenfranchised. Reddit is a $2B media property, and in the Valley, money is what eventually matters.

That is a common theme for many tech companies, and it seems we are seeing the same effect happening down Highway 101 at the Facebook campus. You should watch the two-part Frontline series this week about Facebook. During the program, you will see how, in the process of connecting the world’s populace, it has inflamed their worst passions and stoked their fears. It interviews several current and ex-employees. While the latter might have axes to grind, it is worth hearing their points of view. You’ll hear how Trump’s digital media manager spent $100M on Facebook ads before the 2016 election. If you haven’t thought about this before, it is worth viewing both episodes to see how much influence the company has had, and how poor Zuck’s leadership has been. The program also highlights the rise of “fake news” across Facebook, such as the companion posts claiming the Pope had endorsed either Trump or Clinton.

Think fake news is easy to spot? Take this quick quiz developed by the Newseum education staff. My wife and I tried it, and while we did reasonably well, we still got a couple of items wrong. Granted, we had a timed deadline to complete the quiz, and on some of them we just guessed. But we saw that it is harder than we both thought, even when you have been told to be on the lookout. Imagine how much harder this task is in our normal lives, consuming online media posts.

The Frontline program interviewed Facebook’s chief security officer Alex Stamos, who says, “Russia [through its advertising and fake accounts] wants to find fault lines in US society and amplify them, and to make Americans not trust each other.” Russians orchestrated two concurrent and co-located protest rallies in Houston, seeding participants on both sides. There is no question that Facebook is being used as an amplifier to promote hatred of all kinds. Just look at your own news feeds.

Farhad Manjoo’s column in the NY Times this week makes a case that Zuck is “too big to fail,” playing off the phrase used for the 2008 mortgage banking crisis. He mentions reports that tie Facebook posts to the Myanmar genocide, discriminatory advertising and multiple federal legal inquiries. He concludes by saying that either Zuck fixes Facebook, or no one does, like it or not.

But here’s the thing: as we become more social behind our keyboards, we can’t be as discriminating as we can when we meet people face-to-face. In embracing the self-service world, we are all doing ourselves a tremendous disservice too. Lies become truth, and democracy is turned inside out. It is time Facebook took responsibility for its power and role in this process.

FIR B2B podcast #108: Dan Newman’s 2019 tech trends for CMOs

Paul Gillin and I speak this week with Daniel Newman, author, speaker, millennial CEO and founding partner at Futurum Research. We were interested in a column he wrote for Forbes entitled How Will The 10 Top Digital Transformation Trends For 2019 Impact The CMO.

Dan highlighted a couple of the tech trends that will be essential items for CMOs to get their arms around in the coming year, including the transformation of data from machine learning to AI. “Analytics should be the CMO’s best friend,” he told us. “AI will allow for data-driven campaigns that will be guaranteed to work every time.”

Newman said data should play a pivotal role in marketing in the future, and that marketers shouldn’t worry too much about over-personalizing the message. Nobody ever complains when a brand provides too much value and can help drive purchases that customers want at any given moment. The trick is to find the right moment and to target customers accurately.

The European Union’s new General Data Protection Regulation will force changes in the way brands market in the coming year, he said. They will have to become more creative about not just getting customers to opt in but keeping them engaged. This means that companies are going to have to change the way they do lead development. They’ll need to know customers better in order to personalize content, because they’ll have less data to work with.

We had a particularly interesting discussion about chatbots as a mechanism for driving personal interactions. Newman sees us moving away from face-to-face moments, and the phenomenon isn’t limited to teens or Gen Xers. The rise of customer self-service is an indication that “We have become more social, but only behind our keyboards,” he said.

Another of his provocative predictions is that consumers will be able to use blockchain to, in effect, sell information about themselves to marketers. While Newman sees this technology as still immature, he believes its long-term potential is explosive.

Finally, as the average tenure for CMOs continues to decline, they will have to do a better job of managing expectations and develop tighter relationships with their CEOs. You can listen to our 24 min. podcast here.

HID ActivID Authentication Server: A very capable and comprehensive IAM product

If you are looking for a comprehensive identity and access management (IAM) tool that can cover just about any authentication situation and provide ironclad security for your enterprise, you should consider HID Global’s ActivID product line.

Even if you are an IAM specialist, it will take days and probably weeks of effort to get the full constellation of features set up properly and tested for your particular circumstances. There is good news though: you would be hard pressed to find an authentication situation that it doesn’t handle. It has a wide range of tools that can lock down your network, covers a variety of multifactor authentication methods and token form factors, and provides single sign-on (SSO) application protection.

If you are rolling out MFA protection as part of a larger effort to secure your users and logins, then the case for using HID’s product becomes very compelling.

I was hired to take a closer look at their product earlier this year, and came away impressed with the level of thoroughness and comprehensive protective features. You can download my report here and learn more about this tool and what it can do.

FIR B2B podcast #107: What LinkedIn’s Latest Sales Research Says About the State of B2B Marketing

When we last spoke to Justin Shriber, Vice President of Marketing for LinkedIn Sales and Marketing Solutions, in episode #87 last January, he offered some predictions about the upcoming year in B2B marketing. His forecasts turned out to be pretty solid, including closer alignment of marketing and sales functions and the growing importance of storytelling in promoting your brand. So we took advantage of a pitch for LinkedIn’s new State of Sales report to connect again. This third annual report examined how top sales performers – B2B in particular – are using technology and modern strategies to build trust with buyers and close more deals. The addition of buyer views this year makes the survey even more interesting reading.

The report found a resurgence of buyer interest in doing business with trusted vendors: 40% of sales professionals rank trust as the number one factor in closing deals — surprisingly rated above ROI and price.

There are also some interesting age breakdowns. Millennials are outperforming their peers in sales effectiveness pretty much across the board, the survey found. Young sales reps are tapping into marketing insights and using tech at higher rates than their elders to help them succeed. Of course, their quotas might be lower, as well!

Buyers who are decision-makers are least likely to engage with sales professionals who lack knowledge about their company (79 percent) and whose products or services are irrelevant to their company (76 percent). Understanding the buyer’s business is now table stakes for salespeople, Shriber told us. Of course, LinkedIn has some features that can help with that.

In this interview, we dig into a number of highlights of the survey as well as discuss trends LinkedIn is seeing in the use of its platform by sales pros. You can listen to the 20 min. podcast here.

How great collaborations occur

What do the Beatles, Monty Python, the teams behind building the Ford Mustang and the British Colossus computer, and the Unabomber manhunt have in common? All are examples of impressive and successful collaborative teams. I seem to return to the topic of collaboration often in my writing, and wrote this post several years ago about my own personal history of collaboration. For those of you that have short memories, I will refresh them with some other links to those thoughts. But first, let’s look at what these groups all have in common:

Driven and imaginative leadership. The Netflix series on the Unabomber creates a somewhat fictional/composite character but nevertheless shows how the FBI developed the linguistic analysis needed to catch this criminal, and how a team of agents and a massive investigation found him. Some of those linguistic techniques were used to identify the pipe bombing suspect from last week, by the way.

A combination of complementary skills. The Beatles are a good example here, and we all have imprinted in our early memories the lyrics and music by John and Paul. On the British code-breaking effort Colossus, that team worked together without actually knowing what each of them did, as I mentioned in my blog post. Another great example is the team that originally created the Ford Mustang car, as I wrote about a few years ago.

Superior writing and ideation. An interview that Eric Idle recently gave on the Maron WTF podcast is instructive. Idle spoke about how the entire Python team wrote their skits before they cast them, so that no one would be personally invested in a particular idea before the entire group could improve and fine-tune it. Many collaborative efforts depend on solid writing backed by even more solid idea-creation. There are a number of real-time online writing and editing tools (including Google Docs) that are used nowadays to facilitate these efforts.

Active learning and group training. A new effort by the Army is noteworthy here, and is what prompted my post today. They recognize that soldiers have to find innovative ways to protect their digital networks and repel cyber invasions. They announced the creation of a new cyber workspace at the Fort Gordon base (near Augusta, Ga.) called Tatooine, which refers to the Star Wars planet where Luke spent some time in the early movies. The initial missions of this effort will focus on three areas:

  • drone detection,
  • active hunting of cyber threats on DoD networks, and
  • designing better training systems for cyber soldiers.

Great communicators. Many of these teams worked together using primitive communication tools, before the digital age. Now we are blessed with email, CRMs, real-time messaging apps, video chats, etc. But these blessings are also a curse, particularly if these tools are abused. In this post for the Quickbase blog, I talk about signs that you aren’t using these tools to their best advantage, particularly for handling meeting schedules and agendas. In this post from September, I also provide some other tips on how to collaborate better.

Unique partnerships. All of my examples show how bringing together the right kinds of talent can result in the sum being bigger than the individuals involved. At the Army base, both military and civilian resources will be working together, and draw on the successful Hack the Army bug bounty program. On Colossus, they recruited people who were good at solving crossword puzzles, among other things. The Python group included Terry Gilliam, who was a gifted animator and brought the necessary visual organization to their early BBC TV shows.

Certainly, the history of collaboration has been one of fits and starts. As a former publication editor, I can recall that the teams I put together had some great collaborative efforts to write, edit, illustrate and publish the stories in our magazines. And while we continue making some of the same mistakes over again and not really considering the historical context, there are a few signs of hope too, as the more modern tools help folks over some of these hurdles. That has given me a solid appreciation for how the best kinds of collaborations happen. Feel free to share your own examples if you’d like.

CSOonline: What is application security and how to secure your software

Application security is the process of making apps more secure by finding and fixing vulnerabilities and enhancing the security of apps. Much of this happens during the development phase, but it also includes tools and methods to protect apps once they are deployed. This is becoming more important as hackers increasingly target applications with their attacks.

In the first of a two-part series for CSOonline, I discuss some of the reasons why you need to secure your apps and the wide variety of specialized tools for securing mobile apps, for network-based apps, and for firewalls designed especially for web applications. Next month, I will recommend some of these products.

Looking for a portable VPN? Don’t pick these products.

I have been testing some interesting devices to help you set up VPNs when you travel. By now most of you know not to connect to open WiFi access points, because your Internet traffic can be monitored, recorded, invaded, and used against you. The way to avoid these issues is to use a VPN. Until recently, you had a few different choices: install some software or bring your own VPN device. Both are more suitable for corporate networks, and aren’t all that easy to install and configure. These three devices attempt to make things easier for consumers. Sadly, none of them is quite up to the task.

Both the Butterfly and eBlocker are small hardware devices. The Butterfly has a USB end that fits in any USB AC power adapter. The eBlocker is a cube two inches on a side with its own Ethernet and power cables to connect it up. The Webroot product is only software. You’ll see I listed their prices above, and that is my first complaint: a consumer VPN should be priced transparently. Figuring out their prices shouldn’t take a combination of a CPA and a PI.

The appeal of the three products is their supposed ease of installation. However, I ran into problems on all of them. For example, the eBlocker is made in Germany, and the default menus are shown in German. If you want to change this to English menus, you have to learn enough German to navigate through the menu tree to find the switch to make this happen. The Butterfly is designed to operate with a simple open WiFi router. As you move about the world, you have to find and connect to one before you can establish your VPN connection. That is great, but you will have problems on other routers that aren’t completely open. For example, you’ll have issues if you connect to hotel or airport routers with captive wireless portals that require you to bring up a web form to acknowledge something. Also, there was no way to change the default password in any of its configuration menus, which seems like a major security shortcoming. The Webroot VPN was the easiest to install, since it was just software that runs in the background, but it had issues that I will get to below.

On all three, you can select various VPN endpoints for your traffic to appear to come from. With Webroot, you do this by clicking on the locations shown in a list. That has a lot of appeal — if it really worked as advertised. With eBlocker, you can also route your Internet traffic through the Tor network for even more privacy. I had issues with all of them when verifying the IP addresses with a public service, such as WhatisMyIP.com. They didn’t always work consistently, and despite conversations with each vendor, I couldn’t exactly tell you why.

Webroot also allows you to select a particular VPN protocol (like IPsec or PPTP) if you need to connect to a corporate VPN. That is a nice touch.

All three also do more than just set up a VPN. Webroot does rudimentary content filtering. eBlocker can anonymize your originating IP address and block ads in your browsing sessions. It has a privacy discovery page where you can see what kind of information is being collected from your browser session, if you need reminding.

Blocking ads seems like a great idea, until you run into lots of websites that won’t deliver any content to you until you unblock them. As an example, my hometown newspaper doesn’t allow any visitors from EU countries because of potential GDPR liabilities. (That is probably a canard, but still.) There is a whitelist to add sites to try to get around this, but it didn’t seem to always function as intended.

Using a VPN can also come in handy when you travel overseas and want to access content from the streaming video services. This is because the shows that we take for granted here in the US aren’t necessarily licensed for overseas viewing. For example, I was recently in Israel, where I was pleased to see that Amazon was streaming “The Man in the High Castle” but blocked just about every other one of its original shows. However, none of the VPN services of the three devices would work reliably in this situation. And with Webroot’s VPN engaged, I couldn’t access any Netflix content whatsoever. It could be because of cookies set on my computer, or because of how I registered for the service, or it could be something else. The bottom line: if you want to securely access your content when you travel, you can’t depend on any of these devices.

And that is why I recommend you don’t buy any of these three items, at least until each vendor does a better job with fixing the issues I mentioned above. Consumer-grade VPNs are a great idea, especially if you travel frequently. But they are still a challenge, unless you have an IT department standing by to assist you when you run into snags on the road.