CSOonline: How to beef up your Slack security

When it comes to protecting your Slack messages, many companies are still flying blind. Slack has become the defacto corporate messaging app, with millions of users and a variety of third-party add-on bots and other apps that can extend its use. It has made inroads into replacing email, which makes sense because it is so immediate like other messaging apps. But it precisely because of its flexibility and ubiquity that makes it more compelling to protect its communications.


In this post for CSOonline, I take a closer look at what is involved in securing your Slack installatio nand some of the questions you’ll want to ask before picking the right vendor’s product. You can see some of the tools that I took a closer look at too in the chart above.

Book review: The End of Trust

Last week the Electronic Frontier Foundation published an interesting book called The End of Trust. It was published in conjunction with the writing quarterly McSweeneys, which I have long been a subscriber and enjoy its more usual fiction short story collections. This issue is its first total non-fiction effort and it is worthy of your time.

There are more than a dozen interviews and essays from major players in the security, privacy, surveillance and digital rights communities. The book tackles several basic issues: first the fact that privacy is a team sport, as Cory Doctorow opines — meaning we have to work together to ensure it. Second, there are numerous essays about the role of the state in a society that has accepted surveillance, and the equity issues surrounding these efforts. Third, what is the outcome and implications of outsourcing of digital trust. Finally, various authors explore the difference between privacy and anonymity and what this means for our future.

While you might be drawn to articles from notable security pundits, such as an interview where Edward Snowden explains the basics behind blockchain and where Bruce Schneier discusses the gap between what is right and what is moral, I found myself reading other less infamous authors that had a lot to say on these topics.  

Let’s start off by saying there should be no “I” in privacy, and we have to look beyond ourselves to truly understand its evolution in the digital age. The best article in the book is an interview with Julia Angwin, who wrote an interesting book several years ago called Dragnet Nation. She says “the word formerly known as privacy is not about individual harm, it is about collective harm. Google and Facebook are usually thought of as monopolies in terms of their advertising revenue, but I tend to think about them in terms of acquiring training data for their algorithms. That’s the thing what makes them impossible to compete with.” In the same article, Trevor Paglen says, “we usually think about Facebook and Google as essentially advertising platforms. That’s not the long-term trajectory of them, and I think about them as extracting-money-out-of-your-life platforms.”

Role of the state

Many authors spoke about the role that law enforcement and other state actors have in our new always-surveilled society. Author Sara Wachter-Boettcher said, “I don’t just feel seen anymore. I feel surveilled.” Thenmozhi Soundararajan writes that “mass surveillance is an equity issue and it cuts across the landscape of race, class and gender.” This is supported by Alvaro Bedoya, the director of a Georgetown Law school think tank. He took issue about the statement that everyone is being watched, because some are watched an awful lot more than others. With new technologies, it is becoming harder to hide in a crowd and thus we have to be more careful about crafting new laws that allow the state access to this data, because we could lose our anonymity in those crowds. “For certain communities (such as LBGTQ), privacy is what lets its members survive. Privacy is what let’s them do what is right when what’s right is illegal. Digital tracking of people’s associations requires the same sort of careful First Amendment analysis that collecting NAACP membership lists in Alabama in the 1960s did. Privacy can be a shield for the vulnerable and is what let’s those first ‘dangerous’ conversations happen.”

Scattered throughout the book are descriptions of various law enforcement tools, such as drones facial recognition systems, license plate readers and cell-phone simulators. While I knew about most of these technologies, collected together in this fashion makes them seem all the more insidious.

Outsourcing our digital trust

Angwin disagrees with the title and assumed premise of the book, saying the point is more about the outsourcing of trust than its complete end. That outsourcing has led to where we prefer to trust data over human interactions. As one example, consider the website Predictim, which scans a potential babysitter or dog walker to determine if they are trustworthy and reliable using various facial recognition and AI algorithms. Back in the pre-digital era, we asked for personal references and interviewed our neighbors and colleagues for this information. Now we have the Internet to vet an applicant.

When eBay was just getting started, they had to build their own trust proxy so that buyers would feel comfortable with their purchases. They came up with early reputation algorithms, which today have evolved into the Uber/Lyft star-rating for their drivers and passengers. Some of the writers in this book mention how Blockchain-based systems could become the latest incarnation for outsourcing trust.  

Privacy vs. anonymity

The artist Trevor Paglen says, “we are more interested not so much in privacy as a concept but more about anonymity, especially the political aspects.” In her essay, McGill ethics professor Gabriella Coleman says, “Anonymity tends to nullify accountability, and thus responsibility. Transparency and anonymity rarely follow a binary moral formula, with the former being good and the latter being bad.”

Some authors explore the concept of privacy nihilism, or disconnecting completely from one’s social networks. This was explored by Ethan Zuckerman, who wrote in his essay: “When we think about a data breach, companies tend to think about their data like a precious asset like oil, so breaches are more like oil spills or toxic waste. Even when companies work to protect our data and use it ethically, trusting a platform gives that institution control over your speech. The companies we  trust most can quickly become near-monopolies whom we are then forced to trust because they have eliminated their most effective competitors. Facebook may not deserve our trust, but to respond with privacy nihilism is to exit the playing field and cede the game to those who exploit mistrust.” I agree, and while I am not happy about what Facebook has done, I am also sticking with them for the time being too.

This notion of the relative morality of our digital tools is also taken up in a recent NY Times op/ed by NYU philosopher Matthew Liao entitled, Do you have a moral duty to leave Facebook? He says that the social media company has come close to crossing a “red line” but for now he is staying with them.  

The book has a section for practical IT-related suggestions to improve your trust and privacy footprint, many of which will be familiar to my readers (MFA, encryption, and so forth). But another article by Douglas Rushkoff goes deeper. He talks about the rise of fake news in our social media feeds and says that it doesn’t matter what side of an issue people are on for them to be infected by the fake news item. This is because the item is designed to provoke a response and replicate. A good example of this is one individual recently mentioned in this WaPost piece who has created his own fake news business out of a parody website here.

Rushkoff recommends three strategies for fighting back: attacking bad memes with good ones, insulating people from dangerous memes via digital filters and the equivalent of AV software, and better education about the underlying issues. None of these are simple.

This morning the news was about how LinkedIn harvested 18M emails from to target ads to recruit people to join its social network. What is chilling about this is how all of these email addresses were from non-members that it had collected, of course without their permission.  

You can go to the EFF link above where you can download a PDF copy or go to McSweeneys and buy the hardcover book. Definitely worth reading.

FIR B2B podcast #109: Transparency, Truth and the Rebirth of Long-Form Content

Three items in the news caught our attention this week. The first was a piece that by Agility PR about a tale of two PR crisis responses— and why only one of them worked.  The crises in question are the firing of Megyn Kelly by NBC and Andy Rubin’s departure from Google with a $90 million severance package. Both situations were handled differently by the organizations’ leaders, and both produced very different results in terms of public and employee perception. The contrasting cases are useful to help shape your own crisis response and to understand how you have to get ahead of the news in just the right tone and with actions that speak louder than platitudes.

The second piece we discuss provides evidence that marketing guru Gary Vaynerchuk is wrong about an awful lot of things, largely because he appears to base his observations and predictions more on instinct than on facts. We respect Vaynerchuk for what he’s accomplished, but think that in an environment in which the value of facts is being called into question, it’s incumbent upon thought leaders to use them. This is the big data age, after all.

Finally, we have often debated the optimal length of podcasts and videos for content marketing purposes, but maybe old assumptions about keeping recorded content as short as possible is out of date. Welcome to the Age of the Hour-Long YouTube Video makes the case that long-form content is making a comeback. For the same reason that podcasts have become popular, people are now able to put their idle time to work. This may have implications for marketing videos in the future, and whether you want to go after quality or quantity when it comes to collecting readership. We both are devotees of podcasts that frequently run 90 minutes or more. That’s because the content is great, the hosts do their research and the subjects are interesting. Which would you rather have, eyeballs or fans?

Happy holidays to all, we’ll return next week with fresh insights. You can listen to our podcast here:

Book review: You’ll see this message when it is too late

A new book from Professor Josephine Wolff at Rochester Inst. of Technology called You’ll see this message when it is too late is worth reading.  While there are plenty of other infosec books on the market, to my knowledge this is first systematic analysis of different data breaches over the past decade.

She reviews a total of nine major data breaches of the recent past and classifies them into three different categories, based on the hackers’ motivations; those that happened for financial gain (TJ Maxx and the South Carolina Department of Revenue and various ransomware attacks); for cyberespionage (DigiNotar and US OPM) and online humiliation (Sony and Ashley Madison). She takes us behind the scenes of how the breaches were discovered, what mistakes were made and what could have been done to mitigate the situation.

A lot has been already written on these breaches, but what sets Wolff’s book apart is that she isn’t trying to assign blame but dive into their root causes and link together various IT and corporate policy failures that led to the actual breach.

There is also a lot of discussion about how management is often wrong about these root causes or the path towards mitigation after the breach is discovered. For example, then-South Carolina governor Nikki Haley insisted that if only the IRS had told them to encrypt their stolen tax data, they would have been safe. Wolff then describes what the FBI had to do to fight the Zeus botnet, where its authors registered thousands of domain names in advance of each campaign, generating new ones for each attack. The FBI ended up working with security researchers to figure out the botnet’s algorithms and be able to shut down the domains before they could be used by the attackers. This was back in 2012, when such partnerships between government and private enterprise were rare. This collaboration also happened in 2014 when Sony was hacked.

Another example of management security hubris can be found with the Ashley Madison breach, where its managers touted how secure its data was and how your profiles could be deleted with confidence — both promises were far from the truth as we all later found out.

The significance of some of these attacks weren’t appreciated until much later. For example, the attack on the Dutch registrar DigiNotar’s certificate management eventually led to its bankruptcy. But more importantly, it demonstrated that a small security flaw could have global implications, and undermine overall trust in the Internet and compromise hundreds of thousands of Iranian email accounts. To this day, most Internet users still don’t understand the significance in how these certificates are created and vetted.

Wolff mentions that “finding a way into a computer system to steal data is comparatively easy. Finding a way to monetize that data can be much harder.” Yes, mistakes were made by the breached parties she covers in this book. “But there were also potential defenders who could have stepped in to detect or stop certain stages of these breaches.” This makes the blame game more complex, and shows that we must consider the entire ecosystem and understand where the weak points lie.

Yes, TJ Maxx could have provided stronger encryption for its wireless networks; South Carolina DoR could have used MFA; DigiNotar could have segmented its network more effectively and set up better intrusion prevention policies; Sony could have been tracking exported data from its network; OPM could have encrypted its personnel files; Ashley Madison could have done a better job with protecting its database security and login credentials. But nonetheless, it is still difficult to define who was really responsible for these various breaches. 

For corporate security and IT managers, this book should be required reading.

CSOonline: How to set up a successful digital forensics program

IT and security managers have found themselves increasingly needing to better understand the world of digital forensics. This world has become more important as the probability of being breached continues to approach near-certainty, and as organizations need to better prepare themselves for legal actions and other post-breach consequences.

In this post for CSOonline, I describe the basics behind digital forensics, the kinds of specialized tools that are required, links to appropriate resources to learn more and a checklist of various decisions that you will need to consider if you are going to be more involved in this field. It is not just about understanding the legal consequences of a breach, but also in being properly prepared before a breach occurs. And something that you need to get your head around: lawyers can be your friends in these circumstances.

CSOonline: Top application security tools for 2019

The 2018 Verizon Data Breach Investigations Report says most hacks still happen through breaches of web applications. For this reason, testing and securing applications (from my CSOonline article last month) has become a priority for many organizations. That job is made easier by a growing selection of application security tools. I put together a list of 13 of the best ones available, with descriptions of the situations where they can be most effective. I highlight both commercial and free products. The commercial products very rarely provide list prices and are often bundled with other tools from the vendor with volume or longer-term licensing discounts. Some of the free tools, such as Burp Suite, also have fee-based versions that offer more features. You can review my list in CSOonline here. 

 

 

Fear of Facebook: becoming social, but only behind our keyboards

As many of you know, for the last several years I have been doing a regular podcast with Paul Gillin on B2B marketing trends. Gillin has been in tech journalism for more than 30 years, having run Computerworld and TechTarget and written numerous books. It is a fun gig, and we offer a lot of insight, and you should subscribe if you are interested in the overall topic.

In our latest episode, we return to talking to Dan Newman, who is a very insightful guy for just being born when both Paul and I started in IT. Newman said one thing that I want to expand upon here. We were talking about the rise of customer self-service portals and methods, including using chatbots as a tool to provide quick answers. He thinks this is an indication that “We have become more social, but only behind our keyboards.” That is an interesting phenomenon.

I would amend that position to say not only have we become more social, but more critical to a fault thanks to our consumption of online social networks. You could lay the blame on Reddit, as this recent book does. (We are the Nerds, as reviewed in the NY Times here.) A better title for this book, as the reviewer David Streitfeld states, should be “We are the Trolls” and suggests its tag line should be “Two inexperienced young guys created something they didn’t understand and couldn’t control.” He writes, “the lack of adult oversight; the suck-up press; the growth-at-any-cost mentality; the loyal employees, by turns abused and abusive” all contributed to its offensive snark. In the end, it didn’t matter. Forget about connecting the world, or doing good, or bringing a voice to the disenfranchised. Reddit is a $2B media property, and in the Valley, money is what eventually matters.

That is a common theme for many tech companies, and it seems we are seeing the same effect happening down highway 101 at the Facebook campus (shown here). You should watch the two-part Frontline series this week about Facebook. During the program, you will see how in the process of connecting the world’s populace, it has inflamed their worst passions and stoked their fears. It interviews several current and ex-employees. While the latter might have axes to grind, it is worth hearing their points of view. You’ll hear how Trump’s digital media manager spent $100M on Facebook ads before the 2016 election. If you haven’t thought about this before, it is worth viewing both episodes to see how much influence the company has had, and how poor Zuck’s leadership has been. The program also highlights the rise of “fake news” across Facebook, such as these companion posts on the Pope endorsing either Trump or endorsing Clinton.

Think fake news is easy to spot? Take this quick quiz developed by the Newseum education staff. My wife and I tried it, and while we did reasonably well, we still got a couple of items wrong. Granted, we had a timed deadline to complete the quiz, and some of them we just guessed answers. But we saw that it is harder than we both thought, even when you have been told to be on the lookout. Imagine how much harder this task could be in our normal lives consuming online media posts?

The Frontline program interviewed their chief of security Alex Stamos who says, “Russia [through its advertising and fake accounts] wants to find fault lines in US society and amplify them, and to make Americans not trust each other.” Russians orchestrated two concurrent and co-located protest rallies in Houston, seeding participants on both sides. There is no question that Facebook is being used as an amplifier to promote hatred of all kinds. Just look at your own news feeds.

Farhad Manjoo’s column in the NY Times this week makes a case that Zuck is “too big to fail,” playing off the phrase used for the 2008 mortgage banking crisis. He mentions reports that tie Facebook posts to the Myanmar genocide, discriminatory advertising and multiple federal legal inquiries. He concludes by saying either Zuck fix Facebook, or no one does, like it or not.

But here’s the thing: as we become more social behind our keyboards, we can’t be as discriminating as we can when we meet people face-to-face. In embracing the self-service world, we are all doing ourselves a tremendous disservice too. Lies become truth, and democracy is turned inside out. It is time Facebook took responsibility for its power and role in this process.

FIR B2B podcast #108: Dan Newman’s 2019 tech trends for CMOs

Paul Gillin and I speak this week with Daniel Newman, author, speaker, millennial CEO and founding partner at Futurum Research. We were interested in a column he wrote for Forbes entitled, How Will The 10 Top Digital Transformation Trends For 2019 Impact The CMO. 

Dan highlighted a couple of the tech trends that will be essential items for CMOs to get their arms around in the coming year, including the transformation of data from machine learning to AI. “Analytics should be the CMO’s best friend,” he told us. “AI will allow for data-driven campaigns that will be guaranteed to work every time.”

Newman said data should play a pivotal role in marketing in the future, and don’t worry too much about over-personalizing the message. Nobody ever complains when a brand provides too much value and can help drive purchases that customers want at any given moment. The trick is to find the right moment and to target customers accurately.

The European Union’s new General Data Protection Regulation will force changes in the way brands market in the coming year, he said. They will have to become more creative about not just getting customers to opt in but to staying engaged. This means that companies are going to have change the way they do lead development. They’ll need to know customers better in order to personalize content because they’ll have less data to work with.

We had a particularly interesting discussion about chatbots as a mechanism for driving personal interactions. Newman sees us moving away from face-to-face moments, and the phenomenon isn’t limited to teens or Gen Xers. The rise of customer self-service is an indication that “We have become more social, but only behind our keyboards,” he said.

Another of his provocative predictions consumers will be able to use blockchain to, in effect, sell information about themselves to marketers.  While Newman sees this technology as still immature, he believes its long-term potential is explosive.

Finally, as the average tenure for CMOs continues to decline, they will have to do a better job of managing expectations and develop tighter relationships with their CEOs. You can listen to our 24 min. podcast here:

HID ActivID Authentication Server: A very capable and comprehensive IAM product

If you are looking for a comprehensive identity and access management (IAM) tool that can cover just about any authentication situation and provide ironclad security for your enterprise, you should consider HID Global’s ActivID product line.

Even if you are an IAM specialist, it will take days and probably weeks of effort to get the full constellation of features setup properly and tested for your particular circumstances. There is good news though: you would be hard pressed to find an authentication situation that it doesn’t handle. t has a wide range of tools that can lock down your network, covers a variety of multifactor authentication methods and token form factors (as shown here below), and provides single sign-on (SSO) application protection.

f you are rolling out MFA protection as part of a larger effort to secure your users and logins, then the case for using HID’s product becomes very compelling.

I was hired to take a closer look at their product earlier this year, and came away impressed with the level of thoroughness and comprehensive protective features. You can download my report here and learn more about this tool and what it can do.

FIR B2B podcast #107: What LinkedIn’s Latest Sales Research Says About the State of B2B Marketing

When we last spoke to Justin Shriber (below), Vice President of Marketing for LinkedIn Sales and Marketing Solutions in episode #87 last January, he offered some predictions about the upcoming year in B2B marketing. His forecasts turned out to be is pretty solid, including closer alignment of marketing and sales functions and the growing importance of storytelling in promoting your brand. So we took advantage of a pitch for LinkedIn’s new State of Sales report to connect again. This third annual report examined how top sales performers – B2B in particular – are using technology and modern strategies to build trust with buyers and close more deals. The addition of buyer views this year makes the survey even more interesting reading.

The report found a resurgence of buyer interest in doing business with trusted vendors: 40% of sales professionals rank trust as the number one factor in closing deals — surprisingly rated above ROI and price. 

There are also some interesting age breakdowns. Millennials are outperforming their peers in sales effectiveness pretty much across the board, the survey found. Young sales reps are tapping into marketing insights and using tech at higher rates than their elders to help them succeed. Of course, their quotas might be lower, as well!

Buyers who are decision-makers are least likely to engage with sales professionals who lack knowledge about their company (79 percent) and whose products or services are irrelevant to their company (76 percent). Understanding the buyer’s business is now table stakes for salespeople, Shriber told us. Of course, LinkedIn has some features that can help with that. 

In this interview, we dig into a number of highlights of the survey as well as discuss trends LinkedIn is seeing in the use of its platform by sales pros. You can listen to the 20 min. podcast here.