How one small trade association manages their security

I spoke to the IT Manager of a 65-person trade association in the DC area. I have known this manager, whom I will call John, for decades through various IT positions, mostly in non-profits and trade associations.

(He has asked that I not use his name or the name of his association.)

Things have changed since he first began working at the association eight years ago. “When I was just a few months into my current position, we had about 15 laptops stolen from their docking stations by (what we believe was) the night-time cleaning crew. People came in to work and their laptops were gone. My logistical response was executed pretty well – I had folks up and running very quickly. But we never treated the incident as a serious information breach. These days we think about things differently.”

One of the biggest changes John has made was to hire a network management VAR to help set up and monitor their firewalls. He uses a combination of tools such as NetWrix for auditing their Active Directory logs (“I can unlock a user before they even realize it,” he said), and Sophos for anti-virus, full disk encryption and its web appliance.

He uses another VAR and an additional monitoring tool that is industry-specific. “They have a monitoring appliance in our environment that sends a ton of alerts that tend to be very non-actionable – like someone used a cleartext password on a website. Well, there’s only so much I can do about that. The value is that they aggregate our data with our members’ data to look for unusual trends across the country so they can alert us to industry-wide attacks.” This VAR also performs vulnerability scans annually, which he says are very disruptive to their storage array. But they are useful. “For example, did you know that APC products (UPSs and PDUs) have three factory default login IDs and passwords? We knew about the first. Didn’t know about the second and third. So, I’m changing those asap.”

When it comes to dealing with insider threats, he says “a big win for us has been KnowBe4.com. It is a very affordable training program that allows me to spam and phish my own staff. Plus they offer videos and a learning management system that we hope to implement next year with HR’s approval. They also send me a ‘scam of the week’ which I repackage and send to staff. It’s both entertaining and educational.” Another classic phishing situation was when one of his VPs sent out member email addresses to a Yahoo address he thought was their CEO’s. “It happened on a weekend and the VP was on his phone and couldn’t really see the whole message on the screen. It was quickly discovered that the CEO did not have a Yahoo address. That was our first real cyber security incident. Calls were made. The board was notified. It was only names and email addresses, but those two items are considered personally identifiable information. This happened about a week before I implemented KnowBe4. If I had gotten approval for it earlier and set it up earlier, this might have been avoided.”

John also has a BYOD policy in place for some of the staff, and is still evaluating mobile device management strategies. They just migrated their email to Office 365 and haven’t yet implemented any two-factor authentication.

John’s total staff is a help desk technician and his VARs, one of whom is on site two days a month.

“Security is a bigger part of my job today because of the increased emphasis and because our association represents a high profile industry where security is also a high profile issue. Our CEO wants us to walk the walk if we’re telling our members to do the same.”

Like what you are reading?

Subscribe to Inside Security!



Learning from the US Secret Service how to protect your enterprise

With all the changes to infosec technology, here is a not-so-outrageous idea: maybe you should take a page from the US Secret Service playbook in how you run your IT security department. This idea didn’t come from me, but from someone who is familiar with both roles. Nathaniel Gleicher is trained as a computer scientist and a lawyer, and currently is the Head of Cybersecurity Strategy at Illumio, a security vendor. Previously, he prosecuted cybercrime at the US DOJ and served as Director for Cybersecurity Policy at the White House National Security Council. While he worked at the White House, he saw multiple data breaches. “Every breach relies on lateral movement, and instead of attackers being at risk once they get inside, they’re able to take all the time that they need to identify high value information and cause damage.”

He thinks organizations need to take a different, simplified approach and go back to the basics: get visibility inside the data center and cloud and then be able to truly lock the doors inside.

In a blog post for his firm, he writes: “Like the Secret Service, cybersecurity defenders face a similar problem: they are defending high-value assets that must be protected, but also have to speak to hundreds or thousands of other servers. You have to have visibility, and reduce your attack surface, and focus on the security consequences for your most valuable assets. Shutting down the attack surface constrains attackers, makes lateral movement harder, forces attackers to risk exposure, and makes other security tools more effective.”

Sadly, most organizations focus their cybersecurity spend today at the perimeter, making no effort to secure or even understand the interior of their data centers. After reading Gleicher’s post, I asked him if there is a difference between interior and exterior networks any longer. He told me in a phone interview, “Everything is a potential threat. One difference is that you can have greater control around an interior network. And your network visibility is much more limited with exterior ones. But that’s missing the point. An intruder can find something once they are inside your network and can look around. Organizations are trying to layer defenses at the fortress wall, while the cyber attackers are parachuting inside and then free to move around as they want inside the data center and cloud.”

He continued, “I still have conversations with CISOs that don’t know how their devices are connected to their networks. And I don’t mean just a list of these devices, but how they are related to each other, both logically and operationally. This is the kind of information that attackers can exploit.”

His work with the Secret Service has him focused on understanding some of the lessons from providing physical security to protect the President. “People don’t see the Secret Service advance work that was done months before any presidential visit. They had to map the location and understand the physical space. The same is true for cybersecurity, because we need to identify the attacker quickly and respond fast too. This means that any cybersecurity effort should start months before any potential attacker actually shows up.” In other words, it isn’t just about stopping someone from getting across the White House fence, but understanding what will happen once they enter the grounds and what they might end up doing.

He agrees that good security isn’t easy. He started early in his career with his first IT job for the Peace Corps. There he created a campus-wide network to connect 85 machines that were located in the different buildings of a college on a Caribbean island. Less than five minutes after it was first connected to the Internet it was breached. It took him several tries to close various ports and other vulnerabilities before he could defend the network properly. “This was an early lesson on how hard it was to do security properly: there are way more people trying to get in than keeping them out. It also showed me that the steps to strengthen data security aren’t rocket science and are very straightforward. It is a lot more how to orchestrate them and use them efficiently across the enterprise.”

Instead of focusing on the lack of response, he says we should be doing a better job of evaluating the highest-value targets, which is another lesson he learned from watching the Secret Service in action. He said, “You shouldn’t be in the business of protecting the app that handles your employee’s lunch request.” Nor should everything in the data center be treated equally. “There are some things in your data center that are more valuable and you have to focus on what needs the most protection. If a burglar gets into your house and gets into your basement that is different from him getting into your bedroom where you keep your jewelry.”

On TechShop in St. Louis

What would it be like if you had access to just about any kind of metal or wood cutting and shaping tool right in your neighborhood, with the ability to learn how to use the more advanced equipment from the most patient teachers? That is somewhat what the new TechShop facility is like.

In this story for Nicki’s Central West End Guide, I wrote about my experience visiting the Detroit area TechShop. The St. Louis facility has moved to a nearby location on Delmar in what is now called “The Maker District.”

iBoss blog: How Cyber-geddon Could Happen to Financial Networks


An article in the June Economist paints a dark picture of the aftermath of a fictional financial services hack. They start with some history and extrapolate based on current potential compromises to various networks. What is interesting about this piece is how cold and calculating they can be: “Processes designed to make banking safer have created new vulnerabilities: large amounts of money flow through certain key bits of infrastructure.”

What this means for the finserv industry, and a more detailed description of their scenario, can be found in my blog post for iBoss here.

How to create a great content strategy for your company (podcast)

Does this sound familiar: You don’t have a coherent content marketing program at your company. You have multiple stakeholders and content authors scattered across several divisions, with no single person in charge overall. You don’t have an editorial calendar, or even know what one is. You don’t have any content strategy or an editorial advisory board, or have a clue how to create either of them. You have a corporate blog but haven’t posted anything in weeks, or maybe months. You began a corporate YouTube channel years ago but don’t know who is in charge of posting videos there.

Sadly, most of these aspects are all too often the situation when it comes to how many companies treat their content. I have been in many organizations where content is often a dirty word, and a lack of understanding of how to produce great content is pervasive. It doesn’t have to be that way. This isn’t a hard thing to turn around, and indeed I recently came across a great case study of one company where they did exactly that.

This week, my podcasting partner Paul Gillin and I interviewed Giuseppe Caltabiano for our latest episode, which you can play directly here:

He is the VP of marketing integration of the IT division at Schneider Electric, a company with 180,000 worldwide employees and a producer of data center power conditioning equipment. When he took the job, he was brought in to fix their marketing efforts, and he realized that he had to turn towards managing their content to do so.

His story is an interesting one, because within a year he was able to pull together the things that I mentioned up top: a unified editorial calendar (the company had several), an editorial advisory board, and a solid team who understood the importance of great content and how to formulate a strategy.

One of the things that Caltabiano did was to focus on their corporate blog and use it as the center of their content strategy. He planned content that would target readers who are at the very early stages of their journey as potential customers. They also supplemented the blog with an internal email newsletter and with paid promotions too.

He uses what is called a “big rock” strategy for his content. This means stories are centered around anchor feature topics that can be repackaged and reused in multiple formats and on multiple platforms. “Content leads to three times as many downloads as traditional marketing campaigns,” he writes.

Another element was the role that pilot projects played in getting executive buy-in to his plans. “If your bosses are pleased with the initial progress, they’ll give you the money so you can” run with your plans. They are now setting up pilots in other places around the world to expand their reach.

“We learned that email newsletters drive more traffic than other owned channels, SlideShare and YouTube are great for B2B content, and that we need weekly governance calls with employees from each country to solve any immediate problems that pop up,” he wrote.

So take a listen to our podcast interview, and see if there are ways that you can reinvigorate your content plan with some of the innovative ideas that Schneider used.

Redmond magazine: Skype for Business, some assembly required

The on-premises and cloud editions of Skype for Business Server and the Cloud PBX are promising and less-expensive alternatives to traditional phone systems, but come in a complex array of options and require integration. The software has gained some promising features along with growing support for third-party software, hardware and services. In my review for Redmond Magazine, I look at what is involved in getting it set up and how it works with a sample video conference phone from Logitech here.

Security Intelligence blog: The Increasing Dangers of Code Hooking

Security researchers discovered a series of implementations of an old type of exploit known as code hooking. These implementations are increasing in number and becoming more dangerous. Grouped under the name Captain Hook, these exploits make use of code injection techniques that could cause numerous vulnerabilities and potentially affect thousands of products.

I look at the process of code hooking and its relevance to your enterprise security in my latest post for the IBM blog Security Intelligence here.

iBoss blog: Wireless Keyboards are Vulnerable to Sniffing Attacks

One of the most vulnerable places across your enterprise (apart from the inner workings of your users’ brains, that is) can be keyboards. Recently, an innovative keylogger attack was found by Bastille Networks that intercepts wireless keyboard transmissions. The attacker can be located up to 250 feet away from the computer, and it is a new twist on some old exploits. Out of 12 wireless keyboard manufacturers, the researchers found that eight (such as Kensington) were susceptible to the attack. You can read more in my post for the iBoss blog here.

EventTracker blog: What is privilege escalation

A common hacking method is to steal information by first gaining lower-level access to your network. Once inside, the hacker will escalate their access rights until they find minimally protected administrative accounts, where the attacker can steal data. This is called privilege escalation, and it happens often.

You can read my post here on the EventTracker blog on what you can do to protect yourself.

WindowsITpro: Choosing among various Slack-like communication tools

We all spend too much time on email, and if your inbox is overflowing with messages from your coworkers, it might be time to investigate another way to communicate. I review for WindowsITpro some of the issues involved in choosing a tool for team communications with intranet-like features, text messaging, workflows and collaboration features. While Slack is a leader in this field, there are lots of other choices that could cost less or do more.

(Note: this article is outdated and products are no longer available.)