Linode: How to Build an Information Security Risk Management Program

Understanding and quantifying information security risks lies at the heart of many security issues. If you can’t quantify risks, you can’t address how to protect your data assets, corporate secrets, and employees’ and customers’ privacy and information. Managing these risks and improving security is everyone’s responsibility, not just the province of the IT department. Businesses are moving in this direction in part because of the Covid pandemic, and also because more companies are becoming dependent on digital technologies, thus increasing their potential attack surface. More sophisticated attack methods make the world of security risk management more complex and important to understand.

In this post for Linode, I describe what is Information Security Risk Management, why it matters for businesses, how to develop an appropriate plan (such as the above suggestions from a recent Dragos report above) and get management buy-in, and why you should periodic risk assessments.

 

How Misty Sutton fell in love with the American Red Cross

Misty Sutton never set out to work at the American Red Cross, but she quickly fell in love with both the mission and the overall organization. “I love that the Red Cross is neutral and provides universal assistance, no matter what the client’s circumstances might be,” she said.

Since connecting with the Red Cross two years ago, she has filled a variety of positions, first as a volunteer, and since August 2021 as a full-time disaster program specialist for the Missouri-Arkansas Region. Her most memorable deployment was the massive River Valley floods of 2019, which hit soon after she began volunteering. You can read my interview with her here.

CSOonline: Top tools and best practices for WordPress security (2022)

If you run a WordPress website, you need to get serious about keeping it as secure as possible. WordPress continues to be a widespread target for hackers. There have been numerous breaches over the years and WordPress has become more popular with both its customers and hackers. I have been using it as my main blogging platform for more than a decade, and secure it with free versions of Wordfence and MiniOrange MFA tools. In my updated post that I originally wrote for CSOonline several years ago, I examine what has changed and why you need to be deliberate and serious about securing your blog.

The Russians have an airplane problem

Have you ever heard of the following companies: Nordstar, S7, Angara, Amur or Barkol? Probably not. All of them are just some of the names of dozens of airlines operating in Russia. Right now, Russian airlines have a problem and they are about to make international insurance lawyers very busy for the next decade to solve it. The problem stems from the way that all modern airlines operate their fleets. Since the airspace restrictions and sanctions were imposed earlier this year, all Russian airlines can only fly domestically. Given that Russia has more than 500 daily domestic flights, you would think that would still be a viable market for them, but you would be wrong.

I am writing about the Russian plane problem because it is something that I can get my head around in this horrific war with Ukraine. My heart breaks as I try to follow the latest news and see the misery of millions fearing for their lives and fleeing to other parts of Europe that I never thought I would cast in a kind light. But I have to remember not to confuse the people of a country with its leaders, too.

There are several problems with the planes.

First, there are more than 900 aircraft that are registered in Bermuda. Think of this as a “flag of convenience” as many ships are registered in Panama, but there is a separate complication. Bermuda has a very robust registration entity and favorable tax and treaty laws, so the Russian airlines have taken advantage of this and have registered more than 500 planes there. Last week, Bermuda pulled these registrations, fearing quite rightly that the planes will be held hostage as the war continues. The second problem is that the major aircraft manufacturers (Boeing and Airbus) have pulled their people and stopped parts shipments (so no one can maintain the planes). A third plane maker, Antonov, is based in Kyiv and its factory was recently bombed by the Russians. Planes require regular maintenance, but more importantly, they require people to log these repairs so insurers can be satisfied that the planes are safe and properly cared for.

The third issue is that many of the Russian planes are financed by leasing companies, which happen to be based in Ireland. Again, favorable taxes and treaties. The leasing companies tried to repo a few of the planes that were sitting outside of Russia when the sanctions went into effect, and managed to take control over a few (and lose a couple too). Now that is a high-stress job, being a plane repo dude.

The total value of the planes stuck in Russia was somewhere around $10B, including some brand new planes that were just delivered before the start of the war. The reason I say was is because their value will plummet even if they sit on the Russian tarmac: think of having your car sit in your garage for many months. Stuff just starts to deteriorate. So Russia is trying to do an end run around the Bermuda registration by passing a law that says they can re-register their planes in Russia, no harm no foul. Except registering a plane is a lot like registering a car: there is only one country allowed, and to change the registration involves some paperwork and agreements that aren’t just signing the plane over. For example, a lease becomes void when the registration changes. The international aviation industry has these rules, otherwise there would be chaos. Which there now is.

And the planes are just the beginning of other issues for Russia. This piece in CSOonline describes how Russia is disconnecting itself from the rest of the global internet by requiring use of its own digital certificates and DNS resolvers. We are witnessing the unbanking and disconnecting of Russia from the rest of the global economy. There is certainly more turbulence and misery ahead.

Infoworld: How to evaluate software asset management tools

The vulnerabilities of the Apache Log4j logging package—and the attacks they’ve drawn—have made one thing very clear: If you haven’t yet implemented a software inventory across your enterprise, now is the time to start evaluating and implementing such tools. These aren’t new —  I recall testing one of the earlier products, Landesk, which is now a part of Ivanti, back in the early 1990s. In this post for Infoworld, I go into detail about how you can evaluate Ivanti and four of other leading tools from Atlassian, ServiceNow (shown above), ManageEngine and Spiceworks, why these tools are needed in modern software development organizations, how you should go about evaluating them, what their notable features are, and what these tools will cost.

Avast blog:

US President Joe Biden recently issued an executive order that will oversee various cryptocurrency efforts, including a study of whether there should be a virtual dollar-based cryptocoin, the efficacy of various future banking regulations for the Federal Reserve, and the roles for executive agencies including Treasury, Justice and Homeland Security on how to best manage crypto markets. Additionally, those of you who have already begun doing your US federal taxes might have noticed that the IRS now wants you to document your crypto holdings for the past year.

These moves show that crypto is moving quickly into the mainstream. And with mainstream acceptance also comes the criminal element. Cryptocurrency-based crime hit new levels last year, doubling the amount collected from 2020 to $14 billion. According to a new report by Chainalysis, 2021 criminal crypto transaction volumes skyrocketed by more than six times what was seen in 2020. In this post for Avast, I explore some of the other trends in crypto crime, its intersection with ransomware, and what law enforcement is doing to stop it.

Moving money around: questions to ask

If you are looking to transfer money to someone quickly, you have a lot of choices, including Zelle, Venmo, Wise (form. Transferwise), Paypal and Xe.com. But with choice comes learning what is involved in using each vendor, including getting answers to the following questions:

  • Can you move money internationally? Not with Zelle or Venmo, but the others offer this service. Zelle can only be used to move money between US bank accounts with US mobile numbers. Venmo also requires users to be physically in the US to complete their transactions. Paypal has the widest selection of currencies, claiming they are available in 200 countries (which is pretty much everywhere), and Xe claims 170 countries. Wise is available in 59 different countries.
  • What is the effective exchange rate for your funds? Exchange rates change constantly, and it is hard to anticipate when the best time to move your money can be. None of these services makes it easy to figure this out, and tack on various fees for particular circumstances. I say “effective” because each service quotes rates differently. For example, Xe and Wise both use “midmarket rates” which they are very clear about up front, and for both you can actually run a quote before you do the transaction and see the rate and the fees deducted. Paypal has a whole bunch of fees, terms and conditions that are explained here, and their rates are usually less favorable. Monito.com, another money transfer service, has a real-time rate comparison shopping tool that looks at several competitors (I am not sure how accurate it is, but it can be helpful).
  • How safe is it to use the service? A recent NYTimes article documents how Zelle has become the fraudster pipeline of choice, with banks making it difficult to resolve complaints or reimburse fraud victims.
  • Can you secure your account with MFA? Speaking of fraudsters, you should set up this additional authentication factor to protect your accounts and your transactions. Some services make this process easier than others.
  • How easy is it to use the service? Some of the services have really poor usability experiences, making the process a lot more difficult that they could be. Some only work with a mobile app, while others support both mobile and web platforms. Some of the services can move funds into your recipient’s bank account, others require your recipient to open an account on their platforms before they can access their funds.
  • How fast is the money moved? Everyone operates at different speeds, so if this is important, check the fine print on when the funds will actually be available.
  • What other services are offered? Some of the vendors (like Wise) have prepaid debit cards and multi-currency accounts that reduce fees. If you have to move money on a regular basis, you might want to check into these.

Here is one other alternative: using a brokerage account to move your money. I recently had to get funds to my daughter in Israel. She wanted dollars, not Shekels, but we both used Morgan Stanley to manage our investments. It was a simple matter to take money from my checking account, and deposit it in her brokerage account, and no fees were involved and the whole operation took a few minutes.

 

FIR B2B podcast episode #153: How to Build Your “Voice Brand”

David CiccarelliPaul Gillin and I talk with David Ciccarelli, the CEO of Voices.com about how to build a stable of voice and sonic branding for your business. David C. has created an online marketplace for voice actors and believes audio is the most underused asset B2B marketers have. 

We discuss how to build a brand with the voice actors. This means deciding on what your organization “sounds like” and how you want to connect with your customers. The choice of a voice actor matters. Should you go with a commanding narrator or an approachable expert guide? Your sonic brand is the unique soundscape that drives home the tone and personality of your brand voice,” he says. The company has created a guide to becoming a voice actor and also produces an annual “State of the Voice Over” report.

David says visual media has become crowded and notes that nearly one-third of people are primarily audio learners. “Marketers have saturated the eyes and we have to move on to the ears,” he says. “They have found that audio presents an opportunity to tell their story in a deeper, more meaningful way.”

He shares several podcast tips for B2B marketers. Commit to a small number of initial episodes or set a threshold and evaluate, but once you commit, stick with it. Decide if you want to primarily be a guest on other podcasts or host one of your own; those are very different strategies. Prepare show notes in advance, and make sure to tell a story with a beginning, middle and end. He has found that 20 minutes is the ideal podcast length as it’s the average duration of a commute, walking the dog or a daily exercise routine.

David has appeared in numerous media outlets, including Business News Network and The Globe and Mail TV, and is a frequent guest speaker at industry conferences.  He is also a great resource for all things audio, such as this online recording studio and this streaming production service.

You can listen to the 24 min. podcast here.

Avast blog: Tips for securing your WordPress website

Last November, more than 1 million GoDaddy-managed WordPress customers were part of a breach that could have exposed their email addresses, private SSL keys, and admin passwords. The attacker was apparently able to operate undetected inside their networks for two whole months. This is just one data point in a long history of past exploits because WordPress has been a very rich and desirable target. There are numerous things you can do to protect your site, including using two tools that I have been using  (Wordfence and MiniOrange, shown here).

You can read more about how to secure your WordPress site on Avast’s blog. If this is a new topic for you, you shouldn’t operate WordPress without making use of these steps — even if you gradually add in individual security measures one by one.

Book review: Suddenly Hybrid Provides Good Advice On How To Manage Our New Way Of Meeting

Karin Reed and Joseph Allen have written a great sequel to their book, Suddenly Virtual, titled, naturally enough, Suddenly Hybrid: Managing the Modern MeetingIt should be required reading for all of us as we try to keep up with the changing nature of work as we move into the third year of the COVID pandemic.

The authors have a few suggestions on how to improve hybrid meetings and other practical tips and tools to both run them and participate in them. This book will help you build upon the habits from our fully remote world over the past few years and use the collaboration tools found in videoconferencing platforms, even when we are conducting meetings in person or with hybrid audiences. It will help you figure out where an organization wants to land on the “hybrid meeting spectrum,” and remove any obstacles from fully realizing their benefits.

You can read my full review on Biznology here.