Beware of algorithms

You probably wouldn’t expect a series on the appropriate use of technology to appear on the English Al Jazeera channel, but that is what I am going to tell you about in today’s post. I have been watching a lot more of their news coverage, looking for a place to obtain some “other” news than the continuing political fascination that our American stations offer up these days. So check out the series, entitled All Hail The Algorithm, where you can find links to the five episodes here.

The series is the work of Ali Rae, a British producer for the channel. She travels the world in search of algorithms that have gotten out of hand. While some episodes are a bit uneven, she does a great job of interviewing primary sources including researchers, tech vendor representatives, and rights and privacy advocates to present a very interesting hour or so of TV.

The first episode is all about trusting the decisions encoded in algorithms. Rae highlights the Australian welfare system and how its algorithm disputed payments made over many years. Computers automatically sent dunning letters to thousands of citizens, called robo-debt.

The second episode, which focuses on Facebook’s abuses, is the weakest, and most of you have probably already read enough about troll farms which have harvested likes and retweets.

The third episode covers the abuse of social media bot networks and how bad actors, in the pay of various political parties, are flooding these networks with incendiary posts that literally inflame passions and have caused all sorts of trouble around the world. This one struck home for me: we have seen (to coin a phrase) the growth of intolerance among people on both sides – both liberals and conservatives – who try to block freedom of expression. Many of the resulting demonstrations and protests are generated by social media ads and misrepresentative posts.

The fourth episode is about the potential abuse of biometrics. The vast majority of British schoolchildren now have their biometric data recorded for easier access to their lunches and libraries. And the UN is using biometrics to make it easier for refugees to access food and money supplies in the camps. The issue here is that once you give up your biometric data, you have no control over how it is used, and more importantly, abused. While the UN representative interviewed in this episode says they are trying hard to prevent security breaches, it is only a matter of time. Actually, last week’s Biostar 2 breach is a good example of how this could go horribly wrong. Millions of users of their “smart locks” now have their biometric data leaked online, something they can’t easily change unlike a password or a PIN. As Rae points out, the biometrics tech is being developed faster than any regulatory efforts, and the lack of transparency by the biometric vendors is alarming.

The last episode is about UI designers, privacy policies, tracking cookies and informed consent. Again, for many of you, this has been covered extensively but Rae interviews a couple of sources that have a few new things to say.

Overall, I learned a few new things from the series and think it is worth your time to watch all of them. Take a gander at what Rae has put together and feel free to share your comments here.

 

RSA blog: How many C-level execs own your security infrastructure?

Security expert Lesley Carhart tweeted last month, “If you’re a CEO, CFO, or CIO, you’re directly responsible for the caliber of cybersecurity at your company.” During the RSA conference in Singapore a few weeks ago, RSA’s CTO Zulfikar Ramzan described several different C-level executives who could have direct responsibility for some portion of your security infrastructure:  CEO, CIO, CSO (or CISO), CTO, and the Chief Data Officer. If three is a crowd, then this is a herd. Or maybe a pod, I never really learned those plural descriptors. And that is just the top management layer: for a large corporation, there could be dozens of middle managers that handle the various security components.

From the IT folks that I have interviewed over the years, this seems sadly all too typical. And that is a major problem, because it is easy to just pass the buck (or the token or packet) from one department to the next. Even something as simple as your firewalls could be an issue. You might think that they clearly are run by your network administrator. But this person could report to the CIO or the CTO or maybe there is that dreaded “dotted line” responsibility so the network admin needs to report to both of them. That can get messy.

What I am saying here is that security should be everyone’s responsibility, and not just the executives but the worker bees too. This is not a new idea. This post lists four reasons why:

  • Humans are always going to be the weak link
  • Tech is continually evolving, and everyone needs to stay on top of these changes
  • Our hyper-connected world magnifies mistakes
  • Our data privacy is under siege

But if the various execs can’t sort this out on their own, how do you expect your rank and file to get a clue?

Here is a short test to see how you have distributed your security responsibilities across your enterprise. Try to answer these questions truthfully.

  1. Who owns the breach response? When a breach happens, who is in charge, meaning who directs the deployment of resources and analyzes the investigation and mitigation?
  2. Taking the answer to the first question, is this the same person that owns a response to an accidental data leak? Or a leak that is done on purpose from a rogue employee? If they are two (or more) different execs, why?
  3. Who owns the day-to-day security operations, whether that be a SOC, NOC, SOC-as-a-Service, or some combination of those entities?
  4. If one of your C-level execs doesn’t follow best security practices, can you do something about it? What if it is the CEO who doesn’t ever change his default password?
  5. If you move a server out of your data center and spin it up in some cloud service, how many executives have to approve that move? And who takes ownership of the server afterwards?
  6. You probably have a few desktops that are running Windows 7 (or even older versions). Do you know how many outdated desktops you have? This isn’t completely a rhetorical question, given the research that shows that more than 800,000 XP endpoints are still unpatched and could be exploited by Bluekeep. Whose budget pays for these updates? Whose budget pays for the endpoint protection software and keeps track of those PCs that haven’t been properly protected? If these are three different folks, how do they communicate in the time of a crisis, such as in the aftermath of a successful phishing attack?
  7. Speaking of phishing, let’s say you want to establish a regular phishing awareness training effort. Who picks up that tab, and who handles the problems that are uncovered?

I hope you can see a pattern emerging: Chances are, the same person might not be involved in the problem and its resolution. That is what the bad actors count on: they can drive a wedge between these departments. This is how exploits can happen, and how your company can end up in trouble.

By now, you know that I don’t just raise issues, but try to provide some solid action items and offer a few practical suggestions on how to fix things. Your mission, should you decide to accept it, is to try to align responsibilities to be more effective in managing your IT security.

First, develop a clear line of authority between different departments to handle breaches, leaks and exploits. Next, have a game plan when it comes to breach response, rehearse it regularly, and make sure that you update this plan as people or equipment change to keep it current. Third, security budgeting should be a joint exercise among the desktop, network, apps, data owners, legal and server department heads. It makes no sense to favor one over another: we all have to learn to share. Finally, in this spirit, identify where your information silos have been built and start thinking about ways to tear them down, encourage cooperation and collaboration to reduce your overall risk profile. That is a lot of work, to be sure, but it is needed, and there is no time like the present to start too.

FIR B2B podcast #125: Buyer Personas: Why They Matter; How to Create Them

We’re joined by Matthew Naffah, VP of Strategy at International Data Group, who has been involved in developing buyer personas for many B2B clients. Personas have been around almost as long as the web itself, but lately they are taking on a more important role, particularly as buyers become more empowered in the buying decision.

Matt tells us how to get started with building the right personas and understanding the ideal level of detail, and how you can err on the side of including too much or too little detail. He also talks about some of the more common mistakes marketers make in creating them.

Personas are most useful when used in conjunction with buyer journeys and content mapping. You need to nurture, adapt and grow all three elements interactively to optimize the experience for your potential customer base. You’ll also want to heed his advice when it comes time to get your management involved to renew and refund your marketing project too.

Here are some resources to check out:

You can listen to our podcast here:

The state of our elections security

The past week has seen a lot of news stories about hacking our elections. Today I take a careful look at what we know and the various security implications, which I cover in the last paragraph. It is hard to write about this without getting into politics, but I will try to summarize the facts. Here are two of them:

Russians have tried to penetrate election authorities in every statehouse but, other than in Illinois, were not able to compromise those networks. We have evidence that has been published in the Mueller report and more recently the Senate Intelligence Committee report from last week.

A second and more troublesome collection of potential election compromises is described in a report from the San Mateo County grand jury that was also posted last week. I will get to this report in a moment.

For infosec professionals, the events described in these documents have been well known for many years. The reports talk about spear-phishing attacks on election officials, phony posts on social media or posts that originate from sock puppet organizations (such as Russian state-sponsored intelligence agencies), or from consultants to political campaigns that misrepresent themselves to influence an election.

Much of this has already been published, including this timeline infographic from Symantec.

What is new though has little to do with technology failures and more to do with how we have structured our communications and threat sharing data. The Senate report says, “often election experts, national security experts, and cybersecurity experts are speaking different languages. Election officials focus on transparent processes and open access and are concerned about introducing uncertainty into the system; national security professionals tend to see the threat first. Both sides need to listen to each other better and to use more precise language.” The report goes on to document the security failings of 21 state election boards’ operations.

One of the issues has to do with the poor security surrounding electronic voting machines. As I said, this is a well-known problem. A University of Michigan computer science professor has been studying this for years. He purchased some of these machines on eBay and set up a demonstration of how easy it was to hack the votes. Digital voting can be solved, but not easily: Estonia has been voting electronically for years because every Estonian has a digital ID card that isn’t easily hacked. (You can read my experiences with using it here – non-residents can buy one but obviously can’t vote.) You can read more about Estonia’s experience with its online voting here. It shows that digital voting doesn’t increase the overall voting population, but has become more popular since its introduction.

What the Senate report doesn’t document is what has been done since it began its research several years ago. That is the purview of the San Mateo grand jury report which posits that social media accounts of county officials — both their personal accounts as well as their official business accounts — have been compromised in the past and could be used to disrupt elections. These accounts could be used to spread false information both before and after an election. This report is quite chilling and Brian Krebs has a lot more to say about it.

Let’s talk a little more about what the state and local election agencies are doing to better secure our elections. To understand how these agencies are trying to improve their security postures, you have to follow the money.

Several years ago, Congress appropriated $380 million for state grants to improve election security. All of this money hasn’t yet been spent, although it has been allocated to the states and you can see where it is eventually going here in a very confusing report from a federal entity called the U.S. Elections Assistance Commission (EAC). The EAC is in charge of distributing these funds. A better analysis from Pacific Standard can be found in this piece. The state election authorities must match five percent of their grants and spend it all before 2023. Most of these funds are being spent on phishing awareness education, doing regular patching and system updates, and according to this report from last year, “ensuring election results have auditable paper trails, have better built-in cyber defenses and can continue to operate resiliently after a digital attack.” Illinois, Wisconsin and New York are planning to dedicate all of these funding allotments to improving cybersecurity measures. The others have proposed a mix of cyber and non-cyber improvements.

The EAC also provides a collection of various tools and best practices for state and local elections authorities, and you might want to spend some time, as I did, visiting its website and seeing the quality of its advice. On the whole, it is sound, but the problem is getting the hundreds of local officials to act on it and to work together with the feds.

One of these tools is an open-source intrusion detection system called Albert that was first developed by the U.S. Department of Homeland Security several years ago and is based on the Suricata IDS project. Suricata has replaced Snort and has become very popular in the commercial IDS world.

States can freely implement this tool, and EAC will help them with security monitoring too. This is done through an operations center that houses two functions: one for network-level events, called the Multi-state Information Sharing and Analysis Center, and one for election security events. It is run by the Center for Internet Security out of an office near Albany NY. Albert sensors are now monitoring election systems that will account for 100 percent of votes to be cast in the 2020 elections. In 2016, it was only covering a third of the votes cast.

Let’s turn from elections operations to influencing how we cast our votes. For that, I will talk about a new Netflix documentary called “The Great Hack,” which is now on its streaming service. I urge you to watch it with your whole family. It mostly follows two people that you might not have heard of and their role in the Cambridge Analytica/Facebook scandal: Brittany Kaiser, a former CA employee and David Carroll, a college professor who tried to sue the company to gain access to his own data. If you can get past the annoying CGI opening credits, there is actually much meat to be gleaned here. The main thesis of the movie has to do with convincing a class of voters it calls the persuadables in swing districts to vote for a particular candidate, or not vote at all. If you don’t have time to watch the movie, you can get the main points from a TED talk by Carole Cadwalladr, one of the reporters featured in the film. Facebook knew about the abuses of its data collection and was fined by the U.S. government last week. (This article by Techcrunch summarizes these details.) Also, in last week’s news: Facebook agreed to pay two fines. First was a $5 billion fine to the Federal Trade Commission, and a second $100 million fine from the Securities and Exchange Commission, which was overshadowed but represents a more important penalty.

OK, that is a lot to grok, I admit. If you have made it this far, here are some action items for you as an individual. First, if you want to vote intelligently, consume social media carefully. Don’t repost without extreme vetting of the source; better yet, go to listen-only mode and steer clear of using social media entirely for politics. I realize that is a lot to ask. Some of you have already abandoned social media entirely. Others have selectively blocked friends who wax too often on political topics. Second, when you vote, if you can use a paper ballot do so, at least until the electronic machines have better protection. Finally, check the election security operations center website to see if your county or city elections authority is a member, and if not, urge them to join.

Password spraying attacks means you need a better password strategy now

Those of you in tech have probably used or heard of Citrix. The company has been around for decades and sells a variety of products, including remote desktops and network security. It is ironic that they experienced a security breach across their internal corporate network: the breach began last October and was only discovered in March. A series of internal business documents were stolen as a result of this breach. Think about that for a moment: if a network security company can’t detect hackers living inside their network for months, how can mere mortals do it?

The company recently concluded its investigation and to its credit has been very transparent about its process. They hired FireEye to analyze its logs and have since updated their endpoint protection with its product. This post describes what Citrix is doing to tighten its security, and how it has put together a committee to help govern security going forward. That is great. The post concludes by saying, “we live in a dynamic threat environment that requires a culture of continuous improvement.” Very true.

But what I want to call your attention to is how this breach initially happened, and that is through an attack called password spraying. This is a very simple attack: you start with a list of login IDs and pair them with a series of common passwords until you find a pair that works. The link above has suggestions of how to use common tools to help determine your own exposure, and if you are new to this term you should spend some time learning more about it.
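The shape of a spray is what makes it hard to catch with per-account lockout counters: each account sees only one or two failures, but one source touches many accounts. The following detection logic, which is an added example and not code from Citrix, FireEye or the linked article, runs over constructed authentication log lines (the timestamp/IP/user/result layout is an assumption, not any product’s real format) and separates a spray from a classic single-account brute force, then lists any account the spraying source actually got into.

```python
"""Telling password spraying apart from ordinary brute force in auth logs.

Added example, not code from Citrix or FireEye. The log lines and the
field layout (timestamp, source IP, username, FAIL/SUCCESS) are
constructed for illustration; real products use other formats.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one login attempt per line (timestamp ip user result).
SAMPLE_LOG = """\
2019-03-01T08:00:01Z 203.0.113.7 alice FAIL
2019-03-01T08:00:03Z 203.0.113.7 bob FAIL
2019-03-01T08:00:05Z 203.0.113.7 carol FAIL
2019-03-01T08:00:07Z 203.0.113.7 dave FAIL
2019-03-01T08:00:09Z 203.0.113.7 erin FAIL
2019-03-01T08:00:11Z 203.0.113.7 frank FAIL
2019-03-01T08:00:13Z 203.0.113.7 grace FAIL
2019-03-01T08:00:15Z 203.0.113.7 heidi SUCCESS
2019-03-01T08:05:00Z 198.51.100.9 alice FAIL
2019-03-01T08:05:02Z 198.51.100.9 alice FAIL
2019-03-01T08:05:04Z 198.51.100.9 alice FAIL
2019-03-01T08:05:06Z 198.51.100.9 alice FAIL
2019-03-01T08:05:08Z 198.51.100.9 alice FAIL
2019-03-01T08:05:10Z 198.51.100.9 alice FAIL
2019-03-01T08:30:00Z 192.0.2.44 bob FAIL
2019-03-01T08:31:00Z 192.0.2.44 bob SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def analyze(log_text, min_accounts=5, max_per_account=3, brute_threshold=5):
    """Classify each source IP as 'spray', 'brute-force' or 'normal'.

    Assumes log_text already covers the time window of interest.
    A spray shows many distinct accounts with only one or two failures
    each, staying under the per-account lockout threshold, so lockout
    counters keyed on the account never fire. Brute force is the
    opposite shape: one account, many failures.
    """
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    successes = defaultdict(set)                   # ip -> users that got in
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    for _, ip, user, result in events:
        if result == "FAIL":
            fails[ip][user] += 1
        else:
            successes[ip].add(user)

    findings = {}
    for ip in set(fails) | set(successes):
        per_user = fails[ip] if ip in fails else {}
        distinct = len(per_user)
        peak = max(per_user.values(), default=0)
        if distinct >= min_accounts and peak <= max_per_account:
            verdict = "spray"
        elif peak >= brute_threshold:
            verdict = "brute-force"
        else:
            verdict = "normal"
        findings[ip] = {
            "verdict": verdict,
            "accounts_tried": distinct,
            "peak_failures": peak,
            "successes": sorted(successes[ip]) if ip in successes else [],
        }
    return findings


def high_priority(findings):
    """Sources that sprayed and then logged in: those accounts need an
    immediate credential reset and a review of what the session did."""
    return {ip: f["successes"] for ip, f in findings.items()
            if f["verdict"] == "spray" and f["successes"]}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, f in sorted(result.items()):
        print(ip, f)
    print("needs response:", high_priority(result))
```

The thresholds are deliberately parameters: `max_per_account` should sit at or below your lockout policy, since that is exactly the line a sprayer stays under. Grouping by source IP is the simplest pivot; attackers rotate addresses, so production detections usually also group by user agent, ASN or the set of passwords tried, and the same count-of-distinct-accounts logic applies to those keys.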

But even if you aren’t part of a corporate IT department, it is high time for you to change your own personal password policy. It is likely that you are using a common password somewhere across your many logins. This isn’t the first time I have made this recommendation. But if an IT vendor that sells security products can get attacked, it means that anyone is vulnerable. And if your password can be easily found (such as in Troy Hunt’s HIBP database), then you need to be concerned. And you need to start by using a password manager and change your passwords to something complex and unique enough. Now. Today.

FIR B2B podcast episode #124: How to supercharge your website content

In today’s episode, we examine different ways you can supercharge your website content by using some time-tested strategies that we may intrinsically know but don’t always talk about.

The first reference is from an article in Entrepreneur Magazine about three big mistakes one consultant made when building a new site. The mistakes all revolve around not understanding a basic tenet: B2B requires quality, not quantity. He chose AdWords keywords that were too general and ended up spending money on clicks that didn’t generate any real leads. He didn’t understand that buyers need prompting to get further into his content and needed ways for potential customers to actually talk or chat in real time with someone who can get them more engaged and further up the marketing funnel. We suggest all sorts of improvements, including having a FAQ and using different content types, to increase engagement.


The second piece is from Michael Brenner, CEO of Marketing Insider Group, who was our guest way back on episode 12. He talks about the importance of using serialized content to capture more attention. We need to understand that generating demand is all about cultivating and nurturing your potential customers. Start with a content audit to see what material you have that can be collected and serialized. Also examine some of the leading sites that Brenner talks about in this post. Paul has plenty of other great suggestions that he mentions in this episode, and you might want to also buy his book to get further details.

You can listen to our 14 min. podcast here.

CSOonline: Best tools for single sign-on

I have been reviewing single sign-on (SSO) tools for nearly seven years, and in my latest review for CSOonline, I identify some key trends and take a look at the progress of products from Cisco/Duo, Idaptive, ManageEngine, MicroFocus/NetIQ, Okta, OneLogin, PerfectCloud, Ping Identity and RSA. You can see the product summary chart here.

If you have yet to implement any SSO or identity management tool, or are looking to upgrade, this roundup of SSO tools will serve as a primer on where you want to take things. Given today’s threat landscape, you need to up your password game by trying to rid your users of the nasty habit of reusing their old standby passwords.

I also look at five different IT strategies to improve your password and login security, the role of smartphone authentication apps, and what is happening with FIDO.

 

Do you really know where your XP lurks?

I was visiting an industrial firm this week and had a chance to walk around their shop floor to see their equipment. It was a mix of high and low tech, machines that cost several thousands of dollars sitting alongside some very primitive pieces of hardware. Unfortunately, these primitive things were PCs running Windows XP.

Now, I have a fond spot in my being for XP. Just playing that startup sound sends chills up my spine (well, almost). I spent a lot of time running it for various tests that I got paid to do back in the day when IT pubs paid for that sort of thing. I had a stack of VMs running various situations, along with a couple of real PCs that had different versions of XP that I maintained for years. It was only with some reluctance that I eventually gave them up. Since then I have rarely run any XP on anything, because it has been superseded by several newer (and supported) versions of Windows. It appears I am not alone: XP is still around: according to this report, it can be found on 3% of total PCs on consumer desktops, and I am sure that number doesn’t include those in industrial and embedded environments such as I witnessed this week. BTW, Microsoft ended support for XP five years ago, although earlier this year it did create a patch to fix the Bluekeep flaw for XP.

The XP PCs that I saw were used by the firm to control some of their pricey industrial machines. I have no idea the network infrastructure at this shop, nor how much protection was put in place to continue to use XP in their environment. But it almost doesn’t matter: if you have XP, you are basically hanging a sign outside your virtual door that says, “come on in and hack me.” It is just a matter of time before some bad actor finds and exploits these PCs. It is like leaving a jar of honey out. This post written to help consumers use XP more safely recommends, “stop using IE or go offline.” That is harder to do than you might think.

Most likely, replacing this equipment with a more modern version of Windows isn’t all that simple. The machinery has to be tested, and probably has code that needs to be rewritten to work on the newer Windows. And you will say, that is the entire point, and you would be right. But the firm isn’t going to stop using XP, because then they would be out of business. So they are in between a rock and a hard place, to be sure.

So here is a simple security test that you can try out in your business. How many endpoints do you have that are still running XP? Just take a census, using whatever automated tool you might have. Now walk around and see if you can find a few others that are hidden inside industrial equipment, or a printer server, or some other likely location. Do you have the right network isolation and protections in place? Can you do without an internet connection to these PCs? Why did your automated scanners fail to identify these devices? Can you get rid of them completely, or is the vendor still insisting on using XP for their equipment? I think you will be surprised, and not in a good way, what the answers are.

And for those of you that are running XP at home, do yourself a favor and take a trip this weekend to MicroCenter (or whatever is your local computer store) and buy yourself a new computer, and dispose of your old one (after first removing your hard drive). And if needed, conduct an appropriate memorial service to bid this OS a fond farewell.

 

RSA blog: Taking hybrid cloud security to the next level

RSA recently published this eBook on three tips to secure your cloud. I like the direction the authors took but want to take things a few steps further.  Before you can protect anything, you first need to know what infrastructure you actually have running in the cloud. This means doing a cloud census. Yes, you probably know about most of your AWS and Azure instances, but probably not all of them. There are various ways to do this – for example, Google has its Cloud Deployment Manager and Azure has an instance metadata service to track your running virtual machines. Or you can employ a third-party orchestration service to manage instances across different cloud platforms.

Here are my suggestions for improving your cloud security posture.

CSOonline: Evaluating DNS providers: 4 key considerations

The Domain Name System (DNS) is showing signs of strain. Attacks leveraging DNS protocols used to be fairly predictable and limited to the occasional DDoS flood. Now attackers use more than a dozen different ways to leverage DNS, including cache poisoning, tunneling and domain hijacking. DNS pioneer Paul Vixie has bemoaned the state of DNS and says that these attacks are just the tip of the iceberg. This is why you need to get more serious about protecting your DNS infrastructure, and various vendors have products and services to help. You have four key options; here’s how to sort them out in a piece that I wrote for CSOonline.
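Of the attacks named above, tunneling is the one you can start hunting for in your own resolver logs before buying anything, because it leaves a recognizable fingerprint: many never-repeated, long, high-entropy subdomains under one registered domain. The heuristic scorer below is an added example, not code from the CSOonline piece or any vendor; the query names are constructed, and splitting the registered domain off as the last two labels is a simplifying assumption (real code should consult the Public Suffix List).

```python
"""Scoring DNS query names for tunneling indicators.

Added example, not from the CSOonline piece or any vendor. The query
names are constructed; treating the last two labels as the registered
domain is a simplifying assumption (use the Public Suffix List in
production).
"""
import math
from collections import defaultdict

# Constructed sample of queries seen at a resolver. example.net carries
# five long, never-repeated, random-looking labels, the tunneling shape.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn.example.com",
    "www.example.com",
    "aaaaaaaaaaaaaaaaaaaaaaaa.example.org",   # long but zero entropy
    "static.example.org",
    "k3v8q1zn5y0wxa7p4dj2mb9hgc6ft.example.net",
    "z9m2xq7k0bw4nh1vc8ya5pj3tf6dr.example.net",
    "p5d1hy8wk2zq0mv6cx3ta9nb7fj4g.example.net",
    "w7c3nq9zk1vx5pb0ym4hd8ja2tf6r.example.net",
    "m4t0zx8qk3wv1pn7cy5hb9dj2fa6g.example.net",
]


def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered_domain, subdomain); last two labels are assumed
    to be the registered domain."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_domains(queries, min_unique=4, min_entropy=3.5, min_length=20):
    """Aggregate per registered domain and flag the tunneling shape:
    many unique subdomains that are both long and high-entropy."""
    per_domain = defaultdict(set)
    for q in queries:
        dom, sub = split_name(q)
        per_domain[dom].add(sub)

    report = {}
    for dom, subs in per_domain.items():
        flat = [s.replace(".", "") for s in subs if s]
        if flat:
            mean_ent = sum(map(shannon_entropy, flat)) / len(flat)
            mean_len = sum(map(len, flat)) / len(flat)
        else:
            mean_ent = mean_len = 0.0
        suspicious = (len(subs) >= min_unique
                      and mean_ent >= min_entropy
                      and mean_len >= min_length)
        report[dom] = {
            "unique_subdomains": len(subs),
            "mean_entropy": round(mean_ent, 2),
            "mean_length": round(mean_len, 1),
            "verdict": "suspicious" if suspicious else "normal",
        }
    return report


if __name__ == "__main__":
    for dom, r in sorted(score_domains(SAMPLE_QUERIES).items()):
        print(dom, r)
```

All three signals are required together on purpose: CDNs and cloud security services legitimately generate many unique subdomains, and long hostnames alone are common, so any single feature fires constantly. Even the combined score is a triage hint rather than a verdict; confirm with query volume, record type (TXT and NULL lookups are rare in normal traffic) and the reputation of the registered domain before acting.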