HID ActivID Authentication Server: A very capable and comprehensive IAM product

If you are looking for a comprehensive identity and access management (IAM) tool that can cover just about any authentication situation and provide ironclad security for your enterprise, you should consider HID Global’s ActivID product line.

Even if you are an IAM specialist, it will take days and probably weeks of effort to get the full constellation of features set up properly and tested for your particular circumstances. There is good news though: you would be hard pressed to find an authentication situation that it doesn’t handle. It has a wide range of tools that can lock down your network, covers a variety of multifactor authentication methods and token form factors (as shown here below), and provides single sign-on (SSO) application protection.

If you are rolling out MFA protection as part of a larger effort to secure your users and logins, then the case for using HID’s product becomes very compelling.

I was hired to take a closer look at their product earlier this year, and came away impressed with the level of thoroughness and comprehensive protective features. You can download my report here and learn more about this tool and what it can do.

FIR B2B podcast #107: What LinkedIn’s Latest Sales Research Says About the State of B2B Marketing

When we last spoke to Justin Shriber (below), Vice President of Marketing for LinkedIn Sales and Marketing Solutions, in episode #87 last January, he offered some predictions about the upcoming year in B2B marketing. His forecasts turned out to be pretty solid, including closer alignment of marketing and sales functions and the growing importance of storytelling in promoting your brand. So we took advantage of a pitch for LinkedIn’s new State of Sales report to connect again. This third annual report examined how top sales performers – B2B in particular – are using technology and modern strategies to build trust with buyers and close more deals. The addition of buyer views this year makes the survey even more interesting reading.

The report found a resurgence of buyer interest in doing business with trusted vendors: 40% of sales professionals rank trust as the number one factor in closing deals — surprisingly rated above ROI and price. 

There are also some interesting age breakdowns. Millennials are outperforming their peers in sales effectiveness pretty much across the board, the survey found. Young sales reps are tapping into marketing insights and using tech at higher rates than their elders to help them succeed. Of course, their quotas might be lower, as well!

Buyers who are decision-makers are least likely to engage with sales professionals who lack knowledge about their company (79 percent) and whose products or services are irrelevant to their company (76 percent). Understanding the buyer’s business is now table stakes for salespeople, Shriber told us. Of course, LinkedIn has some features that can help with that. 

In this interview, we dig into a number of highlights of the survey as well as discuss trends LinkedIn is seeing in the use of its platform by sales pros. You can listen to the 20 min. podcast here. 

How great collaborations occur

What do the Beatles, Monty Python, the teams behind building the Ford Mustang and the British Colossus computer, and the Unabomber manhunt have in common? All are examples of impressive and successful collaborative teams. I seem to return to the topic of collaboration often in my writing, and wrote this post several years ago about my own personal history of collaboration. For those of you that have short memories, I will refresh them with some other links to those thoughts. But first, let’s look at what these groups all have in common:

Driven and imaginative leadership. The Netflix series on the Unabomber creates a somewhat fictional/composite character but nevertheless shows how the FBI developed the linguistic analysis needed to catch this criminal, and how a team of agents and a massive investigation found him. Some of those linguistic techniques were used to figure out the pipe bombing suspect from last week, by the way.  

A combination of complementary skills. The Beatles are a good example here, and we all have imprinted in our early memories the lyrics and music by John and Paul. On the British code-breaking effort Colossus, that team worked together without actually knowing what they each did, as I mentioned in my blog post. Another great example is the team that originally created the Ford Mustang car, as I wrote about a few years ago.

Superior writing and ideation. An interview that Eric Idle recently gave on the Maron WTF podcast is instructive. Idle spoke about how the entire Python team wrote their skits before they cast them, so that no one would be personally invested in a particular idea before the entire group could improve and fine-tune it. Many collaborative efforts depend on solid writing backed by even more solid idea-creation. There are a number of real-time online writing and editing tools (including Google Docs) that are used nowadays to facilitate these efforts.

Active learning and group training. A new effort by the Army is noteworthy here, and is what prompted my post today. They recognize that soldiers have to find innovative ways to protect their digital networks and repel cyber invasions. They announced the creation of a new cyber workspace at the Fort Gordon base (near Augusta, Georgia) called Tatooine, which refers to the Star Wars planet where Luke spent some time in the early movies. The initial missions of this effort will focus on three areas:

  • drone detection,
  • active hunting of cyber threats on DoD networks, and
  • designing better training systems for cyber soldiers.

Great communicators. Many of these teams worked together using primitive communication tools, before the digital age. Now we are blessed with email, CRMs, real-time messaging apps, video chats, etc. But these blessings are also a curse, particularly if these tools are abused. In this post for the Quickbase blog, I talk about signs that you aren’t using these tools to their best advantage, particularly for handling meeting schedules and agendas. In this post from September, I also provide some other tips on how to collaborate better.

Unique partnerships. All of my examples show how bringing together the right kinds of talent can result in the sum being bigger than the individuals involved. At the Army base, both military and civilian resources will be working together, and draw on the successful Hack the Army bug bounty program. On Colossus, they recruited people who were good at solving crossword puzzles, among other things. The Python group included Terry Gilliam, who was a gifted animator and brought the necessary visual organization to their early BBC TV shows. 

Certainly, the history of collaboration has been one of fits and starts. As a former publication editor, I can recall the teams that I put together had some great collaborative efforts to write, edit, illustrate and publish the stories in our magazines. And while we continue making some of the same mistakes over again and not really considering the historical context, there are a few signs of hope too as the more modern tools help folks over some of these hurdles. That brought me a solid appreciation for how these best kinds of collaborations happen. Feel free to share your own examples if you’d like. 

CSOonline: What is application security and how to secure your software

Application security is the process of making apps more secure by finding and fixing vulnerabilities and enhancing the security of the apps themselves. Much of this happens during the development phase, but it also includes tools and methods to protect apps once they are deployed. This is becoming more important as hackers increasingly target applications with their attacks.

In the first of a two-part series for CSOonline, I discuss some of the reasons why you need to secure your apps and the wide variety of specialized tools for securing mobile apps, for network-based apps, and for firewalls designed especially for web applications. Next month, I will recommend some of these products.

Looking for a portable VPN? Don’t pick these products.

I have been testing some interesting devices to help you set up VPNs when you travel. By now most of you know not to connect to open WiFi access points, because your Internet traffic can be monitored, recorded, invaded, and used against you. The way to avoid these issues is to use a VPN. Until recently, you had a few different choices: install some software or bring your own VPN device. Both are more suitable for corporate networks, and aren’t all that easy to install and configure. These three devices attempt to make things easier for consumers. Sadly, none of them is quite up to the task.

Both the Butterfly and eBlocker are small hardware devices. The Butterfly has a USB end that fits in any USB AC power adapter. The eBlocker is a cube two inches on a side with its own Ethernet and power cables to connect it up. The Webroot product is only software. You see I listed their prices above, and that is my first complaint: a consumer VPN should be priced transparently. Figuring out their prices shouldn’t take a combination of a CPA and a PI.

The appeal of the three products is their supposed ease of installation. However, I ran into problems on all of them. For example, the eBlocker is made in Germany, and the default menus are shown in German. If you want to change this to English menus, you have to learn enough German to navigate through the menu tree to find the switch to make this happen. The Butterfly (setup menu at left) is designed to operate with a simple open WiFi router. As you move about the world, you have to find and connect to one before you can establish your VPN connection. That is great, but you will have problems on other routers that aren’t completely open. For example, you’ll have issues if you connect to hotel or airport routers with captive wireless portals that require you to bring up a web form to acknowledge something. Also, there was no way to change the default password in any of its configuration menus, which seems like a major security shortcoming. The Webroot VPN was the easiest to install, since it was just software that runs in the background, but it had issues that I will get to below.

On all three, you can select various VPN endpoints for your traffic to appear to come from. At right, you can see how you can do this with Webroot, by clicking on the locations shown in the list. That has a lot of appeal — if it really worked as advertised. With eBlocker, you can also route your Internet traffic through the Tor network for even more privacy. I had issues with all of them when verifying the IP addresses with a public service, such as WhatisMyIP.com. They didn’t always work consistently, and despite conversations with each vendor, I couldn’t exactly tell you why.

Webroot also allows you to select a particular VPN protocol (like IPsec or PPTP) if you need to connect to a corporate VPN. That is a nice touch.

All three also do more than just set up a VPN. Webroot does rudimentary content filtering. eBlocker can anonymize your originating IP address and block ads in your browsing sessions. It has this privacy discovery page where you can see what kind of information is being collected from your browser session, if you need reminding. Here is what its dashboard looks like:

Blocking ads seems like a great idea, until you run into lots of websites that won’t deliver any content to you until you unblock them. As an example, my hometown newspaper doesn’t allow any visitors from EU countries because of potential GDPR liabilities. (That is probably a canard, but still.) There is a whitelist to add sites to try to get around this, but it didn’t seem to always function as intended.

Using a VPN can also come in handy when you travel overseas and want to access content from the streaming video services. This is because the shows that we take for granted here in the US aren’t necessarily licensed for overseas viewing. For example, I was recently in Israel, where I was pleased to see that Amazon was streaming “The Man in the High Castle” but blocked just about every other one of their original shows. However, none of the VPN services of the three devices would work reliably in this situation. And with Webroot’s VPN engaged, I couldn’t access any Netflix content whatsoever. It could be because of cookies set on my computer, or because of how I registered for the service, or it could be something else. The bottom line: if you want to securely access your content when you travel, you can’t depend on any of these devices.

And that is why I recommend you don’t buy any of these three items, at least until each vendor does a better job with fixing the issues I mentioned above. Consumer-grade VPNs are a great idea, especially if you travel frequently. But they are still a challenge, unless you have an IT department standing by to assist you when you run into snags on the road.

FIR B2B podcast episode #106: Tips for auditing and fine-tuning your content

This week Paul Gillin and I look at several resources that can be used to help examine your content marketing strategy in our podcast. You can listen to the 17 min. episode here.

First up, this piece by an executive with Athena Health talks about how the company took the time to look at how their site visitors were reacting to their posted content and adjusted accordingly. It also discusses the importance of storytelling as a component of content marketing. There are great tips here on how to improve your content portfolio.

Last month, GlaxoSmithKline introduced a brand incubator that is used for internal audits of all aspects of its marketing and messaging. While your company may not have the resources to do this on a full-time basis, reading this post on MarketingWeek could help inform your own thinking about how you can accomplish rebranding and using content specifically for this task.

Paul shares his thoughts about how small teams can be useful for this effort, particularly since they aren’t direct stakeholders. This could be a way to innovate and fail fast. He also refers to a presentation that he has put together about content audits. You can download this slide deck from one of Paul’s presentations here.

He suggests that you think across what he calls the content cube, as shown here. Each cell of the cube classifies the type, delivery vehicle and stage in marketing funnel for a particular content asset. Finally, we offer another content auditing worksheet from Hilary Marsh here.

HPE Enterprise.nxt blog: 10 security trends to watch for in 2019

This has been quite a year for data breaches, with reports that numerous unsecured Amazon Web Services storage containers were inadvertently made public, a rise in hidden cryptomining malware, and lots of victims continuing to fall for ransomware and other botnet attacks. So, with that context, let’s look at what security trends 2019 could bring and ways to prepare for the coming year. I cover security awareness training, hiding malware in plain sight with fileless and other techniques, the rise of FIDO2 and better cloud security in my story in HPE’s Enterprise.nxt blog.

RSA: Ten tips to make your Archer deployment successful

One of the best takeaways I got from attending the RSA Archer Summit 2018 this past September was to listen to customers tell their stories about their deployments. I have put together a series of tips based on this testimony from several IT managers who have been using the product for many years. Some of them have asked me to obscure their identity, but the message rings true. You can read their suggestions here.

RSA blog: Every day we should practice cybersecurity awareness

Yes, just like last October, this month we celebrate National Cybersecurity Awareness Month. So let’s look at what happened in the past year since we last honored this manufactured “holiday.”

We started off 2018 with more than three million records breached by Jason’s Deli, moved into spring with five million records from Saks/Lord&Taylor and 37 million care of Panera Bread restaurants. May saw breaches from fitness tracking company PumpUp and clothing retailer Under Armour. July was a new low point with breaches from Ticketfly, the Sacramento Bee newspaper chain, and MyHeritage. And let’s not forget Exactis with 340 million records placed online.

In this post for RSA’s blog, I have several suggestions on ways to make this month more meaningful and actionable for IT managers.

Even with this list, I am sure that I haven’t accounted for many other breaches of the past year, including the various data leaks from GoDaddy, LevelOne Robotics, Nice Systems, Los Angeles’ 211 service center, Localblox, Octoly and Viacom. These and many others put unprotected AWS S3 storage buckets online and forgot to secure them. All it took was a single check box and the data in all of these situations would have been easily secured.

Of course, who doesn’t remember Facebook’s woes, which thanks to Cambridge Analytica divulged more than 100 million of our accounts. And if we look beyond just private data leaks, who could forget the City of Atlanta finding out their backups were worthless after being hit by a ransomware attack. This resulted in the city spending millions of dollars, eventually close to its entire annual IT budget, to learn that lesson.

With security awareness, you are only as good as yesterday’s response. Every day, someone is trying to leverage their way into your network, your data and your corporate reputation. Every day, your network is being bombarded with thousands of phishing attempts. Someone is sending multiple emails with infected attachments; hackers are continuously trying reused or common passwords, and coming up with new blended threats whose construction we don’t yet understand. Every day, users are attaching infected phones and laptops to your network that can serve as new entry points for attacks. So do you really want to take a moment and celebrate? Go right ahead. Go have a piece of cake.

But let’s get down to work and make October more meaningful. Let’s use this month to try to do something positive about security awareness that can last more than just a few days and a few meek attempts. It is time to make security awareness a year-round event. And this isn’t just for the IT department, or your security staff, but something that has to happen across the board. Here are a few tips to get started.

Make a goal that this time next year will be the time when all of your users have embraced MFA or FIDO for their business-critical logins. The tools are getting better, FIDO is being supported with more products, and even Facebook and Google and Twitter now support MFA logins. Many of the breaches mentioned above would have not happened, or have had less impact, had accounts been properly secured with multiple authentication factors.

Use this MFA effort as a more complete assessment of your identity and access management strategy. Examine what you are doing here and whether any of the newer technologies – such as adaptive authentication and better risk assessments — can improve your login security.

Learn from Atlanta’s woes and make sure your backups are actually useful. Spend some time ensuring that you can reconstruct your servers in case anything unfortunate happens, from a disk crash to a ransom attack. Not too long ago, I had two hard drive crashes on my equipment in a single week. I didn’t lose any data, thankfully – but I did lose a lot of time in getting both PCs back up and running. And I learned how I can improve my recovery procedures too. You should conduct regular disaster exercises to see what happens when parts of your network or particular servers are taken offline, and how long it takes you to recover from these events. Everyone can benefit from more resilient operations.

Review your cloud storage buckets for unintended data leaks. There are numerous security tools (if we can mention RiskIQ’s CloudGoat) that can help you assess your storage buckets and ensure that they are properly protected and not sitting ducks online.
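The bucket review above is something you can also script yourself. The following is an added example, not code from the original post or from any of the tools it names: it evaluates the two settings that most often turn an S3 bucket into a public one, the bucket ACL grants and the "block public access" configuration that sits behind the single check box mentioned earlier. The sample data is constructed inline to mirror the shape of the S3 API responses (the `Grants`/`Grantee` structure returned by `get_bucket_acl` and the `PublicAccessBlockConfiguration` returned by `get_public_access_block` in boto3); the bucket names and owner IDs are made up, and fetching live data with boto3 is left to the reader.

```python
"""Audit S3-style bucket settings for unintended public exposure.

Added example (not from the original post). Sample data below is constructed
to mirror the shape of the S3 API responses; bucket names are fictional.
"""
from typing import Dict, List

# The canned grantee URIs S3 uses for "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}

# The four switches behind the "block public access" check box.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl: Dict) -> List[str]:
    """Return 'GROUP:PERMISSION' for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            who = "AllUsers" if grantee["URI"] == ALL_USERS else "AuthenticatedUsers"
            findings.append(f"{who}:{grant.get('Permission')}")
    return findings


def public_access_block_gaps(pab: Dict) -> List[str]:
    """Return the public-access-block settings that are not enabled.

    A bucket with no configuration at all (the API raises
    NoSuchPublicAccessBlockConfiguration; pass an empty dict here) has
    every switch off, so all four names come back.
    """
    config = pab.get("PublicAccessBlockConfiguration", {})
    return [key for key in PAB_KEYS if not config.get(key, False)]


def audit_bucket(name: str, acl: Dict, pab: Dict) -> Dict:
    """Combine both checks; an empty 'findings' list means nothing was exposed."""
    findings = [f"public ACL grant {g}" for g in public_acl_grants(acl)]
    gaps = public_access_block_gaps(pab)
    if gaps:
        findings.append("public access block not fully enabled: " + ", ".join(gaps))
    return {"bucket": name, "public": bool(findings), "findings": findings}


# Constructed sample data: one leaky bucket, one locked-down bucket.
SAMPLE_BUCKETS = {
    "leaky-backups": (
        {"Owner": {"ID": "owner-1"},
         "Grants": [
             {"Grantee": {"Type": "CanonicalUser", "ID": "owner-1"},
              "Permission": "FULL_CONTROL"},
             {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
         ]},
        {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    ),
    "locked-down": (
        {"Owner": {"ID": "owner-1"},
         "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-1"},
                     "Permission": "FULL_CONTROL"}]},
        {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}},
    ),
}


def audit_all(buckets: Dict = SAMPLE_BUCKETS) -> List[Dict]:
    """Audit every bucket in the mapping, in insertion order."""
    return [audit_bucket(name, acl, pab) for name, (acl, pab) in buckets.items()]


if __name__ == "__main__":
    for result in audit_all():
        print(f"{result['bucket']}: {'PUBLIC' if result['public'] else 'ok'}")
        for finding in result["findings"]:
            print("   -", finding)
```

A public ACL grant is reported even when `BlockPublicAcls` and `IgnorePublicAcls` happen to be on, because the grant is still a latent exposure that reappears the moment someone relaxes the block; the point of the review is to remove the grant, not just mask it.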

Do continuous user awareness training. There are many vendors that can help with putting together a program. The trick is not doing so just once a year, but on a continuous basis. Think about how you can offer incentives to your users, not just make the training onerous and thereby ineffective. One vendor offers a program that performs assessment, education, reinforcement, and measurement in a continuous cycle.

Go back to security school. Folks like SANS offer plenty of training for security staff to brush up on their techniques and tools. We all need refreshers to stay current with what the bad guys are constantly cooking up.

It’s time we realized that security awareness needs to be a year-long focus and not just one-and-done.