In what seems to be a common trend in cloud service businesses, Dropbox announced a security breach this week in which user e-mail addresses and passwords were obtained from an employee account.
Earlier this month, Yahoo made a similar announcement: at least 400,000 users' e-mail addresses and passwords were breached, and the resulting information was posted online by a group of hackers trying to push Yahoo to fix its numerous vulnerabilities.
Back on June 6th, LinkedIn confirmed that there was a major security breach on their website and that "some passwords" were stolen from user accounts. Those passwords were posted on a website in Russia containing 6.5 million encrypted passwords, with additional reports that 200,000 of those passwords had already been cracked.
In the next few days the media will probably pounce on this story and discuss the various steps you should take in order to protect your identity online. What they will probably ignore is the fact that in the past year there have been over 800 security breaches and over 174 million compromised records. And that's only the security breaches that were discovered and reported on.
The truth is that most data breaches aren't even discovered by the people who own the data; it's usually a third party that makes the discovery. It just goes to show that if big companies like LinkedIn, Yahoo or Dropbox can be compromised, any business can be at risk.
Jacadis' advice:
Have a monitoring system in place that tracks and reports aberrant network traffic on your network or on any server that is exposed to the internet.
Make sure your computers and network systems are up to date on their service and firmware patches.
Make sure all your computers are up to date with their anti-virus program.
Have a quarterly security audit performed on any internet applications your business might have to identify any possible security vulnerabilities.
Perform a regular audit on your systems to make sure that your anti-virus and patching solutions are performing properly.
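The first item in the advice above, a monitoring system that reports aberrant traffic, is the one small businesses most often skip because "monitoring" sounds like a product purchase. The following is an added example, not Jacadis' code, that shows the core of such a check in Python: it builds a per-host baseline of daily outbound bytes and destination ports from a constructed flow log (format assumed to be `date src_ip dst_ip dst_port bytes`) and then flags any host whose volume on the day under review is far above its own baseline, that is sending to a port it has never used, or that has no baseline at all. The sample records, the three-sigma threshold and the seven-day baseline are all assumptions for the example.

```python
"""Flag aberrant outbound traffic per host against that host's own baseline.

Added example, not part of the original post. Assumes a flow-log format of
"YYYY-MM-DD src_ip dst_ip dst_port bytes_out", one record per line.
"""
import statistics
from collections import defaultdict

# Constructed sample flow log. Days 2012-07-24 .. 2012-07-30 form the baseline;
# 2012-07-31 is the day under review. Host 10.0.0.7 normally sends a few KB to
# web and mail servers; on the last day it sends 900 KB to a new host on 6667.
FLOW_LOG = """\
2012-07-24 10.0.0.5 203.0.113.10 443 12000
2012-07-24 10.0.0.5 203.0.113.11 443 15000
2012-07-24 10.0.0.7 203.0.113.10 443 9000
2012-07-25 10.0.0.5 203.0.113.10 443 13000
2012-07-25 10.0.0.7 203.0.113.12 25 4000
2012-07-26 10.0.0.5 203.0.113.11 443 11000
2012-07-26 10.0.0.7 203.0.113.10 443 8500
2012-07-27 10.0.0.5 203.0.113.10 443 14000
2012-07-27 10.0.0.7 203.0.113.12 25 3500
2012-07-28 10.0.0.5 203.0.113.11 443 12500
2012-07-28 10.0.0.7 203.0.113.10 443 9500
2012-07-29 10.0.0.5 203.0.113.10 443 13500
2012-07-29 10.0.0.7 203.0.113.12 25 4200
2012-07-30 10.0.0.5 203.0.113.10 443 12800
2012-07-30 10.0.0.7 203.0.113.10 443 9100
2012-07-31 10.0.0.5 203.0.113.10 443 13000
2012-07-31 10.0.0.7 198.51.100.9 6667 900000
"""


def parse_flows(text):
    """Parse flow-log lines into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        day, src, dst, port, nbytes = parts
        try:
            flows.append({"day": day, "src": src, "dst": dst,
                          "port": int(port), "bytes": int(nbytes)})
        except ValueError:
            continue
    return flows


def detect_aberrant(flows, check_day, sigma=3.0, min_days=5):
    """Return alerts for hosts whose behaviour on check_day departs from baseline.

    The baseline is every record dated before check_day. Three conditions raise
    an alert: daily bytes above mean + sigma * stdev of the host's own history,
    a destination port never seen for that host, or a host with no history.
    """
    daily = defaultdict(lambda: defaultdict(int))   # src -> day -> bytes
    ports = defaultdict(set)                         # src -> ports seen
    for f in flows:
        if f["day"] < check_day:                     # ISO dates sort lexically
            daily[f["src"]][f["day"]] += f["bytes"]
            ports[f["src"]].add(f["port"])

    today = defaultdict(int)
    today_ports = defaultdict(set)
    for f in flows:
        if f["day"] == check_day:
            today[f["src"]] += f["bytes"]
            today_ports[f["src"]].add((f["port"], f["dst"]))

    alerts = []
    for src, total in sorted(today.items()):
        history = list(daily[src].values())
        if len(history) < min_days:
            alerts.append({"src": src, "reason": "new_host", "bytes": total})
            continue
        mean = statistics.mean(history)
        stdev = statistics.pstdev(history)
        # Floor the spread so a perfectly regular host still gets a usable band.
        threshold = mean + sigma * max(stdev, 0.1 * mean)
        if total > threshold:
            alerts.append({"src": src, "reason": "volume", "bytes": total,
                           "threshold": round(threshold)})
        for port, dst in sorted(today_ports[src]):
            if port not in ports[src]:
                alerts.append({"src": src, "reason": "new_port",
                               "port": port, "dst": dst})
    return alerts


if __name__ == "__main__":
    for alert in detect_aberrant(parse_flows(FLOW_LOG), "2012-07-31"):
        print(alert)
```

The per-host baseline matters more than the exact threshold: a file server legitimately moves far more data than a receptionist's PC, so a single network-wide limit would either miss the small host's 900 KB burst or page you every day about the file server. In production the flow records would come from the firewall or a NetFlow collector rather than a string, and the alert list would feed a ticket or an e-mail to whoever reviews it.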
After a forced vacation from the blog due to an office move I am here to warn you. I'm back.
That said, I'm getting reoriented to the knowledge needs of entrepreneurs who must protect their critical data and to the risk management needs of those infosec and auditing types who must assure that their small business vendors are doing the right thing.
As I do that a quick tip ...
If you are a regular tweeter, log in to Twitter and check your authorized apps. I was surprised when I resurfaced at the number of apps that were authorized to use my Twitter account. Almost half of them were from long-forgotten experiments. Experiment on! But clean up the lab from time to time to ensure you don't leave key information exposed from a forgotten test.
Here's the quick to do:
Log into Twitter at twitter.com
Choose view profile page
Choose edit your profile
Choose apps
Review the list of applications. Revoke any that you no longer use.
When we started Jacadis in 2001, most of our work focused on assessing whether clients' networks were secured, particularly at the firewall, and helping companies implement servers that were "hardened", or properly secured, to be exposed to the public internet.
Today we still assess client networks to determine whether they are secured properly. We answer the questions "are you vulnerable?" and "are you secure?", but those assessments now include a lot of other assets that can be attacked, such as web sites, mobile devices, remote access facilities, wireless, as well as the paper in your dumpster and your employees.
We are also increasingly asked "are we doing the right things to be compliant with this regulation, this contract, or this industry best practice?"
Every organization has some level of compliance obligation relating to how it collects, stores, processes, handles, shares and discards data. Your organization's obligations are determined by its unique compliance footprint:
What is the nature of your business?
What types of data does your business collect, store, process, handle, share and discard?
What government jurisdictions do you operate in? Have customers in?
What do your vendor and customer contracts obligate you to?
What is the nature of your business processes?
What risks apply to your environment? Business sector? Location? Technology choices?
Not knowing can lead to inefficiency, breached contracts and lost customers, fines, pain and pestilence.
Knowing can lead to competitive advantage, new business, efficiencies and cost savings.
With so much focus these days on data privacy and individual identities, much of the conversation within the security community, and from the security community to the business community, skips over other critical information types that need to be protected.
This is a list of information that you should also work to protect:
1. Information about your systems and networks. When I backpack I don't do very well if I have to go off trail and I don't have a map. The same is true for someone trying to break into your information systems. If you fail to protect the information describing your systems and networks (network maps, configuration files, etc.) then you may just be providing a map to someone who wants to explore your network and find more valuable information. Are you making your network an outside explorer's paradise?
2. Your company's secret sauce. You may not have a secret sauce made of "11 herbs and spices". Or your business may not depend on the mysteries of an ancient Chinese secret (remember the Calgon commercials?), but all of us in small business have our secret sauces. For Jacadis, it is the unique way we deliver many of our services. For a printing client of mine, it is the unique steps that they have created to protect confidential data transmitted to them from larger customers. That process has helped them win business because other printers aren't doing it. Years ago we did work for a company that made a unique material used in the florist business. They were the only company in the world that could produce the material in quantity and had factories worldwide that did it. Their key asset was the chemical formula and process to produce that material. Are you protecting your secret sauces?
3. Work. Think of the endless hours that you spent putting together that killer sales presentation. Should it be corrupted or removed from your computer, you'll have to redo the work. The same is true for data entry, etc. The work itself might not be "secret", but should you lose it you'll really be losing time and value. As I sit here typing, most of my work is electronic collections of media (words, video, slide presentations, papers, articles, Secure-Value, jacadis.com). For your business your work may be many other things. My sales team would tell me that their biggest collection of work is the information they have on clients. A friend of mine has a laser cutting business. Unique programs are written to consistently and repeatedly cut 3D designs into different materials. These programs are his work. Another friend has a much lower tech manufacturing business, an old sand mold foundry. His forms and molds breaking means he has to redo them, just as my more high tech laser cutting friend would have to do should those laser programs get lost or corrupted. In the end the loss of work means the loss of time or information. You'll have to invest time to recreate the information. In some cases you may not be able to recreate it. Are you protecting your work?
4. Personal information about your executives, leaders and key employees. Again, to explore something you need a map. To attack a target you need a map. Freely and without thought sharing personal information on your executives, leaders and key employees may just be providing a map. This is a tricky subject though. I won't do business with a company if I can't see some information about its ownership. Most people do business with people so a company that completely hides the details of their key players doesn't earn my trust. Likewise, though, a firm that freely shares contact information, addresses, personal information, etc. about its members opens itself up. On a simple level, executive emails sprinkled all over a web site invite spam. On a more complicated level, in some businesses, travel plans and other locational information improperly shared invites more nefarious attacks. Are you protecting your key people? Are you protecting all of your people?
5. Personal, though non-protected, information about your customers and prospects. Again, protect the map. Customer lists, detailed information about your customers' pains and challenges, and the other sort of information that fuels a personal relationship between your business and your clients should be protected regardless of whether or not the information is considered private, confidential or in some way protected by law or regulation. Protecting your customers' information promotes trust. Are you promoting trust with your customers?
What types of information that must be protected did I miss?
We had a unique call come in yesterday, one I wish we had more of, but we don't.
A small business owner with a brokerage of sorts wanted to develop a website that would allow the producers and the buyers to post information, in some cases highly personal information, review non-confidential subsets of the data about the other and keep the whole thing secured from the outside.
She asked if we could help and provide "small business pricing quotes."
In fact, I don't think many security firms get those calls.
Most of our calls are after the fact either after the app or system has been developed or just after it has been breached.
She called us asking questions because she didn't have any answers. I think that approach serves us well in many endeavors.
We can help her. We offered to help her develop a list of functions and safeguards she needed in her application, help her manage the procurement process and then to test the application for security before she accepted it from her developer.
In 10 years of business that was a first.
Most applications, particularly web applications, are built without much thought to information security, customer privacy or the regulations covering the information.
Truthfully no application is 100% secure. But an application that has been designed and developed with careful consideration for its information security, user privacy and regulatory requirements stands a great defensive chance once it has been launched. Testing that application before launch further raises the defensive posture. Regular testing and a proper operational routine after it has been released to production even further raises that posture.
Again, our experience has been that most businesses, particularly small business, design and develop applications, release them to production and then through some event realize that security is a concern. There is a breach or a break-in. The site is knocked off line by a denial of service attack and revenue streams are interrupted. The invoice from the payment card processor is higher than they want to pay and they find it is because of non-compliance with PCI. And so on.
This occurs because two things don’t happen up front:
Security just isn't talked about as part of the design process. It must be!
An assumption is made that the developer and hosting providers on the project will handle security. In most cases they won't unless you demand it of them and back the demand up with contracts and tests.
Here is a list of non-technical questions you need to consider as part of your design conversation. Getting technical on some of these issues may require a member of your IT staff or an outside consultant. But any small business owner should be able to answer these questions if they are trying to build a business using technology:
What is the sensitivity of the data on our planned site? Is it regulated data?
Who regulates the information or audience that uses our site? What are your obligations to protect it? What are your obligations to maintain user privacy? Does your privacy policy match that obligation? Will the site be developed with the guidance of a privacy policy?
How long can the site be offline before it negatively impacts our business? When will customers usually visit the site to transact business? If we are offline for an hour of peak traffic time, how much revenue will we lose? Profit?
What do our customers expect from us in regard to protecting their privacy?
Will you have user forums or accounts on the site? How will you verify those signed up are really customers? Or really people?! Does that matter? Will you allow any and all comments in your forums? Do you need to edit them or block them?
How does the developer ensure the web application is secure? The database?
How does the hosting provider help secure your application? How will you know they are doing their job?
You then need to make sure that your development partner builds the site to meet the requirements these questions should raise to the surface.
That site must be deployed in a technical environment that is at minimum protected by:
Proper and verified operating system and application hardening procedures
Separation of the development environment (where you'll continue to create and innovate as well as test) from the production environment
We then recommend you test the site against your requirements to make sure they were met (best to do that before that last check goes to the developer!). We also suggest you conduct a vulnerability scan against the site to make sure that it wasn’t developed with technical weaknesses a hacker could use to create havoc for you.
And then finally we recommend that you, as a matter of routine, continue running those tests to make sure the site maintains the secure posture you paid for in the first place.
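"Proper and verified" hardening, and the routine re-testing recommended above, both come down to the same mechanical question: does the deployed configuration still match the baseline you paid for? The following is an added example, not code from the original post or from Jacadis, that shows one way to answer it in Python for an SSH daemon: it parses `sshd_config`-style text, compares it against an assumed hardening baseline, and reports every directive that is missing or set to a value outside the baseline. The two sample configurations are constructed for the example; the baseline values are the example's assumptions, not a published standard, and a real deployment would choose them from the hardening guide the business has adopted. The same approach generalizes to any key-value configuration file (web server, database) by swapping the parser and the baseline.

```python
"""Verify a configuration file against a hardening baseline.

Added example, not part of the original post. The baseline below is an
assumption chosen for illustration, not a published standard.
"""

# Assumed baseline: directive -> set of acceptable values. Keys are compared
# case-insensitively because sshd treats directive names that way.
SSHD_BASELINE = {
    "PermitRootLogin": {"no"},
    "PasswordAuthentication": {"no"},
    "PermitEmptyPasswords": {"no"},
    "X11Forwarding": {"no"},
    "MaxAuthTries": {"3", "4"},
}

# Constructed "before" configuration: a typical out-of-the-box server.
WEAK_CONFIG = """\
# sshd_config (constructed sample, permissive)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
"""

# Constructed "after" configuration that meets the baseline.
HARDENED_CONFIG = """\
# sshd_config (constructed sample, hardened)
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""


def parse_config(text):
    """Return {lowercased directive: value} for the global section of the file.

    Comments and blank lines are ignored. Parsing stops at the first 'Match'
    block, because directives after it apply only to matching users or hosts
    and must not be mistaken for the global setting.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            break
        settings[key.lower()] = value.strip()
    return settings


def audit_config(text, baseline=SSHD_BASELINE):
    """Compare a config against the baseline; return a list of findings.

    A finding is (directive, actual_value_or_None, acceptable_values). A
    missing directive is reported because the daemon's compiled-in default
    then applies, and that default is exactly what the baseline is meant to
    override. An empty list means the configuration meets the baseline.
    """
    settings = parse_config(text)
    findings = []
    for directive, acceptable in baseline.items():
        actual = settings.get(directive.lower())
        if actual is None or actual.lower() not in acceptable:
            findings.append((directive, actual, sorted(acceptable)))
    return findings


def meets_baseline(text, baseline=SSHD_BASELINE):
    """Convenience wrapper for use in a scheduled check or a CI step."""
    return not audit_config(text, baseline)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {'OK' if meets_baseline(cfg) else 'FINDINGS'}")
        for directive, actual, acceptable in audit_config(cfg):
            print(f"  {directive}: found {actual!r}, expected one of {acceptable}")
```

Running this on a schedule against the live production configuration, and treating any finding as an incident to explain, is the "verified" half of the hardening requirement: a server that was hardened on launch day but quietly reconfigured by a later change has, for practical purposes, never been hardened at all.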
Yesterday, I had a prospective vendor tweet out details of our infrastructure right after he got off the phone with one of our engineers. I guess he thought letting me know he was working for me was cute. He lost a deal because he violated my trust.
Today, we had a client ask if we could speak to their sales people about the importance of information security and privacy from their customer's view.
Do you sell products or services into markets that have information security risks or fears? Do you consider security to be a feature of your product? Do your customers routinely include questions about how you handle information security in their RFQs and RFPs? Do your contracts include clauses that allow your customers to audit your infrastructure? Do you sell products or services into regulated industries such as healthcare (HIPAA/HITECH) or public companies (Sarbanes-Oxley) and so on?
If you said yes to any of those questions, do your sales people understand the importance of security in building and maintaining customer trust?
Do you train them? Do you make their role in building and maintaining trust an obvious part of their performance expectations?
Security training for sales professionals selling into protected markets should include:
1. Information Security 101 covering basic terms that your customers' auditors and IT staff will use as a matter of everyday language. They should be comfortable with terms such as risk, vulnerability, threat, safeguard, confidentiality, integrity and availability.
2. Industry issues related to security, privacy and regulatory compliance. A salesperson serving health care markets needs to have a different knowledge base than a salesperson selling into financial markets and so on. We've been involved with clients purchasing technology from vendors who have sales people claiming knowledge about regulatory issues that is wrong. They don't get those sales.
3. Product and service features that support a client's information security, privacy and compliance pains.
4. Basic online etiquette and secure online behavior. Preparing sales people to participate securely and privately in communications, particularly if social media is part of your communication strategy or part of the culture of your work force.
5. General trends in information security including some pointers on news sources that can keep your sales team informed.
An example:
After Epsilon was hacked two weeks ago, I had two conversations with senior executives from two different firms that provide consumer-oriented services who had never heard of Epsilon. Epsilon is an email marketer that provides email marketing services to large companies. They were hacked and the customer emails of some 50 companies were taken. You can expect firms in the direct consumer market to be concerned with the risks of having their customers exposed through other services. These execs had no idea. Without some idea of what to watch for in the news I wouldn't expect them to, but that awareness would give them an edge in customer conversations, because the customers are very aware and knowledgeable.
We've seen good sales people with bad security habits lose business. We've helped some of them change and with their companies create competitive advantage as this knowledge prepares them to begin building trust at the inception of the first lead contact. I prefer to have my sales people be as productive as possible. If you sell into security concerned markets this is a tool you should consider.
"I don't want to know anything about HIPAA. I just want to be compliant. Can't you just tell me what I need to do and then give me a certificate or something?"
So one of our sales reps was asked last week ...
To many an entrepreneur, government regulatory requirements are simply a bother that gets in the way of doing what we love in running our businesses.
In this case the firm in question is a Software as a Service provider in a niche part of the health care market. The business is under 5 people; the licensing for the service costs less than having a lawyer review each HIPAA BA agreement sent their way.
But because HIPAA compliance governs how they protect and use the protected health information hosted in their application and touched by their staff during support interactions, HIPAA is a part of the feature set. Like their desire to know Web 2.0 and other evolving technologies, knowledge of security and privacy
It isn't a whole lot different from a chef who just wants to create fabulous meals with no care or concern for a clean kitchen or the health inspector who is sure to come one day.
If you are going to play in the health care space providing services to HIPAA Covered Entities, you must educate yourself and understand that part of your environment as much as you understand the technical and operational aspects of your business.
We provide services to educate companies of any size on the HIPAA Security and Privacy Rules, to assess how they stand in compliance with those rules and to plan for closing any gaps our assessments may uncover. We also help firms operationalize their HIPAA compliance, because the law doesn't say "get there" in regards to compliance with the HIPAA Security and Privacy Rules but "get there, stay there", which means HIPAA must become a regular part of your day to day.
An integral part of our being able to help any company is that company's willingness to learn HIPAA and understand how it will impact them.
An integral part of becoming and staying HIPAA compliant is a willingness to learn HIPAA and understand it on an ongoing basis.
Jacadis helps businesses prepare and respond to security questionnaires and audit requests from their usually larger customers. We also are the audit and assessment team for some firms who choose to use external resources to review their key vendors' security.
Frankly, as breaches go, Epsilon isn't that big a deal. No protected information, just names and email addresses, was taken. And more sophisticated attacks have come and gone in the press largely unnoticed.
Epsilon has received more attention than the more impactful breaches in part because it touched so many people. Non techies are talking about it. We believe that buzz is going to find its way into the executive suites and audit teams of big companies and boost the rigor and frequency with which larger firms test, prod, and assess their supply partners.
Experts suggest that companies that outsource technology services take some of the following steps:
Make sure the vendor has a recognized certification for information security, such as ISO 27001 or SAS 70 Type 2, granted by an accredited auditing organization such as the International Organization for Standardization (ISO);
Sign agreements that oblige vendors to undergo regular audits by third parties, at least annually. Auditors should test software (especially software that can be accessed via the Internet) and hardware as well as people, to ensure that vendors’ employees themselves don’t fall prey to scams;
Make sure vendors assume liability for breaches that affect customers and end users; and
Make contingency plans with the vendor so that neither is caught by surprise in the event of a security breach.
Management consultants and corporate governance experts are providing similar advice to their Fortune 2000 and similarly sized customers. These recommendations have been around for several years; however, the buzz from Epsilon has the potential to turn the recommendations into reality.
This will impact you if you answer yes to any of the questions below:
Your business is part of the supply or services chain for larger regulated firms. We see most of the third party verification activity from firms that have regulatory obligations under HIPAA; PCI, GLBA or other financial privacy rules; or Sarbanes-Oxley. We have seen these types of firms apply the highest security and privacy standards to their vendors even if their vendors don't process confidential or protected information. Do you provide services to these types of firms?
Your business provides a service that includes considerably volatile information. If, for instance, you process non-protected personal information but it is somehow seen as critical to your client's business or its relationship with its customers, this might apply. Or if, for another instance, you process company confidential information such as trade secret related information. Do you provide services to these types of firms?
Firms in the supply chain stack. You may not be doing business with a regulated firm, but you may be providing services to firms that provide goods or services to firms that provide services to regulated businesses. You know what they say about it rolling downhill. Are you at the bottom of a supply chain?
Take action
If you answered yes to any of those questions we suggest the following:
1. Look at your customer agreements with firms in the categories above.
Do any of those agreements place obligations on your company to protect your client’s information in a certain way?
Do they have the right to audit?
Have you told your IT team about these obligations?
Are you prepared to meet these obligations?
2. Sit down with your technical leadership and discuss:
Are we secure? Vulnerable? Do we follow a best practices approach to information security? Which one?
Do we routinely check through tests, assessments, and/or audits our answers to the questions above?
If we got an auditing letter from an existing customer would we be ready for the audit in a week? a month? 3 months?
When the auditor arrives, do we have documentation that defines our security program's values (policies), details the routines we follow to meet those values (processes), shows that those routines are being followed (logs, action reports, scorecards, etc.) and that our staff is aware of their obligations (awareness training)?
If we committed during the sales process with a new customer to do certain things to secure their data did IT and the others in the company responsible for delivering on that obligation have a hand in the answer? Are we overcommitting?
Are we managing security well enough that we can create a competitive advantage over other firms in our class? Can we use that advantage to build new business?
If your business provides services to regulated businesses upstream in your market, we recommend you keep asking these questions until you feel comfortable with the answers.
Have you read or heard the news about the enormous hack at Epsilon, which touts itself as the World's Largest Permission Based Email Marketing Services Company? The hack affects a long list of major brands and probably includes some companies that you use.
If you paid attention to the reports then you've heard that no credit card accounts or social security numbers were taken, just millions and millions of email addresses and in some cases full names.
First, the amount of FUD (fear, uncertainty and doubt) included in sales and marketing messages from your technology vendors will increase. With each and every spectacular hack in the market, FUD changes and morphs to include the new event as a reason to "BUY NOW!", even when, as we see daily, the product in question doesn't safeguard against that kind of hack. Be an informed buyer, particularly of items as critical as security technologies.
Second, this large scale hack will catch the attention not just of the security and audit teams at these firms but of the corporate suites as well, resulting in greater attention to third party verification and vendor assurance programs. The list of companies affected includes a host of major brands. I've worked with small businesses that provide services to some of these firms. We've helped these small businesses prepare their environments to meet vendor qualification requirements, and we've helped these firms prepare for audits by the larger firms' audit departments as part of contractually required vendor audits. If your firm provides services that depend on confidential data from these firms or others with a similar profile, be prepared to attend to a heightened audit process.
Third, the information stolen could be used to send targeted attacks to the customers of Epsilon's clients and that might put you at risk in two ways:
Targeted phishing attacks that look like legitimate messages from any of these companies are likely to be in our future. Know how to protect yourself from phishing attacks, which Jacadis partner Sophos neatly outlines.
Accounts that depend on your email address might be at risk. Better safe than sorry. I would suggest you change your passwords on those accounts and make sure they are strong passwords.
What impacts to business and personal security do you think will be the aftermath of the Epsilon hack? What fears do you have about how it impacts your business or yourself?
Last week I had the pleasure of a lunch with a handful of local business leaders and entrepreneurs and Representative Steve Stivers. Jacadis is an active member of the Hilliard Chamber of Commerce which hosted the event.
He prefaced the mostly question-and-answer session with a few comments about the goings-on in Washington. His overall theme was a recognition that to move the country forward we need to tighten our belts. He shared the Republican-controlled House's commitment to that tightening and acknowledged the difficulty of getting things done with an opposition Senate. The elections in 2012 will matter.
My perspective on the conversation is from two vantage points.
First, though we've successfully grown over the last few years of economic difficulty, we've been slowed by the financial crises and poorly performing economy. We are like your business.
Second, among the work we do, we help businesses manage their security and privacy operations to meet their regulatory obligations.
From those filters, here are my thoughts from the lunch:
It is difficult to get an accurate and complete measure of a man's character, viewpoints, and commitments from an hour's lunch, but Representative Stivers impressed me as a neighbor and peer who goes to Washington to work for us. He didn't come off as a sleazy yes man like some politicians. He mentioned proudly that he is an Eagle Scout. I was most impressed by how he said "No" regarding more spending.
Several of the questions and much of Representative Stivers conversation centered on budget and the structural impact Federal spending and debt has placed on the credit markets. Access to credit and cash flow management go hand in hand. Typically those are the biggest limiting factors to small business growth.
Stivers is in favor of finding ways to significantly cut spending. He referenced his young daughter and her future as he discussed the future impacts of our current budget situation.
I asked him to speak to the issues of overregulation. Referencing the Federal Trade Commission's Red Flags and HITECH I asked him his views of government regulation.
(NOTE: In quick summary: Red Flags is a rule promulgated by the FTC during the Bush Administration. Its effective date has been moved 4 times. Early adopters were penalized; late adopters don't believe the FTC will enforce the rule. HITECH came to us as part of the stimulus bill. Those in the health industry are legally accountable to rules that are not yet written.)
Representative Stivers spoke to the issue of government regulation. In his view government regulation should level the playing field for the market as a whole. The government should not pick winners and losers but allow the market to decide. As we discuss security and privacy regulations I think those are a great yardstick from which to measure healthy regulation.
He spoke to the issue, bundled in my question, of Congress ceding its governing authority to the executive branch. In my view, the crazy implementation of FTC's Red Flags was because the rule making was a political process. As interest groups representing higher education, health care and the legal community identified their opposition to Red Flags, the rules were altered and the enforcement date was moved back. He acknowledged that Congress needed to work hard to gain that governing authority back after years (not a D or an R thing, as it has happened across decades) of letting the technocracy drive rulemaking.
What most impressed me was a moment where Stivers told us no. One business owner, a retailer in Northern Columbus, is impacted by the poor traffic patterns around the OH-23 and I-270 interchange. She inquired if Stivers knew where the funding stood and asked for his support. He committed to checking into it but shared with her that if funding wasn't already approved he was most likely a "NO" vote on it. He went on to explain that we all were going to have to deal with the reality of "No's" on government spending if we had an expectation that the government should live within its means.
And that sounded about right to me.
In the end I was pleased with the lunch. The food at Heritage Country Club, where the Hilliard Chamber so often meets, was good. Our guest, Representative Stivers, was a good listener and a straight shooter in discussing the issues. And, in what could have been a grip-and-gripe session, the business leaders in the room, as was Stivers, were all positive about the future.
How does the regulatory environment interfere with your business growth? I'd love to hear your stories.