Would Encryption Have Prevented The Target Hack?

Last week I said that I would go deeper into the forms of encryption that can be used to protect your information, and I stated that “the most common encryption method in use today for data at rest won’t do anything to protect your company from a system hack.” But let me back up for a moment.

Just as matter can exist in 4 states (solid, liquid, gas, or plasma), information can exist in 3 states: at rest, in motion, and in use. In the December 2009 issue of HP Connect Magazine, I published an article that asked the question, “Will Volume Level Encryption Keep My Data Safe?” Even though computing has seen a radical shift in the last half decade, the information presented in that article is just as accurate and valuable today as it was 4 years ago. (With the exception that IBM has since received a patent for its data-in-use protection method and is now promoting it as a solution to cloud security.)

The Cliffs Notes version of that article is that data can be encrypted at the container level (disk, communications link), hardware block level, file level, record level, or field level using the same or different keys and the encryption can be performed in hardware or software. If done in software, the encryption engine can be built into the disk driver, operating system, database, application, or an encryption library.

The most common type of encryption is at the volume level and can be done in software (Microsoft Bitlocker, Symantec Drive Encryption, etc.) or hardware (self-encrypting disk drives). The answer to the question asked in the title of my HP Connect Magazine article is no – volume level encryption won’t keep your information safe unless the system or disks are powered off. So even if Target had encrypted its data, full disk encryption wouldn’t have done anything to stop the theft of 40 million customer credit and debit card accounts from its running systems.

While I said that the amount of protection afforded an object should be proportional to its value, I glossed over the fact that you also need to determine the lifetime of your information. That is, when does it stop being valuable? Are you protecting product launch dates or battle plans (a few months), credit card numbers and PINs (3 years), product design documents (from months to years), or government and trade secrets (generations to forever)? You need to encrypt for the life of your data. That means choosing an encryption algorithm and key length that can stand up for the lifetime of the data.

Credit cards and PINs have a lifetime of about 3 years. Target says hackers took encrypted PIN data but can’t crack it because it’s secured with Triple DES. But Target is not saying how many keys or what key length was used, and according to NIST that matters: two-key Triple DES encryption was acceptable only through 2010, is in restricted use from 2011 through 2015, and is disallowed after 2015. So the PINs may be at risk, depending on the keys and the computing resources of the hackers.

In my Fall World DRJ session on the intersection of cyber security and business continuity, I said that all of your information should be laid out on a grid, with its value to the company on one axis and its lifetime on the other. Information that is low in value with a short lifetime falls in the bottom left corner, while information that is key to your organization’s existence with a very long lifetime appears in the upper right corner. The Coca Cola formula probably would go there.

Actionable Information

I dumped a lot of information on top of you in this entry and pointed you to even more, but all of it is actionable. If you are concerned about the security of your information, you need to identify:

  • Your most important information
  • Its lifetime
  • What needs to be done to protect it from cyber threats

And if your IT staff tells you that your information is encrypted, ask about:

  • Full disk encryption versus more granular encryption
  • If hardware or software encryption is in use
  • The encryption algorithm and key length
  • How the encryption key is protected
  • The certification of the encryption implementation

Is There a Target On My Back?

Anyone who hasn’t been hibernating since Thanksgiving already knows that critical information from 40 million credit and debit cards used in Target stores from November 27 to December 15 was exfiltrated from their computer systems.

The stolen information includes customer names, credit or debit card numbers, expiration dates, and card security codes. Additionally, debit card PINs (the digits that you enter on the keypad when you use a debit card) were also lifted, but Target says that the PINs were encrypted and the encryption key was stored at a different company.

This story raises a number of questions, both from an organizational point of view and from a consumer point of view. First off, Target said it began investigating the incident as soon as it learned of it through a leading third-party forensics firm. So how could Target not have known that its own systems were hacked?

You might be surprised to find out that every year, the FBI or other security organizations notify hundreds of companies when they learn there was an intrusion into the companies’ networks. Often, these companies didn’t even know they were under attack until there was a knock on their door. And while still other companies may have known there was something wrong, they didn’t know what to do about it or who to call.

As CEO, you can’t pass the buck to your IT department and say, “You handle this…I can’t be bothered.” A serious hack can materially affect the status and future of your company. And in fact, plaintiffs in California are working to bring a class action lawsuit while local media reported that another lawsuit was filed in a Rhode Island federal court.

Clueless politicians are also sticking their noses under the tent. US Senator Chuck Schumer called on the Consumer Financial Protection Bureau to report on whether retailers should be required to encrypt customer card data. (Note to Chuck – retailers already are required to encrypt customer card data. See the PCI security standard.)

Whether the hacked cards get used or not, this is a PR nightmare for Target and could very well lead to lower sales as customers seek safer harbors for their shopping trips. But unfortunately there are no safe harbors in today’s world. You see, hackers have infinite time to find a single hole to let them in while the targets of their evil deeds have to try to defend thousands of known and unknown attack vectors.

So what can you do to protect yourself?

  • If your credit card company offers it, use a smartphone app that notifies you every time your card is used.
  • Regularly check your paper or online statement. Sometimes hackers ping an account for only a few cents to verify they have an active account.
  • If anything looks amiss, don’t be afraid to contact your credit card company to let them know.

My mom is absolutely convinced that she will be safer if she doesn’t use her credit card online and shreds anything with her name and address on it. But as we saw this month, you can still be at risk even if your credit card never leaves your hand. This hack didn’t even touch Target.com shoppers.

As a CEO, what can you do to keep off of the front page for the wrong reasons? Read more about this on my Forbes.com blog post.

Next week I’ll go deeper into the forms of encryption that can be used to protect data at rest, data in motion, and data in use. You might be surprised to find out that the most common encryption method in use today to protect data at rest doesn’t actually protect anything as long as your systems are up and running.

Black Friday and The Art of the BCP Test

Only 40% of IT organizations have tested their disaster recovery plans in the last 12 months, according to the 2013 InformationWeek State of Storage Survey.

Working at SunGard Availability Services, I see this lack of preparation first hand every day. SunGard offers Mobile MetroCenters® that bring custom-designed, fully equipped office space to customers to support their business continuity plan in the event of an emergency. During roadshows of the Mobile MetroCenter, customers are constantly coming up to me and telling me that they’ve had this service under contract for years, but have never actually been inside one before. And they’ve certainly never tested the Mobile MetroCenter in conjunction with their overall Business Continuity Plan (BCP).

Now, testing disaster recovery plans is essential. You can’t just leave your recovery to chance or you’ll take a tremendous risk that your plan won’t work properly when you need it. The trouble is, doing a full “live fire” exercise of your recovery plan is time consuming and expensive. Such a test involves sending your people to a backup site; bringing up the computers; moving tapes from storage to the backup site—not to mention paying the high costs of transportation, housing, meals, test fees and so on. Which means that you want to ensure that your processes and procedures are complete before you schedule one.

Before a ‘Live Fire’ BCP test, Do Some Tabletop Exercises

Here’s where we get to Black Friday, as I hinted at in the title of this post. The way you plan for a Black Friday shopping expedition is a perfect example of how you would run one or more so-called “tabletop exercises” before you run a live fire exercise.

What do I mean?

Well, for many families, Black Friday is the center of their Thanksgiving tradition. Once they’ve gobbled up the turkey and cleared the dishes, the family members gather round the table to build their Black Friday battle plan. They set shopping objectives; search for coupons; create a step-by-step timeline; specify family staging, transportation, and gathering locations; and finally set up a tactical communications plan to relay deals that can’t be missed. They may even develop code words so as not to tip off other shoppers as they discuss a particularly good sale.

A tabletop exercise of your BCP is similar to this Black Friday planning session. You gather around a table and walk through your BCP step-by-step. The purpose is to ensure that you’ve included everything you’ll need to recover your critical business processes when disaster strikes and get your employees back to work. These steps include setting the exercise objectives; ensuring that you have the proper inputs and documentation; creating a step-by-step recovery timeline with employee staging, transportation, and gathering locations; and finally setting up a tactical communications plan to ensure that you can notify your vendors, employees, and stakeholders when disaster strikes. You may even develop a set of “pre-populated” messages as part of your crisis communications plan.

Tabletop exercises don’t cost a lot of money or take a lot of time. But they do help reduce expenses for your live fire exercises by letting you carefully hone your recovery processes before you actually test them out. You can talk through what you need to do. And if you find that you’re missing something, you can include that in your next tabletop go round. Once you’re satisfied that your tabletop exercises have caught all the holes in your planning, you can move to a real “live fire” exercise with a BCP that’s far more likely to succeed.

One final takeaway. When you go on your Black Friday expedition, you may have to leave one or more family members home because they’ve had too much to eat or drink or are in bed with the flu. Similarly, don’t let all your employees participate in the tabletop. If you know that you have a key employee that holds your BCP together, give them a vacation day and see if your company can still run the tabletop without them – after all, you need to know what would happen without that one key person should disaster strike.

This was first published on the SunGard AS blog.

Protecting Our Kids From Active Slaughter

In the past, we called them active shooters, but police and sheepdogs can also be active shooters when they are going after a bad guy who is actively slaughtering your children in a school setting (or, as we saw in Kenya, in an upscale shopping center). So Lt. Col. Dave Grossman has taken to using the term Mass Slaughterer for these cold-blooded killers.

I am a big supporter of Col. Grossman and his theories about why we seem to be in an era of mass bloodletting. But even if you don’t believe him, he also has dozens of pearls of wisdom for how to make your schools safer for your children and their teachers. I covered one of my own recommendations (the Crisis Response Box) in this post. Here are some additional recommendations from the Colonel for making schools safer (which frankly might help make all workplaces safer). Remember that adrenaline is pumping in these events and people lose their fine motor skills, memory, and most of their ability to think. This means that all of the labeling I list below should be in huge, easy-to-spot characters.

  • Make it harder to get into your school or organization. Keep doors locked, use glazing that is hard or impossible to break, and keep a watchful eye on the grounds for people that just shouldn’t be there.
  • Assign a unique label to each exit. Keep it simple – single letters or numbers work best – and ensure these labels are on the inside and outside walls next to the doors and on all maps. Make sure the labels won’t be blocked when the door is open. This makes it easier to relay instructions. Hint: If the label is on the door, it probably won’t be visible from at least one side if the door is open. Even if you put the label on the door, also put it on the wall.
  • Assign unique room numbers and ensure that rooms are labelled inside the door, outside the door, and outside the building on an exterior wall. I might be in the same room my whole career but when it hits the fan, my memory could go blank.
  • Paint outlines of classroom walls on the exterior of the building and on the roof. If first responders need to get into a specific room from the roof or outside of the building, this will help them locate it.

What hints do you have to assist first responders? Please add them to the comments.

See Me, Feel Me, Touch Me, Heal Me

My title comes, of course, from the Rock Opera “Tommy” by The Who. But this blog is really about companies that are invading my personal space with their overblown “Hear me, Smell me” campaigns.

Maybe you haven’t noticed, or maybe you have, but it seems like every store, hotel, or restaurant that I walk into these days has “background music” playing much too loud, as if it was the main event. Studies have shown that people eat faster when listening to louder, faster music, allowing restaurants to turn their tables faster and increase their profit.

As for retailers, Paco Underhill, a shopping anthropologist, says that retailers are increasingly relying on music (plus lighting and scents) to make shopping more sensory, or “experiential” as industry experts like to say. The use of background music in the foreground causes me to tune out everything because my constantly ringing ears don’t seem to support the cocktail party effect, possibly caused by some too-energetic pyrotechnics use during high school and college.

Some stores like Abercrombie & Fitch and its offshoot, Hollister, use music as a weapon, so that their target customers can buy their wares without their pesky parents seeing the latest fashions that turn their kids into teenaged pimps and whores. On top of the music, their clothes are even sprayed with an intoxicating scent that lingers long after you have left the store.

Which brings me to my next topic – scent marketing. If the music’s too loud, I can pop in a pair of custom-fitted earplugs – which I now carry with me most of the time. But what can I do about the foul stench that is euphemistically called a “Signature Fragrance”? Wear a gas mask? I travel frequently and am a platinum preferred guest with Starwood Hotels, one of my favorite brands. After going back and forth with their corporate office, I now know that I can ask them to turn off the scent machines when I am a guest at one of their properties. That’s better than the handful of Las Vegas properties that I cannot even set foot into without having to gasp for air while grasping for my inhaler.

I don’t see why I, as a guest, should have to deal with a scent-induced asthma attack when walking into a shopping center or staying in a hotel. Maybe I can shop elsewhere if I don’t want something from my favorite stores, and I guess I can stay elsewhere too (but I really like Westin hotels!).

It’s a free country. If a business wants to play loud music and stink up the place, that’s their prerogative. But honestly, I wish my favorite brands wouldn’t try to drive me away.

What are your opinions on the presence of loud music and scents in restaurants, retailers, and hotels that you frequent?

Marriott Security Breakdown Gets Me Out of Bed (updated)

Along with Westin, Marriott hotels are some of my favorites. But an incident last night, followed by my conversation with management this morning dropped my opinion down a notch.

At 1:36 AM last night, I awoke to someone breaking into my room at the Cambridge Marriott hotel, outside of Boston. I heard the door slam open against the “visitor latch” that lets you open the door a bit to see who is outside. I jumped out of bed with my heart pounding, pulled on my pants and dialed 0 to have them send security to my room.

Less than 2 minutes later, the front desk called me back to tell me that my mother had asked the front desk to deliver a rollaway bed to the room. Since I was traveling alone, I was surprised at this and the clerk apologized about the incident.

Additionally, I now know that the housekeeping keycards bypass the “extra security” knob that occupants turn when they are in the room. In my mind, bypassing the “someone is in the room” lock should only be allowed by hotel security. If I didn’t have the visitor latch closed, I would have had one very surprised housekeeper in my room in the middle of the night.

Management Is Powerless?

Fast forward through a sleepless night full of adrenaline rushes, and in the morning as I was checking out, I asked the clerk (who I had talked to in the middle of the night) if I could talk to a shift supervisor. She told me the woman standing next to her was the supervisor, so I told her the story about someone breaking into my room overnight. The clerk explained that it was housekeeping and it was a mistake. I then related my security concerns to the supervisor and asked to be comped for a night for the fright that it gave me.

My Security Concerns:

  • Was the woman requesting the bed asked for ID?
  • Did they ask whose name was on the room registration and verify it?
  • Why didn’t they call the room to confirm, or at least have housekeeping knock on the door before using their keycard to enter the room?
  • Why do housekeeping keycards bypass the “someone is in the room” lock?

The clerk didn’t say anything and the supervisor told me that I would have to talk to the head of security about the lapses and only the front desk manager could authorize free nights, but neither were in. I gave her my card and she promised to pass it on to them with my concerns.

The Rest of the Story

Justin, the Senior Operations Room Manager (an update to the Front Office Manager title), reached out to me after he and the hotel security manager completed a thorough debrief of the employees involved and an analysis of my room lock and keycard access controls. He apologized profusely and offered compensation to me for the event.

While he could not tell me exactly what went wrong, he did say that security confirmed that housekeeping keycards cannot bypass the “someone is in the room” lock (you can draw your own conclusions about how housekeeping managed to open the door). He also told me that there are always opportunities for retraining and this was one of them.

The camper is now happy again.

Don’t Even Think of Outrunning a Tornado

In memory of “Storm Chasers” stars Tim Samaras, 55, his 24-year-old son, Paul, and 45-year-old colleague Carl Young.

Sometimes it seems like the world is against you. It certainly seemed that way to the citizens of Moore, Oklahoma, where an EF-5 tornado (the worst there is) touched down about a week ago. 70 children were injured and nine were killed, many of whom were attending Briarwood Elementary School or Plaza Towers Elementary School. It seems like a miracle that all of the students at Briarwood survived, but it was because of construction and not luck – we’ll get back to this after our commercial break. Friends, have you ever tried to outrun a tornado?

Just a few days ago, frightened Oklahoma residents tried to. And just like we saw during Katrina, interstates and roadways quickly became parking lots as people tried to escape the oncoming storm, trapping families in the worst possible place to be. Do you want to see what trying to outrun a tornado looks like? The video is right here:

Now back to the schools. At Briarwood, each grade is organized into four pods with a few classrooms in each pod. An opening to the outside runs through the center of the pods which can be used for escape. Plaza Towers is of traditional construction, where all of the classrooms are in a long line under one roof. When the school collapsed, the roof and walls fell on top of each other, leaving no escape path. And while both schools had practiced tornado drills, neither had a safe room, which could have potentially saved lives. Have you looked into the construction of your children’s schools and gotten involved to ensure that your school board has the proper plans, procedures, and supplies in place to protect them when disaster strikes?

While we are on the subject, what about your home? If you live in an area with extreme weather conditions, do you have a safe room (this would include a properly designed and equipped storm cellar) and have you completed a disaster recovery planning checklist? The Red Cross suggests that everyone get a kit, make a plan, and stay informed. Living in northern California puts me in earthquake central, and unlike hurricanes, tornadoes, or severe weather, we don’t get any advance warning.

I work for SunGard Availability Services and our Crisis Management Team monitors severe weather that could affect us and our customers. As you can imagine, we have our own checklist that we go through whenever we see something barreling down on us or our customers. While it might be more suited to a company, it could also be a good start to building your own disaster recovery planning checklist. That blog entry is here.

So that’s about it for this post, but I’ll say it once again: get a kit, make a plan, and stay informed. And above all, ensure that your friends and family do the same.

Are You Putting Your Organization At Risk?

Apple, formerly Apple Computer, is legendary in its secrecy. In the late 20th century, I was working for Tandem Computers down the road from Apple in Cupertino. There were stories of undercover agents roaming the tables of local eateries listening for employees talking about things that were not to be divulged in public, then reporting their names back to the mother ship. In 2012, Apple announced plans to build its own off-campus restaurant to prevent anyone but employees from overhearing each other’s conversations.

Fast forward to modern times, and we’re in the always-connected era. Not only are employees probably talking about your latest secret project in public, they probably are working on it. Unless the information I am viewing is publicly available (like an article or conference presentation), I do not use my notebook, tablet, or phone for anything except playing movies and music on airplanes, in a coffee shop, or any other public location. As an information security professional, I know how easy it is for people to see what I am working on, even if they are hundreds of feet away from me.

Some organizations might mandate the use of privacy filters to limit viewing by seat mates, but take a look at your screen from the row behind you or standing in the aisle and be surprised. Most privacy filters only protect you from the side and not from over your shoulder. There are some with reflective surfaces that can help prevent shoulder-surfing but they may also diminish your own view. In fact, you might find out that your employees are removing the filters entirely because they cannot see the screen properly themselves.

If you travel a lot like I do, you have probably overheard a sales rep trying to close a deal on the rental car shuttle bus. More than once I’ve been able to deduce the company and the deal they were working on. “Look, we can underbid XXX, win the deal, then use the cost rider to get our margins back.” Wouldn’t you be surprised and pleased if XXX was your company and you were on your way to the same vendor meeting?

I was at a conference a couple weeks ago and overheard two people at a table behind me talking about their plan to hire college students to ride elevators at another conference and take notes on what was being said if the conversation included certain keywords. Since there is no expectation of privacy in a public place, this is perfectly legal. I guess they could also pay the older students to hang out in the conference hotel’s drinking spots.

Earlier I mentioned that it’s easy for people to see what I am working on, even if they are hundreds of feet away from me. How can this be? Free Wi-Fi. Unless your employees are using a virtual private network (VPN) connection, the information flowing from device to data center is unencrypted. And even if someone is using a VPN, or some versions of SSL, a rogue hotspot can watch everything go by as the “man in the middle” (MiTM).

MiTM

How does this work? I am sitting in a coffee shop (or burger bar, hotel, airplane, etc.) and I fire up Wi-Fi on my device. I see a hotspot called Stabrucks so I link to it. Re-read the last sentence – carefully. This is a rogue hotspot. When I create my VPN, or use SSL to talk to a server, the computer behind the hotspot creates 2 connections: one between the device and itself, and one between itself and your company’s network. Each thinks it is running securely, but the MiTM can read every piece of information going back and forth.

There are ways of guarding against a MiTM attack, but they need to be carefully implemented and used.
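The guard that matters here, for TLS and for any VPN built on it, is that the client verifies the certificate the far end presents: the computer behind the hotspot can only set up its own two connections if the device accepts the certificate it offers in place of the real server’s. The Go program below is an added example, not the author’s code or any product’s: it mints a “corporate” CA and a “Stabrucks” hotspot CA (constructed names) that each issue a certificate for the assumed server name vpn.example.com, runs the handshake over loopback TCP, and shows that a client verifying against its corporate CA rejects the hotspot’s certificate while a client with verification switched off accepts it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const Host = "vpn.example.com" // server name the client expects to reach (a constructed example name)

// newCert mints a P-256 key and certificate for name: a self-signed CA when parent is nil, else a leaf issued by parent.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // hostname checking needs a SAN, not just a CN
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewEndpoint creates a CA named caName and a leaf for Host issued by it: the chain a server presents plus the CA.
func NewEndpoint(caName string) (tls.Certificate, *x509.Certificate, error) {
	ca, caKey, err := newCert(caName, nil, nil)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, leafKey, err := newCert(Host, ca, caKey)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{leaf.Raw, ca.Raw}, PrivateKey: leafKey, Leaf: leaf}, ca, nil
}

// ClientAccepts handshakes over loopback with a server presenting chain; the client trusts only trustedCA, or nothing at all when skipVerify is set.
func ClientAccepts(chain tls.Certificate, trustedCA *x509.Certificate, skipVerify bool) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback stands in for the hotspot's network
	if err != nil {
		return false
	}
	defer ln.Close()
	go func() { // the server side: either the real gateway or the interposed computer
		if conn, err := ln.Accept(); err == nil {
			tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{chain}}).Handshake()
			conn.Close()
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second)) // safety net against a stuck handshake
	cli := tls.Client(raw, &tls.Config{ServerName: Host, RootCAs: roots, InsecureSkipVerify: skipVerify})
	return cli.Handshake() == nil // any verification failure (unknown CA, wrong name, expiry) lands here
}

func main() {
	corp, corpCA, _ := NewEndpoint("Example Corp VPN CA") // the real gateway's identity
	rogue, _, _ := NewEndpoint("Stabrucks Hotspot CA")    // the interposed computer's identity
	fmt.Println(ClientAccepts(corp, corpCA, false), ClientAccepts(rogue, corpCA, false), ClientAccepts(rogue, corpCA, true)) // true false true
}
```

The middle result is what a correctly configured VPN or browser client does on a rogue hotspot; the last one is what disabling verification (InsecureSkipVerify here, or its equivalent in any TLS client) silently gives away.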

Frankly, I wouldn’t be surprised if foreign governments paid agents to ride elevators, hang out at Starbucks and Peets, and fly in first class, all in the name of espionage. What are your thoughts?

Newtown Father Talks About Protecting His Daughter

Bill Stevens, the father of Victoria, a Sandy Hook Elementary school student, asks legislators why the protection that he can give her at home cannot be afforded her in school. Mr. Stevens states that in the event of an intruder, there would be no lockdown at his house, and 911 would only be called after he has secured the situation. This echoes the comments of E. Brian Normandy in an earlier blog post who believes that students should evacuate and scatter so that they don’t become easy targets for a gunman intent on killing as many students as possible.

But back to Mr. Stevens. He comments to the lawmakers that their security is so much better than that of his daughter’s school because they get armed guards while his daughter and her fellow students are left without any protection at all. He further tells them, “…that you will take my ability to protect my Victoria from my cold, dead hands.” In other words, he is of the school of thought that a good guy with a gun is the only way to protect oneself and one’s loved ones from a bad guy with a gun. Here is the video:

Lessons Learned from Superstorm Sandy

Originally called a “Frankenstorm,” Superstorm Sandy has left permanent marks on the Northeastern United States; New Jersey’s Barrier Islands will never be the same.

Millions of businesses and people were left without power immediately following the storm, and more than two weeks later, power is still out to some 50,000 people and hundreds of companies still have not been able to move back into their offices due to mud, mold, and other contamination.

According to Netflix, viewership doubled on the East Coast, with major spikes in cities including New York City, Boston, Philadelphia, Baltimore and Washington, D.C., with an early morning increase in children’s titles being streamed.

And where homes did have power, cellphone service was out for days. Why? Because the carriers had successfully resisted Federal Communications Commission calls to make emergency preparations, leaving Superstorm Sandy survivors to rely on the carriers’ voluntary efforts. And we’ll probably never know why the companies decided not to install backup power, because the FCC has been blocked from asking — even though about a third of people rely on mobile service as their only telephone service.

You see, 5 years ago the FCC, responding to findings that communications companies had supplied too little backup power during and after Hurricane Katrina, moved to adopt rules requiring the companies to have emergency energy sources. In response, the companies sued, claiming that the commission had no authority over them. Hey, life’s tough all over, right?

Which brings up an interesting question: if your organization’s business continuity plan included working remotely, was it successful, or was it bogged down by lack of power, lack of cellphone service, or by everyone watching Netflix and other streaming services while schools and businesses were closed? Are you talking to vendors about shared or dedicated recovery space for the next “big one”? Please let me know in the comments.

Updated 20121124: Marco Arment, creator of Instapaper, wrote a blog on keeping your iPhone charged during a power failure.