I try to be a good C-level executive but am really getting fed up by my cyber security staff. Every time I ask them if we’re going to get hacked like everyone else, they ask me to buy a sandbox for them. I mean, seriously… a sandbox? I’m trying to keep my company safe and they want to build sand castles. What the hey?
Dear Mr. or Ms. CxO,
Before I reply to your question, let me give you some hacking history.
In the dawn of the personal computer revolution, 15-year-old Rich Skrenta pranked Apple II owners with a self-replicating program called “Elk Cloner.” This program spread itself on floppy disks. If an Apple II booted from an infected floppy disk, Elk Cloner became resident in the computer’s memory and wrote itself to any other floppy disk inserted into the machine.
The cure to Elk Cloner was to read any floppy disk inserted into the machine, look for the program, and delete it. Because there was one version of the program and programmers knew what to look for, it was obvious what to erase from the disk. In other words, the program had a “signature” that was easy to detect so that it could be isolated or erased.
As hobbyists and then criminals started writing more software like this for fun and profit, Norton, McAfee, and dozens of other companies sprang up with software written to detect malicious software (now dubbed malware) by its signature. Each time a new piece of malware was detected, the anti-malware companies would update their signature list to detect it. But then more sophisticated criminals and governments got into the malware business. Not only did the volume of malware increase, but chameleon-like malware that didn’t have a fixed, detectable signature started to appear.
By the time a company realized that malware was running on its systems, confidential data could be long gone. As I wrote on a Forbes blog, many companies only learned that they were hacked after law enforcement told them that their confidential information was being sold on the black market.
With that out of the way, now I can answer your question. According to Wikipedia, a cyber sandbox is used to isolate and watch untrusted code to see what it is really up to. There are several types of sandboxes, from traditional Type 1 and Type 2 virtualization to a hardware emulation sandbox. To keep this short, I’m not going to go into the differences between virtualization and emulation or why one may be better than the other. I’ll just answer your question in a couple of sentences:
Today’s volume and sophistication of malware leave signature-based detection in the dust. The only way to keep up is to understand the expected behavior of approved applications, then look for unexpected actions (a new network connection, a persistence entry, a spawned command shell) which may indicate the existence of malware on your systems. And since the safest way to see what a suspect file really does is to run it in a sandbox, where it can be watched without touching production systems, that is why your engineers want you to buy one for them. One caveat they will tell you themselves: a sandbox is one signal, not a cure, because malware that recognizes it is being watched can sit quietly until it is released.
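To make the signature-versus-behavior point concrete, here is a small added example (my own illustration, not code from any sandbox product). A one-byte variant of a known sample slips past a hash signature list, but a behavior profile for the approved application, run over a sandbox action log, still flags what the variant does. The log format, the "DocReader" application and the file paths are all constructed for the example.

```python
import hashlib
import re

# Constructed stand-ins for a known malicious file and a "chameleon" variant
# of it that differs in a single byte. Real samples would be binaries.
KNOWN_SAMPLE = b"MZ\x90\x00 dropper build 1: copy self, set Run key, beacon home"
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"build 1", b"build 2")

# The signature list: one hash per known sample, the Elk Cloner approach.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

def signature_match(sample: bytes) -> bool:
    """Classic signature detection: flag only exact, previously seen content."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES

# Constructed sandbox log, one observed action per line as "<verb> <target>".
# The line format is an assumption for this example, not any product's format.
SANDBOX_LOG = r"""
read C:\Program Files\DocReader\viewer.exe
read C:\Users\alice\Documents\quarterly.pdf
write C:\Users\alice\AppData\Local\Temp\render.tmp
regset HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
write C:\Users\alice\AppData\Roaming\svchost.exe
connect 198.51.100.7:443
spawn powershell.exe -enc SQBFAFgA
"""

# Expected-behavior profile for the approved application (a hypothetical
# "DocReader"): (verb, regex over the target). Anything else is unexpected.
PROFILE = [
    ("read",  r"^C:\\Program Files\\DocReader\\"),
    ("read",  r"^C:\\Users\\[^\\]+\\Documents\\.*\.pdf$"),
    ("write", r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\"),
]

def parse_log(text: str):
    """Split each non-empty log line into (verb, target)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            verb, _, target = line.partition(" ")
            events.append((verb, target))
    return events

def unexpected_actions(events, profile=PROFILE):
    """Behavioral detection: return every action the profile does not allow."""
    flagged = []
    for verb, target in events:
        allowed = any(verb == pv and re.match(pat, target) for pv, pat in profile)
        if not allowed:
            flagged.append((verb, target))
    return flagged

if __name__ == "__main__":
    print("signature hit on known sample:", signature_match(KNOWN_SAMPLE))
    print("signature hit on variant:     ", signature_match(VARIANT_SAMPLE))
    for verb, target in unexpected_actions(parse_log(SANDBOX_LOG)):
        print(f"unexpected: {verb} {target}")
```

The signature catches the original and misses the variant; the profile flags the Run-key write, the dropped executable in a roaming profile, the outbound connection and the encoded PowerShell regardless of what the file hashes to. The profile is deliberately a short allowlist: the point of sandboxing an approved application first is to learn what "normal" looks like so that everything outside it stands out.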
When was the last time that you heard a little girl make that statement? For that matter, when was the last time that you heard any child make that statement? In many urban areas, including the nearby cities of Oakland and Richmond, California, law enforcement officers are the enemy. It’s not my job to get into the politics of why this is so – and that discussion could fill an encyclopedia’s worth of volumes.
What I would like to talk about is how you can make a law enforcement career seem pretty cool to the “iPhone and Android generation.” If you haven’t yet heard of S.T.E.M. (or STEM), now is the time to learn about it. STEM stands for Science, Technology, Engineering and Mathematics – educational areas where the United States is falling behind the rest of the world and industries where women, Latinos, and African-Americans are at the end of the pack.
Many technology companies, such as Oracle, Honda, and Toyota, along with dozens of public organizations offer STEM grants to communities throughout the United States.
But you don’t need to fire up your own program because for the past 31 years, the Science Olympiad has led a revolution in science education.
This organization has a nationwide network of science teachers, advisors, judges, and parents who take advantage of a pre-packaged set of documentation, video training, and rules for a wide range of real-time, live-fire science competitions in three divisions covering grades K-12.
Unlike static science fairs with tri-fold cardboard popups and baking soda volcanoes, Science Olympiad competitors need to solve real-life problems while the clock is ticking.
Forensics at Science Olympiad
One of my favorite competitions, and one that I have judged a number of times, is Forensics, where two students from each team first need to determine if a crime was committed and then “whodunit.” Tests include lifting prints (and explaining how to lift them from various surfaces), reading blood spatters to determine their trajectory, matching DNA and spectrometer plots, and determining the origin of various fibers and hairs. This is science that is much more fun than a cardboard tri-fold and which teaches real-world problem solving.
If I showed you photos of the events that I have judged over the years, what will pop out is that over 90% of the competitors are East-Asian or Indian with a smattering of Whites, a handful of African-Americans, and very few Latinos. What also will surprise you is that over 60% of the participants in my events are female.
In my day job consulting on disaster recovery services to enterprises, I have a mantra of, “Crawl, Walk, Run.” If you already have a local Science Olympiad group that your department can join, that’s great. But if not, you can start as small and as local as you like.
In my own California county of San Mateo, the Office of Education has a robust STEM program, with a specific program targeted at girls. San Mateo County Sheriff Greg Munks is committed to diversity in his ranks and is proud to have women at every level of command, from correctional officers to deputy sheriff, sergeant, lieutenant, captain and finally, assistant sheriff (one of whom is Trisha Sanchez, pictured to the left). His organization’s support of the STEM program includes staff and materials for teaching these young ladies what being a deputy sheriff is all about.
Through a partnership between the San Mateo County Sheriff’s Activities League and the advertising technology company Rocket Fuel, 50 third- through sixth-grade girls, half from schools in East Palo Alto and half from Garfield Community School in Menlo Park, spent the eighth day of 13 STEM sessions learning about being a woman in law enforcement.
Deputy Rosemerry Blankswade and Assistant Sheriff Trisha Sanchez discussed examples of some of the different specialties and tasks the young ladies could pursue including working as a K-9 handler, motorcycle officer, detective, a crime lab technician, lifting latent prints and pulling DNA samples, or even using a radar gun on patrol.
The session ended with the assistant sheriff and deputy encouraging the girls to stay in school and excel in their studies, swearing them in as honorary sheriff’s deputies and inviting them to join the Sheriff’s Explorer Program when they turn 14.
Does your department have an Explorer program? Do you reach out to children before gangs can get to them? Do you work with your local community leaders to help keep kids in school and encourage them to excel in their studies? Please let me know in the comments.
A quarter century ago, I got into the disaster recovery business by accident. I was walking through my company’s loading dock and found a huge fireproof safe. When I asked what was in it, I was told, “Reel-to-reel backup tapes of all of the software that we develop and sell to our customers, and our accounting records.” Since I was the company’s IT security guy (we didn’t have CISOs back then), I commented to my manager that if an earthquake rendered the safe unreachable, we could be out of business. My manager encouraged me to outline a strategy and budget for disaster recovery, but my plan was subsequently shelved due to the expense. That was in April of 1989.
Six months later, on October 17th, 1989, the Loma Prieta earthquake rocked northern California, measuring 6.9 on the Richter scale. Immediately following the quake, I was called into the CFO’s office and asked if I could start implementation of my disaster recovery plan and how long it would take for us to be protected.
The 1989 Loma Prieta earthquake provides a cautionary tale for business. Is your disaster recovery strategy prepared for a natural disaster?
The plan started with taking tapes offsite, working to ensure that a backup system could take over in a pinch, documenting data flows, building call trees, and exercising everything. “Crawl, walk, run,” as I like to say. Later that year, I received certificate #117 as a Certified Disaster Recovery Professional and the rest, as they say, is history.
We escaped disaster that time and were able to consider the earthquake a timely warning. Another company was not so lucky. In 1984, Laury Ostrow created Chi Pants, a new kind of pants with an extra square of fabric for added comfort and movement. His client list included A-list celebrities and his pants were so popular that the Santa Cruz mayor TWICE proclaimed Chi Pants’ Day.
When the Loma Prieta earthquake struck, their primary building was destroyed and their accounting records irretrievably lost. While Ostrow found other space to get some of his 85 employees back to work, he couldn’t get his production line to resume.
In the aftermath of the earthquake, the workers at Chi Pants’ manufacturing factory stopped showing up. If Ostrow wanted Chi Pants to be sewed, he needed to pay a substantial premium for using supervisors at the sewing machines…but only if Chi Pants paid their outstanding invoices to the manufacturer first. Unfortunately, without their accounting records, Chi Pants had no way to invoice many of their customers and thereby get the cash needed to foot the bill. And it’s no surprise that Chi Pants’ customers didn’t volunteer that they owed Chi Pants money.
Chi Pants was forced to borrow from private lenders, but many of the new products they had developed for the Christmas season were never made. As you can imagine, Christmas that year in Santa Cruz, a region devastated by the quake, wasn’t very merry anyway. Chi Pants lost roughly $1 million, could not get out from under its debts, and subsequently folded in 1991.
I wish I could have saved Chi Pants and the other companies that Loma Prieta put out of business…I wish I could have put their records in a fireproof safe and shipped it to a secure offsite location along with those of my own company. But I couldn’t. What I can do, however, is to spread the word far and wide: after a disaster, it’s often the little things that can bring a company down. For example, Chi Pants still had a way to make their wares and a place to sell them, but a little thing like accounting records prevented them from accessing the working capital they so desperately needed to survive.
The story of Chi Pants’ history and their earthquake-driven demise can be seen in this video. It’s quite the cautionary tale, however, so beware – you just might go running down the hall to find out more about your company’s business resiliency capabilities.
Finally, I want to leave all companies with a thought, in honor of 2014 being the 25th anniversary of the Loma Prieta earthquake: Will you trust your company’s survival to fickle Lady Luck, or will you be confident because your organization and its supply chain have business continuity planning programs in place?
This article was originally published on the Forbes Sungard AS Voice blog.
I missed a very important component of active shooter response in the series that I wrote. Luckily, Jan Glarum from A Better Emergency consulting can fill in the blanks. This article was originally published on his own blog.
In a perfect world police are there to handle criminal acts, fire fighters available to perform rescues, and EMS personnel close at hand to apply life-saving interventions. Unfortunately, that is not always the world we live in.
We need to have the conversation on how best to address the “planned” response to the aftermath of a violent criminal act. The data tells us it could occur anywhere — at work, out in public, a recreational facility, sporting event, place of worship or healthcare facility. Unless it occurs at a police, fire, or EMS station, the first people on scene will be members of the community. Why don’t we train them so their reaction is not random but based on tasks designed to positively influence survival?
There are a number of mitigation strategies organizations and facilities should undertake in cooperation with their local police and emergency management agencies. This can include training their staff in how to respond to this type of situation — a program similar to people learning CPR. Let’s call it community-based hemorrhage control for lack of a better term. Science tells us that the people whose lives are saved at the next attack will be saved by someone who can apply a tourniquet within minutes of injury.
Consider this case study from the Boston Marathon bombing. A 34-year-old man was brought to an emergency department at a hospital suffering from multiple traumatic injuries which included a complete amputation of his leg below his right knee. A tourniquet had been applied to the right upper leg by prehospital providers but was not adequately tightened to control the bleeding. At the hospital the tourniquet was tightened, and a second, military-style tourniquet was added which stopped the bleeding.
Tourniquets work and the risk of complications from aggressive and unnecessary use is outweighed by the risk of not controlling bleeding in situations like these. The public is trained in CPR. We see Automated External Defibrillators (AEDs) in most large buildings and venues, all designed to help save lives from heart attacks. Granted, more people die of sudden cardiac arrest than bleeding to death from a gunshot wound or blast injury from an improvised explosive device (IED), but there is a need for this training.
I’m advocating all citizens learn how to improve survival in active shooter situations and to use hemorrhage control kits that are placed in venues alongside AEDs.
Like it or not, members of the public will be first on scene of the next sick attack by a gunman or the detonation of an IED. Why not offer training designed to change the outcomes of the wounded? Naturally there is risk to any type of action in the face of this type of attack and education is the best way to give them the ability to make the best risk-reward decision.
Jan and I look forward to your comments and discussions in how we prepare to handle these emergencies.
The year is 2015. You walk into your bank to make a withdrawal, hold your smartphone to the terminal with one hand, and put the fingers of your other hand on the small green-glowing window.
A buzzer sounds and the words “IDENTITY REJECTED” flash onto the screen. A security guard appears from nowhere.
You begin the first of many long, frustrating protestations. You are who you say you are, but you can’t prove it.
Your identity has been snatched.
The Not-Too-Distant Future
I am interested in the problems – and dangers – of proving your identity through your biometrics (i.e., retinal scans, fingerprints, etc.) because of a problem that I have. Namely, my fingerprints are unreadable. The ridges are badly broken and my hands lack the oils and moisture necessary for live scan fingerprinting to work.
For well over a century, fingerprinting has been the accepted verifiable method of personal identification. Fingerprints are used for all sorts of things, such as getting a driver’s license, applying for the Transportation Security Administration (TSA) pre-check program, getting a background check, and buying a gun.
Minor Annoyances For Some
Having unreadable fingerprints has had its share of annoyances. For instance, as a volunteer for my local sheriff’s office, I had to go through a law enforcement background check, as I did for the other licenses I need to do my job. In every case, I go through the same process. Submit prints, get rejected in 30 days, submit a second set of prints, get rejected in 30 days, and then perform a “no-fingerprint” search. So it takes three months after my initial submission before the background check can proceed.
And since I travel frequently, I have a Clear card which gets me to the front of the TSA lines in several airports. Clear uses both live scan fingerprints and a retinal scan. They managed to get a few prints from me, but because they couldn’t pull enough to meet the TSA’s standards, they had to apply to the TSA for a waiver and I select the retinal scan at the airport. Lucky for me, the U.S./Canada Nexus trusted traveler system uses iris scans.
Okay, so all of the above are a pain, but I don’t need to go through background checks or apply for a Clear card every day, and the retina scan works to get me through airport security.
The reason I am much more concerned about my fingertips today than I was, say, a decade ago, is that with the introduction of Apple Pay, fingerprints just moved into the mainstream. Another example is Alaska Airlines using biometrics, or “e-thumb” technology, to allow passengers to access some of its airport lounges. They plan to be the first U.S. carrier to employ biometrics for boarding passes and inflight purchases. I am so screwed if this happens. But maybe so are you – although in a different way. Let me explain.
Identity Snatchers For All
With Apple’s biometric technology, your fingerprints are stored in a secure area on your iPhone or iPad and are checked locally. This is called “multi-factor authentication”: your device is something that you have, and your fingerprints are something that you are. Clear also checks local versions of your prints and retina scan on the smart card that you insert into their reader (you have the card and you are your fingerprints/retinas). That’s good.
But other programs, such as Global Entry and Nexus, check your biometrics against a central database holding the set that you initially submitted. That’s bad.
- If someone steals your phone, you can deactivate it.
- If your password is compromised, you change it.
- If someone steals your driver’s license or passport, you get a marked replacement and a note is placed in your file so that law enforcement or customs knows to be suspicious when it is presented to them.
But what happens when someone copies your fingerprint or makes a contact lens with a copy of your iris? If someone steals your biometrics, they may be able to prove that they’re you.
You’ve probably seen or heard about Hollywood sci-fi movies where eyeballs are plucked out of skulls, fingers are cut off, or even whole hands severed to access biometric systems (sorry for the disgusting imagery). Well, with today’s technology, identity snatchers don’t have to go to these physical extremes (which, thankfully, don’t work anyway). They can simply replace the data about your biometrics with data about their biometrics in the central databases of companies who do not use multi-factor authentication. Presto-change-o, they can now prove that they are you!
Encryption, Inspection, And Good Old-Fashioned Control
One way to prevent theft of biometrics would be to never store them in raw form, but rather a transformed version – what is referred to as “cancellable” biometrics. A one-way transform keyed by a revocable token is applied at the point of collection (the capture station), perhaps embedding the time and capture station ID, so the database holds only the transformed template. If that template is compromised, the token is changed and the person re-enrolled; the new template looks nothing like the stolen one, which can no longer be used to match. The keys and tokens would be rotated on a regular basis, and if Public Key Infrastructure (PKI) is being used, the capture station’s private key can sign (or encrypt) each record so that a hacker who does not hold it cannot insert replacement biometrics without the change being obvious.
Scheduled scans of the database could look for clues that biometrics may have been compromised, and flagged records would be held for further inspection. If an offline log from the capture station is available, the station ID and timestamp embedded in each record can be compared to the log, and any discrepancy should be apparent.
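Here is an added example of what a cancellable template looks like in practice; it is my own illustration of the BioHashing-style approach, not code from any of the programs mentioned above. The "biometric" is a simulated feature vector (the numbers mean nothing), the token stands in for the revocable key issued at enrollment, and the threshold is chosen for this simulation only. Matching is done by Hamming distance on the protected bits, and revocation is just re-enrollment under a new token.

```python
import hashlib
import random

FEATURE_DIM = 32       # length of the simulated biometric feature vector
TEMPLATE_BITS = 128    # length of the protected template
MATCH_THRESHOLD = 25   # max Hamming distance accepted as genuine (about 20% of bits)

def capture(subject: int, capture_id: int = 0, noise: float = 0.0):
    """Constructed stand-in for a sensor reading: a fixed per-subject feature
    vector plus per-capture noise. A real system would extract minutiae or an
    iris code here; these numbers carry no biometric meaning."""
    base_rng = random.Random(subject)
    base = [base_rng.uniform(-1.0, 1.0) for _ in range(FEATURE_DIM)]
    jitter = random.Random(subject * 1_000 + capture_id)
    return [f + jitter.gauss(0.0, noise) for f in base]

def projection(token: bytes):
    """Derive TEMPLATE_BITS pseudo-random projection vectors from the user's
    revocable token. Same token -> same projection; new token -> an unrelated one."""
    rng = random.Random(int.from_bytes(hashlib.sha256(token).digest(), "big"))
    return [[rng.uniform(-1.0, 1.0) for _ in range(FEATURE_DIM)]
            for _ in range(TEMPLATE_BITS)]

def protect(features, token: bytes):
    """Cancellable transform (BioHashing-style): keep only the sign of each
    random projection. The raw features never leave this function; the
    database stores just the bit string."""
    return [1 if sum(r * f for r, f in zip(row, features)) > 0.0 else 0
            for row in projection(token)]

def hamming(a, b) -> int:
    return sum(x != y for x, y in zip(a, b))

def verify(stored_template, features, token: bytes) -> bool:
    """Match a fresh capture against a stored template under the given token."""
    return hamming(stored_template, protect(features, token)) <= MATCH_THRESHOLD

if __name__ == "__main__":
    enrolled = capture(subject=7)
    stored = protect(enrolled, b"token-A")
    probe = capture(subject=7, capture_id=1, noise=0.05)
    print("genuine distance  :", hamming(stored, protect(probe, b"token-A")))
    print("impostor distance :", hamming(stored, protect(capture(subject=99), b"token-A")))
    # Revocation: re-enroll under a new token; the stolen template is now useless.
    reissued = protect(enrolled, b"token-B")
    print("old vs new template:", hamming(stored, reissued))
```

A second capture of the same subject lands within a few bits of the stored template, an impostor lands around half the bits away, and re-enrolling under a new token produces a template as far from the old one as an impostor's. The caveat a practitioner should keep in mind: the protection depends on the token staying secret, so it belongs on something the person controls (a smart card or phone), not next to the template in the same database.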
But in my opinion, the best place to store a biometric is in something that I personally control, such as a smartcard or my smart phone. While a central database would validate that the smart card or smart phone belongs to me, it wouldn’t actually have my biometric data stored anywhere. I would be able to file a report if I believed that my information had been compromised in any way; any activity could then be cancelled or suspended until it was investigated. On the other hand, if someone compromises my biometrics in a centralized database, there is little that I can do to prove that I am me and not who my biometrics “prove” that I am.
If you like being “you” – and you’d rather not share that distinction with anyone else – the new world of biometrics is definitely worth thinking about.
This article was originally published on the Forbes Sungard AS Voice blog.
The name Colleen Hufford may not mean anything to you. For whatever reason, this story disappeared from the news pretty quickly – perhaps because it didn’t involve naked celebrities, schoolchildren, or an assault rifle.
In case you missed it, a recently suspended worker at a Vaughan Foods processing plant came from behind the 54-year-old Hufford with a large bladed knife that he brought from home, and sliced her head off. But before he could do the same to 43-year-old Traci Johnson, the company’s chief operating officer, Mark Vaughan, shot him, stopping the attack.
The September 24, 2014 incident apparently was triggered when the murderer was suspended after Johnson initiated a complaint against him. And this wasn’t the first time the murderer became violent. Police records show that he had a history of violence: he was convicted in January 2011 of multiple felony drug offenses, assault and battery on a police officer, and escape from detention. Because of the way that Hufford was murdered, the local police called in the FBI to assist in the investigation.
Dawn Perlmutter, director of the Symbol Intelligence Group wrote up an analysis of the actual event and believes that this was not an act of pure workplace violence but is a textbook case of Individual Extremist Religion Inspired Homicide. But the driving force behind the murder and attempted murder is immaterial to my interest in the case.
You see, if the company’s COO hadn’t shot the murderer, the killings would have continued. Oklahoma County Sheriff John Whetsel agrees, saying “There is every reason to believe that the lives of untold others were saved who would have been targeted by the suspect if it hadn’t been for Vaughan’s actions” – and this is what interests me.
In most instances, shooters have taken their own lives, been shot by police, or surrendered when faced with a confrontation by law enforcement. According to New York City Police Department (NYPD) statistics, 46 percent of active shooter incidents are ended by the application of force by police or security, 40 percent end in the shooter’s suicide, 14 percent of the time the shooter surrenders, and in less than 1 percent of cases the violence ends with the attacker fleeing.
In a previous blog entry, I talked about sheepdogs and the mindset and training needed to kill someone who is intent on causing great bodily harm to you, your friends and loved ones, or even your co-workers, before they kill you or someone else. The point is that Mark Vaughan saved Traci Johnson’s life by shooting someone actively trying to kill her.
Now it turns out that Mr. Vaughan has been a reserve deputy with the Oklahoma County sheriff’s office since 2010. Deputy Vaughan is a card-carrying sheepdog, and as a law enforcement officer, federal law allows him to carry a gun when off duty.
In that same blog, I ask how many active or retired peace officers are working at your organization, but cannot carry a firearm due to company policy? Is there a specific reason for that policy or is it because a sheep in the executive staff is afraid of guns?
People like Deputy Vaughan have the mindset and the training to be sheepdogs and you should offer them every opportunity to protect their coworkers by allowing them to carry while at work.
But not every sheepdog is a law enforcement officer. Citizens from all walks of life can become a sheepdog with the proper mindset and training, and many states will issue a permit to carry a concealed firearm to any law-abiding citizen that applies and passes the required training.
Would your workplace firearms policy have prevented someone like Deputy Vaughan from protecting other employees from a murderer? What about employees who have had extensive firearms training but are not law enforcement officers? Can they protect your sheep against wolves like the one that murdered Colleen Hufford?
With the increased fighting against ISIS and the knowledge that the White House-targeted Khorasan cell was plotting an “imminent” attack against the United States or Europe, wouldn’t this be a good time to ensure that you have enough trained sheepdogs guarding your flock?
It’s late at night, you’re in a hotel, and the fire alarm goes off. What do you do? For around 1,500 people staying at Sheraton hotels in Downtown Philadelphia and the Philadelphia airport on July 22, this was not a rhetorical question. I’m going to separate the two incidents since I can only talk about one of them from first hand experience. Now don’t get me wrong – I’m very loyal to the Starwood chain and these events could have happened at any hotel.
The fire department was called to the Sheraton in downtown Philadelphia at about 4 am because of a report of a light haze of smoke in the hotel’s basement. Fire officials reported that the cause of the smoke was an electrical panel that controls the HVAC system in the basement and declared the situation under control around 6:45 am.
Fans were set up on each floor to push the smoke into the fire tower and clear the building and hotel guests were let back into their rooms at about 12:30pm after the smoke had dissipated.
Several miles out of town at the Airport Sheraton Suites, where I was staying, the fire alarm went off at around 9:30 PM. I turned on the bedside light, got dressed, and opened the door to see dozens of people standing around the landings in front of their rooms. I headed to the stairs and walked down eight floors to the lobby along with two other people.
When I got to the front desk, I noted that one employee was on the phone, two other employees were standing around, and only I and the other two people whom I met in the stairwell were headed outside. I stopped at the front desk to ask what was up and the woman on the phone told me that it was a false alarm.
I asked why they didn’t announce that it was a false alarm, and she told me that she was on the phone to get help with the system but that security was walking the floors to let everyone know that they could go back to bed.
I returned to my room using the elevator, tweeted the situation to the Starwood hotels social media team, then went back to bed. Thirty minutes later the front desk called to tell me that they got a call from the social media team stating that I was concerned about the situation. She told me that they had everything under control.
It was ironic to me that the guests at the downtown Sheraton were there for the 69th Biennial National Association of Letter Carriers conference (Neither snow nor rain nor heat nor gloom of night…). While they were kept from their rooms for 8 hours with only whatever they carried out when the alarm sounded, they also were offered shelter at the nearby Pennsylvania Convention Center.
So we come full circle to the title of this entry; are you prepared to take decisive action when you need to evacuate your hotel? I am and this is my plan:
- I locate the two nearest exits to my hotel room (I also do the same on an airplane).
- I lay out my next day’s pants, shirt, and jacket.
- I always carry a small flashlight and whistle in my pocket and before retiring I take them out and place them on the nightstand next to my watch, glasses, wedding band, and charging phone. Because the silent vibration mode wakes me up, I sandwich my phone between a clean pair of socks and underwear.
- All of my important medications are in a bag that sits on the nightstand
If I need to bail for any reason, I am set to go with light, clothes, phone, and medication.
What is your plan? And seriously, would you lie in bed hoping it was a false alarm, open the door and stand in the hallway, or get yourself out of the building and not risk the chance that it is for real? Please let me know in the comments.
Last week I said that I would go deeper into the forms of encryption that can be used to protect your information and I stated that, “the most common encryption method in use today for data at rest won’t do anything to protect your company from a system hack.” But let me back up for a moment.
Just like matter can exist in the four states of solid, liquid, gas, or plasma, information can exist in three states: at rest, in motion, and in use. In the December 2009 issue of HP Connect Magazine, I published an article that asked the question, “Will Volume Level Encryption Keep My Data Safe?” Even though computing has seen a radical shift in the last half decade, the information presented in that article is just as accurate and valuable today as it was four years ago. (With the exception that IBM has since received a patent for its data-in-use protection method and is now promoting it as a solution to cloud security.)
The Cliffs Notes version of that article is that data can be encrypted at the container level (disk, communications link), hardware block level, file level, record level, or field level using the same or different keys and the encryption can be performed in hardware or software. If done in software, the encryption engine can be built into the disk driver, operating system, database, application, or an encryption library.
The most common type of encryption is at the volume level and can be done in software (Microsoft BitLocker, Symantec Drive Encryption, etc.) or hardware (self-encrypting disk drives). The answer to the question asked in the title of my HP Connect Magazine article is no: volume level encryption won’t keep your information safe unless the system or disks are powered off, because once the volume is unlocked, every process on the running system, malware included, reads the data in the clear. So even if Target had encrypted its data with full disk encryption, it wouldn’t have done anything to stop the theft of 40 million customer credit and debit card accounts from its systems.
While I said that the amount of protection afforded an object should be proportional to its value, I glossed over the fact that you also need to determine the lifetime of your information. That is, when does it stop being valuable? Are you protecting product launch dates or battle plans (a few months), credit card numbers and PINs (3 years), product design documents (from months to years), or government and trade secrets (generations to forever)? You need to encrypt for the life of your data. That means choosing an encryption algorithm and key length that can stand up for the lifetime of the data.
Credit cards and PINs have a lifetime of about three years. Target says hackers took encrypted PIN data but can’t crack it because it’s secured with Triple DES. But Target is not saying how many keys or what key length was used, and that is important according to NIST (SP 800-131A): two-key Triple DES encryption was acceptable only through 2010, is in restricted use from 2011 through 2015, and is disallowed after 2015. So the PINs may be at risk depending on the keys and the computing resources of the hackers.
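The “how many keys” question is one your IT staff can actually answer by looking at the key material, and the lifetime question follows from the NIST schedule. Here is an added example (my own, not anything from Target or NIST) that does both: it works out what a Triple DES key really is from its structure, then checks whether the algorithm stays allowed for every year the data must live. The two-key dates are the SP 800-131A schedule cited above; the three-key Triple DES sunset is from the later Revision 2 (2019) and is included as an assumption about the current status. The keys in the example are constructed, not real key material.

```python
# NIST SP 800-131A transition schedule for symmetric encryption, stored as
# (last "acceptable" year, last "restricted/deprecated" year).
# 2TDEA follows the 2011 schedule cited above; the 3TDEA dates are taken from
# Revision 2 (2019), an assumption about the later status. None means no sunset.
SCHEDULE = {
    "2TDEA":   (2010, 2015),
    "3TDEA":   (2018, 2023),
    "AES-128": (None, None),
    "AES-192": (None, None),
    "AES-256": (None, None),
}

def tdea_keying_option(key: bytes) -> str:
    """Work out what a Triple DES key really is from its structure.
    16 bytes is two-key TDEA; 24 bytes is three-key TDEA unless K1 == K3
    (two-key in disguise) or K1 == K2 == K3 (degenerate: plain single DES)."""
    if len(key) == 16:
        return "2TDEA"
    if len(key) != 24:
        raise ValueError("Triple DES keys are 16 or 24 bytes")
    k1, k2, k3 = key[:8], key[8:16], key[16:]
    if k1 == k2 == k3:
        return "DES"
    if k1 == k3:
        return "2TDEA"
    return "3TDEA"

def status(algorithm: str, year: int) -> str:
    """'acceptable', 'restricted' or 'disallowed' for encrypting data in `year`.
    Single DES is treated as disallowed outright (FIPS 46-3 was withdrawn in 2005)."""
    if algorithm == "DES":
        return "disallowed"
    acceptable_until, restricted_until = SCHEDULE[algorithm]
    if acceptable_until is None or year <= acceptable_until:
        return "acceptable"
    if year <= restricted_until:
        return "restricted"
    return "disallowed"

def covers_lifetime(algorithm: str, start_year: int, lifetime_years: int) -> bool:
    """True if the algorithm stays allowed for every year the data must live."""
    return all(status(algorithm, y) != "disallowed"
               for y in range(start_year, start_year + lifetime_years + 1))

def assess(label: str, algorithm: str, key, start_year: int, lifetime_years: int):
    """Resolve a TDEA key to its real keying option, then check the lifetime."""
    if algorithm == "TDEA":
        algorithm = tdea_keying_option(key)
    return {
        "data": label,
        "algorithm": algorithm,
        "status_now": status(algorithm, start_year),
        "covers_lifetime": covers_lifetime(algorithm, start_year, lifetime_years),
    }

if __name__ == "__main__":
    # Constructed 24-byte key whose first and third blocks are identical:
    # it looks like three-key Triple DES but is really two-key.
    two_key_in_disguise = b"\x01" * 8 + b"\x23" * 8 + b"\x01" * 8
    print(assess("debit PINs", "TDEA", two_key_in_disguise, 2013, 3))
    print(assess("debit PINs", "AES-128", None, 2013, 3))
```

For PIN data encrypted in 2013 with a three-year lifetime, the disguised two-key Triple DES key fails the lifetime check because 2016 falls in the disallowed period, while AES-128 passes. The same check run against product design documents or trade secrets with a 20-year lifetime is where three-key Triple DES also drops out.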
In my Fall World DRJ session on the intersection of cyber security and business continuity, I said that all of your information should be laid out on a grid, with its value to the company on one axis and its lifetime on the other. Information that is low in value with a short lifetime falls at the bottom left, while information that is key to your organization's existence with a very long lifetime appears in the upper right corner. The Coca-Cola formula probably would go there.
I dumped a lot of information on top of you in this entry and pointed you to even more, but all of it is actionable. If you are concerned about the security of your information, you need to identify:
- Your most important information
- Its lifetime
- What needs to be done to protect it from cyber threats
And if your IT staff tells you that your information is encrypted, ask about:
- Full disk encryption versus more granular encryption
- If hardware or software encryption is in use
- The encryption algorithm and key length
- How the encryption key is protected
- The certification of the encryption implementation (FIPS 140 validation, for example)
Anyone who hasn’t been hibernating since Thanksgiving already knows that critical information from 40 million credit and debit cards used in Target stores from November 27 to December 15 was exfiltrated from their computer systems.
The stolen information includes customer names, credit or debit card numbers, expiration dates, and card security codes. Additionally, debit card PINs (the digits that you enter on the keypad when you use a debit card) were also lifted, but Target says that the PINs were encrypted and the encryption key was stored at a different company.
This story raises a number of questions, both from an organizational and from a consumer point of view. First off, Target said it began investigating the incident as soon as it learned of it through a leading third-party forensics firm. Now how could Target not know that its own systems were hacked?
You might be surprised to find out that every year, the FBI or other security organizations notify hundreds of companies that there has been an intrusion into their networks. Often, these companies didn't even know they were under attack until there was a knock on their door. And while still other companies may have known there was something wrong, they didn't know what to do about it or who to call.
As CEO, you can’t pass the buck to your IT department and say, “You handle this…I can’t be bothered.” A serious hack can materially affect the status and future of your company. And in fact, plaintiffs in California are working to bring a class action lawsuit while local media reported that another lawsuit was filed in a Rhode Island federal court.
Clueless politicians are also sticking their noses under the tent. US Senator Chuck Schumer called on the Consumer Financial Protection Bureau to report on whether retailers should be required to encrypt customer card data. (Note to Chuck: retailers are already required to protect customer card data. See the PCI Data Security Standard (PCI DSS), which requires that stored card numbers be rendered unreadable, by encryption among other means, and that card data be encrypted when sent over open networks.)
Whether the hacked cards get used or not, this is a PR nightmare for Target and could very well lead to lower sales as customers seek safer harbors for their shopping trips. But unfortunately there are no safe harbors in today’s world. You see, hackers have infinite time to find a single hole to let them in while the targets of their evil deeds have to try to defend thousands of known and unknown attack vectors.
So what can you do to protect yourself?
- If your credit card company offers it, use a smartphone app that notifies you every time your card is used.
- Regularly check your paper or online statement. Sometimes hackers ping an account for only a few cents to verify they have an active account.
- If anything looks amiss, don’t be afraid to contact your credit card company to let them know.
My mom is absolutely convinced that she will be safer if she doesn’t use her credit card online and shreds anything with her name and address on it. But as we saw this month, you can still be at risk even if your credit card never leaves your hand. This hack didn’t even touch Target.com shoppers.
As a CEO, what can you do to keep off of the front page for the wrong reasons? Read more about this on my Forbes.com blog post.
Next week I’ll go deeper into the forms of encryption that can be used to protect data at rest, data in motion, and data in use. You might be surprised to find out that the most common encryption method in use today to protect data at rest doesn’t actually protect anything as long as your systems are up and running.
Only 40% of IT organizations have tested their disaster recovery plans in the last 12 months, according to the 2013 InformationWeek State of Storage Survey.
Working at SunGard Availability Services, I see this lack of preparation first hand every day. SunGard offers Mobile MetroCenters® that bring custom-designed, fully equipped office space to customers to support their business continuity plan in the event of an emergency. During roadshows of the Mobile MetroCenter, customers are constantly coming up to me and telling me that they’ve had this service under contract for years, but have never actually been inside one before. And they’ve certainly never tested the Mobile MetroCenter in conjunction with their overall Business Continuity Plan (BCP).
Now testing disaster recovery plans is essential. You can't just leave your recovery to chance or you'll take a tremendous risk that your plan won't work properly when you need it. The trouble is, doing a full "live fire" exercise of your recovery plan is time consuming and expensive. Such a test involves sending your people to a backup site; bringing up the computers; moving tapes from storage to the backup site; not to mention paying the high costs of transportation, housing, meals, test fees and so on. Which means that you want to ensure that your processes and procedures are complete before you schedule one.
Before a ‘Live Fire’ BCP test, Do Some Tabletop Exercises
Here’s where we get to Black Friday, as I hinted at in the title of this post. The way you plan for a Black Friday shopping expedition is a perfect example of how you would run one or more so-called “tabletop exercises” before you run a live fire exercise.
What do I mean?
Well, for many families, Black Friday is the center of their Thanksgiving tradition. Once they’ve gobbled up the turkey and cleared the dishes, the family members gather round the table to build their Black Friday battle plan. They set shopping objectives; search for coupons; create a step-by-step timeline; specify family staging, transportation, and gathering locations; and finally set up a tactical communications plan to relay deals that can’t be missed. They may even develop code words so as not to tip off other shoppers as they discuss a particularly good sale.
A tabletop exercise of your BCP is similar to this Black Friday planning session. You gather around a table and walk through your BCP step-by-step. The purpose is to ensure that you've included everything you'll need to recover your critical business processes when disaster strikes and get your employees back to work. These steps include setting the exercise objectives; ensuring that you have the proper inputs and documentation; creating a step-by-step recovery timeline with employee staging, transportation, and gathering locations; and finally setting up a tactical communications plan to ensure that you can notify your vendors, employees, and stakeholders when disaster strikes. You may even develop a set of "pre-populated" messages as part of your crisis communications plan.
Tabletop exercises don’t cost a lot of money or take a lot of time. But they do help reduce expenses for your live fire exercises by letting you carefully hone your recovery processes before you actually test them out. You can talk through what you need to do. And if you find that you’re missing something, you can include that in your next tabletop go round. Once you’re satisfied that your tabletop exercises have caught all the holes in your planning, you can move to a real “live fire” exercise with a BCP that’s far more likely to succeed.
One final takeaway. When you go on your Black Friday expedition, you may have to leave one or more family members home because they’ve had too much to eat or drink or are in bed with the flu. Similarly, don’t let all your employees participate in the tabletop. If you know that you have a key employee that holds your BCP together, give them a vacation day and see if your company can still run the tabletop without them – after all, you need to know what would happen without that one key person should disaster strike.
This was first published on the SunGard AS blog.