Starting a company is not for the weak kneed. It takes a lot of ambition, hopefully a good idea, maybe a dash of luck and a buyer. Maybe you are launching a new mobile app for the iPhone, IPad, and Android and just about any other mobile platform out there. So your new startup company will sell mobile applications. But what else goes into starting this company? You need a website to promote your application. You need to send out press releases. You need to design a logo. You need to so some social media marketing. And about a hundred other things.

Startup Challenge
The challenge is doing all of this on a budget. You do not even know if you will make money so putting a lot of money into upfront costs might not be feasible. I have faced these same challenges in the several companies I have worked on. But the wonderful thing about this whole “cloud economy” me we are living in is that there is a site that can help you with just about everything you need, and for a reasonable price.

When I someone told me about Fiverr (www.fiverr.com) I thought it was pretty funny idea. What will people do for $5? I thought about what I would do for $5 and the list is probably too long for this post and might scare the faint of heart. My first foray into the site was fun. You can have a guy dance around in gorilla costume for $5.

startup company fiverr

Or you can have a guy scream like a psychopath. I am sure someone will find that valuable.

 

startup company fiverr

startup company with fiverr

 

 

But as you delve into www.Fiverr.com there are a lot of great services for $5. (Btw, I have no other interest in Fiverr other than I think it’s a great service.)  You can have some write your press release and have someone else distribute it to 10 press release sites for $5 each. It would take at least 30 minutes to write a good press release and another 30 to distribute it to multiple sites. So $10 for an hour of work is probably not a bad deal.

Fiverr press release distribution

You can find some very valuable services in just about every area you need to build your business. For a limited budget, its a pretty good start.

There are some other great sites you can use to get your company off the ground including Odesk (www.odesk.com), Elance (www.elance.com), Guru (www.guru.com) and TenBux (www.tenbux.com) among others. Save your money where you can when starting a company and good luck!

Gary Bahadur

www.kraasecurity.com

www.razient.com

Social Media Security

Website Security Testing

Vulnerability Analysis

HIPAA Security Assessment

 

Enhanced by Zemanta

Recently Citibank announced that they were hacked, a typical data breach. See the International Business Times article here, http://www.ibtimes.com/articles/160376/20110609/hacking-citibank-citibank-hacked-citi-hacked-citibank-hack-2011-citibank-online.htm. Were they not conducting vulnerability tests on their own system to see if they were vulnerabile? The comes on the heels of Sega, Sony, Lockheed Martin amongst others. So far they only report that 360,000 cards were compromised. We can assume that those customers, if they actually know which accounts were compromised will get 2 years of credit monitoring. But what happens when you actually get false charges? You now have to go spend time to resolve the problems and most likely you might take a hit to your credit score.

Its amazing that this continues to happen and there isn’t a stronger tie between the credit reporting agencies and the hacked banks to help consumer manage their credit and not be responsible to follow up on a data loss. The consumer is the one who has to bear all the burden. And the banks will probably just add another fee to cover their costs to managing the security breach.

These banks should really be more proactive in conducting vulnerability scans daily, conducting website security testing and implement intrusion detection and prevention systems. We do not know if Citibank had a IDS system in ploace but you would think that with a good prevention system in place, this hack should have been immediately identified and stoped before the data breach could occur?

Gary Bahadur

www.kraasecurity.com

Social Media Security

Website Security Testing

Security Policy Development

 

Enhanced by Zemanta

Google has a new feature in their dashboard, “Me on the Web“. The pitch is that it will help your protect your identity.  The Huffington Post did a write up of it here, http://www.huffingtonpost.com/2011/06/16/google-me-on-the-web_n_877996.html Google ‘Me On The Web’ Tool Promises To Help You Manage Your Online Identity. “Your online identity is determined not only by what you post, but also by what others post about you — whether a mention in a blog post, a photo tag or a reply to a public status update,” Google explained in a blog post. But what is it really all about?

At first glance it seems to be just an interface to Google Alerts (www.google.com/alerts).  I use google alerts for all kinds of key word searches, (my name included). In this screen shot you can see what the interface looks like for Me on the Web

Google me on the web

Nothing terrible exciting here. The advice they give you about managing your online reputation is particularly bland. “If you find content online–say, your telephone number or an embarrassing photo of you–that you don’t want to appear online, first determine whether you or someone else controls the content. For example, if the photo you want to hide is part of your Picasa account, you can simply change your photo visibility settings If, however, the unwanted content resides on a site or page you don’t control, you can follow our tips on removing personal information from the web and removing a page from Google’s search results

There really isnt anything proactive or defensive about this “new tool”. But setting up appropriate alerts is definitely a must in the online world.

For some really intersting tracking of online activity, check out SocialMention.com

Gary Bahadur

CEO KRAA Security

www.kraasecurity.com

Social Media Security

Network Risk Assessment

New book coming soon “Securing the Clicks: Network Security in the age of Social Media” http://www.amazon.com/Securing-Clicks-Network-Security-Social/dp/0071769056/ref=sr_1_1?ie=UTF8&s=books&qid=1308343778&sr=8-1

 

Enhanced by Zemanta

In this time of global financial insecurity, large scale companies are stretching further and further across the planet in order to reduce costs and remain competitive. But this strategy brings with it risks. The pressure on a global company’s supply chain is simply immense, with operations stretching across whole continents and handfuls of countries, variables are introduced that can be incredibly hard to track. A company need a global supply chain risk management process.

With supply chain infrastructures running the length of the planet, how is it possible for a company to know what is happening at any given time and at any given point within its chain? A supply chain is only as strong as its weakest link, and in this fragile economic state, global operations rely on their supply chain management to bring together all the disparate elements into a smooth churning synergy. But how does a company’s supply chain cope with all the challenges that these variables produce?

Global companies face challenges on all fronts regarding the pressures of supply chain on an international scale. With head offices say in New York, and a production arm in China or Pakistan, the most obvious challenge faced by a global company is one of distance. But what specific challenges does this kind of distance throw up?

Like a fog, distance can cloud vision, and block out or at the least delay information – and to a supply chain, information is money. A global company, with its head offices in the West, is going to be unaware, at least for a time, of the state of its supply chain in the event of localised flooding or civil unrest. The supply chain may not even be aware that the issue even exists until severe damage has been caused. Even if the factory was untouched by such a disaster, what about the infrastructure – roads, airports and harbours? Large scale emergencies create questions and uncertainty for those on the ground, never mind those in large corner offices in Manhattan.

The problem is not just limited to natural disasters or weather systems. Civil and political unrest can cause chaos to even a healthy supply chain. Then there are epidemics and pandemics, such as the H1N1 flu, which have the potential to grind a whole economy to a sudden and shuddering halt. These situations can cause utter chaos to those present, but the real danger to a global companies supply chain is more subtle than this chaos… it is ignorance.

Ignorance to a crisis is the arch enemy to a supply chain. It may be a cliché but it is true – knowledge is power, or in this case, money – and even the most solid supply chain can crumble through nothing more than a little ignorance. Even if contingency plans were made, the delay in being aware enough of the crisis to implement the contingency can cause severe flow problems.

To an extent, these challenges can all be overcome or circumvented by good planning and a world class supply chain management system but only if they are aware of the crisis. It is this knowledge gap – between the event happening, and feedback working its way all the way across the planet to head office, that can make or break a company’s financial position. It is not the event itself, cataclysmic as it may be, but it is ignorance to the event that is the killer for supply chain. How can you overcome a challenge that you are blind to?

The secondary challenge faced by a global operations supply chain management is one of local knowledge and experience. Civil and political unrest, for example, can seem to strike as suddenly and as unexpectedly as forked lightening to the outsider. Yet to those who live on the inside of that country, the sense of radical change or shift in power can almost be sensed. There is something about being on the inside that gives one the ability to more accurately predict, and therefore to prepare for this kind of change.

It is this preparation that is key to the success of any supply chain. Sensing and predicting the event or crisis, allows for contingency plans to be drawn up and/or implemented. These are essential for the reduction of downtime, and for shipping dates to be met. Contingency plans, if acted upon swiftly enough, can really protect the integrity of the supply chain. The key to this swift acting, once again, is information. Factories in neighbouring countries can be actively tooling up as the sense of political unrest grows in another, with one factory primed to take over as soon as trouble rears its ugly head.

Of course, not everything can be predicted, and some events, such as the recent volcanic ash cloud over Europe, can catch everyone by surprise. But the majority of incidents, problems and challenges faced by the supply chain of any global company can be pre-empted, predicted and planned for. But a contingency plan is only as strong and useful as the information that brings about its implementation. It is this information that will determine the success of a supply chain management system when disaster strikes, as it surely will, given enough time.

 

Enhanced by Zemanta

The Birmingham news (http://blog.al.com/spotnews/2011/05/pleasant_grove_man_sentenced_t.html)  reported that a Pleasant Grove man received six years in prison for HIPAA violations. Included in his crimes was aggravated identity theft and disclosures. These violate the HIPAA regulations.

Identity theft with regards to healthcare information is on the rise. There is a lot of value in stealing an identity to get healthcare. If you could do that for someone under 18, then you might have several years before they actually notice. Kids generally do not need to check their credit ratings until they get that first credit card in college. BY then the thief could have racked up a lot of charges on that identity.

Using healthcare access can allow the thief access to drugs which are then resold. In this case the thief used the stolen identity to cause the prescription drug plan to pay for $72,746 in drugs.

The Obama Administration announced a cyber security plan recently. Does it take into account the rise in identity theft? Are government agencies actively trying to find solutions? So far the answer seems to be No.

Regards

Gary Bahadur

www.kraasecurity.com

blog.kraasecrity.com

Enhanced by Zemanta
Seal of the United States Department of Homela...

Image via Wikipedia

The Whitehouse has release a cybersecurity plan.  “White House Cybersecurity Plan: What You Need To Know” (http://www.huffingtonpost.com/2011/05/12/white-houses-cybersecurity-plan_n_861382.html). Perhaps the administration is finally waking up to the need.

According to the press release they say  “Our critical infrastructure – such as the electricity grid, financial sector, and transportation networks that sustain our way of life – have suffered repeated cyber intrusions, and cyber crime has increased dramatically over the last decade. The President has thus made cybersecurity an Administration priority. When the President released his Cyberspace Policy Review almost two years ago, he declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation.” The Administration has since taken significant steps to better protect America against cyber threats. As part of that work, it has become clear that our Nation cannot fully defend against these threats unless certain parts of cybersecurity law are updated.”

There are a couple of key elements to the proposed legislation:

Protecting the American People

  1. National Data Breach Reporting. Proposal to help businesses by simplifying and standardizing the existing patchwork of 47 state laws that contain these requirements. (I personally do not think we will have 1 national privacy policy anytime soon. States rights!!)
  2. Penalties for Computer Criminals. Clarifies the penalties for computer crimes, synchronizes them with other crimes, and sets mandatory minimums for cyber intrusions into critical infrastructure

Protecting our Nation’s Critical Infrastructure

  1. Voluntary Government Assistance to Industry, States, and Local Government. Proposal to enable DHS to quickly help a private-sector company, state, or local government in a breach
  2. Voluntary Information Sharing with Industry, States, and Local Government.  Proposal to help entities share information. ( Sure ATT will share information with Sprint and Bank of America will share information with the government)
  3. Critical Infrastructure Cybersecurity Plans. Proposal to enable transparency to help market forces ensure that critical-infrastructure operators are accountable for their cybersecurity.(Thats way to vague)

Protecting Federal Government Computers and Networks

  1. Management. Update the Federal Information Security Management Act (FISMA) and formalize DHS’ current role in managing cybersecurity for the Federal Government’s civilian computers and networks. (They definitely need this now!).
  2. Personnel. Recruit and retain highly-qualified cybersecurity professionals. (With reduced funding for education, we will probably have to recruit from China)
  3. Intrusion Prevention Systems. Implement better IDS systems. (Imagine having to read all the log files from all the government agencies, need to outsource this effort)
  4. Data Centers. Embrace Cloud Computing. (if you use cloud computing, you will rely on Facebook for your security requirements?)

New Framework to Protect Individuals’ Privacy and Civil Liberties

The Administration does propose protecting civil liberties. Can the plan be any worse that everyone giving away all their information anyway on Facebook, Twitter, LinkedIn etc?

Enhanced by Zemanta
Facebook logo

Image via Wikipedia

When you take a photo of yourself in your house and then post it via Facebook or twitpic, you assume that no one will really know where you are taking that picture. Well, you may be wrong. Social media security is in a very nascent development stage. There are a number of theats already to social media such as malicious applications in Facebook or trojans in shortened URLs that the average user does not know about or where to turn to for advice.

A new threat could be giving up your location when you post a picture from inside your house. A team of scientists dicovered that with some smartphones, a user’s latitude and longitude can be attached tothe picture you post in the metadata. That’s pretty scary. See the news story ” Tips to Turn Off Geo-Tagging on Your Cell Phone”  (http://abcnews.go.com/Technology/celebrity-stalking-online-photos-videos-give-location/story?id=11443038) “Many people are not aware of the fact that there are geotags in photos and videos,” said Gerald Friedland, one of the scientists.

A website that has been setup to show the dangers of this capability is www.icanstalku.com. So what can you do about this? Do you want to be stalked?  ON the IPhone, go to Settings, General, then Location Services and disable the applications you do not want to use Geo-tagging, such as Camera.

Regards

Gary Bahadur

www.kraasecurity.com

blog.kraasecrity.com

888-572-2911

Enhanced by Zemanta

This past week was eventful for Facebook and for Mark Zuckerberg. The Facebook page was hacked as first reported by Techcrunch ““Let The Hacking Begin” Declares Person Who Hacked Zuckerberg’s Facebook Fan Page”  (http://techcrunch.com/2011/01/25/zuckerberg-fan-page-hack/) . The message left on the page was:

“Let the hacking begin. If facebook needs money, instead of going to the banks, why doesn’t Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a ‘social business’ the way Nobel Price winner Muhammad Yunus described it? http://bit.ly/fs6rT3 What do you think? #hackercup2011”

Facebook then said it was a “bug” as reported by the BBC “Facebook blames bug for Zuckerberg ‘hacking’” (http://www.bbc.co.uk/news/technology-12286377). Well I guess they can speak to Microsoft about “bugs” and letting their software be hackable. Not much more was explained.

One other interesting event that was also news with Facebook was the launch of their encrypted login process as reported by the Huffingtonpost “What Facebook’s New Security Features Mean For You”. This has actually been around for a while but not published. What does this mean? Well when you go to Facebook.com now, just go to https://www.facebook.com.  The “https” will allow you to have your login encrypted so the guy sitting next to you in Starbuck and capture your traffic on the wireless network and steal your login ID and password by running Firesheep or other sniffing program. You can also do this with many social networking sites even though they do not publicize it.

To turn on this feature automatically go to “Accounts” -> “Account Setting” -> “Account Security” -> “Change” and select “Browse Facebook on a secure connection (https) whenever possible”. If you have never played with the Privacy Setting you should probably check those out as well. Stop sharing everything about yourself with “Everyone”!

Facebook privacy settings

Facebook privacy settings

Gary Bahadur

CEO KRAA Security, baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Vulnerability Management

*Compliance & Police Development

*PGP Security

*Free Website Security Test

Enhanced by Zemanta

Employers are constantly hearing of social media this and social media that. When your employees go on break or eat lunch, they are usually on their cell phones talking. But, now there are also applications on phones like Facebook, Twitter, FourSquare and others where an employee can actually send photo uploads while being mobile and even post to Facebook automatically. Are employees using social media securely?

Does your company have anything in place for protecting confidentiality through social media usage? Do you have a Social Media Security Policy? Employees sign agreements when joining the company but did the business cover disclosing things like pictures or private conversations and even meeting information via Google Buzz or Facebook? What about brand new products being developed that are trade secrets?

If your employees are online working to do their job and Facebook, MySpace, or gaming sites like Pogo are not blocked, how do you know they are doing their work 100% of the time? Just because their production numbers look great, doesn’t mean they are not slacking. Have you done a Social Media Security Assessment?

It is becoming an epidemic in the work force with employees breaking rules and ultimately being fired every day. If security monitoring technologies are in place you could possibly sue the former employee but your trade secrets are gone and so might be your reputation. If an employee is bad-mouthing your company and tells everyone to not buy or shop with you, there goes your business immediately.

You can make a legal policy for employees to sign when they start their job that they will not talk, disclose, or say anything bad about the company on social media sites. If businesses do not step up soon and do something it can be a total free for all!

Here are a few interesting facts to consider. One out of every ten employees admitted overriding their job’s security system so they could access restricted sites. In 2009, 24% of eight hundred employers surveyed said they had to discipline an employee for using social media sites. Another study showed 8% of employees were terminated for accessing Facebook out of two hundred businesses polled. Twenty eight thousand people were polled in the United Kingdom at the beginning of 2010 and a whopping 87% said they can do what they want; it is their right to do so.

It is now believed that social networking will replace email by 2014 as the main way to communicate for 20% of all business owners or users. Is your company prepared for Secure Social Media?

Gary Bahadur

CEO KRAA Security, baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Police Development

*PGP Security

*Free Website Security Test

Social media sites have gained popularity in the past ten years as a medium to keep in contact with loved ones, business associates and friends. However, there can be drawbacks to the usage of said media when one is employed in certain career fields, such as the healthcare industry. Utilizing social media networks can inadvertently give way to the sharing of confidential patient information with people that may not have a need to know which would then cause the company to violate HIPAA Security Rule compliance.

Social media applications are not just a part of one’s personal lifestyle; this has also become incorporated in the corporate climate. Many places use these applications for marketing, file sharing, communication, and employee recruitment. While these applications can open up a great many doors of communication, some type of guidance or governance is necessary. Because banning the use of such sites is most likely unenforceable or impractical, a hospital or other such entity that must shield private information should at least ask or force their employees to adhere to some Social Media Policy guidelines.

For instance, when utilizing social networking sites, one should use separate passwords for the different sites, as an individual can easily hack all of one’s accounts if they know the one password. A security breach of one account could snowball. Passwords should be complex and change every 90 days. Accessing social media sites should be over SSL and only from trusted network connections, not coffee shops especially for business purposes!

In the case of company documents or patient information, if it isn’t found on the company’s web page it probably should not be posted elsewhere. There are sites that exude a feeling of privacy and security, but are far from it. Allowing one’s corporate information security team to determine what sites are acceptable is the best option.

Another thing one should not do is post his or her own identifying information publicly, such as date of birth, his or her social security number, or an employee ID number. If a site requires this information, 1) it is most likely not a reputable site, and/or 2) one could make something up or ensure that it is not going to be displayed in a profile that will be public.

Some information may not be considered confidential; yet not posting these items to public social media sites is probably a good idea. This can include anything from rumors, to purchases the company plans on making, anything about the technology one’s company uses or will use, and any projects the individual may be working on.

So in one’s personal endeavors, it is most beneficial to all involved if confidential information, or information that could be considered secret, stays out of the hands of the public. Follow practical posting guidelines and do not share more information than is necessary in corporate social media activities.


Gary Bahadur

CEO KRAA Security, baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Police Development

*PGP Security

*Free Website Security Test

Enhanced by Zemanta
Image representing Facebook as depicted in Cru...
Image via CrunchBase

Is there such a thing as Social Media Warfare? We have had cyber warfare going on for years now. So it should be an obvious “YES” that Social Media warfare exists. But is that true?  To get to a full blown war opposing sides go through an escalation process. Where are we in this process? From a pure cyber warfare perspective, we are in world war three, many opposing sides, lots of new and improved weapons, completely escalating attacks and no end in sight. Companies are used to conducting vulnerability management and risk assessment. This new war will require new tactics and defense strategies.

I think we have seen the first skirmishes of the war. It started with all the spammers morphing their tools into Facebook and Twitter hacking. Then moving into phishing. Then into negative attacks on your reputation by disgruntled customers and competitors. So what is the progression of this coming war? Is there a similarity to how “normal” cyber  warfare started? But why is this war inevitable?

The attack vectors in the Social Media War are probably categorized into personal use and corporate use. If these are the assets that needs to be protected, we can then figure out how the assets will be attacked, how will the enemies do reconnaissance, what alliances will be formed and what should be the defense strategies and weapons for defense.

The progression of of this war will follow different patterns and there is probably no end in sight.

Action Personal Corporate
Skirmish Home users receiving spam and phishing attacks and scams Corporate users seeing more phishing attacks, attackers going through Linkedin profiles
Protest Actions Users might complain to attorney generals, or write nasty messages about Microsoft Adobe or Apple security weaknesses The IT department is inundated with help desk calls. Companies have the ability to complain to ISPs or event countries about originating attacks.
Negotiations There really isn’t anyone to negotiate with. Writing on your Facebook wall will not do a darn thing. Companies definitely do not want to negotiate. But will see blackmail more and more.
Failed Negotiations The home user is bascially screwed anyway. Succumbing to blackmail will only lead down a bad path.
Declaration of War This is a defacto state with the home user. They are at war whether they know it or not. Companies have to take a proactive approach to security versus reactive. Anticipate the next types of attacks and have a budget to address it.
Launch Attacks and Defend More defend, get your anti-spyware, antivirus, personal firewalls and encryption up to speed. But after that, understand how attackers use Social Media. Spend massive amounts of money on understanding how so fight in the Social media landscape, security hardware and software are not enough.
Allies Join the War The home user can only rely on the Social media companies for basic security. Their will be more collaboration between companies and governments. Perhaps together they have a fighting chance. Regulations are also going to force changes.
Years of Conflict – Never Ending Whats the next thing after Facebook and Twitter? Whatever it is will have its own security challenges. But by that time the home user will probably have given out every bit of personal information on all the Social Media venues anyway. A company can only rely on the right process to secure their social media usage. As technologies change and new sites go live, a good process and social media security policy is all you can rely on.
Winner The ISP, they get to sell bandwidth. The VCs who fund companies like Facebook and Twitter.

I will get into more tactics in the coming war in future posts.

Gary Bahadur

CEO KRAA Security,  baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Enhanced by Zemanta
Social Media Buzz
Image by ivanpw via Flickr

Social Media Policy

Social Media has become part of the user community several years ago. Today we have social media in the corporate environment. The main problem we have is how social media has evolved. It has been a bottom up approach. By bottom up I mean that the consumer has determined how to use a technology and the corporation is playing catch up. But the social norms that are appropriate for a consumer “product” are not appropriate in a corporate environment.    

 

Social media usage is being retrofitted into the corporate environment. But the consumer is already used to using social media in an insecure, “information must be free” manner. Employees who have been used to giving up all their information in places such as Facebook and Twitter must now be retrained to use social media in a whole different manner to meet corporate standards. (Assuming we have a corporate standard for social media security)  
But what is a corporate standard for using social media in an appropriate fashion that does not put the company at risk? Corporations have not made a concerted effort to define that secure social media strategy, or even a strategy for training their employees in the “correct” use of social media.

 

Social Media Policy Infrastructure

What is a good starting point for implementing a social media policy? Here is a basic guideline.   
1) Define a policy – You cannot assume employees will do the right thing without guidance. You already have things like Expense Policies, Acceptable Use Policies, Internet Use Policies. Write a basic guideline. What’s in that guideline will vary from company to company.  

 2) Information Classification – You have to explicitly define what information can be shared and what information should not be Tweeted, FaceBooked, BlibbedBlabbaded (I made that up)about. If your employees do not know how valuable information is that you cannot blame them for inadvertently being sucked into the blogosphere. (I am not sure blogosphere is yet a word, but who cares)3) Keep It professional – If you allow your employees to Socialize (that a word with any meaning here?) information about your company, you have to give them standards to follow. Things like cursing, grammar mistakes, casual conversation style discussions might not be the image you want to portray when discussing anything related to your company.

4) Tracking and Monitoring – If you are going to have a policy for anything, you have to have a mechanism for tracking compliance, reporting on activity and have consequences for breaking that policy. How much tweets that are over the line makes you bring an employee before HR? What is a firing Facebook picture offense?

This is a very abbreviated start. In later posts I will define more aspects of a social media policy. But let’s get the conversation started about the necessity for this as a standard policy in every organization, both large and small.

 

Enhanced by Zemanta
Image representing Facebook as depicted in Cru...
Image via CrunchBase

When you join a company, you relinquish certain rights. The workplace is not a democracy. Yet many people still think that their corporate email, their corporate computers and the data they use is “theirs”. Who owns that data? Well the answer is the company. Companies are concerned with data loss prevention. A company can fire you for mis-using company data, that is obvious. A company can fire you for portraying a poor image such as drunkenness, poor behaviour, saying negative or derogative things about your boss or company,  public displays of nudity, well I could go on about why you can be fired.

One example is a young woman who got fired from her job because she said she ” thought her job was boring. So she said so on her Facebook page.  Her employer, Ivell Marketing and Logistics of Clacton, U.K., gave her this update: “Following your comments made on Facebook about your job and the company we feel it is better that, as you are not happy and do not enjoy your work we end your employment with Ivell Marketing & Logistics with immediate effect” as stated in this CNET article, http://news.cnet.com/8301-17852_3-10172931-71.html

So the question is, can a company can fire you for your out of office activities, should they have the right to monitor your activity? Should an employee be required to register all their social media profiles with their employer so that the reputation of the company can me monitored? It would obviously make it easier to know if an employee is damaging the reputation of the company.

The biggest challenge Social Media plays for a company is damage to reputation. A silly yet powerful example of Social Media affecting a company’s reputation is United Airlines breaking a musician’s guitar and refusing to pay for it. The musician Dave Carroll had a YouTube hit with his song about the poor airline response to him (http://www.boston.com/travel/blog/2009/07/song_over_guita.html) This viral video caused reputation damage. So this is a bit different from an employee posting something, but it has the same end result, reputation damage.

So when you start a new job, you have to take a drug test, get a background check, so why not register all your social media profiles? What are the pros and cons? Is it to much “Big Brother” or is it becoming a relevant reality of doing business in the Social Media age?

Gary Bahadur

CEO KRAA Security,  baha@kraasecurity.com

http://www.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Enhanced by Zemanta

Data Lifecycle Management: How to reduce risk

Part 2
The Data Lifecycle Management (DLM) goes through 5 steps: creation, usage, transport, storage and destruction. Most companies have parts of this lifecycle under control, but that means there are lots of areas for gaps in the control measures that could let a threat affect the data. The multiple part blog, (I am not sure how many parts it will take), will walk through the steps of the data lifecycle and what a company can do to implement a good process for all the data management challenges.

In the first part of this series, we covered what it means to say you have or want a data lifecycle management process.  So why do we need something different from what we are already doing around DLM?

Why does traditional security not work for DLM?

Users have risky behavior. They will always have risk behavior and we rely on mostly technology controls to keep them in a secure box.  Solutions aimed at the external threats coming in, not the regulation and governance of internal communications going out. Problems we see are typically:

  • Unauthorized application use: 70% of IT say the use of unauthorized programs result in as many as half of data loss incidents.
  • Misuse of corporate computers: 44% of employees share work devices with others without supervision.
  • Unauthorized access: 39% of IT said they have dealt with an employee accessing unauthorized parts of a company’s network or facility.
  • Remote worker security: 46% of employees transfer files between work and personal computers.
  • Misuse of passwords: 18% of employees share passwords with co-workers.

The reasons typical technology controls will not work in the full DLM process are:

  • Products are not geared to protect a full life cycle of a customer records
  • Most solutions and processes are outward facing, based on perimeter security
  • Encryption can affect data management
  • Real-time intrusion detection and remediation is rare
  • Context and intent of messages was not analyzed properly
  • Functional areas in organizations create different policies, monitoring requirements, enforcement priorities and reporting
  • New technologies can avoid security measures
  • Technologies look at the network, the operating system or the application not the data across all environments
  • Not mapped properly to regulations

What risks does customer data loss pose for organizations?

If we know that security is not working, what are the risks we face? A very recent example of how this can have a practical affect is with the Massachusetts Privacy Law 201 CMR 17.00. Loss of data can have a great financial impact with this law.  Key things we need to consider include:

  • Penalties: Not complying with regulations can cause civil and financial penalties
  • Confidence: Loss of customer confidence because of a customer data breach can lose customers
  • Reputation: Damage to reputation will lose customer and damage relationships
  • Competitive Advantage: Information and customers can move to competitors
  • Costs: Ponemon Institute’s 2008 annual study, average $6.6 million per breach.
  • Valuation: Decreased stock prices could result

I will continue this process in the next post…

Gary Bahadur
http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test

Reblog this post [with Zemanta]

What is Data Lifecycle Management?

The Data Lifecycle goes through 5 steps: creation, usage, transport, storage and destruction. Most companies have parts of this lifecycle under control, but that means there are lots of areas for gaps in the control measures that could let a threat affect the data. The multiple part blog, (I am not sure how many parts it will take), will walk through the steps of the data lifecycle and what a company can do to implement a good process for all the data management challenges.

Data lifecycle management (DLM) is a policy and procedure based approach to manage information movement. Data has to be classified and evaluated to properly protect it with the right resources. Ownership is a key factor in managing and maintaining data throughout the lifecycle

The 5 Steps

  1. Creation – How does data creation get managed?
  2. Usage – What limitations are on data usage?
  3. Storage – What controls are in place for storage?
  4. Transportation – How is data transmitted between company, customers and business partners?
  5. Destruction – What is the validation and verification process over data destruction?

The Data Management Problem

  • Weak processes in place to track creation usage, transportation, storage and destruction
  • Weak ability to monitor and manage a customer record throughout the lifecycle
  • Inconsistent processes across each phase of data movement
  • Lack of enforcement capabilities

What should be the goal of data lifecycle management?

  • Provide practical steps to manage each step of the customer record management process
  • Provide cost effective solution for risk mitigation
  • Provide framework for data management
  • Reduce risk of data loss

Challenges to Customer Data Records Management

  • Rarely does a company have a centralized process to track controls over data, over management processes around data, over logging and monitoring, and removal
  • Organizations rely on technology to secure data not processes that drive technology purchases
  • The 5 steps of data management are not followed by all functional groups in a company
  • No clear ownership and classification of customer data elements

Did you know…

  • 1 in 400 emails contains confidential information
  • 1 in 50 network files contains confidential data
  • 4 out of 5 companies have lost confidential data when a laptop was lost
  • 1 in 2 USB drives contains confidential information
  • Companies that incur a data breach experience a significant increase in customer turnover—as much as 11%
  • Over 35 states have enacted security breach notification laws
  • Can openers were invented 48 years after cans
Reblog this post [with Zemanta]
Windows 7 is the latest stable Windows operati...
Image via Wikipedia

There is a lot of focus on network security and application security today. Years ago it was operating system security that was all the rage. But with the advent of the strict requirements of some of the regulations such as HIPAA, PCI, SOX, and FISMA, more attention needs to be paid to the operating system. As Windows is still dominant, what are some of the features you need to be concerned with in an application?

Some key feature of a host security assessment tool are: 

  1. Ability to quickly audit
  2. Ability to inventory
  3. Structure for classification of components
  4. Patch management of course
  5. Ability to baseline and report against the baseline
  6. Templates of the regulatory requirements
  7. Templates of different levels of security configurations
  8. Threat identification and classification
  9. User management
  10. Port security assessment and management
  11. Service and process analysis

A baseline configuration for operating system security, cover things such as patch levels, ports, services, processes, logging, policy settings and user configuration, should be the first step for any company in host security assessment and diagnostics. If you build from scratch, or don’t use a secure template, you will always be in trouble. Timely updates and reconfiguration of your baseline is necessary.

Your operating system like your network security should match your corporate business practices and procedures. Policies should be in place for this of course.  Over time you should be able to benchmark your host security problems, solutions and changes.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test 

Reblog this post [with Zemanta]
The Washington State Capitol. Taken from The J...
Image via Wikipedia

PCI laws are expanding around the country. Washington State is the latest to add a law to their books. Washington state follows Nevada and Minnesota in implementing Payment Card Industry Data Security Standard (PCI), the law is HB 1149. It changes the breach notification law they already had on the books. The key point is that it allows issuing banks a method of collecting the costs to reissue payment cards after a breach.

Organizations who must abide by the law

It defines “business(es)” as merchants processing more than six million cards and sell to Washington state residents.  “Processors” manage account information for others and “vendors” sell software or equipment that processes, transmits or store account information.  Account information can is not so clearly defined. It will be interesting to see how companies outside of the state are affected. PCI Security Assessments are going to become even more prevelant.

How is the law implemented?

Entities that fall under the law are required to provide reasonable security measures. They can be liable for damage and if they have to reimburse their banks for reissuance of card, that can get very expensive.  The law should probably have been more clear on this point

Determining a breach has been defined as “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.”  There is the possibility of confusion between account information and personal information. That will probably cause problems in the future lawsuits. Encryption is also going to be a challenge in the implementation and review for compliance requirements.

How this law integrates or conflicts with PCI requirements will news worthy. The different levels of PCI compliance and the levels identified by the law are now completely consistent. Can PCI SAQ assessment be enforced by the law? Can you be PCI compliant and not compliant with the law, or vice versa? I would venture to say yes.

If only we have a National Standard for all of this. Wouldn’t that be a progressive move?

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development  

*PGP Security

Reblog this post [with Zemanta]
Adobe Systems Incorporated
Image via Wikipedia

We have seen a lot of problems with Adobe vulnerabilities. Adobe has been getting beat up with all the negative publicity in the past few months. Apple is restricting access to Adobe on their devices. Has anyone tried their remote desktop sharing? I wonder if some vulnerability will be release in that application. What is the real problem with electronic document sharing and what are some of the solutions? Adobe is just an example; the whole industry of electronic documents is finally coming into its own. 

Problems with Electronic Douments

How are people accessing electronic documents and how are they signing them and verifying them? Well there are multiple companies out there touting secure signature applications for documents. When do you use these companies?  Some questions to ask include:
1. When and how do you determine the importance of the document?
2. Have you implemented a data classification scheme for electronic documents?
3. Who has the right to sign and read these documents?
4. How do you track usage and distribution?
5. Is there a time frame associated with the life of the document?
6. Can you prevent screen scraping of the secured document?
7. What is the “hackability” of the secure document?

Signing an electronic document can be a challenge for the technology challenged. Some documents might trigger antivirus or malware protection applications. If some intrusion detection applications can read a document or data loss prevention applications do not have access, you could be blocked from that document. Convenience of use is a major hurdle for the adoption of secure documents.

Printing, modifying, viewing, and deleting these documents require all kinds of levels of authorization that is probably difficult to manage. If you can have a location based “bomb” in the document for when it left the organization domain, that would be an interesting play on data loss prevention. We know client side options are easily broken, how do we change the mentality of secure document management?

I do not see how secure documents make too much sense in any public forum. Its not worth the effort to worry about secure documents outside of a strictly controlled corporate environment. Different forms of watermarking have their place in identification but not much in control.

 
The most likely areas are in Research and Development, Legal, Banking and Healthcare. These should be the quickest to adopt a secure framework for electronic documents. Some industry standards need to be followed and a process developed that all companies can follow. This would make it into all the data loss prevention applications eventually and really provide some security.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development 

*PGP Security

*FREE Website Security Test 

Reblog this post [with Zemanta]
Image representing Facebook as depicted in Cru...
Image via CrunchBase

 The trends in Social Media are heading towards more sharing of information. But sharing of information has moved beyond your circle of friends and family. Social media is becoming less social and more… well more corporate. Or more like many people shouting in a bar, you are all in close proximity, but you can’t distinguish the individual conversations, you can’t make out who people really are or who is a potential quality relationship.

How many random friend requests do you get now from Facebook, Friendster, MySpace, LinkedIn, etc. Twitter is a bit different obviously, but that’s a whole other story. Now you are also getting bombarded with corporate Fanpages, groups and other means of luring you to their sites, brands and social following. This is the erosion of your true social circle.Social Media Security is really more about Insecurity. The distribution of your information across multiple platforms used to be in a restricted circle. This can be true data loss.  Now its pretty much everywhere. You can find a person’s LinkedIn profile with a generic Google search. This should be restricted to the LinkedIn environment, but it’s not.With the advent of location based services, we will see physical insecurity based on social media usage. A recently popular site Please Rob Me http://pleaserobme.com has already begun taking advantage of the Twitter location feature. Imagine what can be done by a stalker following someone on twitter or a deranged Ex-boyfriend following you based on the events you are attending on Facebook? It’s easy to see how you can give away all your personal information without event thinking of it. Trends towards making information available will lead to Insecurity. Insecurity will lead to data breaches and compromise. Compromise will lead to lots of crying, money lost, probably lawsuits and other painful results. How do we get past this Social Media Insecurity

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development 

*PGP Security

*FREE Website Security Test 

Reblog this post [with Zemanta]
Facebook, Inc.
Image via Wikipedia

One of the greatest challenges to privacy and security in the next several years is Social Networks and Social Media. Sites like Facebook, Twitter, LinkedIn, MySpace and others can be the downfall of valuing information. The ability to share and provide information is completely the opposite of network security requirements.  This is really encouraging people to do things that are not security conscious activities. Social media encourages:

  • Lack of privacy
  • Encouraging information sharing
  • Giving away answers to security questions
  • Social engineering

As we have seen recently, a lot of spam, spyware and malware is attacking social network. Just in the past week I have probably recieved a 100 requests to be my friend on Facebook from people who I do not know and funny enough, all the message have the exact same personal message. Malicious people are attracted to social networks because of the ease of gaining trust and availability of data for social engineering.  Relationship building is easier through social media which can easily lead to phishing attacks.

With these sites, people install applications without knowing what goes on in the background, and its easy to download malicious code to your computer. There are no external third party audits of these applications before the make it to your Facebook application. Your computer can be easily infected by a virus or spyware.

What does the Social Media user to protect their information?
No Personal information – This is anti-social network, but there are things you can limit about what you post. Don’t post your Birthday! Or your address or your mothers middle name or any really personal data.

Limit who can view and contact you – Don’t let your profile be truly public, restrict to people you know for requested users.  Remember you can’t retract information you put out there. 

Don’t trust strangers – Your mother was right, don’t open the door to strangers. Limit who you accept chat or friend requests from and well as even communicate with.

Trust no Profile – People lie, it’s sad but true. So profiles lie, they might say they went to your college or high school.  They might be interested in your groups, so don’t take anyone at their word.

Restrict your privacy – There are some configuration setting in all the social media applications that can allow you to turn on some restrictions on your privacy. Take a minute to actually look at them. One easy example is in Facebook you can create groups that you can place friend in; you don’t want business people seeing what your friends are posting.

Password management – An oldie but a goodie, always use a strong password and don’t share it. And change it periodically.

Layers of protection – You should be running a personal firewall and antivirus software on the machine you are viewing social networks. This will help if a malicious piece of software tries to download something to your machine. Keep your protection software up to date as well and run the patch management software on your machine, this is especially important for you Windows users.

Child protection software – You should have some kind of child protection software running on machines where children under 13 are using. This will help with all that shady software that is out there.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test 

Reblog this post [with Zemanta]