The obvious entry would be to discuss the recent news about China and their hacking activities, but I haven’t decided what I think about that yet.  On one hand, I’m surprised that people are so surprised about it.  On the other, I think it takes a lot of balls for a country to sponsor hacking activities (and there is no convincing me the government wasn’t aware).  Bt then on the other hand, is this really that different from the espionage activities that were conducted between us and the Soviet Union during he Cold War.  The targets are different, but the goals are similar.  Instead of spying on the military to better defend the home country, China is hacking to better develop the home country.  This doesn’t excuse the activity, but this thought process is at the core of why it doesn’t surprise me that it happened.  I guess what does surprise me about all this is that it took ten years for it to come out.  How is this news going to affect businesses?  Well, I assume there will be many internal investigations to determine exactly who was hacked and what data was compromised.  How is this going to affect individual people?  I don’t know that it will alter the behavior of too many people.  Last night Jimmy Fallon had a joke bout the China hacking situation by announcing that he still isn’t going to change his email password from “jimmy.”  I think this is probably going to be the case for most people -they aren’t going to give it any thought other than “Oh, China hacked businesses.”  Hopefully I’m wrong. 

The paranormal side of privacy and security


I struggled to come up with something to write about for this week’s blog. I did several searches online for information security and related topics, but nothing jumped out at me. So, I decided to write about something that came up last night I got to think about everyday personal security and privacy. I am co-founder of local ghost hunting group and we just accepted three new members into our organization last night. We take what we do seriously because we going to people’s private homes and wander around in the dark unsupervised. There is a high level of trust these individuals are placing us when they let us into their homes to do this. This means we have to choose new members carefully because they are going to be representing us. We need people who are going to respect the homeowners policy regarding what we see in the house (not just paranormal – we seen some really hot stuff that people have).

The most important thing is safeguarding the person’s privacy. Most of our clients are genuinely scared of whatever activity is going on in their home, and we are often their final attempt at a resolution. The very last thing they want is someone blabbing about the fact that they think they have ghosts in their house or business. Fortunately, we are able to debunk probably 75 – 80% of activity as everyday stuff like doors don’t latch properly or plumbing noises, et cetera. Even though that is the case, it still doesn’t mean that they want word to get out. The reason it’s so important to them is that it can affect how they are perceived by others. In the case of a business, it can cost the money customers believe you hear that the place is haunted, or that the owner is a little “off” for thinking that might be haunted.

So, we teach our new members to speak generically when telling investigation stories. Instead of saying something like Bob’s house in Central Omaha, we would just say a house in Omaha. It may seem like a small thing, but it really matters to our clients. The case files and pictures because our website are labeled in the same generic way (unless the home or business owner has given us permission to use their names, like Mystery Manner or the Squirrel Cage Jail in Council Bluffs).

Disaster Planning

I was initially going to do a post about Mac versus Windows and the ease of establishing VPNs for this weeks post. It’s a topic that would have tied into the general theme that is kind of present in my previous post, but hurricane Sandy got me thinking about disaster recovery from a business aspect. After I read the article in the link below, I was especially interested in this topic. So, join me on my deviation, won’t you?

DTCC is a company I have worked closely with for years, and their location in lower Manhattan was directly in Sandy’s path. The wall to their vault where they store the stock certificates borders the East River, so their lower levels are underwater and they are still unable to go in and assess the damage. Here is the first sentence from the article, “trillions of dollars worth of stock certificates and other paper securities that were stored in a vault in lower Manhattan may have suffered water damage from superstorm Sandy.” As of Friday, they have been able to reopen and now except physical security deposits at an alternate location in Brooklyn. This means that clients will be able to trade on the physical securities that has been deposited to their brokerage accounts, this is important because clearing firms can once again contact this business as normal. Unfortunately DTCC is still unable to process settlements, which means clearing firms are unable to settle trades based on the physical certificates already in DTCC’s custody. This was runs into regulatory and delivery issues, that at this point, I’m not sure how we will work around. I assume FINRA is going to grant exceptions and waive the extension fees that would normally apply, but something that will take a lot of planning and communication to all the broker/dealers.

My point to all this rambling is this. While DTCC’s disaster planning and recovery plan has obviously gone into effect, there has been a trickle-down effect that has created an immediate consequences on businesses here in the Midwest for very far from any kind of physical storm damage. There is no primary disaster plan for the company to put into place in this situation, but we still have to react and create new policies based on the East Coast conditions. There are workarounds to using DTCC as the primary certificate processing facility, but it is a lengthy and sometimes more expensive alternative.  I guess the purpose to this writing is to bring up the fact that just because the company does not directly suffer any kind of disaster or damage, the planning team still needs to take outside factors into consideration. They need to plan for alternative ways to conduct business if one of our primary partnerships loses the ability to operate.

http://buzz.money.cnn.com/2012/11/02/stock-certificates-sandy/

I don’t have an article to reference for this weeks blog post because I want to talk about something that happened at work this week. It turned out to be I’m not even, but the level of awareness (or lack of) has me concerned. Here’s what happened:

I start work later than most of my department, so by the time I come in everyone is usually busy and getting things done. When I got in the other day, everyone was milling about and talking so I knew something was up. They told me the phones were down so we couldn’t do anything. Shortly after that the network went down as well. My first thought was, “could this be the result of some kind of an attack?” When I asked this question of my co-workers, I received a range of looks from confusion to disbelief. I don’t work in the technology department, so I understand that an attack might not be the first thought people have. But, what I found surprising is the fact that they wouldn’t even consider it as a possibility. Some people thought no one would be interested in attacking us, others not an attack wouldn’t affect our internal network. I pointed out that neither of those things were necessarily true, but no one was interested in discussing it. 

Like I said earlier, this turned out to be a non-event, but I’m disturbed by the fact that no one even considered the idea that we could have been attacked. I think it comes down to a training issue. Even though we aren’t a tech department, I think we would benefit from a training program that would address threats  and the fact that the company could be a target. I don’t mean to sound like I’m judging my coworkers – I’m not – but I think there needs to be a higher level of security awareness. It comes down to if employees think a company wouldn’t be a likely target attack, how can you expect them to follow the security rules in place?

Access Control and Training

In the chapter we rent this week, the book referred to access controls. There are two sides of this: the electronic and the physical. Naturally, the electronic access controls are going to address what systems and information can be accessed by which users. While that is a topic that would sustain its own lengthy conversation, I want to focus on the physical side of access control, specifically some of the dumb reasons why people I work with think it should apply to them. I know that sounds like a negative statement, but seriously it’s one of my pet peeves. Physical access control has been a factor in most of my adult working life. First in the military, then my career within the financial industry. Maybe it’s due to my time in the service that doesn’t bother me now, but it really seems to be a hassle for some people to grasp the importance of it.

I work in a building which requires that we have badge access not only for the building itself, but to get into my specific department. The entry points and key areas within my office are monitored with security camera, and there are additional measures that I’m not going to discuss for security reasons. All of this security is because we work with a lot of high-value and very portable assets. If someone were to run off with one of them, it could literally cost the company millions of dollars. All of these controls make sense to me, and I understand the reasoning behind the need for them, but I’ve heard people complain about them daily. Here are some examples of the complaints from just this week, “Do I really need to wear my badge everywhere?”  “I should be able to have people visit me in the office if I want to – other departments allow it.”  “It’s a violation of my rights for them to record me coming in and out of the office.”  

First, is it really that much of a hassle to put a badge on your belt loop, or to talk to the friend over chat instead of having to come to your desk. That one I understand can be a little bit frustrating when you can just walk into other departments, but the no visitor policy does reduce the risk of lost assets. And lastly, a violation of your rights? Seriously? How do you survive going into a mall? or a gas station?

Enough of the rant. I think a lot of the issues in access control compliance come down to training. A company can deploy risk management policies all day long, but if employees are trained in how the procedures related them into their daily work, we are going to understand why it’s so important.  According to DiversifiedRiskManagement.com, “probably the simplest and most cost-effective precaution one can take is to see that every employee is involved in maintaining a safe and secure work force and work area, and through employee awareness training and empowerment of the workforce to get involved in daily security at work, even the most skilled intruder can be stopped in his tracks.” I think this statement meals the solution to the problem of getting employees to follow risk management procedures.

http://www.diversifiedriskmanagement.com/articles/access-control.html

Career Thoughts

I had a weird week. I spent some time in the hospital, and whenever I was trying to do homework someone would come into the room and asked me what I was studying. This resulted in my having the same conversation several different times with different people.  I would explain that I am enrolled in a cyber security program degree program.  This would invariably would get the reaction, “I didn’t know that was a job.” I told them it is and what the program was about, and that I hope to get a job as a civilian contractor once I graduate.  If I’m lucky enough to do this, it means I can apply my active-duty time towards a government retirement. Even though this has been my plan all along, I got to thinking about other possibilities for a career in cyber security. Since there’s nothing else to do in the hospital other than daytime TV, I did some research on the web and came across an article in which the interviewees complained about the lack of inspiration of their government jobs.

The article interviewed a couple different individuals who work in cyber security capacity for the government, and both called the boring and unimaginative. They talked about how regulated the environment is, and the lack of access to the computers they are actually protecting. They went on to talk about the restrictions they face when it comes to the type of security programs that can be applied.  In the article said that individuals working in cyber security for the government were essentially acting as a gate keeper who spent their time explaining to people what they can or cannot do ensuring that they either do or don’t do it.  There was nothing in this article that the sweets me from my original goals.  

After my years of working in Air Force Intel, I’m very well aware of government bureaucracy and what kinds of restrictions the place on various points of access.  For example, I remember the IT guys coming into our secured work space , and every time they did, we had to secure the classified and bring everything down to zero before they could be escorted in.  It was an Airman’s duty to watch them like hawks in case they found any kind loose paper, or anything that could potentially be classified.  if they did come across something, we were actually instructed to grab it out of their hands before they could look at it.  So yeah, I think I am prepared to face restrictions over what I can or cannot access.

http://gcn.com/Articles/2010/08/23/Cybereye-cybersecurity-jobs.aspx?Page=2

Poster Thoughts

Even though it’s off-topic from previous post I’ve made to this blog, I decided to just do a Google search for information security posters to see what comes up. And, there were a lot of examples.  Some of them were quite clever, and got their point across using just visuals with very little commentary.  

For example the “Take it From Red” poster raises awareness about social engineering, and the different forms the threat can take. It uses figures that are immediately familiar to us, and places them into a security conscious context.

http://www.educause.edu/visuals/shared/policyAndSecurity/TakeitFromREd.jpg

Another poster I thought was very effective raised wet awareness of emails and attachments. It’s simple, grabs your attention, and gets the point across through a combination of graphics and few words. It is something that you can read on the go, and immediately understand the message.

http://www.sandiego.edu/its/images/security/Amanda_Abito.jpg

Then there were others like the, “only the strong survive,” which initially grabs your attention.  But then I was so busy trying to figure out what cheese has to do with the message, that I really didn’t pay attention to anything else in the poster. sometimes being too clever get in the way of your message.

http://mindfulsecurity.com/posters/highway/CompromisePoster.jpg

Generally speaking, I’m in favor of using animals to make a point, but I didn’t understand this one at all. It asks “is your identity in safe hands?” and then says “security is everyone’s responsibility.” Good question at the top, but the following statement is a non sequitur. And where does the dog in the pink wig come in? It makes no sense to me.

http://4.bp.blogspot.com/_Mt0djarkXrA/TUCQTJsR-rI/AAAAAAAAAuQ/AtCP7YFtJh0/s1600/PIMI%2BGuard%2BDog%2Bposter2.jpg

Of course this is all just my opinion because different graphics are going to stand out in different ways different people. These are some examples of what either did or didn't appeal to me.