Reflections from the 10th Safer Internet Day Conference in Berlin, February 5th 2013
Earlier this month, I had the pleasure of speaking at the Safer Internet Day Conference in Berlin, organized by the Federal Ministry of Consumer Protection, Food and Agriculture and BITKOM, the German Association for Information Technology, Telecommunication and New Media. The conference title, ‘Big Data – Gold Mine or Dynamite?’ set the scene; after my little introductory speech on what big data really means and why this is a relevant topic for all of us (industry, consumers, and government), the follow-up presentations pretty much focused either on the ‘gold mine’ or the ‘dynamite’ aspect. To come straight to the point: I was very surprised, if not slightly shocked at how deep a gap became visible between the industry on the one side and the government (mainly the data protection authorities) on the other side.
While industry representatives, spearheaded by the BITKOM president Prof. Dieter Kempf and speakers from IBM, IMS Health, SAS, and others, highlighted interesting showcases and future opportunities for big data, Peter Schaar, the Federal Commissioner for Data Protection, seemed to be on a crusade to protect ‘innocent citizens’ from the ‘baddies’ in the industry.
Your customers are consumers too. They don’t turn into business bots when they set foot in the enterprise. Whether your organization sells a product or a service to enterprises or consumers, you’re interfacing with consumers who have opinions about security and privacy. S&R pros, you already know that you have to be on top of things like regulatory compliance (Hello HIPAA! Hi EU Data Protection Directive!) when creating policies and implementing controls. But what about consumer perceptions and behavior? Consider that*:
49% of US online consumers are concerned about security and privacy when purchasing products online
44% of EU online consumers say the same about sharing personal information to access a website
39% of US online consumers express security and privacy concerns over sharing personal information to participate on a website (e.g, discussion boards, writing reviews)
20% of EU online consumers are concerned about their security and privacy when downloading apps to their mobile phone
Undoubtedly, most of you will have seen the amazing story about the developer who secretly outsourced his own role to China, investing 20% of his annual salary to free up almost all his work time. The ruse came to light when the firm, who were pushing forward with a more flexible working package, noticed anomalous VPN activity and called in their telecom provider to investigate. The logs indicated that their lead programmer, "Bob," was apparently regularly telecommuting from Shenyang despite being peacefully sat at his desk surfing the Internet for amusing cat videos.
It transpires that "Bob" had FedExed his SecurID token to China and was allowing the remote development company VPN access to his employer's network so that they could do his day job for him.
Irrespective of the terrible security implications here, and they are pretty horrid, "Bob" was delivering high-quality code to schedule. In fact, his performance review regularly identified him as the best developer they had! And what "Bob" did here was not difficult – many sites offer the services of dedicated professionals such as developers, designers, proofreaders, even lawyers, for a small price.
In a business environment where we encourage flexible working, allow personal devices, and seek to incentivize workers for innovation, excellence, and performance, "Bob" could be held up as a role model, but at what cost to the enterprise?
When you fly nearly every week, you can get pretty bored on a plane. When I am sick of working, playing games, or watching movies, my latest distraction is checking out laptop screens. Sometimes I'm curious what movie you are watching but other times I am interested in what type of confidential company information you are displaying for the world to see. In the past few weeks I have seen the following types of information on my fellow flyer's screens:
End of year/end of quarter sales numbers
Disciplinary emails regarding employee peformance
Pre launch marketing information (which I presumed to be under embargo)
Competitive displacement information
Most of the time I suggest that my fellow traveler invest in a privacy screen, and most of the time they are receptive to the suggestion. It really is astounding how many people don't spend the approximate $30 on one. If your company doesn't issue them, I suggest you work to change that stance. World readable aren't the permissions you want on your laptop screen, time for chmod (UNIX joke).
You remember the tribbles don't you? The cute, harmless looking alien species from the second season of the original Star Trek that turn out to be anything but benign. They are born pregnant and reproduce at an alarming rate. The tribbles threaten the ship, but fortunately Chief Engineer Montgomery Scott is able to transport all of the furry creatures to a departing Klingon ship. The tribbles remind me of technology investments:
You start out small, but before you realize it the technology is everywhere and you are overwhelmed. It ends up in places you never intended.
Like the relaxing purr of the tribbles, the flashing lights of racks and stacks of gear gives us warm comfort at night
Tribbles consume everything, just like the operational requirements of much of our technology investment: resources, budget, and productivity are all devoured.
Data security consistently tops the laundry list of security priorities because it must. Organizations are collecting data, creating data, using data, and storing data in some way or another. Mishandle data or disregard privacy, and you’ve got a public relations fiasco on your hands with the potential to disrupt business operations or hurt the bottom line.
So, we know that data security is a priority, but what does that mean? What are organizations actually doing here? How much are they spending, and where are they focusing their efforts? And what are they doing about privacy? I’ve dug into data from Forrester’s Forrsights Security Survey, Q2 2012 and data from the International Association of Privacy Professionals (IAPP) to answer these questions in a newly published benchmarks report for our Data Security and Privacy playbook. Note: This is not a shopping list, nor a check list, nor is it a “spend x% on data security because your peers are doing so!” manifesto. This report is meant to be a starting point for discussion for S&R pros within their organizations to take a closer look at their own data security and privacy strategy.
I recently went for coffee with a very interesting gentleman who had previously been responsible for threat and vulnerability management in a global bank – our conversation roamed far and wide but kept on circling back to one or two core messages – the real fundamental principles of information security. One of these principles was “know your assets.”
Asset management is something that many CISO tend to skip over, often in the belief that information assets are managed by the business owners and hardware assets are closely managed by IT. Unfortunately, I’m not convinced that either of these beliefs is true to any great extent.
Take, for example, Anonymous’ recent hack of a forgotten VM server within AAPT’s outsourced infrastructure. VM "sprawl" is one of the key risks that Forrester discusses, and this appears to be a classic example – a virtual server created in haste and soon forgotten about. Commonly, as these devices fall off asset lists, they get neglected – malware and patching updates are skipped and backups are overlooked – yet they still exist on the network. It’s the perfect place for an attacker to sit unnoticed and, if the device exists in a hosted environment, it can also have the negative economic impact of monthly cost and license fees. One anecdote I heard was of a system administrator who, very cautiously and very successfully, disabled around 200 orphaned virtual servers in his organisation – with no negative business impact whatsoever.
Now, I wasn’t born in Texas, but I got here as soon as I could. I’ve lived in Dallas, TX for 30 years so I consider myself an adopted native-Texan. I’ll be at South-by-Southwest Interactive this weekend, so I thought I’d share some tips for all my current and future friends. For those of you from out-of-state – known as furriners – I hope you’ll find this advice helpful.
Last Friday, after a long week of RSA conference events and meetings, I eagerly looked forward to slipping on my headphones and enjoying the relative silence of my flight back to Dallas. As I approached my seat, I saw I was sitting next to a United States Air Force (USAF) officer. I looked at his rank and saw two stars on his uniform, making him a major general. I had a sudden sense of nostalgia and I instinctively wanted to salute him. I resisted the urge, introduced myself, and thanked him for his service.
Over the next two hours I had the most unexpected and fascinating conversation of my RSA week. It turned out that my fellow traveler is the commanding officer of the Air Force Research Laboratory (AFRL). According to the website, the AFRL is “the Air Force’s only organization wholly dedicated to leading the discovery, development, and integration of war fighting technologies for our air, space, and cyberspace forces.” We discussed a variety of open source topics, including electromagnetic pulse weapons, cyberweapons, Stuxnet, unmanned aerial vehicles, USAF renewable energy initiatives, as well as national policy.
Yesterday, WikiLeaksreleased emails taken in the highly-publicized Stratfordata breach. While many of the emails are innocuous, such as accusations regarding a stolen lunch from the company refrigerator; others are potentially highly embarrassing to both Stratfor and their corporate clients. The emails reveal some messy corporate spycraft that is usually seen in the movies and rarely is illumined in real life. For example, one email suggests that Stratfor is working on behalf of Coca-Cola to uncover information to determine if PETA was planning on disrupting the 2010 Vancouver Olympic Games.