Thursday, December 23, 2010

Can service provider take you down?

And I don't mean just your ISP but all the providers of services to you.

Just a couple of weeks ago, Walgreen and McDonald's both revealed that data breaches at partner marketing firms had exposed customer information. I got one of those letters from the mailmen myself last Friday. 

All signs point to "spear phising" attacks against email marketing firms that has been going on for a few months. This brings up a new situation that CSO's would unlikely have foreseen. 

3rd party email marketing firm are usually chosen and contracted by the Marketing Department. I doubt IT and Security Officers would be involved in the selection process. But when a data breach such as this occurs, CSO is now charged with the clean up.

The medical industry has a process whereby service providers have to undergo security and compliance training. While there is no certification process for these 3rd party providers, they do need to conform to certain standards.

Can a corporation hold its suppliers to these security standards? Does your agreement hold any clauses regarding information leakage. This need to go beyond just NDA's. You should take this into account at your next security procedure review.

Thursday, December 9, 2010

Wake up call from Wikileaks

The damage that Wikileaks caused is far more than just the leakage of classified information that governments all over the world do not want us to know. It also contains embarrassing information and behind the scene dealings that would have been best kept under wrap.

Stopping Wikileaks is even worse. It mobilized the under estimated group of social activists who are looking for a cause to raise havoc with establishments. Who would have thought that these people would be willing to self inflict with malware so that Denial of Service Attacks can launched from their own computers. That really is no different than a suicide bomber willing to destroy its own life or equipment to cause damage to others. Only difference is that equipment is cheap and can be replaced, while human life is not.

At this time, it is still too early to find out who these attackers are. Are they truly acting "for the cause" or are they just causing trouble for trouble's sake? I guess there are both.
As a private sector organization, should we be concerned with this?

I believe so. There are always others who do not agree with us. Whether they are willing to take these drastic actions is a matter of the level of animosity against us. But Wikileaks sympathizers have shown how easy it is to launch cyber attacks against a target. And there are plenty of willing participants with their own sense of self-righteousness.

Large organizations like Visa and Mastercard have adequate resources to partially stop these attacks, but how would a smaller organization responds if this happens to it?

Wikileaks has shown us two things: external cyber attacks live on at a fast and furious pace, but the long overlooked internal data leakage prevention is what caused this outbreak in the first place. 

It is time we look within our organization and revisit the importance of tightening information access. Every employee within the organization should also be aware of how damaging certain information can be. 

I'll follow up in my next blog with an actual incidence that happened to a small organization that I know and the damage it caused.

Monday, November 15, 2010

Koobface points out weakness in current security training

Koobface - the network worm that preys on social networking like Facebook points out that fighting malware needs more than just technology.

In reading Nart Villeneuve's exhaustive analysis (PDF) , you can see that the scammers were not using very high tech, hidden means to infect users. It is just like the old email routine in which users were asked to download and install a piece of software.

Gee, isn't that something we've been told not to do, over and over again?

I believe why this was successful was due to the lack of vigilance on the part of the users. There is so much information and miss-information regarding malware that users are getting overwhelmed and desensitized.

That's a dangerous thing!

We face this problem in real life as well as in cyber space. We complain if the airport security is too slow and we complain if our email gets block by spam filters. We turn our day-to-day security over to the Dept of Homeland Security,  and we ask the CSO and the IT to be the sole group responsible for security in our organization.

As individuals, we need to be more observant in dealing with both real life and cyber threats. Organizations need to provide updates and trainings to its members and employees frequently.

Organizations are asked to hold "Sexual harassment"  trainings and hold periodic fire drills. But how many organizations have frequent "cyber security awareness" training?

Isn't it time we elevate Cyber Security to the same level of awareness as the other threats?

Wednesday, November 3, 2010

Stuxnet Worm is to blame?

Forbes reported on yesterday's outage of the Heysham 1 nuclear plant.

While the unplanned outage is still being analyzed, it is interesting to note that the article points out the business politics behind the European power industry.

Wednesday, October 13, 2010

Chief Security Officer is a lonely place.

In a recent security meeting, I came to the realization that Chief Security Officer is a lonely position. Not only do we have to fight external attacks, we have to explain, educate and justify the actions we take within our organization.

What is your experience?

October is National CyberSecurity Awareness Month

It seems to be the appropriate time to start this CSO Insider blog during this CyberSecurity Awarenwess Month. Dept of Homeland Security and President Obama saw the importance of CyberSecurity and wanted to bring attention to the nation.
The theme "Stop, Think, Connect" is so appropriate. I believe much of our security issues can be lessened if the general population has a better understand and awareness of the security issues we all face. After all, how many people even know this is CyberSecurity Month? We can all start by providing the DHS link to others so that they can start getting educated on the challenges we face.