IoT Brings Danger – And The Executives Around You Don’t Understand!

Do You Sell Technology? What About Security?

If your company sells technology, and specifically security technology, your firm has an important job to do. It’s frustrating when marketing efforts seem fruitless, when prospects seem to have no real needs, or when executives refuse to meet with you and insist that you meet with IT administrators instead. But the truth is, they all have an urgent need. And your technology firm could be helping them.

The Internet of Things (IoT) is a game changer. I’ve posted the TED video above because it speaks to the future when just about everything is online. Even the chair sitting next to the speaker. The IoT can mean a lot of things. It offers all kinds of efficiencies, from resetting your A/C while away on a trip, to using your smartphone to control your home security system, or maybe a deer cam deep in the woods. But there’s a problem no one’s really addressing. It’s a big opportunity if you’re ready for it.

So Where’s The Big Opportunity?

It’s the threat that stands behind the chair in the TED video. Target was attacked through an HVAC connection. But an article posted in the Wall Street Journal today sheds light on a much bigger issue: critical infrastructure devices on the Internet. Stuff that’s connected that no one is really thinking about.

The U.S. tops the list of connected critical infrastructure.  Rachael King, one of the WSJ writers I follow daily, writes, “control systems used in utilities, health care facilities and transportation systems are connected…to the Internet…In many cases, the operating companies are not even aware…” That last sentence is the key. The people running the companies you call on have no idea what’s connected and how that exposes them. In fact, Rachael goes on to point out that “Most of the systems that are exposed seem to be accidental…and the result of poorly configured network infrastructure.” In other words, no one really knows until a thorough investigation takes place.  IT is making mistakes, and no one really knows until it’s too late.

This is a topic for your next Live Event Demand Generation Program!

Next week I’ll be speaking about these things in Cincinnati, Ohio.  It’s an educational event with a big opportunity on the other side.  My goal is to get business leaders thinking about this. No one has it covered. The question is, can we convince them to take a closer look?  If we can, there’s an opportunity, because 95% of the time we will find evidence of data exposure or critical devices or data accessible from outside the firewall.

One of my coaching clients recently took a job with RiskIQ. This is cool technology. The idea is to profile the attacker. To take a look at a company’s assets from outside the firewall. Using some pretty sophisticated scanning technology, this company will scour the Internet to find data that belongs to a given company. That data might be unstructured data on a SharePoint server, or it might be stolen data being sold in a chat room. In most cases they’ll find something that isn’t supposed to be outside the firewall. And when they do, it’s a surprise to the CIO. But it’s also an opportunity – a project opportunity.

While you don’t have to use RiskIQ, these types of issues demand something more than simply scanning the perimeter for open ports. In my book, From Vendor to Advisor (pg. 139), I describe an executive approach to discovery. The security message demands an executive audience. It requires involvement from the people who are liable when a breach occurs. Preparing to deliver this message might be the key to your future value proposition – the thing that sets you apart from the average reseller.

© 2014, David Stelzl

P.S. Looking to Make Quota This Year?  Make sure you have a copy of my security sales book, The House & the Cloud… Get  the free ebook version (CLICK HERE TO GET IT).


Healthcare Records Can Be More Valuable to Hackers Than Your Credit Card Number…

On the day JP Morgan announced the theft of 79 Million account records, I will be presenting a keynote on healthcare security at the annual 3T Systems Healthcare Summit, in Avon Colorado.

My heading – “Healthcare Records Can Be More Valuable Than Your Credit Card” – comes from a Sept 2014 article from Reuters. While the full details of one’s financial account information are worth quite a bit, card numbers and names have become a commodity. That doesn’t mean hackers don’t want them. They do. When a hacker steals 56 million from a POS system, there’s money to be made.

But healthcare records, containing names, birth dates, social security numbers, and medical history, are worth about $10 per record. So when Community Health Services announced a 4.5 million record breach earlier this year, you can believe the hackers are doing pretty well. And there’s no federal tax to be paid on the resale of this information.

Other important sound bites:

  • Medicare fraud over the past year is up to $6 billion. Who is going to pay for that? You and I will.
  • 40% of healthcare companies have reported a breach over the past two years, according to a recent threat report.
  • 90% of healthcare cloud services are hosted by companies with a medium or high risk rating.
  • The FBI tells us medical security is weak and it may take years before a victim catches on.

What Will Hackers Do With All This Data?

They’ll resell it of course. There is the threat of someone misusing this information on purpose for extortion purposes. And there’s that risk that data could leak out, exposing someone in a way that would harm their reputation. But the real threat is fraud. When Community Health Services was hacked, China was blamed. Why would the Chinese want this data?

Healthcare data is primarily used in two ways. The buyer will use it to buy expensive medical equipment that can then be resold – such as expensive motor scooters. The other scam is to file fraudulent medical claims. When this happens the victim will likely start getting medical bills that aren’t theirs. If you’ve ever had to deal with bill collectors, you know that fighting this won’t be easy.

All of these costs will eventually be passed on to us as consumers and taxpayers.

The Key Problem

The problem is HIPAA. I don’t mean that the HIPAA laws create a weakness. What I do mean is that they have pulled everyone’s attention toward compliance laws that require a lot of effort to keep up with – but don’t necessarily lead to security. Take the assessment requirement, for instance. Doing automated pen tests is something every company should do, but in my opinion it’s hardly an ethical hacking test. All it does is expose major weaknesses in the systems that are scanned. It does nothing to combat the social engineering tactics that hackers will actually use.

Thanks to 3T Systems for hosting this informative event, along with their partners including Check Point and Citrix.

© 2014, David Stelzl

Fraudulent Transactions Can Destroy Your Client’s Brand!

Is there something you can be doing to help them?

“Fraudulent transactions… are rippling across financial institutions and, in some cases, draining cash from customer bank accounts…” This is bad news for Home Depot, as reported in this week’s WSJ.

Look over the past several months. Things are getting worse out there. Yet many business executives are still ignorant of their exposure. IT organizations aren’t addressing this issue. Who can?

And if you’re waiting on chip and pin technology or new compliance laws to improve things – don’t hold your breath. Compliance does not equal security and chip & pin is an October 2015 thing. It might help, but security issues aren’t going away.

The diagram below summarizes some of what’s going on – thanks to SRC for providing this! A recent post on their site reports a “782% increase in cyber incidents from 2006-2012 (Source – The U.S. Computer Emergency Readiness Team).” Note: SRC Cyber exists to “Mitigate the risk of a cyber breach and circumvent the harm one could cause.”

[Infographic: SRC Cyber Security]

What Can You Do?

It’s time to put more focus on security. But not the product. This is an opportunity for education and consulting. Followed by strategic projects. It’s an open door to really help clients. And it’s worth a lot of money to be that person.

Last week I spoke to CIOs in the DC area. They came because they know something bad is happening.  And they don’t really understand it. Security is complicated.

This event was sponsored by The Teneo Group, a security consulting firm and reseller of Check Point Products.

They invited clients and prospects to learn more about the trends and what business leaders should be thinking about as they migrate to cloud applications, BYOD, and other transformational technologies to grow their business.

What Executives Need

Unlike many lunch events – The Teneo Group didn’t make this a technical meeting. They targeted business leaders including CIOs and CFOs. Their goal: to equip these leaders for the future of Data Security.

My presentation focused on major threats to expect over the coming 12 to 18 months. Certainly cyber threats such as DoS attacks from ISIS will be one of them. Another is the constant drain of intellectual capital from the innovators of this country. WSJ recently called this “The biggest transfer of wealth in History.”

I showed them one of the biggest mistakes businesses are making in security: the inability to detect and respond to an incident in real time. It’s a lack of real-time intelligence. It took Home Depot 5 months, and it was the bank, not IT, who figured out something was going very wrong!

Finally I gave them 7 things to change – 7 things to build into their security program.

A Different Kind of Assessment Is Needed

The Teneo Group generously offered to provide a targeted assessment to measure the likelihood of an attack for these companies. Most companies in the mid market probably do assessments. But most are focusing on the wrong things. As companies move toward cloud and BYOD (just to name two big trends right now), assessments of a different flavor are needed. Just about every attendee agreed to take this next step – I expect The Teneo Group will be busy this fall!

What can you do to educate your clients on security? Do they know what the likelihood is that they’ll be a victim? Probably not. Most are just focusing on the meaningless compliance regulations being handed out by PCI and government officials. This is not security.

There’s an opportunity here for those who are ready to do something new. An opportunity to provide some real value, and an opportunity to grow your business in a direction that is in increasingly high demand. But you can’t just do it. It requires some ramp up. Wait, and you’ll be leaving a lot of business on the table – and perhaps watching your clients move to providers who can.

© 2014, David Stelzl

P.S. Make Sure You Have a Copy of My Latest Report – What You Need to Be Doing Right Now to Be Relevant to Your Clients!

Download it << Get the report right here!!!


Is Cloud Computing Safe?

What about Apple and iCloud – Is it Secure?

In the above video Raj gives some balanced perspective on the recent celebrity photo leak. However he doesn’t clearly answer the question, “Is data safe on the Internet?”

Tomorrow I’ll be speaking to business leaders in Bethesda MD on this subject:

Things to consider before moving into cloud, BYOD, and other transformational technologies.

There are a lot of things to think about here, but the bottom line is, data is not “safe” on the Internet. It’s a matter of impact and likelihood; a graph I refer to extensively in some of my books.

Safety is never guaranteed – not while driving your car, and not in transmitting data. The question is, what’s the impact of certain things happening, and what is the likelihood of them happening? Before putting data on cloud services, or really any Internet connected computer, the data owner has to ask, what is the impact of certain potential events? It might be helpful to make a short list.

Data may be targeted by hackers like it was with Home Depot, or I might just lose connectivity to my cloud service, like when my Internet connection goes down and I can’t make a land line phone call. So what’s the impact of each thing I come up with?

Now, what’s the likelihood?

If I thought I might experience a deadly crash every time I got behind the wheel, I guess I’d stop driving.

As it stands, after over 50 years of incident free driving, I feel pretty good about taking my car rather than walking or riding my mountain bike. Yet the risk of a deadly accident still exists. The impact is high; the likelihood is low.

Cloud computing is complicated. As Raj explains, it’s not some mysterious technology. It’s simply someone else’s computer and I’m renting some space on it. Microsoft OneDrive gives me 1 TB for a reasonable monthly price, so I use it. However, I don’t think I’d be putting explicit photos of myself on it. I’m okay with the idea that someone might expose a picture of me hiking through the woods with one of my kids. So the impact is low, and since I can’t really see the Microsoft security setup, I don’t know what the likelihood is. But I don’t really care that much.

The point here is, no one really knows how secure any given cloud provider is…it’s always a guess.

Now with my accounting data I might feel differently. It might be too sensitive to put in the cloud, or I might do some more research before placing my trust in Intuit or Amazon, or whoever hosts the accounting application I use.

If you do the research, it wasn’t iCloud that created this photo problem. It was social engineering. It almost always is in some way. No matter how good the security is, you can always talk someone into installing a bot or program to capture passwords (a keylogger) as they’re entered. And you can almost always put something together to run through the dictionary of likely passwords and simply guess. And it’s human nature to use a password that is both easy to remember and easy to guess.

So there’s no reason to sit around blaming Apple. It could have been any cloud storage with pictures. Next time it will be Dropbox or Google Drive. Cloud is not an ultra safe place to store explicit pictures or any other highly sensitive data. And Internet connected servers aren’t much better. After all, that is what the cloud is: a bunch of Internet connected servers just like the ones sitting in your home or office.

© 2014, David Stelzl

P.S. Are you the trusted security advisor to your clients? Make sure you don’t miss this upcoming workshop (online) specifically for technology resellers selling security and managed services offerings!

Save me a Seat  << Find out more and sign up for Sept 26th, 2014! It’s Free to Technology Resellers.

Home Depot In the Headlines

Expect This to be a Daily Thing Over the Next Several Weeks

How would your customers like to be Home Depot right now?

Who’s at risk? Remember Sound Bites? I talk about this extensively in The House & the Cloud. And the new edition has an entire chapter on how to effectively use sound bites, and how to not use them.

Home Depot is heating up and overtaking the stage from Target. The number might exceed 60 million identities on this one – up from 40 million with Target. The amount of time these hackers had access is certainly longer. Let’s look at some key sound bites coming to the forefront of this story…

  • “U.S. states probe Home Depot breach, senators seek FTC investigation” – How about this for a headline? This should wake up just about any CIO. How would your customers like to have the FTC investigating? It gets worse… (Read the entire article).
  • “Two senators asked the federal government to investigate a data breach on the payment-card processing systems,” – If the FTC isn’t enough, how about having senators and other governmental officials requesting more investigation? This makes it sound like Home Depot isn’t really on top of this.
  • “An Illinois customer sued Home Depot saying the company failed to properly safeguard customer data from hackers.” – The lawsuits are just starting… Home Depot didn’t properly safeguard the data? That’s a due care issue, and a serious one if they prove it.
  • “The news also caught the attention of credit ratings agency Moody’s, which said the attack is a “negative” factor.” – Credit ratings are taking a hit?
  • “If Home Depot failed to adequately protect customer information, it denied customers the protection that they rightly expect when a business collects such information,” the senators said in a statement. “Such conduct is potentially unfair and deceptive, and therefore could violate the FTC Act.” – speaking of the two senators above.
  • “When asked if investigators had confirmed the attackers had been removed from the company’s network, Drake declined to comment.” – Translation: they don’t really know. If Home Depot’s network is under control now, don’t you think they would be broadcasting that fact loud and clear? This has to be bad for business.
  • “Home Depot shares fell 2.1 percent to $88.93” – and of course a fall in stock price. Expect to see some numbers on how much this is going to cost the company. It was 1.4 million last time I saw numbers on Target. Will this exceed that?

The Really Scary Part of this is that Home Depot did not Detect the Attack!

These hackers have been in the systems for at least 4 months according to WSJ reports, but it was the banks reporting fraudulent activity that brought this to light. In The House & the Cloud I discuss the need for detection – I point out that perimeter protection only keeps the honest people out. At least Target detected their attackers within weeks of the attack. This is a disaster.

How can shoppers go back to Home Depot if they’re not sure things are repaired? The company says card holders won’t be responsible for fraudulent charges. Will that be the case on debit card transactions too? And what about those who don’t take the time to scrub through all of their cards and transactions? Will the bank notice a wrong transaction and call it to the consumer’s attention? Maybe, but maybe not.

What To Do With This…

This is the perfect time to create some sort of briefing! You have Target, Home Depot, Chip & Pin trends, PCI and compliance… was Home Depot PCI compliant? I didn’t see that mentioned, but I bet they were! If that’s the case, what does that say about PCI compliance? Does compliance make a company secure?

Next week I’ll be speaking to CIOs in the DC area at a reseller lunch & learn. (Thanks to Check Point for sponsoring this event!) What are you going to do with it? It’s not all about Home Depot – it’s about hackers, their tools, and the weak security programs these companies have in place.

If you provide security solutions and managed services, don’t just go in spouting off about Home Depot. Instead, consider the briefing approach. What trends are relevant right now? What mistakes are companies making? What does this have to do with PCI compliance? What tools, education, and processes should be put in place to prevent this sort of thing? We can’t change the dates on Chip & Pin requirements, but we can show business leaders how to become a less attractive target for hackers.

© 2014, David Stelzl

P.S. Are you signed up for my session tomorrow on Making the Move From Vendor to Advisor?

Save me a seat!  << Get a seat now!

Do you have my special report? Don’t Get Fired!!!!

Don’t Get Fired – Retool Yourself! << Download it!


Was Home Depot Hacked?

It sure looks that way… this video offers some great insights into the resale of stolen data. They even have a clip with someone trying to buy credit card data. This clip is from 5 days ago – so what’s happening now?

The ABC Blog – 7 Hours Ago Reported…

“The huge hacking attack against Home Depot’s payment systems could turn out to be the biggest breach of any retailer’s data so far. The company confirmed the data break-in but did not say how many credit and data cards are affected. The total could be as much as 60 million”

In other words, yes, there’s been a breach.

The thing is, Home Depot is saying they are not aware of credit card data being taken. What does that mean?

It means they don’t have to tell us yet – but it doesn’t mean there’s not a problem. Since the breach, “multiple financial institutions … are reporting a steep increase over the past few days in fraudulent ATM withdrawals on customer accounts.” We’re talking about 60 million card numbers here. That’s a lot of data – in the video you can see that this type of data is worth a lot of money as long as the consumers have not been notified. That means someone may be using my card right now and I would not know it. Time to check my card charges online.

Chip & Pin Technology

If Chip & Pin technology had been in place, both Target and Home Depot would not have had this issue. The really bad news is that we have to wait until October 2015 before companies like Home Depot have this technology in place.

Will that stop hackers?

No – security is a long term play for technology providers. Every few months new technology comes out and new hacker strategies evolve. Actually, it’s the other way around. The hackers come up with something that works, and technology companies try to stop it. Then the hackers come up with the next thing. So while companies are scrambling to get the Chip & Pin thing going, hackers will be developing something completely different. They use this strategy as long as they can – then at the last minute switch to something completely new.

The Next Edition of The House & the Cloud…

The best thing you can do is get ready with the updated House & the Cloud. I just finished the edits and the artwork. I have one more chapter coming to me from an expert in managed services to bring this all together… so by the end of this month we will be printing copies. I know it’s taking longer than expected, but it’s really close now. Stay tuned…

In the meantime, check out my latest report on How to Upgrade Your Sales Position and Not Get Fired!

“Don’t Get Fired!”  << Special Report for Technology Resellers!

© 2014, David Stelzl

What Questions will get the CIO’s attention?

The better you know what it means to be a CIO, the better chance you have of making it through a meeting with one.

If you know something about information security – you’re in luck. It’s time to strike. With Target in mind and Home Depot in question, Rachael King, a writer for the WSJ, tells us board members are asking lots of questions. I suspect the CIOs don’t have the answers. How could they?

In a recent interview, John Stewart, chief security officer at Cisco Systems, was asked, “What questions are being asked?” So maybe it’s less about asking the CIO questions and more about knowing the questions CIOs are being asked – questions they don’t have answers to. This is the heart of what I call Predictable Messaging.

If you know what CIOs are being hit with – if you know the questions they’ll be asked, and that they probably don’t have answers to, and you know how to get answers – you might become one of their most valuable assets.

Here are three questions reported this week by the WSJ (from Stewart’s Interview):


  1. “Do you have a set of security controls that are provably in place, are measurable and are actually effective for the state of business and all the business types you’re currently operating? Even if the answer is no, Mr. Stewart said that he hopes this question starts a conversation in the business about how cybersecurity needs to be approached.”
  2. “Have you ever had any material breaches that have or have not been reported to the board and should have been?”
  3. “With regard to cybersecurity is there anything else I should know right now?”

Chances are the CIO won’t give you answers to these questions… however, knowing what they’re being asked for is the key. Can you help them answer these questions? Going back to an earlier post – do you know the top 3-5 threats, how likely they are to hit this company, and how the company is trending with security, up or down? How do we know? These are all things the board wants to know.

Do you want to be the chosen technology and risk advisor for the companies you call on?  Check out my most recent report on staying relevant in the technology sales industry…

Download the Report << Click to Get it!

© 2014, David Stelzl

P.S. Join me on 9/11 for a live online workshop where I will be discussing key strategies for working with top level executives in the technology world. Specifically Designed for Technology Resellers.

Save me a seat!  << Read more and register…