Archives For hacked

Speaker Notes for Tomorrow’s Session in Cincinnati…

This morning I am headed to Ohio to meet with business leaders in the Cincinnati area – Another Digital Money session on Stopping Hackers!

If you provide IT services to businesses, I hope you’ll consider doing one of these with me at some point. Every business needs it, and most don’t understand the threats they are up against.

It’s a busy fall for us. Last week we wrapped up a session in San Francisco with large reseller executives, then headed down to work with a large sales team in Irvine, CA. And tomorrow, Cincinnati, a session sponsored by InTrust-IT…

The Most Frequently Misunderstood Truth In Small Business

The big question always comes up, “Why would anyone want my data? After all, we’re just a local business. There’s nothing interesting here.” I think Verne Harnish answered that question last week. If you’ve read his books, Rockefeller Habits and Scaling Up, you know he runs a small business with very little in the way of infrastructure. Like me, he’s a speaker and a business coach, supported by a small team. Yet his blog post tells the story of a $400K ruse that caught him and his team completely by surprise.

Why small business? Because small businesses still have money, take out loans, and process credit cards. They have bank accounts and payrolls. Today’s hacking tools are largely automated, so sending out hundreds or thousands of scamming emails takes the hacker very little time. When one lands, the hacker will follow up. Small businesses are also largely unprotected against this sort of thing.

It might be a fraudulent invoice or request for ACH wire transfer. In Verne’s case he writes, “They sent an email to my assistant completely imitating my style, subject line, and signature asking her to wire funds to three different places.” This is getting more and more common. The more data we put online about ourselves, the easier it is for someone to impersonate us!

Tomorrow’s Session is About Digital Money and the Value of Data

Digital Money, my latest book, goes into detail on this. Data aggregation is in motion, pooling our data in one place where it can be analyzed.

There are several major data aggregators out there doing this. But the idea is to collect enough data to profile YOU. This is usually for the purpose of some analysis or marketing effort. We’re seeing it used right now in the election. That’s right. The candidates are leveraging this data to figure out who is likely to be on the edge, and needs a push. The data tells them both who to target and how to influence them.

That data in the hands of the hacker allows the hacker to act just like Verne, or whoever they need to be, to issue orders to the team. Verne’s on stage in Russia, meanwhile his team is getting instructions to transfer funds. Will they? Of course. They’ve received these requests in the past, and they were real. There’s no reason to question them now, and the hacker knows that. These attacks are well scripted and highly successful. And the likelihood of prosecution is low.

Can it be stopped? Not completely. But there are ways to reduce the risk…and that moves us to a managed security program that involves people and technology, well equipped to deal with these common attacks. A program that detects these threats early on, before data has been compromised, and stops them before damage is done. Tomorrow, my goal is to give our audience the business-level understanding they need to make wise decisions going forward. And then to point them to the tools and process they’ll need to combat these attacks in the coming year.

© 2016, David Stelzl


Today I’m out in Sunnyvale visiting Arctic Wolf – A Cyber SOC company that provides the detection element of security so many are missing!  We really do need more detection…check out this video. If the hacker hadn’t announced himself, the victim would still be clueless.

This Story Tells It All – Man Hacked On Go-Go Wireless. It could have been Starbucks, City Wireless, McDonalds, or any other public wireless network. Something you should be passing on to your clients who still think their firewall is keeping them safe – even when they are working at Starbucks.

Copyright 2016, David Stelzl

HIPAA Isn’t Helping

If You Want To Help Shore Up Security, Start With HIPAA

As I mentioned in yesterday’s post, I’ll be interviewing Marc Haskelson later today, Founder and President of The Compliancy Group. He didn’t write the HIPAA requirements, but he understands them, and knows which of your clients need HIPAA. He also knows where it falls short.

HIPAA Is Not Security – It’s A Government Law

Do you know what HIPAA stands for? Google it and you’ll come up with more than one answer…if you’re going to bring it up in a meeting, make sure you know. Here it is: Health Insurance Portability and Accountability Act. (Note, it’s not the information portability act, and it’s not HIPPA).

It would have been great if the authors of HIPAA understood technology and security. The fact is, many of your clients either require HIPAA compliance, or will in the near future. The problem is, “HIPAA isn’t helping” healthcare security according to Gary McGraw, CTO of Cigital (a leading software development firm headquartered in Dulles, VA.)  If you’ve read my book, The House & The Cloud, 2nd Edition, you know I agree.  There’s a large chasm between compliance and security, but regardless, HIPAA is required.

In a recent study, “Healthcare overwhelmingly scored lower than financial services firms, ISVs, and consumer electronics firms, which include some Internet of Things providers.” according to Kelly Jackson Higgins, in an article posted on DARKReading.

As McGraw states it, “All [HIPAA] did was increase bureaucracy and the tiny print stuff handed out each time you go to the doctor. It over-focused the healthcare domain on privacy and patient privacy data, which is an important thing. But there are many other aspects of security that have little to do with privacy.”

The real problem with HIPAA is it has given doctors a false sense of security. In a recent healthcare conference I spoke at, every session that had something to do with security was all about HIPAA. When I gave my presentation, I started by asking the audience to forget about HIPAA for just one hour, and listen to what it means to be secure.  The response was one of surprise. No one had ever told these people that data, governed by HIPAA, was still at risk.

Over the past year we’ve seen numerous companies attacked, regardless of their HIPAA compliance efforts. To name just a couple, Anthem and UCLA Health come to mind.

I have a colleague who recently took a job with Websense. This year they published a study showing healthcare organizations are being hit 3 or 4 times as often as other firms by cyber attacks. Forbes noted in a recent article that healthcare data is worth 10 times that of credit card data on the black market. A Trend Micro study shows that “nearly 27% of data breaches reported over the past decade occurred in the healthcare sector, and healthcare was the hardest hit by identity theft in the past 10 years, with 44.2% of those cases caused by insider leaks,” (Cited by the DARKReading article above).

Here’s The Problem

People think they are secure when they are compliant. HIPAA requires so much paperwork that the security issues get lost in the process. The financial companies know they’re a target, while a recent survey published by Trustwave reports that healthcare IT professionals don’t.

How can you get involved? First, where there’s a problem, there’s an opportunity.  I’m interviewing Marc today to get a better sense of what HIPAA really requires, and to show technology resellers how to get involved. Healthcare companies and their third-party providers both need help as well as education on HIPAA. The House & The Cloud Message was extremely effective in the healthcare conference I spoke at. For the first time their eyes were opened, and they saw the need. This kind of education opens doors of opportunity that are both helpful to your clients and profitable to your business.

Here are two things you can do…

First, visit the Compliancy Group Site to get more information on how to become a HIPAA Security Provider. Marc will do everything he can to help you get up and running with minimal time and investment.

Second, enroll in the Security Sales Mastery Program – If you qualify with one of the many sponsors supporting this program, I can get you a free seat (Normally $450).  Contact me and we’ll find a way to get you into the program.

© 2015, David Stelzl

What Question is Most Often Asked of the CISO, By The Board Of Directors?

And What Questions Should They Be Asking?

The big question being asked, according to Kim Nash, columnist for the WSJ, is “Whether their company is vulnerable to breaches similar to those at Target Corp., Anthem Inc. and the U.S. Office of Personnel Management (OPM)?” There are two things to consider here – First, who can answer this question? Second, is it the right question?

According to Kim, it’s not the right question – but let’s go to my first concern which is, “Who can answer this question?”

Will We Be Hit Like Target, Home Depot, or OPM?

Most executives can’t answer this question honestly. And their security team doesn’t really have a clue either. If they did, we wouldn’t be reading these stories every day.  And, if you look at the stories being published, it’s the big guys – yet we know statistically, 60% of the breaches are hitting the SMB market.  Most of these breaches never make the news.  So the board can ask, but they’re not likely to get the real answer.

If you didn’t see my comments on OPM, you might want to take a look (Read about Donna Seymour and OPM’s failure to protect our nation’s critical personnel data.) The board is missing the mark here because they misunderstand risk. In my book, The House & The Cloud (2nd Edition), I’ve given a lot more attention to the impact vs. likelihood graph than I did in the 2007 version – it’s a model I use to communicate risk to business leaders.

If you know security, the concept is pretty simple. The missing link in most assessments is a measure of likelihood.  And that’s what the board is really asking – although they are asking it incorrectly.  What they really need to know is, where’s our data, and what are the top 3 to 5 threats we are facing right now. Given these threats, what are the odds we’ll be hit over the next 12 months?  (More detail on how to figure this out, starting on page 194 in The House & The Cloud.) As I said in my latest speaker promo video, risk needs to be presented in simple business language – in terms everyone who uses and depends on data can understand.

One thing everyone must come to grips with is, every company is vulnerable just like Target, JP Morgan, Home Depot, and most recently Ashley Madison.

The question isn’t “Can they get in like they did at Target?” Rather, they should be asking, “Can we detect a breach in time to stop the damage?” Remember, like a house or bank physical robbery, hacking does take some time, and it does make noise – but you won’t hear it with your ears. You’ll need detection technology in place and the people with the skills and understanding to turn that data into intelligence.

So what’s the right question? Can we detect and respond before it’s too late?

Are You Getting To The Board?

Have you ever been invited to meet with or present to a board of directors? It’s a powerful moment in the sales cycle if you have something meaningful to say.  Yesterday I was working with a rep on some strategy, as part of the SVLC Security Mastery Sales Program. We were discussing strategies to get a CEO or Board level meeting.

Most are still working at the IT Director Level. Remember, the IT Director is low on the liability list for security. They might lose their job – but getting a new one, if they know security, won’t be hard. In fact, they may take a pay raise.  On the other hand, people like Donna Seymour of OPM are in trouble. (Again, read my post and consider Donna’s situation – is it her fault, or is there something bigger going on here?)

Now is the time to move up – company leaders need more security insight right now and the WSJ is backing you on this. The CISO cannot possibly figure all of this out in a vacuum. And aside from some of the largest accounts out there, their people won’t have the experience to do it either. Managed services (with a security focus), backed by skilled security experts, are needed to collect and analyze the data, repackaging it into something business leaders can use – intelligence.

What About SMB Companies?

Don’t let the Board of Directors thing keep you from your SMB accounts. The SMB is under fire right now – and the owner of that business is similar to the Board. They need to know the same things, they just have fewer resources to figure it out.

© David Stelzl, 2015

Ashley Madison Digital Assets

For some reason people still think their data is safe with someone else…  

First it was Adult Friendfinder, now Ashley Madison, hacked…

In this most recent attack, 37 Million users are waiting to see what their online profiles might look like posted online somewhere. Back in March it was 3.5 Million users, taken from Adult Friendfinder.  The hacker says he did it for money, and was looking to shame government workers.  In case you’re not familiar with these sites, they specialize in extramarital hook-ups.

Speaking of this week’s hack, Brian Krebs writes, “The data released by the hacker or hackers — which self-identify as The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison…In a long manifesto posted alongside the stolen ALM data, The Impact Team said it decided to publish the information in response to alleged lies ALM told its customers about a service that allows members to completely erase their profile information for a $19 fee.”

Apparently that delete function doesn’t really work…but in the data world, you can almost never count on delete, actually deleting!

Why am I writing about Ashley Madison? There are a few important lessons here…

1. First, no site is safe from hackers – and like this hack, disgruntled employees or customers should always be considered in the long term defense planning. Many of your clients assume their employees and customers are safe. They’re not. One small problem can set off a business crippling sequence of events. Will Ashley Madison recover from this? Regardless of whether you agree with their business, the point is, it’s their data and their business – it could be any business.

2. Since no site is safe, people should be thinking hard about the data they entrust to someone else.  People forget, but passwords don’t work. We should all be considering what data we put on a device that connects to a network…of course most of us have most of our lives online right now. How hard would it be to erase your bank account?  It’s just data at this point.  It’s also true that altering your medical data could disqualify you from a job or lead to all kinds of questions being asked.  Data is an asset – the stakes are growing as we put more of it online.

3. When you move to the cloud, something most businesses are doing to one degree or another, the data is owned by someone else. Of course the cloud based provider will tell you it’s still your data, but when you say, DELETE, don’t be surprised if your data isn’t actually deleted – which brings up the $19 fee Ashley Madison charges to delete. Can you believe it? You have to pay to have your account deleted. And from what the hacker is saying, they don’t actually do the DELETE. They just collect the money. Do I hear another lawsuit coming?

The underlying problem here is education. Most of the companies you call on don’t understand their risk. They don’t understand where the data is, what’s protecting it, and the odds it will be compromised. I’m not speaking of IT here. I am speaking of the company leadership. IT will just go get a new job – the leadership will be stuck with the lawsuits and the mess to clean up. In many cases they will go out of business. Only when they understand their likelihood can they make wise decisions to change their security approach. Either that, or wait until the hack happens, and then start scrambling for new strategies and technology.

© 2015, David Stelzl

What Happens When the Entire IT Infrastructure is Taken Down?

Days after IT said “they have it covered…”

Well, the article didn’t say IT had it covered, but I bet if we talk to the sales people calling on Canada’s Research and Technology Agency, they’re getting push back on security sales, budgets, and more important initiatives. At least until now.

In case you didn’t see the article earlier this week announcing the attack, there were more details in the paper this morning.  In my book The House & the Cloud I talk about the importance of sound bites – here’s a few you might want to know before heading out to your client meetings this morning.

Today’s WSJ article brings out some devastating news…This organization, responsible for innovation and research, had to completely shut down! Imagine the financial impact to any one of your clients – big or small.  And then to rebuild the entire IT infrastructure! How much will that cost? And if this were a private sector company with a large customer base…

Well, here are the sound bites to give you the bottom line.  Note the last one on Heartbleed. This was mentioned as an aside, but many have asked me about data loss due to Heartbleed…the answer is YES. People did lose data.

KEY SOUND BITES:

  • Canada’s research and technology agency recently experienced a cyberattack by “a highly sophisticated Chinese state-sponsored actor”.
  • This organization is saying it will be forced to rebuild its entire information technology infrastructure – an estimated 1-year effort.
  • What are they after: scientific research and innovation.
  • The attack was so significant that the only alternative was to shut down the entire system.
  • HEARTBLEED NOTE: “This comes less than four months after Canada’s tax authority temporarily shut down online tax-filing services after the discovery of a system breach related to the Internet security flaw known as the Heartbleed bug. Canadian police later charged a Canadian college student with stealing confidential taxpayer data by exploiting the flaw.”

If you have access to the WSJ, here’s the entire article: http://online.wsj.com/articles/canadian-government-reports-cyberattack-1406638057

© 2014, David Stelzl

P.S. Do you have a copy of The House & the Cloud?  It’s one of the only books I know of on how to sell security…get it free in PDF format right here…(CLICK).