Archives For heartbleed

What Happens When the Entire IT Infrastructure is Taken Down?

Days after IT said “they have it covered…”

Well, the article didn’t say IT had it covered, but I bet if we talk to the sales people calling on Canada’s Research and  Technology Agency, they’re getting push back on security sales, budgets, and more important initiatives. At least until now.

In case you didn’t see the article earlier this week announcing the attack, there were more details in the paper this morning.  In my book The House & the Cloud I talk about the importance of sound bites – here’s a few you might want to know before heading out to your client meetings this morning.

Today’s WSJ article brings out some devastating news…This organization, responsible for innovation and research, had to completely shut down! Imagine the financial impact to any one of your clients – big or small.  And then to rebuild the entire IT infrastructure! How much will that cost? And if this were a private sector company with a large customer base…

Well, here are the sound bites to give you the bottom line.  Note the last one on Heartbleed. This was mentioned as an aside, but many have asked me about data loss due to Heartbleed…the answer is YES. People did lose data.

KEY SOUND BITES:

  • Canada’s research and technology agency recently experienced a cyberattack by “a highly sophisticated Chinese state-sponsored actor”.
  • This organization is saying – it will be forced to rebuild its entire information technology infrastructure – estimated a 1 year effort.
  • What are the after: scientific research and innovation.
  • The attack was so significant that the only alternative was to shut down the entire system.
  • HEARTBLEED NOTE: “This comes less than four months after Canada’s tax authority temporarily shut down online tax-filing services after the discovery of a system breach related to the Internet security flaw known as the Heartbleed bug. Canadian police later charged a Canadian college student with stealing confidential taxpayer data by exploiting the flaw.”

If you have access to the WSJ, here’s the entire article: http://online.wsj.com/articles/canadian-government-reports-cyberattack-1406638057

© 2014, David Stelzl

P.S. Do you have a copy of The House & the Cloud?  It’s one of the only books I know of on how to sell security…get it free in PDF format right here…(CLICK).

Advertisements

IMG_8202We’re All Going to Lose if We Don’t Change Directions

Thanks to Konsultek for sponsoring yesterday’s business leaders’ luncheon focusing on Information Security in Chicago…

The truth is, without a change in strategy, companies will continue to lose big. My keynote focused on a number of trends to be watching out for this year – and on the heels of Heartbleed, there’s more than usual to be thinking about.

In case you missed the article published in Wired a few days ago – Heartbleed is still a major issue. The big guys have their servers patched, but it turns out that thousands of devices are still highly vulnerable, and many of these devices sit in the smaller companies and homes of unsuspecting, non-technical people. I’m talking about routers, switches, printers, and even firewalls. How will these devices get patched? Many are owned by people who have no idea what Heartbleed really is, and who don’t know where to start unless someone from the product manufacturer contacts them and walks them through some sort of patching process. I don’t see this happening.

At the end of our session, Konsultek offered their guests a complementary assessment to review some of the critical areas we touched on in the meeting. From my brief observation, every single attendee agreed to take this next step.

Wrong Mindsets Prevail

This most common mindset out there is the “Compliance” Mindset – compliance centric security strategies prevail, and they’re dead wrong. Getting the boxes checked off is a requirement, but it’s far from secure. It seems ironic that a company can be said to be compliant – then it get’s hacked. And suddenly, they are no longer compliant. Does that mean the initial audit was wrong, or do the “compliance police” think that a compliant network can’t be hacked? All networks can be hacked – I don’t care how compliant they are.

The other wrong mindset is the, “We’ve got it covered” mindset. This mindset bubbles up from the IT group in hopes of creating some sort of job security. Notice that Target has now replaced their CIO – is that because the CIO screwed up? Might be. The way Target was hacked was preventable, but was the hacking of Target preventable? The answer is no. If they can access NASA and the Pentagon, they can get into Target. They’ll simply find another door (whoever “They” is.)

Building the Right Mindsets

While security is often a losing battle, companies can gain a lot by simply building the right mindsets into the minds of those who create and use data every day. Making a company stronger than a nearby competitor can at least make it an easy choice for the hacker to go next door. That’s a bit like being a little faster than your friend while being chased by a bear, but it works.

The right mindset involves knowing you’ll be compromised at some point, and watching every moment until it happens. At that point, the response plan should be strong enough to keep the perpetrator from gaining access to critical data – in Target’s case, POS systems. We covered seven important mindsets in our discussion – mindset that are easily built, starting at the top, and which will go a long way in keeping things secure. While nothing is iron clad in this business, fixing 80% of the problem is worth doing. But buy-in at the leadership level is required, or it just won’t happen.

© 2014, David Stelzl

P.S. If I can help you get this message into the hands of your customers, give me a call, I’ll be happy to share some ideas with you.

 

 

 

heart“Heartbleed, Just Another Excuse to Sell Me More Products…”

You and every one of your competitors want to jump on the bandwagon and talk about Heartbleed to sell your customers something new.

Just today, a sales rep in my SVLC Insider’s Circle was called out by his client  – accused of selling on the heels of Heartbleed. It seems like a great time to bring up security, but this client has already been hit with so many calls, he’d become sarcastic over it.

What Approach Could you Take That Would Allow You To Break Away From the Competition?

Today in our SVLC Insider’s Circle Web Session, we’ll be covering this. Heartbleed is all over the news, all over the web, and already the topic of every sales call. At some point people get tired of this. But it’s not over. It’s a real issue that needs to be addressed. The question is, can you inject some freshness into this catastrophe and shed new light on it?

We already know SSL needs to be patched and people need to change their certificates. That’s in motion in most companies right now (I hope). In fact, in many organizations, it’s already done.  What’s next?

What is the impact of this news to the business? Where are the holes that no one has thought to patch? Where might there be a need for education and guidance?

Forget about selling for a moment and focus on the assets and asset owners.  I repeat this over and over in my book, The House & the Cloud (Which is close to being complete in it’s second edition!). I love the idea of setting up executive briefings on this sort of thing. Do managers and executives really understand what happened and where a response or education is needed? Could you or your company come out with something unique like this?

The Power of Executive Briefings

First, the executives are probably getting some input from their IT people, but in most cases they don’t consider their own IT to be the expert. This kind of thing takes some initiative, research, overtime effort, and a quick response to make it work – so it may already be too late. But don’t give up! Give it a try. Try answering questions like:

  • What does this really mean in plain English – something managers might be interested in.
  • What happens when the end-users in finance visit their favorite shopping sites, and have not changed their passwords – and get hacked? How easy will it be for cyber-criminals to gain access to that company’s digital assets?
  • What about people using their home systems – with compromised passwords on their favorite Yahoo sites – and then use that same infected computer to access company systems?
  • What about BYOD companies – how will they protect themselves from all the users who don’t change their passwords?
  • What about corporate communications? Any advice as to how your clients should be communicating with their customers who are likely using that company’s online web services?

These are just some of the questions I would want addressed if I were a non-technical manager in a large corporation, handling lots of sensitive information.

Briefings like this are not built to pitch a product, they are services you provide to build credibility, and to position your firm as the adviser. If the briefing is designed correctly, it will raise questions. It will build credibility, and it will position your firm to make some recommendations. It will also allow you to understand more about what that company is doing to sure things up after this major cyber event.

This is just one of the many ideas I worked with my clients on. And given a message, we can now start looking at different ways of getting the message out – the media we use. We’ve worked on interviews, videos, special reports, live briefings. There are endless ways to do this – it all boils down to focusing on the people who really do need some help with this, developing a unique and educational message, and delivering in a media/format that will move them to action.

We’ll be covering more of this today at 4:00 PM ET in our Insider’s Circle. You can join us for a free 30 day trial right here: (CLICK).

Do something new and innovative with this – don’t get caught trying to pitch another product.

© 2014, David Stelzl

 

 

 

heartbleedThis is the time to Schedule The Heartbleed Briefings…

Heartbleed is big news. For a week straight, The Wall Street Journal has been writing about it.  Are you leveraging this news – taking full advantage of the opportunity to help your clients and visit with prospects?

In my Making Money w/ Security Training Program I explain how to go about leveraging “The Briefing”. This is a powerful way to get into new accounts and move up in existing accounts with news and a clear, concise explanation of exactly what this is, as well as how companies should be responding to their clients.

Here are some ideas on how to do it.

Create the Executive Level Explanation – The Analogy

Last week, I happened to have scheduled a Lunch & Learn just a few days after the Heartbleed was announced. It was the perfect time to be meeting. In fact, several more people signed up to attend this meeting, probably thinking they would get some more insight on what this is all about.

How many executives really understand what OpenSSL and TLS is all about? Probably not many. Imagine being a C-Level leader in a business that uses the web extensively to interface with customers. It might be a lending organization, investments, or retail. Whatever it is, if your servers had the problem, you owe your customers an explanation.

Last week, 100% of the executives attending our lunch & learn signed up for an assessment. I wonder if Heartbleed had something to do with it. In my talk I went through the House & Cloud analogy from my books, Data@Risk and The House & the Cloud (which I am feverishly working to update this month!). This type of explanation works because it brings life and concrete understanding to a very complex subject of protocols that, otherwise, is just too hard to comprehend without going back to college for a computer science degree.

The person who can take the details of protocol handshakes and encryption, and turn it into simple, visual analogies is worth a lot of money.

What about Executives that Refuse to Take Your Calls?

We all have a list of executives we would like to get in front of, but who have not made themselves available. This is the perfect time to get their attention. What do you think a CIO would do if they received a FedEx package with a DVD titled, “The Executives Guide to Heartbleed?” Would they hand it to their IT department?

I’m thinking they would watch it!

What if it also demonstrated your unique value and had some stories and examples along with some practical steps executives should be taking to keep their online customers happy? This might be just the thing to help create a relationship at the adviser level.

Something Better than Another “Company Overview” Session.

If you’ve already tried getting face-to-face meetings, or perhaps are afraid to call into the executive offices because you have nothing interesting to say, this could be the ticket. This is interesting. If it’s not, it’s simply because you don’t understand it. This is the kind of thing that deserves working overtime to create books, DVDs, briefings, and any media that can make its way into the executive offices. Don’t let this moment slip away.

© 2014, David Stelzl

P.S. Attend my upcoming briefing on how to leverage this!  We will be covering this in more detail, with assessment ideas and more, Thursday this week at 4 PM ET in a Webinar. Anyone registered with the SVLC Insider’s Circle will be receiving Login Details.  Join us by signing up for a FREE trial membership – CLICK TO GET A FREE TRIAL MEMBERSHIP TO THE SVLC INSIDER’S CIRCLE – AND ATTEND MY BRIEFING ON HOW TO LEVERAGE HEARTBLEED and MORE…

 

 

 

heartbleedA Big Thanks to ePlus and Their Partners for Hosting Yesterday’s Security Event!

Yesterday, ePlus, along with their vendor partners hosted an executive lunch meeting to discuss security and the future of disruptive technologies, and how security must change in 2014.

This just happened to coincide with Heartbleed – on of the biggest disasters we’ve seen yet on the Internet.  At the end of the session, ePlus offered to provide an assessment to those who attended, helping them uncover anything that might not be inline with the protection needed to guard against current threats.

The Biggest Problem With Security

In my keynote, I addressed what I believe are some of the biggest problems with companys’ security strategies right now.  There are all kinds of problems out there, but I firmly believe the biggest one is that corporate leaders think their systems and networks are more secure than they really are.

Target thought they were PCI compliant, until they were hacked – and I guess since the PCI people said they were, they were. Are they still?

66% of the Internet Webserver Administrators probably had no idea that OpenSSL was broken, and has been for two years…so for two years they’ve been saying, “We’ve got it covered,” and for two years, they’ve been dead wrong.  Could they have known? Probably not, since the bug wasn’t known.  But it’s that attitude that bothers me. The arrogant answer of, “We’re all set,” that makes the company leaders think they are more secure than they are.

Great Time To Review the Rest of Your Strategy

There are some great tips out there on what to do now.  I suspect that most companies will jump on this update and get their webservers in order. Somehow the Heartbleed patch needs to be validated by the PCI police.  Will the users all change their passwords too? Probably not.  But this is a great time for companies to reevaluate their security overall.  Don’t stop at SSL – consider looking at the rest of it. If you’re a technology reseller or consulting company, I would recommend contacting every one of your customers by Monday with a simple plan to help them ensure their systems are set up correctly. If the end-users of that company are using outside websites (which of course they are) for shopping, social media, daycare, and who knows what else, their credentials are now compromised. If they don’t update them, they are creating an avenue back into their company’s secure systems.  Chances are they are using the same password on everything they touch from email to Yahoo, and their ERP systems.

© 2014, David Stelzl