Archives For wall street journal

U.S. Eyes Pushback On China Hacking

Reads the headline in today’s tech section of the Wall Street Journal.  Over the past several months there have been numerous articles published in the Journal – some saying this is real, others denying it…I appreciate one article stating that these attacks are small enough for our government to ignore, so that there is no one single incident demanding a response, but big enough to threaten the long term viability of some of the major companies in the US.  In another Journal article I read, “All major US companies have been successfully compromised…”  Where is this all headed?

Companies who insist “They’ve got it covered…” are in trouble in my opinion.  No company is really impenetrable.  In fact, the idea of using a pen-test to show your clients that their data is safe is a false sense of security.  A failure to break in simply shows the incompetence of the pen-testing team.  It certainly doesn’t mean the company is well secured.

In today’s article the Journal reports – “The Obama administration is considering a raft of options to more aggressively confront China over cyberspying,…, a potentially rapid escalation of a conflict the White House has only recently acknowledged.”  The key phrase here is, “Only recently.”  Why have government officials denied this for so long?  Perhaps for political and economic reasons. The Journal states it like this, “Before now, U.S. government officials and corporate executives had been reluctant to publicly confront China out of fear that stoking tension would harm U.S. national-security or business interests.”

Why are the Chinese on the attack?  “China is stealing trade secrets as part of plans to bolster its industry.”  It’s simple, the US has a greater capacity for innovation.  By invading company’s intellectual capital, other nations can cut thousands of man-days out of the R&D process.  Google, EMC, RSA New York Times, Wall Street Journal, and many other well-known companies, along with many federal organizations including the Pentagon, have reported problems traced back to China in recent years.  However, things like “dependency on China to underwrite U.S. debt and to provide a market for U.S. businesses,” have allowed these nation-state sponsored attacks to go unchallenged.

Recently our government officials have come out saying, “Cybersecurity threats are the greatest threat to our security—economic security, political security, diplomatic security, military security.”  No matter how big your customers are, cybersecurity is something you want to understand and engage them in.  We’ll be covering more on this threat in the coming weeks as we approach the May, Making Money w/ Security workshop.  I’m looking forward to seeing you there.

© 2013, David Stelzl

As I prepare for this week’s educational security event in Michigan, I am reminded that this is the perfect time to be reaching out to business owners with an educational message. Security issues are rampant, and businesses are being compromised every day.

I was talking with another one of my clients this morning reviewing  their blog posts and other educational social media programs online.  We were talking through some of the major challenges business owners face and what topics integrators and solution providers should be focusing on.  In his case, his entire company has moved to a security message simply because the need is there.  Everyone has a security need right now – areas may differ, but they all need it.  This is a time in history where security is urgent for businesses of all sizes.

In the case of the Michigan event, our initial response has been very strong – we’ll have a packed room for this event.  We have about 30 business leaders signed up – business owners and executives all facing the same issue; that of making sure their data is safe:

1. Wall Street Journal reports that 75% of employees admit to stealing data.  How should business owners view the hiring process and what steps should be taken to ensure new employees have the right access, with the right amount of accountability?

2. Gen Y hires are turning down jobs that won’t allow them to use their own smart phones and tablets.  How do companies address  this type of thing.  Smaller companies probably lack detailed employment policy handbooks and training on this sort of thing – what should they do?

3. Work-at-home programs are also growing.  The State of VA. has, in the past, offered a substantial grant to small businesses who move some of their office workers to home offices.  But how do these companies maintain control of  home based computers used to access sensitive information?

4. Recent advancements in malware have made many of the older anti-malware technologies useless.  With little or no info security skills on staff, how will these companies ensure computers are not infected with spyware and keystroke loggers?

5. Liabilities are growing as threats increase – what policies must be in place and how do these businesses deal with compliance?

On Thursday we will be going through some of the business level mindsets from my book Data@Risk to address the root problems most of these companies have.  It’s a difficult area for these businesses, but our goal is to give them some direction on how to get their company thinking about, and doing the right things to reduce the amount of exposure they have; things they can actually get started with right away.

© 2012, David Stelzl

Sound bites are a term I use for collecting and memorizing powerful statistics or statements that come from credible sources like The Wall Street Journal.  By themselves, they won’t sell a thing – in fact most technology sales people are guilty of overusing them, or using them with the wrong people.  They have two purposes:

  1. They build credibility when taken from the right sources
  2. They soften cries from IT that the company has everything they need – “We have it covered”, they claim.

When the buyer hears powerful statements from The Wall Street Journal telling them that Visa, MasterCard, and the Pentagon have experienced major attacks and are unable to defend themselves, it is hard to sit there and claim to be in better shape – especially in the small and mid market companies.  In today’s session we explore marketing theory and what it is that actually motivates the buyer to carve out funding for major security projects.  We use the sound bites to accomplish their task, but then move on to more advanced marketing strategies (ones that should be taught in school, but just aren’t).  Here are some of the sound bites sent to me as part of last night’s homework…I thought everyone might benefit from seeing some of these things.  Note:  These are in not particular order, and may not even by the most significant…just a sampling.  Feel free to add more powerful ones if you like.

1. The people in the IT department pose the biggest risks to data security. They can access nearly anything on the network, usually with no one looking over their shoulders. WSJ 4/4/12
2. 56% of those surveyed (WSJ) after financial crimes were committed, said the most serious crimes involved insiders WSJ 4/4/12

3. 53% of respondents indicated IT was involved in serious cyber crimes involving money over the past year 4/4/12 (WSJ)

4. Damage is only just now coming to light in the form of millions of false 2011 income tax returns filed in the names of people currently receiving Social Security benefits – reported by WSJ for Puerto Rico, but not the US – just coming out now!  Cringely Report.

5. Out of 47 attempts last year, hackers managed to penetrate NASA’s computer network 13 times – Ziff Davis  – March 2, 2012

6. Global Payment Inc – shares dropped 9% after disclosing a cyber attack – Reuters.3/30/12 – affected Visa, MasterCard, Amex, and Discover – 10 Million Card holders affected  (all 4 had stock price drops as a result).

6. The Chinese People’s Liberation Army (PLA) runs a very active industrial espionage program because it has the joint mission of ensuring both military and economic security. So when companies from another country attempt to do business with a Chinese company or agency in an important area of technology, the PLA helps give its side an advantage by stealing data from the other side. They use the same targeted cyber-intrusion techniques they use to steal military secrets. They are after the “play books”–the documents that tell what the company is willing to give up and where it will hold the line. That data gives their side an advantage in negotiations. Sometimes, as in the Google case, they just steal the technology they want.  (FBI discussion with SANS – March 2012)

7. Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is “unsustainable.” Computer criminals are simply too talented and defensive measures too weak to stop them WSJ 3/28/12

8. James A. Lewis, a senior fellow on cybersecurity at the Center for Strategic and International Studies,  I think we’ve lost the opening battle [with hackers].” Mr. Lewis said he didn’t believe there was a single secure, unclassified computer network in the U.S.  WSJ  3/28/12

9. 24 Million customers compromised through Sony PlayStation last year, over 100 million on NASDAQ.  WSJ 3/28/12

© 2012, David Stelzl

Yesterday we completed our first day of Making Money w/ Security – an online security sales course I provide through webex.  As security trends evolve, one area has become particularly interesting to me – that of social media and how it can be used as a vehicle for social engineering.  After class one attendee passed on an article from the WSJ, Spam Finds a New Target…here are some important points from the Wall Street Journal’s write up…

  • Facebook blocks over 200 million malicious actions every day!
  • In August 2011, over 92% of email messages were spam messages, in Nov, over 70%.  These numbers fluctuate month to month, but they are always high.
  • Twitter and Facebook are the new targets – people are on to the email problems, but social media is wide open as people accept friend requests from unknowns.  In fact, in another recent article, WSJ reported on a study showing the number of men who gave out sensitive information, including passwords, to a white hat hacker posing as a 25 year old woman using social media!  Incredible, but believable.

As I speak to executives around the world at Lunch & Learns and other customer facing events, I am hearing the need to leverage social media as a means of marketing and branding.  I agree, this is a tool that can accelerate any company’s business when used correctly.  But this also opens the door for users, who are completely unaware of the security risks, to invite predictors to install code on their machines.  The same machines that will later access the company’s most sensitive data.  If you are not attending Making Money w/ Security this week, stay tuned – we’ll be scheduling more later this year.

© 2012, David Stelzl

Remember the sound bites….bits of information that come from credible sources like the Wall Street Journal or other mainline news sources.  I prefer ones that IT does not frequent – it widens the gap between what you know and their ability to hijack an executive level meeting.   A few pointers on sound bites:

  • I mostly post these on twitter now – make sure you are following
  • You don’t need hundreds, you need a few hardcore, recent, security sound bites
  • They must be on the tip of your tongue – memorize them and practice them
  • Use them to grab your audience – make sure they are attention grabbing
  • Sales are emotional, sound bites are not.  Use the sound bites early on, then move to emotional sales stories.
  • Save them for management – not the technical people.  They don’t really care.
  • If you spend 15 minutes on this each morning, it will pay back a hundred fold!

Looking back at the information security sales training programs I’ve run, this has been one of the highlights for those who have attended!

© David Stelzl, 2010