Category Archives: data loss

Clean out your contact lists

I recently watched Rob Braxman on the security of encrypted messaging apps like Signal and WhatsApp. In his video, Rob pointed out that many apps access our contact lists and build webs of associations. Even though the cryptography protecting message contents is generally effective, it may be possible for law enforcement and intelligence agencies to know the identity of a person’s connections.

Let’s dig deeper.

If a law enforcement agency considers you a person of interest, they may discover that you use encrypted messaging apps like Signal. While law enforcement will not be able to easily view the contents of your conversations, they will be able to see with whom you are conversing.


Also, the appearance of using an encrypted messaging app could suggest that you have something to hide.

Let’s look at this from a different perspective. Consider an active law enforcement investigation focusing on a particular person. If you are in the person’s contact list, and if that person is known to be communicating with you on an encrypted service, then you may become another person of interest in the investigation.

I watched Rob’s video twice, and then I recalled something I see in Signal often: when someone in my contact list installs Signal, I get a notification from Signal that the contact is using the app. I recently noticed that I frequently do not recognize the contact’s name, and I dismiss the notification. I’ve had this occur dozens of times this year.

Then it hit me: I have been collecting contacts for decades, and they’re stored in multiple services (primarily, Yahoo and Google). In previous jobs, I’ve had associations with numerous clients, partners, vendors, co-workers, and other associates, resulting in an accumulation of thousands of contacts, most of whom I barely know.

Last week, I found it difficult to rationalize keeping all of these contacts and purged them. In Google alone, I had well over one thousand contacts. After spending time last weekend deleting extraneous contacts, I’m down to about three hundred, and I might go back through them and remove many more.

Encrypted apps and your association with contacts are not the only risks related to maintaining a long contact list. Another issue is this: if someone breaks into any of my services where I keep many contacts, I don’t want people getting Joe Job and other attacks made possible through contact harvesting.

Until recently, I didn’t consider my accumulated contacts a liability, but I do now.

In my day job, one of my responsibilities includes leading numerous programs, including data governance, which includes data classification and data retention. And, having been a QSA for many years, the concepts of data-as-asset and data-as-liability are clear to me. For instance, retaining credit card data after a transaction has been completed may provide value to an organization. Still, it also presents itself as a liability: if that stored card data is compromised, the consequences may significantly outweigh its benefit. Somehow, I didn’t apply this concept to personal contact data. Thanks again to Rob Braxman for nudging me to realize that contact data can be just as toxic as other forms of sensitive information.

Postscript: think about this in another way: would you want others you worked with in the past to remove you from their contact lists?

Backups – the apparently forgotten craft

At the dawn of my career, I worked in two different old-school computer mainframe operations organizations. We spent a considerable amount of time (I’m estimating 20%) doing backups. Sure, computers were a lot slower then, and we had a lot less data.

We did backups for a reason: things happen. All kinds of things, like hardware failures, software bugs, accidents, mistakes, small and large disasters, and more. I can recall numerous times when we had to recover individual files, complete databases, and ground-up (“bare metal”) recoveries to get things going again.

We didn’t wait for these scenarios to occur to see whether we could do any of these types of restores. We practiced, regularly. In one mainframe shop early in my career, we completely restored our OS every Sunday night. Okay, this was in part a storage defragmentation measure and performed mainly for this purpose. However, we were still doing a bare metal restoration, precisely like what we would do if our data center burned down and we had to recover our data and applications on a different system.

Was this exciting work? Certainly not.

Interesting? Not in the least.

Essential? Absolutely.

So what am I getting at here? Am I merely reminiscing about the good old days? Hardly.

I’m talking about ransomware. At times, it’s difficult for me to sympathize with the organizations that are victims of ransomware. It’s hard for me to rationalize why an organization would even remotely consider paying a ransom, particularly when the FBI reported that only about half of organizations would be able to decrypt their data when they paid the ransom. (Sorry, I cannot find the link to that advisory; I’ll keep looking and update this article when I find it.)

A survey by Kaspersky indicated some facts that shocked me:

  • 37 percent of respondents were unable to accurately define ransomware, let alone understand the damage it can deliver.
  • Of those survey respondents who suffered a ransomware attack, 40 percent said they would not know the immediate steps to take in response.

I’m amazed by these results. Do IT organizations no longer understand IT operations fundamentals that have been around for decades? I hate to sound harsh, but if this is the case, organizations deserve the consequences they experience when ransomware (or human error, or software bugs, etc.) strikes.

That said, I am acutely aware that it can be difficult to find good IT help these days. However, if an organization is crippled by ransomware, it has already gone “all-in” with information technology but neglected to implement common safeguards like data backup.


Security: Not a Priority for Retail Organizations

Several years ago, VISA announced a “liability shift” wherein merchants would be directly liable for credit card fraud on magstripe card transactions. The deadline for this came and went in October 2015, and many merchants still didn’t have chip reader terminals. But to be fair to retailers, most of the credit/debit cards in my wallet are magstripe only, so it’s not ONLY retailers who are dragging their feet.

My employment and consulting background over the past dozen years revealed plainly to me that retail organizations want to have as little to do with security as possible. Many, in fact, even resist being compliant with required standards like PCI DSS. For any of you who are unfamiliar with security and compliance, in our industry, it is well understood that compliance does not equal security – not even close to it.

I saw an article today, which says it all. A key statement read, “There is a report that over the holidays several retailers disabled the EMV (Chip and Pin) functionality of their card readers. The reason for this? They did not want to deal with the extra time it takes for a transaction. With a standard card swipe (mag-swipe) you are ready to put in your pin and pay in about three seconds. With EMV this is extended to roughly 10 seconds.” Based on my personal and professional experience with several retail organizations, I am not surprised by this. Most retailers just don’t want to have to do security at all. You, shoppers, are the ones who pay the price for it.

The security breaches continue

As of Tuesday, September 2, 2014, Home Depot was the latest merchant to announce a potential security breach.

These days, this means intruders have stolen credit card numbers from its POS (point of sale) systems. The details have yet to be revealed.

If there is any silver lining for Home Depot, it’s the likelihood that another large merchant will probably soon announce its own breach. But one thing that’s going to be interesting with Home Depot is how they handle the breach, and whether their CEO, CIO, and CISO/CSO (if they have a CISO/CSO) manage to keep their jobs. Recall that Target’s CEO and CIO lost their jobs over the late 2013 Target breach.

Merchants are in trouble. Aging technologies, some related to the continued use of magnetic stripe credit cards, are making it easier for intruders to steal credit card numbers from merchant POS systems. Chip-and-PIN cards are coming (they’ve been in Europe for years), but they will not make breaches like this a thing of the past; rather, organized criminal organizations, which have made a lot of money from recent break-ins, are developing more advanced technologies like the memory-scraping malware that was allegedly used in the Target breach. You can be sure that there will be further improvements on the part of criminal organizations and their advanced malware.

A promising development is the practice of encrypting card numbers in the hardware of the card reader, instead of in the POS system software. But even this is not wholly secure: companies that manufacture this hardware will themselves be attacked, in the hope that intruders will be able to steal the secrets of this encryption and exploit it. In case this sounds like science fiction, remember the RSA breach, which was very similar.

The cat-and-mouse game continues.

Recovery Capacity Objective: a new metric for BCP / DRP

Business continuity and disaster recovery planning professionals rely on well-known metrics that are used to drive planning of emergency operations procedures and continuity of operations procedures. These metrics are:

  • Maximum Tolerable Downtime (MTD) – this is an arbitrary time value that represents the greatest period of time that an organization is able to tolerate the outage of a critical process or system without sustaining permanent damage to the organization’s ongoing viability. The units of measure are typically days, but can be smaller (hours, minutes) or larger (weeks, months).
  • Recovery Point Objective (RPO) – this is a time value that represents the maximum potential data loss in a disaster situation. For example, if an organization backs up data for a key business process once per day, the RPO would be 24 hours. This should not be confused with recovery time objective.
  • Recovery Time Objective (RTO) – this is a time value that represents the maximum period of time that a business process or system would be incapacitated in the event of a disaster. This is largely independent of recovery point objective, which is dependent on facilities that replicate key business data to another location, preserving it in case the primary location suffers a disaster that damages business data.
  • Recovery Consistency Objective (RCO) – expressed as a percentage, this represents the maximum loss of data consistency during a disaster. In complex, distributed systems, it may not be possible to perfectly synchronize all business records. When a disaster occurs, often there is some inconsistency found on a recovery site where some data is “fresher” than other data. Different organizations and industries will have varying tolerances for data consistency in a disaster situation.

In my research on the topic of business continuity planning and disaster recovery planning, I have not come across a standard metric that represents the capacity of a recovery system to process business transactions, as compared to the primary system. In professional dealings I have encountered this topic many times.

A new metric is proposed that is used to establish and communicate a recovery objective that represents the capacity of a recovery system:

  • Recovery Capacity Objective (RCapO) – expressed as a percentage, this represents the capacity of a recovery process or system as compared to the primary process or system.

Arguments for this metric:

  • Awareness. The question of recovery system capacity is not consistently addressed within an organization or to the users of a process or system.
  • Consistency. A standard metric for recovery system capacity gives organizations one agreed way to state and compare it, which in turn makes the metric easier to adopt.
  • Planning. The users of a process or system can reasonably anticipate business conditions should a business process or system suffer a disaster that results in the implementation of emergency response procedures.
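The following is an added example, not part of the original post, showing how RCapO sits beside the other four metrics in a plan review: each objective is compared with what the recovery arrangement has actually been measured or drilled to deliver. The sample objectives and capabilities are constructed, and the consistency model used for RCO (a dataset counts as consistent if it was captured in the latest replication cycle) is an assumption for the sake of the example.

```python
from dataclasses import dataclass, field


@dataclass
class Objectives:
    """Targets the business sets, in the units the post uses."""
    mtd_hours: float      # Maximum Tolerable Downtime
    rpo_hours: float      # Recovery Point Objective: most data loss tolerated
    rto_hours: float      # Recovery Time Objective: longest outage tolerated
    rco_percent: float    # Recovery Consistency Objective: least % of data consistent
    rcapo_percent: float  # Recovery Capacity Objective: least % of primary capacity


@dataclass
class Capabilities:
    """What the recovery arrangement actually delivers, from measurements and drills."""
    replication_interval_hours: float  # how often data reaches the recovery site
    tested_restore_hours: float        # wall-clock time of the last full restore drill
    primary_tps: float                 # transactions/second the primary system handles
    recovery_tps: float                # transactions/second the recovery system handles
    dataset_ages_hours: dict = field(default_factory=dict)  # data age per dataset at the recovery site


def achieved_rpo(c: Capabilities) -> float:
    # Worst case: the disaster strikes just before the next replication run.
    return c.replication_interval_hours


def achieved_rcapo(c: Capabilities) -> float:
    # RCapO as the post defines it: recovery capacity as a percentage of primary capacity.
    return 100.0 * c.recovery_tps / c.primary_tps


def achieved_rco(c: Capabilities) -> float:
    # Assumed simple consistency model (not from the post): a dataset is consistent
    # with the recovery point if it was captured in the latest replication cycle.
    if not c.dataset_ages_hours:
        return 100.0
    fresh = sum(1 for age in c.dataset_ages_hours.values()
                if age <= c.replication_interval_hours)
    return 100.0 * fresh / len(c.dataset_ages_hours)


def evaluate_plan(o: Objectives, c: Capabilities) -> dict:
    """Map each metric to (achieved, objective, meets_objective)."""
    rpo, rto, rco, rcapo = achieved_rpo(c), c.tested_restore_hours, achieved_rco(c), achieved_rcapo(c)
    return {
        "rto_within_mtd": (o.rto_hours, o.mtd_hours, o.rto_hours <= o.mtd_hours),
        "rpo": (rpo, o.rpo_hours, rpo <= o.rpo_hours),
        "rto": (rto, o.rto_hours, rto <= o.rto_hours),
        "rco": (rco, o.rco_percent, rco >= o.rco_percent),
        "rcapo": (rcapo, o.rcapo_percent, rcapo >= o.rcapo_percent),
    }


def gaps(o: Objectives, c: Capabilities) -> list:
    """Names of the metrics the plan fails to meet."""
    return [name for name, (_, _, ok) in evaluate_plan(o, c).items() if not ok]


# Constructed sample: an order-processing system with a warm standby site.
SAMPLE_OBJECTIVES = Objectives(mtd_hours=72, rpo_hours=24, rto_hours=48,
                               rco_percent=90, rcapo_percent=50)
SAMPLE_CAPABILITIES = Capabilities(replication_interval_hours=24, tested_restore_hours=36,
                                   primary_tps=1000, recovery_tps=400,
                                   dataset_ages_hours={"orders": 2, "inventory": 2, "crm": 30})

if __name__ == "__main__":
    for name, (got, want, ok) in evaluate_plan(SAMPLE_OBJECTIVES, SAMPLE_CAPABILITIES).items():
        print(f"{name:15} achieved={got:<8g} objective={want:<8g} {'OK' if ok else 'GAP'}")
```

In the constructed sample the plan meets RPO and RTO but the standby runs at 40% of primary capacity and one dataset is a cycle stale, which is exactly the kind of shortfall users would never learn about unless RCapO is stated alongside RTO and RPO.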

Why there will always be security breaches

At the time of this writing, the Target breach is in the news, and the magnitude of the Target breach has jumped from 40 million to as high as 110 million.

More recently, we’re now hearing about a breach of Neiman Marcus.

Of course, another retailer will be the next victim.  It is not so important to know who that will be, but why.

Retailers are like herds of gazelles on the African plain, and cybercriminals are the lions who devour them.

As lions stalk their prey, sometimes they choose their victim early and target them. At other times, lions run into the herd and find a target of opportunity: one that is a little slower than the rest, or one that makes a mistake and becomes more vulnerable. The slow, sick ones are easy targets, but the healthy, fatter ones are more rewarding targets.

As long as there are lions and gazelles, there will always be victims.

As long as there are retailers that store, process, or transmit valuable data, there will always be cybercriminals that attempt to steal that data.

A perspective on endpoint security

I’m preparing a webinar on endpoint security and was thinking about the problem while on a flight to Chicago. Consider it this way: in an organization with 10,000 employees, you’ve got your servers in the data center managed by IT. But you’ve got 10,000 more machines with the same – or more – complication than those servers. These machines also have access to sensitive data and often store it themselves.

But there’s more. Those 10,000 machines are managed by non-technical people who have the same system-level privileges as trained and certified system engineers. And not only that, but those 10,000 machines are not in your data center but out of your physical control, often operating in external environments away from really important network security controls such as firewalls, data leakage prevention, command & control detection, and intrusion prevention systems. These are our endpoint systems. Is it any wonder we are living in the era of colossal security breaches?

This is insanity, but there is a way out.

New Year’s Resolutions: safer Internet usage

Celebration of the New Year is a time of looking back at the closing year and looking forward to the new year. This is often a time when we set new personal goals for improving our lives in meaningful ways.

Given how much we all use personal computing (you do if you are reading this), all of us can stand to make one or more improvements in our computing hygiene, making us safer and better off.

This article contains categories of ideas that you can choose from. Read through these and decide which of them will be best for you to adopt as a resolution.

Home computing

  • Back up your data, so that you can recover it in case of theft, disaster, or other loss.
  • Keep your anti-virus working and healthy.
  • Configure your computer to automatically download and install security patches.
  • Use an online virus scanner to scan your computer, in case your installed anti-virus misses one.
  • Use different user accounts for each family / household member.
  • Use OpenDNS to help prevent visiting phishing sites.
  • Use OpenDNS to restrict the types of sites that can be visited from your home (or office) network.
  • Tune up your home firewall (which may be in your DSL router or cable modem).
  • Use different passwords for each online site you log in to; use a password vault to remember your passwords.

Safe smartphone usage

  • Choose a good unlock password for your smartphone. If you insist on using numeric only, use 8 or more digits.
  • Set your smartphone auto-lock to 15 minutes or less.
  • Keep track of where your smartphone is at all times.
  • Install a “find my smartphone” app to discover its location if lost or stolen.
  • Do not save any passwords on your smartphone.
  • Limit your access to sensitive / valuable information (e.g. online banking) from your smartphone, especially if it is Android.

Protecting your identity

  • Keep your anti-virus working and healthy.
  • Check your credit report at least once per year (or, more ideally, every four months by checking your credit report for a different bureau each time).
  • Be conscious of where and how you provide personal information (name, address, date of birth, etc.) to online sites.
  • Resist the urge to click on links or documents in suspicious looking e-mail messages. If it sounds too good to be true, it probably is a scam.
  • Carefully review all financial statements from banks and credit cards. Consider closing some accounts if you have too many.
  • Get a home safe or use a bank safe deposit box to store valuables such as passports, birth certificates, seldom-used credit cards, and other valuables.
  • Use a home shredder to shred documents containing sensitive or personal information.

If you feel you need to start doing all of the above, I suggest you choose the few that are most important and establish them as good habits. Then, return to this list and choose a few more to implement. If you attempt to make too many changes at once, you might become frustrated by all of the changes and revert back to your old ways.

New Christmas computer, part 3: data backup

You’re a few days into your new computer and you are getting used to how it works. Probably you’ve figured out where all of the controls are located in terms of look-and-feel, so by now you’ve been able to personalize it (wallpaper, colors, mouse/touchpad behavior, and so on) and make it “yours.”

If you save data locally in your computer, whether it’s photos, documents, or data related to a local application, the longer you keep your data just on your computer, the more at risk you are of losing your data should something go wrong.

There are a lot of ways to lose your data, and if your data is at all important to you, then you should sit up and pay attention. Sooner or later, you’ll find some or all of your data has gone missing. A few of the ways this can happen are:

  • Stolen computer
  • Hard drive failure (this can happen to SSDs too – you’re not immune)
  • Operating system or application malfunction
  • User error

Rather than describe specific tools or services, instead I’ll describe the general methods that can be used to back up your data, as well as some principles that will help you make good decisions about how to back up your data.

Backing up your data means simply this: making a copy of it, from time to time, for safe keeping, in case something goes wrong.

Available methods for backing up your data include:

  • Copying to a thumb drive, external hard drive, or a CD or DVD
  • Copying over your network to another home (or office) computer
  • Time Machine, if you use a Mac
  • Copying to a cloud-based storage provider such as Mozy, Dropbox, or iBackup.
  • Copying to backup media such as magnetic tape

Let’s talk about the location of your backup data. This matters a lot, and you have some choices to make here. The two main choices for location are:

  • Near you and your computer. When you keep your backup data close by, you will be able to conveniently recover any data that you might lose for most any reason: accidental deletion, updates you wish you didn’t make, hardware failures in your computer, or software bugs that helped to corrupt your files. Do be aware, though, that if you only keep your backup data near your computer, then certain events such as fires, floods, or theft may result in your computer and your backup data being lost. For this reason you will want to consider keeping your backup data away from you and your computer.
  • Far away from you and your computer. When you keep your backup data far away from you, it may be slightly less convenient to recover data, but the main advantage is that most types of disasters that may happen to you (fire, flood, theft) are not likely to affect both your original data and your backup data.

One thing to keep in mind is that you don’t have to make an OR-type decision about where to keep your backup data. There is no reason why you cannot do both: keep backup data nearby, and keep backup data far away. This will help to protect you from events like accidental erasure as well as disasters like fires or floods.
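As an added example, not from the post, here is a small script that carries out the two habits described above and in “Backups – the apparently forgotten craft”: it makes both a nearby and a far-away copy of a folder with a SHA-256 manifest, checks each copy against the manifest, and then rehearses a restore into a scratch directory rather than waiting for a real loss. The sample files, the two destination folders and the deliberate damage to the nearby copy are all constructed inside a temporary directory.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "manifest.json"  # written into every backup set


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> dict:
    """Copy every file under source into dest and record a SHA-256 manifest."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {"created": time.time(), "files": {}}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest["files"][rel] = sha256_file(target)  # hash the copy, not the original
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_backup(dest: Path) -> list:
    """Files in the backup set that are missing or no longer match the manifest."""
    manifest = json.loads((dest / MANIFEST).read_text())
    return [rel for rel, digest in manifest["files"].items()
            if not (dest / rel).is_file() or sha256_file(dest / rel) != digest]


def backup_age_hours(dest: Path) -> float:
    """How stale the backup set is; compare against the data loss you can accept."""
    return (time.time() - json.loads((dest / MANIFEST).read_text())["created"]) / 3600


def restore_drill(dest: Path, scratch: Path) -> list:
    """Restore the set into scratch and report files that did not come back intact."""
    manifest = json.loads((dest / MANIFEST).read_text())
    for rel in manifest["files"]:
        (scratch / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, scratch / rel)
    return [rel for rel, digest in manifest["files"].items()
            if sha256_file(scratch / rel) != digest]


def demo() -> dict:
    """Constructed scenario: two copies, one of which is silently damaged afterwards."""
    root = Path(tempfile.mkdtemp())
    src, near, far, scratch = (root / n for n in ("docs", "near", "far", "scratch"))
    (src / "photos").mkdir(parents=True)
    (src / "thesis.txt").write_text("chapter one")
    (src / "photos" / "cat.jpg").write_bytes(b"\xff\xd8constructed")
    make_backup(src, near)  # the copy kept next to the computer
    make_backup(src, far)   # the copy that goes off-site
    (near / "thesis.txt").write_text("chapter one, corrupted")  # bit rot, malware or a mistake
    result = {
        "near_bad": verify_backup(near),
        "far_bad": verify_backup(far),
        "drill_bad": restore_drill(far, scratch),
        "far_age_ok": backup_age_hours(far) < 24,
    }
    shutil.rmtree(root)
    return result
```

The point of the drill is that a backup you have never restored is a hope, not a backup: the nearby copy here passes a casual glance but fails the manifest check, and only the off-site copy restores cleanly.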

Out of your control

One important matter to keep in mind is this: if you are considering use of any of those cloud-based data storage services, then you have to understand the risk of another type of data loss: a compromise of the security used by the data storage service, which could lead to your data being exposed to others. Many cloud based data storage services describe mechanisms such as encryption that they use to protect customer data. But what may seem like solid protection may instead only be window dressing. Depending on the sensitivity of the data you are considering keeping with a cloud-based storage service, you might consider encrypting it yourself before copying it to the storage provider, or you might consider using a different storage provider. Unless you are an expert in data security, you may need to consult with a security expert who may be able to better understand the effectiveness of a storage provider’s claims of safety and security.

My own methods

Being Mac users, we use Time Machine for automatic incremental backups that occur on an hourly, daily, and weekly basis. I rotate two different external hard drives for my Time Machine backups, and usually keep the other hard drive in a safe or take it to work. I also use an Internet based data backup service and regularly back up my most important current information to the service (such as book manuscripts I am currently working on).
