
The Russian Password “Store” – 1.2 Billion Reasons to Be Concerned about Security, or Ho-Hum?


We are in the middle of security conference season. Therefore, it’s not entirely unexpected to see headlines from Black Hat and other conferences discussing “grave” security threats, and what they mean to our ability to protect our organizations and ourselves.

Arguably, the biggest headline of the past few weeks has been the purported discovery of Russian hackers having access to 1.2 billion usernames and passwords across hundreds of thousands of sites. This number has been subject to some scrutiny, as has the methodology and motivation of the individual who disclosed the data store. Indeed, the “1.2 billion records” number seems to be shrinking by the day.

So, is this a turning point as some media outlets seem to think? Honestly, many of us who live and breathe security every day see it a different way:

  • This should not be a surprise to anyone. While large username and password breaches make the news, smaller, lesser-known leaks occur on a regular basis, so the collection of such a list would not be unusual.
  • We have been suggesting for some time that this is the precise reason why protecting usernames and passwords is so critical – it just isn’t possible to know the scope of every breach, and what records are out there.
  • We have NO idea how many of these records are encrypted or clear-text. The notification from the company responsible for disclosing the information did not specify what state the credentials were in.

In other words, I personally do not see this as a particularly earth-shattering event. That said, it is indeed a teachable moment. I think some useful lessons can be learned from this.

Protecting Accounts

We all can use periodic reminders that protecting our usernames and passwords is important. Nearly everyone is guilty of having at least one weak username or password out there. I think many folks are starting to get the message that strong password selection is indeed important. That in and of itself reduces risk in many cases – longer, more complex passwords are typically more difficult to “crack” when stored in an encrypted format. Give your password the best chance of surviving a cracking attack by making it strong.

Aside from strength, this is an excellent opportunity to revisit the notion of unique per-site passwords. The goal is to have each site we log into have a unique password, which reduces the risk of a single password being compromised on a poorly-secured site and being usable on an otherwise secure one.

For example, if your password on a small, poorly-secured Internet vendor selling widgets is the same as your banking password, attackers may be able to compromise the weaker site, steal your credentials, then try them against various more important sites, including banks. Your banking password has been reduced to the lowest common security denominator.

Selecting unique per-site passwords may sound difficult, if not impossible. However, it’s actually quite easy. Password safes such as KeePass can allow you to locally store your passwords in an encrypted format with a master key, where you can retrieve them as-needed.

Such password stores can also automatically generate long, complex passwords on demand such that you don’t have to keep thinking them up. By using per-site passwords, you dramatically reduce the risk of a breach affecting large portions of your Internet life. Perpetrators may compromise one site, but they are going to have to work at breaking each one rather than just the weakest link.

Constant Vigilance

As I mentioned, this “breach” probably isn’t news to many folks in the security industry. It does, however, remind us that this type of accumulation of data is occurring constantly, much of which is unseen. I respectfully submit that, if you wait for news like this to occur and are panicked into taking action, you may wish to reconsider how you are managing account security.

When I am browsing the Internet, buying items – yes, I do buy things online despite the risks – or even banking, I am aware that it is entirely possible someone has stolen the database powering the website. It’s an admittedly cynical view, but it helps me focus on protecting my identity. When I assume someone already has my data, I can consider a few things, all of which I would suggest can help make anyone more secure:

  • If I assume data was stolen, how comfortable am I that the data was well-encrypted? A bank, I presume, will get that part right, but what about a small vendor? If I think there’s a reasonably good chance of poor encryption, I consider other methods of protecting myself.
  • Do I need to periodically change my password? This is governed by my own comfort level with a site, how long the password is, when it was last changed and other factors. Regularly changing passwords may or may not have benefit, and it certainly isn’t any fun. But I want to be thinking about the risks of doing so or not doing so.
  • Was this password used elsewhere? If so, I am likely to be more concerned, unless it is data I literally don’t care about.
  • Does the leakage of data from this site provide an attacker with anything I am uncomfortable with? I am going to be far more concerned about sites with medical information about me than I will about what parts I happened to purchase for my project car in the garage. I will factor this into how complex I make a password, and how often it gets changed.
  • Can I use fake information? I do this a lot with online purchases where I am not having anything shipped. There’s no reason for a seller to know my true street address in many cases, so I don’t provide it. Someone at 123 Sesame Street may be getting a lot of junk mail, though…

If you are responsible for the security of an organization, similar trains of thought can be used to gauge your organization’s risk. How likely is it your data has or will be stolen? (Hint: it’s not a zero probability.) How well protected is the data? Do you need to force users to change their passwords? (Ask eBay about this one.)

Stay Informed

The more informed we all are, the better we can be prepared. I am a strong advocate of routinely monitoring security feeds for news about breaches, trends, concerns and such, then applying those lessons to my personal and professional lives. Every user has the same ability – take just a few minutes every week and see what’s going on out there.

Decide if it has an impact on you, or if it changes your risk calculus. There will always be risks; the tricky part is determining which ones hold enough relevance for us to do something about them.

Do not wait for some headline to light a fire under you in terms of protecting your data, and that of your organization. Ongoing diligence is essential to reducing our risk in traversing what is becoming an increasingly hostile Internet environment.


Application Optimization Can Make Efficient Use of Bandwidth and Boost Performance, but Implementation Can Be Tricky


I recently took part in a small executive dinner panel to provide an integrator’s perspective on the topic of application optimization. This event was produced by IDG/CIO magazine and moderated by one of its editors.

CDW hosted the event in partnership with F5 Networks, who also had a subject matter expert on the panel along with a local customer. It was a great evening with about 35 people from the Seattle area attending. I like attending these events, as you get to hear the real-life stories – straight from the trenches – of how IT professionals are dealing with various issues.


What You Need for an Effective HIPAA Security Risk Assessment


Good risk assessments tend to include at least three distinct assessment components of varying complexity, followed by a good reporting system with internal and external checks and balances.

While specifically designed for the Health Insurance Portability and Accountability Act (HIPAA), this general methodology could be used for any assessment project with a compliance component. For example, this could include the Payment Card Industry (PCI) credit card rules or the Gramm–Leach–Bliley Act (GLBA) for financial institutions – with a few minor changes.


Microsoft Surface Pro 3: The “Notelet” that’s Bigger, Brighter and Bolder


As promised in a previous blog post, I’ve done some road testing (planes, trains and automobiles) with Microsoft’s new Surface Pro 3. The only way for me to do this right was to use the device as my main computing device. So I finally got my Surface on the company network, installed Symantec Endpoint Protection, Office 365, Adobe Creative Cloud, Box.com and I was up and running in no time.

Actually, I probably spent more time downloading software, syncing docs and installing Windows and Office updates than actually doing any setup/customization work. But that was expected since it was a brand new machine.


Getting Your Feet Wet with IT Orchestration


In a prior post I offered the recommendation of surveying your staff before you jump into orchestration. Did you find any nuggets? Was your staff excited to hear about the initiatives or were they hesitant? Were there any organizational changes you could make to better set yourself up for success?

When you got answers, you probably found the good along with the bad. As I brought up before, this is to be expected and should be thought of as your base IT footprint. You are always better for knowing what your strengths and weaknesses are. Not facing them for what they are means you would only be stacking the deck against yourself.

Software: Business Expense or Business Asset?


Software is what’s required to make the train run on time and keep the lights on, or perhaps a little more tangibly stated, software is what some IT guy writes to produce those reports that management expects at the end of every month.

Software is everywhere and it’s a lot of things, but in accounting terms, it’s merely an operating expense. In other words, software is merely a cost you must control to positively affect the bottom line.


Cloud Computing – Start Small, Win Big


The word “cloud” is thrown around today like the word “green” was about 5 years ago. With all that background noise, it becomes a problem to discern whether or not this technology is beneficial for an organization, or just another craze. To confuse issues more, there is rampant “cloud washing,” wherein products that are not cloud native are being branded as such to garner attention.


Healthcare and the Cloud: A Warming Relationship


For a long time, security concerns have hindered cloud computing implementation among healthcare organizations. That this is changing should not be surprising if you consider that when the stethoscope was first invented in 1816, doctors originally thought it too cumbersome to use. By 1850, stethoscopes were widely used among most doctors.

In fact, history is full of examples where emerging technologies have been met with initial skepticism. But now it would be hard to imagine our lives without them. For example: the personal computer or the mobile device…and yes, admittedly, I am one of THOSE whose smartphone is connected to me nearly 24/7.