Cybersecurity Training Trickle Down Theory

When top executives are seen participating in cybersecurity training and practices it trickles down.  Each layer below them sees the one above taking it seriously and takes it seriously themselves.  We, as leaders, need to set the example, be seen doing so, and clearly set expectations for the trickle down of a cyber secure organization.

After the private email server used for official communications at the US Department of State came to light, it was reported that former Secretary of State Hillary Clinton had completed no security briefings or courses on the proper handling of classified materials or on how to conduct communications while she served.

Many have said that ignorance is no excuse.  Many have said she should have known the content was classified regardless of markings.  Nearly all acknowledge that it is the responsibility of each individual, including top executives, to handle classified or other sensitive corporate or government information appropriately.

How do executives gain the skills they need to handle email and cybersecurity appropriately?  What happens when executives do not attend training?  What unspoken message is sent to subordinates when executives don’t attend training?

As seen at the US State Department and at numerous corporations, training needs to be conducted at all levels, and every level needs to see those above them take it seriously and attend it.

When top executives don’t take or aren’t seen taking cybersecurity training it sends a clear message to everyone in the organization that cybersecurity isn’t important and doesn’t warrant their time and concentration.

What do you want to trickle down in your organization?  Insecurity that breaks down the organization, or practical cybersecurity that builds it up?  Your actions will speak louder than any security poster in the break room or missive on the organization Intranet in making sure that what should trickle down does trickle down.  Be secure out there!


SMB are Not Low Value Targets to Cyber Criminals

In 2015, 74 percent of small and medium-sized businesses (SMBs) reported a security breach. In response, less than 10 percent of them say they are increasing cyber security budgets in 2016.  Why is this so?

Many small and medium-sized businesses believe the myth that they don’t face a threat, but that is simply not true. To a cyber criminal, an SMB looks like an opportunity because less is believed to be in place to protect its data. That data might be information about clients, customer details or bank details, or the SMB might simply be a way into one of its customers’ systems where the two are linked through e-commerce, by email or in some other way.

Ransomware is a low-cost (to the cyber criminals) tool that affects large enterprises, SMBs and individuals alike. The bad guys do not ask for millions from their victims but instead ask for a sum of money that is significant but affordable to the organization or individual under attack.

The typical ingress point for ransomware is a user who clicks on links in emails or opens attachments. SMBs should train their employees on avoiding this scam.  When it happens, if you have not done your due diligence of backing up your data, you may be tempted to pay the ransom. Before paying the ransom to get back to business, consider first that the sum you pay may be going to a criminal enterprise that is involved in gun running, human trafficking, child exploitation, or other unsavory lines of crime.  Secondly, many companies and individuals have found either that the criminals don’t provide the key even after paying up, or that the key given unlocks only a portion of the files and is followed by a demand for more money for the next set, and the next set, and . . .  . Also, the fact that you are willing to pay may quickly be passed to other similar groups, and you will find yourself or your company subject to ongoing demands for ever-increasing ransom.

Studies have shown that for every $1 invested in cyber security, the typical SMB garners an $8 to $11 return.  Most businesses, big or small, would jump at the chance of a margin like that.  Are you that type of SMB?

LinkedIn Breach Email

From: LinkedIn Legal <legalnotice@linkedin.com>
Date: May 25, 2016
To: <linkedin.member@email.com>
Subject: Important information about your LinkedIn account


LinkedIn
Notice of Data Breach
You may have heard reports recently about a security issue involving LinkedIn. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you.
What Happened?
On May 17, 2016, we became aware that data stolen from LinkedIn in 2012 was being made available online. This was not a new security breach or hack. We took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since that breach.
What Information Was Involved?
Member email addresses, hashed passwords, and LinkedIn member IDs (an internal identifier LinkedIn assigns to each member profile) from 2012.
What We Are Doing
We invalidated passwords of all LinkedIn accounts created prior to the 2012 breach that had not reset their passwords since that breach. In addition, we are using automated tools to attempt to identify and block any suspicious activity that might occur on LinkedIn accounts. We are also actively engaging with law enforcement authorities.
LinkedIn has taken significant steps to strengthen account security since 2012. For example, we now use salted hashes to store passwords and enable additional account security by offering our members the option to use two-step verification.
What You Can Do
We have several dedicated teams working diligently to ensure that the information members entrust to LinkedIn remains secure. While we do all we can, we always suggest that our members visit our Safety Center to learn about enabling two-step verification, and implementing strong passwords in order to keep their accounts as safe as possible. We recommend that you regularly change your LinkedIn password and if you use the same or similar passwords on other online services, we recommend you set new passwords on those accounts as well.
For More Information
If you have any questions, please feel free to contact our Trust & Safety team at tns-help@linkedin.com. To learn more visit our official blog.
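The notice above says LinkedIn "now use[s] salted hashes to store passwords". The following added example (written for this page, not LinkedIn's code) shows what that change buys a defender: with an unsalted digest, every member who picked the same password is stored under the same digest, so one leaked table reveals every shared password at once; with a per-member random salt and an iterated KDF, identical passwords produce unrelated digests. The notice does not name the earlier algorithm, so unsalted SHA-1 here is an assumption standing in for "no salt", and the member addresses and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional

# Constructed sample credential store: two members who chose the same password.
# Hypothetical addresses and passwords; not data from any real breach.
SAMPLE_PASSWORDS: Dict[str, str] = {
    "alice@example.com": "Starwars!",
    "bob@example.com": "Starwars!",
    "carol@example.com": "Vivre sans aimer 1622",
}


def unsalted_sha1(password: str) -> str:
    """Unsalted storage (assumed stand-in for the pre-2012 scheme): one deterministic
    digest per password, so two members with the same password share a digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, salt: Optional[bytes] = None,
                       iterations: int = 200_000) -> Dict[str, object]:
    """Salted, iterated storage: a fresh random 16-byte salt per member plus
    PBKDF2-HMAC-SHA256. The salt is stored beside the digest; it is not a secret,
    it simply makes every digest unique and defeats precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_salted_record(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(record["iterations"]),
    )
    return hmac.compare_digest(digest.hex(), str(record["digest"]))


def shared_digest_count(digests: Dict[str, str]) -> int:
    """Number of members whose stored digest is shared with at least one other member.
    In an unsalted store this equals the number of members sharing a password; in a
    salted store it is 0 even when the underlying passwords are identical."""
    counts = Counter(digests.values())
    return sum(1 for d in digests.values() if counts[d] > 1)


def build_unsalted_store(passwords: Dict[str, str]) -> Dict[str, str]:
    return {member: unsalted_sha1(pw) for member, pw in passwords.items()}


def build_salted_store(passwords: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    return {member: make_salted_record(pw) for member, pw in passwords.items()}


if __name__ == "__main__":
    unsalted = build_unsalted_store(SAMPLE_PASSWORDS)
    salted = build_salted_store(SAMPLE_PASSWORDS)
    print("members sharing an unsalted digest:", shared_digest_count(unsalted))
    print("members sharing a salted digest:   ",
          shared_digest_count({m: str(r["digest"]) for m, r in salted.items()}))
    print("bob verifies with the right password:",
          verify_salted_record("Starwars!", salted["bob@example.com"]))
```

Running `shared_digest_count` over your own store is also a cheap audit: a non-zero result on a supposedly salted store means some records were never migrated.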

Practical Password Practices

Be Creative.  Beyond avoiding easy sequences like “123456” or classics like “password”, avoid using things that are trending in popular culture.  SplashData, which collates passwords from data breaches in America and Western Europe to build samples, said “123456 was, for the fifth year running, the most common password” in 2014.  While in 2015, one of the most frequently found passwords in USA corporate networks was “Starwars!” and all of the stars, roles and events of the Star Wars franchise were popular too.  The bad guys know that and will be sure to have those things in their PW libraries.  Think out of the box.  If you know “Gone with the Wind” forwards and backwards, exploit your trivia knowledge; if you are an organic gardener then plant some healthy ones; if you enjoyed a class on French romance poems in college it is time to use your studies in a way you never foresaw, Vivre sans aimer n’est pas proprement vivre (To live without loving is to not really live – Molière).

Change is overrated.  Many organizations and some websites require frequent changes to passwords.  Some set even shorter life spans for privileged accounts (like admins).  But if your password is sufficiently long and complex, studies have found that requiring 30, 60 or 90 day changes doesn’t add value (or security).  Changing your password for no good reason actually detracts from security because it is more likely you will forget it and more likely you will write it down to avoid doing so.  And many users will find ways around policies, like adding a new sequential number at the end, which complies with the password change policy but doesn’t achieve a higher level of security.  Admins, I’m talking to you – don’t require frequent periodic changes; and users, I’m talking to you – change your password anytime you think it might be compromised (by a shoulder surfer or your ex-boyfriend).

Don’t Re-Use.  It is tempting to re-use passwords, especially when you have worked hard to create a complex one and have finally managed to memorize it, but avoid the temptation.  Some people make categories of web services and create a shared PW for each tier of risk or type of service.  Others append the company name or website initials to make unique passwords such as “Apple#123”, “Google#123”, and “USPS#123”, but that creates a pattern, and a breach of any one of those accounts reveals a lot to the adversary about all of your PWs.  Don’t do it.  Make each one unique – that way if one place is breached and your credentials show up on the dark web they won’t give away the key to multiple sites you use.

Enter it with care.  And no, I don’t mean slow deliberate key strokes (observers will love you if you do that).  To avoid shoulder surfers, don’t enter your password in a place that allows others to register your entry.  And don’t enter your password over unencrypted public WiFi networks (I’ll take a hack with my Triple, Venti, Half Sweet, Non-Fat, Caramel Macchiato).  And, please, don’t mouth it or say it out loud as you enter it.  These all seem like no-brainers, but you would be surprised how often unauthorized account access is gained through ignoring these simple safeguards.

Keep it real.  You don’t have to make your password so cryptic that a supercomputer will take 10,000 years to crack it.  You are not a financial institution (unless you really are one) or a highly classified network (unless you are one of those), so get real.  Keep your panic for when the sky is falling.  For the majority of us, reasonably complex and lengthy PWs will suffice.  Keeping it real will encourage you to create hard-to-guess but easy-to-remember (for you) passwords.  The bad guys will move on to the next target if you don’t make yours an easy one.

Make your password long to make it strong.  The longer the better.  “A longer password is usually better than a more random password,” says Mark Burnett, author of Perfect Passwords, “as long as the password is at least 12-15 characters long.”  The excuse of keeping it short for your smartphone keyboard is no longer defensible with the advent of password managers and biometric authentication on mobile devices.

Second Level Authentication is Your Friend.  When offered, take the service up on adding second level authentication to access your account.  Some services offer to text a one-time passcode (OTP) to your designated phone.  Others allow you to register trusted devices and/or networks and deny attempts from all others.  Some may offer image selection from a gallery of 6 or 8.  Using multi-factor authentication doesn’t have to mean retina scanners or cipher locks, but it always means greater security for you.

Use Capital Letters with Care.  One of the recurring complaints from business users and website visitors is the requirement to use both upper- and lower-case characters.  Most people put a capital letter at the start of their PW and call it done.  This makes it simpler for the holder of the PW, but it also makes it simpler for the bad gal.  Mix it up; put some near the middle & end.

Use Special Characters with Care.  Another recurring complaint from business users and website visitors is the requirement to use special characters.  Most people put a pound sign (#) or an exclamation point (!) at the end of their PW and call it done.  This makes it simpler for the holder of the PW, but it also makes it simpler for the bad guy.  Mix it up; put some near the beginning & middle.  When websites don’t allow special characters, consider making your password a bit longer; consider dropping feedback to the webmaster, or even declining to use the website and telling them why.

Zzzz . . . Lastly, Develop a framework for your passwords.  Human minds prefer patterns (that is why many people choose “12345678” or “abcdefgh” or “qwerty789”).  A framework is a pattern on steroids; your mind will like it but the bad gals won’t.

A framework is your personal user’s guide to creating passwords.  The framework should be something that complements the way your mind works (to aid you in creating and remembering reasonably long and complex PWs) while not being obvious to co-workers or acquaintances.

You can create a PW framework that:

  1. capitalizes every word and
  2. inserts numbers or special characters after every word

For example, if you went to Paris for your honeymoon you might make your password “IReallyEnjoyedOurHoneymoonInParis”.  That is very long by most standards and even includes lower & upper case letters.  Now, if you add the month, day, and year that you landed in Paris after the first three words it might become “I08Really25Enjoyed2012OurHoneymoonInParis”.  Now you have two out of three complexities and will pass the criteria set by many businesses and websites, but you don’t have to stop there.  Picking the special characters from left to right on your keyboard and inserting them after all subsequent words will create “I08Really25Enjoyed2012Our!Honeymoon@In#Paris$” and results in a very long (and complex) password.

You can create a PW framework that:

  1. capitalizes every vowel and
  2. makes every consonant lower case and
  3. inserts special characters after every vowel and
  4. places a number at a planned point in the PW

For example, if you don’t want one that is terribly long, try “mY#dO$g2009spO%t” (this is based on “my dog spot” where every vowel is capitalized, every consonant is lower case, a special character follows every vowel, and a significant year [to you] is inserted after the second word); that password is not nearly as long (or as fun) as your honeymoon to Paris, but it is complex, sufficiently long, and easy (for you) to remember.

The framework you use should be something easy for you to recall but hard for others to guess (just like your password).  I’ve covered two but you can probably come up with a better one (or at least one that fits you better).
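The two frameworks above are mechanical enough to write down as code, which is a good way to check that a framework really does produce the policy-passing passwords the text promises. The following is an added example written for this page, not the author’s own tool: `word_framework` implements the capitalize-every-word framework, `vowel_framework` the vowel/consonant framework, `meets_policy` checks the "two out of three complexities" style of rule (the 12-character minimum and three-class threshold are assumed, not from the page), and `search_space_bits` puts a number on the "long to make it strong" point. Assumptions: "y" counts as a vowel (the page’s own "mY#" example treats it that way), special characters cycle through the sequence you supply, and the year goes after the word number you choose.

```python
import math
from typing import List, Sequence, Set

# The page's second example treats "y" as a vowel ("mY#"), so y is included here.
VOWELS = set("aeiouy")


def word_framework(phrase: str, inserts: Sequence[str]) -> str:
    """First framework: capitalize every word, then insert the next token (a number
    or special character) after each word. Words beyond len(inserts) get no insert."""
    pieces: List[str] = []
    for i, word in enumerate(phrase.split()):
        pieces.append(word[:1].upper() + word[1:])
        if i < len(inserts):
            pieces.append(inserts[i])
    return "".join(pieces)


def vowel_framework(phrase: str, symbols: str, year: str, after_word: int) -> str:
    """Second framework: vowels upper case, consonants lower case, a special character
    (cycling through `symbols`) after every vowel, and `year` after word `after_word`."""
    pieces: List[str] = []
    symbol_index = 0
    for word_number, word in enumerate(phrase.split(), start=1):
        for ch in word:
            if ch.lower() in VOWELS:
                pieces.append(ch.upper())
                pieces.append(symbols[symbol_index % len(symbols)])
                symbol_index += 1
            else:
                pieces.append(ch.lower())
        if word_number == after_word:
            pieces.append(year)
    return "".join(pieces)


def character_classes(password: str) -> Set[str]:
    """Which of the four classes (lower, upper, digit, special) the password uses."""
    classes: Set[str] = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def meets_policy(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """Assumed policy: at least 12 characters and at least three of the four classes."""
    return len(password) >= min_length and len(character_classes(password)) >= min_classes


# Alphabet sizes per class on a US keyboard; 33 printable ASCII punctuation/space chars.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def search_space_bits(password: str) -> float:
    """Naive upper bound on the brute-force search space: length * log2(alphabet),
    where the alphabet is the union of the classes actually present. A phrase-based
    password has less true entropy than this bound, but it still shows why each added
    character buys more than swapping one class for another."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    honeymoon = word_framework("I really enjoyed our honeymoon in Paris",
                               ["08", "25", "2012", "!", "@", "#", "$"])
    dog = vowel_framework("my dog spot", "#$%", "2009", after_word=2)
    for pw in (honeymoon, dog):
        print(pw, len(pw), sorted(character_classes(pw)),
              meets_policy(pw), round(search_space_bits(pw), 1))
```

The bound from `search_space_bits` is the figure a pure brute-force attacker faces; guessing attacks that try phrases and common substitutions do better than that, which is exactly why the frameworks insert dates and symbols inside the phrase rather than only at the end.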


Internet of Things (IOT) Analytics Set to Grow Much Bigger

The Internet of Things (IoT) analytics market is rapidly gaining traction primarily due to the sudden outburst of data from IoT-enabled devices and increasing global penetration of connected devices. The IoT analytics tools have a rapidly increasing role in various industry verticals such as energy and utilities, healthcare, logistics, and manufacturing. The role is growing, but slower, in retail and transportation. The basic reason for the growth in all cases is the increasing number of IoT-enabled smart connected devices and sensors which release a large amount of heterogeneous data simultaneously. This data can be harnessed and analyzed using IoT analytics tools and platforms to improve real-time decision making and customer experience. Furthermore, end-to-end automation in various industries such as healthcare, logistics, manufacturing, and transportation and deployment of predictive analytics in businesses are driving the overall growth of this market.

The IoT analytics market is still at an early adopter stage, but it is gradually expected to grow towards maturity in the developed regions of North America and Europe. Emerging regions such as APAC and MEA have great potential and are expected to achieve a bolstered growth in the coming five years. The demand for cloud-based deployments is accelerating in this market due to its cost-effectiveness and benefits of hassle-free maintenance. Since the market is emerging, it is less competitive with fewer entry and exit barriers. However, the control lies with niche players who provide dedicated IoT analytics platforms, thereby increasing their bargaining capabilities among the small vendors and startups. Though there is notable traction of IoT analytics in large enterprises, the emergence of PaaS delivery models has increased its usage in SMBs too. There are still certain concerns restraining growth in this market, including the lack of highly efficient real-time analytics algorithms which leads to underutilization of analytics tools and data security issues.

The market is segmented by region into North America, Europe, Asia-Pacific (APAC), the Middle East and Africa (MEA), and Latin America. Among all the regions, North America holds the largest market size whereas APAC is the major growing region. The global IoT analytics market is expected to grow from $4,857.2 million in 2015 to $16,353.5 million by 2020, at a Compound Annual Growth Rate (CAGR) of 27.4%. The key players in this market include IBM, Intel, SAP, AGT International, Thingworx, Accenture, Capgemini, Mnubo, and Nokia Networks.

There are various assumptions that have been taken into consideration for the market sizing and forecasting exercise. A few of the global assumptions include political, economic, social, and technological factors. Dollar fluctuations are not expected to seriously affect the forecasts in the emerging regions.

Five Internet-of-Things (IoT) Standards Organizations

AllSeen Alliance – https://allseenalliance.org – Linux focused – premier members include Canon, Electrolux, Haier, LG, Microsoft, Panasonic, Qeo, Qualcomm, Sharp, Silicon Image and Sony

Industrial Internet Consortium – http://www.iiconsortium.org – cofounded by AT&T, Cisco, GE, IBM and Intel

Open Interconnect Consortium – http://openinterconnect.org – cofounded by Broadcom, Intel and Samsung; other board members: Accenture, Arkessa, BT Telensa and WSN

Thread – http://threadgroup.org/Home.aspx – cofounded by Google and Samsung

Wireless IoT Forum – http://www.wireless-iot.org – cofounded by Cisco, GE, IBM and Intel

– These are listed alphabetically and not in order of adoption or impact.