Friday, August 23, 2013

Airports and APTs




I'm sitting here at Logan Airport waiting for a flight. Like a lot of folks, I am a people watcher. As the crowds float by, I am fascinated by human interactions. What I tend to notice more often than not is the complete and utter lack of personal security most adults display.

Humans by nature are very trusting individuals, and this is the crux of the problem, especially to those of us in the world of security.

Society dictates that we be polite to one another, and it is a common belief that in general people are not out to do us harm.

This statement, although primarily true, has a weakness: there are always people willing to do us harm. The Media makes a living off of reporting it.

As folks stand in line, I am often amazed by the amount of information that they give out: where they are going, who they are meeting, if they are alone, where they are from, what they do for a living, and on and on. This information, in the hands of a malicious person can be an entry point into your personal and professional data. If we are willing to give up our personal security to complete strangers at an airport, how can it be expected that we make a paradigm shift as a culture towards cyber security? How do we make people more vigilant in their ever increasing dependence on current technology?

Hold that thought.

So as I sit here in the terminal, I'm also reflecting on the notion of short term vs long term "pain". The website Hackmageddon lists current cyber security threats and there is always some interesting analysis to be found. For example, 57% of the cyber crime perpetrated last month is general financial theft, fraud, and the like. Only 4% of crimes in the previous month are the Advanced Persistent Threats: highly targeted industrial espionage attacks. This is where intellectual property of high profile companies is stolen, resulting is significant and negative financial impacts.

What kinds of intellectual property? How about the plans for your next phone or your next network-connected television or the control systems of your car? 

If you're more concerned about the 57% than the 4%, then we have some work to do. The short term cyber crime (credit card theft, etc) is painful for the individual. There is no doubt about that. However, losing the intellectual property that is driving this country's future innovation is hurting all of us at once and will lead to longer term national impacts.

So how does this all tie together?

Typically, hackers will use exploits in general human interactions and security practices to gain access to the networks that drive our companies.

Maintaining proper security practices is vital to keeping us all safe. If you're new to security and are reading this blog, you are well ahead of most individuals. One of the best ways to learn more is to actively engage with other people passionate about the same topics. That's what we do every day at Wapack Labs in the Beadwindow™ portal. Get in touch with us and join the conversations.

Friday, August 9, 2013

Silence Ain't Golden



I'm a gun guy.

I shoot frequently, I attend as much training as I can, I research gear incessantly, and I am constantly staying up to date on what is "best of breed" in the industry. I network with folks to get news on trends and understand why a product does or does not work. This social connection is the single most important influence in my purchasing.

I read books on tactics, mindset, preparedness, and avoiding violence in the hopes of one day being able to use that knowledge to help myself and those around me should I ever be in a situation where it is needed.

I owned a small profitable business. I am very active in social media. I have many terabytes of information stored across disk arrays in my house that make my electricity provider very happy.

I spent MANY years at a top networking company in the IT organization.

I own a big dog.

Nutshell, I take my environment and situational awareness very seriously.

Why is it then that until recently, I did not take the same precautions with my digital security?

Why? Because when I step away from my keyboard, I don't see anyone in my environment that can physically harm my equipment. And this is bad.

As a small business owner, I rely on my systems to work when I need them. I do not want to find myself in the Ron Burgandy-type situation of saying that "60% of the time, my credit card processing works every time"

I also do not want to leave myself open to unknown threats.

Now more than ever, SMBs are hosting their websites, card processing, customer data, and financials out in the cloud. Often times, these systems are secure at the individual account level, but what about the host themselves? Are they not subject to attack? Do you know the ins and outs of their disaster recovery or intrusion prevention strategies? No? How does that make you feel?

Let's suppose you are a brick and mortar retail owner that runs Quickbooks on their personal laptop in the office, and then goes home or to a coffee shop and surfs the web and checks email? You happen to unknowingly install malware. This vicious little bit of code then contacts a Command and Control server (CNC) and alerts the hacker that info is ready for the taking. From that point, you, your financials, and your customer data are compromised. Depending on the sophistication, your machine can then be used to penetrate others.

Point is, most small companies or individual businesses do not spend enough time considering the implications of the security of their data environment. They expect that their backups are being backed up by some geek in a closet, and if something goes wrong, they just get restored and running without a hitch. Unfortunately, most of us learn the hard way that this is far from reality.

As business owners, we host with companies that are recommended by friends. We use products recommended by peers. We read Amazon reviews religiously. Why is it then that we don't use the same peer group style of interaction to maintain vigilance over our digital world? Because we don't want anyone knowing our business.

This is where I have changed my point of view. As a life long student, I find that the best way to learn is to talk to the folks that have been there and done that. The people that are experts in their fields and are more than willing to give me advice to spare me pain. Freeing myself of my own ego in this regard has allowed me to learn more than I ever imagined.

The moral of the story:
As individuals, we spend an infinite amount of time and energy preparing ourselves for physical situations, but rarely apply the same consideration to our digital lives. We're afraid to reach out for help or talk to others for fear of appearing weak.

It's time to change that mindset. This isn't about being weak. It's about becoming strong. Take a look at what is going on over in Beadwindow® at Wapack Labs. These are the experts that can help and they are doing it by the best way we as humans know how: by talking to each other.

Join our conversations.