Tom Olzak

Posts Tagged ‘Cloud Computing’

Shadow IT: Treat the cause, not the symptom

In Application Security, Business Continuity, Cloud Computing, Critical Infrastructure on July 8, 2015 at 04:00

I just posted an article at Toolbox.com about the business risks associated with shadow IT.  Many organizations see shadow IT as a disease to be cured.  However, as I write in my post, shadow IT is a symptom of a deeper issue.  It is this issue, related to IT remaining stuck in the past, that must be addressed.

Facebook employees should know better

In Business Continuity, Cloud Computing, Computers and Internet, Data Security, Insider risk, Java on February 15, 2013 at 20:27

While I believe that posting any private information to a social networking site is… well… nuts, I also believe we should have a reasonable expectation of privacy.  This means companies like Facebook must do a good job of protecting themselves from potential attacks.  So why were laptops used by Facebook employees targets of a recent zero-day attack?

Yes, it was zero-day.  We can’t foresee all possible attack vectors.  The threat agent used a hole in Java to infect the laptops.  Further, the Java exploit was setting on a developer site.  Doh!  Didn’t see that coming, Facebook?  You should have.

Java is full of holes.  It is an exploit waiting to happen, and it is not the first time attackers circumvented the Java sandbox to get at the underlying platform.  Some, like Andrew Storms at nCircle Security, believe Java needs a complete overhaul (via Gregg Keizer, Computerworld).

 “Oracle should just take a mulligan and redesign Java before everyone completely loses faith in it…”

Apparently, Facebook didn’t get the memo.  Why would a social network company allow its employees to visit risky sites and then connect back to a network where customer and other sensitive data reside?  Why would any organization?

For more information on end-user device security, see Chapter 6 – End-user Device Security.

It’s All about TRUST…

In Business Continuity, Data Security, Risk Management, Security Management, Trust on June 20, 2011 at 18:41

Consumers and the press like to bash vendors and online social networks for lacking perfect privacy, but there is no such thing.  Rather, this is the victim’s argument for getting pwned…

Whenever we perform an action, or fail to act, there are consequences.  A popular zen teaching uses an analogy of picking up a stick; if you pick up a stick holding one end, the other comes with it.  The same is true of sharing personal information online.  There is always the chance  your information will fall into the wrong hands.  Whether or not you share your information should be a matter of trust, of your assessment of risk.

Trust varies between online services.  For example, the steps my bank takes to protect my information are regulated and pretty strong–not perfect, but strong enough for me to take the risk of using its online services.  On the other hand, I would never post anything I don’t want the world to know about on Facebook.

Social networks are not heavily regulated… yet.  And we don’t want them to be.  I don’t want the government sticking its finger into everything I do online.  So, I need to take some responsibility for my actions and not complain to my congressman or senator when my pictures of my last frat party compromise my integrity and that of several others.  Knowing Facebook is a social network, designed for SHARING, why would I assume the risk of putting sensitive content there?  Why would I place my trust in any social networking service?

The same is true of doing business online.  There are differences in how “due diligence” is defined between online business services.  It is our responsibility to ask the right questions before using any service.  If we don’t, we are just as responsible as the service provider when data is stolen… or worse.  Further, regular audits or other assessments are necessary to ensure initial trust does not drift in the wrong direction.

Before sharing your business or personal information with anyone, ask yourself how much you trust the other guy.  If the answer is, “not as far as I can throw him,” then go somewhere else.

Government Dysfunction Strikes Another Blow for Insecurity

In Access Controls, Business Continuity, China, Cyber Espionage, Government, Hacking, Network Security, Password Management, Policies and Processes, Risk Management, Security Management, Vendor Management on October 12, 2010 at 12:51

For many years, even before the Internet, changing default access codes, passwords, and other vendor assigned information was considered a basic no-brainer.  And I understand normal people (non-IT) not getting it.  After all, if it wasn’t a good password, why would a vendor assign it…?  And who wants to argue with a support guy on the phone who can’t understand why you changed it?  I get it.  However, when our government doesn’t see the value in the change, we have a big problem.

According to an article last week in the New York Times,

[University of Michigan researchers] infiltrated the District of Columbia’s online voting system last week. They changed all votes for mayor to Master Control Pro and elected HAL 9000 the council chairman. The blaring University of Michigan fight song played whenever a new ballot was successfully cast” (Wheaton, 8 Oct 2010).

To be fair, this is a pilot project by the District’s Board of Elections.  However, I always thought “pilot’” meant seeing how it works in the real world.  So it should also mean setting security for testing system trust.  One reason why this is necessary was included in the same article:

“[Professor J. Alex Halderman] said he also saw signs that computer users in Iran and China were trying to crack the system’s master password — which his team obtained from an equipment manual. (Network administrators had never changed the four-character default password.) He said that the foreign hackers were probably not specifically trying to break into the District’s voting system, but that they represented a threat nonetheless” (ibid.)

In addition to immediate attempts by our “enemies” to hack into the system, we decided to practice global good will by leaving the vendor password in place for anyone who wanted into our system.  What a novel idea regarding how to meet the cyber-crime and warfare challenges we increasingly face.

In case you haven’t yet gotten the message across to your network engineers or internal support personnel, this might be something you can use as an attention-getter (instead of the bat you’ve placed strategically next to your filing cabinet.

This is just one more example of the dysfunction of our government information handling capability.

Cloud Security – Extend Your Risk Framework

In Cloud Computing on April 3, 2010 at 11:54

From a security analysis perspective, use of cloud services is the same as using internal services. It only presents unacceptable business risk if analysts fail to apply formal risk framework processes and effectively deal with gaps.

Yes, this is a pretty strong opening statement. But security professionals and businesses who see cloud services as high-risk solutions to be avoided do so at their peril. Organizations that get it can safely implement cloud services, reducing costs. improving customer satisfaction, and enhancing competitive advantage. Here’s how this might be done.

%d bloggers like this: