
Posts tagged - Twitter

Tuesday, December 27, 2011

Death by a Thousand Clicks is Not Your Only Option

By Tara Savage, Senior Marketing Manager, BT Global Services

The thought of engaging in social media campaigns is enough to send many companies into a feverish fit. You know your company needs to be online; to not participate in the social side of business is, as Jim Tiller, BT’s Global Practice Head of Security Services, puts it, “death by a thousand clicks.”

But as Jim notes in his recent post on BT’s Viewpoint blog, there are other options! In Tiller’s opinion the first step to thriving online is to have a clearly codified plan and policies for data and brand protection. The second step is to ensure that this plan is regularly tested, to keep pace with where vulnerabilities may arise and to be able to mitigate them preemptively.

To read more of what Jim has to say about how ethical hacking and vulnerability testing can keep your company safe online and in the good books with your customers, click here.

Monday, July 11, 2011

On Cyberspace, Cyber Security, and War

By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

Back in 2000/2001 I started giving a number of speeches about cyber war.  Funny thing was, back then, most of the audience concluded I was simply nuts. The concept that a war could occur in cyberspace seemed so surreal to most people. 

Given how reliant we are on the digital world I thought it was obvious that issues in cyberspace would have implications in the physical world and the two would eventually become inseparable. With the rash of cyber policies emerging from governments, the recent report that the Pentagon has noted that computer sabotage coming from another country can constitute an act of war is entirely predictable.

Today, technology – interconnected and interdependent technology – has become so integrated into how we function it’s nearly invisible. It’s not simply e-mail, Twitter, Facebook, cable TV, and iPads, but that’s what you see every day.  Technology is what moves trains and trucks, electricity and water, food, fuel, and, importantly, money. It enables resources, such as emergency services, military, textiles, communication, transportation, and intelligence.

Technology, or more specifically cyberspace – a general term representing a digital ecosystem – is a resource. And it is a resource that has become essential to all other resources. As such, it is a force multiplier and can have far-reaching effects. Although it may be hard to imagine, it is not beyond comprehension that a cyber-attack could result in the loss of life, directly and indirectly. Disruptions in the digital world can have resonating impacts, most notably in the form of resource impedance, such as shutting off electricity, disabling the banking system, or shutting down the transportation infrastructure. It can affect production, leading to economic instability and downstream civil unrest. We need to take a defensive stance to protect our resources, because without them the country will dissolve, and cyberspace is no different from the other resources we seek to protect.

The resort to war is human and is usually a result over competition for resources. Accumulation of resources means power and, eventually, someone wants your resources and your power, or wishes harm against you because of your power. To ignore this is ignorance and denial resulting in being unprepared, ineffective, and, frankly, doomed.

So, what is my take on the Pentagon’s position? On a very basic level it is an acknowledgement of the importance of cyberspace as a resource, and this isn’t a bad thing. The point here is that, like it or not, an attack in cyberspace is quickly becoming indistinguishable from a physical attack and we must prepare, on many levels, for this outcome. I’m not suggesting you go off-grid, hide in a bunker, and fill your basement with food, water, and ammo… far from it. I’m saying understand the realities of the 21st century and recognize the entanglement of things we’ve tried too hard to view separately.

We need to come to grips with the importance of cyberspace, not only as a nation, but as a global community. I for one don’t differentiate the relevance of cyberspace and our national infrastructure as separate resources. You can’t, because the lines have grown so thin they are invisible. But know they are there and becoming more integrated and important every day.

Friday, May 20, 2011

Book Review: Global Terrorism and New Media: The Post-Al Qaeda Generation

By Ben Rothke, Senior Security Consultant, BT Global Services

Global Terrorism and New Media: The Post-Al Qaeda Generation. By Philip Seib and Dana Janbek; published by Taylor & Francis Group/Routledge, www.routledge.com; 160 pages; $38.95.

The Internet has revolutionized how we socialize and do business, speeding commerce, facilitating knowledge sharing, and creating networks that could not have existed a decade ago. Unfortunately, terrorists reap the same benefits. Global Terrorism and New Media: The Post-Al Qaeda Generation is a fascinating new book that provides an excellent overview of how terrorist organizations use today’s technology to spread their message.

The book opens with the observation that communication is at the heart of terrorism. The principal accomplishment of al Qaeda on 9-11 was not mass murder and destruction of property but rather terrifying millions and, by doing so, changing the way people live the world over.

The authors note the central role news media plays in defining terrorism. Knowing this, terrorists calculate the consequences of their deeds and the likely scope of media coverage to inject themselves into the conversation of civil society. The authors also discuss how terrorist organizations often make full use of various technologies, including producing periodicals for their followers to learn about using electronic data security to evade detection online by authorities.

From Facebook, YouTube, Twitter, online forums, and more, terrorist organizations are making full use of Web 2.0. Hezbollah, the authors note, used Facebook to try to arrange meetings with Israeli soldiers in the attempt to kidnap them. Elsewhere, terrorists use the Web to exchange confidential information for money.

To fight the terrorist threat, Yuval Diskin, head of Israel’s internal security service, recently observed that “countries need to cooperate closely and develop technology together to counter new threats.”

The authors concede that there’s no easy way to stop terrorists’ extensive use of new media. The best approach may be to create a comprehensive communications strategy, executed via new media, to counter the extremists’ messages. So far, extremists who embrace violence have done a superior job of mastering these tools, but there is no reason why they should be allowed to maintain the upper hand.

Global Terrorism and New Media is a fascinating read and of benefit to anyone involved in terror prevention, security studies, or political science.

This book review was originally published by Security Management Magazine in the May 2011 issue.

Monday, April 18, 2011

Brother, Can you Spare a Dime? Or Perhaps Your Credit Card Information and Your Digital Identity?

By Tara Savage, Senior Marketing Manager, BT Global Services

It seems that every time there’s a natural disaster, people’s instincts to do good are undermined by a small group of people who seek to exploit the situation for their own gain or to carry out criminal activities. 

Unfortunately, despite far too many recent experiences with cyber crime and virus vectors emanating from web sites and donation campaigns for relief efforts for Haiti, Chile, and New Zealand, there appear to be just as many scams emerging that complicate attempts to get aid to the victims of Japan’s earthquake and tsunami.

Digital Forensic Investigator News reminded me just how insidious this type of crime has become.  Not only do fraudulent sites spring up within moments of a disaster being reported, but they are now able to spread much more quickly via social networking sites like Twitter and Facebook. 

So, how can you be sure you’re looking after your personal financial information and your digital identity while making good on your charitable impulses?

SecureThinking and CSR Perspective, a site hosted by Kevin Moss, BT’s Head of Corporate Social Responsibility for the U.S. & Canada, addressed these issues in the aftermath of the Haitian and Chilean quakes in 2010. 

Jim Tiller and Sushila Nair have discussed the biggest security threats posed by charitable giving scams, while Kevin and Sushila have given their perspectives on ways to avoid becoming a victim of a scam.

To read what Kevin and Sushila Nair discussed, click here.

To read what Jim Tiller and Sushila debated, click here.

Friday, April 8, 2011

Invisible Controls for Greater Security

By Tara Savage, Senior Marketing Manager, BT Global Services

When it comes to controlling social media usage across a company, what’s the best method for maintaining security of your company’s data? 

Most organizations are facing this challenge today.  Employees are accessing Twitter, Facebook, YouTube, and other networks from the corporate network; and an organization’s first inclination is often to block such access.  But that is not only unnecessary, it’s ineffective.

Security is about awareness, according to Ben Rothke.  He is joined by others in a recent SC Magazine article, which gives the advice to embrace social media and secure it, instead of just trying to block it.

Wednesday, April 6, 2011

Guest Post: Power To The People: Empowering users and increasing security

By Terry Greer-King, UK managing director, Check Point

The consumerization genie is out of the bottle.  Employees have seized the initiative and are increasingly using their personal PCs, laptops, tablets and smartphones for work purposes.  What’s more, they are using consumer-focused websites such as Twitter, Facebook and LinkedIn for work-related content, blurring boundaries between business and personal data.

So how do you secure this ever-growing, nebulous estate of devices and applications?  How do organizations ensure employees observe corporate security policies, irrespective of the device or app they are using?  

The answer is simple.  As users have started to take control of the devices and apps they use for work, so organizations need to empower them to make decisions about security, not rein them in.  Users should take some of the responsibility for security when they use their personal devices and Web 2.0 apps to help mitigate the risks of data leaks and losses. 

For example, the most common vector for data leaks is email – sending confidential data to the wrong person or attaching the wrong file. To stop this, an effective Data Leak Prevention (DLP) solution should inspect the content of an email; if it detects content that could be sensitive, a pop-up dialogue alerts the user, asking whether they intend to send the email with that file to that recipient.

This holds a mirror to the user’s actions, and they can either confirm their intended action, or realize they were about to make a mistake.  This prevents inadvertent leaks and builds a log of user actions.  The same principle can apply to the use of Web 2.0 apps — rather than blocking users in a Big Brother manner, they could be allowed access to apps if they log their reason for wanting to visit.
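The confirm-and-log workflow described above, as an added example that is not Check Point's product or code from the original post. The card-number detector, the `confirm` UI callback, the constructed sample message and the audit-log layout are all assumptions made for the illustration:

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample (not a real record); 4111 1111 1111 1111 is a well-known test card number.
SAMPLE_EMAIL = {
    "from": "alice@example.com",
    "to": "partner@example.net",
    "subject": "Q2 invoice",
    "body": "Hi, please charge 4111 1111 1111 1111 for the balance. Thanks!",
}
# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out phone numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Return every Luhn-valid card-like number in text, digits only."""
    hits = []
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def inspect(email: dict) -> dict:
    """Content inspection: report what was found, never the raw secret."""
    cards = find_card_numbers(email["subject"] + "\n" + email["body"])
    findings = ["card ending " + c[-4:] for c in cards]
    return {"sensitive": bool(findings), "findings": findings}

def process_outbound(email: dict, confirm, audit_log: list) -> str:
    """Hold a mirror to the user: prompt only when something sensitive is found,
    let them confirm or cancel, and record the decision either way.
    `confirm` is a hypothetical UI callback: prompt text in, True to send anyway."""
    result = inspect(email)
    if result["sensitive"]:
        prompt = (f"Message to {email['to']} appears to contain "
                  f"{', '.join(result['findings'])}. Send anyway?")
        decision = "sent_confirmed" if confirm(prompt) else "cancelled"
    else:
        decision = "sent"
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "from": email["from"], "to": email["to"],
        # Hash the body so the audit trail itself does not become a leak.
        "body_sha256": hashlib.sha256(email["body"].encode()).hexdigest(),
        "findings": result["findings"], "decision": decision,
    })
    return decision

def request_web_access(user: str, site: str, reason: str, audit_log: list) -> bool:
    """Web 2.0 variant of the same idea: allow the visit against a logged reason."""
    reason = reason.strip()
    if len(reason) < 10:  # a bare "x" is not a reason
        return False
    audit_log.append({"time": datetime.now(timezone.utc).isoformat(), "user": user,
                      "site": site, "reason": reason, "decision": "allowed"})
    return True
```

The audit entry deliberately stores only a hash of the body and the last four digits of any card found, so the log can be reviewed without itself becoming a copy of the sensitive data.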

As the old adage puts it — with power comes responsibility.  By giving users some responsibility for their actions, you can help to cut the risks of losses and leaks at source.

Next month, BT will be at Infosec 2011 in London with our partners.  As such, we will be featuring guest posts on SecureThinking and BT Viewpoint leading up to the event. If you plan to attend the conference, come and find us at C92 (near the theatre and workshop area).

Monday, March 14, 2011

SPAM: Clogging your Internet arteries since at least 1994 — but perhaps no more?

By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

SPAM, a constant fixture of the Internet, reached a fever pitch around the turn of the century and represented the lion’s share of e-mail traffic around the world. This situation continued for several years – until recently. Based on a number of reports, at a time of year when SPAM is usually at its annual zenith, there has been a significant decline in SPAM volume. While this has baffled some, and many see it as an anomaly, it can also be seen as an indicator of a change in the threat spectrum.

E-mail is a universal method of Internet communication, but with the proliferation of Twitter, Facebook, unified communications, mobility, and the complex array of collaboration apps and services that exist, e-mail has become, well, old school.  Moreover, the simple fact remains that a large percentage of the most common forms of SPAM are filtered out by layers of well-established, proven technologies.  In short, from a SPAMer’s perspective, they’re getting less bang for the buck.  Therefore, it should be no surprise that as the use of the Internet shifts for businesses and individuals, so will the threat.  And SPAMers, too, will look to leverage new communication methods to fill your inbox, Facebook wall or Twitter account.

Of course, there is a more sinister element at play – specifically, highly targeted SPAM, or phishing, spear phishing, etc. These are unwanted communications that look and “feel” real, but are just noise at best, contain malware at worst, or, most dreadfully, fool people into exposing private information. The drop in detected SPAM may simply mean that these more well-formed communications in e-mail, Twitter, and elsewhere are getting past the net undetected.

Now that established organizations are using these technologies and apps to interact with their clientele in new ways, people expect to see a tweet, SMS or wall post from a company they have a relationship with – and the threats know this. When one extrapolates and projects out the potential of this reality, it is well within reason to expect an increased level of fraud, identity theft, and malware proliferation, because this is a greenfield opportunity for threats.

Although all this is entirely speculation, it’s reasonable to assume that SPAM is migrating to other evolving forms of Internet-based collaboration technologies and, by doing so, broadening its spectrum of opportunity to manipulate systems and people, potentially more effectively. Although anti-SPAM technologies exist, many are still directed at traditional e-mail and not necessarily at social networking interactions that are accessible from virtually any platform, any time, from anywhere.

Just because we saw less SPAM when we should have seen a spike doesn’t necessarily mean the SPAMers took a holiday.  In fact, the decline in SPAM should be seen as evidence of a new focus – one more targeted, impactful, and one taking a path of least resistance.

Given the entanglement of technology, mobility and anything-all-the-time-app-for-that-culture, e-mail is yesterday’s technology – the threats know this and are moving to capture this new market – you.

Wednesday, January 26, 2011

PCI Survey Reveals Organizations are Prepared, Spending More, and Focusing on Education

By Tara Savage, Senior Marketing Manager, BT Global Services

Cisco Systems recently issued the results of its PCI Pulse Survey, which revealed some surprising sentiments from those whose job it is to implement PCI programs. 

While some security practitioners think that PCI requirements are just another façade of security theatre, the survey respondents beg to differ, with 70% expressing positive opinions about the improved security posture that comes with being PCI compliant.  What is also interesting is that organizations are increasing their spending and investment in technology in advance of PCI requirements, rather than in response to pressure to comply.  Next on the agenda for most companies is education and, in particular, education and training for employees in how to handle credit card data properly.

Overall, the survey appears to show a growing maturity of PCI as a standard. But I wonder, based on other results and findings, whether the survey doesn’t actually reveal an ongoing weakness in PCI. If, as the report states, 85% believe they would pass a PCI audit and 78% passed their initial assessment, then why do we still see so many data breaches?

What’s your take?  Let us know in the comments below or send us a tweet.

Monday, November 22, 2010

The social media wake-up call

By Ben Rothke, Senior Security Consultant, BT Global Services

The action taken earlier this month by the National Labor Relations Board, after a Connecticut woman was illegally fired from her job as an emergency medical technician for posting disparaging remarks about her boss on Facebook, is a big wake-up call – for both the employer and the employee.

An administrative law judge is expected to hear the case in January 2011, but it is likely not to end there, as the losing party will certainly appeal.  It is expected that this case will make its way to the Supreme Court.

From an information security perspective, far too many firms wait for these kind of wake-up calls before taking action.  Leading companies, however, will be proactive to ensure that the appropriate information security policies and guidelines are there from the beginning. 

The truth is that the term “wake-up call” may understate the situation.  This is a legal issue — and if organizations find themselves at the losing end of such a case, it can turn out to be an expensive proposition — lawyers’ fees, punitive damages, negative PR, regulatory findings, and more.  Not being prepared can be an extremely expensive lesson.

The courts seem to be leaning toward treating comments in a social network setting as constitutionally protected speech, a position that would allow employees to discuss their jobs and working conditions with co-workers. Those employee rights translate into responsibilities that employers must undertake.

As more employers and employees are using social networking sites, this is a most topical issue.

Social networking in the workplace needs to be handled differently by the employer and by the employee.

For an employer, the following are a few of the many steps you need to take:

  1. First off, get in front of the social media wave.  Be proactive and assign a dedicated team to deal with the myriad issues around social networks.
  2. As social networks blur boundaries between roles, policy and strategy are crucial.  The border between the company and the outside world is evaporating, so your policy and strategy must reflect that.  Two firms that have comprehensive social media guidelines are IBM and Intel.
  3. Social networking policy is a must.  Even if your course of action is to completely prohibit social networking, you still need a clear and established policy.
  4. Create a rational, sensible program around your employees’ use of social media services.  Make sure this includes photography and video, and common sense advice (don’t reference clients, customers, or partners without obtaining their express permission, etc.).
  5. Human resources must be involved, as social media can open a Pandora’s Box of HR issues.  HR needs to create directives for managing personal and professional time and create reasonable guidelines.  As part of the HR awareness process, explain how innocent social media postings can be misconstrued, how confidential data can accidentally be shared, and other germane topics.
  6. Social media security awareness is crucial.  Don’t just give employees a generic five-slide PowerPoint.  Follow the “three Cs” of information security awareness — make it clear, comprehensive and continuous.

For the employee:

  1. For those new to Facebook, Twitter and other social media sites, curb your enthusiasm.  This is especially true for those with OCD or addictive personalities who often don’t appreciate the addictive nature of social networking.  Facebook is viral and indeed addictive — and as a salaried employee, don’t waste your workday on it.
  2. Realize that Facebook and postings on other social sites can get you fired.  When at work, realize that you are being paid to work.  Don’t abuse the trust your employer placed in you when hiring you.
  3. Most jobs in the US are at-will employment.  This is a doctrine of American law that defines an employment relationship in which – a) either party can break the relationship with no liability, provided there was no express contract for a definite term governing the employment relationship; and b) that the employer does not belong to a collective bargaining group (i.e., has not recognized a union).  Simply put, you are but one Facebook post away from losing your job.
  4. Ensure you know about and are compliant with your employer’s social media guidelines.  In the event you post something corporate, ensure that it is public information. 
  5. Take extra care if you “friend” your boss on Facebook.

Social media is awesome, but it is undeniable that it has introduced significant information security and privacy risks and issues.

At the organizational level, companies must recognize these risks and take a formal approach to deal with them.

At the individual level, employees can’t be naïve about their responsibilities when using social media.