Thursday, January 30, 2014

National Privacy Day

January 28 is National Privacy Day.    The Prime Minister of the Bahamas, Perry Christie, proclaimed this week as National Privacy Week (source).  National Privacy day was adopted in Europe in 1981 to celebrate the signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.  

Why is there a day (or week) dedicated to personal privacy?  It's an opportunity to educate people about protecting their privacy, to think about your own digital footprint, and to prioritize the protection of privacy.  It's a great time to consider making privacy a priority in your life. 

Naked Security published an article describing several ways that you can protect your privacy online: 

  1.  When signing up for an online profile, be thoughtful about the information you provide.  There may be no reason the provider needs to know things like where you went to school.  I always cringe when I am asked for my mother's maiden name as a security question.  It seems like a stupid trick question.  I can't imagine any lucid person actually supplying this information.  I probably should follow up with companies who have the gall to ask this.  

  2.  Consider phone apps on your smart phone.  Many of them take huge liberties with your information.  They might have access to all the contacts on your phone!  The advice on the page said it's smarter to simply use the web browser on your phone versus using the app.  That really made me think about deleting some of the apps I have. 

  3.  When you're in a brick and mortar store sometimes they ask for your zip code.  Why?  I don't know.  I have provided it without asking.  I won't do that anymore without a good reason.

  4.  The last thing the article discussed was checking the privacy laws in your jurisdiction.  I probably should know what is legal and illegal with regard to my privacy and merchants.

Most of us know that our electronic communications are being intercepted by the NSA.  You might not realize that data is being siphoned from our smart phones when we enter some brick and mortar stores (source).  The Washington Post reported that some stores are using the WiFi card in your smart phone to track you.  What are they tracking?  Once the system has your MAC address it tracks where you go through the store, whether you buy anything, etc.  It's sort of generic marketing information.  The data can be analyzed to determine what sells, where things should be placed, etc.  You know, marketing stuff.  However, it can also be used to spy on you.  The data captured can be combined with other known information to determine who you are.  With that, the system knows who you are and what you buy, how often you buy it, etc.  It's likely you would not know you are being watched (or followed?!!).  How does it make you feel?  Unless you 'check-in' on Facebook every place you go, you might not appreciate being "checked-in" at a store!  It makes me feel a little too exposed.  I am going to try to turn off the WiFi on my phone when I go into a store.  It will definitely take some practice!

Our privacy is not something to take for granted.  I hope you spend a little time this week thinking about your privacy and a few things you can do to protect yours!

Sunday, January 26, 2014

Cloudy with a Chance of Convenience

Cloud computing is a fairly new concept that, in the past, caused me to look at it with a cocked head and squinty eyes.  In short, I have been skeptical.  After all, the cloud lives everywhere.  It lives in countries where there are strict privacy laws and in countries where privacy is far less protected.  To add to the suspicion, I think of the privacy issues with the NSA capturing data traversing ISP connections.  Is it safe to transfer data to external entities who might not treasure your data like you would?  What if someone or something taps the data en route to the cloud?  What if the cloud vendor fails? 

Recent experiences have led me to consider the benefits of the cloud for routine data backup.  Backing up to the cloud can benefit an organization in many ways.  First, if a DR (disaster recovery) plan is enacted, the process to download data to an alternate site is simplified.  It's important to note that the data might not be worth anything if it relies on a server or service that was affected by the disaster.  Second, there is a convenience factor when files or other data must be restored due to accidental deletion.  Typically, when data needs to be recovered, a courier must be contacted from the off-site storage location or someone must get in a car and drive to the off-site storage location to retrieve the media.  Cloud backup speeds the process of restoring data.  Third, the cost of off-site media and equipment is reduced.  Organizations might pay $100 for each backup tape and more for external drives.  Tape drives can cause headaches when they do not work.  They're expensive (a site could have many tapes to ensure proper rotation), and backup media, software and maintenance add to the cost.  Backing up to the cloud reduces the need for the equipment, software, maintenance and support time spent dealing with equipment that doesn't work.

The advantages make cloud computing look promising.  While they look good and will benefit an organization, there are a few issues you should get answers to before signing on the dotted line: 

1.  Identify how confidential the data you plan to move to the cloud is.  Many organizations have confidential or proprietary data.  It may not be prudent to store sensitive data in the cloud.  Also, if the cloud provider does not host a private cloud, that data might be available to others using the same space.  This might not be acceptable.

2.  How does the vendor protect your data?  The vendor likely has multiple customers (or they will).  How will they ensure other customers do not have access to your data (and vice versa)?  How does the vendor ensure their employees do not have access to your data?  Is the data encrypted?

3.  How will your organization connect to the cloud?  Security considerations are very important!  If the vendor proposes that the data moves across an unencrypted line - run.  Do you have adequate bandwidth to move data on a daily basis?  Testing connectivity from both sides will ensure there is no packet loss, which helps guarantee data integrity.

4.  What is the vendor's SLA (service level agreement) with your organization?  When do they do maintenance?  Will it be the same time that you want to move data to the cloud?  How does the vendor deal with DoS attacks?  How will you be notified of outages?

5.  Where does the vendor store your data?  Will your data be stored in a data farm in a country where privacy laws differ from the U.S.?

6.  How does the vendor back up your organization's data?  Equipment could fail in the vendor's organization just like it could in yours.  If they have a failure, how quickly will it be resolved?

7.  How much space do you need on the cloud?  Is data overwritten?  How much can your data swell before you saturate the vendor's network?

8.  What is the vendor's agreement with regard to making data available after a disaster? If the vendor hosts data for multiple organizations who were affected by a disaster, what is your priority to get your data?

9.  In the unfortunate event your organization decides to move your data to another provider, how can you be sure the vendor no longer has your data?  What if the vendor's business fails?  What happens to your data?

This list is not intended to be a complete list of issues that you should consider before moving your data to the cloud, but it's a start.  Are there issues you think should be added to the list?

The cloud holds benefits that might provide advantages to your organization. I am not sure I'm 100% for it, but I think that when the decision meets organizational requirements and the vendor can satisfy the organization's requirements, it is worth a second look.

Wednesday, January 15, 2014

Finding work as an IT Security Specialist

Image credit:  Photobucket
IT Security is a great career.  IT Security practitioners spend their day in a variety of areas that can range from performing penetration tests and configuring or managing security equipment (such as firewalls) to responding to cyber threats.  Nearly every industry needs security professionals to protect their infrastructure.  How does someone interested in the profession break into the field?  I talked to a few friends and did some research on the internet to see how people have gotten their foot in the door:

Every person I talked to recommended that you start with a college degree.  Many colleges and universities offer degrees in Cybersecurity.  This won't guarantee that you will get your dream job in IT Security after graduation... but it might.  A few schools that offer Cybersecurity programs: Bellevue University offers both a bachelor's and a master's (classroom and online), and the University of Maryland University College (UMUC) offers a bachelor's and a master's (classroom and online).  The National Security Agency (NSA) and DHS have teamed up to promote security education by designating academic institutions whose curricula meet their standards; Bellevue's and UMUC's programs are among those that comply with the NSA and DHS standards.  Check to see if the academic institution you're interested in attending is recognized as one of the National Centers of Academic Excellence.

Read a book!  There are numerous books available that will introduce you to the field.  A few recommendations include:
The Web Application Hacker’s Handbook
Social Engineering:  The Art of Human Hacking  
CISSP (Shon Harris)

Download software and learn how to use it on your home network.  The Nessus scanner is a free tool you can download and run on your home network to learn about penetration testing.  Kali Linux is an operating system available at no cost to learn how to perform penetration testing.  The website provides a link to documentation and forums to learn how to use the tool.

Attend training.  SANS is an organization that offers training and seminars for individuals with a variety of levels of experience.  SANS offers some resources at no cost.

Attend a security conference.  Conferences are held all over the world and provide information and access to professionals and companies that might hire you.  Here is a link focusing on Cybersecurity conferences in the United States.

Get certified!  The CISSP certification is the gold standard in IT Security.  Check out ISC(2)'s website.  You will find information on what you need to know, can take a practice test, and can learn about the requirements to get certified.  ISC(2) has an Associate of ISC(2) program for individuals who do not yet have the experience required for the CISSP.   

Monday, January 13, 2014

Bitta Bitta Bitcoin


Image credit:  Wired.com

Late in 2013, Bitcoin captured my attention.  First, Magistrate Judge Amos Mazzant of Texas declared it real money (source) in a case against Trendon Shavers.  In August, Bloomberg gave Bitcoin an experimental Ticker (XPT) (source).  In November, Bitcoin was alleged to be used to traffic illegal drugs on the internet.  A few days ago, Overstock.com began accepting Bitcoin payments (source). What seemed like an interesting concept is picking up steam.

What is it?   Bitcoin is an experimental virtual currency with no physical form.  It was created in 2008 by a person known as Satoshi Nakamoto (this is not believed to be the individual's given name).  This currency is not controlled by universally accepted laws or regulations and is not backed by what most people consider to be the standard tangible item of value, gold.  In order for Bitcoin to work, all users must agree that the Bitcoins have value.
What do people use Bitcoins for?  They can be used to buy a Subway sandwich in Allentown, Pennsylvania (source).  If you’re in Omaha, an establishment called Covis CoWorking allows you to pay with Bitcoin to work remotely in their space on 108th and Pacific.  Photographer Elizabeth Crow allows her customers to pay with Bitcoin in Eugene, Oregon.  An underground marketplace, Silk Road, allows people to sell illicit goods and services using Bitcoin via the anonymizing Tor network. 
How does it work?  First you must install a Bitcoin wallet on your computer or smart phone. "Once you download and run the Bitcoin client software, it connects over the Internet to the decentralized network of all Bitcoin users and also generates a pair of unique, mathematically linked keys, which you'll need to exchange Bitcoins with any other client. One key is private and kept hidden on your computer. The other is public and a version of it dubbed a Bitcoin address is given to other people so they can send you Bitcoins" (source).  Once a person makes a Bitcoin transaction, that transaction is processed by transferring the information to a distributed consensus system that is verified by the network.  This process prevents a user from using the same coin (or coins) for more than one transaction. 
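Added example (not code from the post or from the Bitcoin project) modelling the two ideas in that paragraph: a key pair whose public half is hashed into the address you hand out, and a shared ledger of unspent outputs that every node checks so the same coin cannot be spent twice.  It substitutes hash-based Lamport one-time signatures for Bitcoin's ECDSA so it runs on Python's standard library alone; the genesis coin, names and amounts are constructed.

```python
import hashlib, json, os
H = lambda data: hashlib.sha256(data).digest()

# Key pair: the private key stays on your machine; the public key is hashed into the
# address you hand out. Lamport one-time signatures stand in for Bitcoin's ECDSA here.
def keygen():
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return priv, [(H(a), H(b)) for a, b in priv]

def sign(priv, msg):   # reveal one preimage per bit of H(msg); sign once per key pair
    bits = int.from_bytes(H(msg), "big")
    return [priv[i][(bits >> (255 - i)) & 1] for i in range(256)]
def verify(pub, msg, sig):
    bits = int.from_bytes(H(msg), "big")
    return len(sig) == 256 and all(H(sig[i]) == pub[i][(bits >> (255 - i)) & 1] for i in range(256))

address = lambda pub: H(b"".join(a + b for a, b in pub)).hex()

# A transaction spends earlier outputs; every verifying node replays the same checks.
def tx_body(refs, outs):
    return json.dumps({"in": refs, "out": outs}, sort_keys=True).encode()

def make_tx(priv, pub, refs, outs):
    sig = sign(priv, tx_body(refs, outs))
    return {"in": [{"ref": r, "pub": pub, "sig": sig} for r in refs], "out": outs}

class Ledger:
    def __init__(self, coinbase):
        self.utxo = dict(coinbase)   # unspent output id -> (owner address, amount)
    def apply(self, tx):
        refs = [i["ref"] for i in tx["in"]]
        if len(set(refs)) != len(refs):
            return "rejected: same output listed twice"
        body, total_in = tx_body(refs, tx["out"]), 0
        for inp in tx["in"]:
            if inp["ref"] not in self.utxo:
                return "rejected: output unknown or already spent"
            owner, amount = self.utxo[inp["ref"]]
            if address(inp["pub"]) != owner or not verify(inp["pub"], body, inp["sig"]):
                return "rejected: signature does not match owner"
            total_in += amount
        if total_in < sum(amt for _, amt in tx["out"]):
            return "rejected: outputs exceed inputs"
        for ref in refs:   # consumed for good: this is what blocks a second spend
            del self.utxo[ref]
        txid = H(body).hex()
        for n, (addr, amt) in enumerate(tx["out"]):
            self.utxo[f"{txid}:{n}"] = (addr, amt)
        return "accepted"

def demo():
    alice_priv, alice_pub = keygen()
    ledger = Ledger({"genesis:0": (address(alice_pub), 10)})   # constructed starting coin
    pay = lambda to: ledger.apply(make_tx(alice_priv, alice_pub, ["genesis:0"], [(to, 10)]))
    return pay(address(keygen()[1])), pay(address(alice_pub))   # accepted, then rejected
```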

How safe is Bitcoin?  Bitcoin is not insured like your money in a federally insured bank.  A strong word of caution:  Bitcoin transactions are uninsured and irreversible.

How do Bitcoin users protect their wallet?  Since your wallet is electronic, it is critical that it is stored on a computer that is well protected.  Storing your wallet on a computer that is connected to the internet is not a good idea.  Also, backing up your wallet to a cloud service might make the data vulnerable to theft. 

I will sit the Bitcoin game out for now.  It’s too new for me to really consider using it.

Monday, January 6, 2014

Snowden Continues to Impact Cybersecurity

Edward Snowden continues to make waves.  I've seen news articles suggesting that he be granted clemency along with reports of more hardware and software that have been used to illegally gather information.  Thank you New York Times for suggesting the notion that Snowden should be granted leniency for his crime (see the article written on January 1, 2014).  The New York Times Editorial Board states, "Considering the enormous value of the information he has revealed, and the abuses he has exposed, Mr. Snowden deserves better than a life of permanent exile, fear and flight. He may have committed a crime to do so, but he has done his country a great service."

Image credit:  http://blog.spycentre.com/calling-agent-86/
I think it's time to back up.  My career started in the 1980's when the world was very different.  Consumers did not have computers in their home.  There was no electronic messaging.  Phone calls were very expensive and overseas calling was something most people didn't do much of -- it was far too expensive for most people.  Over the past thirty years a great deal of power was given to each one of us.  We use social media tools to connect with people all over the world at virtually no cost, news stories spread in minutes, and any person with access to the internet can research almost any subject and get results within seconds.  Many people use Skype to talk to people in other countries at a very low cost.

In the 1980's it was very likely possible to discover information about threats to our government and businesses because the world was smaller.  I don't think that the CIA and other intelligence agencies used the shoe phone I remember Maxwell Smart using in the television program "Get Smart".  OK, that was a long time ago.  Over the years James Bond demonstrated how he used tools to accomplish feats that seemed impossible.  His Aston Martin allowed him to defeat the enemy or anyone in the way.  007 had the support of "M" and the United Kingdom's Secret Intelligence Service (SIS), more commonly known as MI6 (originally Military Intelligence Section 6).


The world has changed since Maxwell Smart relied on his telephone shoe and James Bond showed us how to really drive a car and remove "obstacles".   We can't rely on shoe phones or cars with special tools to save the world or rid the world of thieves and traitors.  We must rely on sophisticated tools to discover problems so they can be acted upon. 

It's preposterous that the New York Times Editorial Board would even suggest that Edward Snowden be granted an ounce of mercy.  His actions have further divided our frail country.  The New York Times Board states that "The shrill brigade of his critics say Mr. Snowden has done profound damage to intelligence operations of the United States, but none has presented the slightest proof that his disclosures really hurt the nation’s security."  Bull pucky.  Snowden has, in fact, damaged our nation's security and economy.  SC Magazine published an article referring to a German article that states that routers sold by Cisco and Juniper as well as several Dell servers contain NSA backdoors.  I wonder if Cisco, Juniper and Dell will lose market share or suffer economically from the "intelligence" Snowden is making available.

I think Snowden should come back to the United States and face the music.  He can lob grenades at the United States and companies all day long.  I think that it would be irresponsible to say that he has done his country a great service.  It is an injustice to all Americans.  Furthermore, it does nothing to discourage other individuals who might consider leaving the country illegally with documents and information owned by the United States.