Hey there! I hope your week is off to a great start.
Here is Episode 13 of the State of Security Podcast. This new “tidbit” format comes in under 35 minutes and features some pointers on unusual security questions you should be asking cloud service providers.
I also provide a spring update about my research, where it is going and what I have been up to over the winter.
Check it out and let me know what you think via Twitter.
MSI’s specialized offerings around Mergers & Acquisitions are designed to augment other business practices that are common in this phase of business. In addition to general security consulting and intelligence about a company from a “hacker’s eye view”, we also offer deeply integrated, methodology-driven processes around:
To learn more about these specific offerings, click on the links above. To discuss these offerings in more detail, please contact your account executive for a free consultation.
Plus, we also just added some new capabilities for asset discovery, network mapping and traffic baselining. Check this out for some amazing new ways we can help you!
I’ve lost track of how many useful cloud-based services I have signed up for within the last few years. I can’t picture my life without products like Uber, FancyHands and Gmail. It often surprises people to find out that these products are free or very inexpensive. If they’re giving the service away for free or at a very low cost, how can the companies make money?
Typically, a service provider is able to gain a substantial profit based on the fact that they are able to harvest your data. Imagine what an advertiser could gain just by learning information about your latest Uber ride. When using a service provider, it’s important to ask yourself, is the convenience worth the sacrifice of your privacy? While it’s possible that not all of these service providers are harvesting or selling your data, it’s worthwhile to at least consider your loss of control.
Personally, I have found that there are circumstances in which I am willing to sacrifice my privacy for a cheaper and more effective product. I feel that the convenience of being able to order a cab with the touch of a button on my phone is worth the risk of another corporation learning details about my trip. Another circumstance in which I am willing to forgo a bit of my privacy to gain a convenience would be my use of a “savings card” at my local grocery store. I have no doubt that they are tracking and analyzing my purchases. However, I have always felt that it is worthwhile to share my purchase history with the grocery store due to the discounts that they provide for using the “savings card”.
Despite the fact that I am often willing to forgo my privacy in an attempt to gain access to a service offering, there are products that I do not feel that the offered convenience warrants the loss of control over my personal information. For example, I recently looked into leveraging a service that could automatically unsubscribe me from a number of subscription emails. As annoying as those emails can be, I didn’t feel that the convenience of this service was worth letting a 3rd party parse through all of my emails.
Each time my personally identifiable information (PII) is exposed to attackers as a part of a data breach, I become more likely to voluntarily share my personal information with a 3rd party in an effort to gain a convenience. Next time you prepare to sign up for a free or discounted service, be sure to take a few extra moments to decide whether or not you are willing to expose your private information to gain access to the service. After all, there’s no such thing as a free lunch.
It’s great now days, isn’t it?
You carry around devices with you that can do just about anything! You can get on the Internet and check your email, do your banking, find out what is new on Facebook, send a Tweet or a million other things. You can also take a picture, record a conversation, make a movie or store your work papers – and the storage space is virtually unlimited! And all this is just great as long as you understand what kind of risks this freedom poses to your privacy.
Remember that much of this stuff is getting stored on the cloud, and the only thing that separates your stuff from the general public is a user name, password and sometimes a security question. Just recently, a number of celebrities have complained that their photos (some of them explicit) have been stolen by hackers. These photos were stored in iCloud digital vaults, and were really very well defended by Apple security measures. But Apple wasn’t at fault here – it turns out that the celebrities themselves revealed the means to access their private stuff.
It’s called Phishing, and there are a million types of bait being used out there to fool or entice you. By clicking on a link in an innocent-looking email or answering a few simple questions, you can give away the keys to the kingdom. And even if you realize your mistake a couple of hours later, it is probably already too late to do anything about it. That naughty movie you made with your spouse during your romantic visit to Niagara Falls is already available from Peking to Panama!
Apple announced that they will soon start sending people alerts when attempts are made to change passwords, restore iCloud data to new devices or when someone logs in for the first time from new Apple devices. These are valuable controls, but really are only detective in nature and won’t actually prevent many data losses. That is why we recommend giving yourselves some real protection.
First, you should ensure that you educate yourself and your family about the dangers hackers and social engineers pose, and the techniques they use to get at your stuff. Second, it is really a lot better to store important or sensitive data on local devices if possible. But, if you must store your private data in the cloud, be sure it is well encrypted. Best of all, use some sort of good multi-part authentication technique to protect your stuff from being accessed easily by hackers. By that I mean something like a digital certificate or an RSA hard token – something you have or something you are, not just something you know.
If you do these things, then it’s a good bet your “special moments” won’t end up in your Momma’s inbox!
Thanks to John Davis for this post.
Cloud computing has become a buzzword over the past few years. Some organizations wonder if it would benefit them or not. What are some of the questions an organization should be asking? In this episode of MSI Strategy & Tactics, Adam Hostetler and Phil Grimes discuss the various aspects of “the cloud” and how it can affect an organization. If you are considering transitioning your data to the cloud, you’ll want to listen! Discussion questions include:
Click the embedded player to listen. Or click this link to access downloads. Stay safe!
One of the government’s major initiatives is to promote the efficient use of information technology, including the federal use of cloud computing. So good, bad or indifferent, the government is now moving into the wild, world of cloud computing – despite the fact that it is a new way of doing business that still has many unaddressed problems with security and the general form that it is going to take.
At the Cloud Computing Summit in April 29 2009, it was announced that the government is going to use cloud for email, portals, remote hosting and other apps that will grow in complexity as they learn about security in the cloud. They are going to use a tiered approach to cloud computing.
All businesses, both large and small, are now investing resources in cloud computing. Here are seven problematic areas for which solutions need to be found:
Opportunities abound for those who desire to guide cloud computing. Those concerned with keeping cloud computing an open system drafted an Open Cloud Manifesto, asking that a straightforward conversation needs to occur in order to avoid potential pitfalls. Keep alert as the standards develop and contribute, if possible.
We hear a lot of questions about how organizations should handle the increasing consumer use of IT services based on the cloud. Services like Dropbox, Google Apps, Github and many others offer unique and powerful tools for users that they have come to depend on in their personal lives, and thus, some of those tools “leak” into their work lives as well. Often this means that data that was once considered corporate in nature is increasingly in play in these largely consumer-focused services. In fact, with the coming iCloud integration from Apple on the horizon into all iOS devices, some organizations are in a down right panic about how to manage these new services in their user populations.
We want to offer up three suggestions for organizations facing these issues (most of us):
We know these three suggestions have a “soft skills” feel. Maybe you expected a suggestion for more firewalls, detection tools or crypto? But, the real story here is, we need not only better tactical approaches and toolkits to solve the coming security issues we face, but we need a holistic strategy to do it effectively as well. That said, before you invest in another round of cloud-based detection thingees or a new quantum cryptography system with geo-spacial locations for keys, how about we all take a moment, sit down, discuss how users are really working now and what they want for the future? Maybe if we think this next huge step forward through a bit more and take a more strategic approach, we can figure out how to make users happy AND secure their data. Hey, I can dream, can’t I? 🙂