January 28th passed mostly in silence - February 1, 2018

Why do I mention January 28th? It was Data Privacy Day. So, what's the big deal?

Data Privacy Day is an annual international event to remind everyone to be diligent about online privacy and online information. The National Cyber Security Alliance led efforts in the USA to call attention to the event. Part of the message is to “own your online presence.”

So, here's the deal.

Part of owning your online presence is understanding what information about you is available to others. Why does that matter?

A recent investigative report aired on a local TV station. “Bogus background check could be costing you money” revealed how incorrect cyber information can hurt you. In this case a gentleman had his insurance rates go up dramatically because a company that collects credit records and provides them to insurance companies supplied bad data. 

Yes, I know this is a case of garbage in garbage out, but whose garbage is it?

In this case the negative factors in the “Bogus background check” came from the victim’s son, who had the same first and last names but was “the second.” The son’s history was erroneously mixed in with the father’s record. According to the news story, the company supplying the report responded that they do rigorous checks to maintain quality; but they didn’t in what they characterized as a “rare case.” The algorithms did not perform as intended.

What was the advice of the investigative reporter? Check the information that is available for accuracy. Sounds like “own your online presence.” I’ll be sure to pass this story and this advice along to people come next Data Privacy Day (January 28, 2019). Maybe more people will take notice and think more about their online presence.

The investigative news story mentioned the offending companies, but I have left them off. These kinds of mistakes are detrimental to corporate reputation. Sure, it was inadvertent, but was the company paying enough attention to the collection and use of data? What were they doing to avoid unintended consequences? One of the companies mentioned had a hugely embarrassing incident recently. It was credited to lax policy enforcement. What about you and your company?

I am proud to say that Marquette University is putting together a Symposium on the Ethics of Big Data III. This is the third in a series of meetings on privacy, data collection, and the consequences of Big Data technology. This year we will meet on April 27 in a discussion that is open to businesses, academics, students, and the public. Folks at Northwestern Mutual are demonstrating their recognition of the importance by joining us to sponsor and host the meeting at their new tower in downtown Milwaukee. See http://marquette.edu/ethics-of-big-data for information. Other companies have regularly made an appearance and supported this annual event.

Help make a difference; be cyber security and privacy aware.

(See https://staysafeonline.org/data-privacy-day/about/ for information about Data Privacy Day and https://www.tmj4.com/news/i-team/bogus-background-check-could-be-costing-you-money to see the full story about the bogus background check.)

 

Cyber Security Awareness Requires Leadership - October 20, 2017

Cyber security is a question of leadership and awareness is the responsibility of leaders.

Almost all successes are the result of a proper combination of People, Process, and Technology. The importance of these three items is apparent in the examination of the cyber security incidents that have gained national attention. It always starts with people. People can prevent breaches or people can cause them. Incidents can result from inadvertent behavior or from malicious intent. Cyber Security Awareness focuses on reducing inadvertent behavior that leads to failure of the security system. Often someone with malicious intentions takes advantage of the inadvertent action, but that is not always the case. There is not always a bad guy trying to take advantage of others.

Safety in manufacturing plants is not the same as safe computing but safety awareness is remarkably similar to Cyber Security Awareness. During my career before academia, I had the privilege of observing a dramatic improvement in plant floor safety that resulted from leadership and awareness. General Motors went from having a mediocre safety record to being by far the safest manufacturing environment in the industry.

The journey from mediocrity to excellence started with recognition of the problem created by workplace injury. Leadership from the C-suite resulted in having all executives take safety training from the world leader in workplace safety, DuPont. Having been in the explosives business, it is clear why DuPont emphasized safety.

The manufacturing organization followed the leadership of the VP of Manufacturing, Joe Spielman, supporting the theme "Safety is Our Overriding Priority." The corporation regularly heard the message that came from DuPont, "All incidents can be avoided." The term "incident" replaced "accident" in the conversation because accidents imply that they are somehow unavoidable.

Measurements were put in place; goals were set and clearly articulated. For example, the goal at one assembly plant in Oshawa was a 50% reduction in lost time injuries and “recordable” injuries every three years. This led to reducing lost work day cases per 100 employees from 13 in 1994 to under 1 before the close of 2001. In 2002, GM plants from around the world had achieved an industry leading 3.6 recordable incidents per 200,000 hours worked compared to an industry average of 20.3. [1]

A practice that helped lead to the improvement was attention to "near-misses." These were recorded and analyzed at safety meetings, which were mandated to occur regularly. In our office environment, we held these meetings weekly. The clear goal was fool-proofing the system. In all plants, serious near-misses required the Plant Manager to tour and assess the situation within 24 hours. Supervisors and team leaders were required to investigate all actual incidents before the end of a shift.

There is a strong parallel between this example and the Stop. Think. Connect. campaign coming from the Department of Homeland Security. This is one of the primary concepts included in the DHS program in cyber security awareness.

I mentioned that there must be attention to People, Process, and Technology. The culture must change. An example from GM of the emphasis on balanced attention to People, Process, and Technology can be found in the 2004 announcement of a new safety device aimed at reducing railcar workplace injury. A joint union-management memo stated, "constant vigilance to the safety process and ongoing training to ensure compliance to safe operating practices is necessary to protect all employees." [2]

All of this provides a nice story for safety management. Why don't we do that for cyber security? Who is providing leadership? Who is measuring the organization? What are the goals?

I am organizing a Colloquium on Cyber Security Awareness to start a conversation about how we improve security within populations such as the general public, which uses hundreds of apps and social computing; our customers, who use our IT infrastructure to communicate with us; our employees, who have access to the information we need to secure; and students, who are the future of computing. This event will come in October, National Cyber Security Month.

References

[1] M. Rosen, General Motors: Achieving and Maintaining World-Class Leadership in Worker Health and Safety in the Automotive Industry, Safety Management Education, May 2008, available online at http://safetymanagementeducation.com/wp-content/uploads/2015/06/Case_Study_GM_Truck_Plant_Case_study.pdf (accessed 22 July 2016).

[2] C. Suemnick and

 

NIST publishes NICE Cybersecurity Workforce framework

The National Initiative for Cybersecurity Education (NICE) released Special Publication 800-181, the NICE Cybersecurity Workforce Framework. The framework presents common terminology to be used to support a capable workforce. It provides a common, consistent lexicon that categorizes and describes cybersecurity work by Category, Specialty Area, and Work Role.

The Cybersecurity Jobs Heat Map has also been updated with new data and other features to align with the NICE workforce framework. The CyberSeek portal provides access to the heat map.

 

Do you need Geek-speak to be convinced?

If setting up automatic system updates sounds too simple to be effective in combating cyber-attacks,

 

try this....

employing the auto-configurator to engage both server side and client side dissociated daemons in a distributed multi-tasking environment to update the hierarchical organized services directory and install executable specifications, processing abstractions and physical implementations of application program interfaces, peripheral drivers, communication protocols, dynamically linked libraries, interpretable kernels, and other service components and abstractions to their most immediate revision levels as prescribed by the service vendors.

 

STOP.THINK.CONNECT. - May 15, 2017

Over the weekend there was an international alert about ransomware. This attack was particularly troublesome, because it combined a worm (a kind of malware that looks for ways to spread itself) with a “payload” that was ransomware, asking for a ransom to free up locked files.

The shame of the situation was that simple measures, which we remind users about regularly, could have prevented the infectious spread of this incident. The malware is named “WannaCry,” and it makes you want to cry to realize that following advice about not clicking on suspicious items and updating your system to the latest releases of software could have stopped this massive intrusion on cyber lives.

We are living in a cyber world; we cannot afford this kind of problem. A few simple steps can help avoid disruption.

  • Keep a clean machine – get the latest versions of software and consider automatic updates to services and apps, including your operating system
  • Be web wise – keep aware of threats, think before you act, back up valuable work, and do not install random malware removal tools from untrusted sites

These are simple things. Are they too obvious to be taken seriously? Are you looking for something more technically complex for the advice to be believable? Don’t. Leave that to the technical experts who are constantly providing the complex solutions to make it easy for you.

Just take those simple steps. Clean up your computers, tablets, and smart phones. Be wary of the threats that are posed. Follow the theme put forth by the National Cyber Security Alliance, Stop.Think.Connect and visit their website regularly for information and tips.

 

WORLD PASSWORD DAY - May 4, 2017

Thousands of people and hundreds of global organizations will support WORLD PASSWORD DAY on May 4, 2017. We ask students, faculty, and staff to consider using multi-factor authentication.

As more and more sensitive data is stored online, the effects of cybercrime grow more significant each year. In fact, identity theft is among the fastest growing crimes in America. Passwords are critical gatekeepers to our digital identities, allowing us to access online banking, email, and social media, yet the majority of passwords are vulnerable to hacking. Millions of Americans have had their digital accounts hacked because of stolen credentials or weak logins, but many are not using widely available, simple technologies to better secure their online accounts.

The Center for Cyber Security Awareness and Cyber Defense suggests that you join on May 4 to take a social media pledge to improve your password habits. Go to https://passwordday.org/ to find out more and take the pledge.

 

Speak Up - November 29, 2016

This week I am sponsoring a meeting on campus entitled "Stay Safe Shopping Online." It will be tomorrow evening and I hope people take the time to come to listen to the messages about reality, security, responsibility, and recovery. 

Here on a campus, from an academic perspective, this is unremarkable, but I felt the need to do it. I was thinking of opening the session with the disclaimer that there is nothing in the presentation that is original. The only thing that is original is the thought to make the presentation. Indeed, all of the material comes from sources readily available. The lesson for students, beyond the cyber security ideas, is, "If you feel there is a need to address a topic, take action, and speak up."

I suppose I could claim something about the importance of establishing a culture of cyber security awareness. How many times have experts told us about the importance of the correct culture for organizations? This is not about establishing a culture; it is about facing the facts and starting the conversation. Establishing a culture for this, or a culture for that, is manipulative. I have watched numerous leaders who worked at establishing a culture; and I have followed others who took the lead. I have seen many who advocated walking the talk and been skeptical. Something I learned from a leader that I followed is to talk the walk; that always seemed more effective.

But stay realistic. My observation is, if you believe in something, act on it out of passion, and speak up, it will either change the culture or not. The organization will be the judge.

So, from where does the material for "Stay Safe Online Shopping" come? It comes from people who felt some passion about cyber security awareness. They saw the need and started the conversation. I guess having heard them, I have either "drunk the Kool-Aid" or become a part of the culture.

I hope students leave campus with an openness to ideas, a penchant for action, and an eagerness to speak up. The education is there to help them to know what they are seeing, to know where to seek knowledge when they don't have it, to know what to do, and to speak up in a way people understand.

That represents a kind of culture too.

 

IOT Breach

We just finished providing advice about Cloudbleed, and now we have another incident requiring comment: the CloudPets data breach.

The number of users impacted (800,000) in this case is less important than the nature of this attack. The internet of things is booming. Refrigerators, televisions, cars and toys are becoming targets. Toys used to be push toys; then they became motorized, then they made sounds, and now they are becoming smart. Consumers need to be smart. In the case of toys, information about your children may be getting into the wrong hands.

The National Cyber Security Alliance (the nation's leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness) produced a statement about CloudPets that includes some good advice and an infographic. While much of this is a repeat of the messages from Cybersecurity Awareness Month, you ought to heed their warning. In summary you need to:

  • Know how to maintain cybersecurity for your IT devices.
  • Own your online presence.
  • Lock down your login.
  • Pay attention to the Wi-Fi in your home.
  • Research before you purchase.

What to do about Cloudbleed?

The full impact of Cloudbleed is still unknown; however, it is "better to be safe than sorry." Cloudbleed provides an opportunity to remind everyone to be more diligent in managing their passwords. Given the millions of transactions performed by Cloudflare for numerous highly recognized websites, anyone's authentication or personal information may have been leaked. No one yet knows if Cloudbleed was exploited. We recommend doing a risk assessment and following the best practices. There are password creation tips provided by Stop Think Connect.

We have published a more complete explanation of "What to do about Cloudbleed" on the MSCS website. This includes:

  • Understanding your risk.
  • Using pass phrases that you can remember.
  • Creating unique pass phrases for unique sites.
  • Using multi-factor or two-factor authentication.

Other Resources for News and Views

There are many websites that provide access to news and views about information security.

These include the following:

While not exactly industry views, here are links to two videos that suggest the importance of cybersecurity technology: