
As I was researching my Cost of Lost Trust blog, I came across “Security of Cloud Computing Users Study.”  The Ponemon Institute published this study in March 2013 based on a survey and analysis completed in late 2012.  It is a follow-up to their initial 2010 study on the same subject, and CA Technologies sponsored both studies.  The full report is well worth a read if you are concerned about security in the Cloud; and if you are moving any part of your IT infrastructure to the Cloud you should be.

The study was based on the analysis of survey responses from 696 IT or IT security practitioners across the United States.  58% classified themselves as IT in general, with 21% classifying themselves in security roles.  Over 40% were in the banking, government, health care and retail industries, with the rest scattered across about 20 other industries.  Almost 80% of the respondents reported directly to the CIO (Chief Information Officer), the CISO (Chief Information Security Officer) or the CTO (Chief Technology Officer).  Respondents had an average of 10 years of IT or IT security experience.

Here, in my opinion, are some of the encouraging, and disturbing, highlights of this study.  As often happens, some of the survey results can fit in both categories.

Overall, most organizations have improved their Cloud security practices since 2010.  However, only about half of the organizations felt positive about security of their implementation as they moved to the Cloud and were unable to create confidence in the Cloud within their company.

The use of SaaS (Software as a Service) and IaaS (Infrastructure as a Service) has increased, and security practices have improved since 2010.  However, only about half of the organizations even bother to evaluate their Cloud Service Provider (CSP) from a security perspective prior to deployment.  Not surprisingly, about the same number are not confident about the security provided by the CSP.  Even more worrisome, only about half of the organizations surveyed involve their security team in planning a Cloud implementation.

One of the biggest issues with security is “who is responsible?”  The survey indicated that 36% of SaaS users expect the CSP to ensure the security of their applications, and 22% of IaaS users have the same expectation.  Yet only about 10% of the organizations actually engage in discussions with the CSP on security issues.  Almost 80% of the respondents believe their end-users are “the number one group responsible for the security of cloud service providers.”

No matter how you handle it, security is your responsibility.  If something goes wrong, it is your problem to fix, your fines to pay, and your customer relationships that are damaged.  Your CSP will likely help to investigate the problem, but the CSP will not take responsibility nor accept any liability.  Make sure you and your own security and compliance team are satisfied with your total security and compliance status, including your partners’ security and compliance status.  Also make sure you can convince your senior management and customers that you remain secure.

I have said this many times before, but it is your responsibility to:

  1. Understand the real security requirements of the workloads you plan to move to the Cloud.  Remember to include data Life Cycle Management, archive and backup requirements in this analysis.
  2. Work with your CSP to make sure these security requirements can be met.
  3. Document how your security requirements are being met, and who is responsible for each step and requirements.
  4. Periodically review the requirements, since they will change as compliance, laws, and your workload change.  At a minimum you should be reviewing your security requirements anytime you add a new application or start collecting new data.
  5. Periodically review the security status of your IT environment to ensure that you are still meeting your requirements.
  6. Talk to your stakeholders throughout the process to address their concerns and make them confident of your plans and implementation.

Of course you are already doing 1, 3, 4 and 5 in your IT environment today, so the real work is in adding in a new partner, your CSP.  If by chance you are not currently doing these steps, then I strongly suggest you do steps 1, 3, 4 and 5 before you move to the Cloud.

Security is like dust on the furniture.  Nobody notices when there is no dust, but you will get real attention if you have a security problem.

The last word:

I periodically see articles that the Cloud is not meeting expectations, and I wrote on the State of the Cloud in January.  In September 2012, TechTarget conducted its Cloud Pulse survey, focused on Cloud Computing adoption and usage. Their Cloud Adoption Index for Public and Private Clouds is 25%.  If all respondents moved entirely to the Cloud, then the Cloud Adoption Index would be 100%, so essentially one quarter of the respondents’ workloads are running in the Cloud on average.  61% of the respondents are using the Cloud in some way.

TechTarget found that of those who said in March 2012 they were moving to the Cloud in the next six months, the September survey indicated that many had not yet made the move.  The top reasons for the delay are the usual ones:

  • 34% cited a lack of control over what happens in the Cloud compared to their own on-premise facility.
  • 33% indicated that they had a ways to go in simple virtualization, a necessary first step for most Cloud migrations.
  • 31% are concerned about security in the Cloud.

Both the Ponemon and TechTarget surveys are “glass half full / half empty” results.  But perhaps the real answer is the engineer’s response:  the glass is too big.  The Cloud is a technology, not a product, and your journey to the Cloud is unique.  Someday you will be there, but you need to evaluate the Cloud from your own business perspective to determine how and when you are ready.

Comments solicited.

Keep your sense of humor.

Walt.

Cost of Lost Trust

I have often quoted the Ponemon Institute in these blogs, and this is another example.  I quote them because they do detailed research on privacy, data protection and information security policy and report the results in a compelling and easy to read manner.  These subjects are of great interest to me, and should be important to CEOs, CFOs, and CIOs.  Ignoring what is going on in the cyber war world of today is dangerous to the future or even the existence of any organization.

Some recent findings reported by Ponemon, with my brief interpretation.

  • The average cost per lost record of a data breach in the US is almost $200.
    Note this is the cost for every record that is misplaced, mis-sent, or deliberately stolen that contains protected information.  This protected information includes information covered by government privacy laws, financial information (e.g., PCI compliance) or medical information (e.g., HIPAA compliance).
  • Over half of surveyed CEOs report cyber attacks every day.
    Fortunately, most of these attacks are foiled.  But it only takes one success to negatively impact your business.
  • 60% of employees circumvent the security features on their mobile devices, while 68% of US businesses allow employees to have their own mobile devices in the workplace.
    When properly secured, personal devices like smart phones, tablets and laptops can greatly improve the productivity and satisfaction of your employees.  If they are not secure, then any emails, downloaded files, even photographs on those devices are potential breach risks. These devices are lost and stolen every day.  The Ponemon Institute reported that each week over 10,000 laptops are reported lost at 36 of the largest U.S. airports, and 65% are not recovered.  Other reports show that each adult loses on average four smart phones.  How much of your data is on these devices?
  • 94% of healthcare organizations had a data breach involving protected data.
    With the “strongly encouraged” universal use of electronic medical records and the sharing of these records among a variety of health care providers, insurance companies, and government organizations, each data breach can potentially involve millions of individuals’ protected data.
  • 77% of UK companies’ IT organizations use live production data for testing and development.
    What are they thinking?  Almost by definition, testing and development processes expose data to significantly increased risk since that data is being handled by new or modified untested software.  Development environments are usually unstable, with constant changes in server usage, storage devices and network infrastructure.  The focus is on getting the job done quickly.  Security, if even considered, is secondary.  Often a company will outsource some or all of its development and testing activities to third party organizations.  These organizations, while good at what they do, are also more concerned about getting the job done than securing test data.  I know of one case where a US company outsourced its development to a company in India, which outsourced all testing to a company in China.  The US company was not even aware of the Chinese connection.  They were providing tens of thousands of live data records to these companies to use in testing.

A recent Ponemon Report is their 2013 Annual Cost of Failed Trust Report: Threats & Attacks.  This is the first of this series that provides an “extensive examination of how failure to control trust in the face of new and evolving threats is placing all global enterprises at risk.”  This survey covered over 2,300 mostly Global 2000 enterprises from Australia, France, Germany, the U.K. and the U.S.

The primary focus of this report was the cryptographic keys and certificates that organizations use to provide trust for electronic communications.  These keys form the security basis for Internet commerce, smart phones and other mobile devices, and, of course, Cloud Computing.  These keys, and the certificates that bind them to identities, are what protect the data you send and receive over the Internet.  Making the risk higher is the fact that most organizations have no way to even detect attacks on these keys.  This report is the first attempt to quantify the scope of these attacks and their impact.

The cost of these attacks is significant, with about US$400M at risk in each of these Global 2000 organizations.  The easiest exploit for cyber criminals is weak cryptography.

Protecting these keys and the infrastructure around them is not easy.  Enterprises reported that they have on average almost 18,000 separate keys and certificates deployed across their IT infrastructure or in the Cloud.  Over half of the organizations did not know what the actual number really is.  45% believe that failing to securely manage these keys and certificates directly leads to the erosion of trust.  The risk is compounded by the potential of compromised Certificate Authorities, the companies that issue these digital certificates.  Every respondent reported at least one trust exploit over the last two years, and the prognosis for avoiding future attacks is grim at best.

While this particular survey was focused on Global 2000 companies, no organization is safe.  If you are using the Internet you are at risk.

Ponemon also reports that 80% of CEOs think having a reputation for protecting customer data improves their brand and marketplace image.  These security risks, when properly handled, can become a marketplace differentiator for your company.

Are your CEO and CFO aware of these reports?  Are they concerned about the consequences of lax security?  They should be.  If they aren’t concerned, then you should probably be updating your résumé.

The last word:

Think social media does not matter?  This week a hacked tweet sent the market into a “flash crash.”  The U.S. Dow Jones Industrial Average dropped about 150 points in a matter of seconds after a faked Associated Press tweet about an imagined attack on the White House.  It was not even people reacting to the tweet, it was computer programs reacting to the content of the tweet that caused the drop.  But it took real people to realize it was a fake tweet and reverse the “tweetfall.”

During the recent Boston Marathon aftermath, we saw news media using social media to pass on totally erroneous and sometimes made up information.  This was all people “in the know” who demonstrated their incompetence in real time through social media.

Bad social media is, well, bad.  Do it and you can hurt your company.

But good social media can make a very positive and measurable impact on your company.  Look at the ABC drama Scandal.  Sure, it has sex, violence, high-level political intrigue, and some very interesting characters.  But the way ABC has embraced social media with this show is a significant reason why it has its high ratings, and therefore high advertisement revenue.  So far, Scandal has generated more than 2.8 million tweets, 25% more than American Idol.  Most of these tweets occur during the show.

Social media engages people, and makes the product a “must have,” or in the case of Scandal, “must see.”

Comments solicited.

Keep your sense of humor.

Walt.

Taste Trip

(This is another special post by Suzy. I hope you enjoy it.)

One of my favorite ways to enjoy a road trip is to try the local restaurants. Independently owned or local chains are best. If caught short, or pressed for time, there are always reliable, national chains. But the fun really begins when you take the time to stop for a meal at the local place. Some of the best, and worst, food I’ve ever had was at some of the most diverse places we have found “on the road.”

In April 1957, when I was in fifth grade and my brother, Jim, was four years old, Uncle Sam moved us from San Diego to Philadelphia. Actually Daddy’s orders had us going to Guantánamo Bay, Cuba, and we were to follow as soon as housing there was available for us. Housing for U.S. military dependents was at a premium, and assigned by military rank and size of family. We never actually made the move to Cuba, but that’s another story.

Jim was at the stage many children go through where only one kind of food will do. Some kids choose chicken strips or nuggets, some grilled cheese sandwiches, others peanut butter and jelly. Jim liked cold cereal–Frosted Flakes were at the top of his list. It didn’t matter if it was breakfast, lunch or dinner; it was cold cereal. Moma would try to have him opt for oatmeal for a little variety and he would refuse. At lunch she would suggest a sandwich or soup and he would turn it down. At home, she would make dinner and he had the choice of eating what was served or waiting for the next meal. Since the next meal would be breakfast anyway, he would ask to be excused from the table and would wait for cold cereal in the morning. On our trip across the country this created a bit more of a challenge. Breakfast, obviously, was uneventful. Lunch was a bit more difficult as the chains we know today were fewer and farther between in the Fifties. We would stop at a local burger joint or a cafe. At the cafe, he could insist on cold cereal because they usually served breakfast as well as lunch, and sometimes dinner, so they had cereal. On the other hand, a burger place, especially those that were a box with a window or where the waitress would come to the car, didn’t open till lunch, so they never stocked cold cereal. We ended up at a cafe. That took longer and Daddy would spend the entire meal consulting his watch. He was granted only a limited number of days travel time for any move, so every mile we traveled each day was important.

The number of miles we could go in a day seems small now, but the Interstate system was in its infancy and the U.S. highway system went through every village, town, and city. Moma always had trouble reading a map, so unless we went into a one-road-through town we would often miss a critical turn and end up with an unscheduled sight-seeing trip. Then, attempting to relocate us on the map and read the up-coming street sign as the other cars guided our choices would cause frustration in the front seat.

One of Daddy’s requirements for a place to eat was that it be on the far side of any metropolitan area so that he and Moma could take a breather after navigating a strange town. Hence, we would pass up likely looking stops because they were at the onset of our passage through town or in its busy center.

When we finally picked a place we would need to figure out the menu. Not everyone wanted cold cereal. I never was a fan of mayonnaise, especially the gelatinous cream colored style that came in industrial size jars with wide mouths. I’m sure that you are familiar with the really flavorless kind they would scoop out with a spatula and smear in a thick coat on the bread. Yuck! I would scour the menu for something I recognized, but that didn’t say “mayo.” My eyes would light on an item, Moma would read the description, then remind me of something there that I disliked. Daddy would say that if I ordered it, I would eat it. Again he would be looking at his watch. Some of the foods I tried this way I was hard pressed to make myself eat again for a very long time. Others, like the broasted chicken and fries in a basket, have never been equaled.

Dinner was even more of an adventure. One of Daddy’s criteria for a motel was that there be at least one place nearby where we could get dinner and hopefully breakfast, or one to do each. Motels at the time didn’t feel it necessary to feed their guests. Some did include a cafe attached, but not all. Motels didn’t include breakfast, neither cold nor hot. We spent one night in Williams, Arizona. The motel was about a block away from The Steak House. That dinner set the standard for steak houses as far as I was concerned. As Daddy told the hostess that there were four of us, my eyes were drawn to a glass case filled with various cuts of uncooked, deep red beef with little signs describing the cut, behind which was a butcher shop. After we were seated, the waiter brought a tray of raw beef selections, in case we hadn’t noticed the display, I guess. Being cautioned that I could point, but not touch, I made my selection. When the entrées arrived at the table each piece of meat had a small color coded plastic steer standing in its center to tell us the degree of doneness. I still remember how delicious that meal was.

Several nights after Williams, we stopped in a larger city. I was tired of beef. Jim still wanted cold cereal. Moma tried to convince him that a “real” dinner would be better. The waitress took pity on our parents and assured Moma that she could get a bowl of cereal for Jim. She then turned to me. I brightly told her, “The loin lamb chops, medium rare, please.”

Daddy sighed, “But this is cattle country.”

“Is that the most expensive thing on the menu? Did you choose by the price?” queried Moma.

I was now embarrassed and, therefore, became stubborn insisting that I really did want the lamb. I’m not sure that I even remembered what lamb tasted like. After the waitress left with our orders, I got a history lesson on animal husbandry and land use in the West. The emphasis of the lecture was that it was best to eat locally grown and prepared foods. Especially when traveling. Yes, our parents were locavores even before the term was invented.

Eventually we arrived at our grandparents’ house. Living in Philadelphia, Grandmom shopped at the corner grocery two blocks south, the local butcher two blocks north and one west, and the bakery two blocks south and three west. Dairy was delivered several times a week to the little insulated box at the back door. Food was done in either American or German style. Grandmom enticed Jim to try baked beans. When he declared he liked them, she saw that he got them every dinner. To this day, he laughs at how often she served him baked beans over the years.

Somehow our parents survived the eating trials we presented and we learned how to eat a variety of foods in different styles. Traveling still provides some of the best eating experiences. We did find a few treasures of comparable quality and preparation on our current trip. Wichita has a place called “Scotch and Sirloin” that offers super tender and well seasoned beef, without viewing the raw selections. In Des Moines, it was “Irina’s Russian Restaurant.” They carried over fifty selections of vodka and some very nice wine. The waiter told us that the area of Russia that Irina emigrated from had a similar climate to Des Moines, so she could get very similar foods and ingredients. However that works, the meal and service were a treat.

Eating on a road trip is great, except, maybe, when you are in the middle of “nowhere” and are hungry. More often the problem is that there is too much good eating.

The last word:

My family also did a lot of road trips, often without the urgency of getting there in not quite enough time. I do remember that in the fifties, Dad believed that a good way to pick a good inexpensive place to eat was to follow the truckers.

Today when in Europe, I look for bicycles in front of small places. Sometimes you can’t communicate well, but you always get good food, good service, and a few laughs.

Comments solicited.

Keep your sense of humor.

Walt.

I was listening to a recent Q&A session with Pat O’Day, CTO of Bluelock.  Bluelock provides mid-size and large enterprises flexible IT infrastructure solutions with its virtual datacenters in the public Cloud.  He made a number of interesting points, but one of them really stood out as a nicely succinct way of saying something I have been talking about in these postings: “The journey is different for everyone.”

Years ago I worked with two customers about the same size in the same line of business, doing the same things with IT.  In fact they were running on the same mainframe hardware, using essentially the same software products.  While there were many IT lessons that could be shared between these two companies, their business focus was just different enough that the way they handled hardware and software upgrades and disaster recovery were not the same.  Lessons learned in these areas at one customer could not be applied to the other except at a very high “something to think about” level.

It is the same with your journey to the Cloud.  Your business needs and goals will have a significant impact on your final Cloud destination and the path to get there, or at least they should.  Beware the sales person who tells you his company just moved your biggest competitor to the Cloud, and they can do the same thing for you.  Maybe they can; but, if they don’t start with finding out exactly why you want to move to the Cloud, what benefits you are looking for, and what your strategic plan is for market, product or geographic expansion, then I would be very hesitant.  They have a plan, and they can probably execute it perfectly, but it may not be “your” plan, you probably will end up in a suboptimum place, and the journey may be more difficult than necessary.

Most companies are just contemplating Cloud Computing or in the process of moving to the Cloud for the first time.  They may have successfully moved to virtualization, and now feel ready to begin their journey.  True, virtualization is an important step.  But virtualization is a technology change.  While it can be a real challenge for some applications, it is something that most IT shops can do themselves or easily contract for outside help.  Carefully done, it can be invisible outside of the IT organization – everything works just as it did, just less expensively and with more flexibility.  There are some significant operational changes necessary within the IT organization, but again there are best practices and you can get help.

The Cloud, however, is not a product like VMware; it is a concept.  It is a concept that can be implemented in dozens of different ways, and each way presents opportunities and risks.  Those opportunities and risks probably vary among different applications in the same IT shop, and it may be difficult to predict them if your staff lacks significant Cloud knowledge.

While this may be your first toe in the Cloud exercise, your chosen Cloud Service Provider (CSP) has done dozens, hundreds or perhaps thousands of these journeys.  They do have the expertise and experience to do it right and get you smoothly into the Cloud.  If, and it is a big if, they really understand your situation and priorities.

You need to know exactly what applications you are taking to the Cloud, in what order, and what process change must accompany that journey.  You need to be concerned about organization-wide issues such as backup, life cycle management, security, and auditability during the journey.  In short, you need a plan.  Your plan, based on your unique business needs and goals.  It is best if you have the plan before you select your CSP as very few of them provide all of the Cloud’s capabilities.

Many companies move to the Cloud to save money.  Often this is the most important reason as they start their journey.  Sometimes it takes them a while to figure out exactly how much they are saving, especially since they are paying for something significantly different.  No longer are you paying for specific Intel processors in a box with so-much memory, but you are paying for access to exactly the amount of performance that you need.  Same with storage and network – you aren’t buying, you are paying for it as you use it.  Capital expense has migrated to operating expense.  This requires a different skill set in your IT department.  The people who used to run around keeping your network performance up or balancing utilization across a dozen different applications do not need to do that anymore; your Cloud Service Provider is handling that, probably better than your own team ever could.  Now you need people who are paying more attention to your strategic objectives and finding new ways to use these new capabilities.  Most companies do save significant money moving to the Cloud, but their real benefits are often in terms of agility.  They now can react this afternoon instead of next month to even severe demand increases and decreases caused by opportunities or setbacks.

Think about what this kind of agility is worth to your company.

The last word:

I always ask the company’s senior management about their tolerance for risk.  Just like some people are willing to take large personal investment risks to get high potential returns, some companies are willing to take risks for real gain from the Cloud.  I’ve noticed that, like people, the older a company is the more likely it is to have a low tolerance to risk.  It has an engrained culture and set of processes that have proven successful for decades, and change is expected and planned for, but tightly controlled.  I have seen a number of Cloud journeys interrupted by a C-level executive simply because of perceived risk.

As you plan your journey to the Cloud, take this factor into account and keep your senior management team well informed of the risks and opportunities.  It is far better to find out early that your plan needs to be modified.

Comments solicited.

Keep your sense of humor.

Walt.

How Goes the War?

Here we are at the end of first quarter 2013.  How goes the cyber war?  Are we winning?  Can we announce a withdrawal anytime soon?

The US Civil War was 150 years ago.  There was a clear enemy and a clear end, at least to the military and governments involved directly and indirectly.  Almost always you could recognize the enemy; they wore uniforms.  There were, of course, exceptions like spies under a variety of terminology, but they were a very small percentage of the total fighters involved.  Seventy-five years ago in World War II, it was very much the same.  Vietnam provided a different model: asymmetric warfare.  When you take big military organizations against enemies composed of individuals and small groups with a loose affiliation, your biggest problem is separating the enemy from the general population.  Even if the majority of the “general population” is in fact trying to destroy you, including women and children, you lose in the public opinion and press theater when you hurt “innocents.”

We have tried to win the “hearts and minds” of countries harboring significant numbers of enemy agents.  These people want to destroy our culture, finances and government.  We, and others before us, have failed to win those wars.  Usually, the losing side simply declares victory and wanders off.  The fighting continues, sometimes not really impacting us every day, but the war goes on.

In addition to the guns and bombs crowd, we are increasingly being attacked via cyber warfare.  In some cases, the same groups are attacking us with both guns and computers.  Conspiracy theorists are probably having a great time explaining how activist groups, identity thieves, religious groups and governments are working together.  While I think all of these groups really are individually “out to get us,” they often can’t even get their own activities coordinated let alone work with different groups with different rationalizations.

Two BBC articles in the past week give an indication of “how goes the war.”

The UK government is launching a new initiative to fight cyber threats.  It includes experts from GCHQ, MI5, police and business.  These experts will create a secure web-portal to allow access to shared information in real time.  Visualize a secure Facebook, if you can.

MI5 is the British intelligence agency working to protect against threats such as terrorism and espionage.  Like the difference between the US agencies FBI and CIA, MI5 deals with threats inside the UK and MI6 deals with threats outside of the UK.  James Bond belongs to MI6.

GCHQ is the Government Communications Headquarters, a British intelligence agency responsible for providing signals intelligence and information assurance to the UK government and military forces.  GCHQ has been around for a long time, originally established after World War I.  At this point it works to secure the communications and information systems of the UK government and critical parts of UK national infrastructure.  GCHQ is also the organization that recently admitted to emailing plaintext passwords to people who register on its careers web pages, violating a basic rule of password management: a site should store only a salted hash of a password and should never be able to recover, let alone email, the password itself.  As I post this, the official GCHQ web site has been “currently unavailable” while “undergoing routine planned maintenance” for over 24 hours.

Throughout history, human kind has developed forts and cannon.  The stick is a cannon.  The shield is a fort.  When someone builds a better cannon, others will build a better fort.  Sometimes for centuries one side or the other is more effective.  Against a persistent enemy, the fort has to win every time; the cannon only has to win once.

This UK initiative is part of the fort mentality.  “Let’s put our heads together and figure out how to stop these <insert appropriate word here>!”  Other governments, including the US, have built similar organizations.  Most often as forts, sometimes as cannons.

As often happens with governments, it is amazing how fast they can work to solve important problems.  After all, the cyber war has been going on for only a little more than 30 years.  See Clifford Stoll’s The Cuckoo’s Egg (1989) for an account of an early victory, won primarily because Stoll fought like a cannon, not a fort.

I am guessing that this “secure web-portal” will become a frequent attack point for the UK’s cyber enemies.

The second article is about “the biggest attack in history” against the Internet.  This turns out to be a disagreement between two organizations that is having an impact on services like Netflix, and could easily expand to impact banking and email systems.  At least five national cyber defense forces are investigating the attacks.

What is the disagreement about?  The two protagonists are a spam fighting organization and a popular commercial web site hosting firm, both well known and established organizations.

Spamhaus “tracks the Internet’s spam senders and spam services, provides dependable real-time and anti-spam protection for Internet networks, and works with Law Enforcement to identify and pursue spammers worldwide.”  Sounds like one of the good guys.  One of their prime weapons is the “blocklist” – a list of “bad” web sites.  You can set up your browser to not allow access to any blocklisted web site.  Companies can set up their company-wide edge defenses to prevent anyone in the company from accessing any blocklisted web site.

Cyberbunker is a Dutch web hosting company that claims to provide “your bullet proof datacenter … secure, reliable, untouchable, online.”  Like hundreds of other companies around the world, they are a Cloud Service Provider (CSP) providing the benefits of Cloud Computing to hundreds if not thousands of companies and other organizations.  Cyberbunker brags that it will host anything with the exception of child pornography or terrorism-related material.  Also sounds like one of the good guys.

Spamhaus added some of Cyberbunker’s customers’ sites to their blocklist.  Sven Olaf Kamphuis, who claims to be a spokesman for Cyberbunker, said that Spamhaus was abusing its position, and should not be allowed to decide what goes and does not go on the Internet.  Spamhaus has alleged that Cyberbunker, in cooperation with criminal gangs in Eastern Europe and Russia, is behind this distributed denial of service (DDoS) attack.

So, two bullies fighting in an alley; why should we care?  We need to care because this attack is impacting other companies and government agencies, and like poison gas, these kinds of attacks are hard to contain.  By the very nature of the design of the Internet, they easily leak out and impact nearby “innocents,” and everything is “nearby” on the Internet.

Arbor Networks, a US firm that specializes in protecting against DDoS attacks, said it was the biggest attack it had ever seen, three times bigger than the previous largest (in 2010), according to Dan Holden, Arbor Networks’ director of security research.

This attack should raise two concerns:  the attack itself, and the question Cyberbunker asked about who should control content on the Internet.  Countries like China have fairly successfully restricted Internet access inside their country.  Other countries, like the US, routinely monitor the Internet for “restricted words,” potentially scaring people into limiting their own Internet activities.  The US might claim this is part of “protecting the people of the US against terrorist attacks,” but the line between protecting the people and protecting the government (as China is trying to do) is very hard to define.  I would certainly hate to think of anyone like New York Mayor Mike Bloomberg (of large soda drink “fame”) being in charge of what you could do on the Internet.

The last word:

Two things to remember:

  1. In the end, the cannons always win over forts.  No war is won by defense.
  2. “Rules of war” have no value.  No war has ever been won by playing by the rules.  Any nation that insists on playing by the rules will lose when opposed by a force that does not care about rules.

In my view, this war is going very badly.  What do you think?

Comments solicited.

Keep your sense of humor.

Walt.

I received “one of those” letters this week.  An insurance company that provided long term health care insurance for me had “inadvertently emailed a document containing information relating to your insurance relationship with us, including your name, address, date of birth, Social Security number, and salary information, to another individual at” a company I no longer work for.  They went on to indicate that the recipient did the right thing: notified the insurance company plus his own management and deleted the document.  They apologized profusely and indicated they “remain committed to protecting the privacy of personal information.”  They also offered to provide me with two years of an identity theft protection program provided by a reputable third party.

The people I know in that receiving company’s HR department are ethical people.  When they received such a document, I believe they did exactly the right thing.  They are trained in ethics every year, as is everybody in that company, and the company takes business ethics very seriously and makes that fact known to everybody: employees, contractors, and partners.

But I am going to take advantage of that offer.  Not because I’m concerned about identity theft, but to send a strong message to that insurance company.  I already use LifeLock, check one of the free credit reports every four months, and monitor all bank accounts weekly and credit card accounts monthly.  The insurance company already had to air its dirty laundry to several State governments as well as the US federal government, and potentially foreign countries.  They had to determine exactly whose information was compromised.  I know it was not just mine because over 50% of the current and past employees I have talked to have received the same letter.  Primarily, I’m going to add the cost of those two years of protection to the money they have already paid.  As I have mentioned before, the Ponemon Institute reports that the average cost to a company who had a data breach is over $200 per compromised individual.

I can’t fault the insurance company’s response.  They are doing the right thing, and it is costing them real dollars and probably some lost business.  But they did this one to themselves.  It was a stupid mistake – no other word is appropriate.  Not only did an employee do something stupid, and they will periodically do that, but the insurance company did not have the appropriate safeguards in place to prevent or at least flag this data breach before the data left its control.

Over half of the people I have talked to who received the same letter have not worked for the company for years.  All of our insurance terminated the day we left the company.  The insurance company has no responsibility to deal with any of us except under unusual circumstances that would require special processing.  Why is our information merged into the active employee database?

It is still true that the main threat is from the outside.  In the last 12 months there have been many serious data breaches, including the theft, and subsequent posting on the Internet, of over six million passwords for LinkedIn users and over 450,000 passwords for Yahoo users.  Why should you care about the liberation of social media passwords?  Because people tend to be lazy.  If one of your employees had one of those stolen passwords, it is fairly easy for someone to figure out that the employee works for you.  Odds are, your employee uses the same password or a very similar password to access your corporate information (e.g., ends with “2” instead of “3”).  It is a matter of minutes for someone with that information to break into your system and cost you significant loss of money, reputation, or intellectual property.

There are enough evil criminals out there attacking your system and your information; don’t add to the danger by having poorly trained employees, badly written software that fails to check inquiries for reasonableness, or insufficient and ineffective edge protection tools.  These edge protection tools monitor what is actually leaving your site over the Internet and are able to prevent or flag messages with suspicious information in them.
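The kind of outbound check such an edge protection tool performs, written as an added example (not any vendor’s product) against the breach described above: it looks for Social Security numbers in a message and blocks the message when it is also addressed outside the company. The message, addresses and domains are constructed.

```python
"""Outbound-mail check of the kind the post calls an edge protection tool:
flag a message that carries Social Security numbers, and block it when it
is also addressed outside the company. Added example, not any vendor's
product; the message, addresses and domains below are constructed."""
import re

# Candidate SSN: 3, 2 and 4 digits with dashes, spaces or no separator,
# not embedded in a longer digit run (so dates and long IDs do not match).
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Domains that count as "inside"; anything else is leaving the company.
COMPANY_DOMAINS = {"insurer.example"}

# Constructed message modelled on the breach in the post.
SAMPLE_BODY = ("Attached is the coverage summary for J. Doe, "
               "SSN 078-05-1120, DOB 1960-01-01, salary 85,000. "
               "Order ref 000-12-3456 for your records.")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop shapes the SSA never issues (area 000, 666 or 900+, group 00,
    serial 0000); this removes many order numbers and phone fragments."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list:
    """Every plausible SSN in the text, normalised to ddd-dd-dddd."""
    return ["-".join(m.groups()) for m in SSN_CANDIDATE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def recipient_domain(address: str) -> str:
    return address.strip().rsplit("@", 1)[-1].lower()


def check_outbound(body: str, recipients: list, company_domains=COMPANY_DOMAINS):
    """Decide what the edge tool should do with one message.
    Returns (action, reasons): 'block' when SSNs would leave the company,
    'flag' when they stay internal, 'allow' when none are present."""
    ssns = find_ssns(body)
    if not ssns:
        return "allow", []
    reasons = [f"{len(ssns)} SSN(s) in body"]
    external = [r for r in recipients
                if recipient_domain(r) not in company_domains]
    if external:
        reasons.append("external recipient(s): " + ", ".join(external))
        return "block", reasons
    return "flag", reasons


if __name__ == "__main__":
    for rcpts in (["hr@other-company.example"], ["records@insurer.example"]):
        print(rcpts, "->", check_outbound(SAMPLE_BODY, rcpts))
```

A real tool would also inspect attachments and apply the same test to dates of birth and salary fields; the SSN pattern alone still produces some false positives, which is why the plausibility check matters.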

You probably provide annual ethics training to your employees.  You should definitely provide annual security training to your employees, emphasizing their responsibility in protecting your sensitive data and the costs to your company and your customers when they violate your security policy.  Your security policy should be required reading and always available to every employee and contractor, and part of every contract with a partner where any transmission of sensitive data is involved.

The last word:

Speaking of deliberate attacks, a couple of days before I received that letter, my wife received an email indicating we had added a new payer to our E-Z Financial bank account.  (Yep, it had a real bank name you would recognize, but that bank had nothing to do with this so I won’t mention it and use “E-Z Financial” instead.)  The payer name was clearly a name we did not recognize, and it requested we click on a link if we had not done this.  My wife was suspicious for several reasons, primarily because she didn’t know we had an E-Z Financial bank account.

A quick inspection of the email seemed to say this was a real email from E-Z Financial; the link back started out as online.EZFinancial.com, which certainly looks valid.  We do not have an account with them.  But that was not what triggered my concern, since someone could have opened an E-Z Financial account in my name, probably not to give me money.  I went to the bank’s web site and sure enough on their security alert page was an example of this email.  What was wrong with the link was a period instead of a forward slash.  The link was actually

online.EZFinancial.com.73716221993037644.kb5.is-an-account.com /po/index2.php?billerid=702255558758&cancelaction=505875555933249&r=417206213755550114683771584

Please do not try this link in your browser.  I have modified it some, but probably not enough to make the scam fail.

A URL, the “easy to read” address of a web site or page, can be quite long and complex, but is actually fairly simple to take apart.  For example, if you go to Amazon’s web site and click on “Today’s Deals” you end up at

http://www.amazon.com/gp/goldbox/ref=cs_top_nav_gb27

Scan after any leading “http://” to the first forward slash “/”.  Then scan back past the previous period and then back to the beginning or next period to get the domain name.  In this case the domain name is “amazon.com.”  That is the web site.  Everything after that first slash just means a particular page perhaps with parameters on the web site (“gp/goldbox” is a particular page on amazon.com, and “ref=cs_top_nav_gb27” is a parameter passed to that page).

On the scam link, the domain name is not “EZFinancial.com” but “is-an-account.com.”  The stuff before that is called a subdomain, but is owned by “is-an-account.com,” not “EZFinancial.com.”   I tend to be suspicious of strange domain names.
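The take-apart procedure above, as an added example (not code from the original post): skip the scheme, cut at the first slash, and read the domain from the right-hand end of the host. The two URLs are the ones quoted in the post, the scam link with its stray space removed; the short suffix set is an assumption that stands in for the Public Suffix List browsers use.

```python
"""Take a URL apart the way the post describes: skip any leading scheme,
keep everything up to the first "/" as the host, then read the domain
as the last labels of that host. Added example; the two URLs are the
ones quoted in the post, the scam link with its stray space removed."""

AMAZON_URL = "http://www.amazon.com/gp/goldbox/ref=cs_top_nav_gb27"
SCAM_URL = ("online.EZFinancial.com.73716221993037644.kb5.is-an-account.com"
            "/po/index2.php?billerid=702255558758&cancelaction=505875555933249"
            "&r=417206213755550114683771584")

# The post's "last two labels" rule misreads country suffixes such as
# "co.uk" (it would call amazon.co.uk "co.uk"). Browsers consult the full
# Public Suffix List; this partial set is enough to show the adjustment.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def host_of(url: str) -> str:
    """Everything after an optional 'scheme://' and before the first '/'."""
    url = url.strip()
    if "://" in url:
        url = url.split("://", 1)[1]
    host = url.split("/", 1)[0]
    # user@ prefixes and :port are not part of the name; the post's method
    # does not mention them, so strip them here for robustness.
    host = host.rsplit("@", 1)[-1].split(":", 1)[0]
    return host.lower()


def domain_of(url: str) -> str:
    """The registered domain: who actually owns the site you would reach."""
    labels = host_of(url).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonates(url: str, trusted_domain: str) -> bool:
    """True when a trusted name appears in the host as a subdomain but the
    registered domain is someone else's: the scam link's trick."""
    trusted = trusted_domain.lower()
    return trusted in host_of(url) and domain_of(url) != trusted


if __name__ == "__main__":
    for url in (AMAZON_URL, SCAM_URL):
        print(f"{domain_of(url):20} <- {host_of(url)}")
    print("scam link impersonates EZFinancial.com:",
          impersonates(SCAM_URL, "EZFinancial.com"))
```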

When you go to a web page, it is a good thing to look up in the URL window at the top of your browser and see where it really is.  Some browsers, like Firefox, actually highlight the domain name for you just for this reason.  If it isn’t what you think it should be, close the browser window, make sure your virus-checking software is up to date, and do a full scan of your system.

Comments solicited.

Keep your sense of humor.

Walt.

I Saw Lincoln

(This is another special posting by Suzy. I hope you enjoy it.)

“Sit down by me and listen, child.  The weather is nasty, and your Mother is well enough not to need you for a bit.  So, sit with me awhile.  I want you to know what I saw on a fall day just like this one.  Someday it will be important that you know.”  He was thinking of when he had been a young man, recently back from his war, and newly married to his Sally.  His fingers rubbed the arm of his rocker where he now spent most of his days.  He had worn the finish away and grooves were forming where his fingers kept traveling.  He had heard this youngest grandchild tell her brother that he looked like Santa Claus.  Well, all of his hair was white now, and his beard soft and hanging down his chest.  So much had changed.  He had had six children.  His darling Sally had been gone more than twenty years now.  He couldn’t do the farm chores any more so his son ran the farm for him.

“I’m going to start my story in November of 18 and 63, when I was 28, your grandmother and I had just married. It was after the harvest.  First one I’d been home to help with after going to Mr. Lincoln’s War. We heard that the cemetery for the boys who had died at Gettysburg was to be dedicated on the 19th.  Since we had family along the way, we decided to be there for the dedication. My sister, Sarah, and her husband and children lived in Rogues Harbor.  We took the train to Ligonier where A.J. met us and drove us to their farm.  Sarah always had a whip for a tongue.  She told me I was uncaring for not having visited sooner.  She had married five years earlier, moved southeast of Pittsburgh with A.J. and then President Lincoln’s War had come.  I had joined the 134th Pennsylvania Volunteers, and been voted Sergeant, so kept the Company records.  After my Company was disbanded and we had gone home, it was time I was married, and I didn’t know how much longer my Sally would wait. I did know that there would be time enough for visiting after the harvest and the wedding.  We’d been married on Wednesday the fourth. Sister had not been able to come home for the wedding and was eager for news of our father. Her husband, A.J., was as fine a fellow as you could know.  He kept telling me how I needed to stay a farmer.  It would be a secure life for us and any family we might have.  They were a good-looking couple, even though at thirty the hard work of being a farmer’s wife with three young daughters was beginning to wear on her.  My Sally loved Sarah’s little girls and wanted a family of her own as soon as we could.  We went to church with them on Sunday.  Monday afternoon we got on the train and rode to Gettysburg.  There we stayed with Aunt Meg, who had been recently widowed.  Her mother had come to live with her and the children.  They had taken in a boarder after Uncle Will died.  He was one of the men helping with the reburials for the new cemetery.  When Gen. Meade left after the battle at Gettysburg that July, he had not taken the time to see the dead buried.  In the heat the bodies began to swell and rot.  Aunt Meg said that the stink had been terrible.  Young Will, then 8, said that he and some of his friends had gone to the battlefield and seen some of the bodies explode.  Some in town began to sicken.  The town’s folk hurriedly buried the bodies.  Those on our side and Rebs, too, just to get them covered.  Mr. David Wills, the biggest banker in all of Gettysburg, went up to Harrisburg to see Governor Curtin.  After he understood how serious the problem was, Governor Curtin set up a commission to raise money to buy land for the cemetery and cleanse the bloody field.  Body by body they took the dead from their graves to identify each of them so they could be reburied with others from the State from which they hailed.  It was grim and dirty work.  That is what Aunt Meg’s boarder had been doing.  Mr. Wills had wanted it done by October so that the cemetery could be dedicated and open as a memorial before the freeze.  He had asked Mr. Edward Everett, a scholar and well known orator, to give the Dedication Address.  Mr. Everett had a reputation as an impressive speaker with a fine and sonorous voice.  He had told Mr. Wills that he would need more time to write a speech appropriate to such a solemn occasion.  The date of 19th of November, a Thursday, had been chosen.  President Lincoln had been asked if he could come and add a few words after Mr. Everett’s address.

“All week the weather was glorious.  We had had a freeze, but the ground wasn’t solid yet.  The trees had given up most of their leaves. Some of the oaks still held onto leaves that had gone all dry and brown.  The air smelled clean.  Our cousins told us it was much improved over the last several months.  Sally and I were ever so glad that we could stay with family as more and more people kept arriving in town.  Gettysburg was about as big as New Castle so had plenty of shops.  On Wednesday, Sally said that she wanted to see them and Cousins Nan and Peggy thought it would be a lark to show them to her.  I, of course, was to be their gentleman escort. The war was still going on and though there were no armies in the area, many dignitaries were coming in for the ceremony.  Who knew whom the Rebs had sent to cause havoc during such an event.  As we approached the shops the sidewalks became more and more crowded.  Women of the town were doing the errands that were the day-in and day-out of their existence.  There were many important looking carriages rushing through the streets.  We saw a few soldiers and many policemen, mostly standing in small groups while they talked and watched.  Then, there were the men and boys who had been to the war.  You could pick them out by the way they walked and dressed, and many by their grievous wounds.  That afternoon it began to rain lightly so we returned to the house.

“Thursday morning it was still very damp and warm enough to keep the fog hugging the fields and trees.  The rain had stopped, but the sun was playing peek-a-boo from behind the clouds that lingered.  Mr. Lincoln had arrived the evening before and a crowd was gathering in town to walk with him to the gathering.  We did not wait for them, but found our way to the field to pick a place where we would be able to see the platform and hear all of the speakers.  We heard the crowd before we saw them.  Aunt Meg’s boarder was with us. Soon the crowd was all around us, like the tall wheat in the field just before harvest. Mr. Lincoln arrived on a horse and took his place on a chair at the center of the stage.  He was a very tall man.  Seemed to hang over his horse with his feet below the animal’s belly.  He was still wearing a black ribbon around his hat for the death of his son.  He did not seem very good himself, but looked pale and tired.  Just as the band began to play to start the Ceremony the sun came out and began to warm us.

“Mr. Everett began to speak with great dignity.  His voice rolled over the crowd and his hands punctuated his words.  For two hours he held us in his thrall.  We all applauded and many cheered when he finished.  Mr. Lincoln rose, they shook hands, Mr. Everett sat, but as Mr. Lincoln turned to the front the band began to play, so Mr. Lincoln sat again.  After the hymn someone shouted:  The President of the United States.  You could hear a rustling in the crowd as we all prepared to hear another speech. Then there was a hush that fell over everyone and Mr. Lincoln put on his glasses then began.  He had a high thin voice and sounded like he came from the back woods.  His words, though, were clear and sounded as if he were a preacher.  After all the years where people were arguing about why we should or should not fight, after all the pages of newsprint, after so many had been wounded or killed, Mr. Lincoln told us simply why we had fought, still fought this horrible war.  We could all see that Mr. Lincoln suffered the same hurts this War had brought to all of us.  He spoke of the heroism of the soldiers having made the ground we were on sacred.  A few began to clap.  Others hushed them so as not to interrupt the President.  As he came to his conclusion his voice became louder and more commanding:

we here highly resolve that these dead shall not have died in vain—that this nation, under God, shall have a new birth of freedom—and that government of the people, by the people, for the people, shall not perish from the earth.

“Then he was done.  He sat down.  The crowd began to applaud.  It had not been three minutes that he spoke, but we were all as moved by his words in that short time, as we had been by the whole two hours we had listened to Mr. Everett.  We gave cheers for the president and for the Governor.  As we began to quiet the choir sang the dirge and then a Benediction was said over the crowd and we went our ways speaking in hushed voices as if we had just left Church.  It was about four in the afternoon.

“We spent another day with Aunt Meg and her family before returning home to begin our life here.  The cemetery was not done when we left.  Aunt Meg’s boarder told us that they were only about half way through unburying, identifying, and reburying the dead, but would soon stop until the spring.  I hear that every once in a while, even now more than sixty years later, a farmer will find more of those poor boys when he plows his fields in the spring.  Then their bones will be taken to the cemetery to be with the others.

“No, I won’t be taken there.  My battle was Fredericksburg in Virginia and Uncle John was at Vicksburg in Mississippi, which happened the same days as Gettysburg.  We will both stay here, on the south corner of the farm, near the road where the sun shines.  Yes, child, I am finished and you may go.  But, someday, remember that I saw Mr. Lincoln.”

The last word:

My Great Grandpa, c 1910

Around 1560, an Italian couple, Simonio and Lyndiana Bernacotti, made the first modern wood-encased carpentry pencil.  Benjamin Franklin advertised pencils for sale in his Pennsylvania Gazette in 1729.  But making pencils was painstakingly slow, and thus pencils were very expensive.  However, by 1850 the manufacturing process was automated; erasers first appeared in 1858.  By the start of the US Civil War (“Lincoln’s War”), pencils were cheap and common.  With the high literacy rate in the US at the time, the Civil War became the first war where the common soldier could write letters, and the War Department and Post Office Department made sure that the mail got through to the soldiers, often in only weeks.

This story is fiction, but it is based on family stories and about three dozen letters written in pencil from my Great Grandpa and his brothers in the Army to and from the family back in New Castle, Pennsylvania.  We also have Great Grandpa’s Civil War Journal.  Suzy spent many months transcribing 130-year-old letters written in pencil on, by then, crumbling paper.  Spelling was not high on their priority list, with at least three different spellings of their last name.  But it makes fascinating first-person reading.

Oh, and the “youngest grandchild” was my Mother.

Comments solicited.

Keep your sense of humor.

Walt.
