No matter what you think about Hillary Rodham Clinton’s past accomplishments and future potential, she has provided us an example of bad behavior that can be a learning experience for all of us.

To remove the positive or negative association of Madam Secretary Clinton, I will use “Anne Chamberlain” as the name of a potential employee of your company. Anne held a very high position in your company for many years, with intimate access to your most sensitive proprietary and confidential information including product plans, marketing strategies, competitive analysis, and your internal decision making processes. After she resigned from your company, you find out that the entire time she held this high position she was using her personal email account for most of her business emails, both within your company and with customers, partners, and even competitors. She used her own personal servers under her own physical control to manage and handle that email account. The result is that you have no access to any of those emails she sent or received.

When your CSO (Chief Security Officer) approached Anne, she said it was more convenient for her to use her own smart phone and her own email account. Her final response was “What difference at this point does it make?”

It makes a big difference.

While your company does permit BYOD (Bring Your Own Devices) to be used for both personal and business purposes, you do have strict security and data life cycle management policies. Your Life Cycle Management policy covers the rules about the creation, update, storage and destruction of all corporate records, including emails. These policies protect your company by enabling it to quickly and accurately find information to meet compliance, tax and other governmental requirements, efficiently run your business, manage contractual obligations, and respond to court discovery orders. Since you have no record of Anne’s emails, either sent or received, you will not be able to include them in support of any such activity. Since Anne has refused to allow your IT department access to her personal servers, if a court ever found out that she was storing required documents on those servers relevant to some court or government request, the court could confiscate and search the servers. Since Anne’s servers are probably not following your data life cycle management policies, there are likely emails on that server which should have been deleted that may now be publicly exposed as a result of the court action.

You also have a concern about the security of Anne’s emails. You have seen some reports that surmise that her server was hacked, perhaps by a foreign cybercriminal group, and that some of her emails may have been sold to your competitors. Again because you have no access to her servers, you have no way to determine if they were hacked and what, if any, damage it may have caused. You do know that her servers were not maintained to the same security levels as your own email servers.

Anne has promised to give you all of her business-oriented emails. Since there are thousands of these emails, you are concerned about how long it will take her to complete what is to her a low priority task. Worse, she is deciding what is a business-oriented email. While she may get 95% of it right, she will likely miss some emails that may be critical to your company later. A court may decide that you failed to disclose some emails and your company, not Anne, will face the consequences of that.

What do you do?

You really can’t outlaw personal devices for business use. It won’t happen; your employees and contractors, and probably you too, are really dependent on smart phones and tablets. Providing a corporate device is expensive and, like Anne, most people do not want to carry two devices that perform the same functions. But you can require some fairly simple procedures:

  1. Require all business-related emails to be done on your corporate email account. It is really easy to set up a second email account on a smart phone or tablet. On my iPhone and iPad I have a personal email account, my own company’s account, and separate accounts for each company I am working with at any time.
  2. Require that your company’s email account have your approved email signature block on each outgoing email. Again, it is easy to set up a separate signature for each email account on a device, including logos and the “fine print.” If you have a very complex corporate signature block, your IT department can set up a single image for the majority of the signature area and provide simple instructions for the common smart phone environments. If nothing else, this provides a clear signal to the person writing the email that they have the correct email account.
  3. Require that all outgoing emails on your corporate account are automatically forwarded to the employee’s corporate account. This ensures that you have a copy of all of those sent emails. In general this also makes it easier for the employee; they don’t have some outgoing emails on their tablet, some on their desktop, and some on their smart phone.
  4. Require that all emails be deleted from personal devices after a relatively short period, probably thirty days. They are still available to the employee through your email server, but it is one less place you need to search for necessary documents and it reduces the possible loss if a personal device is lost or stolen.
  5. Update your security and life cycle management policies to include personal devices.
  6. Include a section on the importance of protecting and managing company data and your email policy in your new employee orientation, and as part of your annual training session on security and ethics.
  7. Why did no one notice and report Anne’s behavior? Everybody should be looking for internal emails that come from an employee’s personal account. The easy thing to notice is that the signature block is “Sent from my iPhone” instead of your corporate signature. It is also easy to note that the sending email is from Anne.Chamberlain@me.com.
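
The check described in item 7 can be automated against messages seen by your mail gateway or held in an archive export. The following Python is an added example, not part of the original post; the corporate domain `example.com`, the one-name employee directory and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

CORPORATE_DOMAIN = "example.com"      # assumption: your corporate mail domain
EMPLOYEES = {"anne chamberlain"}      # assumption: names exported from your directory
DEVICE_SIGNATURE = re.compile(r"^\s*Sent from my \w+", re.IGNORECASE | re.MULTILINE)

PERSONAL_ACCOUNT = "employee name on a non-corporate sender address"
DEFAULT_SIGNATURE = "default device signature instead of the corporate block"


def normalise(text):
    """Map 'Anne.Chamberlain' and 'Anne Chamberlain' to 'anne chamberlain'."""
    return " ".join(re.findall(r"[a-z]+", text.lower()))


def addresses(msg, *headers):
    """Collect every parsed address from the named headers."""
    found = []
    for header in headers:
        for value in msg.get_all(header, []):
            found.extend(value.addresses)
    return found


def review_message(raw):
    """Return the reasons a message deserves a second look (empty list if none)."""
    msg = message_from_string(raw, policy=policy.default)
    senders = addresses(msg, "From")
    if not senders:
        return []
    sender = senders[0]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    device_sig = bool(DEVICE_SIGNATURE.search(text))

    if sender.domain.lower() == CORPORATE_DOMAIN:
        # Right account, but the body carries a device default signature (item 2).
        return [DEFAULT_SIGNATURE] if device_sig else []

    # A name match is a triage signal, not proof: a customer can share a name.
    looks_like_employee = (normalise(sender.display_name) in EMPLOYEES
                           or normalise(sender.username) in EMPLOYEES)
    internal = any(a.domain.lower() == CORPORATE_DOMAIN
                   for a in addresses(msg, "To", "Cc"))
    if not (looks_like_employee and internal):
        return []   # customers and partners may use any signature they like
    reasons = [PERSONAL_ACCOUNT]
    if device_sig:
        reasons.append(DEFAULT_SIGNATURE)
    return reasons


def _message(sender, to, body):
    """Build a constructed sample message; none of these are real mail."""
    return f"From: {sender}\nTo: {to}\nSubject: Q3 product plan\n\n{body}\n"


SAMPLES = {
    "personal": _message("Anne Chamberlain <Anne.Chamberlain@me.com>",
                         "cfo@example.com",
                         "Numbers attached.\n\nSent from my iPhone"),
    "personal_bare": _message("Anne.Chamberlain@me.com",
                              "cfo@example.com",
                              "Numbers attached."),
    "corporate_ok": _message("Anne Chamberlain <anne.chamberlain@example.com>",
                             "cfo@example.com",
                             "Numbers attached.\n\nAnne Chamberlain\nExample Corp"),
    "corporate_device_sig": _message("Anne Chamberlain <anne.chamberlain@example.com>",
                                     "cfo@example.com",
                                     "Numbers attached.\n\nSent from my iPad"),
    "customer": _message("Pat Rivera <pat@customer.example>",
                         "sales@example.com",
                         "Please send a quote.\n\nSent from my iPhone"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22} {review_message(raw) or 'ok'}")
```
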

This stuff is, unfortunately, important. Email is one of the main vectors for cyber attacks. In today’s environment, most corporate communication is done through email. If you lose control of your email traffic you have lost control of your company.

The last word:

The US Federal Records Act at the time Madam Secretary Clinton served as Secretary of State did not categorically prohibit federal government officials from using personal email accounts. The Act applies to all federal agency employees who are not within the White House itself and requires the comprehensive documentation of the conduct of official business by regulating the creation, preservation and disposition of agency records. If an employee used her personal email account, she was required to forward that communication into her agency’s official records system. Secretary Clinton could have done that by having her personal device automatically forward all outgoing emails to her US DOS email account, and having her personal server forward all incoming emails to her US DOS email account. She did neither.

By coincidence, Anne Chamberlain was the name of the wife of Neville Chamberlain, Prime Minister of the United Kingdom from May 1937 to May 1940. Prime Minister Chamberlain’s reputation is largely damaged by negotiating with Adolf Hitler to sign the Munich Agreement, and for failing to prepare his country for war. The Munich Agreement permitted Nazi Germany’s annexation of portions of Czechoslovakia, although, strangely enough, the Czechoslovakia government was not invited to the negotiations. The majority of inhabitants of these areas were German-speakers, so it is clearly logical that Germany should take over their control.

An argument someone else may be using today.

Comments solicited

Keep your sense of humor.

Walt.

Windows Server 2003 (WS2003) was first released in, surprise, 2003. It replaced Windows Server 2000. Microsoft has released several derivatives including Windows Compute Cluster Server 2003, Windows Storage Server 2003, Windows Small Business Server 2003, Windows Home Server, and Windows Server 2003 for Embedded Systems.

WS2003 mainstream support ended in July 2010. On July 14, 2015, Microsoft will officially end extended support for WS2003. Microsoft will not release any updates, including security updates or patches, after this date.  At that point you can pay Microsoft for security fixes for WS2003, but it is very expensive and not delivered promptly. Most antivirus solutions will not be supported on WS2003 after 7/14/2015 meaning that there will be no signature updates for new vulnerabilities. Considering the rate at which new malware opportunities are discovered in all flavors of Windows platforms, any WS2003 systems you have in production will quickly become vulnerable. As one data point, there were 37 critical updates for WS2003 in 2013, 10 years after the product’s release. WS2003 will not pass any further security or compliance audits. Expect stiffer fines and other penalties if you experience a data breach where a WS2003 system is part of the application environment.

This should not be a surprise. Microsoft has published its support policy and product end of life chart on its web site for over ten years. There are a lot of servers still running WS2003 out there. A Microsoft survey in January 2014 showed about 22 million WS2003 systems in use. A large number of those are in small and medium sized businesses. Many of these SMB companies do not have large IT staffs or budget to make any kind of a migration.   There are probably at least 10 million WS2003 systems still in use today. Even many Fortune 500 companies are still dependent on WS2003, and most will not have migrated by the deadline, especially as it seems to take about six months to make the migration off WS2003.

Microsoft introduced Windows Server 2008 in 2008 as the successor product to WS2003. However, Windows Server 2008 is not the best destination for your WS2003 systems. Microsoft will end mainstream support for Windows Server 2008 on the same day that it ends all support for Windows Server 2003, July 14, 2015, while extended support ends in January 2020. If you need to move off Windows Server 2003 in any of its flavors, you are better served to jump to Windows Server 2012. Windows Server 2012 was generally available in September 2012 and released R2 in October 2013. Mainstream support for Windows Server 2012 is scheduled to run until January 2018.

Microsoft provides assistance. Perhaps as an indication of their sense of urgency, the first thing you see on that Microsoft page is a count down clock telling you, down to the second, how long you have. Microsoft is, not surprisingly, pushing migration of your WS2003 servers to the cloud powered by Microsoft Azure. In some cases, that may make sense, but only if you want to make a significant change in your operations and procedures. Moving to the Cloud should be a business decision, not a technology decision. Like a lot of things involving cloud computing, the end point is often a better place to be, but getting there under a deadline can be risky. You should at least look at the material Microsoft provides to help in discovering which of your applications and workloads are running on WS2003, assess those applications and workloads by type, importance, and complexity, and choose a migration destination for each. For some of those workloads and applications, moving them to the Cloud may be the easier and less risky solution.

Your IT department probably has some good reasons for not migrating:

  • Your current server hardware may not support Windows Server 2012.
  • Some of your mission-critical applications may not be supported on Windows Server 2012.
  • You do not have sufficient financial or IT resources to make the migration while simultaneously keeping your IT environment running.
  • Unfamiliarity with Windows Server 2012.

The second may be the most serious, and may take the longest to fix. In the worst case, you may need to migrate to a different application.

In the meantime you may be able to mitigate some of the risk by restricting access to your WS2003 servers. Products like the Unisys Stealth Solution may help. It can completely isolate your WS2003 systems from the outside world, allowing communication only from the specific systems and users you permit. Since the protection is based on user identity, not specific network location or device identity, the rights of an individual change automatically when their role changes. As Unisys says, “You can’t hack what you can’t see.”

If you do not have the resources, get help. There are many companies out there with experience in migrating off WS2003. You do not have to go it alone.

The last word:

Windows Server 2003 is potentially as serious a security problem as Windows XP. Hopefully you are well past getting rid of that OS from your entire IT environment as have all of your business partners who share any proprietary, financial or customer protected data.

If you are running Windows Server 2008 systems, you should start planning to move them to Windows Server 2012.

The keys to a successful operating system migration are planning and testing. These exercises can feel like a huge drain on your resources, and each migration can itself cause new problems. But you have to do it; you cannot afford to be vulnerable.

Comments solicited.

Keep your sense of humor.

Walt.

New Shoes

(This is another special posting by Suzy. I hope you enjoy it.)

Today Mother was taking her to get a new pair of shoes. She was a petite, fine boned girl who looked younger than her seven years. Mother kept her hair in a short bob with deep bangs framing her ocean blue eyes that today were sparkling with excitement.   A new pair of shoes was a very important event. Her feet were very narrow so that her shoes had to be specially ordered, making them expensive, and her family didn’t have much money.   Her father had a job, but was often sick so there were many payless weeks. Today Mother and Lois would take the trolley to 69th Street to get her shoes, then the subway and el to visit with Aunt Louise so she was wearing her good navy blue dress and a fluffy sweater MomKate had knit.   She slipped on the coat her mother had made and put the muff string under her collar. She liked her muff on these very cold days. It looked like a drum made of bunny fur, open on both ends so that when she put her hands in the muff, the cuffs of her coat sealed the ends from all the cold. She twirled around to show how pretty she looked. Well, except for the very worn shoes, but she would have her new ones soon.

They walked a block down to the Pike then several blocks to the trolley station. She kept dancing around on the platform, which annoyed Mother who thought she should stand still, but the cold was coming up through the cement and into her shoes. Her feet were too cold to stand still. When the trolley arrived Mother gave her little help up to the first step. They moved to the middle of the car. Most of the seats were still empty because this was only the second stop. They chose a bench and sat facing the direction they were going. Mother didn’t like to ride backwards. She got to sit next to the window where she could brace her feet on a small ledge while watching the houses go by. The closer they got to 69th Street the fuller the car became until there was only one seat left. Mother made Lois take her hand when they got to the Station because there were so many people, some going to other trains or trolleys or out to the shops like they were. They crossed the street and walked half way up the hill to Mother’s favorite store, Lit Brothers, where they had ordered her shoes. As soon as they got inside, Mother almost dragged Lois through the first floor to the shoe department. Mother was in a hurry so that they could catch the next subway train and have as much time as possible with Aunt Louise. The clerk brought out the box and carefully unwrapped the shoes. Nestled inside the tissue paper was a dark brown pair of maryjanes. Lois hopped up on the chair and the clerk sat on the special stool in front of her. After removing her worn, right shoe he gently slid the new shoe onto her foot and asked how it felt. It was so pretty with a bit of room for her toes to grow, but the side of the shoe hugged her foot around the arch and heel. He repeated with the left shoe and helped her off the chair to walk a short way to confirm the shoes fit well. Both Mother and the clerk pushed down on the tip of the toe to be sure that there was some grow room. 
Lois was all smiles as she looked at her feet in the mirror to see how pretty the new shoes were. Mother pronounced herself satisfied, paid the clerk, and they left. Lois carefully watched where she put her feet. There would be no scuffmarks on these shoes or dark spots from stepping into something on the sidewalk.

They just made it to the subway and seated themselves when it began to move. They were looking forward to seeing Aunt Louise, who wasn’t really her aunt, but her godmother. Her mother and Aunt Louise had lived on 2 Street and gone to school together. They and their husbands had dated as a foursome before both men had gone to the Great War. When the men came home Aunt Louise had married Uncle Ed and moved northward in the city. Mother, Katherine, had married Ted, and they found a house in a southwestern suburb. The foursome still enjoyed each other’s company and got together whenever they could, which was less often than Mother and Aunt Louise would have liked. Lois always liked to be with Aunt Louise with her constant smile and jolly laugh. Everything at Aunt Louise’s house seemed to be fun while her own home was more serious, especially when her father was sick, which he was more and more often. The only problem at Aunt Louise’s house was Jimmy, her son. He was three months older than she and believed that meant he could decide what they would do when they played together. He was always teasing her about something, often until she wanted to cry. But she would never give him that satisfaction.

The warmth of Aunt Louise’s kitchen was welcoming after the walk from the bus stop in the cold wind. The aroma of the hot lunch Aunt Louise had made drew them in as well. First thing Lois did was to pirouette before Aunt Louise to show off her new shoes. Aunt Louise liked them a lot, which pleased Lois. As soon as the tea was ready they all sat at the kitchen table. Aunt Louise always made her feel so grown up. Today she had made a cup of half hot tea and half warm milk and sugar. Lois sat up straight and tall the way Mother liked and tried not to make any crumbs. Jimmy seemed to be eating as fast as he could and urged her to hurry. He had made plans to go ice-skating and didn’t want to make his friends wait. Aunt Louise said how Jimmy should take Lois with him, to which he made a face. Lois tried to beg off. After all, she hadn’t brought skates nor was she dressed for skating. Actually, she didn’t own any skates and she was dressed for visiting not playing. Aunt Louise would have none of it. She insisted that Jimmy take her with him and even had a spare pair of clamp on ice skates Lois could use. It would also give the two mothers a chance to visit without the noise of the children. Aunt Louise found an old pair of Jimmy’s trousers for Lois to slip on under her dress. The mothers made sure that the children were all bundled up and shooed them out the door.

Jimmy took off at a run to get to the corner where he told the other kids he would meet them. Lois had to run to keep up. It was an up hill walk to the pond. They all put their skates on and Jimmy took the time to be sure that Lois had hers on properly. The others had skated before and raced all around the edge. Lois gingerly skated in little circles as she learned to balance and turn, speed up and slow down to a stop. Soon she began to feel comfortable and began skating in larger and larger circles. By then the others were just about back to where they had started and began yelling at her. She couldn’t make out what they were saying, but she knew she was getting better and skating more surely. Then she felt as much as heard a cracking sound and there was nothing under her feet. Everything was dark and murky. Next thing she could see was a hand, then an arm, and Jimmy’s face. He was urging her to grab his hand. The other kids had his feet. All the clothes had trapped enough air that she had a little buoyancy. That would soon disappear as her clothes absorbed the cold water. She stretched as hard as she could and managed to reach Jimmy’s hand.

Soon she was free of the water and on the ground next to the pond. Two sets of hands were removing the ice skates. Then they were pushing her up and telling her to run. She didn’t want to run. All she wanted was to get rid of the wet clothes and get warm. They were all shouting at her so she began to edge away. Jimmy began pushing her. Turning she tried to get away from all the shouting and pushing. She couldn’t run fast enough to escape. Jimmy kept pushing. She tripped and fell, so he began to roll her down the hill. The snow stuck to her wet clothes till she began to look like a snowman. When they needed to cross the street several sets of hands pulled her up and shoved her across. Then they began to chase and shove her again. Jimmy was shouting for Aunt Louise before he even opened the back gate. As they reached the porch Aunt Louise and Mother had appeared at the kitchen door.

They grabbed her. Mother began pulling off her wet clothes while Aunt Louise ran for towels. As the big warm fluffy towels were wrapped around her she saw her pretty new shoes were now all wet, stained, and wrinkled. All she could do was cry because she knew they would never be pretty again. Jimmy kept telling her to stop bawling while he stuffed her shoes with newspaper. She seemed to be the only one upset about the once pretty pair of maryjanes. Both mothers were busy praising Jimmy for getting her back so quickly and it was all his fault. He was the reason they had been ice-skating, that she had fallen through to the cold water that soaked her beautiful new shoes. He was the one who had pushed, shoved, and rolled her all the way back to Aunt Louise’s house. And here she was crying in front of Jimmy. What had begun as a joyfully entertaining day was now in ruins as were her lovely new shoes.

The last word:

This story is part of Suzy’s family lore. The girl Lois is Suzy’s mother, and Lois and Jim married in 1942, literally the night before he left to fly off US Navy aircraft carriers in the Pacific Theater. These pictures are from approximately the time of the story.

Comments solicited.

Keep your sense of humor.

Walt.

The world is fair; it just is not centered on you or your company. My last blog discussed yet another company who failed to protect their customers’ data and who faces a serious loss of reputation and expensive fines. The Identity Theft Resource Center reported 783 data breaches in 2014, up 27.5% over 2013. These are just the major breaches that get reported in the media or required notification to government agencies. In most cases these breaches involved exposure of information that increased the risk of identity theft to the company’s customers. The Ponemon Institute estimates the cost to a company of such a breach averages over $200 per lost record, plus any government or compliance fines. In January, Experian reported that almost half of the companies they surveyed reported at least one security incident in 2014. Cybercriminals and cyber-terrorists stole slightly over one billion records in 2014. I expect the 2015 number to be substantially higher.

As I have reported before, most of these attacks target known vulnerabilities. As anti-malware software keeps getting better, almost 80% of vulnerabilities have patches available on the day of disclosure. The obvious question is, “Why are so many companies still getting successfully attacked?” The answer varies from “We do not really care” to “It is hard.” Customer abandonment will eventually fix the first group of companies. For the rest, it is hard. It is hard to keep up with all of the patches and sometimes even harder to keep track of where everything is in your IT environment, especially as you move to the Cloud. It is hard to schedule the time to do the updates without impacting your customers or your internal operations. Sometimes the internal IT structure interferes with different organizations having seemingly contradictory priorities: “keep us up” vs. “keep us secure” vs. “reduce IT costs.” Target fell into this bind, and is still paying for that mistake.

The primary reason the attacks that make the news are so large, impacting millions of people, is that companies are very slow to actually detect that they are being attacked, and then to do something about it. On average, it is taking companies six to nine months from the time malware is introduced into their IT environment until they have resolved the problem.

I had the privilege of talking to a couple of BMC executives in advance of their February 25, 2015, announcement of a new joint platform called the Intelligent Compliance Solution. Intelligent Compliance merges the security capabilities of Qualys into the remediation and operations management software provided by BMC. The result makes staying secure much easier and provides timely warnings of vulnerabilities and policy violations.

BMC is an American company incorporated in 1980. Its name is not an acronym, but simply the first letter of the three founders’ last names: Scott Boulette, John Moores and Dan Cloer. Today it is a $2 billion company with about 6,000 employees specializing in transforming the IT digital enterprise. BMC products and services support about 20,000 companies and address six principles of digital transformation: an intuitive user experience, actionable intelligence, adaptive automation, optimized infrastructure and cost, agile applications, and compliance and risk mitigation.

Qualys is an American company founded in 1999 that provides cloud security, compliance and related services to about 7,700 companies. The Qualys tag line is “Continuous Security in a Unified Cloud Solution.” Gartner Group has given Qualys a “Strong Positive” rating for these services for the past five years.

At the high level, what this partnership provides is the security scanning of Qualys feeding vulnerability information to BMC, where the vulnerabilities are matched with the appropriate software patches for automated remediation.

The bottom line:

  • Reduce the window of vulnerability by reducing time from detection to resolution.
  • Improve IT operations performance by correctly applying the appropriate patches automatically with minimal or no impact to customers.

Morningstar Inc. was an early user of the result. Michael Allen, Morningstar Information Security Officer, said, “With Intelligent Compliance we now have an integrated solution to automate our information security processes, greatly reducing time and cost.” Intelligent Compliance benefits reported by Morningstar include:

  • Reduced audit risk by decreasing configuration compliance audit cycle time from two months to five days.
  • Reduced audit and patch time by 97%.
  • Reduced compliance audit time from five days to twelve minutes per system.
  • Provided 100% SOX compliance.

Intelligent Compliance moves towards a concept of continuous audit. Instead of doing an audit every year or every quarter, Intelligent Compliance is auditing constantly, reporting vulnerabilities and security policy violations. It leaves audit trails so you know who did what where, and you can prove it when the actual auditors arrive for a formal audit or you need to do forensics.

The last word:

Both BMC and Qualys have historically used partnerships to expand their market and capabilities, so it seems, at least in retrospect, obvious that they would consider bringing the security scanning and monitoring capabilities of Qualys to the business service management of BMC products and services.

This solution will not protect you from every cyber attack, but it should significantly reduce your risk and free up some of your IT staff to work on additional security issues plus work on enhancing IT to better support your business.

Comments solicited.

Keep your sense of humor.

Walt.

Anthem Mayhem

Once again a company that we trust with our health and personal information has betrayed that trust. Cybercriminals were able to hack into an Anthem database that contained up to 80 million records of current and former customers and company employees. The information now in the hands of criminals includes names, Social Security numbers, birthdays, postal and email addresses, and employment information including income data.

Anthem stated that no credit card or medical information was compromised, but the information that was stolen is sufficient to launch successful identity theft attacks against every one of the tens of millions of compromised individuals.

Anthem noted the intrusion on January 29, but analysis of the cybercriminal infrastructure likely used suggests that the attackers first gained a foothold into Anthem’s servers in April 2014, nine months before Anthem noticed the attack. One link in the chain of establishing the malware at Anthem went through China. Whether that is a significant fact is unknown at this time. Anthem immediately notified the FBI.

Since admitting the attack, Anthem has been sharing information about the attack including IOCs (indicators of compromise) with HITRUST, the Health Information Trust Alliance, and NH-ISAC, the National Health Information Sharing and Analysis Center. These groups disseminate information about cyber threats to the healthcare industry. So far, these IOCs have not been discovered by other health care organizations. It appears that this attack was focused against Anthem.

Clearly, Anthem is not paying attention to the security of their customers’ data. None of this data was encrypted. Anthem has contracted with Mandiant, a cybersecurity firm, to evaluate their security systems and identify solutions. Seems to me they are a year late with this kind of analysis.

The brands impacted by this breach: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, and Healthlink. It can also impact anyone holding a BlueCard. A BlueCard enables members of one Blue Cross / Blue Shield plan to obtain healthcare services while traveling or living in another service area. Blue Cross / Blue Shield Federal Employee Programs are also impacted. This information is linked through a single electronic network throughout the US and 200 other countries and territories.

What should you as an individual do if you think you were impacted?

  • You may receive an email apparently from Anthem. These emails are not from Anthem and are scams attempting to get your personal information. Do not click on any link in such an email.
  • You may also receive a phone call apparently from Anthem about the attack. These calls are also not from Anthem. As always, do not give out credit card or Social Security numbers over the phone on any call you did not initiate. Hang up.
  • According to Anthem you should receive a letter in the mail “in the coming weeks.” That letter will advise you of the protection(s) being offered.
  • Take whatever identity theft services they offer.
  • Continue to monitor all of your financial accounts, including mortgage, investment, and loan accounts.
  • Consider putting a security freeze on your credit reports at each of the three reporting companies, Equifax, Experian, and TransUnion. Since most businesses will not open a new account without first checking your credit history, if they can’t access your credit history they are quite likely to deny someone getting credit in your name. It may cost you a few dollars, but it really does stop most identity theft. Availability and cost vary by state. If you want to request credit, you can lift the freeze enough to let a specific request be accepted.

If you are responsible for the personal information of your customers, employees or contractors, how vulnerable are you? You should not guess the answer. Find out, before you become the next Anthem.

Anthem will have some very stiff fines as a result of this breach. Between 2009 and 2013, HIPAA has levied fines of more than $25 million for data breaches. But this attack impacts more than twice as many people as all of the 2009-2013 breaches involving fines combined.

In 2014, Columbia Medical Center was fined $4.8 million for a data breach involving less than 10,000 people.

The last word:

Sometimes personal data is “released” on paper. Hundreds of documents from the Philadelphia Adult Probation and Parole Department were found in early February strewn across several streets in part of Philadelphia. These documents contained names, addresses, birthdates, Social Security numbers and signatures. The best guess as of this writing is that one or more boxes of information fell off a truck on the way to a nearby recycling center. The documents were not shredded.

Comments solicited.

Keep your sense of humor.

Walt.

In December, SingleHop asked nearly 200 bloggers for their predictions for Cloud Computing in 2015. They published their favorite predictions in their blog and asked that the contributors share their picks with our readers.


My prediction did not make their favorite list, possibly in part because it was a prediction of a serious cloud-based problem in 2015. The Cloud has so far been a fairly safe place to play. For the past four years I have reviewed the Verizon Risk Team annual security report and various Ponemon Institute reports. While the Cloud has been involved in some serious security breaches, the Cloud was not a contributing factor: the breaches were due to companies’ failure to properly protect their networks and data. I believe that for many organizations, the additional security expertise provided by Cloud Service Providers and existing cloud management software actually makes the Cloud safer than their own data centers.

I recently reported on Websense Security Labs 2015 Security Predictions. One of their predictions nicely supports my submission to SingleHop: Sometime in 2015 one of the Cloud-based collaboration tools will be hacked and a company’s confidential and proprietary information will be stolen. Two factors are driving this prediction:

  1. Hackers are becoming much more targeted, going after specific companies for a specific purpose. That purpose could be financial, such as selling your information to a competitor or holding your data hostage. It could be an act of hacktivism by someone who does not like what you do or how you do business. It could also be part of a government attack on your country’s economy.
  2. These collaboration sites provide a place for hackers to hide their command and control infrastructure. Your company is probably watching the places you visit in the Cloud, but will not flag traffic to and from places like Google Drive, Microsoft Office 365 or the like, especially if your company supports using those collaboration tools. The hackers do not have to deliver malware to your desktop in order to capture your information.

The last word:

Unfortunately, neither Microsoft nor Google has a stellar security reputation. If your company uses collaboration services, make sure your security team is monitoring for news of successful hacks through these services. The best thing to do is to encrypt any confidential or proprietary data that your employees and contractors store in these collaboration spaces, and periodically review the cloud-based documents for violation of your encryption policy.
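One way to run that periodic review, as an added example that is not part of the original post: it assumes the collaboration space is synced to a local folder and flags every file that is not recognisably encrypted. The function names and the 7.5 bits-per-byte entropy threshold are assumptions chosen for illustration.

```python
import math
from collections import Counter
from pathlib import Path

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")        # OLE compound file container
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream in password-protected Office files

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 looks like random data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes) -> str:
    """Return 'encrypted' or 'plaintext' for one document's raw bytes."""
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return "encrypted"
    if data.startswith(b"%PDF"):
        # Encrypted PDFs carry an /Encrypt entry in the trailer (heuristic match).
        return "encrypted" if b"/Encrypt" in data else "plaintext"
    if data.startswith(OLE_MAGIC):
        return "encrypted" if ENC_STREAM in data else "plaintext"
    if data.startswith(b"PK\x03\x04"):
        # ZIP-based formats (.docx, .xlsx, .zip): bit 0 of the flags field marks encryption.
        flags = int.from_bytes(data[6:8], "little")
        return "encrypted" if flags & 1 else "plaintext"
    # Unknown format: treat near-random content as ciphertext (assumed threshold).
    return "encrypted" if entropy(data[:65536]) > 7.5 else "plaintext"

def audit(folder: str) -> list[str]:
    """List files under a locally synced folder that violate the encryption policy."""
    root = Path(folder)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and classify(p.read_bytes()) == "plaintext")

if __name__ == "__main__":
    # Constructed samples, not real documents.
    samples = {
        "plan.txt": b"Q3 roadmap: confidential\n" * 40,
        "plan.txt.asc": b"-----BEGIN PGP MESSAGE-----\n(constructed)",
        "deck.pdf": b"%PDF-1.7\ntrailer << /Root 1 0 R >>",
    }
    for name, blob in samples.items():
        print(f"{name}: {classify(blob)}")
```

Compressed media such as JPEG or gzip files pass the entropy fallback, so add explicit format checks for any such types your policy covers.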

Comments solicited.

Keep your sense of humor.

Walt.

Morning

(This is another special posting by Suzy. I hope you enjoy it.)

Slowly she became aware that the sun was brightly gleaming through the window, but the house was still quiet. Surely, it was late enough that she should be able to hear someone in the kitchen making breakfast. Looking at the window she could see thick ice on the glass. Grandmom said that the glazing was from Jack Frost’s breath when he peeked in the window during the night. Carefully she stuck her foot outside the covers. Brr, the air was cold. Grandmom usually came in and put her clothes on the radiator to warm, but the radiator was empty. Nothing to be done about it. Throwing back the covers she slid her feet over the edge and reached for the floor slipping down the last couple of inches. The carpet felt cold to her toes. She tugged at the top dresser drawer. It was a wide drawer and she had trouble making it pull out evenly and it jammed before it was open wide enough for her to slip her hand in and reach her under clothes. With the heel of her left hand she banged on the drawer, freeing it and she tried again to open it. She had to do it twice more before she could reach in and get her panties, undershirt, slip and socks. After neatly draping them on top of the radiator she walked over to the armoire and opened the door on the right where the longer things were hung. Not remembering any plans to go out today she tugged at an everyday dress until it came off the hanger and added it to the other things on the radiator. The radiator was putting out lots of heat, which was in contrast to the cold she could feel seeping in through the window. She reached her hand to the glass and tried to warm a spot on the window large enough to look out onto the street. Yesterday they had had a big snow. No cars seemed to be moving and so it was very quiet out there, too. It was the morning after a big storm and the sky was a brilliant blue and the sun so bright on the snow that it was hard to keep her eyes open and she had to look away. 
The adults must be very busy because no one seemed to have heard her walking around and come to check on her. She reached for her underclothes and quickly dropped them. They were too hot. She could see funny wiggly marks on her panties. She wondered if they were beginning to melt and grabbed for all the clothes she had put there. It felt so very good to put on the warm clothes. She hadn’t realized how chilly she had gotten. She put on her shoes and carefully went through the steps to tie the laces into bows. She was in the middle bedroom, so when she opened the door she looked back and forth down the hall, but still could not see nor hear anyone stirring. Well, that would mean the bathroom would be empty so she went in, moved the stool to the basin, climbed up and washed her face in the cold water. That was a real waker-upper.

The stairs in Grandmom’s house were steep so she always held onto the banister, except for the third step. It creaked, so she would step to the wall side. It was a game she played with herself, to go all the way down without the steps making a sound. Reaching the bottom step she looked over to the sunroom. Grandmom usually sat in the corner seat to watch the big kids walk to school, but Grandmom wasn’t there. It felt late, so maybe the kids had already passed, or maybe this wasn’t a school day. It really didn’t matter. Cheerfully she turned to look for Butchie, the black cocker spaniel that lived in this house. He always greeted her in the morning. He was so funny. As he came into the living room he was wagging his tail so hard that the entire back half of his body went from side to side with abandon. Then he tried to get so close that he knocked her over and she bumped into the coffee table and they landed in a heap together on the floor. She scratched behind his ears the way he liked, then they both got up and started for the kitchen. She caught a glimpse of herself in the dining room mirror. Grandmom would tell her she looked like a ragamuffin. She hadn’t run a comb through her hair and it was sticking out randomly. Hair could be done later. Now, it was time for breakfast.

Still no Mom or Grandmom, but that was okay because she knew how to make a scrambled egg. She had watched Mom and Grandmom lots of times. She took an egg from the dish in the icebox. That’s what Grandmom called it, even though it had a motor on top. The only ice was the cubes in the tray in the open freezing shelf.   Not wanting to break the egg too soon she carefully carried it to the counter and set it on the dishrag so it wouldn’t roll. Then she got the little cup Grandmom used to scramble eggs and the cooking fork. Grandmom had a cute little frying pan just big enough for one egg, which she took from the cabinet and put on the stove. Kneeling on a chair, she thumped the egg against the edge of the cup, but it didn’t crack. She tried again. Why had she been so careful carrying it when it wouldn’t break anyway? She hit it more sharply and half the egg and shell went into the cup and the other half fell onto the drain board. She lowered the cup into the sink and pushed the spilled half into the cup then fished out the two shell halves. It was half scrambled already. Mom always put a slosh of milk into the egg with salt and pepper before scrambling, so she climbed down and went back to the icebox. Grandmom’s milk came in glass, quart bottles with long necks. That made them easier to carry. She needed to shake the bottle because the cream had separated. The little paper lids didn’t stay on well once the bottle had been opened so she put her palm across the top of the bottle. She knew she had to pour slowly and carefully because it would be easy to get too much milk with the egg. She was so careful that it seemed to take forever for the milk to come out and then it splashed. Oh well, everyone said that it was good to drink lots of milk.   She shook some pepper onto the egg milk mix and watched it float. Then she shook a little salt. Then a bit more. It seemed to gather in the center of the pepper island. Maybe a bit more. 
Then the salt began to sink and take the pepper with it. She guessed that was enough so she picked up the cooking fork and stirred it around quickly to beat up the egg. A bit splashed onto her hand and the drain, but not much. She still had to turn the fire on under the pan. She remembered to push the knob in and listen for the clicks before turning it clockwise. The flame whooshed up and then settled down as she kept turning the knob. After taking the flipper from the drawer next to the stove she moved her chair over in front of the burner and poured the egg into the pan and began moving the mixture with the fork before she remembered that she had to wait for it to lighten a little and begin to stick together. It didn’t take long to cook, which was a shame because it was fun to move the liquid egg in the pan and watch it firm up. Time to put it on a plate. Oh yes, a plate. After turning off the flame she climbed down and walked over to the cabinet with the dishes and took out a plate. Having moved the egg to the plate she moved the chair back then took the plate in both hands and carried her breakfast to the table.   Where was everyone? This was no fun, sitting by herself to eat. Grandmom always trimmed half an orange so it would be easy to eat. Where was everyone?

She needed to find them. Where could they be? Doing the wash? She slid off the chair, put what was left of the egg down for Butchie to eat. She could get the dish later.   Opening the door to the cellar she listened for the washing machine. She couldn’t hear it nor could she hear any voices, but she started down the steps to be sure. One, two, three, four, oops… In slow motion she began to tumble and bounce down the steps. They went on and on and she was still tumbling. It should hurt, but it didn’t. She just kept falling and falling.

“Come on, Sleepy Head, time to wake up.”

That was Grandmom.

“Let me slip your clothes under the covers. It’s chilly out here so put them on before you get out from under.”

It was just now time to get up.

“The storm is over. There’s lots of snow and sunshine outside. After a nice, warm breakfast we’ll get the sled out. Your Mom and Granddad can go down the hill with you.”

Everyone was home.

The last word:

Suzy always likes the first day after a snowstorm. The sun shining on fresh white snow after a period of gray skies over a gray landscape cheers her up.

Comments solicited.

Keep your sense of humor.

Walt.
