Category Archives: Opinion

Survey Says: Americans Concerned About Data Collection Practices

Well maybe not concerned enough to change their practices, but concerned.

When asked if their data is more secure, less secure or about the same as compared to five years ago, 70 percent said their data was less secure.  6 percent said it was more secure.

On the side of “gee, you mean I have to do something about it?”, 97 percent say they are asked to approve privacy policy notices, but only 9 percent say that they always read it and another 13 percent say they often read it.  That means that three-quarters of the users don’t read what they are agreeing to.  38 percent say they sometimes read the polices and 36 percent say they never read them.

Of those people who say that they at least sometimes read the privacy policies, on 22 percent say they read it to the end.

On top of that 63 percent said that they know very little or nothing about the privacy laws that protect them.

When it comes to being tracked, 72 percent said that all, almost all, or most of what they do on their phone is being tracked with an additional 19% saying that some of what they do is being tracked.  That leaves 9 percent who think that they are not being tracked. Hmm?

47 percent think the government is tracking them.

69 percent feel that their offline behavior including where they are and whom they are talking with – OFFLINE – is being tracked by the government.

84 percent say that they feel that they have little to no control over the information that the government collects and 81 percent feel the same way about information companies collect about them.

81 percent of the people think that the risks of data collection about them outweigh the benefits and 66 percent say the same thing about government data collection.

72 percent say they personally benefit very little or none from the collection of their data by companies and even ore surprisingly, 76 percent say that they don’t get much benefit from government data collection.

Certainly an interesting set of information, which could explain why there was so much support for privacy legislation in a variety of states.

You can find more information about the Pew report here.

 

 

 

 

 

 

 

 

Facebooktwitterredditlinkedinmailby feather

The Security Implications of the Federal Shutdown

O P I N I O N

The President says that the shutdown is about security and I think he is right, but not in the way he is thinking.

We have to take this agency by agency, but just look at the numbers.  The EPA, probably no one’s favorite agency for different reasons, says it is furloughing 13,000 out of its 14,000 employees.  Is it likely that some of those employees serve cybersecurity (or even physical security) functions?  Maybe the 1,000 people are all of the folks managing cybersecurity, but I doubt it.

TSA screeners are considered essential, so they are supposed to work even though they are not being paid.  Some number of them (TSA isn’t saying how many) have been calling in sick.  Given the horrible stats regarding TSA agents detecting contraband and the fact that TSA turnover is 80% or more a year in some cities, there is no way that this is not negatively impacting your security.  It is affecting my security less because I haven’t had to fly lately, but if I did, it would affect my security too.

Even if the TSA attrition rate is not climbing during the shutdown, they are not hiring anyone right now. That alone puts security at a disadvantage.  The TSA has 50,000 agents.  If you assume they have to replace only 25,000 every year, if the shutdown lasts a month and the stats don’t go up, they will have to replace about 2,000 people.  How easy will that be given that the government is/was shut down.  The TSA says that standards won’t suffer, but you can do your own math.

Many so called government employees are actually contractors.  It is possible that some companies are choosing to pay their employees to work at federal jobs even though they are not and likely will not be paid (historically, federal employees got back pay after they returned to work but contractors did not), but some companies do not have the resources to do that.  Combine that with the government issuing what they call “stop work” orders to contractors and you have to believe that there is an impact.  One stat I read tonight said that 40% of the federal labor force is contractors.  Assuming that is close to true, surely some of those people are not working as a result of the shutdown and probably some of them perform security functions.

Other parts of Homeland Security includes 187 departments and several hundred thousand employees.  At least some of them have been furloughed; others are working without pay, while others are looking for other jobs.

Who are the most likely to find other jobs?   Certainly it is not those with the least skills.  When it comes to cybersecurity, it is the ones with the most skills and likely, if they leave, they will get a pay raise.  And, they won’t come back.

So while the government will never admit how much the shutdown affected security, the longer it goes on, the greater the effect is.

Just my two cents.

 

 

Facebooktwitterredditlinkedinmailby feather

Cybersecurity is not an IT Problem

O P I N I O  N

People sometimes ask why IT can’t fix the cybersecurity problem.  The reason is pretty simple.  Cybersecurity is not an IT problem.

IT can make systems very secure.  Only problem is that employees won’t be able to get their job done.  No mobile.  No WiFi.  No personally owned computers.  Really long complex passwords.  You get the idea.

Several British companies have decided that the way to improve security is to implant a microchip in the hand of several hundred thousand employees instead of giving them a badge.

After all, what could go wrong?

Kind of like your cat.  After all, the pet door that is supposed to open with your cat’s chip always works, right?

If an employee wants to go to the bathroom, wave your hand in front of the bathroom door.  If you have already taken a bathroom break this morning maybe the door won’t open.

What happens when your “badge” stops working (I am sure that those of you who have a work badge or have gone to a hotel have never experienced that)?

Who pays for the medical bills if there are complications?

What happens when you change employers?

And, of course, you can’t turn it off on the weekends or at night.

Can you opt out?  Your cat didn’t have a choice.

Now the PR Spin.

KPMG said it was not considering microchipping it’s employees and would, under no circumstances, consider doing so.

So while, apparently, some employers ARE considering microchipping their employees, think about this:

  • Equifax couldn’t patch all of their servers
  • Target didn’t isolate a server that a refrigeration vendor used to find out what cooler needed repair from their credit card system
  • Home Depot wasn’t PCI compliant when they were hacked;  their lead security engineer was a convicted felon (Ricky Joe Mitchell was convicted of sabotaging his former employer) and it has been widely reported that when the security team asked for more funding to improve security they were told that Home Depot was in the business of selling hammers – how does this help us sell more hammers.
  • It seems that every week we hear about another company that “accidentally” allows anyone on the planet to download the content of their Amazon S3 storage buckets containing userids, passwords and all kinds of confidential information.

If businesses cannot handle the security basics, microchipping their employees is not going to help.

99% of the time, security is about the basics.  Every now and then it requires heroic efforts, but those times are relatively few.

This issue is gonna be with us for a while.  A long while.  Anyone who is hoping for a silver bullet solution – I have a bridge in Brooklyn for sale cheap.

SORRY!

Information for this post came from Slate and The Guardian.

Facebooktwitterredditlinkedinmailby feather

In Honor of Election Day

First of all, if you haven’t already voted, please vote!

Time did a nice piece on election security (see link at the end).  In a somewhat self-serving statement, Homeland Security Secretary Kirstjen Nielsen said that she FELT confident that this year’s election would be the most secure election we have ever had.  Ignoring for a moment that the paper ballots that we used for the first 150 plus years of our country are probably way more secure than what we are doing now and while I appreciate her feelings, they really don’t give me a lot of confidence.

That being said, we probably have improved the security of the election process since the last presidential election.  If she had said that we have the most secure election we have ever had since 2016, I would probably agree with her, but that would not offer a good sound bite.

Secretary Nielsen said that no matter that the U.S. Intelligence community and law enforcement officials sounded the alarm last month about ONGOING efforts by Russia, China and Iran to influence our elections, that is different.  Her view of election security is limited to hacking of voting machines, not changing the outcome of the election.

While my rant above is possibly a bit harsh, it does point out something that is important.

We need to be concerned about changing the outcome of the election, whether that is by hacking voting machines, spreading disinformation or voting early, voting often, as it was said about Chicago under Mayor Daley.   What matters is that this is our election and not Russia’s.  Or China’s.

It is good that we haven’t seen any sustained effort by foreign powers to hack voting machines.  That, to me, is the absolute hardest way to change the election.  Maybe hacking the central tabulating system at the County or State level might make sense, but hacking individual machines – that is a lot of work.

Time says that 44 states and the District of Columbia did participate in a three day exercise this past summer to put election systems to the test.  Part of the exercise was to test the Fed’s ability to share hacking data with local election officials.  All that seems like a good thing.

Since the Feds, under President Obama, declared election systems critical infrastructure, over the objections of many local officials (fearing that the feds were saying that they were not doing a good job), the Feds created an Information Sharing and Analysis Center or ISAC for Election Infrastructure as a formal way to share information all around.  Another good idea.

1,300 of the 8,880 local election jurisdictions are participating in this system.  Why the rest are not is scary.  Maybe these should publish their membership list so the voters can vote on that!

The Feds have developed a threat detection system that they use called Einstein.  All Federal Internet connections use it and while it is not perfect, it is way better than was was being done before.  Einstein has a cousin called Albert (cute huh?) that the Feds have given (or sold, it is not clear) to 43 states to help them detect threats.  These two are similar in function but completely different implementations.  Still both achieve the same goals – look at Internet traffic and try to ferret out the bad guys.  See this article in Fedscoop for info on Albert.

The Feds also offered to conduct a penetration test of election infrastructure for the states.  Only 21 states asked for help.  While some states do their own pen tests, if you can get another one for free, exactly why wouldn’t you accept?  Unless you were worried.

DHS is also doing remote weekly scanning for 36 state and 94 local governments and providing them with vulnerability reports.

The fact that everyone has not asked for help is just an indication that, for politicians, ego often wins.

Oregon solved the problem (as does Colorado).  Oregon uses paper ballots.  Hack that from Russia! Of course there are counting machines, but hopefully they are not on the Internet.

I do believe, in spite of the above, that we have IMPROVED the security of election systems somewhat since 2016, but there is a long way still to go.  The ExpressPoll-5000 voting machine still uses a root password of “password” and a master administrator password of “pasta” .  That’s got to be pretty secure, no?

And of course, we really have not done much about the disinformation campaigns, which are way easier than hacking a voting machine and, apparently, pretty effective.

The Cybersecurity 202 newsletter talks about disinformation campaigns like Twitter “news” that says that Immigration officials will be at polling stations to check citizenship status which might deter legal immigrants that don’t want to be hassled or hacks to local election or news sites.  We have also seen disinformation email campaigns telling people to go to the wrong place to vote.  DHS says check your information source, but sometimes that is easier said than done.

What do you think?

Information for this post came from Time.

 

 

 

Facebooktwitterredditlinkedinmailby feather

U.S. Election System Under Attack

O P I N I O N

Christopher Krebs, The Undersecretary for the National Protection and Programs Directorate (NPPD) of DHS said individuals voting rights were safe despite persistent attacks on the voting infrastructure.

He said, that by law, if you show up to vote and there is a problem with your registration,  you have the right to request a provisional ballot.  It can take time and be disruptive, but if you are persistent, you can get a ballot.

Krebs says that they haven’t seen as persistent an effort by the Russians to compromise this year’s election as they saw in 2016 – that statement by itself seems at odds with what his boss, the President has said.

DHS is planning to launch an initiative to manage the risk.

I agree that if you are willing to create a scene, you can get a provisional ballot, but is that really where the risk is?

Certainly, it is possible that an attacker could try to delete voters from the voting rolls, but that seems like a hard way to effect the outcome of the election.  After all, how do you know how that voter will really vote.

Much more likely and not mentioned by Krebs since DHS isn’t doing much about it, is the likely attacks on campaigns web sites and email of candidates and their teams.  When the President says that there is no evidence that Russian interference in 2016 didn’t change any votes, I have no idea how he can prove that.  If what he means is that the Russians didn’t cast any fraudulent ballots one waay of the other on behalf of a voter, I believe that.

If, however, he means that the relentless social media attacks for and against different candidates, illegally funded by Russian controlled front companies recently indicted by the federal government didn’t change people’s choices as to who to vote for, that is completely unprovable and likely just wrong.

For the last year and a half DHS has not processed the security clearance requests of state and local voting officials so that they can receive classified intelligence.  A few officials have gotten their clearances, but many more have not.

All in all the administration is picking and choosing their talking points to make things look better.  Overall, they have done very little to improve the situation as compared to 2016.

When Krebs said that they have not seen Russian interference at the levels of 2016 this year, he should have added the word YET.  This is still early and likely the Russians will increase their efforts in that direction.

I have no clue which side they plan to attack; but which ever side it is, it will be to further their own interests, not ours.

Stay tuned, this is far from over and we don’t have an effective strategy to counter it.

Information for this post came from FCW.

Facebooktwitterredditlinkedinmailby feather

To Cyber War or Not to Cyber War – That IS the Question

O P I N I O N

To butcher a very famous quote, are we at war or not?

It is clear that the Chinese and Russians are at war.  We have some pretty clear information about what they have been doing and what they have stolen.

What is much less clear is whether WE are at cyber war.

For the most part, the government has played down the hacking by foreign powers.  While they have not said why, it is likely partly due to being embarrassed about the loss of billions of taxpayer dollars of research on defense programs like the F-35 and, more recently, Sea Dragon.  It is partly because they do not want to scare people and partly due to the fact that U.S. businesses depend on people using the Internet and if they are scared about that, they will spend less.

During World War II, the government was pretty clear about what was going on (minus a lot of classified details, but those details are not really needed to get the point across) and what every loyal citizen needed to do to help the war effort.

But here is the rub.

According to a recent Verizon security report, only 14% of respondent organizations had implemented even the most basic cybersecurity practices, while 32% said that their organizations sacrifice mobile security for business expediency.

One result of this is that Internet of Things cyber attacks have spiked 600% in one year (see here).

It appears that, in the absence of being forced to improve security, most companies (i.e. 100%-14%=86%) have made the business decision to worry about cybersecurity after the horse is out of the barn.

Laws like the new California privacy law, which allows individuals to sue businesses after a breach, even if they cannot show economic damage, could, possibly, change that.  Assuming California doesn’t change the law (not surprisingly, businesses are not happy about that part of the law).

If we take a modest breach of say, 500,000 records – small by today’s standard – and multiply that by the midpoint of what the law allows consumers to sue for – say $425 – that creates a potential liability in that breach of a little over $200 million.  Add to that, of course, the cost of dealing with the aftermath of the breach.

At the point at which a company is in the boat of having to write a check for a quarter billion dollars – well, enhancing security may seem like the better choice.

Up until now I don’t really blame U.S. businesses for ignoring cyber security.  First of all, the odds of getting caught are low.  Then, you may be able to get away with not saying anything about it.  Some countries in the EU have reported that the number of breaches reported to them in the month of June – the first month after GDPR went into effect – was equal to the total number of breaches reported in all of 2018 prior to the law going into effect.

Why were so many breaches reported in Europe in June?

Not because Europe was under some new form of attack.

Rather, it because willfully not reporting a breach could result in a fine of the larger of 20 million Euros or 4 percent of your global annual revenue.  That is a pretty strong inducement.

SO what do you think?  Should U.S. companies HAVE to meet security standards?  Financial institutions, doctors and hospitals and recently, sort of, defense contractors, have to.  What about the rest of U.S. businesses?

If we are in a cyberwar, what is our responsibility as U.S. citizens to do about protecting ourselves and our country?

Right now people don’t worry about their credit cards being stolen.  Why is that?  Because they have either very little liability or no liability if the card is misused, because of the law.  I am not suggesting changing that law, but the law does impact behavior.

I say that we are seriously losing the cyberwar to the Chinese and Russians and others – and not doing very much about it.

Why?  because it is inconvenient and, truthfully, many people say that it is not their problem.

What do you think?

Please post your thoughts here.

 

 

Facebooktwitterredditlinkedinmailby feather