By Andy Marken
We recovered from Heartbleed and now Bash vulnerability/shellshock emerges as the next great "discovery" that's going to cause massive data breaches (think Sony Entertainment).
Every enterprise breach will bring out the hordes of lawyers and their John Doe lawsuits to recover millions for as yet unnamed injured parties who put their information into someone's database somewhere and used their ABCDE/12345 passwords to protect "their stuff."
Then, they put all that stuff into someone's cloud because it was the cheapest choice in town or better yet, was free!
Oh yeah, and there's little to no security enabled on their smartphone, tablet, notebook that they use for the office, home, school.
We've just built a world of free choice and convenience for ourselves and a wallowing pond for hackers, whackers, cybercrooks and smart/creative/mischievous kids to play in.
Jeez folks, admit it ... you s****ed up!
More Targets – As compute technology moved out from the data center to include nearly everyone and everything on the planet, the "opportunities" for hackers, whackers, cyber bad guys/gals have exploded. New devices and apps have become a rich feeding ground for people who want to make their living dishonestly as well as really smart folks who just want to have fun at our expense.
In the system days, everything was under the management/control of an IT (information technology) department somewhere.
Then we got our PCs and if those IT folks couldn't deliver the things folks wanted, they bought it on the open market.
Enter the wonderful world of personal devices and BYOD (bring your own device) and people went nuts loading up on cheap/free neat things that let them work/play exactly the way they wanted.
Now we have operating system (OS) and app holes, issues, problems because people don't really write software today, they use Lego components to build the stuff.
The building blocks let all of us get things put together faster so it can be shoved into the marketplace to be loaded, used, shown around, bragged about.
Any problems/shortcomings will be worked on/fixed on the fly.
Of course, regular folks blow-off updates/patches because hey, you're too busy working, having fun.
Unguarded – The BYOD (bring your own device) craze has opened the gates to organizational data because people use their device for business and pleasure and don't follow even the most basic of security measures.
Everyone forgets – or chooses to ignore – what General Benjamin W. Chidlaw, head of what was to become NORAD (North American Radar and Defense Command) said back in 1954, "Simply put, it is possible to have convenience if you want to tolerate insecurity, but if you want security, you must be prepared for inconvenience."
Seems like we opted for convenience and aren't willing to live with insecurity.
At this year's amazing Black Hat conference, 88 percent of the hackers queried said they believed their own data and privacy were vulnerable to attacks.
Here's what they do/recommend for pretty good security:
- Update devices regularly, faithfully
- Secure your devices regularly
- Take your nude/questionable selfies out of their clouds
- Only post the stuff you want people with no lives to spread around.
- Put your families, your stuff on your home/personal server cloud, protect it
Yes, Shellshock sucks because about 50 percent of web servers run Apache, an open source solution that (simplistically stated) is the underpinning of the Internet (wired, wireless); a web server that hands requests off to Bash (CGI scripts, for example) turns a bug in a shell into something reachable by anyone who can send it a request.
All the dedicated volunteers and white hat hackers are working their behinds off to solve that problem at the source and they will.
The open source community is very smart and thinks there is a place for utopia online.
But it's tough to get there because too many people are lazy, incompetent and ignorant so stuff happens.
That's where the headline-making, big data breaches come in and where the lawyers leap into action.
Bigger, Better – Organizational data breaches have become both bigger and more frequent to the point they have almost become white noise – heard so much that they are unheard. Most of the vulnerability and breaches are made possible by human error and that's difficult to overcome.
Last month, the Ponemon Institute reported that 43 percent of U.S. companies had security breaches in the last year. I'll bet another 43 percent swept it under the table or didn't even know it happened.
Security breaches are happening with boring frequency. They are also more visible: Target (100M records), eBay (150M records) and Sony Pictures.
Then there's the Korean Credit Bureau, which had the records of 70 percent of South Koreans aged 25-65 purloined.
Of course, there are also the organizations that don't realize they've been penetrated.
24x7 Monitoring – Security solution providers, governments and large corporations spend billions every year to monitor their networks in the hope of stopping malware and breaches from penetrating the billions of computing/communications devices in use around the globe. It's a constant game of cat and mouse.
While wily hackers get blamed for this stuff, Experian's data breach resolution group says that 80 percent are caused by plain old employee negligence or dumb actions.
You know, password Post-Its on the monitor, people being spear-phished, innocently giving out a password, lost USB drives, mishandling files, visiting the wrong sites or just being careless/not thinking.
Most of us look at these breaches as being driven by hackers bent on making billions by selling and reselling the data to folks who can turn the data into even more cash.
But the Black Hat survey found most hackers don't do it for the money.
Numbers Game – Whether it's a kid who just wants to test his/her skills, a cybercriminal in Russia or a spam service provider in Florida, the goal is all the same – entice someone to give them the information they need to penetrate and take control of your device and your organization's network/data. And "we" make it too easy for them.
In fact, only 19 percent said they had any financial gain from their endeavors.
Fifty-one percent said it was for the fun, thrill of it.
I guess it must be exciting to know you developed something that has taken over hundreds/thousands of computers, tablets, smartphones (bots/proxies) that send out bogus messages or ads to other devices (true, that can produce a steady income for them).
One percent wanted to make a name for themselves and 29 percent described it as "their moral compass," whatever the hell that is.
Fun or not, they have really honed their skills and could make themselves more valuable employees to organizations ... but Snowden is a bad example.
Okay, they shouldn't be held up as shining role models for your kids to emulate.
But still, what should you do to make it less easy to tap into your info?
First of all, assume the hoodie wonders have tapped into your data and if not ... they will!
Some security folks (including those who make the virus, malware and security products you buy/use) privately feel we're fighting a losing battle because the holes are so numerous and the kids/bad folks are getting better and better.
But jeez, you can make 'em work for your stuff!
Uphill Fight – Malware and security solution providers including Eugene Kaspersky, who heads one of the largest solution providers in the world, agree that they are always one step behind on-line problems because it is almost impossible to determine how, when or why an online infection or breach will occur.
Understand that your smartphone and tablet (and all smart devices) are really damn robust computers that handle email, photos, contacts, account information and personal data so...
Change your password(s) – yes plural – for all the sites you visit/devices you use and make them really strong, even tougher to remember than those old CompuServe email addresses your grandparents had.
Of course your mind can't handle all that garbage, so use a password manager like LastPass or Password Safe or make up a word using symbols and numbers.
Now we know it's a pain in the behind, but do what IT/security folks have been begging you to use for a long time ... two-factor authentication.
Regardless of the device you're working with/playing with:
- Don't ignore the software updates for all of your devices; they're sent out for a reason.
- Don't share anything more than you want to lose on Facebook, LinkedIn, whatever.
- Don't be so quick to download all those neat free apps that come to you. Lots of them have "added features" that aren't there for your benefit.
- Don't be so quick to click on a message, email, social media link – if you don't trust the sender, delete it.
- Put security software on all of your devices that blocks the garbage and lets you shut it down if the device(s) are lost/stolen.
- Don't be so quick to tap into that free WiFi; it can take as well as give.
- If you're banking/buying online, make sure the site uses SSL (Secure Sockets Layer) encryption: look for https:// and the padlock in the browser's address bar.
I'm a firm believer in Andy Grove's (former head of Intel) now famous/infamous statement, "only the paranoid survive."
He was referring to the business of business; but your devices, your data are your business.
I don't use cloud storage any more than I have to because:
- All of the cloud services are fighting each other for customers so they're racing to be the lowest price in town, which means something has to give and it might as well be security.
- None of them, to my knowledge, are making money with their service, which is a business model that sucks and if they close their doors there goes your data.
- Hackers, whackers and cyber bad guys/gals don't find it as profitable going after onesies, twosies as they do a big crowd gathering which is "the cloud!"
That's why I have a home cloud, a big (20TB) home networked storage solution.
Minimize Cloud Footprint – While cloud storage services and social media storage/posting are enticing because of the fame, notoriety and low cost they offer, the more of your data that is out in the virtual world, the more vulnerable your data and you are to penetration and theft. Personal and home storage solutions, combined with care about what you post and where you click, make it more difficult for your information to fall into the wrong hands.
Ours came with software RAID (redundant array of independent disks), which basically means that (depending on the level, 0-5) I can distribute the data across the drives so that if one fails (they do, ya' know!) the information can be recovered. One caveat: RAID 0 only stripes data for speed and keeps no parity, so it gives you nothing if a drive dies; you need RAID 1 or RAID 5 for that.
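As an added illustration (not code from the article), here is the XOR arithmetic behind that "one drive can fail" promise, with a parity array (RAID 5 style) beside plain striping (RAID 0 style); the drive count, chunk size and sample bytes are assumptions made up for the demo.

```python
# Added example, not the article's code: a toy model of parity RAID.
# Real arrays (mdadm, hardware controllers) rotate parity across drives
# and work in large blocks; only the XOR idea is shown here.

CHUNK = 4  # bytes per chunk (assumed); real arrays use 64 KiB or more

def xor_chunks(chunks):
    """XOR equal-length chunks together; this is the parity calculation."""
    out = bytearray(CHUNK)
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)

def stripe(data, data_drives, parity):
    """Spread data across `data_drives` drives one chunk at a time.
    With parity=True an extra drive stores the XOR of each stripe."""
    drives = [[] for _ in range(data_drives + (1 if parity else 0))]
    stripe_len = CHUNK * data_drives
    for off in range(0, len(data), stripe_len):
        s = data[off:off + stripe_len].ljust(stripe_len, b"\0")
        chunks = [s[i:i + CHUNK] for i in range(0, stripe_len, CHUNK)]
        for d, c in enumerate(chunks):
            drives[d].append(c)
        if parity:
            drives[data_drives].append(xor_chunks(chunks))
    return drives

def recover(drives, failed, data_drives, length):
    """Rebuild drive `failed` from the survivors and read the data back.
    Returns None when there is no parity drive to rebuild from (RAID 0)."""
    if len(drives) == data_drives:
        return None  # striping only: the lost chunks are simply gone
    survivors = [d for i, d in enumerate(drives) if i != failed]
    # parity = XOR(all data chunks), so XORing the remaining chunks of a
    # stripe (parity included) reproduces the missing chunk
    rebuilt = [xor_chunks([d[s] for d in survivors])
               for s in range(len(survivors[0]))]
    drives = drives[:failed] + [rebuilt] + drives[failed + 1:]
    data = b"".join(drives[d][s] for s in range(len(rebuilt))
                    for d in range(data_drives))
    return data[:length]

SAMPLE = b"family photos and tax returns"  # constructed sample content

def demo(parity, failed=1, data_drives=3):
    """Build an array, kill one drive, return what can be read back."""
    drives = stripe(SAMPLE, data_drives, parity)
    return recover(drives, failed, data_drives, len(SAMPLE))
```

`demo(True)` returns the sample intact whichever drive fails (parity drive included); `demo(False)` returns None because a striped-only array has nothing to rebuild from.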
To keep peace in the family, we have a combination of "public" and private spaces (all password, two-factor authentication-protected). Sure, I'd love to know what they have in their spaces, but I'm not smart enough to hack 'em.
Even with all of this protection, I wouldn't do something stupid and follow Sir Laurence when he cried out, "God for Harry, England, and Saint George!"
Besides ... someone might have hacked his iPhone!