Author Archive for Jeff Reich


Holiday Security – Manage Your Risks

Welcome to the holiday season!  Along with the holiday cheer, parties, presents and spending come some risks of which we should all be aware.  Situational Awareness is a phrase that some might not recognize.  Situational Awareness entails being aware of your surroundings and environment and adapting your behaviors to address the risks being presented.

One special area of interest is web sites.  Some web sites will present offers that seem too good to be true.  If you cannot confirm that you are visiting a web site that you know and trust, be very wary of entering any identifying information about yourself, especially items such as account numbers, social security numbers and credit card numbers.

Another problem related to web site scams is unsolicited email messages.  My simple recommendation is this: any email message that you did not request, and that asks for information or prompts you to click a link, should be deleted.

In both of these cases, should any situation persist, at a minimum you can report the offending web site or message to abuse@domain.com, where domain.com is the domain portion of the sender’s email address or of the web site in question.  Should you believe that a crime has been committed, contact law enforcement.  At Layered Tech, we manage inbound abuse complaints for most of the domains hosted by us and we take complaints very seriously.

One bit of data that the bad guys would like to get is your Credit Card information.  I have already talked about being cautious on web sites and with email.  The same cautionary tales apply to unrequested telephone solicitors.  One of your better defenses against credit card fraud is to examine your charges often.  I make it a point to examine all of my credit card charges at least five times per week.  As soon as I see a charge that is suspicious, I notify the credit card company.  Most are very willing to work with you on fraud issues.

If you do not have a Smartphone or Tablet, you may be receiving one this holiday season.  Between apps that allow you to shop, bank and engage on social media, your device contains a treasure trove of data.  Regardless of when you get your device, I recommend taking the following measures:

  • Lock it – Most devices have either a swipe pattern or PIN or password capability.  Activate this feature as soon as you have your device.  A longer password is better than a four-digit PIN and a complex swipe is better than a simple one.
  • Backup your data – Whether through your synchronization software or other means, do this often.
  • Hang on to your device – If they don’t have it, they can’t use it.
  • Determine how to find it – Using Find My iPhone, Where’s My Droid, Plan B, Lookout or similar apps will allow you to locate, message and even wipe your device clean of data, should you lose it.  Of course your data is still backed up if you followed the second step.
  • Report missing devices – Your carrier and local police department may be able to take steps to locate or prevent reuse of your device.

Being aware of your surroundings and of the value of your data allows you to be a happy and safe holiday consumer.  Here’s to a great start to the holiday season this year!

Image Credit: 401(K) 2012

About the Author: As Chief Risk Officer at Layered Tech, Jeff Reich (@LayeredTechCRO) drives the company’s security and compliance services and guides risk mitigation efforts for clients. With more than 30 years of experience, Reich is a well-known risk management and security expert in the industry. He holds CRISC, CISSP and CHS-III certifications and is an ISSA Distinguished Fellow.

How Much is Your Data Worth?

Everyone knows that a lot of information about each of us is floating around various segments of the internet.  The prevalence of online shopping, social media and portable computing has made us comfortable with this and in many ways that is a good thing for commerce, society and individuals.  Many of us feel very confident in the controls that exist to protect data about us and in most cases that confidence is well founded.

October is Cyber Security Awareness Month and this is a great time to address this topic.  Unfortunately, as a result of conditions, attacks and social engineering, components of our information slip out of the control of those that we trust.  When this happens, those with motives less honorable than those of most of us will choose to take advantage of the situation.

This is when the value question comes into play.

  • What would you do if you were told that your information was being held and could be disclosed to others or, in some cases, withheld from your use unless a demand is met?
  • What can you do about this?

First of all, try to do all you can to limit the amount of data that you share with others.  You do not always have to give everything requested to everyone requesting.  Another technique that could help limit your exposure is being less than truthful when you do not have to be completely honest.  Now, I am not suggesting that any of us lie, outright, but consider when and how data is used.

When you sign up for a service of some sort and you are asked for your “security questions”, think about using answers that won’t allow someone to gather more information about you than is absolutely necessary.  For example, many of you identify your city of birth in a public place like Facebook.  With that readily available information, someone could easily guess the answer to at least one of your security questions on another site.  For that reason, rather than always entering your actual city of birth, consider mixing up your answers (of course, the more complex you make this, the more you need to track).

If you enter your city of birth as the North Pole, no confirmation will occur and, as long as you remember that you used “North Pole” for that site, the chances of someone being able to guess your answer will be greatly reduced.  This is just one example and will be best used if you add your own creativity to it.
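The two ideas above (a made-up answer per site, and keeping track of which answer went where) can be turned into a small tool.  The following is an added example and is not code from the original post: it generates a random answer with the `secrets` module, records it under the site and question it was used for, verifies a candidate the way most sites do (ignoring case and spacing), and flags two weaknesses the post warns about, an answer reused across sites and an answer that matches a fact already public on a profile page.  The word list, site names and the "Austin" profile fact are constructed for illustration; in practice the store belongs in a password manager rather than a plain JSON file.

```python
"""Per-site security-question answers: generate, track and audit (added example)."""
import json
import secrets
from pathlib import Path

# Constructed short word list (assumption). A real deployment would use a much
# larger list, or simply let a password manager generate the answer.
WORDS = ["harbor", "quartz", "violin", "meadow", "copper", "falcon",
         "lantern", "saddle", "ember", "tundra", "walnut", "orchid"]


def normalize(answer: str) -> str:
    """Most sites compare answers case- and whitespace-insensitively; do the same."""
    return " ".join(answer.lower().split())


def make_answer(n_words: int = 3) -> str:
    """Build a random answer such as 'copper falcon tundra'.

    secrets.choice is a CSPRNG, so unlike a real city of birth the answer
    cannot be derived from anything published about the user.
    """
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


def record_answer(store: dict, site: str, question: str, answer: str) -> dict:
    """Remember which answer was used for which question on which site."""
    store.setdefault(site, {})[question] = answer
    return store


def lookup(store: dict, site: str, question: str):
    return store.get(site, {}).get(question)


def verify_answer(store: dict, site: str, question: str, candidate: str) -> bool:
    """True when the candidate matches the recorded answer after normalisation."""
    expected = lookup(store, site, question)
    return expected is not None and normalize(candidate) == normalize(expected)


def reused_elsewhere(store: dict, site: str, answer: str) -> list:
    """Other sites already using this answer; reuse lets one breach unlock the rest."""
    wanted = normalize(answer)
    return sorted(other for other, qs in store.items()
                  if other != site and any(normalize(a) == wanted for a in qs.values()))


def derivable_from_public_profile(store: dict, public_facts) -> list:
    """(site, question) pairs whose answer equals something already public about the user."""
    facts = {normalize(f) for f in public_facts}
    return [(site, q) for site, qs in store.items()
            for q, a in qs.items() if normalize(a) in facts]


def save_store(store: dict, path) -> None:
    Path(path).write_text(json.dumps(store, indent=2))


def load_store(path) -> dict:
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    store = {}
    public_facts = ["Austin"]  # constructed: the real city of birth is on a social profile
    record_answer(store, "bank.example", "City of birth?", "Austin")       # weak: public fact
    record_answer(store, "shop.example", "City of birth?", make_answer())  # strong: random
    print(derivable_from_public_profile(store, public_facts))  # [('bank.example', 'City of birth?')]
```

The reuse and public-profile checks are the part worth keeping: they are exactly the two conditions under which a fake answer stops protecting you.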

On the downside of captured data, recognize that at some point, some of your data will be taken hostage or withheld.  Work on your plan to respond to that.  Demand that your merchants and providers demonstrate that they meet or exceed industry standards and are protecting your data.  In that vein, remember to not volunteer information unnecessarily.  One example in that area is that most healthcare providers ask for your social security number when you start as a patient.  I always decline to supply that and I have never lost the opportunity to use a healthcare provider that I wanted to use.

I believe that it pays to pay close attention to your credit reports and related activity.  The sooner you notice anomalous activity, the easier it will be for you to prevent further damage and repair what has happened.

Go have fun on the internet and let’s be safe and aware out there!

Image Credit: garethjmsaunders


ConSec ’12 Recap

Earlier this month, I attended ConSec ’12 Consumerization of IT – Are You Keeping Pace? in Austin, TX.  This year marks the tenth bi-annual gathering and it was a three-day event that offered attendees a choice of one of four optional workshops followed by two full days of sessions in three tracks.  This regional conference targets attendees from Texas and the four surrounding states.  Vendors were clearly visible in the exhibit area.  What makes this conference unique, and helps it keep succeeding, is how it is hosted.  Volunteers from four organizations act as planners, schedulers, marketers, logistics experts and hosts.

Without a third-party conference facilitator, this environment creates a level of intimacy and trust that does not exist in all conferences because you know that practitioners are doing everything for the conference. The focus of the attendees is around security, compliance or business continuity and that trust is important to them.

The organizations involved here are the Capitol of Texas Chapter of the Information Systems Security Association (ISSA), the Austin Chapter of the Information Systems Audit and Control Association (ISACA), the State of Texas Department of Information Resources (DIR), and the Capital of Texas Chapter of the Association of Contingency Planners (ACP).

For the workshop day, each of the hosting organizations facilitated a Bring Your Own Device (BYOD), all-day workshop.  The four workshops were well attended by a specialized subset of the attendees for the remainder of the conference.

For the two days of the conference, three tracks were established, each focusing on Information Security, Business Continuity Planning or IT Auditing.  Attendees registered for the sessions that they wanted to attend but were not limited to stay within any given track.  Four general sessions were spread out over the two days, with internationally known speakers for each and 21 specialty breakout sessions were offered in the three tracks.  The conference concluded with a final general session that was associated with yet another organization, the InfraGard Central Texas Chapter.

I picked up great and fresh information on the risks around BYOD, how to deal with the fear of BYOD destroying the enterprise, security and privacy in the mobile world and remembering that it is still most important to protect the data appropriately. I had the privilege of co-facilitating the Information Security workshop and presenting a session dealing with Security and Compliance in the Cloud. In addition to delivering content to the attendees, I was also an avid attendee and learned a lot during the sessions that I joined.

The key take-away from this conference is that you can find great value in a regional conference. The long-term benefit from encounters such as this, with multiple volunteer organizations, is the trust that you can develop with organizations and people. When your job is providing compliance or security to your clients and partners, you need to be able to depend on your trust network. The force multiplier for the value can come from having diverse organizations work together on offering a quality deliverable for a common purpose.


Where Are You on HIPAA Compliance?

Healthcare information and the push to adopt Electronic Health Records by 2014 can be very intimidating.  The Medicare and Medicaid programs provide incentives to eligible professionals, hospitals and critical access hospitals as they adopt, implement, upgrade or demonstrate meaningful use of certified Electronic Health Record (EHR) technology.  For many healthcare professionals, this is a daunting and scary proposal.  Firstly, it can change the way a practice is conducted.  Secondly, the cloud or internet can be a very confusing place.  The prevailing notion of the cloud is that it is an unsafe place over which you, as a user, have no control.

THIS DOES NOT HAVE TO BE TRUE!

Healthcare software companies can help professionals and hospitals through this.  Find a solution provider that can deliver the services that you need, not simply the one that they want to sell to you.  As with any industry where privacy and security are paramount, you should insist that within a cloud-based, multi-tenant service, you have all of the transparency that you want for:

  • Control of your systems and data
  • Integrity of your systems and data
  • Availability of your systems and data

This can be delivered in a variety of ways but all must be verifiable and compliant.  While the concept of compartmentalization might be new to some, the defense and government industries have been using it for years.  Simply put, this means that data are placed in classification buckets or compartments, and people, by virtue of their background and job function, are granted access only to the compartments they need.  Just as important, this concept ensures that those with no need to access a certain compartment do not have access to it.
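The compartment model described above can be written down as a small access-control check, which also makes it testable and auditable.  The following is an added example and is not code from the original post or from any Layered Tech product: each subject carries a clearance (a sensitivity level plus a set of compartments) and a tenant, each record carries a label and a tenant, and a read is allowed only when the tenant matches, the subject's level is at least the record's level, and every compartment on the record is in the subject's clearance.  Having a higher level does not substitute for need-to-know, so a clinician cleared for PHI in cardiology still cannot read oncology records.  The levels, compartments, tenants and people are constructed for illustration; the tenant check is the multi-tenant cloud angle the post raises.

```python
"""Compartmentalised, need-to-know access check with an audit trail (added example)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

# Ordered sensitivity levels (constructed for this example).
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "PHI": 2}


@dataclass(frozen=True)
class Label:
    """A sensitivity level plus the compartments (need-to-know categories) that apply."""
    level: str
    compartments: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Subject:
    name: str
    tenant: str
    clearance: Label


@dataclass(frozen=True)
class Record:
    record_id: str
    tenant: str
    label: Label


AuditEntry = Tuple[str, str, str, str]  # (subject, record, decision, reasons)


def check_read(subject: Subject, record: Record, audit: List[AuditEntry]) -> bool:
    """Deny by default: every reason for refusal is collected and written to the audit trail."""
    reasons = []
    if subject.tenant != record.tenant:
        reasons.append("tenant mismatch")
    if LEVELS[subject.clearance.level] < LEVELS[record.label.level]:
        reasons.append("insufficient level")
    missing = record.label.compartments - subject.clearance.compartments
    if missing:
        reasons.append("missing compartments: " + ", ".join(sorted(missing)))
    allowed = not reasons
    audit.append((subject.name, record.record_id, "ALLOW" if allowed else "DENY", "; ".join(reasons)))
    return allowed


def run_demo() -> Tuple[dict, List[AuditEntry]]:
    """Constructed tenants, people and records; returns decisions keyed by (subject, record)."""
    nurse = Subject("nurse", "clinic-a", Label("PHI", frozenset({"cardiology"})))
    clerk = Subject("clerk", "clinic-a", Label("INTERNAL", frozenset({"billing"})))
    admin_b = Subject("admin-b", "clinic-b", Label("PHI", frozenset({"cardiology", "oncology"})))

    cardio_chart = Record("chart-101", "clinic-a", Label("PHI", frozenset({"cardiology"})))
    invoice = Record("inv-7", "clinic-a", Label("INTERNAL", frozenset({"billing"})))
    onco_chart = Record("chart-202", "clinic-a", Label("PHI", frozenset({"oncology"})))

    audit: List[AuditEntry] = []
    decisions = {}
    for subj in (nurse, clerk, admin_b):
        for rec in (cardio_chart, invoice, onco_chart):
            decisions[(subj.name, rec.record_id)] = check_read(subj, rec, audit)
    return decisions, audit


if __name__ == "__main__":
    _, trail = run_demo()
    for entry in trail:
        print(entry)
```

The audit entries carry the reason for every denial, which is what an assessor asks for when you claim that people outside a compartment cannot reach it.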

As you determine how you are to adopt EHR, keep these values at top of mind.  When these criteria are met and your business objectives are achieved, you will be sitting pretty in the HIPAA, HITECH and EHR world.

Image credit: The National Guard


Inherent Trust in the Cloud – ISACA Update

I attended the ISACA Silicon Valley chapter 2012 Summer Conference, Enabling Trust: Business in the Cloud, on August 23rd and 24th.  Some of the organizations presenting included Qualys, SurveyMonkey, EMC Consulting, StrongAuth, Allgress, PwC, Apollo Group, iStreet Solutions, Check Point Software Technologies and Layered Tech.

Along with some lively panel discussions, the conference offered an eclectic mix of speakers from different points and perspectives within the cloud.  Layered Tech was privileged to be the only Infrastructure as a Service (IaaS) provider presenting and that allowed me to offer the view of the cloud as a framework that can have inherent trust along with appropriate controls.  This was the first presentation that I delivered where a majority of the attendees acknowledged using the cloud – all but one, in fact.  This indicates that more of us are recognizing that the cloud is here and now our job is to better identify the components and how they interrelate.  We may be at or near the tipping point of recognition of cloud computing as a valid means to leverage virtualization and the economies of scale.

I was interested to hear, through much of the conference, that some still consider the only options to be Public Cloud vs. on-premise facilities.  With the offerings of compliance and security-centric providers and the use of strong security tools, many of which were discussed by the presenters, we can demonstrate that hybrid and community clouds have a role to play among the cloud options and can be made as secure as, if not more secure than, many traditional on-premise facilities.

I will be presenting more extensions of these views at ConSec ’12 – Consumerization of Enterprise IT – Are You Keeping Pace? on September 17-19 in Austin, TX.  I hope to see you there.
