Internet Theft and the Holidays

As many of you know, when I am not protecting people and their businesses, I’m often out taking pictures. My camera of choice has been the Nikon d300, which is over five years old now. As with all technology, when cameras age, they become increasingly unreliable, and it became apparent over a year ago that my camera was experiencing legacy issues. The weather protection was weakening, the sensor was starting to fail and the batteries were draining faster and faster. If I am going to practice what I preach, it was time to ruthlessly eradicate legacy.

“Ruthlessly eradicate legacy” is one of my mantras when it comes to infrastructure management. Older systems take a surprising amount of resources to maintain and use. Modern technology is easier to update, cheaper to operate and easier for people to use. It also has modern features that can drastically improve capabilities. With servers, this means retiring everything that no longer gets security updates (Windows 2000, for example). With cameras, it means it is time to say goodbye to my old friend and look at other options.

This is not a camera post, however, so I’ll cut short the decision process and say that I settled on a d800 or d800E. For my purposes, there are no differences, so I went out looking for a good deal. After all, Black Friday is coming and now is the time to look for electronics. This, however, is where the story gets interesting.

In doing my research, there were indications that while camera accessories go on sale periodically, the high-end camera bodies and lenses I like only drop in price when a successor comes out. This means I’m stuck at the high end unless I buy used. Moreover, in the Nikon world, warranty is a huge factor and is significantly reduced when you buy used, so it only makes sense to look at that option if you are going to save over 20% off the purchase price.

Which is why, when I found a d800E on Amazon, I got a little excited. In fact, I got a little too excited. I almost got scammed.

The list price on a new d800E is $3,299.99 (which is why my d300 got to be five years old before I considered a replacement), but this camera listed on Amazon.com was just $1,836.73. 56% off is clearly a better deal than 20% … but the deal is a little too good. In fact, it’s so good that a lot of people are going to leap on the deal, so I had to move fast.

Or did I?

See, the deal was too good. I got suspicious. Luckily, the seller had a note in their little logo icon that said to email with questions, so I did… not before I did a bit of research, though.


Even Superheroes Need Their Tools

Today is a sad, and dangerous day. As you may have heard, Hostess is looking to go out of business. While it is likely that some of their bigger brands (Twinkie, Wonder Bread) will live on, it is the end of an era. While I never personally consumed much of their product line, as my mother would not let me (You can’t have a Twinkie, here’s an apple), I mourn with the rest of my generation over the loss.

However, unlike the mainstream news media, I am also deeply concerned about the fate of others in the wake of this decision … specifically due to the lack of Hostess Fruit Pies!

See, I remember when The Flash used them to save the city from the Bureauc-Rat. They were an essential tool for Captain America in preventing alien invasion. Aquaman used them to stop a shark invasion. Iron Man’s technology alone wasn’t enough to foil a bank robbery. And Spider-man used them to prevent the destruction of homes. In fact, there have been over 200 times that Hostess has helped save people.

Without this powerful tool, how will we ever survive?

Fortunately, most of our super heroes have contingency plans. DC heroes team up to become the Justice League to solve big problems. Marvel heroes team up to form the Avengers, first fighting among each other and then solving problems. Even the independents work up a good crossover now and then when they have to.

The question is, do you?

In IT in general and in Security in particular, we are highly dependent on a complex web of relationships and dependencies. This can be as simple as needing Microsoft to release their patches so we can protect ourselves. (Which you should do, as this month’s fixed some important issues.) Or it can be as complex as having systems dependent on Dell’s management appliances which are dependent on third party technologies.

Do you know which technologies you are dependent upon? How would you react to their sudden unavailability or to a problem in their supply chain? Do you have a contingency plan or will you have to figure things out in the moment?

Sadly, most people I talk to are in the latter category.

When you choose your vendors, it’s not enough to know if they can do the job today. You also have to know if they’ll be there for you tomorrow, and to have a plan in case they’re not. All too often, I see companies waste far too much time assessing vendors based on the “ideal” technology and no time at all looking at how it integrates into operations and how loosely coupled it is to their other systems.

I’m constantly visiting companies with networks that employ expensive technologies that don’t meet my clients’ needs, while cheaper and better technologies remain unused. This isn’t just annoying; it is potentially catastrophic to the business. For a case study, look at Hostess. Specifically, look at the strike document. In 2009, technology was not refreshed, which helped to put them into the position they’re in today. Granted, they had other problems. However, whether we’re talking flow improvement like Document Management or monitoring and control like anti-malware, UTMs or DLP, technology serves as a multiplier.

If you choose the wrong technology, it will multiply your problems. If you don’t choose the right technology, the firms that do will multiply their profit and leave you in the dust.

When most people hear that we do assessments, they think vulnerability scans and penetration tests. And yes, we do those. However, most of our clients find a lot more value in our vendor assessments, disaster recovery assessments and strategy assessments. These focus on security AND the business. After all, security means nothing without a business to protect.

If Hostess had learned that lesson in their first restructuring attempt, perhaps they’d have lasted longer and a contingency plan of liquidating the entire company would have stayed … a contingency plan. As for me, I’m going to take a long lunch and stock up on fruit pies. After all, you never know when Spider-man might come-a-calling.

And if you haven’t downloaded our very own RJS Smart Security comic book yet, click here!

Controlling the Security Story

This is a hard article to read. For those that don’t want to read hate speech, I will briefly summarize.

On Tuesday, November 6th, the United States of America held a vote, the results of which upset a few people. Many of these people chose to express their feelings online, and were documented doing so. Because many of the individuals involved took no efforts to hide their identities, some of them were traced. Then, in a move that surprises me, Jezebel’s reporters started contacting schools to find out if the schools were aware of the situation and how they were dealing with it.

In most cases, the schools cited policies of not releasing information about minors… which I can’t fault. However, the hidden gem was Dr. Rick Brooks of Jackson Christian School, who said:

Addison’s words clearly do not reflect the values that we espouse and teach at Jackson Christian School, and are not representative of our broader school community. As such, we have visited with him about his actions and his attitude, and have disciplined him accordingly. As is our school policy, we will not share information about specific discipline cases.

Though we find Addison’s action and words deplorable, we hope that our continued encouragement and teaching will help him further avoid the mistakes of youth, and will help him to mature as a young man. I hope that you will be able to look beyond what he has done, and toward the man that he can and will become from this unfortunate learning experience.

And that, I think, is worth discussion.

People make mistakes. People grow and change. As adults, one of our social tasks is to help the young turn into people we can later respect. As employers and employees, we like to think we’re here to make money, but if that were the case, the world would be nothing but multi-level marketing. No, we need more. For many of us, we need to help others and tell stories. We love stories. In fact, the more business owners I work with, the more I find who are in business to help others … be it their customers or the employees.

Hate speech is one form of story-telling. Reporting is another.

But wait, isn’t this a security blog?

If we want to make money, we have to tell a story that’s good enough to get people to let us help them. If what we care about is helping others, we have to know when they need to be helped. If what we care about is stories, we have to know which stories are being told. Fundamentally, we have to know what’s going on.

It seems reasonable that most of these schools learned about what their students were saying after the first article was published. Basically, they learned the story that others were telling about them. They did not get to influence the narrative and were stuck in a reactive mode. Some did better than others, but if they had been listening to what others were saying, odds are the speech would have been addressed before the election.

And that is where DLP comes in. It’s marketed as Data Loss Prevention, but that’s not what it is. DLP is a story tool. It helps you identify what sorts of information exists on your network and lets you know when it leaves. It’s traditionally used for boring stuff like keeping social security and credit card numbers off the internet (sarcasm). However, like most security technologies, it can be used creatively. In this case, monitoring for a few keywords would have let the schools know quickly what students were saying (at least from the school networks). When running in non-blocking mode, it can collect data, so you can easily identify people that need improvement.
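To make the blocking versus non-blocking distinction concrete, here is an added Python example (not from the original post or any DLP product): a toy DLP monitor with keyword and pattern rules run over constructed outbound traffic. The sample messages, sender names, keyword list and rule names are all assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of outbound messages (sender, destination, text) as a DLP
# sensor at the network edge might see them. Every value here is made up.
SAMPLE_TRAFFIC = [
    ("student17", "social.example", "posting my ssn 123-45-6789 lol"),
    ("student42", "social.example", "this election result is a disgrace"),
    ("student42", "forum.example", "we should protest the election"),
    ("staff03", "mail.example", "card 4111 1111 1111 1111 for the PO"),
    ("student17", "mail.example", "homework due friday"),
]

# Hypothetical policy: a few watch-list keywords plus the classic SSN and
# payment-card patterns the post mentions.
KEYWORDS = {"election", "protest"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on card-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return the set of rule names that fire on one message."""
    hits = set()
    low = text.lower()
    for kw in KEYWORDS:
        if re.search(rf"\b{re.escape(kw)}\b", low):
            hits.add("keyword:" + kw)
    if SSN_RE.search(text):
        hits.add("pattern:ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.add("pattern:card")
    return hits

def run_dlp(traffic, blocking=False):
    """Return (allowed_messages, per-sender report). In blocking mode any hit
    drops the message; in non-blocking mode everything passes but every hit is
    still recorded, which is the 'collect data, then coach people' mode."""
    allowed, report = [], defaultdict(Counter)
    for sender, dest, text in traffic:
        hits = classify(text)
        for h in hits:
            report[sender][h] += 1
        if hits and blocking:
            continue
        allowed.append((sender, dest, text))
    return allowed, dict(report)
```

The report dictionary is the part the post cares about: in non-blocking mode it tells you who is saying what (and how often) without touching the traffic, while blocking mode would have silently dropped four of the five messages.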

Similar internet-facing technologies can scan specific websites on a periodic basis to report the stories being told about you. This can help you identify the narratives and take corrective action for People, Processes and Technology before the story spins out of control and you’re stuck with no option but reaction.

Security technology is all too often viewed as “blocking” or prescriptive. When used properly, security technology enables the business. It helps you learn more and learn faster. This gives you control of your business, so you don’t have to keep finding your way in a world of constant attacks and errors.

Filed under: Security News