Patience

Being friendly and approachable will have an impact on all qualities of a great cybersecurity consultant. It is something that Wendy Nather, from Duo Security, calls being a “master of social engineering”. Our space is unique. Not many roles work across every line of the organization like cybersecurity. You need to have patience and tact to work across diverse organizational teams. Get to know how all the pieces of the puzzle fit. Entrench yourself and lean how the organization works; that is the first order of business. I make an effort to schedule time with the leadership to learn about their pain points regarding my task. It is amazing how much you will learn in 15 minute blocks by doing this. 

 

Most importantly in all of this, you need to understand that change in any organization is not an overnight story. It takes many years to make visible and long lasting changes to a company culture. A consultant needs to consider this in their advice and deliverables. Strong, clear paths need to be set so that your client can be the nexus for the change you are proposing. Why? Because if the leader of change gives up, sure enough the rest will follow.

Ability to Align Security with Business, no, Mission Goals

Good cybersecurity consultants will help their client align their programs and projects with the mission of the organization, understand how to communicate with leadership, who after all own the risk, in ways that are culturally aware, and enable those leaders to make effective decisions.

A very important facet of being a top-notch cybersecurity resource is to remember that you can create a system so super secure it would be unbreakable and un-hackable and information could not escape. However, this system is probably going to impede mission success. After all, an organization needs information to flow. A great cybersecurity consultant will always balance between what is good security and what is good for mission success.

Businesses, above all, are about creating wealth through products and services. Public sector organizations focus around mandates and missions. It does not matter what sort of organization you are working within, but if you cannot look at the bigger picture and align their objectives to the overall goals and mission, you will be set to fail. An important factor in all of this is the culture, especially if processes need to change. Who do you engage? Who will be affected? Other people will be a part of the decision-making process and that mean you need to be approachable and friendly – there it is again.

The Dichotomy of Cybersecurity

A great Cybersecurity consultant is a highly sought after resource. Not just because there is currently a huge gap in available resources, but also because the role combines great technical skill with great management and a terrific personality. Finding someone with such all-round skills that can also fit into the organizational culture is like finding a needle in a haystack.

Certainly, anyone can appreciate why great tech and management skills are important, but in cybersecurity roles, I have found that you have to be very fluid. You have to understand the technical, as well as, the management goals. That is where your personality comes into play. Being friendly and approachable will mean getting some odd questions, but it will also mean that when something big happens, folks will not be afraid to come to you with it.

I have almost 40 years’ experience now in Intelligence and Cybersecurity roles, with the traditional long CV that goes with IT positions. The number one challenge in those roles is being able to be an interpreter. Any solid cybersecurity resource should be able to take the technical jargon and translate it into language that your leadership will understand to make the risk decisions you are looking for.

Fortunately, I have developed a risk model that will create that bridge right from the start of any initiative and have tested it on small and significantly large projects. It works and makes the perceived burden of progress reporting, begging for money to make further progress, ensuring cybersecurity goals are met and having to explain why if they haven’t that much less complicated.

With these skills, you can build trust with your leadership over time and that can turn into more honest, open and frank collaboration on future strategies, suggestions and requests. I will be back another time to write about the qualities you should want in a good cybersecurity consultant, but if you are that eager, get in touch now.

Cybersecurity Awareness Month

Remember, October is Cybersecurity Awareness month. With kids back to school it’s a great time to teach them how to deal with the negative aspects of being connected online. Parents and teachers alike share the responsibility to educate them how to be good cyber citizens. Also, don’t forget the seniors in your life; they’re even a larger target. I’m always available to answer questions or go to your location to provide education.

There’s great resources out there: https://staysafeonline.org/ncsam/about-ncsam/

 

 

Can We Talk?

Note: I published this piece several years ago. I’d certainly like to understand if anything has changed for the better in this regard.

An effective Information Sharing mechanism boils down to trust.

Like most, I have had the pleasure to meet people working the security industry across this country through number venues. Like many affiliations these days, while we only get to see each other at a conference or marketing even once in a while, we are typically connected virtually through discussion boards and close knit forums, which give us the opportunity to continue broad and specific discussions at our leisure.

Over time you get a good sense about the people you deal with on a day to day basis. Familiarity flourishes, giving you the latitude to establish trust in the people you are engaging. Trust is the foundation of any successful Information Sharing paradigm. Any effort to initiate a program for sharing information in and around Information security is doomed to failure unless it is initiated by and with people who have already established professional or personal relationships and trust each other.

There are two core facets to trust; first you have to be willing to receive and accept information and secondly you have to be prepared to share true and accurate information. This shouldn’t be too difficult in an industry that is inundated with codes of ethics, security clearances and the like. Do anything to set the precedent that you are untrustworthy and the matrix will become unraveled.

Why has it been so difficult, then, for the Government of Canada to initiate an information sharing program around Critical Infrastructure? Lack of trust.

Participants inside and outside the Government don’t trust each other. Internally, basic human instincts are dictating how people decide to engage each other interdepartmentally. A number of Government stakeholders are competing with each other with regard to the mandate. Careerism also takes its toll on the evolution. External participants will not share information due to the fact that the Department with the mandate has introduced clauses in their legislation that will not protect the proprietary information of the participants from disclosure. What kind of trust model is that? Is it unreasonable to be reticent if the security of the proprietary information of your company is subject to a simple Access to Information Request?

There are some models for this kind of collaboration that have been successful for a long time. I refer to the ITAC Cyber Security Forum, an industry-government policy roundtable that has been meeting at least quarterly since 2000. A great deal has been achieved by that group and they are a good example of thought leadership and information sharing. It is an excellent example for other likeminded groups. The collaboration that goes on around International certification providers, like that of the CISSP program at www.ISC2.org is another good example. While it’s not Canadian, the participants certainly put a Canadian identity to their contributions. Other virtual collaborative groups, such as the forum sponsored by Winnipeg’s Dan Swanson has Global reach in the Audit and Security spaces where there is no discernable cultural differentiation.

Associations like the Information Systems Security Assoc. (ISSA), Armed Forces Communications & Electronics Assoc (AFCEA), and the Federal Assoc. of Security Officials (FASO) all have the ability to drive this agenda. However due to the fact that they are regionalized and do not have the mechanisms in place to easily push a National agenda with cooperation between all the facets of Critical Infrastructure perhaps makes them ill-suited for the task.

The Crown has taken the opportunity to listen to the successes of other government bodies within the “trusted” community. They solicited advice from subject matter experts in Canada and abroad to listen and share their views on what would work best. There was discussion around the need for proper information management and categorization in the private sector, security clearances and the like that would facilitate a higher trust level.

Perhaps the truly workable solution is not one hosted or moderated by the Government. There are many public companies with the expertise and who share the Crowns concern that we need a better grasp of the security threats to Canada’s critical infrastructure. Many of these organizations are already set to participate, given they assisted the Crown stakeholders in the evolution that is Critical Infrastructure Protection in this Country. However, the Government of Canada should take a long hard look at what works. Perhaps a public/private/partnership will elicit the necessary mechanisms to make cross-sector information sharing, in the form of the US Information Sharing Analysis Centers or Infraguard possible.

It will take some investment, but anything is better than waiting another seven years for this part of a mandate to unfold.

Texting can be Dangerous to your Relationship!

We all lead busy lives. Many of us are, or have been, in relationships with partners with whom we don’t live in the same household. With that in mind, like any form of communication, texting has become a preferred means of communication. However, it can also creates problems in a relationship.

Although texting is a convenient technology and it’s usually faster and easier to send a text than to make a telephone call. It also affords some additional privacy, if you’re not in a position to make a call, depending on the subject matter of the conversation. However, you’re not getting the context of what’s going on at the other end–and that can create miscommunication.

Over the phone, you can tell how the person feels, through their tone, a pause, whether they are laughing or crying. With texting, you get none of that and it’s impossible to know how your significant other is reacting to what you’re saying on an emotional level.

Text messages can easily be misunderstood. It’s happened to me and I was astounded at how upset I got when I received a series of text and think it means something, but my partner meant something totally different.

Often fights and arguments ensue because of misinterpretation of text messages. It’s impossible to tell the difference between emotions like anger, sadness, sarcasm, sincerity within a text message. A person might be joking with their partner, and he or she interprets it as their partner being angry. Then texts or rather lengthy calls have to be exchanged to unravel the miscommunication.

The irony is that we see texting is a fast way to communicate, but when it leads to a misunderstanding in our relationships, it can take hours to undo the damage.

Another problem is while texting during an argument, continuing to text when a text message has created an argument.

In the middle of an argument, you can end up sending dozens of texts rather than doing the sensible thing and picking up the phone or meeting in person. Trying to resolve by text is easy to do, because it’s normal to be hopeful that you can clear it up in the next text, but it usually isn’t! You can end up spending hours texting back and forth when they should really just pick up the phone or meet in person.

The last thing you want to do is communicate by text in the middle of an argument. Just one bad misunderstanding coupled with intense emotions can lead to irreparable damage to a relationship.

Also, leveraging text messages to avoid conflict can also be concerning. I can appreciate that sometimes people are afraid to talk to their partner on the phone or meet in person when their partner is angry, because they think that will make things escalate, but texting often makes things worse.

The other problem with texting is expectations that a person’s significant other–or even someone they’re casually dating–will respond immediately to their text.

Now the expectation is that is that we’re supposed to be available 24-7 to our significant others, and respond immediately to their text messages. People get angry or think their partner is upset with them when a text isn’t returned promptly. ‘You didn’t respond to my text until an hour later!’ But we are not always available.

This is compounded by the unreliability of the technology, and the occasional text that doesn’t arrive until a couple hours later. There are some couples that like to stay in touch during the workday, but when there’s a delay in responding it creates conflict.

Some good advice is to not text at all unless it is a short positive message that can create bonding. Instead at some point during the day pick up the phone and say ‘hello.’ For extremely emotionally charged topics, it would probably be best to not text at all. It’s amazing how that alone can restore some stability.

I’m sure people have broken up over text messages, but it takes two to tango. If your significant other wants to text about important issues in your relationship, you can say ‘sounds important, let’s talk about it tonight, I don’t feel comfortable discussing this via text.’ Think before you text.”

Ontarians are at risk and we don’t know how!

Up to four Million of us in Ontario could have had our identities stolen and we still don’t know exactly what that data comprised. It’s about time that Departments and Ministries were held accountable by the public. Some finger pointing by Ann Cavoukian simply isn’t enough! Oh, by the way, if you live in the Ottawa South Riding, as I do, you’re impacted! The very least the Province should be doing is providing potentially impacted constituents with identity theft insurance to mitigate the risk they created!

http://www.itbusiness.ca/it/client/en/home/News.asp?id=68433

City of Ottawa Pension Breach – Poor Contracts? Say it ain’t so!

There’s been a great deal of chatter around the recent City of Ottawa pension fund data breach.

The City hired Towers Watson to conduct a fund review and, while in the process of transferring the data, unencrypted I might add, to a new computer system, they discovered the hard drive was missing from a safe.

The identifying information of approximately 800 former City of Ottawa staff, including police officers, firefighters and their beneficiaries were impacted. Not a huge disclosure for anyone who keeps up on such incidents, but significant to the 800 former City employees who had their names, birthdates, social insurance numbers and pension amounts lost.

Now while Towers Watson has done its due diligence and sent letters indicating they will compensate these pensioners with a credit monitoring service, it is seemingly stalling until September to provide an update. This event occurred in May; six full months is required to investigate?

It’s important to understand that this breach did not occur in Canada. I know, we all like to think our private information is stored, in a secure fashion, within our own borders, but that was not the case for this group of 800, or for many other Canadians either.

The hard drive in question was being stored in the Philippines.

Again, the chatter in the security community is rife with the normal discussion around contract details and clauses that protect the client from these incidents, and so on. I have seen, read, written, counter proposed and laughed at 1000’s of these contracts over the years and one thing they fail to protect us from is insider abuse.

Having a mitigation plan, or a compensatory set of clauses in the event of an incident might help the two parties (the City and Towers Watson in this case) sleep better at night, but I bet the 800 impacted pensioners aren’t sleeping so well right now. Not with the worry of identity and possibly pension theft to mull over.

Some have indicated that in this age of evolving openness, transparency and the “age of networked intelligence”, that the important aspect is the need for “accountability”.

To a certain extent, that mantra is correct, but I would suggest that the City is fully accountable. They were the ones who decided to sign off on a contract with a vendor who has let this Personally Identifiable Information go across, not only the Canadian and US borders, but to the Philippines.

What verification and due diligence was there to ensure that the resources in the Philippines were trustworthy? All this rhetoric around open Internet is one of the base causes for breaches of PII in the first place. I’ve always stood my ground on the concept of keeping the data in Country when and if you can. There is absolutely no reason why the City of Ottawa could not have found this service in Canada. If they could not, the data could have been kept in Canada.

For the sake of argument though, if they had no other choice but to go outside the country, the due diligence from a privacy and security perspective should have been commensurate with the sensitivity of the data, as should have the mitigation plan and contract details. That said, we all know how poorly the City of Ottawa writes contracts! As a CISM for a Canadian Financial Firm, I face these challenges daily and I am sick of the spun stories, clauses and promises to keep data safe, only to see a meteoric rise in breaches!

Here is a link to the US government news release yesterday announcing US participation in the Asia-Pacific Economic Council’s cross-border privacy-rules system:  http://www.commerce.gov/news/press-releases/2012/07/26/acting-us-commerce-secretary-rebecca-blank-announces-us-participation. I wonder how this stacks up against the Canada-US border deal that was the subject of news stories a few weeks ago, for example this one, titled “Border privacy pact puts personal info at risk, says privacy watchdog”:  http://www.vancouversun.com/news/Border privacy pact puts personal info risk says privacy watchdog/6863413/story.html. The immediate subject of that concern is the “Border Action Plan: Joint Statement of Privacy Principles”, as announced in a Public Safety Canada news release at: http://www.publicsafety.gc.ca/media/nr/2012/nr20120628-2-eng.aspx.

These efforts outline a set of privacy principles, which of course translate into security controls, that are intent of committing to protecting privacy and ensuring safeguards are in place. There are a dozen of them, all grand to read and give me that warm and fuzzy feeling I need to help me sleep at night.

However, the devil is in the details. While the Governments of Canada and US may consider this a step forward to helping the economic flow, here in Canada I’d suggest we get our legislative ducks in line and provide some additional oversight and prescriptive controls to ensure that Canadian infrastructure, critical or otherwise, enables itself to participate in such grand partnerships.

Then, when it comes time to prepare and review contracts, they will be solid enough for the ink. Moreover, 800 pensioners wouldn’t have to worry about their future!

Time to Change your LinkedIn Password

While LinkedIn indicates that it is still investigating,  I can attest from even more reliable sources, that anyone using LinkedIn should immediately change their password. They have suffered a breach of over 6 Million accounts. Here is my experience yesterday, where my Gmail account is noted on my LinkedIn profile, attempts were made against that account yesterday, resulting in Google forcing a password change (they monitor for account breaches). I don’t believe in coincidences, so that password was changed as well.

One particular piece of advice, NEVER use the same password for multiple accounts!!! I cannot repeat that enough, especially for cloud based services; NEVER!!

From LinkedIn, one of the best ways to protect your privacy and security online is to craft a strong password, to change it frequently (at least once a quarter or every few months) and to not use the same password on multiple sites. Use this as an opportunity to review all of your account settings on LinkedIn and on other sites too. Remember, no matter what website you’re on, it’s important for you to make sure that you protect your account security and privacy.

Here are some account security and privacy best practices that we recommend for our members:

Changing Your Password:

• Never change your password by following a link in an email that you did not request, since those links might be compromised and redirect you to the wrong place.
• You can change your password from the LinkedIn Settings page.
• If you don’t remember your password, you can get password help by clicking on the Forgot password? link on the Sign in page.
• In order for passwords to be effective, you should aim to update your online account passwords every few months or at least once a quarter.

Creating a Strong Password:

• Variety – Don’t use the same password on all the sites you visit.
• Don’t use a word from the dictionary.
• Length – Select strong passwords that can’t easily be guessed with 10 or more characters.
• Think of a meaningful phrase, song or quote and turn it into a complex password using the first letter of each word.
• Complexity – Randomly add capital letters, punctuation or symbols.
• Substitute numbers for letters that look similar (for example, substitute “0″ for “o” or “3″ for “E”.
• Never give your password to others or write it down.

A few other account security and privacy best practices to keep in mind are:

• Sign out of your account after you use a publicly shared computer.
• Manage your account information and privacy settings from the Profile and Account sections of your Settings page.
• Keep your antivirus software up to date.
• Don’t put your email address, address or phone number in your profile’s Summary.
• Only connect to people you know and trust.
• Report any privacy issues to Customer Service.

Medical Device Security Trends

In Canada, the following article (two sources noted below) makes me reflect about where exactly is the demarcation point between the integrators responsibility to integrate a security and private Electronic Medical Record solution and the physician’s responsibility and accountability for the security and privacy of the information they process on a day to day basis.

I’ve long observed that doctors are often irritated with the myriad of privacy and security consideration that IT solutions bring into their practices. However, in making the decision to adopt an EMR solution, you frankly have no choice. To point the finger at your vendor and suggest that they are responsible end to end simply won’t work. Docs have to enforce their  share regarding the people, process and technology within their practice, otherwise security and privacy incidents affecting patient data will continue.

Ensure you have a solid security and privacy policy, Ensure you educate and inform you staff about it. Ensure you have hard disk encryption on any storage device you use to manage patient data. Don’t use personal web-mail addresses and the like, Think about two-factor authentication, etc. The list goes on.

Doctors, take a long look and have a hard think about the risks you assume when you use a smartphone, like an iPhone or Android just because of the cool medical apps. Think twice about using it or an iPad for processing practice or patient data, as they have no real inherent security mechanisms. If you intend on using them, look at solutions like Mobile Active Defense, to provide the secure means to properly leverage these assets in your practice.

https://www.infosecisland.com/blogview/11439-Medical-Device-Security-Trends.html?sms_ss=linkedin&at_xt=4d522413a31748fa%2C0 or,

http://www.software.co.il/wordpress/2011/01/medical-device-security-trends/