More Content - Including Podcasts

Friday, December 16, 2011

Hacking Motivations - Where Following the Money is Going

Was a time, way back when I first got into IT, that the primary motivation for hacking was notoriety, infamy, and the occasional retribution for public flaming.  That said, there were certain financial motivations and corporate espionage aspects in those days also.

And really, the prime motivation for people to do anything is always money. As they say on the innumerable crime procedural dramas, "follow the money."

What is interesting is how things are evolving, or more accurately, being exposed, these days with respect to where following the money takes you.  We always assume hackers are targeting personal financial and health data for the purposes of identity theft.  More recently, cyber-terrorism concerns are on the rise with SCADA attacks coming to the forefront in the US and elsewhere. And these are absolutely valid, as well as the continued and large risks of corporate information being accessed or destroyed for corporate espionage or disgruntled employee revenge.

But consider a BBC Radio 4 documentary exposing how UK private detective agencies are using hacking skills to expose potential news stories that they are bringing to certain nameless major media outlets.  And if you think that activity is limited to those rascals over in the UK, I encourage you to replace your head in the sand immediately to continue your blissful ignorance.

How does this change what we do as security and privacy professionals?  Again I'll go to my standard refrain of the urgency and priority of IT security and privacy policies and governance in each of our organisations.  But what this "new" information gives us IT security professionals is additional support tin our budgetary discussions.  If we want to do our jobs, and do them well, the reality is we are competing for each dollar (particularly this time of the year) with every other IT service related initiative and operational need.  We need to make our business case concise, and tailor our plans to address the highest risk areas first.  If you work somewhere with a relatively low probability for natural disaster or civil unrest, then your local media is going to be busy trying to get stories that make them money.

Can they make money off revealing information about your organisations operations or strategies? Then that is what they will be interested in doing, and don't doubt they are already looking for ways in.

Thursday, December 15, 2011

Social Media - It's for Everyone, But Not Everyone is for Social Media.

Recent events in the professional hockey world have me thinking about SoMe at work.  Now, while I do daydream about hockey occasionally at work, this is a more direct (please hear me out) connection than you'd think.

Chicago Blackhawks winger Dave Bolland recently got caught up in the atmosphere of a live interview, and made a series of disparaging remarks about the top players on my home team. "So what?" you say, "professional athletes talk trash often." And I'll be the first to agree.  What got me thinking here though, is how quickly a few comments, thrown out without forethought or apparently malice (see article about Bolland "recanting" his comments the next day) went from radio to Twitter, Facebook, and numerous other social media channels.  The net result? Well, Bolland will have to play the Canucks on January 31. He also now has cemented a reputation for himself, that may be great with his fans, and for whatever reason, this kind of behaviour seems idolized in the celebrity world.

Now picture an employee at any public or private institution with access to a computer, and no corporate controls (read: policies more so than firewalls) around social media. What kind of damage could that employee unleash with a flippant comment about the organisation, a competitor, or worse, a valued partner or customer?

And how do you repair that damage once done? Once the post goes out on LinkedIn, Twitter, YouTube, Facebook, or any other popular channel? It's been clearly illustrated that companies that try to back-track and battle back against negative social media just look like Goliath, no matter how wronged they have been. Hey, they are the 1%, as the OWS gang would say.

The best defence is a plan. Like with all privacy and security matters, you need to understand the risk, and take the reasonable steps to mitigate.  Are we going to have 100% prevention? Nope.  But if you have social media policies drafted up (like these shared by, and a workforce educated about the use of SoMe at & about work, you have a mitigation plan.

Wednesday, December 14, 2011

Medical Education Networks Must Be Good Neighbours

This story makes an understated point for us managing medical education and research networks.

While we may not operate or support the systems on the clinical networks, we operate immediately adjacent to them.

As our educators and researchers bring devices closer between these networks, we need to illustrate leadership, good faith, and act as responsible neighbours and ensure systems under our management are as protected as possible, and users as educated as possible. This in turn lightens the load for our colleagues managing the clinical networks immediately responsible for patient care.

Malware shuts down hospital near Atlanta, Georgia