As Strong As Your Weakest Link

As the old saying goes "You are only as strong as your weakest link".  Interestingly, in the recent rash of data disclosures from Edward Snowden and his predecessors, the weakest link could well turn out to be of America's own making.

Outsourcing key data activity to contractors rather than keeping it in-house means your online security is only as good as their employees are; in keeping mum about what they discover about your operations in the course of their daily duties.

Consider the fact, expounded by James Sensenbrenner in a recent editorial, that there are some 500,000 employees of private firms with access to the government's most sensitive secrets.  And this is just the States.  There are surely more in other countries contracted to undertake similar surveillance.

Some regard the actions of Manning, Assange and Snowden as heroic and others consider them heinous, but which ever side of the the ethical debate you sit on, the fact remains that confidential data was accessed and shared with those it wasn't intended for.

It is a sobering realisation (or maybe reconfirmation) that it is the low level IT guy who poses your greatest threat. These techs seem to be able to rummage through systems and make discoveries that evade all of the so-called safeguards that the governments throw at them.

Consider for a moment what you might have accessed online or sent to others via email in the past year.  I would suggest that many people who would feel less than comfortable in having a total disclosure of their online habits revealed to the world without their permission.

But is there anything you can do to mitigate the risk that others can and do spy on what you do?

Part of the answer could well have been given by NSA whistle-blower Snowden.  In reply to an online discussion set up by the Guardian newspaper he said that:

"Encryption (of email) works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it".

So there you go.  Even encrypting your email can only assure safe passage between systems and if the systems themselves have a weakness an IT tech on a mission can crack it or share it. Not the most comforting of thoughts and if the technician in question has a thumb-drive (as Snowden is reported to have by Senator Saxby Chambliss of Georgia), then your data could be shared and leaked well beyond the boundaries of your network.

Am I alone in thinking that these revelations could well have profound implications for the future of the Cloud? The 'contracting out' of data storage from your own servers to a third party based in another country could well have become a far more difficult decision for businesses to make.

And if you wish to mitigate some of the damage your email might cause you could always try using encryption yourself.  Here is one suggestion: GNU Privacy Guard for Windows which is free software.  Mind you I cannot guarantee that a low-level tech at the NSA hasn't already cracked it.

Related articles

• NSA Leaks Show Low-Level IT Worker as Secrecy's Weak Link - Bloomberg
• NSA-proof encryption exists. Why doesn't anyone use it?
• NSA leaker: No chance of fair trial
• Encrypting Your Email Works, Says NSA Whistleblower Edward Snowden
• Establishment Assertions that Snowden is a Chinese Spy are "Predictable Smears" (+video)

Are You Feeling Cyber Secure?

What would you do if your network's defences were breached and your  precious user accounts, financial and customer data were pillaged?

Not only would your intellectual property be jeopardised but the chances are that just one such breach could put you on the road to ruin. Overstated? Not really when you consider how much your business now depends on the Net.

A  National Cyber Security Alliance and Symantec survey conducted in September of 2012 discovered that  77% of 1,015 small businesses (less than 250 employees) thought they were safe from cyber attacks.   In this they were somewhat deluded, as 83% of them had no cybersecurity plan, although their online business operations were increasingly using social media and the Cloud. (see infographic below)

Raphael Ouzan, founder of BillGuard in New York says:

“When it comes to cybersecurity protection, the biggest problem that small and medium-sized business owners often fail to address also happens to be the most critical: Awareness.
A lack of awareness by employees is the root cause of most of data leaks and other security incidents, and no matter how secure your data centre may be or how strongly communications are encrypted, the weakest link will always be the human beings interacting with the network."

Symantec offered seven tips that companies could and should adopt to make things more difficult for hackers and cyber-criminals:

1. Determine what it is that you need to protect.  Undertaking a security audit will pinpoint where you information is currently stored and used.  You can then beef up your defences as required.
2. Enforce strong password policies.  If you are serious about data protection then make sure your passwords are at least eight characters in length and contain combinations of letters, numbers and symbols. e.g. read!671DC. And do differentiate your passwords; don't use the same one for social media and online financial transactions for example.
3. Don't wait for a security disaster to occur. Plan in advance with a comprehensive Preparedness Plan which should:
    - provide information on the identification of possible scenarios
    - tell you which are your critical resource that need protection
    - identify what is the appropriate security that needs to be put in place
    - establish the regular routine of archiving of business-critical files using a suitable backup solution
    - timetable the frequent testing you need to ensure your disaster response is satisfactory.
4. Encrypt highly sensitive information on desktops, laptops, mobiles and removable media to protect your confidential information from unauthorized access.
5. Educate your staff by providing training and a develop Internet usage and data security guidelines and policies. These should include clear guidelines for the sharing of information with any of the team that work remotely and details what you are prepare to share with your partners.
   Using Wi-Fi connections  in public cafes with phone or tablets can be particularly risky so they need to be made aware of the exact name of their network and login steps.
   Clearly spell out what staff should do if they discover malware or suspect their data has been accessed by unauthorised third parties.  The same applies if they inadvertently leave their laptop or data device on public transport (and yes it does happen!). What course of action should they take? Who in your organisation should they immediately contact?
6. Makes sure that the security solution you have chosen is modern and up to date. The pick of the anti-virus crop do more than just look for viruses and spam; they scan files regularly for unusual changes in file size, malware programs and suspicious email attachments.
7. Make it daily practice to update your security solution (anti-virus software).  The best ones quickly respond to new viruses, worms, Trojan horses and other malware with new updates.

All of the above requires investment in time and also financially, but prudent risk management makes the above a necessity.

The founder of Flippa.com, Matt Mickiewicz, explains to the Washington Post's J.D. Harrison:

"Everything we do is online, so cybersecurity, and its inherent association with trust, is a high priority. It’s also a core competency of our team, so we tend to do the bulk of it ourselves. We use tools such as risk matrices, plotting likelihood against impact, to determine how much we invest in this space. Our resources are immediately assigned to anything with high likelihood and high impact."

So Most Expensive is Best?

Buying the most expensive antivirus product around may turn out to be a waste of money. A report, called Assessing the Effectiveness of Anti-Virus Solutions and carried out for he security firm Imperva by the University of Tel Aviv, suggests that poor detection means that free programs offer better value for business.

82 new malware files were tested through the VirusTotal system which checks files against around 40 different antivirus products; the initial detection rate was a big fat zero!

Imperva’s researchers concluded that two free antivirus products, Avast and Emisoft, were the “most optimal” of the ones they reviewed. McAfee also passed muster.

Imperva’s CTO, Amichai Shulman is quoted as saying “We cannot continue to invest billions of dollars into anti-virus solutions that provide the illusion of security, especially when freeware solutions outperform paid subscriptions.”

One product that looks promising is ZeroVulnerabilityLabs which addresses the security challenge from a different angle. You can try out their free program which they claim stops malware from exploiting a wide range of software vulnerabilities, whether they are known ones or not.

This free utility is part of a layered approach (users still need antivirus and other security mechanisms) to fight against the plague of exploit kits which are infecting thousands of users every day.

Related articles

• On cybersecurity, small businesses flirting with disaster, survey finds
• PNC Bank Offers Cyber Security Tips
• Report declares antivirus software a waste of money for businesses