IT and Boards

An article in the WSJ suggests that boards are getting more interested in cybersecurity. Actually the line just below probably says it all:

Facing threat of regulation

I doubt most boards are remotely able to carry on a meaningful conversation in this area. They don’t know what questions to ask and in general, they aren’t really interested. Likely, the reports they receive are just done to show that they’ve reviewed the matter.

Cybersecurity is hard.


Much is being written about the Equifax data hack. You can read about it here or here or here if you’ve not yet read much about it.

I saw a post on Twitter the other day that cracked me up.


One report in the NY Times suggested that Equifax doesn’t even know who is impacted.

Here is the deal: Equifax’s business is to gather this information and sell it to 3rd parties. When you need a loan or want a new credit card, the company extending credit to you goes to this company, or ones like it, to check on your credit. They gather this information from lots of different places and you have no option to tell them to stop doing this. They are creating this database of information about you and you have no control over how they protect this most sensitive information.

We are the ones impacted by their lack of security. We are the ones further impacted by the huge delay in telling us. What was stolen is about us and it impacts us. Equifax might take a stock hit, but not much more.


This company needs to be put out of business. The class action lawsuit should put them out of business. There should even be clawbacks on executive compensation and stock options.

A year of credit monitoring is not even meaningful punishment for this poor stewardship and lack of proper security protection.

Company and organization leadership teams need to take the protection of confidential information seriously. There need to be examples, like here, where the company is put out of business because of their lack of proper attention and focus. Probably the CIO will be fired, but really, the board and the senior leadership team should be fired.


Complexity of our Devices

I’ve been thinking lately that our devices are getting so complex that we no longer are sure about how to manage, secure or protect them.

My wife’s phone recently went nuts and started flashing the LED for alerts, but that setting was not turned on under Settings. Another friend’s phone started acting strangely and randomly, and the vendor ended up giving him a new device. His phone was an iPhone 6, which is awfully old to be getting a free exchange unit. My wife’s Apple Watch battery/system was so poor that the battery ran down every day mid-afternoon with everything turned off. She had to charge it twice a day. Apple support said it was within specifications. Right.

Our home networks are vulnerable and we don’t even know what we need to do to harden them. Apple TV can support multiple streaming sources, but nothing is simple and they each authenticate differently. We have devices to open our garage doors with who knows what security. What about our cars?

Apple and Steve Jobs used to talk about removing and simplifying. Matthew May writes about subtracting and eloquence in his books (well worth the read).

Unfortunately, companies continue to make things more complicated.

Our ice maker has a light to remind us to clean the filter. I have no idea how to clean the filter.

Turn it Off

Just finished reading the book The Seventh Sense: Power, Fortune, and Survival in the Age of Networks by Little, Brown and Company. Lots of great content about networks and their impact and implications for everything. There is this great quote about how to really, really secure your computer:

Robert Morris Sr., a cryptographic and security genius who towered over NSA code-breaking programs for decades in the last century, compressed his lifetime of experience cracking machines into three golden rules of computer security:

RULE ONE: Do not own a computer.

RULE TWO: Do not power it on.

RULE THREE: Do not use it.


This is hilarious but it goes with my prior post. The footnote indicates that he might not have actually said this, but it is attributed to him by multiple sources.

The book is about how connections are having significant and unstoppable changes to everything: government, military, commerce, social, etc. Everything is changing and we don’t understand this fully yet. Consider the following:

This new set of forces, invisible to many, is now applying a merciless and grinding pressure to the familiar structures of an older age. The struggles of our cherished institutions—the U.S. Congress, the military, the news media, our universities, our once-inclusive capitalism—to achieve the very aims that they once elegantly and efficiently met is visible evidence of this shift. Repeated government shutdowns. Years of unwinnable war. No news source we feel we can rely upon. Expensive, debt-funded degrees that don’t fit our modern economy. An ever-more-skewed distribution of profits. Pull your focus wider to encompass Europe, the Middle East, and Asia, and you find similarly vexing struggles as nations try to dig their economies out from financial landslides or resist nationalism and unrest. Power is now passing with a rippling, ripping energy from old, once-useful people and institutions. If this passage has so far wiped out only encyclopedias, telephone companies, and taxi medallions, it is merely because it is just beginning. Buried underneath these failures and the impending collapse of many institutions is a common force.

The seventh sense of the book’s title is, then, “the ability to look at any object and see the way in which it is changed by connection.”

Also some great material on AI and what that really might mean. Not AI as we traditionally think about it, but really just fast access to lots and lots of data and the associated correlations.

Really good ideas. Recommended.

Securing our Assets

I’ve about reached the point of believing that we have no chance of securing our personal information technology assets (home network, computer, mobile phone, tablet, etc.).

There are simple steps we can all take to secure our equipment and network, but they are likely just not enough. I’ve done several communications sessions with family and friends and others to discuss how they can best protect their equipment. I wrote about that on my security page. I just keep reading about more risks and threats, how organized those who want in are, and what capabilities they are bringing to bear to get access where they don’t belong.

Is it time to start disconnecting more? Should we have a computer at home that only occasionally is connected to the network, even if that helps at all? Updates now require network connections so it is almost unavoidable.

Keep all the firmware and software up-to-date on all our devices and that requires network connectivity again. But are all these updates secure, tested and safe? Of course they aren’t all safe. We are unsafe with the flaws in our existing devices and we are unsafe with the updates that add more flaws or new flaws. What to do?

Maybe a simple mobile phone that only does calls and text messages? But that can be hijacked and listened to, as 60 Minutes has told us.

All our technology (Watch, tablet, laptops, Kindle, Apple TV, Netflix, etc.) requires network connectivity. What to do?

What about our parents and friends who are not that computer literate?

I want to watch Stranger Things on Netflix and that requires a lot of technology on my end be up-to-date and working. What to do?


Compromised Email

A friend of mine had his security compromised a few days ago when someone managed to steal some information from him and cause further damage. He called and wanted to know things he should do.

I told him to assume his home computer, or all of them, was compromised and I encouraged him to use a different platform (a chromebook in this case) to start resetting his passwords and revalidating his information. Leave his likely compromised home computer alone for a while. Turn it off.

He started down this path and then re-logged into his email account (gmail in this case) and changed the password.

I wasn’t with him at this time, but a few minutes later it occurred to me that he ought to look at the filters or rules that he had put in place to process his email, so I sent him that message. I don’t know why I thought of this, as I don’t recall thinking of it or reading about this before, but I just thought he ought to look at his filters. He looked.

Someone had put a filter in place to block certain inbound emails and send them elsewhere.

So, his email had been compromised and the perpetrators had been clever enough to put filter rules in place to further hide the compromise as long as possible. Amazing. I had never considered this before and I’m still thinking about its implications.

If you get your email or computer compromised, you really need to start over on a new platform and then methodically regain control of your accounts. And, turn on two-factor authentication wherever you can.

Be careful out there.

Security Talk for Friends


The security risks that we are all facing individually and as households are getting so severe that I’ve decided to prepare a presentation and give it to a gathering of friends. I’m going to talk about the basics of passwords, 2-factor authentication, best practices with your endpoints and your home network, and finally best practices when traveling. The key point that I’m trying to get across is that we need to trust less and we need to be proactive in managing our security and privacy.

I did this 1.5 years ago with family and heard a lot of good feedback; however, my 4-year-old nephew, who was on the floor playing with dinosaurs at the time, rolled over and announced in a loud voice that this was boring!

Copies of this material and some other resources are posted on the security page above.