Equifax

Much is being written about the Equifax data hack. You can read about it here or here or here if you’ve not yet read much about it.

I saw a post on Twitter the other day that cracked me up.

One report in the NY Times suggested that Equifax doesn’t even know who is impacted.

Here is the deal: Equifax’s business is to gather this information and sell it to third parties. When you need a loan or want a new credit card, the company extending credit to you goes to this company, or ones like it, to check on your credit. They gather this information from lots of different places and you have no option to tell them to stop doing this. They are creating this database of information about you and you have no control over how they protect this most sensitive information.

We are the ones impacted by their lack of security. We are the ones further impacted by the huge delay in telling us. What was stolen is about us and it impacts us. Equifax might take a stock hit, but not much more.

This company needs to be put out of business. The class action lawsuit should put them out of business. There should even be clawbacks on executive compensation and stock options.

A year of credit monitoring is not even meaningful punishment for this poor stewardship and lack of proper security protection.

Company and organization leadership teams need to take the protection of confidential information seriously. There need to be examples, like this one, where the company is put out of business because of its lack of proper attention and focus. Probably the CIO will be fired, but really, the board and the senior leadership team should be fired.

Compromised Email

A friend of mine had his security compromised a few days ago when someone managed to steal some information from him and cause further damage. He called and wanted to know things he should do.

I told him to assume his home computer (or all of them) was compromised, and I encouraged him to use a different platform (a Chromebook in this case) to start resetting his passwords and revalidating his information. Leave the likely compromised home computer alone for a while. Turn it off.

He started down this path and then re-logged into his email account (gmail in this case) and changed the password.

I wasn’t with him at this time, but a few minutes later it occurred to me that he ought to look at the filters or rules that he had put in place to process his email, so I sent him that message. I don’t know why I thought of this, as I don’t recall thinking of it or reading about this before, but I just thought he ought to look at his filters. He looked.

Someone had put a filter in place to block certain inbound emails and send them elsewhere.

So, his email had been compromised and the perpetrators had been clever enough to put filter rules in place to further hide the compromise as long as possible. Amazing. I had never considered this before and I’m still thinking about its implications.

If you get your email or computer compromised, you really need to start over on a new platform and then methodically regain control of your accounts. And, turn on two-factor authentication wherever you can.
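Checking mail filters for rules an intruder may have added, as an added example that is not part of the original post: it reads the XML file Gmail produces under Settings > Filters and Blocked Addresses > Export (the feed layout assumed here is the Atom/apps:property form that export uses; the sample file is constructed) and flags rules that forward, delete, archive or mark-as-read mail, especially when aimed at password-reset or verification messages.

```python
# Audit a Gmail filter export (mailFilters.xml) for rules that hide mail.
# Assumes the Atom feed with apps:property elements that Gmail's
# Settings > Filters export produces; SAMPLE_EXPORT below is constructed.
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"
# Filter actions that keep the account owner from seeing selected mail.
HIDING_ACTIONS = {
    "forwardTo": "forwards a copy elsewhere",
    "shouldTrash": "deletes on arrival",
    "shouldArchive": "skips the inbox",
    "shouldMarkAsRead": "hides the unread marker",
}
# Words that suggest the rule targets password-reset or verification mail.
SENSITIVE_TERMS = ("password", "verification", "security", "reset", "sign-in")

# Constructed sample: one ordinary newsletter filter, one hiding filter.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='News'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='password OR verification'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='forwardTo' value='unknown@example.net'/>
  </entry>
</feed>"""

def parse_filters(xml_text):
    """Return one {property name: value} dict per <entry> in the export."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value") for p in e.iter(APPS + "property")}
            for e in root.iter(ATOM + "entry")]

def audit_filter(props):
    """Return the reasons a filter deserves a look; empty list if benign."""
    reasons = [why for name, why in HIDING_ACTIONS.items()
               if props.get(name) not in (None, "", "false")]
    criteria = " ".join(props.get(k, "") for k in ("from", "to", "subject", "hasTheWord"))
    if reasons and any(t in criteria.lower() for t in SENSITIVE_TERMS):
        reasons.append("criteria match account-security mail")
    return reasons

def suspicious_filters(xml_text):
    """Pair each flagged filter with its reasons; benign filters are dropped."""
    results = [(f, audit_filter(f)) for f in parse_filters(xml_text)]
    return [(f, r) for f, r in results if r]
```

Run it over your own export and review every flagged entry; a forward to an address you do not recognise, or an archive-and-mark-read rule on security mail, is the pattern described above.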

Be careful out there.

Security Talk for Friends

The security risks that we are all facing individually and as households are getting so severe that I’ve decided to prepare a presentation and give it to a gathering of friends. I’m going to talk about the basics of passwords, 2-factor authentication, best practices with your endpoints and your home network, and finally best practices when traveling. The key point that I’m trying to get across is that we need to trust less and we need to be proactive in managing our security and privacy.

I did this 1.5 years ago with family and heard a lot of good feedback; however, my 4-year-old nephew, who was on the floor playing with dinosaurs at the time, rolled over and announced in a loud voice that this was boring!

Copies of this material and some other resources are posted on the security page above.

Mark

Phishing Boom

I have been reading about and experiencing an increase in phishing attacks and an increase in their sophistication. Wikipedia defines phishing as:

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

There was a good article published late last year which talks about why they are getting more dangerous and I highly recommend you take a look at it. Phishing emails are harder to spot, they come from trusted sources, they know a lot about you and the people you are around and they have specific targets in mind to steal from you. They no longer are impersonal emails about a package delivery. Now they are related to your job function and they may reference people you know. This article is spot on.

An article published last October told of how to spot these emails. I recommend you study this message and then pass it along to friends and family. You might think you’ve got this figured out, well then help your co-workers, family and friends figure it out too.

About 18 months ago I did a security ‘talk’ to my family and I covered topics like passwords, computer updates, phishing and other related ideas. I think I need to do it again and I was thinking about doing an afternoon session for whoever wants to attend where I go to church. If you are informed, tell someone else. This stuff is dangerous.

Change

Seems to me that lots of change is about to happen in corporate IT. There has been chatter for years about everything moving to the cloud, or disk drives being dead, or everything having to be mobile, or the like, and most of those brash predictions are just nonsense. They might be true in a corner or in a niche or in some limited applications, but in general, they are nonsense. Few things in IT change overnight or even in a year. Many times it takes decades.

WSJ just posted an article about things we’d like to see die (fax machines) and it is mostly right. The bulky ERP on the list is right and wrong. Yes, we’d like them to go away and magically be in the cloud, which means someone else’s computer, but it just can’t happen quickly for big organizations. The shift to some of these platforms is really, really, really hard.

However, this time it feels like change is happening. Incrementally. Here are some thoughts:

  1. There is going to be turmoil and turnover in applications used and deployed in the coming years. It is likely that apps installed and put into production last year will be replaced by different applications next year. There are new SaaS solutions appearing weekly and some vendors are integrating lots of functions into a suite (ServiceNow, Salesforce.com, WorkDay, etc.).
  2. Data growth will continue with no real slowdown in sight. Storage is cheap and the engineers want to save everything forever. The data scientist types will want the data saved forever too.
  3. Turmoil will continue with hardware and software vendors. The current wave of M&A activity will continue. Suites gobble up small application companies. Infrastructure companies gobble up other infrastructure companies. Others just won’t make it. The hype cycles will continue.
  4. Security or information protection is getting harder. No easy end in sight.
  5. Lots of stress in IT. Do all of the above, spend little or less, keep everything secure and be faster.

What else?