Sony PlayStation Network Hack

This came across my desk yesterday and looks like the Sony PlayStation Network was hacked according to Wired.com.  Details are trickling in, but it’s believed that over 70 million credit cards were compromised as part of this hack.  Here’s the official response from Sony.

–Kevin

LOCKBOX SFT, the easiest to use and most secure file transfer service

RSA Security Breach, SecurID Data Stolen

RSA recently reported that its networks were breached and data was stolen regarding their SecurID tokens.  You can find stories about this pretty easily, but this link I found was the most helpful in terms of what customers can do now.

http://news.cnet.com/8301-27080_3-20044775-245.html#ixzz1H59sv1C4

–Kevin

LOCKBOX SFT, the easiest to use and most secure file transfer service

LOCKBOX Passwords iPhone App Was Released!

Our iPhone passwords app called LOCKBOX Passwords was release last week.  Check it out on the Apple AppStore at http://itunes.apple.com/us/app/lockbox-passwords/id420857097?mt=8&ls=1.  If you have lots of passwords to remember, and want to keep them organized and highly secured, this app is for you!

–Kevin

LOCKBOX SFT, the easiest to use and most secure file transfer service

Make Your Own Secret Sauce: Guest Post on Sources of Insight

Not related to security, but still might be an interesting read for some of you.  Here’s a guest post I wrote for the Sources of Insight site on “secret sauces”.  Enjoy,

http://sourcesofinsight.com/2011/03/14/make-your-own-secret-sauce/

–Kevin

LOCKBOX Passwords iPhone App Releasing Soon

Just wanted to share the news that over at LOCKBOX we will soon be releasing our iPhone app that lets you store your most sensitive passwords in a highly secure and safe way.  Sure we know that there are lots of similar apps, but this one has extended security features that help protect your data even if it is lost or stolen.  We also focus specifically on protecting passwords and being the best at it, whereas other programs try to do everything under the sun (passwords, credit card numbers, bank account, etc.).

More news to follow,

–Kevin

LOCKBOX SFT, the easiest to use and most secure file transfer service

Impacta donates 10% of its 2010 revenue to local charities

2010 was another great year for Impacta and I am proud to announce that we just gave away 10% of our 2010 revenue (top line) to local charities, like the Seattle Humane Society.  It is my personal opinion that in times like these, charities need as much help as they can get in order to keep doing the great work that they do — so whether its financial, time or skills that you contribute, everything counts.

Thanks to everyone for helping us make this a truly great year, big surprises to come in 2011!

–Kevin

Top 3 Things Obama Wished He Had Known in 2010 About Data Protection – What You Can Do To Not Be the Next WikiLeaks Featured Story

Checkout our data protection post about the WikiLeaks fiasco and how it could have been prevented.

http://blog.golockbox.com/2010/12/13/top-3-things-obama-wished-he-had-known-in-2010-about-data-protection-%e2%80%93-what-you-can-do-to-not-be-the-next-wikileaks-featured-story/

Enjoy,

–Kevin

LOCKBOX SFT, the easiest to use and most secure file transfer service: http://www.golockbox.com

Microsoft releases case study of LOCKBOX SFT

Microsoft last week released a great case study of our LOCKBOX Secure File Transfer (SFT) and data protection solution (www.golockbox.com), and how we leverage Microsoft Azure to bring a fast, reliable and secure solution to our customers.  Microsoft did a fantastic job describing the business problems we are solving, how we solved those problems and ease with which we were able to solve it using Microsoft technologies and platforms (Azure, WCF, ASP.NET, IIS7, SQL Server and more).  Check it out at http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?CaseStudyID=4000008570.

–Kevin

LOCKBOX SFT, the easiest to use and most secure file transfer service: http://www.golockbox.com

Shaking my head again … the Microsoft security patch MS10-070

Microsoft earlier this week released an important patch that addresses the MS10-070 security issue which affects nearly every ASP.NET Web application, and I have to say I once again find myself shaking my head with disappointment.  But not at Microsoft.

Microsoft did the right thing: they acknowledged the issue, released details about how to implement controls to reduce the impact of any current attacks, started developing a patch, tested that patch to minimize any applications breaks from the patch, and released it out-of-band from its regular patch cycle to help protect their customers ASAP.

(Here comes the disappointment part) … And like clockwork, several sites and individuals released details (automated tools, step-by-step instructions, YouTube videos etc.) on how to exploit un-patched ASP.NET applications, waving around the “we are helping to protect customers by promoting awareness of this issue by demonstrating the actual risk” flag.  I am not going to start up the is-this-really-the-most-effective-way-to-raise-awareness debate, that discussion has been beaten to death, but I do want to share these two short observations:

  1. Yes, awareness is definitely raised, but was the overall risk increased?  That is, by spreading these videos, tools, etc. and raising that awareness, was the overall risk to Microsoft’s customer’s and their customers increased?  Think about it this way:  imagine we quantify the danger level of the Internet from 0 to 100, where 0 is “safe, not dangerous” and 100 is “very dangerous”.  By releasing these automated tools and videos so that now anyone can start hacking into un-patched ASP.NET Web applications, is that danger level needle now leaning more towards 0 (safe) or 100 (very dangerous)?
  2. These individuals and teams obviously have the technical skills and deep expertise to put together automated tools and steps to exploit this vulnerability.  Very few people have this ability and I’d even go as far and say they are truly gifted.  Imagine the amazing things they could do if they spent that same neural energy creating automated tools and steps to prevent vulnerabilities instead of exploiting them?  As a business owner, I just see an amazing talent pool going to waste.

Anyhow, if you are running an ASP.NET Web application it might be worthwhile to take a look at the MS10-070 patch if you haven’t already.  Have a great weekend everyone.

–Kevin

LOCKBOX, the easiest to use and most secure file transfer service: http://www.golockbox.com

3 Top Ways to Lose Your Best Security People

National Public Radio (NPR) reported several weeks ago that the United States government was seeing a shortage of qualified ‘cyber (security) warriors’, that is professionals who are skilled enough to effectively protect the US digital infrastructure from cyber attacks.

The original article lives here: http://www.npr.org/templates/story/story.php?storyId=128574055.

The article glanced at the general problem and what the US government was doing to recruit professionals in the future.  It might have been the brevity of the article, but I hope the US government has also incorporated into its overall strategy how to acquire and retain those good security people, since retention seems to be one of the roots of the problem. In my experience as a security manager, retaining people is somewhat of an individualized art. Some people want more money, some people want more responsibility, some want less, promotions, etc  – it just depends on the individual.  There is however a science side and I’ve found that there are some universal mistakes you can make to almost guarantee a loss of your best security people, and my top three are:

  • A**hole driven security
  • Wrong team strategy/charter
  • Making it all about security

Top Way to Lose Your Best Security People #3: A**hole Driven Security

In my experience one sure fire way  to drive away your best security people is to incorporate and internalize the tactics of what I call “A**hole Driven Security Teams” tactics.  I adapted the concept from Scott Berkun’s blog post, but the idea is simply this: a security team that is led by one or more individuals exhibiting high a**hole-like tendencies and tactics.  This one is going to need further explanation.

In an information security setting there are generally two players. A team that creates the risks, such as an IT or product development team (Team A) and a team that is responsible for mitigating those risks, such as a security team (Team B).  Ideally, Team B will help to identify those risks and work with Team A to understand those risks, and then close the loop by creating strategies to reduce those risks.

Now if a disagreement arises (as it often does), for example Team A feels that the mitigation steps required by Team B are unreasonable, there are two general approaches I’ve observed. The first approach (Approach #1) is the approach discussed above, the non-a**hole driven approach, where Team B will works cooperatively with Team A to identify, understand and reduce risks. Many if not all of the best and most effective security people I’ve known work in this fashion. The second approach (Approach #2)  is the a**hole-driven security team approach where compromise and cooperation tend to be least favored and tactics like the following are used by Team B:

  • Try to defame and discredit someone in Team A, often to upper management, their partners and in a behind-your-back fashion;
  • Use embellishment phrases and words during mediation, such as “confidence crisis” and “catastrophic errors” to overstate their authority/charter/or discredit a team or individual they oppose;
  • Escalate through the opposing team’s management chain, un-announced and in a non-mutual manner; and
  • When their their tactics are exposed and found unjust, they mysteriously go into radio silence.
  • More …

The best security people I know just don’t work in this fashion.  Office politics are a reality of any professional setting and when great security people find themselves embedded in an a**hole driven security team I’ve observed two very clear effects.  The first is those best security people stay and become a**holes themselves and produce a now larger, more dense collective. And the second is they leave for other teams and companies that favor Approach #1 over Approach #2.

Top Way to Lose Your Best Security People #2: Having the Wrong Team Strategy/Charter

You would think that after a**hole driven security teams there are no other more toxic ways to lose your best security people, but there are.  Whereas a**hole driven security is in-your-face and fast-acting, this next one is not so apparent and slow-moving where you sometimes don’t even realize it’s there.  The next way to lose your best security is having the wrong team strategy/charter.

I’ve seen security teams make their group’s charters something like, “If people in this company don’t hate you, you aren’t doing your job” or “We can stop products from shipping.” Granted, those are reasonable team charters to have, but … ah, forget it …  I was going to tippy-toe around this one, but I’ll just say it then: that is just stupid and foolish.  Why would you ever make your team’s charter akin to “we throw pies in the faces of our colleagues”?

Yes, a security team’s objective may very well to make sure products and services meet some minimum security bar, and in the process may make other people’s lives more difficult, delay product ship schedules, etc., but when they write that on their flag and wave it around guess what eventually happens?  Those teams get ignored and/or met with hostility.

Stick your best security people in a team like this and they too will be ignored and/or met with hostility by they very teams they need to work with. Those best security folks can’t get their job done effectively, job satisfaction continually drops and over time they will leave.

Top Way to Lose Your Best Security People #1: Making it All About Security

The first two top ways to lose your best security people focused on a security team’s outward facing actions. This last one however focuses on the inward facing actions of a security team, especially by team managers.  I kept this one as the last top way to lose your best security people, because I feel that even if you get the first two right, this last one can still break you in the long run and you’ll lose your security superstars.

One of the first arguments established in the book How to Win Friends and Influence People, by Dale Carnegie, was the need for people to feel important, to understand what is important to them and to be acknowledged them in some way. Security people, especially the best ones, are no different.  This is management 101.  What is not so 101 is that as a security manager, if you want to retain your best security people, you need to be acutely aware of what is individually important to each of your best security people, and here’s the twist — it may not be about security!

It’s only natural to think what’s important to a security team, must also be important to the members of the security team right?  Well that’s not always the case, and this lesson came to me when I had a post project conversation with one of my past team members, we’ll call him John.  It was several years ago, but it went something like this:

  • Kevin: “Hey John, great job on the penetration test you lead for Customer X. They are super happy with the findings and impressed with your remediation plan you created.  Nice work!”
  • John: (Pause) “Thanks Kevin, …”
  • Kevin: “You don’t seem to be as excited, what’s up?”
  • John: “Well, I wanted to get some experience learning how to write code, hopefully next project I can get an opportunity …”

I learned a really important lesson from this conversation, actually two.  First, what might be important for the team, might not necessarily be individually important to the members that make up that team.  In John’s case, he was happy that our team delivered and exceeded our customer’s expectations (it was all his work anyways), but what was really important to him deep down was the opportunity to grow (to learn to write application program code).  That’s the ‘understanding what’s important’ part of Dale Carnegie’s book. The second is reward and acknowledge based on what is individually important to your best security people.  That’s the ‘feeling important’ part.  For the record I am not advocating that security managers should start stroking the egos of all their reports.  That’s disingenuous and people will see through it.  What I am advocating is if you fold in what’s important to each of your best security people with what’s important to the team and what’s important to your company, it’ll go a long way in retaining your best security people.  If you don’t, well you know what will happen eventually.

Alright, those were my top 3 ways to lose your best security people: a**hole driven security teams, the wrong team strategy/charter and making it all about security.  What are your top 1-3 ways?

–Kevin

LOCKBOX, the easiest to use and most secure file transfer service: http://www.golockbox.com

Follow

Get every new post delivered to your Inbox.