Tuesday, April 30, 2013

Wednesday, April 24, 2013

Targets of Opportunity

#dbir

...is one of the findings in #Verizon's 2013 Data Breach Investigations Report, which is chock full of interesting data.  75% of the victims were selected because they had a weakness an attacker knew how to exploit, not because they were specifically chosen.  The difficulty of the initial compromise was rated low for 68% of the breaches, meaning the attackers used basic methods or automated tools and scripts.  It also means that sloppy configurations, needless services and exposed vulnerabilities are what attract this attention.

Overall, the report covers 47,000 reported security incidents, of which 621 were confirmed data breaches.  The distinction matters: the analysis focuses on the 621 confirmed data loss incidents rather than on the 47,000 reports.  There will probably be a ton of articles reporting the results, but a good place to start is securosis.com with their How to Use the 2013 Verizon Data Breach Investigations Report.  It is a great primer for the document.

There is a pretty even distribution of industries hit, from financial to retail and restaurants, manufacturing, transportation and utilities, to government and defense contractors.  The overwhelming majority of confirmed data breaches, 92%, were perpetrated by outsiders, with insiders involved in 14% (the categories overlap, since some breaches involve more than one actor).  Interestingly, across all reports (the 47,000, not just the 621 confirmed) insiders accounted for 69% of the incidents, typically through carelessness rather than criminal misuse.  76% of the network intrusions exploited weak or stolen credentials, and 75% of the attacks were financially motivated.

Some other interesting data for me was that 66% of the breaches remained undiscovered for months or more, and 69% of those were discovered by outside entities.  So organizations are in the dark about their intrusions, and it takes an outsider to point it out.  It's like those people who drive away with the gas hose still hooked to their tank.

I was also curious about breaches as a result of BYOD.  Not many.  In 2011 they saw only one breach that involved personally owned devices, and only a couple more in 2012.  They will keep watching and do expect that it may increase, but for now, so far so good.  That could be because, while BYOD is a hot topic, most surveys indicate that only around half of organizations are digging in.

There is a ton more valuable data in the report and it is an easy, fun read for 63 pages of stats.  Right on page 2 they say, 'Some organizations will be a target regardless of what they do, but most become a target because of what they do.  If your organization is indeed a target of choice, understand as much as you can about what your opponent is likely to do and how far they are willing to go.'  Put it on your list.

ps

Related:

Connect with Peter: Connect with F5:
o_linkedin[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]

Tuesday, April 23, 2013

The Prosecution Calls Your Smartphone to the Stand

Or Bring-Your-Own-Defendant

A very real legal situation is brewing in the wake of the bring-your-own-device phenomenon. #eDiscovery.  You might be familiar with some of the legal or liability issues that a BYOD policy should address, like privacy, the loss of personal information, working overtime, or the fact that financial responsibility may dictate legal obligation.

Now, technology law experts are saying that if your company is involved in litigation, criminal or civil, personal mobile devices that were used for work email or other company activity could be confiscated and examined for evidence as part of the investigation or discovery process.  So if you use your personal smartphone for work-related activities and your company is involved in a lawsuit, there may come a point where the court subpoenas your phone to see what relevant evidence it contains.  During litigation, the organization itself may have the legal obligation to sift through your mobile device for related information.  If sued, companies are required to make a good-faith effort to retrieve data, wherever that may be.  That includes your email, GPS history, text messages, cell phone records, social media accounts, pictures and any other info that could be pertinent to the case.  This is proprietary, company-owned data that resides on my personally owned device.  It is especially true if your corporate email co-mingles with your personal email, meaning both are delivered through the same email app or program.  In fact, according to this article, a judge recently sanctioned a company for a discovery violation because it did not search the BYOD devices during discovery.

Some people seem to lose all sense of daily human functioning when social networks like Facebook, Twitter and others are unavailable for a short period of time.  We've become so attached to our mobile devices, and they have become the center of our lives...imagine not having that pacifier for a few days.  OMG, I've time-traveled to the 1980s and have no way of announcing it to the world!!  What am I going to do now that I can't re-tweet that funny cat picture!  I'm so lost without you, oh electronic appendage.

As more organizations embrace or even require BYOD in the workplace, it becomes even more critical to be able to separate personal and work profiles.  It is important that the corporate data and apps do not mingle with the already present personal data.  Solutions like F5's Mobile App Manager provide a fully enclosed virtual enterprise workspace and create a secure footprint on the device for enterprise data and access only.  MAM allows organizations to safely separate personal data and usage from corporate oversight and controls how employees access key corporate information.

ps


Wednesday, April 17, 2013

Most of the Time We Get it Wrong

A colleague relayed this story:

At a recent toastmasters meeting, they did a survey.

They were asked what does each of the following words mean, when represented as a percentage?

  • Sometimes
  • Frequently
  • Rarely
  • Often
  • Usually

For example, my friend interpreted “Frequently” to mean “about 60% of the time”....more than half for sure.  I agreed.

We thought that we “knew” how these were interpreted by other people, but when they reviewed the survey, they found that people interpreted these words in such different ways as to make them all interchangeably meaningless.  The percentages below are the range of what people 'thought' were the accurate occurrences.

Survey Word    (Equals)
Sometimes      10-60%
Frequently     30-95%
Rarely         1-10%
Often          50-90%
Usually        50-98%

Only “Rarely” seems to have a common understanding. 'Frequently' had such a giant range as to be completely useless, with some people thinking that it meant less than half the time and others feeling that it was a near certainty.

With that in mind, from now on I will frequently write stories that are rarely covered often in the media and it will usually involve some stats that I'll sometimes understand. 

Perfect.

ps


Monday, April 15, 2013

Conversation with One of CloudNOW’s Top 10 Women: Lori MacVittie

F5 Sr. Technical Marketing Manager Lori MacVittie received CloudNOW’s prestigious Top 10 Women in Cloud award for her exceptional contributions to the cloud community. CloudNOW, an executive consortium of the leading women in cloud computing, presented the award during UBM Tech’s Cloud Connect—the premier technology event for cloud computing.

I've had the good fortune to have known and worked with Lori for almost 7 years and sat down with her to talk about cloud, convergence and application delivery.

Peter: First, congratulations Lori on yet another award. If I remember correctly, this is the 2nd year in a row that your contributions, accomplishments, and thought leadership have been recognized by CloudNOW. How’d you get so smart?

Lori: I don’t necessarily think it’s being so smart myself that’s key, it’s being afforded a platform on which smart ideas – many of which are instigated by other, very smart people - can be promoted that made that happen. I won’t say I don’t have smart ideas myself, but there’s so many talented folks in the industry that it’s more a collaborative, bouncing-off-each-other process that’s critical to coming up with ways to solve new challenges.

Peter: Public, private, hybrid. Is there a clear cloud choice for organizations or does it depend on what they are trying to accomplish? What are the advantages and pitfalls of each?

Lori: Wow, that’s at least one if not two or three blog posts right there. I think it depends on what the organization is trying to achieve and what kind of applications are critical to achieving those goals. The reality is that hybrid is going to dominate the cloud landscape by virtue of sheer necessity. There are too many needs that can’t be met by just public or just private that require a more integrated, business-driven approach to deployments. That means hybrid is going to win, hands down.

Peter: Some in the industry believe the term ‘cloud’ is starting to get a bit cliché due to potential overuse, misuse and abuse. What do you think? Has it lost some luster?

Lori: Did it ever have luster other than as link-bait? Seriously, like any new technology market the term is overused, hyped, and abused. It means different things to different people and, more confusingly, to different markets. It still has power, but it is losing its status as technology darling du jour to more up-and-coming technology that has infrastructure bling, like SDN.

Peter: Cloud Standards. The IEEE Cloud Computing Initiative has originated two working drafts (P2301 and P2302); The Cloud Security Alliance works together to define best practices in cloud security; the Open Cloud Consortium supports the development of standards among others. First, will there ever be standards and if so, what will that provide to both customers and providers? Will standards be the final keystone for those waiting in the wings?

Lori: Standards for what? Integration? Bridging? Brokering? Cloud management? We are so far away from standardization of cloud anything at this point that we’re going to have to wait and see. When customers start demanding support for a standard X or Y or Z as table stakes for being considered as a viable provider, then we’ll start seeing real movement around those standards. So in the meantime, we’re going to continue to see each provider and vendor offering up their own “standards” and maneuvering with partnerships and support of APIs. When we start seeing accepted – even de facto – standards around cloud we’ll know it’s reached maturity.

Peter: In your opinion, what are the biggest challenges facing cloud computing? Security? Availability? The misuse of the term? Standards? Confusion?

Lori: Integration and portability. There is no such thing as “cloud security”, only network, application and data security applied in the cloud or in the data center. :-) The biggest challenge facing cloud is that it requires a new way of looking at application deployment challenges and ultimately that trickles down to how we architect at the network, its topology. That’s a bigger challenge than simply giving up control of infrastructure; after all, we did that when we adopted managed hosting. Cloud is forcing us to rethink how we architect from the network up, and that’s harder than anything else because it’s a paradigm shift (there’s a phrase we haven’t used in a decade or so, but it’s the one that fits best – and probably better now than it did then).

Peter: You presented on two topics at Cloud Connect – ‘App Delivery in the Cloud’ and ‘Managing Hybrid Cloud’. Can you give a synopsis of each?

Lori: Let’s see. On the first one: successfully delivering applications and managing access in a cloud computing environment is about balancing control with flexibility: integrating processes and leveraging the power of standards like SAML to extend enterprise governance over cloud deployed applications while distributing control into the cloud to enable consistent control over delivery policies. Managing hybrid cloud. It’s all about integration. Integrating processes, integrating networks, integrating resources. Once you do that, the management is easy. Okay, maybe not easy but easier, which is a good thing considering the state of infrastructure integration today.

Peter: How do some of these new technologies like SDN (Software Defined Networking) and NFV (Network Function Virtualization) fit into the cloud equation?

Lori: SDN is really about enabling elasticity for scale and flexibility in topology at the network layer. In that respect, it affords cloud a very dynamic foundation on which to deploy value-added services at the application layer that can address some of the challenges with cloud noted above with respect to thinking differently about how we deploy infrastructure services in a topologically-hampered environment. NFV continues to be of most interest to service providers, and their goal is fast, flexible, programmability in the network that enables rapid development and deployment of new services that increase ARPU by offering new value and competitive advantages. As far as cloud goes, NFV could be layered atop SDN to provide a layer of elasticity and dynamic provisioning for value added services, but right now service providers are more concerned about services than they are the core network (because they rearchitected that when IMS and similar architectures became popular).

Excellent stuff, Lori! Thanks! You can connect with and follow Lori on DevCentral or Twitter

ps


Wednesday, April 10, 2013

Ride The Crime Coaster

Now that would be a fun amusement park ride - the Crime Coaster - with the hills and valleys designed based on crime statistic charts.  You can even get a digital photo of yourself as you fly thru the Tunnel of Turmoil.  Muuhahahahahahahahahah! 

With all the dire warnings of how cybercrime is the nation's top priority, I was wondering how other crimes have been faring.  And NO, this is not a for/against 'gun control' rant, but for instance, is burglary losing its luster to smashing a server's window?  Since cybercrime is a billion dollar business, will the door-to-door thief change tactics?  Probably not for now, but as physical, non-cyber crimes drop, does digital crime go up?  Or, since 'stealing something' is the ultimate goal, as more methods (like cyber) to accomplish that goal become available, does all crime go up?  I should also note that crime stats should be taken with a grain of salt since law enforcement can only comment on the crimes that have been reported to them.  Crimes like car theft are often reported due to insurance claims, while other crimes, like domestic disputes, are underreported due to embarrassment or other hindering factors.  Add to that, different jurisdictions have various scales of classification, penalties and measurement.  Plus, the recent report that says few companies report that cybercrime results in big losses only adds to the confusion.

According to the FBI, violent crimes in the US are down for the 5th year in a row.  Granted, for now, cybercrime is probably more property related than violent, but that could change.  Cities like Los Angeles are reporting that crime, violent and property, is down significantly, even though, overall, LA is much higher than the rest of California and violent crime in LA occurs at a rate higher than in most communities of all population sizes in America, according to neighborhoodscout.com.  Most criminologists agree that several factors are contributing to the decline: one of the highest incarceration rates in the world, an increased police presence, security cameras everywhere, an aging population, and programs to help both the youngsters and those in need.

So while our physical bodies and personal property in the material world are safer, our identity, privacy, passwords, infrastructure, and other digital collateral are more at risk than ever.  On a daily basis, companies are getting probed and breached, yet they might not know or simply might not report it.  I bet, however, that if someone threw a rock smashing their lobby window, a couple of Five-O's would be on the scene taking statements.  The company, local employees and the police would have a BOLO issued and everyone would be on heightened alert.  There might also be additional security measures taken: tempered glass, CCTV, key card entry and other physical protection mechanisms.

We readily deploy layered security for our physical property with locks, alarms, dogs, cameras, window bars, weapons, panic rooms, etc., all within the context of what we are trying to protect.  We should do the same for our digital assets.  Imagine if we took the same safeguards (or paranoia in this case), albeit with different technologies, to protect our bits and bytes.  Yes, there will still be breaches, but maybe things like D/DoS, SQLi and other well-known attacks can be greatly reduced, since we do have the technology to protect against them.  It just has to be deployed.
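To make the SQLi point concrete, here is an added example (not code from the original post or from F5): the same login lookup written the way injection exploits it and the way that closes it, run against an in-memory SQLite table filled with constructed sample users. The attacker string, the user rows and the crude token filter are all assumptions made for the demo; the filter stands in for the kind of signature check a WAF applies in front of the app and is a second layer, not a substitute for the parameterized query.

```python
"""Added example: string-concatenated SQL (vulnerable) beside a parameterized
query (hardened), demonstrated on a constructed in-memory SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Throwaway in-memory user table with constructed sample rows.
    Passwords are stored in clear only to keep the demo short; a real
    system stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Concatenates untrusted input straight into the SQL text: the classic
    SQLi bug. Returns (username, role) of the first matching row, or None."""
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Same query, but the inputs travel as bound parameters, so the database
    never parses them as SQL no matter what characters they contain."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Assumed token list for a crude input check of the kind a WAF signature or an
# app-side filter applies. It catches the payload below but is easy to evade,
# which is why the parameterized query, not the filter, is the real fix.
SUSPICIOUS_TOKENS = ("'", "--", "/*", ";")


def looks_like_injection(value: str) -> bool:
    """True when the value carries any of the quote/comment tokens above."""
    return any(token in value for token in SUSPICIOUS_TOKENS)


if __name__ == "__main__":
    db = make_db()
    # Constructed attacker input: closes the string, adds an always-true
    # clause, and comments out the password comparison.
    payload = "' OR 1=1 --"
    print("vulnerable :", login_vulnerable(db, payload, "anything"))  # ('alice', 'admin')
    print("hardened   :", login_hardened(db, payload, "anything"))    # None
    print("legit user :", login_hardened(db, "bob", "hunter2"))       # ('bob', 'user')
    print("flagged    :", looks_like_injection(payload))              # True
```

Run as a script it prints both outcomes side by side: the concatenated query hands the attacker the first row in the table (the admin account) without a password, while the bound-parameter version returns nothing for the same input and still authenticates a real user.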

We thwart criminals and protect our personal physical property with a vast array of mechanisms and we feel/are secure...maybe we should take that same focus, fear and fever in protecting our digital self.  Then, as you peel off the pixilated mask you'll hear, '...and I would've gotten away with it, too, if it hadn't been for those meddling firewalls!'

ps


Tuesday, April 2, 2013

Mobile Threats Rise 261% in Perspective

A new report from ABI Research indicates that the number of unique mobile threats grew 261% in just two quarters.  As mobile functionality grows, so does the threat surface, and mobile malware is starting to target specific platforms.  This is certainly a concern for those organizations rolling out BYOD initiatives.  You've heard athletes and coaches talk about giving 110%, which is obviously impossible, but some of the recent mobile malware growth numbers are huge, on the order of 1700%.

To gain some perspective, I wanted to know what else in the world is growing at 261%.  Here's what I found.

Real Estate: According to this article, the Guangzhou City Housing Authority said in 2012 that Guangzhou hand house prices rose to 14,044 yuan from 3,888 yuan, up 261%, while the national urban average house price rose 143% - if I understood the article correctly.

US Household Debt: This article from June 2012 reported that, measuring household debt as a percentage of disposable income from 1989 to 2004, the increase in debt per family for the first four income quintiles and the top two deciles was 261%, 170%, 131%, 90%, 103% and 93% respectively.  So during the credit boom the poorest families increased their debt, proportionally, the most.  It has now dropped to 2004 levels of around 110% on average.

Mobile Ad Impressions: TechCrunch wrote back in December 2011 (Dec 30th, specifically), that mobile ad impressions on the new (at the time) Kindle Fire grew 261% on Christmas Day 2011.  Mobile ad network Millennial Media reported that as consumers opened and used their new Kindle Fires, ad impressions increased even more. As millions of consumers unwrapped new Kindle Fires, Millennial saw an average daily growth rate of 113 percent.  On December 24, impressions grew 32 percent; and on Christmas day in particular, impressions on the Kindle Fire grew 261%.

mCommerce: Research by IMRG Capgemini e-Retail Sales Index showed that there was solid growth in Internet retail sales in October 2012. British shoppers have been said to spend £6.7billion online and October 2012 saw 261% growth year on year.

Weather/Rainfall: Rainfall in New Delhi during February 2013 was 261% above normal.  Apparently during that month, the active wet spells were a result of stronger than normal westerly winds in upper levels along Delhi latitude.  An official was quoted saying, 'The low level wind anomaly over northwest Bay of Bengal and northeast Arabian Sea was southeasterly which facilitated enhanced moisture convergence over Delhi and adjoining areas.'

Gaming Casinos: A survey of 3,035 New England residents found that more than twice as many Massachusetts residents visited Twin River and Newport Grand Casinos as Rhode Island residents in 2012, continuing a six-year trend that saw the number of visits from Bay State residents to the Lincoln-based casino skyrocket by 261%.  This may change soon however once Massachusetts opens three resort-style casinos.

Payday Loans: Larger banks started to jump into the lucrative payday loan business in 2010 and 2011, since they can loan $100 for a $7.50 fee, an annualized interest rate of 261%.  As the banks like to point out, it is less than the 400-plus% charged by many payday lenders.

The 1970s: While That 70s Show kicked off the careers of a few actors (T Grace, A Kutcher, M Kunis and others), the '70s was a period of high inflation, with overall prices rising 261% during the decade.  According to How Much Would £10 Have Bought You Over The Years?, during the '70s £10 would have bought one of the very first baby car seats for a new family, or a food mixer for a budding chef.

There were a couple of others, like ACCESS Bank posting 261% profit growth, shares of Time Warner Cable having risen 261% since the spinoff from Time Warner in 2009, and the fact that an income of $30,000 is 261% of the poverty level used to qualify for certain provisions of the Affordable Care Act.  261% of anything is a significant jump in growth, and clearly the rise in mobile malware is no exception.  Hopefully comparing it to other areas that had the same growth helps in understanding its significance today, and maybe my blog will have a 261% increase in readership.  I thought about playing 2-6-1 for the Daily 3 lottery, but that was drawn on March 30, 2013.

ps


Posted via email from psilva's prophecies