Computer Security

No one would dare drive a car with a rope tied around their lap, but you’d access your life’s savings with a 4-digit PIN. Neither action makes sense. Good passwords are a minimum requirement.

A recent article, How Biometrics Is Becoming the Security of the Future, made me think about digital security. While biometrics are convenient, they are really just an access method and don’t invalidate the use of a good password. I don’t know of a single biometric tool that isn’t tied to a password. So if your password is “p@ssw0rd”, you still have poor security even though your face or fingerprint is unique.

My rules for passwords are simple.

Lock your devices with solid passwords. Your smartphone and your PC are your digital twin and probably have access to your entire financial world. Why would you leave them wide open for someone to grab and gain access to almost everything about you?

Use a password locker. A password locker enables you to have a master password that accesses your other passwords. Why is this so important? Because then you can use really good individual passwords, such as 15 characters or more with lots of non-standard characters, for every account. There are free ones, but I think it might be worth the price of a couple of lattes a month to protect yourself and gain the integration features found in the paid versions.

Use two-factor authentication. I have 2-factor on all my important accounts or require it when I make major changes to an account, such as updating passwords or addresses, or transferring funds. I use an authentication application on my smartphone to provide me the 6-digit code where it’s allowed. In other cases, I just have the system text me the 6-digit code. Two-factor proves you have control of the device.

Use strong passwords. Strong passwords are not that hard to come up with. If you are using a password locker, most have strong password generators. I set mine so the password characters are easy to read, so it avoids putting “1”s next to “l”s or “0”s next to “O”s. I know I’ve spent 5 minutes trying to get serial numbers entered when I have a lot of similar-looking characters. Another great trick is to use longer passwords that are phrases. I find song titles from my youth relatively easy to remember.
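As an added example (not code from the original post), here is a small Python generator that applies the readability rule above and puts numbers on the PIN-versus-password comparison from the opening paragraph; the set of look-alike characters and the symbol list are my own assumptions, not anything the post specifies.

```python
import math
import secrets
import string

# Assumed set of characters that are easy to misread when typing a password
# from a screen or a printout (1/l/I, 0/O, 5/S, 8/B, 2/Z).
AMBIGUOUS = set("0O1lI|5S8B2Z")

def readable_alphabet(symbols="!@#$%^&*-_=+?"):
    """Letters, digits and (assumed) symbols with look-alike characters removed."""
    base = string.ascii_letters + string.digits + symbols
    return "".join(c for c in base if c not in AMBIGUOUS)

def has_ambiguous(password):
    """True if the password contains any character from the look-alike set."""
    return any(c in AMBIGUOUS for c in password)

def generate_password(length=15, alphabet=None):
    """Draw each character uniformly with the OS CSPRNG (secrets, not random)."""
    if alphabet is None:
        alphabet = readable_alphabet()
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet_size):
    """Guessing entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)

def compare_pin_to_password(pin_digits=4, pw_length=15, alphabet=None):
    """Return (pin_bits, password_bits, how many times larger the password keyspace is)."""
    if alphabet is None:
        alphabet = readable_alphabet()
    pin_bits = entropy_bits(pin_digits, 10)
    pw_bits = entropy_bits(pw_length, len(alphabet))
    return pin_bits, pw_bits, 2 ** (pw_bits - pin_bits)

if __name__ == "__main__":
    pw = generate_password()
    pin_bits, pw_bits, ratio = compare_pin_to_password()
    print(f"generated: {pw} (look-alikes present: {has_ambiguous(pw)})")
    print(f"4-digit PIN: {pin_bits:.1f} bits; 15-char password: {pw_bits:.1f} bits")
    print(f"the password keyspace is about {ratio:.2e} times larger")
```

With the 64-character readable alphabet, each character contributes exactly 6 bits, so a 15-character password carries 90 bits against roughly 13 bits for a 4-digit PIN.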

Use shared passwords via a password locker. This is probably controversial, but we provide support for some older relatives. I also share access to household accounts like utilities, drug stores, and groceries with my spouse. In the case of the relative, they write the password on a post-it stuck to the refrigerator where anyone coming in sees it. Even then, they get stuck. Having secure access to the account and password, we can help them. In the case of shared household activities, it means we can back each other up and don’t end up texting passwords to each other. Where there is a family feature, we do use it, but until all accounts have family sharing, we’ll be using shared passwords.

Change the passwords. Change is hard. About the time I get comfortable with a password, it seems it’s time to change it. I’m less hard-core about this requirement, but if you even suspect something is going on, be sure to change your password.

Lock your accounts down. If you can, lock up the features of your accounts that can rob you or take control of your accounts. I’m not old enough to use my 401k, so they are locked for withdrawals. Most other accounts don’t allow significant changes without additional confirmation. Also, the change in law lets you lock your credit reporting accounts so no one can open a loan or charge without you unlocking them. They can still report on you, but it protects you. Spend some time getting to know the features of your major accounts.

Audit everything. While you are in there locking things down, you should turn on your audit features. For example, I get an email or text if someone makes a foreign charge or charges over $500 on my credit card. It takes 5 seconds to read and delete if it is OK. If it’s not, I can contact the credit card company in seconds to stop the problem before it becomes my problem. The only drawback is that it is really hard to buy a gift for my spouse when traveling because she gets the alerts. I can live with it.

No matter what anyone tells you or how great your biometrics are, you still need good passwords. I think a password locker is helpful and certainly better than a pad of paper, post-it notes, or an Excel spreadsheet. After that, it is up to you to use it, set good passwords, and monitor your account statuses. Access anywhere is a great super power, and with great power comes the responsibility to use it with care.

I hate it when corporate security is correct!

My laptop runs slow due to encryption. I can’t use public file sharing sites like Dropbox, Google Drive, etc. Only some of the mobile functionality is enabled on my smartphone, and it is not evenly distributed by operating system such as Blackberry, iOS, and Android (due to security). I don’t even know what we do with Windows Mobile OS. All of this overhead, oversight, and security is cramping my style and agility, and they are correct!

“When everyone is out to get you, paranoia is only good thinking.” – Dr. Johnny Fever, WKRP in Cincinnati.

Corporate Security was correct in their thinking.  It looks like there are not just individual criminals and some less than ethical corporations out to get our corporate secrets, but the Chinese Government is actively working to steal them.  I found the NY Times article below unnerving.

I fully understand why governments feel they have the right to protect themselves from other governments. And I’m willing to acknowledge that technology is part of warfare, but it appears China has bonded its defense strategy to its corporate strategy. To me, a line has been crossed. If you want to read the full Mandiant Security report, it is available, but I don’t think you will sleep any better at night. (http://intelreport.mandiant.com/)

Chinese Army Unit Is Seen as Tied to Hacking Against U.S.

On the outskirts of Shanghai, in a run-down neighborhood dominated by a 12-story white office tower, sits a People’s Liberation Army base for China’s growing corps of cyberwarriors.

:

Mandiant’s report does not name the victims, who usually insist on anonymity. A 2009 attack on Coca-Cola coincided with the beverage giant’s failed attempt to acquire the China Huiyuan Juice Group for $2.4 billion, according to people with knowledge of the results of the company’s investigation.

As Coca-Cola executives were negotiating what would have been the largest foreign purchase of a Chinese company, Comment Crew [Chinese Army Hacker Unit] was busy rummaging through their computers in an apparent effort to learn more about Coca-Cola’s negotiation strategy.

http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all&_r=0

It appears to me that if you are going to approach cloud for your corporate assets, you had better be very sure that your cloud provider is as focused or even more focused on security measures as your own company.

Losses due to hacking have big dollars associated with them. According to the HotForSecurity site, recent reports showed hackers earned $12.5 billion in 2011. The top 5 incidents that were known are below. I’m sure many others went unreported.

  1. $171 million – Sony
  2. $2.7 million – Citigroup ($4B in total losses)
  3. $2 million – Stratfor
  4. $2 million – AT&T
  5. $1 million – Fidelity Investments, Scottrade, E*Trade, Charles Schwab

http://www.hotforsecurity.com/blog/top-5-corporate-losses-due-to-hacking-1820.html

I can’t say what other cloud providers do or don’t do. I can say that at IBM, we always take security very seriously and push it down to the seemingly innocuous layers, not just in the cloud data centers but throughout the company. And yes, that even means my laptop, iPhone, iPad, etc. Keep in mind, it only takes one nasty e-mail or one infected file from a shared site to start the rift in your corporate security.

Yes, I still believe the future is cloud – IaaS, PaaS, and SaaS.  We just need to make sure we do it responsibly.  Later, I’ll discuss what we are doing at high level with our two public cloud solutions – SmartCloud Enterprise and SmartCloud Enterprise+ – to make them secure for enterprise computing including SAP.