February 26, 2012 By Dan Lohrmann
How many online social networks have you joined? There’s the basic list (sites like Facebook, LinkedIn and Twitter) as well as conference interaction websites, Intranet sites at work, online magazine communities, professional association portals, security and technology topical sites (like ‘mobile security’ or ‘cybersecurity for government cloud computing’ within sites like LinkedIn) and so many more.
Whether we’re discussing work, home, family, sports, kids, church or all of the above, the logons can start to add up. They all want us to engage in new (or more) conversation. Once you’re engaged, it can be tough to disengage.
I’m starting to wonder if there are too many social media sites that I participate in. Is a backlash coming? One woman is even giving up Facebook for Lent.
But for the rest of us, an interesting trend is accelerating in which more and more groups are adding social networking “communities” or areas of interest at work. No, the idea is not totally new – we’ve had “birds of a feather” meetings at conferences for years. But the 2012 difference is that just about everyone is starting to create new online communities. It can become overwhelming to keep up, if you’re not careful.
Whether you’re involved with broad professional groups for accountants or computer scientists, or general interest communities on topics like keeping healthy or very specific sub-groups that discuss the latest trends in (whatever), it can be a challenge to decide when to “turn it off” or not join at all. Oftentimes, employees are placed on committees or into industry roles where “joining the discussion online” is expected. Students are sometimes even graded on their online interactions.
But at what point does joining a social network become a burden? Of course, I’m not the first to ask this question – nor will I be the last. A Google search of “how many social networks are too many?” yields 112 million results. Here are some of my favorite excerpts:
NPR - How many social identities are too many? - “Okay, so you're on Facebook and Twitter, and you tweet and you blog and you think you're, oh, so courant. But faster than you can lay off half the staff of MySpace, up pops a new specialized social community like Beluga from Mobile messaging, with just a private group of friends. That's a cool one. And Instagram, for sharing photos; or how about Path, a so-called personal network, limited to just 50 friends; or Audioboo for sharing audio? Using any of those?
Well, if so, you - do you have a different personality for each one, different networks for all those different things? And how do you manage that? How do you decide where to post that snowman picture that you just took in the blizzard? Better for Facebook or Tumblr? Where do you post your Super Bowl commercial pick this year, Second Life or Twitter?
Confused? Well, it's just the beginning because things are going to get a lot more complex….”
Social Media or Social Burden? – “I have often been asked the question on my social networks ‘How do you get so many friends/followers/connections?’ Well – the truth is…I am famous and am hiding it from the world…not!
The fact of the matter is that I was/am hooked on social media. It is an addiction of mine….”
Over on the solution side and not just venting …
“When you see as many apps as we do at RWW, you begin to feel like it's all been done. So many of the everyday jobs for apps to do can already be done by at least one app (if not dozens). How many ways can you share photos with your friends? How many social networks and check-ins and restaurant-discovery services do we need?
Lately, we've started to see a new class of app emerge just for managing these tasks across their various apps. The idea of apps for our apps sounds ridiculous, but some of them are neat, and some are downright lifesavers. Here's a round-up of apps you should use if you want to bring your many social networks into one dedicated place….”
So what do I recommend? I’m not quite sure, but I’ve just been asked to join a few more professional “communities” this month and help create another “trusted environment to share cyber ideas with peers.” The trouble is that I’m not sure who will actually join or be interested in these sites that I can really trust. Can I truly “engage” in all of them? One troubling aspect that I’ve seen repeated is this: a group builds a new community portal that offers a different, unique or some type of ‘special’ set of trusted relationships that others don’t have – only to grow into irrelevance over time as the marketers or other expansion pressures demand more.
Don’t get me wrong, there are real benefits to many of these communities. The trouble is they are growing like ivy. From a security perspective, there is the logon / password / single sign-on angle. There are also questions around motives and hidden agendas. But I’m not going there in this piece.
The bigger issue is how do we share ideas with the needed levels of trust and openness? Conversely, how do we ensure the right level of security and technology so that we do not share with those who are competitors and/or are not in a “need to know” situation? Can we organize things better? Join forces or merge portals? Do more with less?
Understanding social networks can become a complex topic. There’s a lot of competition for our time at home and work. (I appreciate the fact that you took the time to read this rant.) I’d love to hear ideas from readers on how you make these decisions. I’m not sure that I know the answer on this one.
February 18, 2012 By Dan Lohrmann
Just in case you haven’t been paying close attention to tech headlines lately or you’ve been totally distracted by Jeremy Lin’s unexpected NBA exploits (also known as Linsanity) or you’ve become turned off by the constant barrage of bad news related to computer hackers, this has been another bad week in the headlines for cybersecurity. Perhaps, somehow, you’ve missed the latest scary cyber news.
If this describes you, here is a mini-sample of the top news stories that the security industry has been hammered with over the past week:
Wall Street Journal – Chinese Hackers Suspected In Long-Term Nortel Breach
Excerpt: “For nearly a decade, hackers enjoyed widespread access to the corporate computer network of Nortel Networks Ltd., a once-giant telecommunications firm now fallen on hard times.”
Excerpt: “Jennifer Youngblood, a CIA spokeswoman, said on Friday night: "We are aware of the problems accessing our website, and are working to resolve them."
Anonymous claimed responsibility for shutting down the homepages of the Department of Justice and FBI last month in retaliation for the US government closing the controversial Megaupload filesharing websites.
Alabama state and Mexican mining company websites were also hacked on Friday. Web pages linked to Anonymous claimed responsibility for both attacks.”
I could go on, but I’m sure you see the trend. The chilling truth is that cyber headlines, often involving major breaches, are relentless. I keep thinking that things can’t get worse – but they somehow do. Over the past few years, we just kept hearing more and more frightening stories about hacker successes and sensitive data lost.
Bad FUD Defined
Competent security pros can easily keep your attention and can scare just about any audience with a well-selected sampling of these headline stories. Recent hacking incidents and the millions of dollars or reputations lost often make CNN and Fox News. Security professionals call an extensive focus on these stories “FUD,” which stands for “Fear, Uncertainty and Doubt.”
Yes, other industries use this term as well – but in the security and technology circles, regularly repeating FUD headlines is viewed as a bad thing. Why? Aren’t these just factual news headlines from reputable sources? Yes, but used too often or as the main message in speeches, FUD can escalate the negative views of the security industry by not offering cyber solutions that work over time. FUD often creates opposite extremes – either a sense of hopelessness or an unsustainable excitement that blocks out all other discussion.
Put another way, FUD might be compared to the sports crazes of Tebowmania or Linsanity - the topic gets super hot and takes over all coffeepot discussions, but after a while, people get sick of talking about it. Eventually, the pendulum swings the other way. Perhaps the tide has already turned for FUD, because like an addictive drug, it takes more and more FUD to have an impact in 2012.
Truth be told, I have long been a critic of FUD, which can contribute to reason #1 that security professionals fail. I have seen FUD offer a short-term bounce to security programs around the country which can later become a “haven’t you fixed that yet” mentality from senior executives 6-12 months later. Our cyber defense goals need to address long-term strategic answers that improve cyber defense over years and not just days or months. A common joke in the security industry is that you want the CISO job right after a major FUD incident. You get the $$s and support – after the last person was removed.
Good FUD as a Starter
Now allow me to also offer some positive aspects to a small slice of FUD. True cyber stories that are hot off the press are great conversation starters - like an appetizer before the main course at dinner. Remember – FUD almost always works for a brief moment. Audiences are usually intrigued by hot stories of cyber breaches or worse, especially if there is some new twist or a different channel that was used to gain unauthorized access. Advice: just don’t make the FUD the main point of your speech or end with “and you’re next if you don’t follow my advice.”
But while FUD usually works great to get a speech kicked off or as an icebreaker with a person who knows very little about security, it should not be used as the main course. Just as financial advisors know what to say to clients after a bad day with big stock market losses, smart cyber pros will use that “teachable moment” to move on to what actions their company can (and needs to) take now. Advice: have that elevator speech ready for the next FUD to hit. Also, get to know “the rest of the story” so that you can keep the conversation going beyond the headline that is so popular.
One more point in the “good FUD” category: keeping track of the latest FUD is important for your career. Security pros need to be well-informed when asked “what happened” by friends and colleagues at home and work. You are the resident “expert” so a puzzled look about yesterday’s headline hack, while occasionally ok, is not an effective way to build confidence in your abilities. Advice: When this happens and you’re caught off-guard, read up on the incident quickly, because others will ask as well.
FUD Can Also Get Ugly and Personal
I remember a major breach that occurred back in the 90s that taught me a lesson. I was at a training conference on how to configure network firewalls and security controls. As I was eating breakfast before class and reading a front-page Washington Post article about a major breach to a colleague, he turned to me and said, “Oh my gosh, that’s my website! I was sent here to this class to make sure we weren’t hacked.”
My two-day friendship ended when he was called away and never came back. I later heard he was fired.
The lesson – scary FUD headlines are real and can become very personal. I know several security pros – both leaders and analysts – that were “overcome by events” that were probably outside of their direct control. Nevertheless, we ignore FUD at our own peril.
All of us in the security industry are aware of the unexpected challenges that a career in cyber can contain. If management is looking for a scapegoat after a major incident, FUD can lead to changes that may not be well thought out or even helpful to defending the enterprise. Still, these cyber headlines can derail impressive careers if “perception becomes reality.” After the cleanup, management may say you should have known or stopped the incident from happening. Advice: develop a good relationship with your government agency’s Public Information Officer (PIO) who is trained to deal with the press. Work together as a team during cyber incidents. Sure, we want to stay out of the news, but prepare for the worst.
Bottom line, FUD is a complicated topic. FUD can be your friend or your worst enemy. It can light a fire under cyber initiatives, or end a career. It can influence decisions in the middle of a crisis. Regardless of the story, FUD is important to master – and that’s not just hype.
Any FUD stories to share?
February 7, 2012 By Dan Lohrmann
It’s that time of year when my email in-box starts filling up with invitations to events surrounding the RSA conference in San Francisco. Whether from vendors, current friends, former colleagues or other security pros who just want to connect, the new offers seem to get more creative every year. There are huge parties, forums, get-togethers, breakfasts and even totally separate conferences (or one-day workshops) running at the same time or before the event.
Of course, the assumption – no, the strong expectation – is that you’ll be in San Fran that week. If you write back that you’re not going this year, the surprised response is always some rendition of “Is everything ok?” Some of you are probably wondering that about me now – no, I'm not going in 2012 and yes, everything is fine.
Now, before I go on, I need to say that this is not a promo for RSA. Yes, I’ve been, and it’s an excellent conference with an unparalleled number of industry exhibitors, training seminars, exciting keynotes, new announcements of products, award ceremonies, etc. More than that, it is almost like “reunion time” where you can get together with friends from around the world from the Department of Homeland Security (DHS) to leading companies in Europe. Speaking at RSA is a huge honor. If you’ve never been – it’s worth going at least once, if at all possible.
Which is where I’m heading with this piece - it’s not possible for the vast majority of state and local government employees to attend RSA or other large conferences like Black Hat.
Most state and local government cyber pros are forbidden from traveling out of state on business, unless given a “special exception.” In the majority of government cases, training conferences don’t qualify for this exception – unless you are presenting and the conference is paying the travel expenses. Of course, government employees cannot accept gifts or trips from vendors, which means that many of the best security conferences are out-of-reach for many government security staff who could often benefit from the training.
(Side note: this same training problem exists for other government professionals in many different fields when the economy is bad and revenues are down.) Every state is different, and there are a number of variations on this theme. Nevertheless, online training, web conferences and local training are now the norm.
What’s to be done locally?
There’s an age-old phrase that I learned way back when I started my career at NSA in the mid-80s. It starts with the question: Who’s the expert?
Answer: The guy from out of town.
Since perception is often reality, there’s an element of truth to that popular statement. But what about cybersecurity conferences? Are all of the good security conferences out of town (or out-of-state)? I think not.
So what’s the solution? If you can’t bring the people to the conferences … bring the conferences to the people. This is what’s being done all over the nation. Here are a few examples:
SecureWorld Expo Events: These 2-day security conferences have been going on in major US cities for almost a decade. I always look forward to the Detroit event (which is close to Lansing). We’ve been able to get 50+ state employees to that event each year, and we can often get discounted (or free) tickets for government employees. I know the great professional team running these events, and I’ve had the opportunity to speak at SecureWorld events around the USA. I highly recommend attending and encourage active participation in your part of the country.
Government Technology Magazine Events – These events are run by the Center for Digital Government (CDG), and they are very well done – often with a local flavor and great nationally-known keynote speakers. In Michigan, we’ve been holding an annual Michigan Government Summit for years, in partnership with GovTech. What sets these events apart is the state-local collaboration that occurs before, during and after the annual events. The process of building the agenda with state/local IT leaders is almost as helpful as the event itself at fostering cooperation.
Many of these events have a track or even an entire day on cybersecurity. In 2009, we held a one-off cyber summit in partnership with CDG. And the second afternoon of the GovTech conference focused on cybersecurity in 2010.
Which leads to my last idea on this conference topic: starting home-grown technology events. If there is nothing going on in your area, build it yourself. Last year, we launched Cyber Security Awareness Month for the nation at the Michigan Cyber Summit. Each year, our Michigan State Police partners hold a great event in Grand Rapids called the Great Lakes Homeland Security Conference.
My point is that there are plenty of excellent opportunities to learn and be trained right where you are. Look around. Google it.
Sure, RSA is fun and unique. If you really want to go, brush up on your Toastmasters skills and try to become a speaker at a breakout session (but submit a proposal early - it's tough to get accepted). It is always fun to travel, and I’ve been blessed to speak at events around the world. Nevertheless, some of my best experiences have been at security and technology conferences near home. Best of all, you get to sleep in your own bed and stay near family.
I'd love to hear about your experiences or ideas for cyber or technology training. Feel free to leave a comment.
January 30, 2012 By Dan Lohrmann
Major technology vendors announced the formation of the Domain-based Message Authentication, Reporting and Conformance (DMARC) system today. This new email authentication framework should reduce the number of phishing scams that try to trick users into thinking emails are from someone else. Participating vendors, many of which provide free email services, aim to make spoofed domains in messages a thing of the past.
Leading technology companies like Google, Microsoft, AOL and Facebook are participating in the system – which is explained and can be examined in detail at DMARC.org. Here is a quote from the new website:
“DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate.”
Coverage of the press announcement was widespread today with numerous headlines all over the Internet such as:
USA Today – Tech companies team up to combat e-mail scams
Information Week - Google, Microsoft Say DMARC Spec Stops Phishing and
Tech Crunch - DMARC Promises a World Of Less Phishing
Here’s an excerpt from the Tech Crunch article:
“The move follows an announcement in November that Google, Microsoft, Yahoo, AOL, and Agari were authenticating emails from Facebook, YouSendIt, and other e-commerce companies and social networks.
DMARC said the anti-phishing initiative has actually been going on for the last 18 months.
According to Google, about 15 percent of all e-mail comes from members of DMARC, but by publishing their DMARC records, these records cannot be domain spoofed. This makes the anti-phishing group much more effective at stopping criminal gangs from using phishing to dupe unsuspecting users.”
Are there any downsides to DMARC? Not really, in my opinion.
However, as many at Slashdot pointed out in their comments today, this system still doesn’t stop unwanted spam from within Gmail or Yahoo (or wherever) – it only ensures that the email is not from a fake domain. The benefit is tied to ensuring that the domain is genuine – which is a huge step forward – but not a complete solution. So as the critics point out, we still need to be careful to ensure that we are reading a message from the correct user. For example: there are multiple people with the same name in Yahoo mail.
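To make the DMARC.org description above concrete (a receiver checks SPF and DKIM, then tests whether the authenticated domain “aligns” with the From: domain and applies the policy the sender published in DNS), here is an added example that is not code from DMARC.org or any of the participating vendors. It uses the published DMARC record tags (v, p, sp, adkim, aspf, pct) but replaces real DNS with a constructed in-memory table and simplifies the organizational-domain lookup to “last two labels” (a real receiver consults the Public Suffix List). The domains, records and messages are all constructed for the example. It also shows the Slashdot caveat from the paragraph above: a message sent by any user of a DMARC-enabled free mail domain passes, because DMARC authenticates the domain, not the person.

```python
"""Toy DMARC policy evaluation. Added example, not DMARC.org or vendor code.

Assumptions (constructed for this example):
  - FAKE_DNS stands in for _dmarc.<domain> TXT lookups.
  - org_domain() uses "last two labels"; real receivers use the Public Suffix List.
  - SPF/DKIM verification has already happened; we only get their resulting domains.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed DNS table: what a receiver would fetch from _dmarc.<domain> TXT.
FAKE_DNS = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@bank.example",
    "_dmarc.freemail.example": "v=DMARC1; p=none",
}


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, applying the spec defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be first and p= is mandatory; anything else is not a DMARC record.
    if txt.strip().lower().startswith("v=dmarc1") is False or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 first and a p= tag)")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless stated
    tags.setdefault("pct", "100")  # apply policy to all failing mail (sampling not modelled)
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption, see docstring)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_policy(from_domain: str) -> Tuple[Optional[dict], bool]:
    """Return (record, found_at_org_domain). Receivers try the exact domain, then the org domain."""
    rec = FAKE_DNS.get(f"_dmarc.{from_domain.lower()}")
    if rec:
        return parse_dmarc_record(rec), False
    rec = FAKE_DNS.get(f"_dmarc.{org_domain(from_domain)}")
    if rec:
        return parse_dmarc_record(rec), True
    return None, False


@dataclass
class AuthResult:
    from_domain: str            # domain in the RFC5322.From header the user sees
    spf_domain: Optional[str]   # MAIL FROM domain if SPF passed, else None
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified, else None


def evaluate(msg: AuthResult) -> str:
    """'none' when no policy exists, 'pass' when SPF or DKIM aligns, else the disposition."""
    policy, via_org = lookup_policy(msg.from_domain)
    if policy is None:
        return "none"
    spf_ok = aligned(msg.from_domain, msg.spf_domain, policy["aspf"])
    dkim_ok = aligned(msg.from_domain, msg.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # A subdomain without its own record inherits sp= (if present) from the org domain.
    if via_org and "sp" in policy:
        return policy["sp"]
    return policy["p"]


if __name__ == "__main__":
    legit = AuthResult("bank.example", "bank.example", None)
    spoof = AuthResult("bank.example", "attacker.example", None)
    freemail_user = AuthResult("freemail.example", "freemail.example", None)
    for label, m in [("legit", legit), ("spoof", spoof), ("freemail user", freemail_user)]:
        print(f"{label:14s} -> {evaluate(m)}")
```

The third case is the limitation the critics raised: `freemail_user` passes DMARC no matter which account at that provider sent it, so the display name and local part still have to be judged by the reader or by other controls. Note also how `adkim=s` in the bank record makes a DKIM signature from `bank.example` fail alignment for a From: of `news.bank.example`, which is why senders need to check their alignment mode before moving from `p=none` to `p=reject`.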
Nevertheless, I agree with the major vendors that this is an important step forward in fighting phishing attacks.
What are your thoughts on this announcement?
January 25, 2012 By Dan Lohrmann
The Federal Trade Commission’s website at www.onguardonline.gov remained down for a second day after it had suffered a security breach. According to Government Computer News (GCN.com), the group Anonymous hacked the site in protest over proposed anti-piracy laws and recent anti-piracy arrests.
Here’s a quote from GCN's story:
"The OnGuardOnline.gov site, intended to give people cybersecurity advice, was hacked early Jan. 24, with the home page replaced by the Anonymous logo, a rap song and a message threatening more attacks if anti-piracy legislation in Congress — which has stalled after a massive online protest Jan. 18 — were to pass.
FTC, which operates the site with several other agencies, took it offline after the hack...."
Since the protest last week, many legislators have backed away from the Stop Online Piracy Act (SOPA) because of the public outcry and pushback from many technology companies.
Meanwhile Computerworld ran an article that said the European Union’s proposed privacy rules could hinder the Internet. Here's an excerpt:
“The rules, proposed by E.U. Justice Commissioner Viviane Reding, include the so-called "right to be forgotten," allowing Internet users to have data about them deleted if there are no legitimate reasons for retaining it. The proposal would require companies with more than 250 employees to appoint data protection officers, and it would require companies to report data breaches within 24 hours.”
This new hacking trend is not slowing down, and ushers in a new cyber chapter in my view. If “hacktivists” can manipulate public opinion and get the results that they desire (like stopping new legislation), we will surely see more of this behavior in the years ahead when developments don't match the goals of various online groups.
What is your view on these developments?
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.