February 5, 2013 By Dan Lohrmann
Notifications sent from social media companies. Some people love them – others want them to go away.
Is your inbox filling up with reminders for you to log on - or miss out? Has guilt or curiosity been used to get you to come back? Lately, I’ve come to discover that these emails can be helpful, annoying, rude and even fake.
Examples Please?
Do any of these social media emails look familiar?
“Priscilla tagged you in 3 photos on Facebook.”
“Your friends (insert names) are waiting to see their posts on your timeline.”
“Saralee commented on Priscilla’s photo of you.”
“You have 3 connection requests, 10 tagged photos and 2 pokes waiting on Facebook.”
Perhaps you welcome these regular notifications. But as an infrequent Facebook user, I must admit that they’ve become rather annoying to me lately. On the other hand, my wife and daughters appreciate them, so it seems that everyone views these messages differently.
But I’m not alone in wondering about the default setting for sending these notifications. In fact, you can even ‘like’ this message which proclaims - Facebook: stop sending me emails.
And frustration is not only about Facebook’s email notifications. Google+, Twitter and LinkedIn have their own share of both helpful reminders and pushy messages. For example, this article discusses the Google+ birthday reminder feature:
“Many find Facebook's birthday reminders silly. Either they're overlooked entirely or lead to a post attack that clutters up someone's Wall (or Timeline). The folks behind Google+, on the other hand, might've just figured out how to make birthday reminders better (or less annoying, at least).”
On the negative side, this article points to the downside of Google+ prompting users to ask their friends about things:
I understand that your goal is to get everybody using Google+ and I know your reasons behind it. But I’m pretty put off by being asked on EVERY SINGLE SEARCH QUERY whether or not I’d like to ask my friends about something. It’s like the Facebook share button on a porn site. There are things that I don’t ever want to talk to my friends about, even if they’re not embarrassing, so please stop asking me.
Fake Notifications
Whether these messages annoy you or not, you’d better make sure that they are, in fact, genuine. There are true stories of fake social media messages which deliver malware. This article about a Facebook photo notification tells of one phony message.
“Be careful about opening emails that claim you have been tagged in a Facebook photo, because they may actually be malware, according to a security expert.
Sophos's NakedSecurity blog outlined the threat on Wednesday. The company's SophosLabs intercepted a "spammed-out email campaign" which was designed to spread malware.”
Can you tell real messages apart from fake ones? This blog tests your ability to distinguish real Facebook messages from fake ones that download malware.
“Unfortunately, phishers are getting better at what they do, and spotting a fake isn't as easy as you might think. I've assembled four Facebook notifications that arrived in my e-mail inbox recently. Can you tell which are real and which are fake? (Click any image to see it at full size, or visit the accompanying gallery to flip through all four screens at full size.)”
Turning Off Notifications
Yes, you can trim down or turn off these notifications in Facebook, Google+ and Twitter.
This link can help you turn off notifications for your Google+ calendar.
Or, this Business Insider article covers turning off (or cutting back on) Facebook notifications.
There’s even a service to turn off the notifications across multiple platforms. For example, the Notifymenot service, which is described here, turns off notifications for multiple social media sites.
Turning Off Social Media Entirely?
But some are going much further. They are asking if it is even time to quit social media altogether? I’m not going that far, but here’s an excerpt from a thought-provoking article I read recently:
“…Almost a quarter of Americans say that they’ve missed out on important life moments in their quest to capture and memorialize them for social media. Think about that the next time you’re Instagramming your anniversary dinner at P.F. Chang’s. With the ubiquity of communications technology in our daily lives, it’s easy to convince ourselves that the digital world is where all the action is and that the effort we put into building our online empire directly correlates to IRL benefits such as scoring a new job or landing a new mate. In fact, over 90% of job hunters of all ages look for work online, but less than 5% are conducting offline job hunting activities such as attending networking events or setting up information interviews. And guess what? A full 70 – 80% of job vacancies are never posted, so all that job board scouring is likely for naught….”
As I mentioned last year about this time, I know people who are giving up much of their online life, at least for a season such as Lent.
As for me, I’m just cutting back on the notices a bit. I like using social media, but my inbox is filling up with too many notifications. Now that the Super Bowl is over, I think it’s time to go on a notifications diet.
How about you? Do you like social media notifications?
January 29, 2013 By Dan Lohrmann
If ‘Internet connection speed’ was an Olympic event, the USA wouldn’t even get a medal. In fact, America would finish somewhere between 9th and 24th, depending on the exact event – I mean comparison. This assessment comes from a recent Akamai report on “The State of the Internet.”
According to this CNN article, which commented on the report, Hong Kong takes Internet speed title:
“The city was found to have the highest average peak connection speed of just over 54 megabits per second during the third quarter of 2012….
In the peak speed stakes, Hong Kong is followed by South Korea (48.8 Mbps), Japan (42.2 Mbps), Latvia (37.5 Mbps) and Romania (37.4 Mbps).
The United States straggled in in 14th place with 29.6 Mbps. The U.S. state with the fastest connection is still Delaware with a swift 10.9 Mbps, although the District of Columbia is catching up.”
Data Collection Methods
How is the data collected? Here’s an excerpt from the beginning of the Akamai report’s executive summary:
“Akamai’s globally distributed Intelligent Platform allows us to gather massive amounts of information on many metrics, including connection speeds, attack traffic, network connectivity/availability/latency problems, and IPv6 growth/transition progress, as well as traffic patterns across leading Web sites and digital media providers. Each quarter, Akamai publishes the State of the Internet Report. This report includes data gathered from across the Akamai Intelligent Platform during the third quarter of 2012 about attack traffic, broadband adoption, and mobile connectivity, as well as trends seen in this data over time. In addition, this quarter’s report includes insight into SSL, the state of IPv6 adoption as measured by Hurricane Electric along with perspectives on the U.S. government’s IPv6 deadline, and observations from Akamai partner Ericsson comparing application traffic on 2G and 3G networks.”
This Internet data can be visualized in several ways at this website, which allows a wide variety of search parameters.
Any Good News?
Is there any good news coming? Perhaps.
Back in 2010, Newsweek ran this article asking: How fast will your Internet be in 2020? The article talks about the broadband situation in various parts of the country and what is being done to improve things going forward.
Meanwhile, CNBC just reported that telecom firms’ spending on network gear is expected to be up in 2013, after being down in 2012. Also, network investments are expected to be way up in the USA, while flat in Europe.
The Federal Communications Commission (FCC) also tracks broadband speeds across the country. Ever since the Recovery Act grants to expand broadband access, this website has tracked investments. In addition, this website has detailed progress on broadband connectivity in your state and zip code area.
Tracking Recent Cyberattack Sources
The Akamai report also listed sources of Internet attacks:
“China was found to be the single largest source of attack traffic -- 33% -- during the quarter. Attacks from the country doubled during the period, a statistic the report described as "somewhat surprising."
The United States and Russia came next in the top three. In all, the top 10 countries were responsible for almost three quarters of global attacks.”
The UK website TheRegister had this to say about China’s cyberattack numbers:
“This is actually a little curious, since compared to other countries in the region, China's internet infrastructure is not all that impressive. China's share of attack traffic was up sharply from the previous quarter, too, when its packets only accounted for 16 per cent of all attacks….
Chinese customers' average peak connection speed was just 7.1Mbps, and only 3.9 per cent of Chinese had access to broadband faster than 4Mbps.
But China is a nation of 1.3 billion people, and while many have no access to the internet for now, more are coming online every day. By Akamai's latest figures, the number of Chinese with access to 4Mbps broadband increased 79 per cent year-over-year, and the number with access to connections at speeds 10Mbps or higher was up 70 per cent. Hopefully the number of cyber-attacks coming from China does not keep pace with the growth of its infrastructure.”
What About Your Current Connection Speed?
Getting a bit more personal, many people want to know what their current Internet connection speed is at home or work. In case you want to check your own connection speed, you can use this tool from Speedmatters.org.
I must admit that my home and work Internet connection speeds were well above the listed top international averages, so I’m feeling pretty happy right now.
How about you? Any comments on Internet connection speeds in your part of the world?
January 22, 2013 By Dan Lohrmann
Is it time to change the way we think about work-life balance? I’m not sure, but I’ve become more open-minded on this issue. Allow me to explain.
Last week, I was speaking at an ISACA Detroit meeting, and an interesting debate came up at dinner. This conversation ensued after my presentation on: Why Security Professionals Fail – And Pragmatic Solutions to Help Succeed. The fun, yet challenging, discussion revolved around strategies for dealing with career burnout.
One person at the table said something to the effect of: “We’ve stopped trying to promote work-life balance at my (private sector) company. We now encourage ‘career-life fit.’”
My response was: “Huh? What’s the difference?” Little did I know, I had just opened up “Pandora’s Box.”
It turns out that there is quite a bit of difference, and the potential need for change comes from work situations such as:
- Emergencies: when you need to work long hours for many days in a row. (For example: malware outbreaks, emergency management incidents, etc.)
- Education: you go for that graduate degree or special certification to get ahead.
- Career path choices: dealing with seasons in your career when you need to work long hours for extended periods. (For example: doctors going through internships.)
- Promotional considerations: you “go the extra mile” in your office to gain a positive edge on the competition.
- Seasonal changes that meet your life needs. (For example, you are very busy working long hours for part of the year, like tax season, to gain fewer hours in other seasons.)
- Job changes: your new job requires you to always carry a pager – but you like the extra ‘on call’ pay and/or overtime pay when you are called in.
There are plenty of other examples and situations that don’t reflect “balance” of time at home and work. What is fairly obvious is that all of us go through various seasons of our lives and have different needs. In addition, different employees have very different views on what gives them satisfaction and enjoyment in life.
New Name - Or Not?
There is a formal movement to change the way we think about these topics. This article on Work-Life Balance vs. Work-Life Fitness explains some of the questions to ask in this different work/life fitness approach.
“To achieve work/life fitness, consider the things that you need to do and the things you want to do. What are your professional goals? Do you want to get married and have kids? Do you want to travel? If you have an important deadline coming up or are striving for a promotion, then you may find work/life fitness despite devoting more time to work. Remember, the ratio of work to life that you can take on while maintaining work-life fitness may shift as you progress into different life phases.”
This dialogue also brings up another question: What about the different needs of men and women? An article from Forbes entitled Real Men Don't Need Work Life Balance addresses this question:
“In organizations, while it is acceptable for women to demand flexible work or plan their maternity leave, men seeking similar arrangements or paternity leave is still rare. When it comes to gender neutral programs, such as job sharing, men experience a higher level of stigma in the use of such arrangements. Research shows that 48% of men felt that using the arrangements was not a real option. So creation of policy does not equal its utilization.”
How relevant is this topic to the 2013 workforce? Very relevant! In fact, this issue is often listed as more important than pay by most employees. The Glass Hammer went further with this discussion, moving to new terms that address every employee’s “fit” with their organization’s needs.
“Women were more likely than men to cite work life fit as their reason for staying with their employer – but both ranked it as the highest reason (72 percent of women compared with 62 percent of men). In fact, women and men prioritized similarly when it came to why they stayed in their jobs on the next most popular reasons as well: benefits (61 percent of women and 59 percent of men) and money (57 percent of women and 62 percent of men).
But, what may surprise you is that people without children were more likely than people with children to cite work life fit as a key reason for staying in their jobs (67 percent compared to 65 percent).”
What’s The Answer?
So where is this trend heading? How do we deal with unequal scales for men and women or for parents and singles? The New York Times ran this piece that recommended moving away from questions about “where you are going” and to “how will I get my work done” discussions with your boss.
I also think that most of the government employees I know, who work in either security or technology professional fields, take this work/life issue very seriously. They value their family time and they sacrifice higher pay in the private sector for government jobs that may better meet their personal situations and commitments.
Still, the new millennial generation is now demanding this same level of attention to work-life fit in both the public and private sectors. I expect that this topic will become even more heated over time.
So What Is Work-Life Balance Called Going Forward?
Back to that dinner conversation: after about fifteen minutes of discussion, I was beginning to understand the new way of thinking. That night, I went home and did some research. I found this article which offers Work-Life Balance - By Any Other Name. Here’s an excerpt:
“When a 2008 Sloan Network poll asked readers to choose their favorite term, 46% preferred "work-life balance." Twenty-five percent picked "work-life integration," and 8% liked "work-life juggle" best.
But alternatives have sprouted up everywhere: Cali Williams Yost, author and work-life consultant, promotes "work-life fit"; Cathy Benko, former chief talent officer at Deloitte, opts for the similar term "career-life fit;" Catalyst, a research organization working for the advancement of women, advocates for "work-life effectiveness;" Jodie Benveniste, director of Parent Wellbeing and author, created the phrase "work family flow;" and Paul Nyhan, Seattle Post-Intelligencer family reporter, favors "work-family rhythm."”
We each have an important set of metrics in our heads, and we are keeping score. We have an unseen (virtual) time clock that we’re punching. We want fair treatment. We want a boss and coworkers who understand. And we want the flexibility to change our minds, given different life situations and work roles.
I hope your management agrees – no matter what you call it.
January 14, 2013 By Dan Lohrmann
The European Network and Information Security Agency (ENISA), which is a part of the European Union (EU), recently issued a report that describes the current global cyber threat landscape. The excellent report “is based on publicly available data and provides an independent view on observed threats, threat agents and threat trends. Over 140 recent reports from security industry, networks of excellence, standardization bodies and other independent institutes have been analysed.”
In my view, the comprehensive approach used to create this PDF document makes it worth taking the time and energy to read through the entire document in detail. The extensive coverage includes definitions and activity in these areas: “Drive-by exploits, Worms/Trojans, Code Injection Attacks, Exploit Kits, Botnets, Denial of service, Phishing, Compromising confidential information, Rogueware/Scareware, Spam, Targeted Attacks, Physical Theft/Loss/Damage, Identity Theft, Abuse of Information Leakage, Search Engine Poisoning, Rogue certificates.”
After coverage of these threats, the EU report covers major threat trends, including:
“The Emerging Threat Landscape
- Threat Trends in Mobile Computing
- Threat Trends in Social Technology
- Threat Trends in Critical Infrastructures
- Threat Trends in Trust Infrastructure
- Threat Trends in Cloud Computing
- Threat Trends in Big Data”
The coverage of each area includes specific topics and whether activity is up, sideways or down. One such area is “Trust Infrastructure,” which many in the U.S. cover under the “Trusted Identities in Cyberspace.”
| Emerging Threat: Trust Infrastructure | Threat Trend |
| --- | --- |
| 1. Denial of service (an effective technique to attack trust infrastructure components and achieve impact by blocking access to relevant components, e.g., handshaking with SSL servers) | Up |
| 2. Rogue certificates (compromising trust relationships will be key in generating fake trust within components of trust infrastructure but also other systems using them) | Up |
| 3. Compromising confidential information (data breaches will have an impact in trust infrastructures, e.g., by providing valuable information to launch an attack) | Sideways |
| 4. Targeted attacks (spearphishing and APTs will remain a significant concern in this area) | Sideways |
As Bill Jackson points out in his compelling blog over at GCN, the European wording may differ slightly from that used in the USA, but the cyber protection work is very similar on both sides of the pond:
“Among the programs under way, the administration is launching an initiative to use commercial cloud services to authenticate third-party credentials for accessing government sites, called the Federal Cloud Credential Exchange. The U.S. Postal Service will be operating an FCCX pilot.”
Again, I urge readers to take the time to read this latest European report and William Jackson’s GCN blog. It is clear that these cyber attacks against critical infrastructure are a continuing (and growing) global problem. It is good to see the comprehensive report coming from Europe.
What are your thoughts on the trends identified in this report?
January 7, 2013 By Dan Lohrmann
Just when I thought I was turning the corner on Internet security awareness & cyber safety, along comes an eye-opening situation that hits so close to home that I am forced to rethink the road ahead - again.
The key questions that I’m reassessing as we head into 2013: Am I saying the right things about cybersecurity? Are the most important messages getting through? Are people (even the ones who know and like us) hearing what we say? Am I genuinely listening to them – first? Allow me to explain with a personal story.
My daughter Katherine and my wife Priscilla received new smartphones as gifts over the past few months. Without a doubt, they both love their new white, lightweight iPhone 5 handsets. They had seemingly never-ending holiday conversations about their new devices - with Katherine showing her mom all of the wonderful features, functions and helpful apps. But that conversation is for another day.
This tale is about mobile device security – or lack thereof.
It all started when Katherine was in our kitchen trying to help her friend Carli with her new iPhone 5 that she also got for Christmas. Carli’s WiFi was not working properly.
(Note: Katherine has unofficially become the resident “expert” because she received her white iPhone 5 back in November as a birthday present.) She now knows everything there is to know about smartphones - kinda.
Katherine to Carli: “You turned off the 4-digit security PIN that I configured for you!”
(Dad, who was in an adjacent room, suddenly became interested in this unexpected security conversation and put the magazine down.)
Carli to Katherine: “The screen lock is such a pain. And if I lose my iPhone, whoever finds it won’t be able to call me and return it.”
Katherine to Carli: “Yes, they can. There’s an app to find it. I showed you….”
Carli to Katherine: “But…, Mrs. Lohrmann, help – you told me you haven’t enabled a PIN for your iPhone either…. ”
Priscilla to Carli and Katherine: “You’re right. I haven’t enabled the PIN…. Yet. I’m not sure if it’s really needed or not. But don’t tell your dad, I’m still deciding….”
(Dad – who is listening in the other room – now enters the kitchen….)
Dad to all: “What did you just say?”
I’ll stop the rewind of this conversation at this point. I can tell you that, although everyone was in a good mood, laughing and polite, the “passionate discussion” continued for the next 10 minutes before Katherine and Carli realized they were late and headed out the door. We all decided to continue the dialogue “later.”
But over the past week, I’ve been thinking quite a bit about that holiday interaction. My guess is that most readers can probably relate to a similar situation in their lives at either home or work.
After that conversation, I’ve started to reconsider the effectiveness of what I personally say to family members about personal online security, as well as whether our enterprise messages are working (or not) for state employees.
Not that we haven’t been through this discussion before. Priscilla and I talk about online safety quite often as it relates to our children. We agree on the vast majority of steps we take with security on PCs, Internet access controls and filtering. It’s just that the conversation and examples keep changing as technology evolves and the kids get older.
And my thoughts often move towards work, where the same concerns and questions apply. Yes, we’ve already reinvented awareness training for employees in the past year to focus on the new online challenges and mobile situations. We did listen to employees and heard that the old training was out of date, boring and irrelevant. But now I’m worried that we’re still not doing enough. Or, perhaps, we’re falling behind in our messaging – again.
Christmas Presents Showing Up at Work
It’s that time of year when technology Christmas presents start showing up at the office. With the advent of BYOD, telework, and mobile computing, our enterprises must once again pass the test of new “stuff” showing up all over the place. This means our infrastructure and security teams rebuild architectures to ensure enough available Internet bandwidth and enough hotspots to handle the load.
Meanwhile, we must think through, again, how staff will access data, keep personal information private and a host of other topics. Once we figure out what the IT organization will do and what the employees will do, we communicate with staff.
What Do We Do – and Say?
In response, we offer revised policies, compliance regulations, new awareness training and new approaches like testing whether employees click on bad links. Every little bit helps, but can we do more?
Stacy Collett, a writer for Computerworld, recently wrote an excellent piece with five techniques on How to talk security so people will listen (and comply!). Here’s an excerpt:
“To be sure, employees are not involved in every type of corporate security breach (see Top 10 threat action types), but user behavior and non-compliance are implicated in many, including mobile malware, social network schemes and advanced target attacks. These are increasingly aimed not at CEOs and senior staffers, but at people in other job functions such as sales, HR, administration and media/public relations, as criminals try for ‘lower-hanging fruit,’ the Symantec report says.
Against such an onslaught, the stereotypical wall poster of security tips hanging in the breakroom is useless, says Julie Peeler, foundation director at the International Information Systems Security Certification Consortium -- also known as (ISC)² -- a global, non-profit organization that educates and certifies information security professionals. ‘Security training is not a one-time event. It has to be integrated throughout the entire organization, and it has to come from the top,’ she says.”
Veteran security pros will, of course, agree with Julie Peeler. For decades, we’ve been saying that good security encompasses everyone, everywhere, all the time. You never know where the next threat or incident or major attack is coming from.
So how do I plan to address this - today? My gut tells me that I need to start by looking in the mirror. Lead by example. So what are my 2013 security resolutions?
- To keep watching and analyzing our state government culture
- To learn the new ways our people are using technology
- To listen to the business more
- To keep refining the security and privacy messages we are delivering to employees
- To help people understand the impact of their actions
- To offer enabling security that truly helps
Back at home, my daughter Katherine has enabled complex security on her smartphone. She’s become an ambassador to her friends and an ally in marketing key personal security messages.
Meanwhile, my wife Priscilla has agreed to hear again what Apple recommends for security, to discuss available options for her iPhone 5 and to do what’s best.
And I’ve agreed to listen - first.
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.
