Breach Etiquette: Target's Responsibility

Just as retailers were in the throes of the holiday madhouse, Target – the second largest retailer in the US – was breached. Forbes recently posted an article outlining seven lessons that could be learned from the way Target handled the situation.
The link to the Forbes article is here – Target’s Worst PR Nightmare: 7 Lessons From Target’s Well-Meant But Flawed Crisis Response – but what do you think?
What I always find surprising in these cases in which consumer portal sites are breached or hacked is that there’s always so much talk about how to handle the consequences. But what about an explanation of what will be done to prevent this from happening again? The same issue happened last year with the PlayStation Network, when millions of credit-card numbers and customer records were exposed. Another scenario was the ObamaCare website: The site went down because it wasn’t properly architected and stress tested. We heard a lot about “why” but not a lot about “what” is being done to prevent it from happening all over again.
Obviously, when you open your business to the world, you’re now exposed to a world of attacks. You can only do your best to prevent a hacker’s attack. However, your best must include an ongoing and robust test plan, executed by an experienced team that keeps up with the latest technologies, methods of attacks, and the ever-changing demographics of user communities and methods of access.
TxMQ has expert infrastructure architects, portal architects and load-testing expertise to help companies address these issues through cost-effective, consulting engagements.
Find out more. Email our consulting leaders in confidence, [email protected], for more information.

Cyber Security: 10 Tips For Small- To Mid-Size Businesses

I’ll start with a personal story about cyber security. Quite a few years ago (I won’t bore you with all the detail), my personal trainer’s email was hacked by a slightly savvy and jealous ex-client’s boyfriend, and personal emails between me and my trainer were distributed in a malicious manner to everyone in my trainer’s email network.
Needless to say, the backlash of this saga was incredible. My trainer escaped relatively unscathed, but the beating I took on it served as a lesson to me for the rest of my life. Don’t put anything into words via email or text that you wouldn’t say directly to someone’s face. Words on paper cannot be forgotten and it’s apparently incredibly easy to hack into someone’s “safe” network, download documents and use them as a weapon against said person or company.
When we went to the police with the breach, they scratched their heads, looked at us dumbfounded and essentially told us there was nothing we could do. It wouldn’t have mattered if there was. Reputations were already smashed, relationships and friendships were ruined and that sense of security and invincibility became an abstract thing of the past.
So this may sound like an exaggerated personal problem, but it happened and it was a traumatic event. Now imagine it’s your company and all your secure files. It’s your employees’ social security numbers, your business-banking routing numbers, your personnel files.
TxMQ attended an event this morning titled “The Virtual Reality of White Collar Crime” where the discussion was about cyber attacks. The numbers are staggering.
There are an estimated 1 million cyber attacks per day. That breaks down to 50,000 attacks per hour, 840 attacks per minute and about 15 attacks per second. And they’re coming from all areas of the world.
Trends of late have seen organized cyber crime move from aiming at large, hard targets such as banks and financial institutions to softer small- and mid-size businesses.
Why?
Because it’s easier to hack into the SMB space. There are hackers who focus only on the hard targets. They beat their heads against the wall until they chip away a brick; they move that brick and get one name and contact info. Then they start all over again, beating their heads against the wall to remove just one more brick, then one more, then one more. A painstaking process…
Now think about the SMB environment, where it’s much easier to export data and multiple files. Chip one brick away and all of a sudden you have the names and personal info of a thousand people. These professional services providers hold deeds and financial records, personal information and trusts.
Fact: 60% of small- and mid-sized businesses that suffer from a cyber attack go out of business within 6 months due to the cost of recovering from the attack. The average cost to recover from a cyber attack is $5.5M. Be proactive.
Fact: Cyber breach represents the largest transfer of wealth in US history. Businesses lose $250 billion a year to cyber breach and lose another $140 billion in downtime from the attack. That’s almost $400 billion per year. Process that for a moment.
And the truth of the matter is, it’s not even a matter of if it happens, it’s when. Within the past year, my personal credit card number has been stolen and used overseas three separate times.
Here are 10 recommendations for how small- and mid-sized businesses can protect themselves against a potential attack:

  1. Employee Background Checks
  2. Signed Security and/or NDA
  3. Written Policy as Part of Employee Handbook
  4. Provide Meaningful Education & Training (make sure what you have works)
  5. Secure Your IT Infrastructure
  6. Establish Password Policy
  7. Protect CC and Bank Accounts
  8. Test Your Systems
  9. Conduct Exit Interviews
  10. Take Immediate Action

Unfortunately, laws are reactive in nature, not proactive. While cyber crime is still being scoped and defined by the justice system, it’s happening all around us every day.
Get your systems reviewed. How likely are you to get hacked? Call TxMQ or a security firm to be proactive in your approach to protecting your company data.
Can you survive a cyber attack? If you’re a small- or mid-size company, likely the answer is no. And if you do survive, what’s the added cost to your reputation, your customers and, most of all, you?

Microsoft Officially Ends Windows XP Support: Security Issues Arise

The end of extended support for Windows XP is official. As of April 8, 2014, Microsoft will no longer develop or release security patches or other updates for the ever-popular and repeatedly overhauled Windows XP SP3 operating system. Microsoft has done the same for W95 & W98 in the past. Current data suggests that Windows XP is still running on 31% of desktops worldwide and is celebrating its 13th birthday, which is many years beyond its life expectancy.
Microsoft XP is just not built for the new digital world.
Likewise, Microsoft Vista will be end-of-life on April 11, 2017 and Windows 7 is scheduled for end-of-life January 14, 2020 – well within the 13-year run XP has enjoyed.
What does this mean for Windows XP? It means no safeguards against viruses, spyware or intrusion from hackers, no updates, no patches and no support. Windows XP will not be able to support the latest and safest web-compatible versions of Internet Explorer or the latest hardware advances.
Web developers globally will be ecstatic to see XP-only IE 6, 7 and 8 go away. Not to mention that you can’t upgrade in place from Windows XP to Windows 7 – instead, it must be installed from scratch, with the average enterprise migration taking 18-24 months from business case to full deployment.

What are the implications?

A lot of software that only runs on XP will be left without a supported platform. After April 8, 2014, you will lose send/receive email, network/internet access, network printing services and data transfers from removable media. Attackers will exploit flaws in the unpatched code, and essentially Windows XP will have “zero day” vulnerabilities forever. There are many out there who argue there’s anti-virus software that can block attacks and clean up infections if they occur, but who can say for sure or want to take that risk?
Can the APIs used by AV companies be trusted? Will Microsoft’s DEP (Data Execution Prevention), a key part of XP’s security, be overcome by attackers?
All very good questions, indeed.
All is not lost, however. One can always look to whitelisting solutions and/or Linux! Stay tuned!

Five Security Issues To Consider In The Mobile Age


Mobile applications are the new technology trend. As with any technology trend, exciting new business opportunities emerge. But first, what exactly is a mobile application? Mobile applications are generally classified as one of three types:

Native Applications
Built using a device-specific software development kit (SDK) to exploit the capabilities of the device

Web-Browser Applications
Built using the fifth revision of Hypertext Markup Language (HTML5) enhancements for web applications

Hybrid Applications
Built using a library (often client-side JavaScript) that lets the developer code against a “generic” mobile function (which in turn accesses the device-specific capability) without making different calls for each platform, as a native app must; such libraries sometimes also provide a runtime container

With these classifications in mind, here are the five major security issues to consider for the new Mobile Age.

1. Prepare Yourself For Success

Every environment now has a backup-and-restore plan in case of emergencies. But what most companies do not have is a success plan. So it’s important to consider: What do you do if you do succeed? Some mobile apps go “viral” and a sudden wave of transactions may cause your network to become overloaded. But with broad technology offerings from IBM, including DataPower appliances and cloud services, you can build a plan for failover or fail-up.

2. Bring Your Own Device

Many employees already use personal phones for calls at night or for email while traveling. Why not extend this ability to other mobile applications and data? The security of mobile devices is a priority for business and IT leaders. Two challenges stand out: (1) The ability to terminate access to the server-side of the mobile app, and (2) The loss of information that may remain on the device when it “goes rogue.”

As an organization, if you don’t own the device that’s running the application, you may not be able to stop an application request from being generated on the mobile phone. That means you may receive a lot of traffic from clients that are no longer valid. If you have the technology to identify and correlate incoming requests from legitimate people, devices and applications, your strategy is sound. However, the case is often different, and you may need an application-level appliance at the application endpoint that’s capable of correlating granular service-level agreements.

3. Adapt And Survive

Web-application-savvy business leaders are already prepared to filter web requests to provide differentiated quality of service. Gating traffic, however, may become more visible to your mobile users because mobile users are more aware of response time. Delays may lose the attention of the audience you’re looking to keep.

In application design, there must be an awareness of how to reduce the amount of “bad load” or “bad users” on your application, and at the same time respond quickly to validated traffic that’s driven to your business. This is where the defensive and strategic use of DataPower appliances and IBM products can provide application efficiencies. The ability to differentiate, balance and distribute requests can truly yield operational advantages.

4. Mobile-First And Good Service Design

Mobile applications can help organizations enter new markets, retain and extend participation from current users of services and attract new users to services. If the goal of going mobile is to reach a larger audience and access new markets, user-interface design may be the most important aspect to consider. If you’re not trying to win over the eyes of the new market, but instead trying to get a core piece of information across to your mobile audience, then service design and the ability to deliver information quickly and securely may be the most important aspect for your company. Good service design includes understanding your own application-integration infrastructure and being able to leverage this infrastructure from a mobile device.

5. Location, Location, Location

Mobile access and mobile applications challenge the notion that there’s a boundary between the outside and the inside. Mobile employees need “unplugged” access as they travel. More customers need access to more information and they want this information faster than ever before. Mobile devices are great for providing information “on the go,” but because of their smaller screen size they’re limited in their abilities. Technology is evolving though, and there are now such things as “notifications” that can indicate when a message is incoming or that an application update is available.

The reality of life on the internet is that there are endless “moving parts.” The mobile user has a short attention span that demands an almost immediate response. It’s the job of the mobile-application developers and designers to catch and keep the attention of the customer. Applications must be more intelligent and must work with traditional IT security systems so that your operational staff can shut down or rate-limit access.
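As an added example (not TxMQ’s or IBM’s code), here is a minimal server-side gate that implements the two BYOD controls from section 2 and the rate-limiting from section 5: it correlates each request by user, device and app, stops honoring a device once the organization revokes it, and rate-limits each client within a sliding window. The user, device and app ids, the time stamps and the limits are all constructed for the demo.

```python
"""Added example: a server-side gate for BYOD mobile traffic (not TxMQ or IBM code)."""
from collections import defaultdict, deque

class MobileGate:
    def __init__(self, allowed_apps, max_requests, window_seconds):
        self.allowed_apps = set(allowed_apps)  # app ids the backend agrees to serve
        self.max_requests = max_requests       # per (user, device, app) within a window
        self.window_seconds = window_seconds
        self.revoked_devices = set()           # devices reported lost, stolen or "rogue"
        self._history = defaultdict(deque)     # recent request timestamps per client

    def revoke_device(self, device_id):
        # The company cannot stop the phone from sending; it can stop honoring it.
        self.revoked_devices.add(device_id)

    def check(self, user_id, device_id, app_id, now):
        """Decide one request: ok, unknown-app, device-revoked or rate-limited."""
        if app_id not in self.allowed_apps:
            return "unknown-app"
        if device_id in self.revoked_devices:
            return "device-revoked"
        hist = self._history[(user_id, device_id, app_id)]
        while hist and now - hist[0] >= self.window_seconds:  # drop expired timestamps
            hist.popleft()
        if len(hist) >= self.max_requests:
            return "rate-limited"
        hist.append(now)
        return "ok"

# Constructed sample traffic (timestamp in seconds, user, device, app); not real data.
SAMPLE_REQUESTS = [
    (0.0, "alice", "phone-1", "expense-app"),
    (4.0, "bob", "phone-2", "game-app"),       # app never registered with the backend
    (5.0, "bob", "phone-2", "expense-app"),
    (6.0, "alice", "phone-1", "expense-app"),  # phone-1 is reported lost at t=6
    (6.5, "bob", "phone-2", "expense-app"),
    (7.0, "bob", "phone-2", "expense-app"),
    (7.5, "bob", "phone-2", "expense-app"),    # fourth call inside bob's 10 s window
    (16.0, "bob", "phone-2", "expense-app"),   # window has rolled forward
]

def run_demo():
    gate = MobileGate(allowed_apps={"expense-app"}, max_requests=3, window_seconds=10.0)
    decisions = []
    for ts, user, device, app in SAMPLE_REQUESTS:
        if ts >= 6.0:
            gate.revoke_device("phone-1")  # helpdesk marks Alice's phone as lost
        decisions.append(gate.check(user, device, app, ts))
    return decisions
```

Replaying the sample traffic yields ok, unknown-app, ok, device-revoked, ok, ok, rate-limited, ok: the lost phone keeps sending but is no longer served, and the burst from phone-2 is throttled until its window rolls forward.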

The world’s getting smarter: Join the world and learn more about WebSphere DataPower appliances and IBM Worklight. Contact TxMQ vice president Miles Roty at (716) 636-0070 x 228 or [email protected].