nCircle Patterns Blog

January 24, 2012

It's 10 p.m., Do You Know Where Your Source Code Is?


Last week a hacker by the name of 'Yama Tough' claimed he was going to release the full source code for Symantec Corp's flagship product, Norton Antivirus. With open-source software, all of the source code is available for everyone to see; in this case Yama Tough was threatening to disclose commercial, closed source code that was never meant to leave the company.

The ramifications of this threat, because it implied that the source code was already in the attacker's hands, were huge. For example:
- If the code were published, any secrets embedded in it (keys, credentials, undocumented interfaces) could become a problem for Symantec
- Access to the source code means cyber criminals could add malicious code and compile a product that mimics the look and feel of the original but is designed to do a number of very bad things that are almost impossible for end users to detect. (Beware of buying software from anything other than a trusted source; the deal will not be a good deal for you.)
- The raw logic of the program would have been exposed and, given that knowledge, an expert would probably find new kinds of vulnerabilities

Even though the disclosure didn't happen, the security implications of an intellectual property breach are enormous. This threat is a wake-up call for everyone: when was the last time you reviewed the security protection around your source code?

If it's been a while, here are a few questions to help you get started:

- Do you know every single place this source code exists, both in operation and in backups?
- What safeguards do you have in place to protect your source code, and how would you know if it was taken?
- If your source code was stolen, what is the plan to keep the business operational and your customers safe?
- Finally, do you have a plan to manage the crisis of public perception an event like this could cause, considering the 24x7 news cycle and social communication channels?

If you don't have clear, specific answers to all of these questions, you have just been put on notice. Symantec just reminded all of us that it's time to revisit the security protection around intellectual property. If you've got that under control, spend some time looking at business continuity and crisis communication plans to make sure they include this scenario and involve the support, sales, marketing and legal teams.

This is a tabletop exercise you really need to work into your schedule in the near future. It is the type of event that requires a companywide response and the more prepared you are, the better chance you have of containing the damage.
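One concrete safeguard behind the trojanized-build warning and the "how would you know?" question above is an integrity manifest: hash every file in the tree, keep the manifest somewhere the tree's owner cannot silently rewrite (ideally signed), and re-check it on a schedule and before every release. The following is an added example written for this post, not nCircle's or Symantec's code; the directory layout and file contents are constructed for the demonstration.

```python
"""Source-tree integrity manifest: build, diff, and a constructed tamper scenario.

Added example (not from the original post). A SHA-256 manifest over a tree
detects modified, added or removed files when it is re-checked. It does not
detect a read-only copy being taken, so access logging is still needed for
the "was it stolen?" question.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's root-relative, POSIX-style path to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(expected: Dict[str, str],
                  actual: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    added = sorted(set(actual) - set(expected))
    removed = sorted(set(expected) - set(actual))
    return modified, added, removed


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: snapshot a clean tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        with open(os.path.join(root, "src", "scanner.c"), "w") as f:
            f.write("int scan(void) { return 0; }\n")
        with open(os.path.join(root, "README"), "w") as f:
            f.write("constructed sample product\n")
        expected = build_manifest(root)  # in practice: stored and signed off-tree

        # Tamper: backdoor one source file, delete another, drop in a stray binary.
        with open(os.path.join(root, "src", "scanner.c"), "a") as f:
            f.write("int backdoor(void) { return 1; }\n")
        os.remove(os.path.join(root, "README"))
        with open(os.path.join(root, "src", "payload.bin"), "wb") as f:
            f.write(b"\x00\x01")
        return diff_manifest(expected, build_manifest(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```

The same `build_manifest` output, published alongside a release, is what lets a customer check a downloaded installer against what the vendor actually shipped, which is the practical form of "buy only from a trusted source".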

The problem with being a successful business is that you become more attractive to a better class of cyber criminals. It's the classic good news / bad news problem. The good news is that your intellectual property is recognized as having significant value. The bad news is that now you are attracting the attention of more sophisticated cyber criminals.

Be proactive and be the hero and leader when this type of event happens; be reactive and be the goat. Your move.


January 17, 2012

Not-For-Profit also means Not-For-Loss


So here's the deal: just because you are a non-profit organization doesn't mean you don't have to be concerned with the threats on the Internet. Last I checked, not-for-profit also means not-for-loss. In fact, as a non-profit you may be a more attractive target for some kinds of attackers, especially 'hacktivists', if they believe your organization is 'bad'.

For example, earlier in 2011, PBS was the victim of a LulzSec attack. You can read about the drama connected with the attack, but the point I'm making is that your business model and its relative level of altruism don't affect the security or insecurity of your computer systems.

While this may sound completely obvious, all too often I hear something like, 'Oh, I don't really have to lock those systems down because there is nothing on them to steal'.

Here's the problem with that line of reasoning: even if you have nothing to steal in terms of information, the systems and applications they run can be attacked, controlled and then used for criminal purposes. Your computers and computer network can be used as a weapon by the bad guys.

In fact, it's very common for organized crime to compromise as many connected computer systems as they possibly can. Once they have them under remote control, the bad guys wait for the right moment and then use thousands of compromised computers to pull off a distributed denial of service attack on a targeted business. If the attacked company pays the attackers a fee, they stop the attack. It's a very common form of cyber extortion.

If I were a non-profit, I would do a quick scan with PureCloud just to see where my security stands. There's no excuse for lousy security anymore: if you are able to shop online, you have the skills to run PureCloud. And, at the very least, you will know if you have a security problem that you need to address.

Everyone should scan their networks and secure their systems, not just the ones with confidential information on them.

Take security seriously, your business and the entire Internet will thank you.


January 11, 2012

Survey Says!


PwC just completed and published what they call the Global Economic Crime Survey and, for those of you paying attention, there should be no surprises. For those not paying attention, reports like this are a good way to socialize the craft of IT risk management.

Some highlights:

- 34% of respondents experienced economic crime in the last 12 months (13% increase from 2009)
- Almost 1 in 10 who reported fraud suffered losses of more than US$5 million
- Cybercrime now ranks as one of the top four economic crimes
- Reputational damage resulting from cybercrime is the biggest fear for 40% of respondents
- 40% of respondents don't have the capability to detect and prevent cybercrime
- 56% of respondents said the most serious fraud was an 'inside job'
- Senior Executives made up almost half of the respondents who didn't know if their organization had suffered a fraud

Getting hacked sucks but ignorance just makes it suck even more.

It is no longer just an IT thing, as the report points out, and you really will need to socialize surveys like this on a regular basis. Cadence is key because you need to keep these issues top of mind without being a pest.

There is just no excuse anymore. You have tools like benchmark.ncircle.com, you have free reports like the one above; it's up to you now.


December 21, 2011

I haz digital cheezeburger and SOPA


If I sell you a cheeseburger and you give me five dollars, once I hand you the cheeseburger we have completed our transaction. You have less cash and I have one fewer cheeseburger. This straightforward physical transaction is not how digital information transactions work.

When you read this blog post, I still have the blog post. When you purchase a digital image, I still have the image. If you were to pirate or steal any of my digital information, I would still have it. This is the crucial difference between physical transactions and digital information transactions.

When we choose to make something digital, we change it from a rival good, something physical, to a non-rival good. The implications of non-rival good transactions on commerce and society are profound because our transaction models are based on rival goods.

So far, as a society, we have been trying to wrap non-rival goods in a rival transaction model in order to prove that digital goods have clearly changed hands. As evidenced by almost all forms of digital copyright protection, this approach has been a complete failure.

Extreme attempts at managing digital transactions the same way we manage physical transactions have been so far off the mark that they are either completely unusable or ridiculously expensive. The Stop Online Piracy Act (SOPA) manages to incorporate both these attributes.

There are other ways to solve this problem. One strategy is to provide free content to everyone and offer high resolution or higher value content for purchase. You can try to charge for the lower resolution / lower value content, but once someone accesses it they can stream it out of the country and monetize it in other markets where US laws do not apply. This is why digital media has been wreaking havoc on the outdated commerce models of newspapers, record companies, cable companies and Hollywood movie studios.

SOPA is another misguided attempt to reach for a rival solution in a non-rival world. The hard truth is that there is no way to completely stop online piracy. There will always be loss, there will always be theft. It's pointless to seek a new, perfect digital transaction model that gives non-rival goods the attributes of rival commerce.

The laws and rules that support digital media commerce should seek fairness and balance. We should be designing digital commerce systems for optima, not maxima.

SOPA won't work. It's too late to put the digital genie back into a physical transaction bottle. The Internet ecosystem will eventually reject arbitrary boundaries and correct itself.

If SOPA is representative of our best collective efforts to solve the non-rival goods problem it's going to be one hell of a ride before we collectively figure this out.

Reference: photo by Leandro Ardissone



December 13, 2011

Are my privates showing?


In a recent post on the New York Times Bits Blog, Nick Bilton makes a strong claim that privacy is on its deathbed, but I see this problem a little differently. Perhaps privacy seems dead, but it's also possible that it's in the process of being reincarnated.

Yes, Facebook is nearly eight years old and 800 million users strong, but how hard it is to protect personal information and achieve some level of anonymity has been discussed for over 20 years. Anyone remember the Anonymity FAQ on ftp.uu.net back in the day? #datingmyself

Online privacy is more understandable as a verb than a noun because it is incredibly context sensitive. In reality, online privacy isn't a single thing, it's a process.

Part of the reason that online privacy is so difficult to pin down is that the concepts of 'public' and 'private' in the information space are much trickier than they are in the physical world. Within a community, social norms are defined and redefined over long periods of time, resulting in a collective understanding of what is public versus private. But when you have cross-communal mashups of cultures, who stabilizes the norms, and how often? It's fairly common online for information set A to be public in one context but private in another.

In my opinion, the only way to understand privacy is within the context of the online 'game' an individual chooses to play. I'm using the term 'game' as a frame for players, rules, payoffs, winning, losing, etc. In this context, the term game can apply to almost anything including national laws, commerce and online dating to name just a few.

When looking at privacy through the lens of the individual, we often talk about consequences shaping a person's behavior. Consequences are a major factor, but today they apply very late in the game.

To change behavior, you have to first think about the value propositions behind why people share information because, unlike the physical world, once information is disclosed online there is no way to un-disclose it.

Information is, by its very nature, connected to other information, creating a directed graph that can be traversed. This giant set of networked information makes it easy to find information you may not want found. The rule of unintended consequences says that the individuals most likely to find things you would prefer to keep private are generally not playing your game. They are likely to be playing a completely different game with an entirely separate payoff.
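To make that graph concrete, here is an added example (not from the original post) that models each disclosure as a set of attributes published together in one context, then walks the graph from a pseudonymous handle to a real name. Every context, handle and attribute is constructed; the point is that no single context leaked the name, yet the path exists as soon as two contexts share one attribute.

```python
"""Linkage across 'games': a graph of attributes disclosed together.

Added example, not from the original post. Nodes are attributes; two
attributes are adjacent when the same person published them in the same
context. A breadth-first search from a handle finds the shortest chain of
contexts that connects it to a real name. All data here is constructed.
"""
from collections import deque
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Constructed disclosures: (context, attributes published together in it).
DISCLOSURES: List[Tuple[str, List[str]]] = [
    ("dating_site",   ["handle:nightowl42", "city:Portland", "photo:abc123"]),
    ("photo_sharing", ["photo:abc123", "email:jdoe@example.test"]),
    ("conference",    ["email:jdoe@example.test", "name:Jane Doe", "employer:Acme"]),
    ("gaming_forum",  ["handle:nightowl42", "timezone:PST"]),
]


def build_graph(disclosures: Sequence[Tuple[str, List[str]]]) -> Dict[str, Set[str]]:
    """Attributes disclosed in the same context become mutually reachable."""
    graph: Dict[str, Set[str]] = {}
    for _context, attrs in disclosures:
        for a in attrs:
            graph.setdefault(a, set()).update(x for x in attrs if x != a)
    return graph


def find_path(graph: Dict[str, Set[str]], start: str,
              target_prefix: str) -> Optional[List[str]]:
    """BFS from a known attribute to the first attribute of the target kind."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node.startswith(target_prefix):
            return path
        for nxt in sorted(graph.get(node, ())):  # sorted for deterministic output
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def deanonymize(handle: str, disclosures=DISCLOSURES) -> Optional[List[str]]:
    """Chain of attributes from a handle to a 'name:' node, or None if isolated."""
    return find_path(build_graph(disclosures), handle, "name:")


if __name__ == "__main__":
    print(" -> ".join(deanonymize("handle:nightowl42") or ["no link"]))
    # Dropping one context (the photo reposted with an email) severs the chain.
    pruned = [d for d in DISCLOSURES if d[0] != "photo_sharing"]
    print(deanonymize("handle:nightowl42", pruned))
```

The second call in the usage block is the practical lesson: the person playing the dating-site game and the person playing the conference game never connected them, a reposted photo did, and removing that single disclosure is what makes the handle unreachable again.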

I don't have any answers to this enormous problem, but I do know that it's going to get a lot worse before it gets better. There is just too much money to be made by selling information about you to make significant change possible in the near term.

When we finally have real privacy solutions, individuals will be able to authorize and control access to their metadata. This will require a completely different approach to privacy and will affect the business models of every major Internet brand.

Until then, my best advice is to behave as if your privates are showing. Work very hard to disclose only information you know you can protect or that is feasible to recover.


December 7, 2011

Which Half of Your Business Are You Protecting?


When you purchase a house you order an inspection. Would it make sense to tell the inspector to assess just the outside or the front of the home?

Or, if you were buying a car, would you have a mechanic check the things only on the driver's side?

That would be nuts, right? You would just be putting a rope around your own neck.

Why then, do people think that it's ok to assess only Internet facing devices when they scan their networks?

There was a time when security scanning was so expensive and so complicated that companies could only afford to scan Internet facing devices. But those days are gone and there is no longer any excuse for half measures with security scans.

Historically, bad guys 'pushed' attacks at Internet facing devices, and firewalls were very effective at blocking those bullets. Today, local networks are exposed to a wide variety of attack vectors that never even touch the firewall.

For example, these days an attack can be 'pulled' in by internal users browsing the Internet. A firewall that allows outbound web traffic offers no protection against malware that arrives through the web browser.

The path to better security is knowledge, and the player with the best knowledge wins. Your task is to have more knowledge about your own network than the bad guys. That means you need to scan your whole network, especially devices behind the firewall.

You might think you can't afford to scan your whole network. You might think you aren't technical enough, or that you need to be an expert to complete a comprehensive security scan and fix all the problems it finds. All that has changed with PureCloud.

If you can order holiday gifts online you're enough of an expert to operate PureCloud successfully. And, until December 16, you can scan your entire network for free. Check it out.
http://purecloud.ncircle.com


December 1, 2011

Why Small Businesses Need to Think Like Cyber Criminals


No business should assume they are too tiny or obscure for a cyber attack. In fact, smaller businesses are a favorite target for cyber criminals because they usually don't have the cyber security safeguards of larger organizations. That's the bad news.

The good news is that you don't have to be a security or a technology expert to protect your business from cyber criminals. You do have to change your mindset about security and get educated. You also have to think like a cyber criminal to protect your business from cyber criminals.

Start by thinking about your data. How would your business be hurt if a cyber criminal had access to your customers' credit card numbers or online financial data? How about confidential product and partner information? Could your business survive if you lost access to your website or email?

Next, think about where this data resides on your network. If you don't know where your data is (and data isn't always where it's supposed to be) you can't protect it.

Now consider minimizing the number of systems that contain critical information, the cyber security equivalent of circling the wagons. This allows you to concentrate the greatest levels of protection on areas where a data breach could have the most serious consequences.

Finally, spend some time creating security policies or adapting free templates for your unique business. Take the time to explain the reasons behind the policies to your employees and keep them updated on security issues. The easiest way for a cyber criminal to get access to your network is to steal user credentials or crack a password.
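Data isn't always where it's supposed to be, so the second step above (find out where the data actually resides) benefits from a discovery scan rather than a guess. The following is an added example, not code from the original post: it finds payment card numbers in text using a digit-sequence pattern plus the Luhn check digit test, which separates card numbers from invoice and order numbers that happen to be the same length. The sample files are constructed and the card numbers are the common industry test numbers, not real accounts.

```python
"""Payment card discovery with Luhn validation.

Added example, not from the original post. A bare "13-19 digits" pattern
flags order numbers, phone numbers and timestamps; requiring the Luhn check
to pass removes roughly 90% of those false positives. Sample documents and
card numbers are constructed (industry test numbers, not real accounts).
"""
import re
from typing import Dict, List

# 13-19 digits, each optionally followed by a space or dash, not glued to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return normalized (separator-free) card numbers found in text."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Never write full card numbers into a findings report."""
    return "*" * (len(pan) - 4) + pan[-4:]


# Constructed sample: a spreadsheet export, a support log and a forgotten backup note.
SAMPLE_FILES: Dict[str, str] = {
    "sales/orders.csv": "order,4111 1111 1111 1111,2011-12-01\norder,4111111111111112,2011-12-02\n",
    "support/tickets.txt": "Customer called re: invoice 1234567890123. No card given.\n",
    "backup/old-notes.txt": "VIP card 5555-5555-5555-4444 exp 12/13\n",
}


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each path that contains card numbers to its masked findings."""
    report: Dict[str, List[str]] = {}
    for path, content in files.items():
        hits = find_pans(content)
        if hits:
            report[path] = [mask(p) for p in hits]
    return report


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, hits)
```

Note that the second row of the CSV (a 16-digit value with a wrong check digit) and the 13-digit invoice number are both rejected by the Luhn test, while the dash-separated number in the backup note is caught; that backup directory is exactly the kind of place step two is asking you to go looking.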

Remember, cyber criminals are opportunists on the look-out for the equivalent of a smash-and-grab robbery. Make sure your business isn't an easy target.


November 18, 2011

How Do You Know You Are Secure?


A recent study by the National Cyber Security Alliance and Symantec found that 85% of small companies think their company is cyber-secure but many fail to take even basic cyber security precautions.

It's easy to think you are secure. But how do you know you are secure? What evidence do you have that your cyber security is at least as good, and hopefully better than, other businesses your size?

The first thing every business should do is to think like an attacker. The ugly reality is that organized crime has been cultivating specialized hacking skills in order to target small businesses because they typically have fewer security controls in place than larger enterprises. It's definitely not a fair fight.

The same study also puts the average annual cost of cyber attacks on small and medium sized businesses at $188,000. What's more, statistics show that 60% of businesses will close within six months of a cyber attack.

Facing this grim reality is critical. The odds are stacked against small businesses that just think they are secure. If you aren't sure your network is secure, you need to step up your game.


October 13, 2011

Seriously Siri


How about this for a Siri session:

User: Is my network secure today?
Siri: You have 5 critical vulnerabilities that need your attention
User: Fix them, rescan, and send me a report.
Siri: Will do.

:-)

Before Siri was an Apple product offered in the new iPhone 4S, it was a product from the mind of Tom Gruber, CTO and VP of Design at Siri.com. It is Gruber's definition of ontologies within an Artificial Intelligence context that is frequently quoted:

"An ontology is a specification of a conceptualization"

Gruber has done such great work over the years that I feel I need to say something today about Siri and its application of ontologies and Semantic Technology.

At a high level, what makes Siri a long term success in my opinion is that it serves both the demand and the supply side of the equation. The demand side is how the user experiences the role of a personal assistant; this is enhanced greatly by the fact that the supply side is a massive aggregator of data sources, and the corpus as a whole covers all things interesting to a person needing assistance. Ontological models and reasoning engines connect the two, so once again the whole is greater than the sum of its parts.

Some of you may have seen the work I have done on ontological reasoning for risk ranking and scoring. I've also been a big evangelist [and pain in the ass at times] for the W3C Semantic Technology stack to be the basis of IT Vendor Interoperability. If you believe otherwise, I'm always up for a good argument; maybe we will both come away learning something new.

The work Gruber has done in applying ontological reasoning to commercial products has finally hit the mainstream, but he is not alone. Others have leveraged these capabilities, including the BBC, Best Buy, Overstock.com, the New York Times, Amdocs, the Library of Congress and the US Department of Defense, to name a few. Other commercial companies are also using it for competitive advantage, like Seevl and Attune, and don't forget the most important one, nCircle, which has been leveraging the power of ontologies since 2001. If you wonder how nCircle is able to scan a network so precisely, or how the Focus query engine in nCircle IP360 is able to infer and synthesize relevant information from terse search terms, it is all about leveraging a domain ontology.
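As an added illustration of what "inferring from terse search terms" over a domain ontology looks like, here is a toy reasoner written for this post; it is not nCircle's IP360 or Focus code, and the class names, hosts and triples are all constructed. A query for a class such as WebServer returns hosts whose only recorded fact is that they run a particular product version, because the subClassOf axioms are chained before the query is answered.

```python
"""Tiny ontology with forward-chained inference over subClassOf.

Added example, not nCircle's code. Facts are (subject, predicate, object)
triples. Two rules are applied until no new facts appear:
  (x type C) and (C subClassOf* D)  =>  (x type D)
  (h runs x)  and (x type D)        =>  (h exposes D)
so a terse query like "WebServer" pulls in hosts that never said so directly.
"""
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]

# Constructed instance data (hosts, products) and schema (subClassOf axioms).
TRIPLES: List[Triple] = [
    ("host-1", "runs", "apache-httpd-2.2"),
    ("host-2", "runs", "openssh-5.3"),
    ("host-3", "runs", "iis-7"),
    ("apache-httpd-2.2", "type", "ApacheHttpd"),
    ("iis-7", "type", "IIS"),
    ("openssh-5.3", "type", "OpenSSH"),
    ("ApacheHttpd", "subClassOf", "WebServer"),
    ("IIS", "subClassOf", "WebServer"),
    ("OpenSSH", "subClassOf", "RemoteAccessService"),
    ("WebServer", "subClassOf", "InternetFacingService"),
    ("RemoteAccessService", "subClassOf", "InternetFacingService"),
]


def superclasses(triples: List[Triple], cls: str) -> Set[str]:
    """Transitive closure of subClassOf starting at cls (cls itself excluded)."""
    direct: Dict[str, Set[str]] = {}
    for s, p, o in triples:
        if p == "subClassOf":
            direct.setdefault(s, set()).add(o)
    result: Set[str] = set()
    stack = [cls]
    while stack:
        c = stack.pop()
        for parent in direct.get(c, ()):
            if parent not in result:
                result.add(parent)
                stack.append(parent)
    return result


def infer(triples: List[Triple]) -> Set[Triple]:
    """Return the original facts plus everything the two rules derive."""
    facts: Set[Triple] = set(triples)
    types: Dict[str, Set[str]] = {}
    for s, p, o in triples:
        if p == "type":
            types.setdefault(s, set()).add(o)
    # Rule 1: propagate types up the class hierarchy.
    for x, classes in list(types.items()):
        for c in list(classes):
            for d in superclasses(triples, c):
                facts.add((x, "type", d))
                types[x].add(d)
    # Rule 2: a host exposes every class of every product it runs.
    for h, p, x in triples:
        if p == "runs":
            for d in types.get(x, ()):
                facts.add((h, "exposes", d))
    return facts


def hosts_exposing(triples: List[Triple], term: str) -> List[str]:
    """Terse query: which hosts expose anything classified as `term`?"""
    return sorted(h for h, p, o in infer(triples) if p == "exposes" and o == term)


if __name__ == "__main__":
    for term in ("WebServer", "InternetFacingService", "Database"):
        print(term, "->", hosts_exposing(TRIPLES, term))
```

The useful property for a scanner is that the raw data only ever has to record the most specific fact it can prove ("runs apache-httpd-2.2"); everything a risk query needs above that level comes from the ontology, so adding a new product to the schema retroactively classifies every host already in the database.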

User: Please compare my security metrics to my peers
Siri: You need nCircle Benchmark silly. Go to https://benchmark.ncircle.com/

:-)



September 28, 2011

Browser in the Middle

On November 15th of 2011, Amazon will start shipping a new tablet called the Kindle Fire, or Fire for short. It is inexpensive and introduces a new architecture for web browsers with Amazon Silk.
This video explains most of it.

Look carefully at the details given at 1:49 in the video when they talk about the 'split' architecture. Ummm... you mean to tell me that everything I do with Silk will be there for Amazon to mine and analyze? Wow, clear cache? Too late!

With all this information on the consumer, think about the precision they can achieve in marketing to that buyer; IMO they should be giving these away. Spend more than 'x' per year and the Fire is free? Sounds like a retailer's dream come true. :-)



Bio

Blog: Patterns
Author: T.K.

Tim Keanini began his professional career as a musician, but has spent the past 20 years in electronic gaming and information technology. He has applied patterns found in music, gaming, and information technology to strategies successful in enterprise risk management. As CTO at nCircle, Tim's technical vision for the company has been shaped by his intimate understanding of both the "gaming mindset", which always takes into account an active opponent, and his respect for the ever-changing and complex nature of each customer's IT operations.

