nCircle Patterns Blog: January 2012 Archives

January 24, 2012

It's 10 p.m., Do You Know Where Your Source Code Is?

blog-curfew.jpg

Last week a hacker by the name of 'Tama Tough' claimed he was going to release the full source code for Symantec Corp's flagship product, Norton Antivirus. With open-source software all of the source is available for everyone to see, but in this case Tama Tough was threatening to disclose commercial, closed source code.

The ramifications of this threat, since it implied disclosure of the source code itself, were huge. For example:
- If the code were published, any secrets embedded in it (hard-coded keys, credentials, undocumented interfaces) would become a problem for Symantec
- Access to the source means cyber criminals could add malicious code and compile a product that mimics the look and feel of the original but is designed to do a number of very bad things, in a way that is almost impossible for end users to detect. (Beware of buying software from anything other than a trusted source; the deal will not be a good deal for you.)
- The raw logic of the program would be exposed and, given that knowledge, an expert would probably find new kinds of vulnerabilities

Even though the disclosure didn't happen, the security implications of an intellectual property breach are enormous. This threat is a wake-up call for everyone: when was the last time you reviewed the protection around your source code?

If it's been a while, here are a few questions to help you get started:

- Do you know every single place this source code exists, both in operation and in backups?
- What safeguards do you have in place to protect your source code, and how would you know if it was taken?
- If your source code was stolen, what is the plan to keep the business operational and your customers safe?
- Finally, do you have a plan to manage the crisis of public perception an event like this could cause, considering the 24x7 news cycle and social communication channels?
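The second question above, "how would you know if it was taken?", has a concrete answer: watch the audit trail of your source control system for accounts that pull far more repositories than they normally need, and for checkouts from networks that should never touch source at all. The following is an added example, not code from the original post or from nCircle; the key=value audit line format, the corporate address range and the thresholds are all assumptions, and the log lines are constructed for illustration. Adapt the parser to whatever your hosting platform really emits.

```python
"""Flag bulk repository access in a constructed git-server audit log.

Added example, not from the original post. The key=value audit line
format below is hypothetical; real platforms (GitHub Enterprise,
GitLab, Gerrit, ...) each log differently, so adapt parse_line().
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines (not real data). One engineer clones
# six repositories in seven minutes; a build account clones from an
# address outside the corporate range.
SAMPLE_LOG = """\
2012-01-20T22:01:05Z user=jsmith action=clone repo=core/scanner src=10.1.4.22
2012-01-20T22:01:40Z user=jsmith action=clone repo=core/updater src=10.1.4.22
2012-01-20T22:02:11Z user=mlee action=push repo=web/portal src=10.1.7.9
2012-01-20T22:03:30Z user=jsmith action=clone repo=core/engine src=10.1.4.22
2012-01-20T22:05:02Z user=jsmith action=clone repo=core/signatures src=10.1.4.22
2012-01-20T22:06:47Z user=jsmith action=clone repo=core/installer src=10.1.4.22
2012-01-20T22:08:15Z user=jsmith action=clone repo=core/licensing src=10.1.4.22
2012-01-20T23:40:00Z user=build action=clone repo=core/engine src=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"repo=(?P<repo>\S+) src=(?P<src>\S+)$"
)

# Assumed policy: source is only checked out from the corporate range,
# and one account clones at most 4 distinct repos in any 10-minute window.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MAX_REPOS_PER_WINDOW = 4
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def find_alerts(log_text):
    """Return a list of (alert_type, user, detail) tuples for the log text."""
    alerts = []
    clones = defaultdict(list)  # user -> [(timestamp, repo), ...]
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable line; in production, count these too
        # Any access from outside the allowed networks is worth a look,
        # regardless of volume.
        if not any(ev["src"] in net for net in ALLOWED_NETS):
            alerts.append(("offnet-access", ev["user"], str(ev["src"])))
        if ev["action"] == "clone":
            clones[ev["user"]].append((ev["ts"], ev["repo"]))

    # For each user, slide a window over their clones and count how many
    # distinct repositories fall inside it. Distinct repos matter more than
    # raw clone count: re-cloning one repo is normal, sweeping many is not.
    for user, events in clones.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {repo for ts, repo in events[i:] if ts - start <= WINDOW}
            if len(in_window) > MAX_REPOS_PER_WINDOW:
                alerts.append(("bulk-clone", user, len(in_window)))
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log this reports a bulk-clone alert for jsmith (six distinct repos inside one window) and an off-network access by the build account. The thresholds are deliberately simple; the point is that the data to answer "would we know?" already exists on the server and only needs to be read.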

If you don't have clear, specific answers to all of these questions, you have just been put on notice. Symantec just reminded all of us that it's time to revisit the security protection around intellectual property. If you've got that under control, spend some time looking at business continuity and crisis communication plans to make sure they include this scenario and involve the support, sales, marketing and legal teams.

This is a tabletop exercise you really need to work into your schedule in the near future. It is the type of event that requires a companywide response and the more prepared you are, the better chance you have of containing the damage.

The problem with being a successful business is that you become more attractive to a better class of cyber criminals. It's the classic good news / bad news problem. The good news is that your intellectual property is recognized as having significant value. The bad news is that now you are attracting the attention of more sophisticated cyber criminals.

Be proactive and be the hero and leader when this type of event happens; be reactive and be the goat. Your move.


January 17, 2012

Not-For-Profit also means Not-For-Loss

blog-not-for-loss.png

So here's the deal: just because you are a non-profit organization doesn't mean you don't have to be concerned with threats on the Internet. Last I checked, not-for-profit also means not-for-loss. In fact, as a non-profit you may be a more attractive target for some kinds of attackers, especially 'hacktivists', if they believe your organization is 'bad'.

For example, in 2011 PBS was the victim of a LulzSec attack. You can read about the drama connected with the attack, but the point I'm making is that your business model and its relative level of altruism doesn't affect the security or insecurity of your computer systems.

While this may sound completely obvious, all too often I hear something like, 'Oh, I don't really have to lock those systems down because there is nothing on them to steal'.

Here's the problem with that line of reasoning: even if you have nothing to steal in terms of information, the systems and applications they run can be attacked, controlled and then used for criminal purposes. Your computers and computer network can be used as a weapon by the bad guys.

In fact, it's very common for organized crime to compromise as many connected computer systems as they possibly can. Once they have them all under remote control, the bad guys wait for the perfect time and then use thousands of compromised computers to pull off a distributed denial of service attack on a targeted business. If the attacked company pays the attackers a fee, they stop the attack. It's a very common form of cyber extortion.

If I were a non-profit, I would do a quick scan with PureCloud just to see where my security stands. There's no excuse for lousy security anymore, if you are able to shop online, you have the skills to run PureCloud. And, at the very least, you will know if you have a security problem that you need to address.

Everyone should scan their networks and secure their systems, and not just the ones with confidential information on them.

Take security seriously, your business and the entire Internet will thank you.


January 11, 2012

Survey Says!

blog-48percent.png

PWC just completed and published what they call the Global Economic Crime Survey, and for those of you paying attention there should be no surprises. For those not paying attention, reports like this are a useful tool for socializing the craft of IT risk management.

Some highlights:

- 34% of respondents experienced economic crime in the last 12 months (up 13% from 2009)
- Almost 1 in 10 who reported fraud suffered losses of more than US$5 million
- Cybercrime now ranks as one of the top four economic crimes
- Reputational damage resulting from cybercrime is the biggest fear for 40% of respondents
- 40% of respondents don't have the capability to detect and prevent cybercrime
- 56% of respondents said the most serious fraud was an 'inside job'
- Senior Executives made up almost half of the respondents who didn't know if their organization had suffered a fraud

Getting hacked sucks but ignorance just makes it suck even more.

It is no longer just an IT thing as the report points out and you really will need to socialize surveys like this on a regular basis. Cadence is key because you need to keep these issues top of mind but not be a pest.

There is just no excuse anymore. You have tools like benchmark.ncircle.com, you have free reports like the one above; it's up to you now.


Bio

Blog: Patterns
Author: T.K.

Tim Keanini began his professional career as a musician, but has spent the past 20 years in electronic gaming and information technology. He has applied patterns found in music, gaming, and information technology to strategies successful in enterprise risk management. As CTO at nCircle, Tim's technical vision for the company has been shaped by his intimate understanding of both the "gaming mindset", which always takes into account an active opponent, and his respect for the ever-changing and complex nature of each customer's IT operations.

