Since the Internet places our public and private sector resources on the same global network as those that seek to harm us, we are always open to an attack.
By Andrew Serwin
It is not the norm for corporations to be the focal point of a war fought between nation states, but today’s threats place us in exactly that situation. The reason these threats implicate both the public and private sector is that the cyber-domain is under attack by an organized public/private sector threat, and until we recognize that fact and address it, we will continue to fail to protect it.
The truth is that unless corporate America, the private sector, works with the public sector, we may not be able to stop a cyber-event that could be as destructive as Pearl Harbor or 9/11.
The Internet as we know it started as a public sector project that quickly morphed into what it is today: a large, interconnected network that never turns off and connects an unimaginable number of different devices in the public and private sectors, including those that control our financial system, critical infrastructure, and a variety of other devices in different industries.
These devices are central to our everyday existence, particularly when one includes mobile devices and the ever-increasing number of networked control devices. Since this always-on world of connectivity places the public and private sector resources of the United States on the same global network as those of nations and others that seek to do us harm, you cannot “raise the drawbridge” against cyber-attacks. If you are part of the cyber-domain, you are constantly open to a potential attack.
Organized groups are always trying to find and exploit an information imbalance (one side of a conflict has superior information regarding the weaknesses of the other) and create an asymmetric threat. If that superior information relates to the weakness of another party, it can be used to create an asymmetric threat, which targets and exploits another’s weaknesses.
The best example of this contrasts 9/11 with Pearl Harbor. Pearl Harbor involved an organized, but symmetric threat. It was the Japanese military attacking another nation state’s military. And while Japan exploited an information imbalance, it was a fight between combatants with roughly equal resources.
For 9/11, Al Qaeda did not need an organized military. It simply needed utility knives, training and, most importantly, information about how our system of air travel worked. By creating this information imbalance, they were able to perpetrate a devastating asymmetric attack on the United States.
The lesson of 9/11 was not lost on the public sector, which realized the nature of the threat and took steps to address it. Consider recent Executive Orders, the words of General Keith Alexander, the director of the National Security Agency, and a recent speech by Defense Secretary Leon Panetta.
In 2005, President Bush issued Executive Order 13388, “Further Strengthening the Sharing of Terrorism Information to Protect Americans”, with the goal of sharing information about terrorism among key stakeholders in the public and private sector. In 2010, President Obama reaffirmed the need for public sector and private sector cooperation and information sharing with Executive Order 13549, “Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities.”
In a recent presentation, Secretary Panetta illustrated the true nature of the threat: state-sponsored activity that is increasing in intensity and has the potential to disrupt our way of life. “A cyber-attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack on 9/11,” and Panetta also believed that “such a destructive cyber-terrorist attack could virtually paralyze the nation.” Panetta continued, “We know of specific instances where intruders have successfully gained access to these control systems,” and “We also know they are seeking to create advanced tools to attack those systems and cause panic, destruction and even loss of life.”
The critical point is that the examples Secretary Panetta uses are not attacks on the Department of Defense or other public sector resources. They are attacks on the financial institutions and energy sector by the government resources of another nation state.
This threat is not limited to the financial and energy industries. Terrorists can attempt to hack a Supervisory Control and Data Acquisition (SCADA) device that controls a water supply. Or they can try to disrupt the medical services in a large area by attacking the systems of a large hospital chain or major health insurer. The threats are nearly endless and span a multitude of businesses.
In sum, we face a new, more diffused threat: organized well-funded attacks by entities that are state sponsored or part of organized crime networks. These actors seek to create information advantages that can be turned into asymmetric threats, and these threats are a clear and present danger to our society.
The only chance the private sector has to combat these threats is to organize itself and utilize technology tools to address these concerns. That effort also includes the doctrine of Information Superiority and increased information sharing.
Andrew Serwin is the chair of the Privacy Security and Information Management Practice at law firm Foley & Lardner LLP and the executive director of the Lares Institute.
How many times have you been in a meeting only to have a participant’s phone ring or vibrate? This is a common occurrence and to many, this is the type of interruption that drives them nuts. While smartphones have changed our lives, mostly for the better, there are still times when we don’t seem to follow common ‘mobile etiquette’, leading to others perceiving us as rude.
Here are six cell phone etiquette tips you should practice to show respect to your peers and the people around you while on your phone.
- Watch what you snap – Almost every phone has a camera these days, and we can’t help but take pictures of nearly everything. While it is convenient to take pictures with your phone, there are times when it’s not a good idea, such as in a meeting, for example. In general, if you are supposed to be paying attention to something, don’t take pictures.
- Indoor voices – It’s not uncommon to hear someone practically yelling into their phone on a busy street. This is often because they think that they can’t be heard by the person on the other end. The vast majority of modern phones have powerful enough microphones and noise cancelling technology to enable users to talk with an indoor voice, even while out on the busy street. If the person you’re talking to can’t hear you, try cupping your other hand over your mouth and directing the sound towards the phone.
- Darn you autocorrect! – Most phones use touchscreen keyboards as their input for text. This can be quite inaccurate, so OS developers created autocorrect, which usually picks the wrong word, leading to some potentially embarrassing situations. When typing on your phone, be sure to always read over what you have written before you hit send.
- Resist the beep – One of the more annoying things about smartphones is that every time a notification sounds people rush to check it. This can be seen as rude, especially if your phone goes off while you are talking with a customer and you cut them off to check it. It’s a surefire way to lose the sale! When you’re in meetings, or talking with customers/employees, ignore your phone until you are free to answer/check. If you are expecting an important call, excuse yourself before turning your attention to your phone.
- Pick the right notifications – Your phone has numerous notification levels. You can set the phone to vibrate, ring, or for lights to flash, etc. If you are in a meeting, it’s best to set your phone on silent, as even vibrate is enough to distract these days. Really, the only time your phone should be on ring is when you have it in your pocket, or are in a loud location and unlikely to hear it.
- Turn it off every now and then – Smartphones bring the ability to be always connected, which can be both good and bad. Sometimes being constantly connected leads to higher stress, and increased work hours at the expense of your personal life. You shouldn’t be too afraid of spending a bit of time away from your phone every now and then. Just be sure to let people know that you won’t be answering calls or texts.
Polite use of your smartphone will go a long way toward ensuring you are seen as a person that others want to do business with. What are your etiquette rules in regards to phone use? Let us know.
If you would like to learn more about how to leverage smartphones in your business, please contact us today.
For many, social media is a deeply ingrained part of daily life. For companies it has become an integral part of their marketing and communications strategy. Because of this, the security of these services is something users expect, 99% of the time. However, there are breaches that can cause trouble for users.
It only took one month for the first major security breach of a social network, and this time it happened to Twitter. On the first of February, Twitter announced on their blog that slightly over 250,000 accounts had been compromised.
At this time, Twitter doesn’t know who is responsible for the attack but according to the blog post they know that, “The attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords.”
Yes, the hackers did get access to passwords, although the company noted that they got the ‘encrypted/salted’ versions. This means they didn’t actually get the passwords themselves. To get the account passwords they would have to decrypt the information first, something many hackers don’t bother with.
What does this mean for my company? If you or your company has a Twitter account, you would already have received an email if your account was breached. While 250,000 sounds like a high number, keep in mind that there are over 72 million active accounts (users who post more than once a week).
While this is a drop in the proverbial bucket, it’s still a security threat that you should act upon. At the very least you should take steps to change your password. You can do this by logging into Twitter and pressing the cog in the top right of the tool bar. Select Settings followed by Password. Enter your current password, followed by a new password and verify it. Press Save changes and you are done.
It is a good idea to pick a completely new password, one with numbers, letters and if possible special characters like !, $ or ^. At the very least, it should be different from any other passwords you use.
Looking to learn more about the security breach or if Twitter is right for your business? Give us a shout, we’d be happy to talk social media with you.
Published with permission from TechAdvisory.org.