Cyber war continues
Cyber war and security recent postings:
- CIOs worry more about cyber threats with mobile computing Cyber threats are now a much greater concern with the expansion of the use of mobile devices and services. At the same time online criminals…
- Anatomy of a Chinese Cyber Attack Cyber Attack — How the Chinese do it… A Chinese cyber Attack (a Stuxnet-style attack) frequently makes its first entry into a company’s secure network…
- Fraud is on the rise CIOs need to address fraud issues with better security For the last three years it has been reported that estimated fraud losses are doubling…
- Cyber war breaks out – slows Internet Cyber war pushes need for more security The recent cyber war between Spamhaus and Cyberbunker, with a commercial distributed denial-of-service (DDoS) attack, pushed the Internet…
- CIOs Worry More About Cyberthreats CIOs face more cyber threats Cyber threats are now a much greater concern with the expansion of the use of mobile devices and services. At…
Cyber attacks are more extensive as the criminal element moves in
Cyber attacks and threats to networks and enterprise data are not going away. Risk is always with us, but the focus on security has expanded from physical security to cyber security.
The type and sophistication of cyber attacks are shifting and so are the people launching the attacks.
Initially cyber attacks started out with individuals infecting computer networks with viruses, but now the criminal element is involved. In 2011 there was an increase in denial-of-service attacks by hacktivists, like Anonymous, and, more recently, foreign-based cyber criminals have targeted automated clearing house (ACH) transfers and used diversionary denial-of-service (DoS) to attempt account takeovers.
Over the past five years there have been some big changes. There are websites where you can buy the tools you need. In fact, users can purchase 100,000 fraudulent bank cards that are guaranteed to work.
The targets are not limited to the United States; online fraud attempts have jumped significantly in Europe and Asia as well.
Just as banks continue to be targets for criminals looking for big scores, the crooks are not deterred when some banks tighten their defenses. They just move on to other banks. And just as bank robbers of the past were reticent to give up techniques that worked, today’s thieves are reluctant to develop new tools.
The Zeus family of malware, a trojan horse botnet that came to light in 2007, is still the gold standard.
IT Infrastructure is key to enterprise visibility
Visibility is essential to manage, analyze, and secure the complex system that is the IT infrastructure. Traditional approaches to network, application, and security management are breaking down in the face of trends including convergence, mobility, and consumerization of IT. With the growing volume of data, and with the mobility of users, devices, and applications, monitoring tools such as systems used for application performance management (APM), customer experience management (CEM), data loss prevention (DLP), deep packet inspection (DPI), intrusion detection systems (IDS), intrusion prevention systems (IPS), network performance management (NPM), network analysis, and packet capture devices, are struggling to provide accurate and timely analysis.
This is because tools have traditionally attached directly to the production network through TAPs or through mirror/SPAN ports. However, it is costly to proliferate tools wherever critical data exists in the infrastructure, and doing so leads to several challenges.
Worldwide, enterprises and public sector organizations leverage their IT Infrastructure in their remote locations and distributed processing centers, data centers and headquarters, or primary locations to:
- Gain pervasive and intelligent visibility for real-time insights
- Reduce expenses by simplifying operations and centralizing monitoring
- Eliminate contention among tools and IT departments for access to data
- Optimize tool performance for greater ROI
Web Design on 32% of sites has design flaws
Web design flaws were the focus of a recent Janco survey. There were 10 major design flaws that impacted web sites when viewed on the smaller displays of SmartPhones and Tablets.
Janco reviewed 1,045 major sites and found that 32% (335 out of 1,045) of them had at least one of these top 10 flaws.
- Look and feel is not consistent across devices – Pages were designed for a desktop and have not been adapted to meet the requirements of SmartPhones and tablets
- CSS style sheets lacking – Style and formatting information is contained within the body of the pages. For example, the font sizes may be good for a desktop, but without the proper use of CSS styles they are too small on smaller displays.
- Images are not scalable – Images are of a fixed size; as the device changes, the image does not scale in proportion to the page, resulting in pages that are difficult to view on the smaller screens of SmartPhones
- Pages have too much content and are too busy – Page content often is not focused and tries to cover too many “bases”
- Pages take too long to load – Pages have not been optimized to improve load times
- Text is too small – The text is too small and when the page is magnified on the smaller display the user has to scroll in order to view the page
- Layouts do not adjust according to the device the pages are viewed on – On multi-column pages, on smaller devices, the layout is not adjusted to show one column at a time.
- Images do not have alternative text – If images do not load quickly, no alternate text is displayed.
- Adobe Flash is used and is non-functional on Apple devices – Apple’s Safari does not support Flash, so this content cannot be viewed on iPads and iPhones
- Menuing systems are not conducive to variable size devices – Long horizontal menus do not display well on smaller screens and vertical menus in multi-column pages do not work well.
IT Infrastructure is key to CIOs leading enterprises in their management processes
CIOs and other members of the IT management team could be the reason their companies’ management processes may not be working. There are many recent changes in the business and operating environments that need to be addressed on an on-going basis:
- Expectations for governance oversight
- Globalization of markets and operations
- Changes and greater complexities of business
- Demands and complexities in laws, rules, regulations, and standards
- Expectations for competencies and accountabilities
- Use of, and reliance on, evolving technologies
- Expectations relating to preventing and detecting fraud
If the managers, the CIO and the IT management team demonstrate good behavior, everybody down the line will copy it. People need to lead by example; if the CIO does not follow the rules or address issues like those above, then that is viewed as acceptable behavior.
An effective management process needs the right tone set by the IT leadership team. Though the effectiveness of a management process is difficult to quantify, it can mean the difference between successful companies and struggling ones. Firms that sell products overseas, for example, are at a “competitive disadvantage” if they don’t have good management process control outcomes. It’s like fire prevention: you don’t know how many fires you’ve stopped.
A lack of good management processes leads to poor internal controls. This in turn presents opportunities for fraud, even among some of the most trustworthy employees.
For example, having good internal controls means segregating the bookkeeping and accounts-receivables duties. That means not having one person in charge of authorizing, posting and having final custody of live checks. Bad controls, for example, would be if the accounts-receivables clerk is responsible for all those things, which can be the case in small businesses.
Companies need to be particularly mindful of former employees, in individual business units as well as within the company as a whole. Equally important is an employee who changes positions in the company: when employees move departments, their access to sensitive data can increase. Simply by keeping old passwords and accounts active, CIOs are enabling a good person to do bad things.
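The two control points above, segregation of duties on check handling and access that outlives a termination or a department transfer, are exactly the checks an access review automates. The following is an added example, not code from the original post or from Janco; every employee, account, department and entitlement name in it is constructed, and the rule that authorizing, posting and check custody must sit with different people is taken from the text.

```python
"""Access review for two internal-control points: segregation of duties on
check handling, and access that survives a termination or a transfer.
Added example; all employees, accounts and entitlement names are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Entitlement pairs one person must never hold together. Built from the
# authorize / post / custody split described in the text.
SOD_CONFLICTS = {
    frozenset({"ar.authorize", "ar.post"}),
    frozenset({"ar.authorize", "ar.check_custody"}),
    frozenset({"ar.post", "ar.check_custody"}),
}

# Which entitlements each department legitimately needs (constructed).
DEPT_ENTITLEMENTS = {
    "finance": {"ar.authorize", "ar.post", "ar.check_custody", "gl.view"},
    "sales": {"crm.edit", "crm.view"},
}


@dataclass
class Employee:
    """One HR record."""
    user: str
    department: str
    active: bool                            # False once HR records a departure
    transferred_from: Optional[str] = None  # previous department, if moved


@dataclass
class Account:
    """One directory or application account."""
    user: str
    enabled: bool
    entitlements: set = field(default_factory=set)


def review_access(employees, accounts):
    """Compare HR records with live accounts; return (user, kind, detail) tuples."""
    by_user = {e.user: e for e in employees}
    findings = []
    for acct in accounts:
        emp = by_user.get(acct.user)
        if emp is None:
            # Nobody in HR owns this login: an orphan if it still works.
            if acct.enabled:
                findings.append((acct.user, "orphan", "enabled, no HR record"))
            continue
        if not emp.active and acct.enabled:
            findings.append((acct.user, "terminated", "account still enabled"))
        for pair in SOD_CONFLICTS:
            if pair <= acct.entitlements:
                findings.append((acct.user, "sod", "+".join(sorted(pair))))
        if emp.transferred_from:
            # Access carried over from the old department that the new one does not need.
            old = DEPT_ENTITLEMENTS.get(emp.transferred_from, set())
            new = DEPT_ENTITLEMENTS.get(emp.department, set())
            stale = (acct.entitlements & old) - new
            if stale:
                findings.append((acct.user, "transfer", ",".join(sorted(stale))))
    return findings


def count_by_kind(findings):
    """Summarize findings as {kind: count}."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample data: a small business's HR list and its accounts.
SAMPLE_EMPLOYEES = [
    Employee("alice", "finance", True),
    Employee("bob", "sales", True, transferred_from="finance"),
    Employee("carol", "finance", False),
    Employee("erin", "finance", True),
]
SAMPLE_ACCOUNTS = [
    # alice authorizes, posts and holds the checks: the "bad controls" case
    Account("alice", True, {"ar.authorize", "ar.post", "ar.check_custody"}),
    # bob moved to sales but still carries a finance entitlement
    Account("bob", True, {"crm.edit", "crm.view", "ar.post"}),
    Account("carol", True, {"gl.view"}),                 # left, never disabled
    Account("dave", True, {"gl.view"}),                  # no HR record at all
    Account("erin", True, {"ar.authorize", "gl.view"}),  # clean
]


def demo():
    """Run the review over the constructed sample."""
    return review_access(SAMPLE_EMPLOYEES, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for user, kind, detail in demo():
        print(f"{user:6} {kind:10} {detail}")
```

In a real environment the HR list and the account list would come from the HR system and the directory; the point of the example is that each of the four finding kinds is a mechanical comparison between the two, so the review can run on a schedule rather than waiting for an audit.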
Critical Success Factor in Web Implementation is Personalization
Personalization is recognized as a Critical Success Factor (CSF) for both e-commerce and non-commerce sites. Companies with an online presence are learning that they need to take action to learn more about their customers in order to increase customer loyalty, gain new followers and outshine the competition. More than 60 percent of the companies surveyed are prioritizing investments over the next year that will enable a more personalized Web experience.
There are several benefits companies can realize by creating a more personalized website experience. Cited by 69 percent of survey respondents, improved website engagement is at the top of the list. When businesses employ website personalization techniques, the visit becomes a two-way interaction. Instead of solely clicking or pushing his or her way through the site, the user is enticed or pulled through the site via personalization, thus increasing website engagement.
The second benefit, according to 62 percent of survey respondents, is improved brand image. Visitors think highly of businesses that anticipate their needs and appeal to their individual interests. Finally, coming in third and fourth, 44 percent of respondents cite improved lead generation and decreased customer or website abandonment rates.
In order to provide a personalized Web experience and realize these benefits, companies need information about their visitors. Yet there are gaps identified when it comes to the information companies are currently able to collect. These gaps primarily exist around location, which inhibits the ability to offer visitors a personalized Web experience.
Happy employees make happy customers. Employee satisfaction and engagement are correlated to business outcomes.
Ponder for a moment the last person you hired. After you selected them, did they work out as intended? Or did they turn into somebody totally unlike what you thought when you interviewed them?
The most important aspect of any business is recruiting, selecting, and retaining top people. Research shows those organizations that spend more time recruiting high-caliber people earn 22% higher return to shareholders than their industry peers. However, most employers do a miserable job selecting people. Many companies rely on outdated and ineffective interviewing and hiring techniques. This critical responsibility sometimes gets the least emphasis.
Finding the right employees, providing them with the tools they need to do their jobs, keeping the good ones happy, and keeping them around is the job of the whole organization — even the CIO. Yet employees report significant dissatisfaction with the technology provided to them at work: the technology expectations gap. And that gap is more pronounced in Europe than elsewhere. With technology tools front and center in the minds of many employees, the CIO can play a critical role in steering the right course to attract and retain the company’s key assets — the workforce. That role requires close collaboration with HR to embed technology into the corporate culture, to enable and promote the use of technology across the organization, and to constantly evaluate the attitudes of the workforce in order to accommodate an ever-changing workforce.
Facebook is about to make a change to its privacy controls so that ANYTHING you have on their system is no longer yours. In essence they are saying WELCOME STALKERS. If there is ever an “Alliance” with Google, nothing about you, your family, and your job will be private.
If you thought that the NSA data collection process was scary – this would even scare George Orwell.
Facebook is pulling the plug on a setting that allowed people to prevent others from finding them by name using the Facebook search bar, the company said. The setting was actually removed last year for people who weren’t using it, but it was left in place for those who were.
Not any longer. The setting will disappear for all users in the coming weeks, Facebook said. People still using the setting will see a notice on their homepage alerting them that it will soon be going away. Less than 10% of Facebook’s 1 billion-plus users were still using the setting, according to a Facebook spokeswoman.
Its disappearance means Facebook users will no longer have a way to prevent people from finding their Timeline on the site.
BYOD guidelines are just being defined, but one warning must rise above the din: never, ever, try to gain unauthorized access to an employee’s pri…
What is HIPAA
What is HIPAA and what does the FTC rule mean
Compliance Mandates – Security Manual Template Version 8.0 Released
Companies should also weigh the vulnerabilities associated with various cloud computing service and deployment models
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights…
Cloud Computing Service Level Agreement – Reaching agreement on the terms of service of a negotiated SLA for public cloud services can be a compli…
Security Issue Trends
PCI Compliance Security Issues
What’s needed for PCI compliance is a comprehensive, high-quality security policy. To that end Janco has a security policy template available for immediate download. Take a look at what’s included when ordering today from the company that’s helped thousands since 2009:
- Section I: Easy-to-understand, step-by-step process for achieving PCI compliance that’s been exclusively authored by payments experts with a focus specifically on merchants and service providers seeking clear and concise directions for PCI DSS certification.
- Section II: Detailed set of high-quality Policies and procedures developed specifically for PCI compliance as required by the PCI DSS standards themselves.
- Section III: Comprehensive PCI DSS information security manual as mandated by the PCI DSS standards for PCI compliance.
- Section IV: Certificate of compliance to be self-awarded upon meeting all requirements for PCI compliance.
- Section V: PCI security awareness training material for training all employees on important security issues, threats, concerns, and best practices.
Infrastructure is key to data center management
Data Center Management Issues – Your data centers are stuck in a rut. While 90 percent have had an upgrade in the last three years, the data center you have isn’t the data center you want.
If you want to build for tomorrow, you shouldn’t start from here
The hidden problem is the invisible glue: your network. It was hell to set up. It’s difficult to change, and maybe you don’t have the skills.
Many clients tell us that their networks have hardly changed since the day they were installed.
But now you need flexibility and the ability to scale up and down.
And you can’t start from scratch. How do you solve the problem practically? Do you rip and replace, or can you network the data center you need from the data center you already have?
Top 10 Best Practices
Best Practices – Reputational risk is the exposure that your company will lose potential or existing business because its trustworthiness has been called into question. A recent study found companies placing economic values on their corporate brand or reputation ranging from less than US$1 million to more than US$10 billion, with the average coming in at US$1.56 billion.
Most major enterprises assign such high value to corporate reputation and its protection that their annual reports contain special sections dealing with this topic. With today’s widespread use of social media and other sources of instant news and communication, a company’s reputation has never been more vulnerable.
Janco has found these 10 best practices in organizations that were most confident in their ability to prevent and mitigate IT-related reputational risk:
- Have a central focal point for all issues associated with reputation management. Ultimate responsibility for reputational risk, including IT-related items, should rest with one person
- Conduct frequent reputation risk assessments. Risks change all the time and companies need to understand what “new” ones can impact them
- Have an incident communication and response process in place. Once an event occurs it is too late to think about how to respond, have a plan and responsibilities in place so you can be proactive
- Consolidate compliance management and reputation management activities. Measuring reputational and IT risk management strategies against compliance requirements is essential.
- Have a social media policy in place. Establishing the “rules of the road” is a first step in ensuring that the risk to the enterprise’s reputation is minimized
- Understand the impact of social media on the organization’s reputation. In addition to recognizing its potential for negative reputational impact, social media should be leveraged for its positive attributes.
- Monitor your supply chain to see how your organization is viewed by everyone at every level. Organizations must require and verify adherence of third-party suppliers to corporate standards.
- Do not assume everything is okay. Organizations should continually evaluate reputational and IT risk management results against strategy to find and eliminate potential gaps.
- Invest in programs that minimize risk – invest in prevention. For optimal reputational risk mitigation, companies need to fund critical IT systems as part of their core business.
- Communicate to everyone that reputation is important to the organization. After an event, get back to suppliers, customers, “potential” customers, employees and others as quickly as possible to show that the organization places a high degree of importance on its reputation.
When a business continuity plan is non-functional
Failed Business Continuity – This morning about 2:00 AM MST one of the largest providers of cloud services went down. As I write this it is 11:30 AM MST and the service is still down.
It seems that their entire network, both the east coast and the west coast, is down. I talked to their corporate office and at this time they have no idea as to when they will be back up, and at the same time the person I talked to said he did not know what their business continuity plan was, since this was a nation-wide failure in their network.
They should have followed the 10 commandments that we published earlier.
- Analyze single points of failure: A single point of failure in a critical component can disrupt well engineered redundancies and resilience in the rest of a system.
- Keep updated notification trees: A cohesive communication process is required to ensure the disaster recovery business continuity plan will work.
- Be aware of current events: Understand what is happening around the enterprise – know if there is a chance for a weather, sporting or political event that can impact the enterprise’s operations.
- Plan for worst-case scenarios: Downtime can have many causes, including operator error, component failure, software failure, and planned downtime as well as building- or city-level disasters. Organizations should be sure that their disaster recovery plans account for even worst-case scenarios.
- Clearly document recovery processes: Documentation is critical to the success of a disaster recovery program. Organizations should write and maintain clear, concise, detailed steps for failover so that secondary staff members can manage a failover should primary staff members be unavailable.
- Centralize information – Have a printed copy available: In a crisis situation, a timely response can be critical. Centralizing disaster recovery information in one place, such as a Microsoft Office SharePoint® system or portal or cloud, helps avoid the need to hunt for documentation, which can compound a crisis.
- Create test plans and scripts: Test plans and scripts should be created and followed step-by-step to help ensure accurate testing. These plans and scripts should include integration testing; silo testing alone does not accurately reflect multiple applications going down simultaneously.
- Retest regularly: Organizations should take advantage of opportunities for disaster recovery testing such as new releases, code changes, or upgrades. At a minimum, each application should be retested every year.
- Perform comprehensive recovery and business continuity test: Organizations should practice their master recovery plans, not just application failover. For example, staff members need to know where to report if a disaster occurs, critical conference bridges should be set up in advance, a command center should be identified, and secondary staff resources should be assigned in case the event stretches over multiple days. In environments with many applications, IT staff should be aware of which applications should be recovered first and in what order. The plan should not assume that there will be enough resources to bring everything back up at the same time.
- Define metrics and create scorecards: Organizations should maintain scorecards on the disaster recovery compliance of each application, as well as who is testing and when. Maintaining scorecards generally helps increase audit scores.
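The first commandment, analyzing single points of failure, is the one that can be checked mechanically before an outage rather than discovered during one. The following is an added example, not code from the original post or from Janco: it models a small topology in which each component provides capabilities and depends on other components, and reports every component whose failure (including the cascade through everything that depends on it) leaves a critical service without some capability it needs. The topology, component names and the "customer-portal" service are constructed for illustration.

```python
"""Single-point-of-failure analysis over a constructed dependency graph.
Added example, not from the original post. A component is a SPOF for a
service if removing it, and everything that transitively depends on it,
leaves some capability the service needs with no surviving provider."""

# Constructed topology: name -> (capabilities provided, components it depends on)
COMPONENTS = {
    "router-east": ({"network"}, set()),
    "router-west": ({"network"}, set()),
    "core-switch": ({"fabric"}, set()),
    "db-primary":  ({"database"}, {"core-switch"}),
    "db-replica":  ({"database"}, {"core-switch"}),
    "dns":         ({"dns"}, {"core-switch"}),   # only one DNS server
    "app-east":    ({"app"}, {"router-east", "core-switch"}),
    "app-west":    ({"app"}, {"router-west", "core-switch"}),
}

# Constructed critical service and the capabilities it cannot run without.
SERVICES = {
    "customer-portal": {"network", "app", "database", "dns"},
}


def alive_after_failure(components, failed):
    """Return the set of components still functioning once `failed` goes down.

    A component is down if it is the failed one or if any of its dependencies
    is down; the loop repeats until the cascade stops growing."""
    alive = set(components) - {failed}
    changed = True
    while changed:
        changed = False
        for name in list(alive):
            _, deps = components[name]
            if not deps <= alive:
                alive.discard(name)
                changed = True
    return alive


def single_points_of_failure(components, services):
    """Map each service to the sorted list of components whose failure takes it down."""
    result = {}
    for svc, needs in services.items():
        spofs = []
        for comp in components:
            alive = alive_after_failure(components, comp)
            provided = set()
            for name in alive:
                provided |= components[name][0]
            if not needs <= provided:
                spofs.append(comp)
        result[svc] = sorted(spofs)
    return result


if __name__ == "__main__":
    for svc, spofs in single_points_of_failure(COMPONENTS, SERVICES).items():
        print(f"{svc}: single points of failure = {spofs or 'none'}")
```

On the constructed topology the routers, application servers and database are paired, so none of them is a single point of failure, but the lone DNS server and the core switch everything hangs off are. Adding a second DNS server removes one of the two; the core switch can only be removed from the list by giving the dependent components a second path, which is the kind of finding the analysis is meant to surface before the nation-wide outage described above.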