A Business Technology Place

The Yin and Yang of Security Patching


My computer is working, don’t change anything.

As an IT manager I observe this behavior regularly with end-users and product managers of eCommerce applications. It’s understandable. When a computer system is working and doing its job then “updates” are sources for creating failure. Updates change code. Updates rock the boat.

If a computer security update hasn’t bitten you yet, then it’s probably just a matter of time. My experience is that the number of system issues related to operating system updates is growing. It’s hard to test all the dependencies of code updates against every combination of hardware and software that exists on computing equipment. A couple of examples I can point to in 2017 are Microsoft Edge no longer working after installing the Windows 10 Creators Update, and Microsoft Outlook being unable to open attachments, which was later resolved with another hotfix.

But we all know security updates are necessary. Why would we risk our personal data to thieves? In a business setting, why would we put our customers’ data at risk? Why would we put the reputation of our business at risk?

Therein we find the yin and yang of security updates. We don’t want to upset the balance of a stable system, but we need to update the system so that it can remain stable in the future.

In the name of audit controls and security principles.

In the business environment, audit standards require staying up-to-date with security patches. ISO 27001/ISO 27002 and SOC 2 have controls specifically addressing vulnerability patch management policies and procedures. Meeting the requirements of those controls takes discipline in process and procedure. These standards are there to nudge all of us to change, because we all know we resist change.

Plug those security gaps or face the consequences.

The consequences of not installing security patches can be devastating. In the worst case of cyber theft reported thus far, Equifax was robbed of information for 143 million individuals. The attackers found a weakness because Equifax failed to patch a known security vulnerability in website code they use.

Now hundreds of millions of people are exposed to the whims of criminals. The reputation of a large credit bureau is blown. The two highest ranking security officials within Equifax are out of a job. Patching known security vulnerabilities is serious business.

Complementary forces at play.

The next time someone schedules a security update for a system or application, understand the potential consequences fully. Intruders are at the gates. They make a living on our resistance to change. But if we support the change and work with administrators to report any malfunctions, we can all help to build a safer tomorrow. That’s how another yin and yang can make a more complete whole.

Onward and upward!

Do you cover your webcam?

Do you cover your webcam with a piece of tape?

Over the past several years I’ve noticed that many colleagues in the office cover their webcams with a piece of tape. Maybe they’ve read about incidents of camfecting, or maybe they are just paranoid about any intrusion into their privacy. It may seem like a Hollywood movie script, but the threats are real. Hackers have used webcam images for extortion, and even government agencies have hacked webcam sessions in the name of state security.

There are other ways to block the camera hole.

This security concern isn’t new. Some manufacturers allow you to completely disable the camera in the system BIOS. That’s a good method to turn it off before the system boots, but you’ll have to reboot to turn it back on if you want to use the camera for legitimate purposes. You can also disable the camera through the operating system, but a software switch can be turned back on by whoever compromises the running system. There are a variety of webcam slide covers available to purchase from a retailer. These devices have a manual slide closure, which makes opening and closing the camera hole more convenient than a sticky piece of tape, and they are more visually appealing.

If you are paranoid about someone spying on you from your computer camera you should also be concerned about the onboard microphone that captures sound. Don’t forget your cell phone camera. It’s susceptible to hacking as well.

With all the security concerns why isn’t a webcam slider standard issue?

If we can buy webcam sliding devices on the market to cover the camera hole, then why can’t manufacturers make this a built-in standard feature? My car with a sunroof has a manual sliding cover in addition to the electric sunroof opener. When I open the roof the manual cover slides open with it. Then when I close the sunroof I can slide the cover to a fully closed position if I don’t want to see the sky through the glass sunroof. Why can’t built-in webcams for laptops and USB webcams have a similar slide device built in?

This would solve a need and keep the choice to cover or leave the camera up to the operator of the device. Hack me or hack me not?

Onward and upward!


Rethink IT Compliance

Compliance initiatives are viewed from the wrong lens.

Every week I look at requests and responses for technology and security compliance matters. Typically, I communicate this information with compliance-based personnel for a customer, the sales organization, or the lawyers. The focus of the process is to get answers to check a box and then move forward with the sales process. Speaking candidly, most of the people in the communication chain don’t really care about the content of the compliance controls. The process serves as a means to an end.


Compliance controls are put in place for a reason and are well intentioned to make workplace environments safer for both customers and employees. But I thought of three reasons why compliance controls cause angst and are often viewed negatively in a business environment:

  1. The compliance documentation is reviewed at the end of the sales process when it doesn’t influence decision making but becomes part of a check-list to get signatures on a contract.
  2. Compliance is viewed as a cost center and not an asset for winning business.
  3. The compliance documentation does not add value to the customer because documents are managed by a group that doesn’t use the product or service that is purchased.

Look at examples from other industries.

In the food and service industry it is required that restaurants post their health score inspections in a visible location. I look at these scores periodically and a low score has given me reason to pause and think before ordering to eat. In this example the health score acts like a compliance report and is posted in plain view so the customer can view it before making a decision to purchase.

While not a standard, a few car dealerships will put an inspection report inside used vehicles on their lot. It shows a potential buyer what was discovered during an inspection and whether the issue was repaired. This is a quick-view grid that allows a prospective buyer to weigh the cost and value of a vehicle prior to purchase. For the dealer it becomes an asset that represents an investment in the product they are selling. The last used car that I purchased had one of these reports, and for me it was the difference that made me a purchaser.

Rethink IT Compliance.

Taking the lead from my examples from the food service and automotive industries, I think we could bring more value to IT compliance work by changing the lens and refocusing our view.

  1. Present a summary grid of IT compliance elements at the beginning of the sales process with prospective buyers. Rather than viewing the document as a check-list, the sales organization would view the information as part of a selling tool, and they would be more engaged with the content of the compliance process.
  2. Present compliance work as an asset and differentiator rather than thinking about it as a back-office cost. Let customers know that the company has made an investment in control mitigation and best practices. This becomes not only an asset to the product and service that is sold but speaks to the culture of the organization doing the selling.
  3. Allow the end customer to see the list upfront. This should be a simple one-page document that shows the tests, policies, and initiatives related to compliance and regulatory controls. This allows the customer to place a value on the process and possibly influences their behavior to move to the next step of the buying process.

This could be done in such a way that it doesn’t expose detailed secrets about what vulnerabilities exist in the security control findings. Remember, it should be a one-page grid summary: things like what policies are in place, what standards are used as the basis for security policies, whether routine scans and penetration tests are performed, etc. If the customer has a compliance group and they want to see more details or examples, then you could provide that later in the process.

Onward and upward!

Photo credit: Iwan Gabovitch via Creative Commons.

Desktops in the cloud

Is it time to put your business desktops in the cloud?

The concept has an appeal to IT managers. Why shouldn’t it? Reduced total cost of ownership, automatic upgrades, and on-demand variations for OS/browser are a few appealing features. But are we really ready for desktops in the cloud?

I think we’ll get there. But we aren’t ready just yet.

  • Habits – Computing usage habits and familiarity with screens and processes are hard to change. Most of the users with desktops/laptops under my IT management are very attached to their local drive storage. Saving to a network drive isn’t the path of least resistance because it’s not the default (but could be) and may not be available (laptops in local mode). Laptop users are in the habit of using their devices even without internet connectivity. That would have to change.
  • WiFi availability – A recent trip down I-95 and I-10 in Florida reminded me that we still have areas on the grid that don’t have good access to the internet. My phone was flipping between 4G, G, E, and no network. It’s getting better as providers enhance their networks, but until we have more widespread full internet access I don’t think we can see wide-scale adoption of a mobile cloud computing desktop.
  • Data location – Storing data in the cloud is a concept that hasn’t reached a happy place with security policies and risk management offices. I fill out a couple of security questionnaires each week and must answer about the security of PII and PHI data. The most common security controls call for no local storage, encrypted storage, and disabling portable storage media. That seems to fit into the cloud storage model well. But the complexity is that cloud storage means another facility and another group of employees that could have physical access to the data. The risk management office asks many other questions about physical security of the building and standard operating procedures for employees. Once the data is stored in the cloud, how can an IT manager vouch for the procedures at the hosting site?
  • Industry machine – Desktops and laptops are a big industry. Don’t underestimate the lobby and influence of the major players if they feel a cloud computing desktop will cut into their sales and profits.

None of these concepts are difficult to overcome, and I think they will be overcome. Google has already started creating a variation in the home market with the Chromebook. I think the cost benefits will ultimately draw IT managers to introduce cloud computing in the business environment as well. They just need to solve for user habits, accessibility, data location, and availability of equipment.


The Weakest Lock

What entry point to your electronic data is the least secure?

The Evernote announcement of forced password resets last week started an email discussion between a colleague and me about password security. I was impressed with the precautionary measures of Evernote and their transparency in admitting they detected suspicious network activity. Although they found no evidence that password files were compromised, they chose to communicate their findings and force password resets for all their users. In a blog post and email Evernote states “As a precaution to protect your data, we have decided to implement a password reset.” That’s a small price to pay for a little insurance and peace of mind about the information in my account. I gladly reset my password and then moved on with my other daily activities.

My email conversation was about password security and authentication measures to access data. Some time ago I started using one of the online password services, PassPack, to help me manage passwords for all my accounts. I set up a randomly generated password for most sites, which means I can’t get access to these sites without first signing in to my password manager. Extra security does come with extra overhead.

Are gestures a good idea for authentication?

The email conversation on the topic captured a thought about the weakest entry point.

“Follow up on Bob’s random password use. I use LastPass and have considered having it randomly generate passwords for everything. That would create a complete dependency on LastPass, and I’d want to export / backup the list at times. But then what password guards LastPass? That one password would become the weakest lock.”

For me, PassPack requires both a username/password combination and an additional encryption key, which is a full phrase or sentence. But conceptually the thought in the email is correct. A single authentication that grants access to a group of credentials is the weakest lock, or at least the most impactful one. If someone were to gain access to my master list of authentication credentials, then it really doesn’t matter that each of the sites I use has a different password.

The balance between security and usability.

Yancey Vickers from Red Clay Interactive wrote about the convenience of password manager programs and OpenID in her post One Password to Rule them All. She discusses some of the tradeoffs between added password security and usability. People have different tolerances for how much security they accept in their authentication process. I suspect that the level of overhead I take on to sign in to a password manager to retrieve a password is not acceptable to most people.

What about mobile devices?

The email goes on to read:

“Then I think about our smart phones. That may be the weakest lock because if you get into my smart phone you can get into a lot of stuff to either gain access or socially engineer others to gain access. For the longest time that was just a 4 digit pin. Now it is a gesture.”

I hadn’t thought about this before the email. But my friend is right. The security requirements for my company-issued phone are not the same as those on the company-issued laptop. There is no multi-character password requirement, expiration date, or VPN program on the phone. A single PIN, or gesture, allows access to corporate email. That does sound like the weakest lock.

Do mobile devices warrant tighter security? Would people use a mobile device if they had to key in a password composed of capital, lowercase, numeric, and special characters? What if they had to authenticate with a VPN service after unlocking the phone? The standards seem to vary by device.

The Weakest Lock.

One password to rule them all, One password to find them,
One password to bring them all and in the mobile device bind them.