GRAPE January Security panel recap
This past week I attended a great panel discussion on Internet security hosted by GRAPE - Grand Rapids Area Professionals for Excellence. The panel was titled "Internet Reconnaissance: How Secure Are You?" and featured speakers whose expertise ranged from data center security to cyber war, and whose employers ranged from Microsoft to Symantec. Each panelist spoke about their own area, but it all boiled down to the fact that security is still a lot of work, regardless of whether you're a one-person company or a multi-million dollar organization.
Edwin Alanouf from Symantec noted that their research shows the information held by a "modern" company growing at a 50-60% rate year over year, meaning this year you will probably produce 60% more "information" than you did last year simply because technology makes it easy to create and store more and more "stuff". The question then becomes: once you have all this information, how do you protect it? How should your techniques for backing up and recovering that data change? What's the cost of losing that data, or of it getting into the wrong hands either inadvertently or by force?
Brendan Newell from Microsoft brought up that today the operating system is less of a risk than it was 5 years ago. Microsoft and Apple have both made huge strides to shorten the time from the acknowledgement of a bug or security hole to a patch being available. Today the threat lies in the business software that companies rely on to run, and in the people using those various software tools. Businesses are now starting to use tools that are outside of their control and outside of their firewall. Edwin Alanouf referred to this as the "consumerization of IT".
This software is no longer limited to desktop applications either. Businesses are beginning to rely on cloud storage and applications, mobile devices and social networks to get work done faster, cheaper and more efficiently. Businesses and IT departments now need to consider how the information they produce flows across the Internet and among their employees, customers and partners, and ensure that this data is always secured, protected and backed up.
Many "cloud" applications are secure. We built Secure File Exchange because sending sensitive files over email isn't secure and we wanted to make it easy for people to send them safely. Google Docs is a great Office suite alternative and it all runs over SSL, so the information is encrypted between you and Google's servers, and backing up files offsite to a service like Carbonite is easier than ever. The one weak link in all of these is the people using them.
The big takeaway from the panel discussion came down to something we all use and think about: passwords. Richard Stiennon, author of "Surviving Cyberwar", brought up the topic of the Gawker password leak and how it resulted in his most commonly used password being leaked to the web. There's a little irony in an IT analyst using the same password in multiple places, but we're all guilty of it. Richard then brought up the increased interest in out-of-band authentication technology, where a user is authenticated by something they know, their user name and password, and something they have, such as their mobile device. (Plug: check out Authly, wink wink). This helps solve the problem of an easily guessed password. Someone could log in with my username and password, but if they don't have the one-time passcode that instantly arrives on my cell phone, then they are blocked from any further access. Slick, right?
Overall the panel discussion was interesting, with a lot of insight into what to be aware of, but it lacked next-step action items for people to leave with. So I figured I'd put some down:
- Start using a password manager tool - this will help you have complex passwords unique to each site without having to think. Kevin Mitchell from IServ listed a few that I didn't catch, but I really like 1Password
- Back up all the time - Carbonite has a great tool for the desktop and network to back up to the cloud
- Practice recovery - backing up is only half of the solution; if you can't recover your data, then you're not going to have a happy boss when something does go wrong
- The largest one, I guess, is to just be aware of security - don't send sensitive things over unencrypted channels (FTP, email, or a non-SSL browser connection), and really examine and question those "Update your software now" pop-up windows
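The "practice recovery" item is the one people skip, so here is an added example (my own illustration, not a Carbonite or panel-provided tool) of a recovery drill: back a directory up to a tar.gz archive, restore it into a separate location, and compare a SHA-256 fingerprint of every file before and after. The sample files are constructed inline; the point is that a backup only counts once a restore has been shown to reproduce the data byte for byte.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def make_sample_tree(root: Path) -> None:
    """Constructed sample data standing in for the files being backed up."""
    (root / "docs").mkdir(parents=True)
    (root / "docs" / "contract.txt").write_text("signed 2011-01-15\n")
    (root / "notes.md").write_text("# quarterly notes\n")
    (root / "empty.bin").write_bytes(b"")   # zero-length files must survive too

def fingerprint_tree(root: Path) -> dict:
    """Map each regular file (path relative to root) to the SHA-256 of its content."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            result[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result

def backup(source: Path, archive: Path) -> None:
    """Write source to a gzip-compressed tar archive with paths relative to source."""
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            tar.add(path, arcname=str(path.relative_to(source)), recursive=False)

def restore(archive: Path, target: Path) -> None:
    """Extract the archive into target, refusing path-traversal entries where supported."""
    target.mkdir(parents=True, exist_ok=True)
    # The "data" extraction filter (newer Python releases) rejects absolute paths
    # and ".." escapes in archive entries; fall back silently on older interpreters.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, **extract_kwargs)

def compare_trees(before: dict, after: dict) -> dict:
    """Report files lost, files that appeared, and files whose content changed."""
    return {
        "missing": sorted(set(before) - set(after)),
        "unexpected": sorted(set(after) - set(before)),
        "changed": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }

def recovery_drill(source: Path, workdir: Path) -> dict:
    """Back up, restore somewhere else, and diff the fingerprints. Empty lists mean success."""
    workdir.mkdir(parents=True, exist_ok=True)
    archive = workdir / "backup.tar.gz"
    restored = workdir / "restored"
    backup(source, archive)
    restore(archive, restored)
    return compare_trees(fingerprint_tree(source), fingerprint_tree(restored))

def run_drill() -> dict:
    """Run the whole drill against the constructed sample tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        source = tmp_path / "source"
        make_sample_tree(source)
        return recovery_drill(source, tmp_path / "work")

if __name__ == "__main__":
    print("recovery drill result:", run_drill())
```

Restoring into a separate directory rather than over the live data is intentional: a drill that overwrites the originals cannot tell you whether the backup was any good. Schedule something like this to run on its own so the first time you rely on a restore is not the day the disk dies.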