The year is 1995.  Viruses and Trojans are running rampant in computer networks.  They are being used to hack networks and create data breaches at an alarming rate.  Centralized anti-virus management consoles are providing technology and business leaders with a false sense of security.  While no outbreaks are being detected, systems are frequently out of date or not connecting with the console but nobody is watching those statistics.  Only outbreaks are monitored.

Fast forward 20 years.  The year is 2015.  Viruses and Trojans are running rampant in computer networks.  They are being used to hack networks and create data breaches at an alarming rate.  Centralized anti-virus... you get the picture.  Not much has changed in 20 years.  I urge you to do a full audit of your current anti-malware strategy.  The last 3 data breaches investigated by Integrity’s team had a malware component used to hack the victim.  Each thought their anti-malware strategy was solid.  They were wrong.  Are you?

Information security is all about the technology, right?  Wrong.  Oh, it’s all about the people, right?  Wrong.  Well, if not people and not technology, then what?  I’ll give you a hint.  The first two are part of the equation.  The thing that is most often overlooked is process.  People, Process and Technology.  If you’re missing any of the three, your information security program is bound to fail.

If you’re missing the process component, you’re most likely missing the risk management functions which are critical to your business.  Risk management is what ties information security people and technology to the business.  Have you seen organizations throw money at security technology and still have massive breaches?  Have you been in a department where it’s impossible to get funding for any security expenditures?  Are you a CEO who’s having trouble finding value in the people and technology requests to address security?  It is because proper risk management isn’t being performed.

Nothing in this world is free.  Everything has a cost.  Parents, did you know that most of the “free” online apps your children use have actually been paid for with their privacy?  Apps like Instagram and Facebook use a tracking identifier placed on your children’s mobile devices to identify them and their behavior.  This information is then provided to the apps’ “affiliates” so they can serve ads tailored to your children’s preferences, or what the affiliates assume those preferences are.  All of this information is stored in consumer databases.  Your children may even have given some apps permission to read text messages or emails.  The free Google Docs terms of use say they can index files stored in their services.  That’s a lot of private information that’s not so private any more.

I don’t allow my children to use most of these online services but I’m not saying you shouldn’t let yours use them.  I simply want you all to know that “free” isn’t really “free”.  While there isn’t an immediate exchange of currency, there is an exchange of “goods” for “services provided”.  You might want to take a look at the terms of use for some of these apps and determine if you want to trade your child’s privacy for their free use. 

Every single information security breach investigation that the team at Integrity was a part of in 2014 had a malware component.  This isn’t to say that the hack was the result of the malware attack.  It just means that the security breach was aided in some way by the malware.  How in the year 2015 is a statistic like this still possible?

Quite simply, finding mismanagement of the anti-malware tools and a lack of security monitoring is common in security breach investigations.  In all cases we investigated in 2014, the anti-malware tools were either not configured properly or not updated on a regular basis.  Couple that with the fact that no one was checking to make sure the tools were working properly or looking for malware detections and you see the problem.  Folks are betting the farm on a flawed system. 
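The gaps described above (agents that are out of date, not reporting to the console, or misconfigured while nobody checks) can be found by auditing a console export against an asset inventory.  The following is an added example, not part of the original post; the CSV column names, hostnames, thresholds and data are constructed assumptions, not any vendor’s export format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: export from a hypothetical anti-malware console.
# Every host shows zero detections, so an outbreak-only view looks clean.
CONSOLE_EXPORT = """host,last_checkin,definitions_date,realtime_protection,detections_30d
ws-001,2015-02-20T08:15:00,2015-02-19,on,0
ws-002,2015-01-02T17:40:00,2014-12-28,on,0
srv-db1,2015-02-20T07:55:00,2014-11-30,on,0
srv-web1,2015-02-20T08:01:00,2015-02-19,off,0
"""
# Constructed sample: hosts the asset inventory says should be protected.
INVENTORY = ["ws-001", "ws-002", "srv-db1", "srv-web1", "laptop-ceo"]


def audit(export_text, inventory, now, max_checkin_days=7, max_def_days=3):
    """Return {host: [findings]} for every host with a health gap."""
    findings = {}
    seen = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        host = row["host"]
        seen.add(host)
        issues = []
        checkin = datetime.fromisoformat(row["last_checkin"])
        defs = datetime.fromisoformat(row["definitions_date"])
        if now - checkin > timedelta(days=max_checkin_days):
            issues.append("not reporting to console")
        if now - defs > timedelta(days=max_def_days):
            issues.append("definitions out of date")
        if row["realtime_protection"].strip().lower() != "on":
            issues.append("real-time protection disabled")
        if issues:
            findings[host] = issues
    # Hosts in the inventory that the console has never seen at all.
    for host in inventory:
        if host not in seen:
            findings[host] = ["no agent registered"]
    return findings


if __name__ == "__main__":
    report = audit(CONSOLE_EXPORT, INVENTORY, datetime(2015, 2, 20, 12, 0))
    for host, issues in sorted(report.items()):
        print(f"{host}: {', '.join(issues)}")
```
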

Lots of money is spent on technology each year.  However, if you don’t have the right people and process behind the technology, your risk of getting hacked and being the victim of a security breach rises exponentially.  People, Process, Technology.  There’s a balance to be found.  Do you have it?

This article I found at Nextgov.com is a great reminder that the cyber espionage and surveillance that was once reserved for the movies is now a real threat.  If you are a corporate executive or IT administrator you should assume you are being watched and tracked.  The cyber security rules are different when you are on an international trip.  An abundance of caution is needed. 

Read this article and think about how it applies to you.  Should you use burner phones or “dummy” laptops and tablets?  Should you disable wireless LAN capabilities and force only trusted wired connections?  Is the government of the country you are visiting hostile to your company, your industry or your home country? 

There is a balance between paranoia and preparedness when it comes to cyber security and cyber espionage.  Don’t assume the stuff of fiction and movies isn’t in the real world.  As Mark Twain said, “Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't”.

Just a reminder to join us for the ISSA chapter meeting on 2/23.  FBI Special Agent Jordan Loyd will be presenting on the state of information security and an update on some breach investigations here in the Midwest.  Visit http://desmoines.issa.org for more info.  Lunch orders must be placed by 8:30am Monday morning.

Register Here:  http://www.eventbrite.com/e/february-2015-meeting-of-the-des-moines-issa-chapter-tickets-15741556419

For years, CNET had been a trusted source for technology news.  Every technology professional in the mid to late 1990s and early 2000s used CNET for research and downloads of utility software.  Somewhere along the way CNET lost its way.  I won’t go into my thoughts on their reporting of the news.  I only want to caution you on the use of their download section.

Much of the software has additional bloatware, adware, spyware or other “x-ware” type of behavior bundled with it.  This is concerning to me.  I’ve tried to use a few utilities found there only to find tons of other things attempting to install in the background, some of them unannounced.  I don’t like that.

My advice to you is to never again download a piece of software from CNET.  It’s obvious that quality control or review is not a priority.  It’s obvious that they are most interested in advertising or linking revenue.  If you want to gamble that a download from CNET won’t lead to some malware infection be my guest.  That’s a bet I’ll pass on every time.
