The unfortunate reality is that many of us see that little lock icon or that “https” in our browser and we assume that our communications from that point on are secure. We’re comfortable performing bank transactions, logging into our favorite social networking site, or sending that personal email that we really don’t want anyone else seeing because we’re confident that no one else can see what we’re doing. As those of us in the infosec industry have known for a long time, however, you couldn’t be more wrong.

There are some very common, and in some cases very old, methods for subverting SSL and snooping on your communications. Today we learn from The Trustworthy Internet Movement that 90% of SSL “secured” sites are vulnerable to these attacks.

This goes to further underscore that we should all be practicing the age-old (and now cliched) principle of ‘Defense in Depth’, as well as assuming that everything that you do on the Internet can be spied on. This shouldn’t preclude you from engaging in sensitive activity online (does the fact that the waitress can copy your credit card information stop you from handing it over when you’re paying for a meal?). Rather, it underscores the fact that we must all be aware of the risks associated with the activities that we engage in, and understand that there is no silver bullet security measure protecting us.

It is also noteworthy to point out that the number of “unique malware variants” has now exceeded 400 million. Due to the burgeoning growth in smartphones and tablets, the susceptibility to data loss is a ubiquitous and constant problem.

With all of these data loss concerns, it’s more important than ever to have the most up-to-date security risk management. For a better idea of your information security, take our risk-free Security Assessment.

As I mentioned above, the primary failure in a situation where an organization is breached and the resulting event is seen as a catastrophic failure is in strategy and planning.  Failing to account for a breach in your strategic information security and risk management planning is a failure all in itself.  It’s at very least arrogant to think you can ever reach some mythical state absolute security in your organization, and in many situations it’s irresponsible.

Take his point to heart – a proper incident response plan can ensure that when a data breach does occur, you are responding in a methodical, practiced way instead of the chaotic responses that we see far too often.  It is the difference between containing an incident quickly and professionally, or having a minor incident turn into a catastrophic one due to the lack of a well-thought plan.

I would be remiss if I didn’t also pass along Rafal’s seven steps to make sure you’re prepared:

1. There are no absolutes – what you’re providing is a level of risk reduction to an agreeable, acceptable level for the task
2. Define tolerances to failure- make sure you’ve clearly defined your tolerances for everything from downtime, to security incidents to understand clearly when a failure happens
3. Strategies embrace failure – a good security & risk strategy embraces failure as one of the realistic outcomes, and plans for it, providing a pre-defined next-step in those failure cases
4. Define failure modes – incidents and breaches happen, but they’re not all created equal – make sure you have this pre-defined before you find yourself in the middle of a failure mode asking “how do we explain how bad it is?”
5. Define a recovery – when planning for a potential failure scenario define clearly what your steps are to recover from the various failure modes you’ve already defined, and execute
6. Test recovery methods – there is nothing worse than having a well-defined plan for recovery that you find out is non-workable in the heat of the moment – test, test, test and validate your strategic recovery methods
7. Validate sentiment – make sure that what you consider acceptable and reasonable, and a sound strategy which includes failure is acceptable by those that matter to you, namely customers, investors and the public

We all know that data breaches are bad for business.  It is also obvious that a breach can affect a company’s reputation, and they cost a lot of money for the organization to manage—$5.5 million according to a 2011 study.

So what don’t we know?  The simple fact that the bad guys are NOT going to ever stop.  Why is that? It’s because you have what makes them an incredible amount of money—DATA.  Forget about HIPAA, GLB and all the other acronyms, the value of the data bought and sold today is HUGE.  So, if we cannot stop the bad guys why attend the conference?  You attend because as an IT security professional you have a fiduciary responsibility to protect your employees’ and clients’ data.  As that professional, you are the one who stands in the face of cyber-criminals and says, “NO I will not allow you to win and—short of giving my life—I will do whatever it takes to beat you.”

The theft of data is no Saturday Night Live skit.  It is the difference between survival and failure.  Today’s aggressive attempts to attack companies’ information systems continue to grow not only in quantity but also in level of sophistication. IT professionals need the latest solutions, and an understanding of the practical, real-world processes that can be implemented to successfully protect companies and stay ahead of the threats.

Learn more about The 2012 Annual Information Security Conference and register to learn about the latest ways companies can protect their data from enterprise and insider threats.

Since the release of Verizon’s 2012 Data Breach Investigations Report, I can’t help but thinking that in most cases it’s not IT that will keep users safe, it’s a combination of management and best practices. The Verizon report revealed that 97% of data breaches evaluated by the telecom giant in 2011 were avoidable and did not require hackers to possess special skills, resources or customization. And it found that the majority (30% of breaches, impacting 84% of records breached) was the result of stolen login credentials.

Brian’s point, and the one that I make frequently, is that security today is much more about the processes and practices in place in your organization than it is about the technology in place. Today’s modern technology environments likely come with everything necessary to prevent the vast majority of attacks that you’re likely to see. Heck, the wireless router you pick up at your local big box store likely has firewall, IDS, and IPS technology built into it for less than $50.

So what differentiates the people that are compromised from those that aren’t? Process. Organizations that have processes that are backed up by policies and are built based on best practices are using the technology in ways that keep them safe.

This isn’t to say that you’re 100% safe if you have good processes and practices – there’s always the chance that there is someone out there determined enough to try to get in, and a determined enemy is your worst enemy. However, based on the data that we have, good policies and best practices will go a long way toward keeping you safe.

If you’re not sure if you have the right policies and best practices in place, take a moment and take our risk-free Security Survey.

Unfortunately, being victimized by malware or a virus today often times means much more than just frustration and lost data.  Today, those with malicious intent are able to use those infected machines as part of a distributed network of attackers.  These sophisticated Distributed Denial of Service (DDoS) attacks aren’t new – but they’re gaining in prevalence and popularity.

The number of denial-of-service attacks in the first quarter of 2012 grew 25 percent compared with the same period of 2011, and was nearly equal to the number in the last three months of last year. Not only has the number of DDoS attacks not dropped from its seasonal high, but the volume of junk traffic being created by them has spiked dramatically—the company reports that it has fended off more malicious traffic in the first three months of 2012 than it did in all of 2011—9.5 petabytes of raw data, and 408 trillion network packets.

It’s important to understand the risks and liability involved so that you can ensure that your security strategy includes tools and tactics for not only detecting malware, but for detecting rogue machines on your network that may be infected and engaging in these types of attacks.

If you’re not sure if your security posture is sound or you think you should be doing more, take a moment and take our risk-free Security Survey.

Angie, however, stuck to her belief and, in fact, paid her own way to the NAID conference that year because I told her that I didn’t see the ROI and couldn’t justify sending her. At that time, in April of 2002, there were no electronic members of NAID and she was a true trailblazer, even coming up with the industry’s vernacular, “Digital Data Destruction.”

Angie was also the thought leader a decade ago in what has become a global industry. In addition to inventing her own hardware and software for simultaneous hard drive wiping, Angie also shared her insights and became an educator and spokeswoman for the importance of digital data security. Along the way, she headed the NAID Rules Committee for Digital Data Destruction Certification. So many of the terms that she coined have become part of the industry’s lexicon that sometimes I forget that she was the first to use those terms! Angie created many of the standards and protocols here at Reclamere that are now followed nationally.

When I implored her to keep that information to herself to protect it as a trade secret or a strategic advantage, Angie was determined to be an educator and enlighten document destruction companies. I continue to learn from Angie’s generosity and what we do and how we help others is defined by it. I feel so fortunate to be her business partner. The 30 families that draw a livelihood from Reclamere are truly blessed to be working for a company that Angie and Joe Harford lead. Congrats and well done!

NAID is an international trade association for companies that specialize in data destruction.  From their web site: “NAID’s mission is to promote the information destruction industry and the standards and ethics of its member companies.”

“This is an important day for me and for the company that I helped to found,” explained Keating.  “NAID is such a vital part of ensuring that the data destruction industry adheres to a strict code of ethics and employs processes that ensure that client data is destroyed in an effective manner.  In the 21^st century, nothing is more important to a company than its data, and NAID’s mission is to make sure that those of us in the industry responsible for destroying that data at the end of its life are doing so in a manner that is consistent, verifiable, and effective.”

“I consider it a great honor to be elected to their Board of Directors,” Angie continued.  “Reclamere has been a NAID member company for 10 years, and as the first IT asset management company to join, this is a partnership that we have always valued and promoted.  I look forward to being able to continue to bring awareness of NAID, to expand membership, and to taking a leadership role in the on-going effort to improve the data destruction industry.”

Angie will serve a two-year term.

About Reclamere

Established in 2001, Reclamere, Inc. is a leader in Data Security and IT Asset Management.  Headquartered in Tyrone, Pennsylvania, the firm specializes in secure data destruction, incident response and risk management, as well as a variety of other proactive and reactive services targeted at securing data throughout its entire life cycle.  For more about the firm, visitwww.Reclamere.com.

###

Facebook has taken a stand against what it calls a “distressing increase” in reports of employers demanding the Facebook passwords of employees and job applicants. One such report came from the Associated Press this week, which detailed cases of interviewers asking applicants for Facebook usernames and passwords, a clear invasion of privacy if we’ve ever heard of one. Employers examining applicants’ and employees’ activity on social media networks isn’t new—but typically it is restricted to what information users have made publicly available to everyone. Facebook said it could seek policy changes or file lawsuits to prevent employers from demanding passwords.

Employer access to employee data has always been a contentious issue, and many are arguing that requesting social media credentials is taking things too far.  It is always important to note, however, that employers can and will use any means at their disposal to attempt to vet potential and current employees – it only makes good business sense. No matter how this issue pans out, examples like this one serve to further emphasize the fact that we should all be cautious about what information we are posting online.

What are your thoughts?  Should employers be able to request your social networking credentials?

The question is, how does a company grow to be a verb?  Well, quite simply put – you never settle for delivering second best, you deliver on every promise, you own and make right every mistake, and without exception you stay the course.  The business world is not an easy place to be or to compete.  If it was easy, we would all own a business.  It is a world where you can make a difference, create value and live a wonderful life.  Reclamere has chosen that path and I am proud to be part of its past, current state and hopefully its future.

So when I ask clients what they do with computer equipment and data, they tell me – “We have it Reclamered.”