Tag Archives: cyber security

Cybersecurity for CEOs: The Game Has Changed

I’m honored and humbled that my colleagues have asked me to join them to speak on a panel, Cybersecurity for CEOs: “The Game Has Changed,” at the Atlanta Georgia World Conference Center, June 21-24, for the National Apartment Association.


Chipotle says payment system was hacked

Unauthorized activity detected from March 24 through April 18

Chipotle Mexican Grill Inc. said on Tuesday that it detected unauthorized activity on its payment system this spring.

The company did not have details about the extent of the hack, and how many restaurants or customers could have been affected. CFO Jack Hartung said during the company’s earnings call on Tuesday that the hack affected the company’s credit card systems from March 24 through April 18.

Hartung said the company immediately began an investigation, working with cyber security firms.

“We believe the actions taken have stopped the unauthorized activity,” he said.

The news put a damper on an otherwise strong first-quarter earnings report for the Denver-based burrito chain.

Chipotle reported 17.8-percent same-store sales growth in the quarter ended March 31, along with improved profit margins. The numbers were unexpectedly positive and led to a spike that at one time put Chipotle’s stock price above $500 a share for the first time since February 2016.

After Chipotle revealed news of the hack, the stock price fell below $480.

Just another day at the office.


DHS Cyber Incident Response Plan Focuses on Infrastructure Risk

The National Cyber Incident Response Plan describes how stakeholders in numerous areas can properly react to cybersecurity threats.

The Department of Homeland Security released a refreshed version of its National Cyber Incident Response Plan (NCIRP), with a strong focus on how the US can react to cybersecurity threats to critical infrastructure.

The NCIRP was previously published on September 30, 2016, with a national engagement period that went until October 31, 2016.

“The NCIRP describes a national approach to dealing with cyber incidents; addresses the important role that the private sector, state and local governments, and multiple federal agencies play in responding to incidents and how the actions of all fit together for an integrated response,” the US Computer Emergency Readiness Team (US-CERT) stated on its website.

Public and private partnerships are critical to address major cybersecurity risks to critical infrastructure, the NCIRP executive summary explains. Furthermore, the plan “sets common doctrine and a strategic framework for national, sector, and individual organization cyber operational plans.”

Several guiding principles outlined in Presidential Policy Directive (PPD)-41 also helped DHS and other agencies create the NCIRP:

  • Shared responsibility
  • Risk-based response
  • Respecting affected entities
  • Unity of governmental effort
  • Enabling restoration and recovery

“While steady-state activities and the development of a common operational picture are key components of the NCIRP, the Plan focuses on building the mechanisms needed to respond to a significant cyber incident,” according to the NCIRP.

The plan also differentiates between a “cyber incident” and a “significant cyber incident.” The former is when the “confidentiality, integrity, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident” are potentially jeopardized.

Significant cyber incidents, on the other hand, are events that potentially result in “demonstrable harm” to national security interests, foreign relations, the US economy, public confidence, civil liberties, or public health and safety.

The DHS Office of Cybersecurity and Communications will also conduct and oversee NCIRP reviews and maintenance in coordination with the DOJ, Office of the Director of National Intelligence, and Sector Specific Agencies.

“The revision process includes developing or updating any documents necessary to carry out capabilities,” the NCIRP explained. “Significant updates to the Plan will be vetted through a public-private senior-level review process.”

The Healthcare Information Management Systems Society (HIMSS) previously commented on the DHS response plan, saying it supported the overall principle of cybersecurity education and readiness being shared responsibilities.

HIMSS did point out that all dimensions of potential cybersecurity threats should be considered. For example, IT infrastructure and assets can exist in terrestrial, sea, air, and space dimensions. The NCIRP should therefore address all dimensions to help create a flexible response plan.

“The complexity of threat and asset response may be significantly compounded, especially when multiple dimensions are in play— including in the private and public sectors (e.g., underwater data centers, undersea Internet cables, satellite communications, and over-the-air communications),” HIMSS wrote to DHS.

HIMSS also said in its October 2016 letter that a better definition of what qualifies as a cyber incident was necessary. Large cyber threats that could potentially impact public health and safety are a top concern for HIMSS, the organization explained. HIMSS said it is already working to ensure that the healthcare industry understands how to properly prepare for such threats.

“As the federal government’s decision to fund two grants for the NH-ISAC indicated, coordination across the healthcare community is becoming increasingly important in the fight against cyberattacks,” the letter stated. “Collaboration with the NH-ISAC and other stakeholders, particularly on threat identification and incident mitigation, will have a significant impact on public health and safety.”


New Post: GoDaddy Support

Hi Subscribers!  Please accept my sincere apology for the above email pushed out to all users recently.  GoDaddy disabled one of my security plugins which allowed unauthorized emails to be posted.

I wish I could write in Latin like that.  It gets me inspired to learn a new language.

I worked with GoDaddy to fix and avoid unnecessary emails being sent to my valuable users.  Thank you for your support and comments.

The Digital Age Blog

Employees: The Weakest Link in Cybersecurity


From day one, we have said that employees are the weakest link in the cybersecurity chain for an organization. In a recent webcast, Michael Gelles and Robert McFadden of Deloitte Consulting LLP highlighted just how big of a threat “insiders” are to an organization’s cybersecurity well-being.

Insider Threats

The term “insider threats” often refers to individuals who use their knowledge of or access to an organization and its systems to deliberately perpetrate wrongdoing, whether fraud, sabotage, theft or a violent act. These individuals may be current or former employees, contractors, or employees of third-party service providers.

However, insider threats are not all the same. There are three types of insider threats:

  • Malicious Insiders: These are the least frequent, but have the potential to cause the most damage due to their insider access. Administrators with privileged identities are especially risky.
  • Exploited Insiders: This refers to employees who may be tricked by external parties into providing sensitive data that shouldn’t be shared.
  • Careless Insiders: The type of insider seen most frequently within an organization. This person may be a new employee who doesn’t know their organization’s policies or an employee who is aware of the organization’s policies but has become complacent about them.

Insider Threat Statistics

In a study titled “The Widespread Risk of Insider Threats,” the following data was collected:

  • 97% of insider threat cases involved an employee whose behavior a supervisor had flagged, but that the organization had failed to follow up on.
  • 92% of insider threat cases were preceded by a negative work event, such as a termination, demotion, or dispute with a supervisor.
  • 90% of IT employees indicate that if they lost their jobs, they’d take sensitive data with them.
  • 59% of employees who leave an organization voluntarily or involuntarily say they take sensitive data with them.
  • 51% of employees involved in an insider threat incident had a history of violating IT security policies leading up to the incident.

Let’s take a moment to review the above statistics. I think it’s safe to say that we are our own worst enemy. There are two trends we can take away from the study. One, we aren’t doing a good enough job (statistics actually show that we aren’t doing this job at all) of monitoring the activity of our employees. With the evident threat of cybersecurity issues being in the limelight as of late, you would think this would be a major priority of managers and high-level executives. However, this leads us to our second trend that we can identify. If an employee has a negative experience at work, such as being flagged for their suspicious work behavior, statistics show that nine out of ten cases could lead to an insider threat occurrence. That has to be an extremely daunting area of concern for managers and executives to analyze. How do you manage your insider threats without unintentionally creating an insider threat?

The Stakes

The stakes of becoming the next big breach in the news are higher than ever. Cybercriminals are making very lucrative careers out of breaching networks and stealing personally identifiable information. As we become an increasingly information-based economy, securing your network and sensitive data is more critical than ever to any organization’s survival. In 2015, it was estimated that 58% of all data security threats came from the extended enterprise (employees, ex-employees, and trusted partners). Statistics also showed that an insider attack costs a company over $400,000 per incident and approximately $15 million in annual losses per company. Some incidents have gone on to cost a company more than $1 billion.


Whether you are dealing with a malicious, exploited or careless insider, they all end with unauthorized users having access to your company’s sensitive data. Below are “12 Steps to Future Proofing Your Internal Security” from IS Decisions:

  1. Educate Users: More training in more innovative, engaging ways, as well as the right technology to grow awareness.
  2. Use Technology: The majority of IT professionals will be spending more on security technology in the near future, with technology and tools being the most common element of any insider threat
  3. Consider Partners & Supply Chains: When we say users, we do not just mean immediate employees. Anyone who has access to your network has to be subject to the same process and restrictions, or there is little point in having them in place.
  4. Include a Post Employment Process: As we can see from the statistics above, this one is extremely important! Ensure that a process is in place that makes sure ex-employees can no longer access the organization’s systems or data as soon as they have ceased employment.
  5. Consult External Sources: Analysts, media, and organizations dedicated to cybersecurity (like WatchPoint) can help you gain an objective view of how to structure your insider threat.
  6. Stay Up-To-Date: The technologies and thinking involved in combating insider threat are evolving as quickly as the threat itself, so it is imperative to stay informed.
  7. Educate Senior Management: Senior-level management should be just as educated as lower level management and employees about insider threats and cybersecurity in general.
  8. Get C-Level Commitment and Buy-In: The commitment to enforcing your policies must go to the top of an organization so that it can be properly enforced at all levels.
  9. Implement Greater User Access Restrictions & Control: The more restrictions there are, the smaller the surface of attack.
  10. Generate User Alerts: Generating alerts is especially useful when a user’s activity triggers suspicious behavior, so users learn to know what is and what isn’t good
  11. Take a Multi-Layered Approach: Biometrics (fingerprints), two-factor authentication, etc. all make it harder (but not impossible) for an unauthorized user to access sensitive data.
  12. Be Transparent – Externally & Internally: A good internal security policy is one that is transparent and properly communicated to all employees. But you should also ensure that you communicate your approach to security externally as well.

Customers are increasingly going to be scrutinizing companies on their approach to security, so it helps to be able to show them that you have the right attitude about keeping their data safe.


5 cyber security mistakes that might make you vulnerable to hackers


Very few of us fall for the old Nigerian prince email scam these days, and even fewer will click on a pop-up ad inviting us to “win $1 million” by playing a simple game. We’ve come a long way in terms of learning the do’s and don’ts of cyber security, but that doesn’t mean our days of online vulnerability are completely behind us.

Over 6 million internet users were attacked by malware in 2015. As we become savvier to the tricks they’ve pulled in the past, hackers begin to up their game by catching us where we least expect it. Although we’d like to assume that all of those users who were attacked in 2015 were prime targets, or perhaps people who are a bit less tech savvy than the rest of us, the fact is that many of them were normal internet browsers like you and me who actually know a thing or two about online safety.

There are additional risks these days, and even some of the tech-savviest internet users create cyber security risks without knowing it. To help avoid online attacks, here is a list of some of the top cyber security mistakes internet users are making in 2016.

1. Storing passwords in a browser

According to a recent survey, 59 percent of millennials store passwords in their browsers on a regular basis. It may be convenient to easily access your most-used accounts without typing in a username and password each time, but it also puts you at serious risk for an online attack.

The first step in keeping your passwords safe is to create a strong password that uses numbers, symbols, and both capital and lower case letters. You’ll also want to use a different password for each site. Once you’ve got a solid password for each of your online accounts, avoid storing them in your browser! If you’re like me and tend to forget things easily, try using a secure password storage system or software such as KeePass, LastPass, Dashlane, 1Password, or RoboForm to keep track of your logins.

2. Purchasing locked devices

Prices for phones, laptops, and tablets can be high these days. The good news is that the market for selling used electronics online is getting bigger and more easily accessible. The bad news is that scammers have begun to use this second-hand marketplace as a means for duping consumers into paying more for devices that they’ve already paid for.

If you’re looking into purchasing a used device online, it will be important to ensure that it is unlocked. There will be different processes for checking iOS and Android devices.

For iOS devices, you’ll also need to ensure that the former user’s iCloud account is taken off of your device. If it’s not, you’ll need to take the necessary steps to remove their account from your device before they have a chance to lock the phone.

3. Connecting to unencrypted Wi-Fi networks

The ability to hop onto free Wi-Fi at your local coffee shop or the university library sure does make working on projects or simply browsing much easier on the go. The problem is, hackers are starting to take advantage of society’s reliance upon public Wi-Fi connections.

Do your best to avoid Wi-Fi connections that don’t have password protection when you’re out and about. Checking for the password of the official Wi-Fi at your location of choice will also help you avoid logging into a network set up by hackers looking to view your online activity.

To be extra secure on public Wi-Fi, stick to HTTPS sites while you’re browsing and look into using a virtual private network. It’s also best to avoid installing new software while using a public Wi-Fi network.

4. Ignoring security software updates

We’re all guilty of clicking out of software update notifications when they pop up on our screens. Although taking a few minutes to update your device’s security software may seem like a burden in the middle of a big project, it will be worth your while when it prevents an online attacker from installing malware on your device.

Be sure to install security software updates each time you receive a notification. If you’re connected to a public Wi-Fi network or really don’t have the time to do it when the notification pops up, set a reminder to install the new software later. The longer your device runs without up-to-speed security software, the more vulnerable you become to cyber security breaches.

5. Clicking on links in emails

Most of us receive emails from banks, utility companies, and other organizations with links to view account activity online. Although these are typically from a trusted source, you can never be too sure. A well-written email from a seemingly credible source could send you a link that installs malware on your device when clicked.

Next time you receive a link in an email, leave your email account and look for the actual site in your browser to avoid clicking on a malicious link. For example, even if the link goes to your bank of choice, it’s best to leave your account and log in through a trusted portal.

Have you been making any of these common cyber security errors? If so, it’s about time to take action and implement the provided tips to protect yourself from online attacks.

Share your experiences in the comment section.