Attacks of All Sizes

The news media, as well as the people I talk with, usually focus on the large-scale attacks.  They are aware from the news that Home Depot, Target, and P.F. Chang's were breached and that credit card data is at risk.  These attacks are worth making public to raise awareness, although, as I previously wrote, that does little to change behavior.

What people often don't think about is the fact that your local hardware store, grocery, and Chinese restaurant are not necessarily safe.  They could also be the target of a smaller-scale attack.  They are just too small to be discussed on Fox News and CNBC.  Attacks on businesses of this size often go unreported and undocumented.

So my question for any organization out there: did you spend more money on security than Home Depot, Target, or P.F. Chang's?  Why would you be safe and not them?  The malware used for these larger attacks was tested somewhere on a small scale first.

Thinking About Security at Retail

I found myself in a very familiar place this weekend.  The same place I find myself most weekends to purchase this or that.  The same place I have spent a good deal of money at over the years: Home Depot.  I went in to take my kids to the regular building event they have on the first Saturday of the month.  While there I was thinking about a few things I needed to grab: WD-40, a GFCI receptacle to fix that issue in the garage, and some wood for my son to further develop his handyman skills.  Right before we checked out I looked at my wife and said, "Oh crap, they were just hacked."  We then had to decide if we would complete our purchase or leave and go to Lowe's, which is right across the street and happens to carry the exact same stuff at the same or similar prices.

This is not the decision you want your clients contemplating about your brand.  It is hard enough to get a client in the door.  Once they get there you have to make sure the environment is right, you have the right products on the shelves, the staff is friendly and helpful, and the experience is an easy one.  You can work for years perfecting your brand and the client experience; however, hackers don't care.  In fact, they look for companies who have done just those things so they can take advantage of you.

We live in a new and complex world where cyber security is as important as brand marketing.  We could solve the threat of credit card theft by all switching to cash, but we know that isn't about to happen.  So what is your cyber security plan?

Franchises and Reputation

There are reports from the financial industry that Dairy Queen may be the latest company to be the victim of cybercrime.  DQ says that they have no reports of this; however, most of their stores are franchises and there is no established process in place to report a security breach.  So it is possible several of the franchises are the source of this activity by thieves.

This story demonstrates a problem with national or franchise brands.  If the above story ends up being true, the franchisee will not be named in the headline of the story; rather, the parent company Dairy Queen will be, even though they were not directly responsible in this case.

I am not trying to call out DQ specifically; rather, I think this demonstrates an issue with franchises.  If I go to a McDonald's in Orangeburg, SC and get a bad meal, I say that McDonald's was terrible, not the local guy who owns it.  It may change my opinion of the whole company.  I went to an Applebee's years ago and they gave my son moldy applesauce; we have not been to another Applebee's since.  You remember the experience you had with the parent brand, not the franchise.

You have to control your brand, whether it is in food, hotels, coffee, or security.  Your brand's name is on the line.  Starbucks does not franchise for this very reason; they want to protect their quality.  If you are a franchisor, you have to establish clear security practices and subject each office to an assessment as part of the agreement.  The requirements for security need to come from the top down.  IT security is as important as any other area of the business, as a breach will be very costly.

Rescue From CryptoLocker

For about a year now CryptoLocker has caused chaos in the computer world.  This particular piece of malware, once installed, encrypts your personal files and demands a ransom to unlock them.  Users were faced with the decision to pay the ransom, restore from a backup, or lose the data.

Our team has worked to implement security measures to aid in the prevention of this infection.  Now, two security firms have teamed up and have figured out how to decrypt the data affected by this malware.  Users can go to the site, enter their email address, and send them one of the encrypted files.  The site will then send you a program that can decrypt the data.  This service is free for anyone who needs to unlock their data.

Not Responsible for Lost or Stolen Items

Have you ever walked into a hotel or your local gym and seen a sign that reads "Not Responsible for Lost or Stolen Items"? Businesses post these signs as a way to reduce their liability. By posting the signs, the argument can be made that they warned you and you chose to proceed with staying at that establishment, therefore making you the negligent one. That logic has a fundamental flaw, however.

Having a sign that says they aren't responsible is not enough and does not let them off the hook. Proper steps still have to be taken to ensure the security of the guests. Working locks, security guards, security cameras, etc. all have to be installed and working. If you can prove negligence, the hotel is very much on the hook for the damages. The sign should actually read "We have taken all necessary precautions into account and diligently tested all of our security and locks to ensure proper working order. We ask that you use these items in the proper way. If you choose not to use them as designed, you will be responsible for any loss."

Physical security is more straightforward than cyber-security. A security guard can patrol, test access, and verify nothing suspicious is happening. If he sees something out of the ordinary he can immediately take action and resolve the situation. Cyber-security is more nebulous. There are many ways into a business through everyday usage, rather than a single point of entry: firewalls left with open holes, browsers not updated, users willing to give away personal data. The list goes on.

So when I get to my next hotel and hop on the free wireless internet, I most likely will be presented with a terms and conditions page that will basically say "Don't use this for anything illegal, and whatever you do will be your responsibility. We just provide the access." That is not the case though. A hotel has a fiduciary responsibility to secure the wireless. They let me know when I booked my hotel that internet was included. Therefore they made it a selling point and a reason for me to stay at the hotel. They made it part of the transaction. What steps have they taken to ensure my safety? Is the wireless set up for isolation mode? When was it last tested? What is the name of the firm that tested the security?

If I were to make a reservation at the Bates Motel and they let me know there was a psycho working there and I chose to stay, it would be my fault. But if they advertise a safe room with a soft bed, television, and showers, anything that deviates from that plan violates our mutual agreement.

Free wi-fi is great, and offering it to your guests adds value. But a responsibility goes along with it.

Password Confusion

Recently a software leader published an article that discussed the possibility that shorter passwords might be better than longer ones. This goes directly against all previous research showing that longer passwords are the key to user security online.

I believe this just adds to the confusion users experience when trying to be more secure. It can also confuse the argument when businesses are considering what their password policies should be.

I think this is an example of someone trying to get noticed by coming up with an off-the-wall idea to get attention. In a world where some people want to be noticed by publishing their every move on Twitter, making their pictures public on Facebook, and cluttering the internet with videos of anything and everything, this isn't a real surprise. The advice amounts to reducing your security and making access easier.

Businesses need to ignore this type of advice and focus on best practices for security. Access to corporate networks should never rely on a single password; rather, two-factor authentication needs to be deployed. Hard drives should be encrypted to deter theft and minimize the impact when a theft occurs. Wireless networks need to use the strongest standards possible, and time should be taken to test their security.

I remember in the not too distant past when a prospect I was meeting with told me that if they were to purchase a firewall it would only get the attention of a hacker, so they chose not to purchase one. This was the advice of their IT professional.

Disney and Fingerprints

I have written on this topic before, but fresh from a week in Orlando, it has renewed my aggravation.

While attempting to enter Disney World this week we were once again asked for our fingerprints. We refused, of course, but while entering one park we were told we could not enter without giving up our fingerprints. Only after a supervisor heard this did they let us in.

Do they not realize that our fingerprints are our identity? The only thing in this world that is all mine. Names, social security numbers, addresses, and credit cards can all be changed. But not my DNA; I am stuck with it. Why would I want to turn that over? Newsflash: Disney security is not safe. No company is 100% secure, and the fact that they even ask for this information bothers me. They are asking us to trust them with our identity. Here is a brief flow chart of how the transaction to enter Disney works, to better demonstrate this.

Step 1 – Tickets Purchased at Gate with Credit Card – They now have my name, credit card, CVV code, and zip code.
Step 2 – Enter Park – A Disney employee asks for the ticket I purchased in step one, then asks for my fingerprint to tie it to my ticket in a database.
Step 3 – Tie Ticket to Mobile App on Phone

These steps take about 5 minutes from start to finish. Here is what Disney now has on me:

1. Name
2. Zip Code
3. Credit Card
4. Strip Data
5. CVV Code
6. Fingerprint
7. Mobile Phone Access

This is just absurd. Many unsuspecting tourists perform this same routine daily. I am afraid that one morning I will read Krebs and learn that this database has been stolen. Can you imagine the fallout on that one?
