We Were Hacked!

Verizon’s Data Breach Investigations Report

Each year Verizon releases a report summarizing IT security breaches and across multiple industries. The Data Breach Investigation Report, is well written, easily readable, and free to download.

Below are several highlights and our additional guidance.

“74% of all breaches include the human element” – In other words, user actions are fully or partly responsible for 3 out of 4 security breaches. The attack surface of a multinational organization is considerably different from a home user, but both are fair game for bad guys. Review your particular threat model and implement baseline security controls appropriate for your environment.

“Three primary ways attackers access organizations are stolen credentials, phishing, and exploitation of vulnerabilities” – Use two-factor authentication wherever possible. Don’t respond to emails from people you don’t know. Never provide your username and password via phone, email or text message; even if you know the company. (Microsoft will NEVER send an email or phone call requesting your sign-in credentials.) Apply all security updates and patches to your computer, phone, and tablet on a monthly basis.

“The top vector for attackers to obtain credentials, implement a phishing attack, or exploit vulnerabilities is via web applications.” – Basically, the web browser is the primary way for an attacker to gain access to your system. We’re not here to tell you what browser to use. Whatever browser you use, install these two extensions, Privacy Badger and uBlock Origin. Also be sure to clear your browser cache frequently.

“The median click rate for email phishing campaigns is 5.8%” – A random email sent to 100 email addresses, will be opened by 6 people ! If you don’t know the person, delete the email. If the message is truly important, the sender will find a way to reach you.

“Devices and media are still more likely to be lost by internal actors than stolen by external ones.”– 80% of mobile devices are lost, not stolen.

“We’re too small, no one wants our data.” – If I’m a bad guy, do I spend my time trying to hack large companies with armies of super smart IT folks deploying robust security techniques and procedures? My time is better spent on small and midsize organizations with minimal IT staff and who usually don’t understand the value of their data. To paraphrase Jeff Foxworthy, “You know you’re a risk if the security plan consists of enabling Comcast’s firewall, copying QuickBooks company files to a USB drive, and taping passwords to the bottom of the keyboard .”

Just Delete It

The FBI, Microsoft, and Google Will Never Call Or eMail You

This is a nicely done single page computer security refresher from the FBI.


Of particular interest is the note in the lower right:

Note: The FBI does not send mass emails to private citizens about cyber scams. If you received an email that claims to be from the FBI Director or other top official, it is most likely a scam.

Replace FBI in that note with ‘Apple’, ‘Dell’, ‘Microsoft’, ‘Google’, etc., and it still holds true. Those companies will never contact you directly via email, browser pop-up, phone, text, carrier pigeon, etc., regarding a security issue. If you think they are contacting you directly with a legitimate communication, they aren’t. Please delete the email, don’t take the phone call, and dismiss the browser popup.

IT Axioms

Things I’ve learned in 30 years of IT

  • User convenience wins over IT security
  • Security and compliance are not the same
  • Security and privacy are not the same
  • Authentication and authorization are not the same
  • Trust and verification are not the same
  • If you have ‘nothing to hide’, you have everything to lose
  • Build a 10 foot security wall and users buy a 12 foot ladder
  • A backup is as good as the last tested restore
  • To understand how a decision is made, follow the money
  • Don’t confuse activity with productivity
  • If a user says something isn’t important…it is
  • A missing $50 cable can delay a $1M project…details matter
  • Complex projects take 2x the time of the estimate
  • Technical debt is easy to add and difficult to remove
  • A software sprint is anything but
  • MDM solutions don’t find 10% of your devices
  • Customers don’t pay for documentation
  • If every user is special…no one is
  • If everything is urgent…nothing is
  • Important and urgent are not synonyms
  • An end user problem is not my emergency
  • This will only take a minute…won’t
  • Anyone claiming 100% compliance…won’t pass an audit
  • If you can’t measure it…you probably don’t understand it
  • Complex IT system fail gradually…then suddenly
  • Managing people is convincing you my emergency is yours
  • Work-Life balance does not apply at end of quarter
  • If you have a quota…the number is the number
  • No good deed goes unpunished
  • A manager who is ‘here to help’…isn’t
  • A feature and a bug are all about perspective
  • Your initial project estimate is a client’s final price
  • In a training class of smart IT people…sit next to the quiet one
  • Junior IT people…mouth shut and ears open
  • Smart IT people sit in the back of the room
  • Open source is free…unless you’re the maintainer