As retailers continue to search for ways to reduce costs in order to stay competitive, while at the same time raising wages in response to political and societal pressures, shrinkage is an area ripe for revenue recovery opportunities. Recent National Retail Security Surveys and 2014’s Global Retail Theft Barometer Study estimate the cost of shrinkage to US retailers in the range of $42-44 billion annually (depending on which survey’s numbers you go with). Theft by associates and customers accounts for 75-80% of those losses, well over $30 billion annually. The remaining 20-25% is caused by administrative errors, damage to inventory, vendor fraud and other miscellaneous issues.
Systems Alliance Blog
On Wednesday, the New York Stock Exchange was down for nearly four hours. As soon as trading was halted, speculation began to fly that the outage was the result of the exchange being hacked.
Reality turned out to be a little less interesting. NYSE realized that a botched software update was causing major glitches across its trading systems. Although this was a very high profile outage, it is commendable that NYSE’s IT staff was able to recognize the problem and roll the change back. This is a great example of how IT Change Management should be applied.
Not Every Outage Involves Hackers
With all the attention on cyber security, it’s easy to forget that human error and a lack of good IT governance are far more likely to cause an outage than malicious actors are.
Shooting yourself in the foot is a lot more embarrassing than getting hacked – especially since it can be avoided.
According to the Visible Ops Handbook from the IT Process Institute, "80% of unplanned outages are due to ill-planned changes made by administrators ("operations staff") or developers." ITPI dives further into these self-inflicted, unplanned outages, noting that the majority of the time to restore services is spent figuring out exactly what changed, because of a lack of effective Change Management.
Change Management Isn’t a Bad Thing
Many IT professionals have a very negative view of Change Management and ITSM frameworks like ITIL. They see them as administrative and bureaucratic burdens that prevent “real work” from being done.
Those true believers who feel you have to implement every piece of the gospel according to ITIL aren’t helping the cause either. It is unrealistic to go from an undisciplined environment to having every ITIL process fully realized overnight.
Always remember that the Change Management process is there to reduce risk and ensure changes are well thought out. It can be as simple as making everyone agree to write down and discuss their changes and preventing unauthorized changes.
IT “Cowboys” Are Symptoms of a Bigger Problem
Small IT shops without mature IT processes often have one key staffer that keeps all the lights on. They eschew documentation and fix things based on their gut feelings. They’ve always got a magic bullet ready to restore services when the worst case scenario happens.
“Cowboys” in IT have had a good run but it is past time to send them packing. Not only do they often cause the very outages they’re fixing through human error, they tend to keep knowledge to themselves which prevents new staff from learning your systems and grinds troubleshooting to a halt when they’re unavailable.
It is an unacceptable risk to let critical production systems be run by cowboys who make changes outside of the Change Management process. The presence of cowboys is a symptom of poor IT governance where the organization is operating without a plan.
Write it Down!
Documentation is one area where many IT shops struggle. They don’t write down policies and procedures. They don’t keep their configuration information readily available and up to date. They find themselves flailing about when an outage happens because they don’t have any reference materials handy.
You’re going to have a computer security incident. Whether it’s a virus, a compromised website, or a full-on system compromise, you’ll eventually be forced to react to a security incident in your computing environment. When you find yourself dealing with an incident, you don’t want to be left scrambling. That’s why it’s important to be prepared with an incident response plan.
The New York Times reported yesterday that the FBI is actively investigating the front office of the St. Louis Cardinals for illegally accessing a rival team’s computer system. While this must be the strangest sports scandal since Deflategate, it is also the most high profile case of “high tech” corporate espionage that doesn’t involve a nation state actor.
Per the NYT, “the intrusion did not appear to be sophisticated” according to law enforcement officials. The Astros executive whose credentials were compromised previously worked for the Cardinals. Cardinals staff allegedly used his old password to get into a new system that he built in Houston.
This incident provides a number of lessons learned. The most obvious is to never commit a federal crime from your home computer unless you are interested in taking an all-inclusive vacation at the nearest federal detention center. Here are 3 more you should think about:
1. NEVER REUSE A PASSWORD
If you use the same password more than once and it gets compromised, the damage can be substantially worse. Let’s imagine a scenario where a hacker gets access to one of your accounts. That’s bad but at least it is contained to that website or application.
Now let’s say that your password is the same on every other system you use. Exploiting passwords stolen from one site against others is a very common practice amongst cyber criminals. Now your bank, online brokerage, social media accounts, luggage, etc. are compromised too.
Now let’s imagine a worse scenario. One of your employees just had their accounts broken into and they are now busy picking up the pieces. According to a 2014 study, “one in five Americans reuses the same username and password across their personal and business accounts”. That same study revealed that “73% of US Full-time workers admit to reusing the same batch of passwords online”. You probably are not feeling lucky right now.
2. ALWAYS CHANGE THE DEFAULT CREDENTIALS
According to media accounts, the database built for the Astros was designed by the same executive and was substantially similar to that of the Cardinals. Although the credentials used to break into the system were the executive’s old passwords, they were known outside the organization, which makes this analogous to leaving the vendor’s default password configured.
What’s the last piece of equipment you bought for your IT department? A quick Google search will reveal the vendor’s username and password to anyone with an internet connection. If you put it online and never changed that password, you are taking an enormous risk. According to a 2013 Verizon study “about 90 percent of successful breaches analyzed by Verizon started with a weak or default password, or a stolen and reused credential”. Changing those defaults is common sense.
The same goes for those logon passwords the IT department gives you. Do you really think that they haven’t used the same “P@ssw0rd2015” for the last 20 people who asked for a reset?
3. BE AWARE OF INSIDER THREATS
While many data breaches come from outside, insiders can be just as dangerous. People who know you and your systems probably understand their weaknesses. In the baseball hacking scandal, it was allegedly paranoid and vengeful ex-colleagues who broke the system. In a more famous case, it was an employee motivated by political views who leaked sensitive data.
Insider threats also include outside parties that steal credentials held by privileged individuals like your IT administrators and executives. Making sure that they are aware of how to protect their credentials is critical. The days of CEOs having passwords written on post-it notes must stop. Ensuring compliance with your IT policies and procedures is arguably more important for privileged users than it is for rank and file employees because their access to sensitive data is often greater.
The best defenses against insider threats are common sense best practices. That includes a logical separation of duties and insisting that network activity is logged and audited. Fewer than 60% of organizations are doing this today but it has been identified as a key behavior in quickly identifying malicious activity.
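As an added illustration of the logging-and-audit control described above (example code, not from the original post or from SAI): a small audit that checks authentication events against a roster of accounts whose holders have left, so that a login with a former colleague's credentials, the pattern alleged in the Cardinals case, shows up immediately rather than months later. The log format, the roster and the events are all constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed roster (hypothetical): account -> date its access should have been revoked.
DEPARTED = {"jdoe": datetime(2015, 1, 15)}

# Constructed log format for this example; a real deployment parses its own sources.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<result>ACCEPT|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample events, not a real capture.
SAMPLE_LOG = """\
2015-03-01T09:12:00 ACCEPT user=asmith src=10.0.0.12
2015-03-01T09:15:30 FAIL user=jdoe src=203.0.113.7
2015-03-01T09:15:41 ACCEPT user=jdoe src=203.0.113.7
2015-03-01T10:02:00 ACCEPT user=asmith src=10.0.0.12
malformed line that the parser must skip rather than crash on
"""


def parse_line(line):
    """Return a dict for a well-formed event, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def audit(lines, departed=DEPARTED, grace=timedelta(days=0)):
    """Flag events for accounts whose holder left before the event happened.

    An ACCEPT after the revocation date means offboarding failed and the old
    credentials still work; a FAIL means someone is trying them.
    """
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        cutoff = departed.get(ev["user"])
        if cutoff is None or ev["ts"] <= cutoff + grace:
            continue  # account still active, or inside the grace period
        severity = "revocation-failed" if ev["result"] == "ACCEPT" else "attempt"
        findings.append({**ev, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f["severity"], f["user"], f["src"], f["ts"].isoformat())
```

Run against the sample, the audit reports one attempt and one successful login for the departed account; the successful one is the finding that should page someone, because it proves the credentials were never revoked.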
They Are Called “Best Practices” For a Reason
Jumping back to the baseball hacking scandal, the Houston Astros appear to be the second dumbest team in baseball, rivaled only by the team that “hacked” them, the St. Louis Cardinals. As Deadspin so blithely pointed out, “What makes the St. Louis Cardinals hacking scandal really great, aside from the fact that it involves the St. Louis Cardinals, is that it could not have happened if everyone involved hadn’t acted as stupidly as possible.”
If you’re reading this and aren’t sure about your organization’s IT security practices, maybe now is the time to start asking questions and reduce your risk exposure to avoidable problems.
Not sure where to get started? SAI can help.
Wondering what to do if you find yourself having to deal with a data breach? Stand by for our next post from SAI’s CTO Josh Crone.
IT security has become a major concern for most organizations. Previously confined to the server room, high profile breaches and their hugely expensive consequences have catapulted these concerns into the boardroom. No one wants to see their name in headlines alongside Home Depot, Target, and Sony. The average cost of a data breach is estimated at $3.8 million and it keeps climbing.