Improving security on the ‘Internet of Things’

Mark Stanislav’s title is “Security Evangelist.” Online Tech has previously provided him a virtual pulpit from which to preach and his barnstorming tour continued last week in Las Vegas, where he spoke at the recently concluded DEF CON 22 Hacker Conference.

Stanislav and Duo Security colleague Zach Lanier presented “The Internet of Fails: Where IoT Has Gone Wrong and How We’re Making it Right,” described as a dive into research, outcomes and recommendations regarding information security for the “Internet of Things,” or IoT.

IoT refers to the interconnection of computing devices – everything from heart monitor implants to remote home thermostats – that transfer data without human-to-human or human-to-computer interaction. Essentially, anything that can be assigned an IP address and given the ability to transfer data over a network is part of the IoT.

Last year, Stanislav co-hosted two sessions in a three-part Online Tech webinar series on encryption, participating in both the Encryption at the Software Level and Encryption at the Hardware and Storage Level presentations.

In Las Vegas, Stanislav and Lanier’s presentation was about the rapid – and sometimes haphazard – growth of the IoT and the security risks associated with it. ABI Research estimates 30 billion devices connected to IoT by 2020.

The presentation drew the interest of the folks at Dark Reading, who featured the duo’s new security resource, BuildItSecure.ly, which was launched in February. After struggling to approach smaller technology vendors about bugs and to handle coordinated disclosure, Stanislav and Lanier decided to change the process and dialogue into one that is inclusive, friendly and researcher-centric.

The loose organization of security-minded vendors, partners and researchers is focusing on “improving information security for bootstrapped/crowd-funded IoT products and platforms” that may be tempted to choose a quick launch and profits over security.

When launched at BSides San Francisco earlier this year, the mission of BuildItSecure.ly was defined as:

Provide the information, resources, guidance, and community necessary to help small commercial and independent developers, makers, and inventors of hyperconnected, pervasive computing devices make security-conscious design decisions. Additionally, incentivize independent security research and reporting/coordinated disclosure of vulnerabilities/flaws in those very same devices.

Five more researchers have joined the Duo Security colleagues to populate BuildItSecure.ly with links to presentations and technical guidance on web application security, mobile application security, cloud security, network security and industry standards.

“All the researchers basically are doing this — one, because they want to help some people; two, because they are getting research done and not being sued for it,” Stanislav told Dark Reading. “They already have opt-in from these vendors.”

“We’re going to have researchers looking at pre-production hardware, doing assessments against them… and actually making the device better before they go to people’s hands rather than after.”

Vendors, researchers and content creators are encouraged to get involved with BuildItSecure.ly’s efforts to enhance IoT security.


Related content:
Mobile Security: Are Most Apps Safe?
Webinar: Encryption at the Software Level
Webinar: Encryption at the Hardware and Storage Level


Resources:
Dark Reading: Small IoT Firms Get a Security Assist
Duo Security: BSides San Francisco: Announcing BuildItSecure.ly

Posted in Cloud Computing, Mobile Security

Russian hackers steal more than 1 billion passwords in record-breaking data breach

Hold Security, a firm credited with uncovering significant data breaches – such as the one at Adobe Systems in October 2013 – has uncovered a record-breaking hack of 1.2 billion usernames and passwords from multiple websites.

From the Hold Security website:

After more than seven months of research, Hold Security identified a Russian cyber gang which is currently in possession of the largest cache of stolen data. While the gang did not have a name, we dubbed it “CyberVor” (“vor” meaning “thief” in Russian).

The CyberVor gang amassed over 4.5 billion records, mostly consisting of stolen credentials. 1.2 billion of these credentials appear to be unique, belonging to over half a billion e-mail addresses. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites.

Hold Security is not naming the victims – made up of large and small sites from industries across the world – because of non-disclosure agreements and a reluctance to publicize companies that may remain vulnerable.

The New York Times has reported that it asked another security expert to analyze the database of stolen credentials and it has been confirmed as authentic. Another computer crime expert told The New York Times that some “big companies” are aware that their records are among the stolen information.

Hold Security explains how the theft played out:

Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks (a large group of virus-infected computers controlled by one criminal system). These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited. The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone. The CyberVors used these vulnerabilities to steal data from these sites’ databases. To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e-mails and passwords.

The San Jose Mercury News notes the scale of this attack – combined with multiple recent reports of cyber assaults – “raises significant questions about the security practices of thousands of companies around the globe and puts at risk the financial and personal information of a significant fraction of the planet’s population.”

Mark Bower from Voltage Security told the newspaper: “This sounds all too familiar – weakly secured sites, preventable vulnerabilities that aren’t patched. Yet more evidence the bad guys are winning big at consumers’ expense.”

Whether or not they are dragged kicking and screaming into security awareness, companies will face the dilemma of wanting to store as much information about consumers as they can without losing the trust of the very audience they aim to serve by inadvertently losing that information to cybercriminals. Defense-in-depth protections may require more consumer inconvenience, such as mandating two-factor login authentication, but more importantly companies will have to layer up their back-end infrastructure and make sure they have the monitoring tools in place to detect nefarious activity quickly.

This is an arms race with sophisticated cybercriminals who realize that stealthy camouflage on a server, with a trickle of captured information, can mean a long-lasting goldmine of sensitive data. When you pull a whole server down, the chances of discovery and eradication are much higher. That is part of the reason it can take so long to detect an issue.


RESOURCES:
Hold Security: You Have Been Hacked!
New York Times: Russian Hackers Amass Over a Billion Passwords
San Jose Mercury News: Record-breaking data breach highlights widespread security flaws


RELATED CONTENT:
Encryption: perspective on privacy, security & compliance
Defense in depth
What took so long? How data breaches can go months without being detected
Data breaches ending careers “right to the top” of C-suite

Posted in HIPAA Compliance, Information Technology Tips, PCI Compliance

Data breach reporting: A job killer or business saver?

There’s quite a brouhaha bubbling up Down Under.

It all stems from a Sydney Morning Herald opinion piece written by the CEO of the Association of Data Driven Marketing and Advertising opposing the mandatory data breach reporting law introduced to the Australian Parliament by federal attorney general Mark Dreyfus.

The CEO, Jodie Sangster, raised some eyebrows (and generated plenty of pro and con internet content) by referring to a mandatory data breach reporting law as “Luddite thinking” that would be “an innovation killer and the extra compliance red tape will strangle technology-related organizations throughout the economy.”

Sangster’s biggest problem with the legislation is the lack of a clear definition of “serious harm,” a term introduced by Dreyfus in his own previous opinion piece. In it, he writes that “(b)usinesses will not be unfairly burdened by the proposed laws because the notification requirement will apply only to serious data breaches that may cause harm to individuals.”

Here’s what Sangster believes is the end result of a law without a clear definition of “serious harm”:

… will likely cause organizations to adopt the most risk-averse internal policy setting. This, in turn, will lead to the over-reporting of relatively minor data errors, as compliance managers act to protect their organization from prosecution.

It will also tend to penalize those with the most sophisticated data management systems, since they are the ones more likely to pick up on data errors. Small to medium businesses will likely take a “see no evil, hear no evil” approach; they will put off investments in data-driven technology for fear it will come back to bite them.

The costs will fall relatively more heavily on smaller entities – the innovators of the Australian digital economy – who don’t have sufficient internal resources dedicated to compliance. They will find themselves spending more time managing the reporting process and less on managing the right outcome for customers.

Interesting points, for sure. But regardless of what an organization is required to do by law, many security experts would still suggest that it notify customers of any data breach itself before somebody else does.

Last month, we wrote a blog post entitled “Experts: Be fast and forthcoming with details of a data breach.” It excerpted a Dallas Morning News story, with these quotes from Javelin Security & Research senior analyst Al Pascual:

“Release clear, descriptive, and prompt notifications,” Javelin said. “Notifications that describe in detail how a breach occurred can bolster an organization’s claims that they have corrected the security vulnerability … restoring some degree of confidence among consumers.”

Clamming up about information is the worst thing a business can do in a data breach.

“To avoid having a breach event’s narrative hijacked by the media or by adversarial organizations, prompt disclosure is imperative,” Javelin said. “A loss of control can imperil an organization’s reputation, diminishing the trust of business partners, consumers, and shareholders.”

In the same post, we pointed out that an article by Healthcare IT News associate editor Erin McCann has strikingly similar advice from Gerry Hinkley, a partner at the Pillsbury Winthrop Shaw Pittman law firm who spoke at a HIMSS Media and Healthcare IT News Privacy and Security Forum.

Hinkley’s message: “Don’t give in to individuals who want to sugar coat this. … You do much better really saying what happened up front.” He said proper breach response can help limit cost, avoid litigation and help retain the integrity of the organization.

Let the debate continue.


RESOURCES:

Sydney Morning Herald: Data breach law a jobs killer

Sydney Morning Herald: Online privacy breaches a concern for us all


RELATED CONTENT:

Experts: Be fast and forthcoming with details of a data breach

Americans agree government must do more to protect data, but can the government act?

Another U.S. retailer discovers the real cost of card holder data theft: customer loyalty

Posted in HIPAA Compliance, Information Technology Tips, PCI Compliance

The next big retail fraud? Jimmy John’s investigating possible data breach

Unauthorized activity on credit cards recently used at Jimmy John’s locations has led the sandwich chain to work with authorities on an investigation of a potential data breach.

KrebsOnSecurity.com first reported on the issue Thursday, stating the chain “did not return calls seeking comment for two days” (not Freaky Fast) before issuing an email statement that it is “investigating the situation” and will provide an update “as soon as we have additional information.”

Financial institutions contacted by KrebsOnSecurity.com witnessed “card-present” fraud that allowed criminals to create copies of credit cards.

Beyond ATM skimmers, the most prevalent sources of card-present fraud are payment terminals in retail stores that have been compromised by malicious software. This was the case with mass compromises at previous nationwide retailers including Target, Neiman Marcus, Michaels, White Lodging, P.F. Chang’s, Sally Beauty and Goodwill Industries.

Jimmy John’s has more than 1,900 stores across the United States.


RESOURCE:
Sandwich Chain Jimmy John’s Investigating Breach Claims


RELATED CONTENT:

What took so long? How data breaches can go months without being detected

Data breaches ending careers “right to the top” of C-suite

Posted in Information Technology Tips, PCI Compliance

Potential for undetected breaches is CFOs’ biggest cybersecurity concern

Ever wonder what your company’s CFO is most worried about when it comes to cybersecurity? We may have your answer.

Dig deep down through Grant Thornton LLP’s bi-annual survey of CFOs and other senior financial executives for a pretty good hint. Right there on page 23 of the 28-page report:

What are your business’s top cybersecurity and data privacy concerns?

59% — Potential for undetected breaches
54% — Customer/client data privacy
50% — Unknown and identified risks
42% — Employee and workplace data privacy
32% — Compliance with data security laws

(Respondents were able to select more than one answer.)

More from the report: “Forty-two percent of chief audit executives listed data security/privacy as a risk area that has the potential to impact growth, and 70% include this risk in their internal audit plan. More than 40% of in-house counsel claim that the risk of a cybersecurity/data privacy breach has increased in the past year, but 17% are unsure what was being done to deal with these risks in their organization.”

(Oh, and here’s some good news from that same report: Sixty-eight percent of CFOs expect an increase in the average per-employee salary over the next year!)


RESOURCES:
Grant Thornton Spring 2014 CFO Survey


RELATED CONTENT:

What took so long? How data breaches can go months without being detected

Data protection and the cloud

Data is money: Just as money belongs in a bank, data belongs in a data center

Posted in Information Technology Tips

Up your HIPAA IQ with a little HIPAA FAQ

Are you wondering what all the HIPAA fuss is about? Here are a few basics to get you started, along with references to in-depth videos along the way.

What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996 that specifies laws for the protection and use of Personal (or Protected) Health Information (PHI) which is essentially your medical record. HIPAA was intended to ease the sharing of Personal Health Information (PHI) between entities that have a need to know while maintaining an acceptable and reasonable level of privacy to the individual whose information is at stake.

What is HITECH?
In 2010, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in order to update HIPAA rules and provide federal funds for deploying electronic medical records (EMR), also referred to as electronic health records (EHR). HITECH upgraded HIPAA because medical records were now in digital form and, as a result, needed new rules for protection and availability.

What does HIPAA cover?

HIPAA covers the Privacy, Security and Enforcement rules of PHI. The Privacy and Security rules contain information on how one must treat PHI (whether it’s electronic or not). The enforcement rules specify what happens if you don’t (the penalties).

The 3 pillars of HIPAA are:

  1. Integrity of information – the medical record must be accurate
  2. Confidentiality – The medical record should only be seen by those with a need to know and all uses of that data should be knowable by the individual.
  3. Availability – The medical record must be available, in essence, no reasonably avoidable downtime.

Who’s the Boss for these rules? Are the HIPAA police real?
The Acts are administered by the Department of Health and Human Services (HHS) in the Office of Civil Rights (OCR). It is the OCR which has the right to enforce, audit, fine and charge companies and individuals for violations of the Act. They interpret the law in the Act and write the rules and regulations.

What are the rules and regulations?
The rules and regulations are documented in the Code of Federal Regulations (CFR). Parts 160 and 164 of the CFR are the two that pertain to HIPAA. When someone says they adhere to HIPAA rules, it means they adhere to the paragraphs in the Parts. For example, one of the paragraphs says:

Paragraph 164.308(a)(1)(i) Standard: Security Management Practices – Implement policies and procedures to prevent, detect, contain, and correct security violations.

We are then required to do precisely what it says – prevent, detect, contain and correct security violations. At Online Tech, we have such a written policy and in that documented policy we reference this paragraph number. Note that these rules say nothing about how you achieve these objectives – that is what we decide and document in our policies.

What do the rules say we must do (and not do)?
Primarily:

  • Protect the Availability, Integrity and Confidentiality of PHI
  • Have Business Associates Agreements with any vendors that touch protected health information (PHI)
  • Report any violations of PHI misuse to the OCR (yes, we actually must snitch if we see violations to the statutes).

The rules do not specify any particular technology platform or design, just that you must secure the data. There are industry best practices that the regulators assume you would use, such as NIST guidance for protecting data; if you ignore them, they would likely consider you negligent.

What are all these “safeguards” about?

The requisite safeguards in the HIPAA Privacy and Security rules are divided into three different sections: Administrative, Physical, and Technical.

  • Administrative safeguards are things like security training for all employees, or policies to never access client data.
  • Physical security includes things like requiring two forms of authentication in order to open the doors in our data center. It might be a combination of a badge, fingerprint, pin code, or key fob – anything that requires at least 2 things to prove you are who you say you are.
  • Technical security includes things like making sure that anti-virus software is on your server or using 2-factor authentication for remote VPN connections to a server.

What are the penalties for violating HIPAA?
The penalties for violating HIPAA rules are severe. They range from $100 to $50,000 per violation (or per record), up to a maximum of $1,500,000 per year, and can carry criminal charges which could result in jail time. They are incurred if more than 500 records of PHI (or ePHI, Electronic Personal Health Information) are released to the public in unencrypted form.

Serious stuff. The fines and charges are broken down into 2 major categories: “Reasonable Cause” and “Willful Neglect”.

  • Reasonable Cause ranges from $100 to $50,000 per incident (release of 500 medical records) and does not involve any jail time.
  • Willful Neglect ranges from $10,000 to $50,000 for each incident and can result in criminal charges.

What does it mean to have a HIPAA audit?
A HIPAA audit means that you have performed a diligent risk assessment against the latest OCR HIPAA Audit Protocol. Let’s be honest: none of us can truly, objectively assess ourselves. Get an independent, third-party opinion or if you are working with a Business Associate and sharing protected health information (PHI), make sure to ask them for a copy of their independent assessment report. Then read it! You should see evidence of strong administrative, physical, and technical safeguards that protect patient information.

What is a Business Associate (BA)?
There are three types of entities described in the statute. The first is the patient. That’s easy. The second is the Covered Entity (CE) and the third is the Business Associate (BA). The CE performs medical services on the patient and has the most trusted access of the information. A hospital or an insurance company is a CE.

A BA is someone contracted by a CE for services that involve the exchange of patient information (PHI) in order to perform the contracted service. A traditional BA is a bill processing company that sends medical invoices and processes payments. It has, and needs, access to the patient information (name, address) and the medical record (diagnosis code, charge, etc.) to perform the work for the CE.

Is my business considered a Business Associate?
If your company comes into contact with patient information, you are considered a Business Associate. At first, not everyone was convinced that cloud providers were indeed Business Associates, until David S. Holtzman of the Health Information Privacy Division of OCR clarified the point during a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute:

“If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service”

Another point OCR makes is that business associates must also adhere to the Breach Notification Rule – including the subcontractors of business associates. Covered entities and business associates should take note: the rulemaking document also states that “these proposed changes would make covered entities and business associates liable under § 160.402(c) for the acts of their business associate agents, in accordance with the Federal common law of agency, regardless of whether the covered entity has a compliant business associate agreement in place.”

When is a BAA required?

A Business Associate Agreement is required whenever a client is storing, processing or transmitting protected health information (PHI).

Does choosing a HIPAA compliant Business Associate make your business HIPAA compliant?

No. Every company must do their own risk assessment and mitigation planning that is specific to their own processes and procedures. That said, if you are working with a vendor who has performed the same level of due diligence, it saves you from having to spend a lot of time and money researching and detailing their protective practices to protect patient information. In our case, we provide all of our clients with our complete, independent HIPAA audit report. In turn, they can share this with their auditors to save time and money during their own audit.

What about Encryption, is it required?

Yes and no. Encryption is listed as “addressable” in the technical safeguards, instead of “required”. Why? The healthcare information ecosystem is wildly diverse, and there are many different ways of protecting patient information. The easiest way to prove you meet this requirement is to use AES 256-bit encryption on all data to the NIST standard. If you have adequately encrypted the data, then you are NOT required to report a data breach, as long as the encryption keys have not been jeopardized and patient information remains safely encrypted.

If you opt not to use the recommended AES 256 encryption, it’s on you to prove that your method is as good as, or better than, the NIST standard. If you can’t prove that your protections meet or beat the NIST standard, you may be liable for penalties that fall into the expensive “negligent” category.

What are some other HIPAA best practices?

There are a few things that clients should do, as they will help with their audit:

  • Document data management, security, training and notification plans
  • Use a password policy for client access
  • Encrypt PHI data whether it’s in a database or in files on the server
  • Do not use public FTP; use other methods to move files
  • Only use VPN access for remote access
  • Build login retry protection into the application
  • Document a disaster recovery plan

What other questions do you have about HIPAA? Leave them below, and we’ll answer them in future posts.

Posted in Cloud Computing, HIPAA Compliance

Converge conference in Detroit: Before finding data breach solution, be sure your business is ready to receive it

More from the Converge information security conference in Detroit, this time recapping Enterprise Security Back to Basics presented by Joel Cardella, the director of information security, IT security, governance, risk and compliance at Holcim US.

(Also see a recap of Thursday’s The Challenge of Natural Security Systems.)

Why this back to basics talk? Cardella feels we’re being beguiled by all these large breaches that push people to a solution they aren’t yet ready to receive. He holds that the importance of this talk is getting organizations mature enough to be ready to buy what vendors are selling. It’s about asking if your company is sure you need what is being offered.

The goal for security is being able to become proactive from the normally reactive InfoSec environment. Each single record lost is worth $145 in a data breach. That’s up 15% this year from last year. When breaches affect thousands, or even millions, of records the cost is incredible.

Cardella defines risk as:

Threats x Vulnerabilities x Time = Risk

Threats are not something we can control. Vulnerabilities are things we can control and influence, both directly and indirectly. Time is also in our control. Taking care of something quickly can help drive the risk down. The point: Do what you can to secure your company as quickly as possible to immediately lower risk within your organization.

Basics:

  • Security requires resources, you must invest in order to get a return
  • Act/think like an adversary.
  • Find and understand what’s happening in your network. Find your baselines.
  • Document everything. Especially if you deal with audits, you want to have everything written down.
  • Make a plan. Write that plan down. Even if it’s simple, write it down, and then flesh it out over time.
  • Keep your scope small.
  • Go back and do it all again. Verify, and find the things you missed.

Cardella says that in IT, it’s important to understand your business, and how the IT infrastructure supports that business. Knowing how your business uses the infrastructure means you can create and change it to be more effective and secure in the future.

Another really important basic is network segmentation. Not allowing systems to talk to each other across sections of a network means that an attacker who has access to one section cannot use it to break into another. He admits that this takes a lot of time, and it’s important to seek out an expert who can help with firewall implementation. You also need to test to be sure that your network actually is segmented, not just that it should be.

Managing the accounts that are on your system is incredibly important, and goes back to understanding how your company works, and who needs what access. Restrict access to employees and vendors to a need to know. Set up a classification scheme in order to determine the sensitivity of data, and thus what access is necessary for certain users in order to get to the information they need.

At the end of the day, Cardella explains that there is no magic bullet. InfoSec is multi-layered and multi-disciplinary. It costs time, money and resources. Focus on the implementation, not just the technology – that’s where much of the problem is.

Humans are the weakest link, so you can’t take for granted that a great technology is implemented correctly. Always ask “Are you sure?”, and prove that you’re secure through trials, testing, changing and repeating.


RELATED CONTENT:

Converge conference in Detroit: InfoSec organizations must learn, modify and adapt like organisms

Online Tech opens its doors to fast-growing tech hub of Metro Detroit

Posted in Information Technology Tips

Want a good job? Study computer or information science

Momma, don’t let your babies grow up to be cowboys. Don’t let ‘em pick guitars and drive them old trucks. Make ‘em be software engineers and network systems analysts and such.

With apologies to Waylon Jennings, it’s true that a recent study by the US Education Department found that more than 95 percent of computer and information science students were employed full-time four years after graduation. Engineering graduates had similar success.

The findings are based on a survey of 17,110 students conducted in 2012, about four years after the students obtained their bachelor’s degrees.

And there’s this: Just 16 percent of the students had STEM (science, technology, engineering, math) degrees, but those who did were paid significantly better than their counterparts.

Speaking of tech jobs, Online Tech is currently looking for senior sales engineers and a data center facilities engineer. Check out our careers page for details.


RESOURCE
Associated Press: Survey finds math, science grads earn top dollar

Posted in Information Technology Tips, Online Tech News

Converge conference in Detroit: InfoSec organizations must learn, modify and adapt like organisms

Today is Day 2 of the Converge information security conference at Detroit’s Cobo Center, and it promises to be full of significant insights into IT security within organizations.

Here’s a recap of one of Thursday’s sessions, The Challenge of Natural Security Systems, presented by Rockie Brockaway, the security practice director at Black Box:

Brockaway started with a really important point: Information security is currently viewed as a tactical response within companies, when it should be treated as a function of the business. InfoSec’s role is to prevent the loss of business-critical data, promote innovation within other parts of the company and protect the brand. One of the biggest hurdles in InfoSec, Brockaway explains, is understanding what a company’s critical data is, and where it’s stored. Without that information, there’s no way to fully protect it and vulnerabilities will be created.

Another issue within enterprise InfoSec is the obsession with static models like walls. If a security measure is put into place without learning, modifying and adapting from new information, it will eventually be circumvented and will become useless.

So what should companies do to become more adaptive? Brockaway views a business as similar to an animal: small systems that together make up a larger organism. Drawing on the characteristics of adaptable organisms, he identified traits that also help a business adapt.

First, he says, learn from your successes. There is value in understanding mistakes, but analyzing what is working also yields more information about attacks. Next, set up a company in a semi-autonomous fashion, with little central control. One of the biggest issues with centralization is the single point of failure it creates. Redundancy is key to the survival of a system; without it, one issue could be devastating.

Another trait Brockaway mentions is the ability to use information to mitigate uncertainty. An animal survives by evaluating its surroundings and being aware of potential danger. Understanding a corporate IT environment and continuing to assess the surroundings means being able to see when things are out of the ordinary, and fixing potential vulnerabilities.

Lastly, Brockaway states that in order to be adaptable, organisms have many symbiotic relationships with other organisms. He translates this to having relationships with solution providers that can help open up a company to mutual benefits and stronger security.

There’s more to come about information security, so stay tuned! The Converge conference concludes today and it is followed Saturday by BSides Detroit.


RELATED CONTENT
Online Tech opens its doors to fast-growing tech hub of Metro Detroit


Online Tech opens its doors to fast-growing tech hub of Metro Detroit

The Metro Detroit area has been one of the country’s fastest-growing technology hubs for years, topping that list in 2012 and placing fifth in 2013.

In its 2014 Technology Industry report, Automation Alley says the automotive capital of the world has “quietly become a leader among the nation’s technology economies,” the largest tech hub in the Midwest with a growth rate significantly higher than more traditional technology regions like Silicon Valley.

Online Tech’s Metro Detroit data center.

“Everyone in Michigan knows the exciting story that is emerging, but Detroit has been under the radar nationally,” Online Tech co-CEO Mike Klein said in a press release announcing the company’s new Metro Detroit data center will officially open on August 1. “With smart people like Dan Gilbert making major investments in a wide range of local technology businesses, there is now a vibrant community of startups in Detroit that rivals anywhere in the country.”

As the installation of Henry Ford’s first moving assembly line transformed Detroit’s industrial past, world-class data centers will provide the infrastructure necessary to make today’s Motor City more productive and profitable, and also prepare the burgeoning tech scene for the next several decades.

More than a year ago, an Online Tech co-CEO addressed this topic in a video entitled Data Centers Come to Town:

“You can’t have a really successful community with lots of high tech activity if there’s not a single intellectual property lawyer in town or a single accountant that knows how to do depreciation for software. Companies end up leaving those areas because they can’t get important help,” he said. “(Similarly, data centers) are seen as an important piece of the infrastructure. You can’t be a technology corridor if you don’t have at least one or two data center providers.”

Note: Tours of Online Tech’s new Metro Detroit data center are available upon request.


RELATED CONTENT:

Request a visit of Online Tech’s fourth Great Lakes data center in Metro Detroit

Online Tech ready to meet Metro Detroit’s growing IT infrastructure demand

Smitten with the mitten: Online Tech honored for improving economy in state of Michigan

Celebrating Michigan’s metamorphosis to a digital, science and technology base

Metro Detroit has ‘become a leader among the nation’s technology economies’
