Wednesday, September 14, 2016

Email encryption? Who really cares!

So, I finally took advantage of the low mortgage rates I've seen advertised all over the place and refinanced my house.  I was excited! The bank I applied for the mortgage through was able to do just about everything online, using a combination of Adobe PDF delivery mechanisms and a portal to upload documents required for the mortgage.

In typical fashion, something broke with their portal and I needed to send one last document to the bank.  My options were to either drop it off at the local branch or send it to them via email.

As it is, with my job, I have many tools at my disposal in order to send messages encrypted through email, but I decided that I really didn't want to use any of our systems at work since I like to maintain a separation between personal business and work.

Hmm, what should I use within my personal email account to encrypt this stuff? Should I zip it and password protect the file?  That sounded like a good idea, but then I started to think of the risk involved with me just sending the stupid PDF.  Do I really care? I mean, what could happen? Is there a chance that some hackers are a just standing by at Comcast headquarters with one of the switches port mirrored, looking for stuff coming off of the residential backbone? I guess it's possible, but what are the chances? Are we really going overboard with this email encryption stuff? Do we REALLY need it?

Unfortunately, in reality, the answer is yes... We do need it.  The biggest problem is that you don't know what's happening between the two endpoints. You can't put your faith in a gut feeling that there won't be any evil happening once the data hits the Internet, or that the infrastructure is somehow too big or obscure to even allow the capture of your "one in a billion" packets that pass through in a nanosecond.  Since you don't have any control or visibility of what happens between the originator and the receiver, you just can't take that chance with sensitive data assets.

I teach at a college here in Chicago and one of the assignments I have the students in my Information Security course complete is research on something called Room 641A.  Google it... You'll have fun.

(As posted on LinkedIn)

Thursday, September 1, 2016

Data Classification - Who needs it?

As an information security practitioner, there are times when you look at the security landscape for your organization and think, wow, there are definitely some areas we can improve on.  Many of these areas are not necessarily easy to tackle and execution may even seem impossible!

One thing I had always struggled with when working in banking, was data classification. We did have data classification defined, to an extent, but it was really basic and didn’t allow us to make real decisions on investing in technology and security controls.  The bulk of what we really needed to protect was customer information, but was that good enough?

In banking there is a defined segmentation of data that needs protection – customer data.  Putting forth the minimum required effort from a compliance standpoint is really a shortsighted view of a larger data classification need, because there are so many other groups of data that fit into a grey area.  In this grey area lives large quantities of private information, such as the information that human resources maintains on our employees (salary, health care info, etc.), information relating to mergers and acquisitions, employee lists, schedules, bank access codes, combinations to vaults, minimum cash limits…  The list goes on.

How do we classify the sensitivity of this data? It certainly doesn’t fall into the larger category of customer information, but it definitely needs to be protected from exposure.  What’s more, this inadequacy will start to expose itself when looking at initiatives such as DLP, rights management, DR optimization, justifying spend on technology, and now – cyber-insurance requirements.

Take the time to look at how you are classifying data, what types of data labels you are using, and how data classification feeds into larger initiatives.  You may be surprised at how many areas this touches and how it may help with some of the initiatives listed above.

If you need help understanding how Data Classification can help you, or if you are in need of building out a more comprehensive Data Classification scheme, let me know.

(as posted on LinkedIn)

Sunday, March 1, 2015

Bankers - Cloud Apprehension?

Lately, I've been talking to a lot of banks about Office 365, but there is still fear and apprehension in the banking industry about the "cloud". It has long been held in the banking industry that the cloud is bad and I, myself, have also held that same stance on public cloud services in general.

One day last week, I was performing SSAE16 reviews of critical vendors for a financial institution and I realized something: Their core service provider is essentially a cloud offering.

Some may scoff at this idea, but take a closer look:

  • You are on a shared system – Shared disk, processor, memory (Unless you are a large bank)
  • You rely on third-party audits (and possibly site visits) to validate controls
  • You receive an SSAE16 SOC1 – Type II report from them
  • There is no on premises equipment
  • Telecom circuits are relied upon for availability
  • You don't really know exactly what is going on behind the scenes

… and this is for the core processor, where all of the super-sensitive data resides. We are talking customers, addresses, balances and account numbers!

I started to ask myself: Are bankers living by a double standard?

If I looked at Office 365 objectively, performed a proper vendor risk assessment and evaluated the risks, I couldn't imagine that an email system would be ranked nearly as high in Confidentiality Risk as the Core.

Consider Availability Risk Reduction when it comes to Office 365: The number of systems Microsoft has dedicated to keeping the system available is ridiculous.

Service providers for banking? They typically have a warm site backup on the other side of the country.

My experience in working with Office 365 over the past year has been enlightening. I've received SSAE16 reports, data center tours and have access to the Microsoft trust center, which allows me to understand the security controls better. After working through some of the details - using information from a processor that I used to utilize - I found that Microsoft has more visibility and controls built around the protection of data than my processor did.

Wednesday, December 24, 2014

The Big Move - Part 1 - Setting up your custom domain to work with Office 365!

To say that I did a big move would be a complete lie.  I have a couple of domains that I have email addresses attached to as well as two POP3 accounts (from my college days) that I would like to aggregate into one place.  Gmail was able to do this for me for many years, but I have since wanted to explore the Office 365 offering by Microsoft a lot deeper, so I started the process of moving over some of my "lesser used" domain /email combinations.  When I say "move", I don't mean that I migrated the mailbox - I just simply configured everything so that any future email would flow into my Office 365 account.  I figured this would be easier and safer in case I wanted to switch back quickly -- especially considering I probably get one or two email messages per week in my lesser used accounts.  I did eventually do a mailbox move, but I will cover this in another blog post.

Again, this is an additional domain and email address that is being added to my already established Office 365 account.  The intent is to have all of my various email accounts aggregate into one mail box.  I will also show how to get POP3 email into this one account as well as some tips I used to make mail management a lot easier in another blog post.

So, here is what I did:

First, I logged into my freshly new Office 365 tenant and went to Admin / Office 365:

Then on the left side of the screen you will see a place for you to click on called "Domains":

You will then be presented with the following screen.  These are the three steps you need to take in order to get your domain set up.

Once Step 1 is selected, you will be presented with the following dialog.  Enter the domain name you want to start to use with Office 365.  I used a domain of a business I used to have but still get email through:

Office 365 will interface with most registrars to make your DNS modifications to allow email to flow to Office 365.

Once you continue, you will see a dialog box that is generated by GoDaddy (my registrar and where I maintain my DNS):

Just click ACCEPT and voila:

Now, what you can do is start adding user accounts.  BUT... I chose not to - Keep reading:

Because I just have one mailbox license for Office 365 and I have it configured with another email address with another domain, I will choose not to add any users.  What I will do instead is configure Office 365 to direct all inbound email to this domain to my primary email account.  This will become apparent later in this post.

This step sets up the DNS information properly.  It will want to know how you want to use Office 365 with this domain and then make the appropriate DNS modifications - see the next three screen shots:

There you have it - Now your domain is configured to be used with Office 365!

You will now have to configure Office 365 to be able to accept inbound email from this new domain and then determine what happens to the email.  Additionally, you will need to configure Office 365 to be able to send from this domain as well.  I will be covering all of this in my NEXT blog post, so stay tuned!
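The portal steps above (register the domain, prove ownership with a DNS record, let the registrar wizard publish the mail records) can also be driven from PowerShell, which is what an administrator would reach for when doing this more than once. The script below is an added example; it is not from the original post or from Microsoft's documentation. It uses the MSOnline module's cmdlets for the domain steps and Resolve-DnsName to check the result independently of what the GoDaddy wizard reported. `example.com` is a placeholder for the domain being added, and the script assumes the MSOnline module is installed, the account is a tenant administrator, and it runs on Windows 8 / Server 2012 or later where Resolve-DnsName exists.

```powershell
# Added example, not from the original post: register and verify a custom domain
# in Office 365 from PowerShell (MSOnline module) and check the DNS records that
# the registrar wizard is supposed to create. 'example.com' is a placeholder.
# Assumes: MSOnline module installed, a tenant admin account, and Windows 8 /
# Server 2012 or later for Resolve-DnsName.

$domain = 'example.com'   # placeholder for the domain being added

Connect-MsolService       # prompts for the Office 365 administrator credentials

# Register the domain with the tenant if it is not already there
if (-not (Get-MsolDomain | Where-Object { $_.Name -eq $domain })) {
    New-MsolDomain -Name $domain | Out-Null
}

# Office 365 proves ownership through a TXT record at the domain apex; print the
# exact record that has to be created at the registrar (GoDaddy in the post)
$proof = Get-MsolDomainVerificationDns -DomainName $domain -Mode DnsTxtRecord
Write-Host "Publish TXT record: $($proof.Label) = $($proof.Text)"

# Once the TXT record is live, ask Office 365 to confirm ownership
try {
    Confirm-MsolDomain -DomainName $domain
    Write-Host "Domain status: $((Get-MsolDomain -DomainName $domain).Status)"
} catch {
    Write-Warning "Verification failed (TXT record not visible yet?): $_"
}

# Independent check of mail routing after the registrar has applied the changes.
# Inbound: MX must point at Exchange Online Protection.
# Outbound: an SPF TXT record including spf.protection.outlook.com is what lets
# receiving servers tell genuine Office 365 mail from mail spoofed with this domain.
$mx  = Resolve-DnsName -Name $domain -Type MX  -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'MX' }
$spf = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'TXT' -and ($_.Strings -join '') -match '^v=spf1' }

if ($mx -and ($mx.NameExchange -match 'mail\.protection\.outlook\.com$')) {
    Write-Host "MX OK: $($mx.NameExchange -join ', ')"
} else {
    Write-Warning "MX for $domain does not point at Exchange Online Protection"
}

$spfText = if ($spf) { $spf.Strings -join '' } else { '' }
if ($spfText -match 'include:spf\.protection\.outlook\.com' -and $spfText -match '-all$') {
    Write-Host "SPF OK: $spfText"
} else {
    Write-Warning "Expected an SPF record like 'v=spf1 include:spf.protection.outlook.com -all' for $domain; found: '$spfText'"
}
```

The DNS check at the end is worth running even when the registrar wizard reported success: the MX record decides whether mail for the domain actually reaches Exchange Online Protection, and the SPF record decides whether other servers can reject mail that merely claims to come from the domain. An SPF record that is missing or ends in `?all` or `+all` leaves the domain open to spoofing, so the script insists on `-all`.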

** Remember, this is a second domain and email address that is being added to my already established Office 365 account.  The intent is to have all of my various email accounts aggregate into one mail box.  I will also show how to get POP3 email into this one account as well as some tips I used to make mail management a lot easier.

Wednesday, November 12, 2014

Office 365 Mailbox De-Clutter

Since I was a Gmail user for so long, I got used to some of the features and subsequently took them for granted.  One of those features was the automatic classification of email on perceived "importance".

Gmail took it a step further and started to break out email into multiple groups such as: Social, Forum, Updates and Promotions.  This made it nice to really de-clutter my mailbox within Gmail and I started to miss this once I migrated over to Office 365.  

Well, apparently just a few days ago, the Clutter feature came out. This feature learns your behavior and will classify certain inbound email as clutter.   I enabled it, and it is starting to actually learn my behavior within two days.  

If you want to enable it in your Office 365 mailbox, launch OWA, (http://portal.office.com - Click on "OUTLOOK") click on the GEAR icon, and click OPTIONS:

You will then be presented with the options under Mail / Automatic Processing.  Select the option "Separate items identified as Clutter":

... and that's it.  You will notice a new folder in your inbox called Clutter.  This is where all of the newly classified email will be directed.

If you want to learn more about this feature and how it really works, this is a great blog article put out by Microsoft:  


Monday, November 10, 2014

Leaving Gmail - Hello Office 365!

I've been a Gmail user for years and consequently, I've found myself quite embedded in the Google line of products.   I have an Android and also use the connected products (like this blog), but Gmail has always been on my list of products to migrate away from.

Notwithstanding the privacy issues that are continually raised on the Google platform, I wanted to untangle the complex web I had to create in order to make everything work for me on the Gmail platform.  This was further prompted by my renewal at GoDaddy that was topping $200 annually. (More on this later...)

Granted, I don't have a ton of email, and nothing I am doing is enterprise class, but I do have my personal account (a vanity domain), a business type of personal account (also a vanity domain), a couple of POP3 accounts that my alma maters have set up for me, and an exchange account that I have to use to communicate to my students (I teach at a local college).  Quite a mess if you have to keep track of email from a number of different interfaces...
... and how would this all work with mobile access??

Well, Gmail was here to save the day - Kind of...
I did get everything to work pretty well, but I had to do a number of workarounds to make everything click.  Gmail gave me a lot of space (I'm currently using 7GB of my 15GB mailbox) and I absolutely fell in love with the Archive function.

Over time, some of the Gmail shortcomings started to bother me, and with my last GoDaddy bill, my "want" to start to consolidate everything (from GoDaddy, to Gmail, to Exchange) prompted me to start to look at Office 365 as a viable alternative to my Gmail mailbox - a central repository for all of my mail.

What were some of the issues with my current setup?  GoDaddy's SMTP Relay limits and Gmail's "On behalf of" problem. A description of this is clipped here from Wikipedia:
"... any email sent through the Gmail interface included the Gmail.com address as the "sender", even if it was sent with a custom email address as "from". For example, an email sent with an external "from" address using Gmail could be displayed to a receiving email client user as From user@gmail.com on behalf of user@OtherDomainEmailAddress.com (the display used by versions of Microsoft Outlook). By exposing the Gmail address, Google claimed that this would "help prevent mail from being marked as spam..."
This was unacceptable to me, so I signed up for SMTP Relay accounts with GoDaddy and routed my mail through them instead of the Gmail servers.  GoDaddy would only allow 50 messages per day with their SMTP relay service, which would also pose a problem for me at times.

Since I work for a Microsoft Gold Partner, I started to see first-hand the functionality Office 365 had, and was moving closer and closer to setting up a "tenant" to do some testing.  The features that get added to Office 365 are staggering - You can see the road map here.

One evening, I decided to flip the switch.  I've successfully made the switch over to Office 365, and it was a piece of cake.  I'm starting to assemble some of the steps I've taken to make Office 365 a great way to consolidate all of my email and the use of some of the functions Office 365 offers to make my consolidated email box something that is functional and not overwhelming. Look for those notes to appear here over the next couple of weeks - Including setting up websites in Azure!

Wednesday, November 5, 2014

An ISACA volunteer

Twice a year, I disappear for about 3 days to participate in a question writing and proofing exercise for ISACA, a non-profit organization charged with leading the information security, risk and assurance certification as well as education.  They are most notable for their CISA and CISM certifications.

I earned my CISM a number of years ago and over the course of time, I've always had a little bit of a challenge obtaining CPE (Continuing Professional Education) credits. A minimum number of credits is required to maintain the certification.  I was working for a failing financial institution, and it was nearly impossible for me to get funds to take courses or attend events that would allow me to obtain credits.

Luckily, there are a number of other ways to obtain CPE credits: 
 - Answer questions in the back of the monthly journal
 - Write articles for the journal
 - Write test questions for a certification pool
 - Mentor others toward a certification

I always thought it would be fun to try to attempt writing test questions for the CISM exam, so one day I did!

Shortly after submitting my attempt at creating about 15 questions, ISACA and I launched a fantastic relationship with this organization, one I am thankful to have to this day.

My involvement in writing test questions lasted only one year before I was asked to be part of a committee called the Test Enhancement Subcommittee, which not only writes questions for the exams, but is in charge of proofing all of the questions that get submitted.  Better yet, I get all of my CPE for the year just by participating!

In the beginning, I was more excited about being able to obtain all of my CPE easily, but as I continued to get involved in the TES with ISACA, it was clear to me that I was part of something amazing - a continually refining exercise that produces relevant questions to test an applicant's base of knowledge!

Working on creating and modifying questions for the CISM certification is a rewarding experience, but it is the relationships with the other volunteers and the wonderful staff at ISACA that make me proud to be a volunteer and to be part of the process.