Saturday, February 16, 2019

Secure Translations - Employee Training - Phishing - Part 8 of Many

Security Drills like Ethical Phishing Attacks are a must-do to keep digital assets secure.

This immediately poses the question: Are you and your service providers training users on cybersecurity? We need employees to master security, not just to be aware. The employee awareness programs that most auditors are after are a good start but not enough to make sure that your employees act as a trusted line of defense.

This is the 8th post in my Secure Translation series, and this time I am discussing the lack of strong employee security training.

As usual, let us use our simple yet effective quantitative risk management framework to analyze this threat.
  • Threat: Companies are tempted just to check the box when it comes to employee training as part of regulatory compliance. Unfortunately, just caring about compliance is not the same as caring about security.
  • Asset: All digital assets are at risk when employees are not highly trained on security issues.
  • Vulnerability: Users with access to confidential information do not truly know how to combat security dangers like phishing.
  • Risk: The impact of any single employee not knowing how to actively fight threats like phishing is the highest security risk companies face today. The likelihood of this happening is extremely high, with attacks getting so sophisticated that even information technology professionals fall for phishing scams nowadays.
  • Safeguard: Actively craft your own internal ethical attacks, collect statistics like the percentage of employees failing to identify threats over time, share the statistics openly, and personally help those employees that have trouble recognizing threats. Make sure not a single user is left behind. Work with staff, vendors and even contacts for mastery, not for punishment. Do not just ask for audit reports and certifications from your service providers; in addition, ask them for their specific employee training program and proof that such continuous training is happening. Furthermore, demand proof of the ethical hacking drills performed internally. A service provider like a language service provider cannot provide secure services like secure translations unless it has a highly qualified cybersecurity program in place. If a single employee or vendor falls for a phishing attack, for example, such a provider cannot provide secure services. If such providers do not have an ethical hacking drill program in place, they cannot keep your information safe.
The reason why my series is about secure translations is that the processes used today to translate documentation for international corporations are in the hands of users that are most likely not well trained. If your organization has trusted translations to Language Service Providers (LSP) that do not have strong, continuous employee mastery-training programs, then your risk of data loss is high, no matter what such providers promise. If your LSP is not training users for security mastery, then that Language Service Provider cannot offer secure translations. They might sell themselves as secure translation providers, but the devil is in the details. You are ultimately in charge of requesting proof that your content is handled by employees and vendors that master the art of fighting cybercriminals, of being cautious, of being knowledgeable. This requires constant training and testing. This is a serious cybersecurity matter.

You can follow the "Secure Language Translations" series in this blog, on LinkedIn, Twitter or Google+. My objective is to educate executives and managers but also to help engineers in reducing organizational risk through sound security measures.

Tuesday, February 12, 2019

Smart Marketing - Understand the Hollywood Principle

Growth hacking has taught Marketing the importance of applied software engineering. Growth marketing practitioners should understand how consumers think. Consumers apply the Hollywood Principle: "Don't call us, we'll call you". The consumer should be calling the producer instead of the reverse. This inversion of control mechanism would, in my opinion, benefit the marketing mix: products will deliver exactly what customers are demanding; price will be transparent and commensurate with the offered value; placement of the product will be dictated by buyer interest and profitable customer retention analysis, rather than artificially and temporarily apparent customer demand; promotion of the product will be achieved by free subscription to relevant material rather than expensive ads, and more educated clients will look into comparison matrices that emerge from a community rather than paid, artificially generated benchmarks.

The Hollywood Principle brings to software development two important benefits: Decoupling, which is needed to make sure code can be tested in isolation; and Cohesion, which is needed to make sure software is packaged together to work towards a very specific goal.

This principle also brings the customer two important benefits: decoupling, which is needed to avoid locking into sub-par services, as the priority becomes a match on prioritized needed features rather than existing relationships; and cohesion, which is needed to make sure consumed services offer highly specialized value rather than a one-size-fits-all set of requirements.

Traditional marketing is still predominant: pushy follow-ups on cold email campaigns, pushy follow-ups on consumption of published content, pushy ads that do not let you navigate through clean content, pushy commercials that disrupt your productivity...

We all want our services to be bought, but pushing at the wrong time has an adverse effect. Pulling is safer. Instead of overwhelming potential future customers with unnecessary calls, emails and ads, marketers should keep up the good work of publishing meaningful content that educates and lets the customer ultimately decide what is best.

Marketing should be modernized and respect the modern knowledge user. Do not call the customer; let the customer call you later, when your service is of interest. Offer your potential and existing customers a valuable newsletter/podcast/videocast without fluff but just stuff, make your website rich in content that educates on the possibilities of your services, showcase previous successful client engagements, and make all content short and educational. Everybody wants a free lunch, which we know does not exist, but we should know when the right time to charge for it is.

Here is a simple recipe:
  1. Create relevant content in different media (some prefer video, others audio, others written information)
  2. Allow people to subscribe to such content and explain clearly whom to reach out to, and how, for further questions and suggestions
  3. Listen to feedback, measure impact and segment the audience to determine what relevant content should be created next
Here are examples of pushy marketing that have not worked for me and probably are not working for most, because they do not respect the Hollywood Principle:

Friday, February 08, 2019

Stop phishing - Use the "Presumption of Guilt" principle

Let's get this straight so that you do not get phished:
  1. All emails, phone calls, regular mails, external links from a website and in general any form of interactive communication, without exception, are all guilty of illegally trying to invade your privacy and security, until you demonstrate the contrary.
  2. It is your responsibility not to click, take a call, place a call, and in general to avoid responding to any communication unless you have demonstrated such communication is not an illegal attempt to invade your privacy and security.
  3. If by mistake you click, speak, or in general interact through any channel, you are responsible for not providing any information after that action. Stop the communication immediately and instead initiate the communication yourself: visit a well known website (instead of clicking, type its URL!), call a well known phone number, or ask around for help.
  4. Be curious. Do your homework, as you should with any news you receive. Right click and copy the link, then paste it somewhere so that you can read it and determine where it would take you if you clicked it. Google keywords from the email, the link and the sender. Look up the phone number calling you. Search for complaints about the suspicious domain or email. Find out whether the email address or the email domain of the person contacting you has been reported as part of criminal activity before. We live in a world full of scams, fake news and hoaxes. Learn, which always means looking at the problem from more than one perspective.
Apply the "presumption of guilt" principle. In particular for emails, please learn (do not just read):
  1. Look at the details of the sender. The "from" in an email tells you whether the person that sent it is known to you, not because of a name but because of the address. The address has an id (the identifier for the sender), an "at" sign (@) and a domain (usually the official website of the company).
  2. An email id that is not as clear as "john.doe", "jdoe", "johnd" is suspicious. Do not trust any stranger up front.
  3. The domain part is separated by dots (.), for example "evil.com" in jdoe@evil.com. Ask yourself what that domain looks like. Is "evil.com" a place you know and trust? Go to a browser and type that domain; do not copy and paste. Consider for example the letters "P/p", which in Cyrillic look exactly the same as in Latin script but are different characters, and therefore https://www.philosophy.com/ is not the same as https://www.рhilosoрhy.com. The second URL is built with the Cyrillic "р". What you see is not actually what you get.
  4. If you trust the user id and the domain, then ask yourself whether you are expecting that email. The fact that you have seen a similar email before does not mean this one is legit as well. If you do not expect that email, assume it is evil. If in doubt, send a separate email to that user you know to confirm, share the details with the related business support team, or ask the geek closest to you. Who sent it is just part of the whole picture; when it arrives is just as important.
  5. If something is not expected, immediately mark that email as spam, do not engage.
  6. Do look carefully at the URLs you navigate to; compare them letter by letter with those you know are correct, using tools like https://www.diffchecker.com/diff. That is how you see that "https://facebook.com" and "https://facebооk.com" are two very different URLs. The first is the one you use, while the second uses Cyrillic characters. The list of confusable Unicode characters is huge, so the possibilities to get phished are practically endless.
  7. Beware of popups; in particular, check that their URL is real and not a simulated address bar. The URL should be visible in the address bar and should be editable by you. All modern browsers ensure that this URL is visible, and this is why you are supposed to use a safe browser. And yet, as mentioned above, double check that it is actually the URL you are supposed to be visiting. This could make the last phishing exploit linked at the beginning of this blog post even smarter and harder to combat.
  8. Needless to say that you should maintain all your devices updated. Do not leave that patch for later. Apply it ASAP (do not procrastinate on protecting yourself).
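A script-mixing check for the letter-by-letter comparison described in items 3 and 6, added here as an illustration rather than code from the post: it reports the scripts used by each label of a host, the punycode form the resolver actually sees, and the exact differing characters against the host you know. The sample URLs are constructed for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample URLs (not the post's links): the real host, and two look-alikes
# built with Cyrillic letters, "о" (U+043E) for Latin "o" and "р" (U+0440) for Latin "p".
LEGIT_URL = "https://facebook.com/login"
LOOKALIKE_URL = "https://faceb\u043e\u043ek.com/login"
LOOKALIKE_PHIL = "https://www.\u0440hiloso\u0440hy.com/"


def script_of(ch: str) -> str:
    """Coarse script taken from the Unicode name: 'CYRILLIC SMALL LETTER ER' -> 'CYRILLIC'."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:  # unassigned code point
        return "UNKNOWN"


def label_report(label: str) -> dict:
    """Scripts used by the letters of one DNS label, plus the ASCII form the resolver sees."""
    scripts = {script_of(c) for c in label if c.isalpha()}
    return {
        "label": label,
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "non_ascii": any(ord(c) > 0x7F for c in label),
        # Any non-ASCII label becomes an "xn--" punycode label on the wire.
        "ace": label.encode("idna").decode("ascii"),
    }


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def host_is_suspicious(url: str) -> bool:
    """Flag a host whose labels mix scripts, or contain non-ASCII at all (review by hand)."""
    return any(r["mixed_script"] or r["non_ascii"]
               for r in map(label_report, host_of(url).split(".")))


def char_diff(seen: str, expected: str) -> list:
    """Letter-by-letter comparison (the post's diffchecker step), naming each differing
    character. Compares up to the shorter string only."""
    return [(i, a, unicodedata.name(a, "?"), b, unicodedata.name(b, "?"))
            for i, (a, b) in enumerate(zip(seen, expected)) if a != b]


if __name__ == "__main__":
    for url in (LEGIT_URL, LOOKALIKE_URL, LOOKALIKE_PHIL):
        print(url, "->", "SUSPICIOUS" if host_is_suspicious(url) else "ok")
        for r in map(label_report, host_of(url).split(".")):
            print("   label", repr(r["label"]), sorted(r["scripts"]), "wire form:", r["ace"])
    for i, a, an, b, bn in char_diff(host_of(LOOKALIKE_URL), host_of(LEGIT_URL)):
        print("   position", i, ":", repr(a), an, "instead of", repr(b), bn)
```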

Monday, February 04, 2019

Cyber Threat Intelligence (CTI) Program

Do your organization and all your service providers have a Cyber Threat Intelligence (CTI) Program?
In other words, how able are your organization and your service providers to prevent cyber attacks?

Despite the little typo, the CTI program representation outlined in the picture from the 2018 ENISA Threat Landscape Report is a starting point; consider reading the rest of that document, which covers current threats and safeguards you should consider when going through quantitative risk management.

While we want security first and then compliance, both are equally important. To achieve a high security maturity level we need to look at strategy (compliance), tactics (ways to compile intelligence), operations (tooling), and technology (secure DevOps and SDLC practices).

My series about secure translations is actually applicable to any kind of service provider, but naturally, based on my current role, I am concerned about the impact of globalization on security and privacy. I am particularly concerned about the practices currently being used by multiple top Language Service Providers (LSP).

It is worrisome to see claims about security on LSP corporate websites that tend to mislead customers, for example the claim that they hold security reports and certifications which in fact point to the hosting providers they use. Let us make this clear: security is not achieved by riding on a mature hosting provider. Instead, security is a journey that an organization decides to make and that must cover internal strategic, tactical, operational and ultimately technical/logical areas.

If you are an executive at an international organization, you should be aware that the biggest cyber-risk faced by your organization lies in the fact that your LSP of choice cannot deliver secure translation services. All efforts around internationalization, localization, transcreation and therefore globalization might actually be compromising your bottom line.

Saturday, February 02, 2019

No person left behind - Anybody can master any subject matter

Salman Khan puts it way better than anybody could:
"Learn math the way you'd learn anything, like riding a bicycle. Stay on that bicycle. Fall off that bicycle. Do it as long as necessary, until you have mastery. The traditional model, it penalizes you for experimentation and failure, but it does not expect mastery. We encourage you to experiment. We encourage you to fail. But we do expect mastery."
If you think there are smart and dumb people, you are simply wrong. All of us human beings are smart, period. In fact we are all equally smart, period. What makes some of you look smarter than others is just the way we as a society evaluate and measure intelligence. As it stands, society is plain wrong when it comes to measuring intelligence.

This is an argument that I have had so many times that I decided to write it down so that I can share it for years to come, instead of repeating myself. We can all be prepared for the Fourth Industrial Revolution and for the industrial revolutions yet to come. We just need to stop teaching the way we teach. The learning pace of each individual is sacred and must be respected and applauded, because the ones that are ahead could be behind soon. It all comes down to determination for mastery. That determination is affected by the society we live in, which rewards the fast learner instead of mastery. The so-called "gifted" are just fast learners. To master a subject you just need determination, whether you were ever called "gifted" or not.

Wednesday, January 30, 2019

Secure Translations - Old Browser Support - Part 7 of Many

Is your service provider stopping old or unpatched browsers from using its application? Is your Language Service Provider delivering secure translations? Let us start with a browser support test. Open Google Chrome, go to your service provider's web application and press Ctrl + Shift + J on Windows/Linux or Cmd + Opt + J on Mac OS X. When the Inspector panel shows up, click the three-dots menu button on the right, click More Tools, then Network Conditions. Scroll to the User Agent section, deselect "Select automatically" and pick for instance "Internet Explorer 7" as shown below:


Did you get a page stating that your browser must be updated? No? Then your service provider is not delivering secure services, because it is supporting an old, unsupported browser. Repeat this process for all user agents to verify that your service provider is delivering secure services. If you are using a Language Service Provider (LSP) that fails this test, then they are not delivering secure translations to you.

As of today (2019-01-30) there are over 100 reported vulnerabilities affecting Internet Explorer. Previously, in 2018, there were over 2000 reported Internet Explorer vulnerabilities. Six years ago I started supporting only the latest version of any browser, including Internet Explorer, and in that post you can see several issues related to the security and cost of delivering software that supports insecure browsers.

There is a fundamental issue with Internet Explorer. Microsoft decided to embed it in the Windows Operating System, and that was a bad decision for two reasons: exploits are positioned to have a bigger impact on the affected system, and upgrading the browser usually means that the user must also upgrade the Operating System. Therefore I would say that if Microsoft really wants to promote the use of Internet Explorer as a secure browser, then they should separate it from the Operating System and upgrade it automatically as soon as a critical flaw is detected. Until then, I would say use one of the alternative browsers on the market. I personally recommend Chrome just because of the tremendous investment in security that Google has put behind that browser.

The ENISA Threat Landscape Report 2018 reveals how serious IE issues are:
The trend of web browser based (drive-by) exploit-kits is continuing. According to Malwarebytes spring and summer report, the majority of exploit kits were observed in Asia. This might be related to the continued use of Internet Explorer (Japan, South Korea) in this part of the world. Apart from known browser type exploit-kits, researchers observed an increase in drive-by downloads labelled as “pseudo exploit-kits”. These types of exploit-kits typically miss a solid infrastructure and often result from a single malicious software developer/actor copy and pasting from leaked or POC-type exploits.
In the topic of browser type exploits, Internet Explorer (CVE-2018-8174) and Flash (CVE-2018-4878) have been the most weaponised vulnerabilities for this type of web-based attacks.
Even Edge is problematic, and Microsoft has announced its intent to use the Chromium project for its browser. Hopefully they will completely remove the browser from the OS. Until then I personally suggest avoiding any browser supplied by default with Microsoft Windows. This will also make it cheaper to build web applications, as IE and Edge rendering issues will not need to be addressed.

This is the 7th post in my Secure Translation series, and this time I am discussing the threat related to old browser support.

As usual, let us use our simple yet effective quantitative risk management framework to analyze this threat.
  • Threat: Companies love to cast a wide net, so they tend to support any browser, even well-known compromised versions.
  • Asset: Web applications and all assets they handle.
  • Vulnerability: Users behind old browsers will be compromised, and these users are accessing company resources. Computers controlled by criminals can pentest these applications without being noticed, escalate privileges, access other users' data, and beyond.
  • Risk: The impact of supporting an old compromised browser is high, limited only by the number of vulnerabilities that a logged-in user can find. The likelihood of this happening is also high, because exploited machines usually carry plenty of malware that hackers can control remotely. Therefore the risk is high.
  • Safeguard: Do not grant access to your application from any browser with vulnerable versions. Force users to download non-embedded browsers like Chrome, which is without a doubt the safest browser on the planet at the time of this writing. Check browser support for absolutely all service providers, like your LSP's online Translation Management System (TMS). Reach out to them to make sure they update their applications. An LSP that allows access to any of its services from an insecure browser cannot provide secure translations. While it is OK to cast a wider net on your corporate website, be aware that marketing-related forms could be a target for criminals. What would be a serious mistake is to allow old browsers to interact with the service. As explained in this post, change your user agent and try your current LSP with it; if they support an old version of a given browser, be aware that they cannot provide secure translations.
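The server-side counterpart to the user-agent test at the top of this post and to the "do not grant access" safeguard above, added here as an example and not the post's code or any LSP's: a small WSGI gate that parses the User-Agent header, rejects every Internet Explorer, and rejects any other family below a minimum major version. The MIN_MAJOR policy, the sample agent strings and the 426 response are my assumptions.

```python
import re

# Constructed User-Agent strings, the kind Chrome's Network Conditions panel lets you send.
UA_IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
UA_IE11 = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
UA_EDGE = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
           "Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763")
UA_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/72.0.3626.81 Safari/537.36")
UA_OLD_CHROME = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
                 "Chrome/49.0.2623.112 Safari/537.36")
UA_FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0"

# Assumed policy (my choice, roughly the current majors in February 2019): every
# Internet Explorer is rejected outright; other families need at least this major version.
MIN_MAJOR = {"Chrome": 72, "Firefox": 65, "Edge": 18}

# Order matters: Edge's UA also contains "Chrome/", so it must be matched first.
_PATTERNS = [
    ("IE", re.compile(r"MSIE (\d+)")),
    ("IE", re.compile(r"Trident/.*rv:(\d+)")),
    ("Edge", re.compile(r"Edge/(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
]


def identify(ua: str):
    """Return (family, major version), or ('unknown', 0) when nothing matches."""
    for family, pat in _PATTERNS:
        m = pat.search(ua)
        if m:
            return family, int(m.group(1))
    return "unknown", 0


def gate(ua: str):
    """Return (allowed, reason). Unknown agents are rejected rather than waved through."""
    family, major = identify(ua)
    if family == "IE":
        return False, f"Internet Explorer {major} is not supported"
    if family == "unknown":
        return False, "unrecognised browser"
    if major < MIN_MAJOR[family]:
        return False, f"{family} {major} is below the minimum {MIN_MAJOR[family]}"
    return True, f"{family} {major} accepted"


def require_modern_browser(app):
    """WSGI middleware: rejected agents get 426 Upgrade Required and never reach the app.
    The header is client-controlled, so this stops accidental use of an old browser,
    not a deliberate spoof; it is a gate, not proof of a patched client."""
    def wrapper(environ, start_response):
        allowed, reason = gate(environ.get("HTTP_USER_AGENT", ""))
        if allowed:
            return app(environ, start_response)
        body = f"Your browser must be updated: {reason}\n".encode("utf-8")
        start_response("426 Upgrade Required",
                       [("Content-Type", "text/plain; charset=utf-8"),
                        ("Content-Length", str(len(body)))])
        return [body]
    return wrapper


def _hello(environ, start_response):
    """Stand-in for the protected application (e.g. a TMS front page)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"translation management system\n"]


if __name__ == "__main__":
    app = require_modern_browser(_hello)
    for ua in (UA_IE7, UA_IE11, UA_EDGE, UA_CHROME, UA_OLD_CHROME, UA_FIREFOX):
        status = []
        body = b"".join(app({"HTTP_USER_AGENT": ua}, lambda s, h: status.append(s)))
        print(status[0], "-", body.decode().strip())
```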


In the next post I analyze the risk related to lack of training and in particular lack of internal hacking drills that truly educate employees on cyber-defense practices.

You can follow the "Secure Language Translations" series in this blog, on LinkedIn, Twitter or Google+. My objective is to educate executives and managers but also to help engineers in reducing organizational risk through sound security measures.

Monday, January 28, 2019

Secure Translations - Privacy reminder on EU Data Protection Day - Part 6 of Many

Today is European Union Data Protection Day, and while there are a lot of GDPR-related myths, there are definitely good reasons to be alarmed about privacy breaches, which apply for now only to European citizens and therefore to any international company dealing with them.

This is the 6th post in my Secure Translation series, and this time I am discussing privacy breach related threats.

As usual, let us use our simple yet effective quantitative risk management framework to analyze this threat.
  • Threat: Privacy breach.
  • Asset: Any service where customer contacts, vendor information or staff information is stored.
  • Vulnerability: Storing more user information than what is actually needed and/or for purposes not agreed by the user.
  • Risk: The impact of keeping personal information for longer than needed, or for purposes not agreed by the user, is high for a business from both a monetary and a reputation perspective. The likelihood of such a breach increases with misunderstanding of what GDPR means for corporations. Therefore the risk can be medium or high depending on how truly ready the company is when it comes to GDPR compliance. Some examples shared by the European Commission are: outbound marketing like telemarketing and promotional emails that accidentally disclose personally identifiable information (PII); not reporting an accidental disclosure to the National Data Protection Authority (DPA) within 72 hours; failing to secure user data (one or more European Data Protection Authorities, or the European Data Protection Board itself, will investigate your processes in depth); and lack of user consent for processes the users did not agree to participate in.
  • Safeguard: Use a security plan that adopts an existing well-known framework like NIST, or a combination of multiple frameworks. Make sure all your service providers, including Language Service Providers (LSP), have a SOC 2 Type II report (only a Type II report matters here; do not settle for less). Avoid storing any sensitive information in marketing-related platforms by segmenting by IDs rather than actual PII. Apply data minimization up front.
In the next post I analyze the risk related to supporting old browsers.

You can follow the "Secure Language Translations" series in this blog, on LinkedIn, Twitter or Google+. My objective is to educate executives and managers but also to help engineers in reducing organizational risk through sound security measures.
