2014: The Internet of Things

Fridges, Air Conditioners, Home Security Cameras – Oh My!  The media has latched onto the fact that most of the things in our houses can connect to the Internet, and therefore can be compromised by hackers and other nefarious beings.

Talk about managing by FUD (Fear, Uncertainty, Doubt).  There is enough of it floating around to keep everyone feeling like a character from “1984”.

The likelihood that a student or teacher at OSU will be hacked via their Fridge is pretty low.  You’re more likely to need to worry about the traditional garage thief than the garage fridge.

Just like healthcare, taking a few preventative steps can go a long way to improving your Security health:

1. Passwords.  Yes, passwords.  Old news, but still very relevant.  Keep different ones for different accounts, make them relatively hard to guess, and change them frequently.  If you don’t want to do this with ALL your accounts, at LEAST do this for your financial and health-related accounts.

2.  Keep software up-to-date:  Whether it’s your iPhone or your Thermostat, if the vendor gives you a security update, take it.

3.  Physical Security:  Know where the stuff you care about is, who can get to it, and what they do with it.  Don’t leave your phones (or your toasters) lying around if you care when they go missing.

4.  When you’re not using something, shut it off.

Basic information security hygiene, guaranteed to help you lose a few pounds and lower your cholesterol.

Happy New Year!

Holiday Hacking and Other Fireside Reflections

So, it’s December already.  Six months, or so, as the OSU Chief Information Security Officer, and it’s likely the fastest 6 months of my career.

Information Security in Higher Ed is really, well, weird.  On the one hand we have a bunch of data that we all agree we should care about protecting – financial data, medical stuff, student records.  On the other hand, a public, land grant, research institution which prides itself on a comprehensive data, and more importantly KNOWLEDGE, sharing policy.  Throw in some ambiguity about who OWNS the data (The researcher?  The student?  The public partner?  The University?), and it’s enough to send an Information Security professional running for the hills.

While working through this learning curve, the outside world hasn’t stopped either.  As a Target customer, I was one of 40 million customers potentially impacted by their breach.  Edward Snowden is one of Time’s People of the Year, and don’t get me started on the hackability of thumb prints, encryption keys and cars.  Yes, cars.

So where to start?  Well, actually, we’ve already started, years ago.  We have done a lot to implement technologies that will help us identify and respond to threats, protect some strategic systems, and yes, monitor some stuff.  But this will only take us so far.  We need to go to where the knowledge is, and at OSU, that means full engagement with our teachers, researchers, students and staff.  It requires everyone to know what information they care about, and where they keep it.  It requires the security team to work to enable KNOWLEDGE sharing – intentionally, securely – not to inhibit it.

The good news is, OSU is full of creative, collaborative people, who understand that a strong information security program is a foundational support to OSU’s mission.  Even the most regulated of private industries can’t make that claim.  So, as I sit here and watch the fire and celebrate the season, I also look forward to the New Year.  Because, while there is a lot yet to be done, it’s going to be FUN.