Blog

The latest in Dark Rhino Security news

Why Video Games Are The New Golf

Millennials grew up during the stock market crash of 2008. While we were young, our parents were focused on cutting costs and trying to scrape together money for retirement. Nobody’s parents had money to take them out to the golf course, let alone get lessons. It was far cheaper — and easier on our parents — for us to play video games.

As a result, we grew up in a video game culture. Most millennials who are adults today grew up playing video games like Halo, Call of Duty, and Battlefield. Video games are so common in our age cohort that they are the kind of thing you can strike up a conversation with a stranger over, much like football or the weather.

We didn’t leave our love of video games in the past, either. Platforms like Twitch and YouTube allow us not only to play video games, but to watch the pros show us how it’s done. Video games are not just a hobby, but an entire sports industry.

As millennials get older, more and more of us are holding influential roles inside companies. According to the Pew Research Center, the oldest millennials were born in 1981, making the oldest millennials 38 years old. In our youth-obsessed culture, that’s more than old enough to hold powerful executive positions. There are millennials in Congress and on boards of directors.

And almost every one of those millennials grew up playing video games.

The Advantages of Video Games

It’s easier to play video games. You don’t have to get dressed up, pack a bunch of large golf clubs into the car, and drive to a physical location — all you have to do is turn on your console and sign on. This makes it easier to arrange short-notice or impromptu sessions.

Video games are more relaxed. Most people take golf pretty seriously, whereas they consider video games relaxed and lighthearted. Instead of focusing on competing, people laugh and have fun. That relaxed atmosphere makes people — customers, partners, and vendors — feel more comfortable talking about their needs without politicking.

Video games can be played together remotely. To play golf, you and your contact need to be in the same place at the same time. On the other hand, all video games require is an internet connection. This allows you to maintain hot connections with people all over the world.

It’s not that video games are “better” than golf. At the end of the day, both are simply different ways of getting in touch with business contacts. But as more and more millennials take positions of power, video games are likely to take center stage as a way of connecting with clients. In fact, this is already starting to happen, says millennial sales engineer Mitch:

“I was consulting at a client site and one of the things that we brought up during our lunch break was how great the new modern warfare game is to play. We talked about some of our favorite game modes and then decided to add each other once the engagement ended. Ever since, we’ve been playing together fairly frequently and discussing just some of the other problems that he’s facing internally.

Another time, myself and a partner bonded over our shared love of Fortnite. We added each other on that game as well, and have discussed everything from how to go after certain accounts together strategically to what has and hasn’t worked with his technology during his sales cycles.”

And it isn’t just millennials playing video games. As video games become more popular, familiarity with them is becoming more common. Even Gen X-ers and Baby Boomers know about video games — even if your contact is older, odds are they have children of their own, children who are growing up playing video games today.

As the business landscape changes, don’t be afraid to strike up conversations about video games. You never know which impromptu gaming sessions may lead to business breakthroughs.

Your Company Needs A Risk-Aware Culture

Cybersecurity can look dauntingly technical at first. You need a SIEM solution, an IAM solution, a DLP solution, and so forth — but the most important part of a cybersecurity strategy isn’t technical. In fact, it doesn’t even involve a computer. The most important part of a cybersecurity strategy is having a risk-aware culture.

If a company has a risk-aware culture, every employee — from the CEO to the store associates — is aware of basic principles of cybersecurity like never sharing your password, never authenticating for other people, and never sending files over email (especially to external addresses). Companies with risk-aware cultures consider cybersecurity to be the responsibility of the entire organization, not just the responsibility of some cyber guys shoved in the corner.

Most companies, however, don’t have risk-aware cultures. Their employees sign in for each other and even share passwords. They conduct business by passing files back and forth over email. When IT imposes new cybersecurity rules, employees conspire to find shortcuts around them. And when management says it’s time for the annual cybersecurity training, everyone groans.

What A Risk-Aware Culture Looks Like

Building a risk-aware culture is a matter of educating your employees about the following kinds of threats:

Phishing

One of the most common kinds of cybersecurity threat is the phishing email. Phishing emails are attempts by hackers to trick people into submitting their credentials to fake websites created by the hacker, so the hacker can use those credentials on the real company website to steal information or inject malicious code.

The best defense against phishing is simply to educate employees as to what phishing attempts look like. It is much easier for a human to identify a phishing attempt than for a computer to identify one, so a great deal of money and effort is saved by educating employees as to what they look like.

Using Proper Authentication

An organization with good cybersecurity uses an Identity and Access Management (IAM) solution that provides Single Sign-On (SSO). What this means is that employees are able to access every software platform they need to do their job with one login.

However, sometimes employees don’t use their IAM. Sometimes they make logins from their work email on websites on their own, or they use third-party login systems to access software. These openings create security vulnerabilities for the whole organization.

The best defense against this vulnerability is to educate employees about the importance of using the company IAM.

Physical Security

In a world obsessed with the cloud, it’s easy to forget about physical infrastructure — but physical infrastructure is critical to cybersecurity.

Thieves often take advantage of people’s oversight. For instance, to gain access to a system, some hackers pretend to be employees who have forgotten their ID card. They ask real employees to “please let them in so they don’t have to drive home and get their card.” If the real employees haven’t been educated to decline requests like these, the infiltrator’s gambit may work.

Another important aspect of physical security is device management. Laptops, tablets and phones used for company business can be stolen and used as an access point through which malicious code can be injected. Because of this, employees must keep careful track of their devices, and alert IT staff as soon as anything is missing or stolen.

The best defense against physical vulnerability is — again — employee education. If every company employee knows not to let people in without their scan cards and to always report missing equipment, many cybersecurity threats can be neutralized before they cause any damage.

How To Build A Risk-Aware Culture

There is a wide variety of different kinds of cybersecurity training available. If you have a cybersecurity partner, either an MSSP or a vendor, they likely have their own training available for your company’s employees. If you do cybersecurity in-house, your cybersecurity personnel likely know of training they feel comfortable recommending to the rest of your organization.

What Is The Difference Between A Blue Ocean And A Red Ocean Company?

When it comes to competition, not every company has the same amount. Some companies compete in what are called red ocean spaces — so called because the oceans are red with blood. Competitors attack each other in order to feed on a limited number of customers.

On the other hand, there are companies who compete in blue ocean spaces. A company that operates in a blue ocean space is a company that has plenty of customers to sell to and little competition which they must beat to do so.

Obviously, everyone wants to compete in a blue ocean space. The reason most companies don’t do so, however, is that moving to a blue ocean requires a whole new way of thinking about your business. Most businesses think in terms of incremental value addition — shaving a few bucks off the price here, adding a feature there, redesigning their product every few years. This kind of thinking keeps businesses in red oceans. Blue oceans require a whole new way of thinking about your product; they require a business to think outside the box, creating products to fill needs customers are not even aware they have.

“Value innovation is the cornerstone of blue ocean strategy. We call it value innovation because instead of focusing on beating the competition, you focus on making the competition irrelevant by creating a leap in value for buyers and your company, thereby opening up new and uncontested market space.”
―W. Chan Kim, Blue Ocean Strategy, Expanded Edition: How to Create Uncontested Market Space and Make the Competition Irrelevant

When talking about blue ocean strategy, it’s best not to think in terms of companies, but in terms of products. And the best example of a blue ocean product is Apple’s iPhone.

At the time, most of Apple’s products were red ocean products. They sold desktops, laptops and computer accessories that competed with major companies like HP, Dell, and Lenovo. While they were doing well in these markets, they were fighting viciously for each percentage point of dominance in the market.

The iPhone, however, was blue ocean. When the iPhone was released, it had no competitors. Anyone who wanted one of the new “smartphones” had to buy an iPhone. The newly created “smartphone” market exploded to a billion-dollar-plus market within just a few years, with the iPhone capturing the lion’s share of it.

Another great example of a blue ocean product is the Cirque du Soleil, highlighted in the book Blue Ocean Strategy.

Cirque du Soleil took the world by storm. It created a blue ocean of new market space. Its blue ocean strategic move challenged the conventions of the circus industry. Cirque’s productions have been seen by more than 150 million spectators in more than 300 cities around the world. In less than twenty years since its creation, Cirque du Soleil achieved a level of revenues that took Ringling Bros. and Barnum & Bailey — the once global champion of the circus industry — more than one hundred years to attain.

What makes this rapid growth all the more remarkable is that it was not achieved in a declining industry in which traditional strategic analysis pointed to limited potential for growth. Supplier power on the part of star performers was strong. So was buyer power. Alternative forms of entertainment — ranging from various kinds of urban live entertainment to sporting events to home entertainment — cast an increasingly long shadow. Children cried out for video games rather than a visit to the travelling circus. Partially as a result, the industry was suffering from steadily decreasing audiences and, in turn, declining revenue and profits. There was also increasing sentiment against the use of animals in circuses by animal rights groups. Ringling Bros. and Barnum & Bailey set the standard, and competing smaller circuses essentially followed with scaled-down versions. From the perspective of competition-based strategy, the circus industry appeared unattractive.

Another compelling aspect of Cirque du Soleil’s success is that it did not win by taking customers from the already shrinking circus industry, which historically catered to children. Instead it created uncontested market space that made the competition irrelevant. It appealed to a whole new group of customers: adults and corporate clients prepared to pay a price several times as great as traditional circuses for an unprecedented entertainment experience. Significantly, one of the first Cirque productions was titled “We Reinvent the Circus.”

Cirque du Soleil succeeded because it realized that to win in the future, companies must stop competing in red oceans. Instead they should create blue oceans of uncontested market space and make the competition irrelevant.

— Blue Ocean Strategy Cirque du Soleil Case Study

If you run a company that is struggling and want to leap forward in your performance, research what it would take to pivot your products to a blue ocean strategy.

From the book Blue Ocean Strategy by W. Chan Kim and Renée Mauborgne

3 Ways To Keep Your Data Secure

Avoid using social media messaging services

When you’re using a messaging service provided by a social media company, there is no such thing as privacy. That social media company can see everything you message. So, if you’re using Facebook Messenger, or WhatsApp, or Instagram, Facebook can see everything you message. If you’re using DMs on Twitter, Twitter can see everything you say.

Emails and regular texts, on the other hand, are protected by privacy laws, meaning that a private company can’t root around them at will. If you’ve got something to say to someone, you’re better off emailing or texting.

Generate & store your passwords securely

Good password security has two components:

  1. Generating unique passwords for every login you have
  2. Storing those passwords somewhere they won’t get stolen

The first part, generating unique passwords for every login, is critical. The websites you log in to sometimes get hacked, and those stolen passwords are sold on the black market and used to break into your other accounts. If you have the same password for every internet account, you are just one hack away from being completely vulnerable.

Want to know if your passwords have already been hacked? Check for free on haveibeenpwned.com

The second part, storing those passwords, is equally important. It doesn’t matter how unique and secure your passwords are if your list of passwords can be easily stolen. And unfortunately the ways most people store their passwords, such as making a list in their notes app or writing them down in a notebook, are notoriously insecure.

In order to store your passwords properly, you want to use a password vault. Most major browsers come with their own password vault, but we recommend LastPass or 1Password.

Store your data on the cloud

Data loss doesn’t just come from hackers; data loss can come from natural disasters. If your data is stored locally on your laptop or on an external drive, flooding or a fire can wipe out your personal data just as quickly as a hacker can. Data that’s stored on the cloud, on the other hand, is impervious to these natural disasters.

Most major hardware providers have their own cloud storage solution. Google offers Google Drive, Apple offers iCloud Drive, and Microsoft offers OneDrive. There are also third-party solutions available, such as Dropbox or the encrypted alternative Sync.com. The best part is that most of these solutions are free — meaning there’s no excuse for you not to use them.

4 Common Misconceptions About CCPA Compliance

Correcting these misconceptions could save you thousands in fees

1. “We will be compliant once we update our privacy policies.”

A published privacy policy is great marketing for a company. It communicates to customers that you care about their privacy and security.

That being said, merely having a privacy policy is not enough. For a privacy policy to matter, you need to ensure that…

  1. The company privacy policy is up to date with what leadership wants. Many companies take a “set it and forget it” approach to their privacy policy. Having an out-of-date privacy policy published means customers are being scared away by privacy policies that do not take the current security climate into account. Having an out-of-date privacy policy published also means employees are not clear on the privacy target at which they should be aiming.
  2. The company privacy policy is actually being followed. In many companies, privacy policies are often ignored in favor of convenient employee workarounds (e.g., carrying flash drives of customer information around the office). These workarounds may be convenient for employees, but they expose customer information to a lot of abuse, and the CCPA was written with this in mind.

2. “CCPA is IT’s problem.”

While technology is vital to CCPA compliance, it is not the only component of CCPA compliance. As mentioned above, many employees create workarounds for their personal workflows that compromise customer information. These workflows are not an IT problem; they are an Operations problem, and so plugging these holes requires participation from Operations. Many customers also contact companies through their helpdesk and social media and provide personal information through these channels; CCPA requires that companies have processes in place to delete these sources of customer information as well. All of the holes in your company must be plugged in order to be CCPA compliant.

3. “We are already adding an Opt Out button on our privacy page.”

There are two misconceptions at play here. The first is that an opt-out button on the privacy page is adequate. It is not. The opt-out button must be on the home page for CCPA compliance. The second is the efficacy of the opt-out button:

  • Does the act of “opting out” trigger information removal from multiple systems?
  • Does it communicate this request to 3rd party affiliates?
  • Does this produce a report about what steps were taken to remove the information & send it back to the requesting party?

To be compliant with CCPA, the opt-out button on your home page must do all these things.

4. “We did this all for GDPR two years ago, so we are good!”

While GDPR and CCPA were both passed for similar political reasons and have many similar requirements, they are not the same. Relying on your GDPR compliance for your CCPA compliance will most likely result in your company not being CCPA compliant at all.

DLA Piper deep dives into the differences:

In some respects, however, the CCPA does not go as far as GDPR. Most crucially, the CCPA does not require businesses to have a “legal basis” (a justification set forth in GDPR) for collection and use of personal information. The CCPA also does not restrict the transfer of personal information outside the US, or require that businesses appoint a data protection officer and conduct impact assessments. In addition, California residents’ right to access personal information is limited to data collected in the past 12 months. CCPA also places fewer obligations on service providers.

In other respects, the CCPA differs or goes beyond the scope of GDPR:

  • The CCPA’s definition of personal information specifically includes household information.
  • While both the CCPA and GDPR require detailed privacy notices, the required content of those notices differs. A privacy policy that meets the requirements of the GDPR will likely not satisfy the CCPA’s requirements.
  • Under GDPR, a business does not necessarily need the individual’s consent to collect and use data, in which case the individual does not have a general opt-out right. But CCPA grants individuals an absolute right to opt out of the sale of their personal information and obligates businesses to add a “Do Not Sell My Personal Information” link on websites and mobile apps.
  • Although both the CCPA and GDPR prescribe provisions that must be included in contracts with service providers, the requirements differ, and GDPR data processing agreements will likely not meet CCPA requirements.
  • Finally, the GDPR and CCPA take different approaches to children’s privacy rights. GDPR requires that parents provide consent for the processing of their children’s personal information in an online environment — but only where the legal basis for processing is consent. Children are defined as under 16, although member states can lower the age to 13. The CCPA, in contrast, addresses the sale of children’s information — not all processing — and requires that businesses first obtain opt-in consent. Parents must provide consent for kids under 13; teens 13–15 can provide their own consent.

How To Configure Okta’s Flexible Security Policies For Your Environment

One of the nice things about working with Okta’s SSO platform is that even though they aren’t a tried and true security company, they have built a lot of security tools into their product. When leveraged correctly, these tools really help lock down employee access to enterprise applications and give the security folks at your company helpful insight into how employees access governed cloud services.

No matter how powerful the software, though, if it is configured incorrectly, it poses a security risk. The most secure system is one implemented by a competent system administrator.

This guide will explain the different security policies in Okta — and, hopefully, help you become competent with Okta yourself.

Sign On Policies

Okta allows admins to configure sign-on policies at two different points during the user experience. The first is initial sign-on to Okta, when a user tries to log in to Okta directly from the https://yourdomain.okta.com URL, and the second is when they try to access an SSO application from their Okta end-user dashboard.

This means you have two places you could configure your MFA policies: at the front door, or prior to accessing specific applications. (I don’t recommend configuring your policies in both places, or doubling up, because there is nothing end users hate more.)

Let’s look at two scenarios and investigate how these different approaches might fit into your environment.

Scenario 1:

Company A

  • 500 Users
  • 2 Office locations with 200 employees apiece
  • 100 remote users (contractors & sales)
  • 5 mission critical applications in Okta, nothing else.

Info:
Company A has been configured by admins to only allow SSO into 5 big-ticket applications: O365, Salesforce, Box, Tableau & AWS. All of these applications contain very sensitive information pertinent to the day-to-day operations of Company A, as well as a lot of valuable IP.

How would you configure security policies for Company A?
There are a few ways you could approach this, but I’ll explain the approach that is the simplest while still being secure.

First, I would whitelist the external IPs of the users inside Company A’s offices who will be accessing Okta. This allows users coming from these IPs to skip being challenged by Okta when they are operating from inside the office. Some people would contest that this is not secure, but unless the company has compliance requirements they need to meet (like MFA for all content-sharing apps), I generally try to leave the Okta user experience as simple and straightforward as possible.

This is especially helpful when introducing Okta to them for the first time. If users see Okta as a convenience, rather than a hindrance, Okta projects run much more smoothly.

The only other policy you would need to configure is the front-door policy for remote users. You can configure this under the “Security” > “Authentication” tab, and then under the “Sign-on” sub-tab. A front-door policy is the best policy here because configuring 5 separate policies for each app creates unnecessary overhead on the part of the user.

Lastly, I would configure a session timeout. This means that if someone’s laptop were to get stolen, company information would still be secure.
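The Scenario 1 layout expressed as sign-on policy rules, plus a small checker for the three decisions above (office zone skips MFA, everyone else gets MFA at the front door, sessions time out). This is an added example, not the author’s or Okta’s code; the rule dictionaries follow the field names of Okta’s Sign-On Policy Rule API as I understand them (an assumption), and the zone id, CIDR and timeouts are constructed values.

```python
"""Constructed Okta-style sign-on policy rules for Scenario 1 and a checker
that flags the configuration mistakes the guide warns about."""

# Constructed network-zone id; in a real tenant this is the id returned when
# the office IP zone is created under Security > Networks.
OFFICE_ZONE_ID = "nzo_office_example"

# Scenario 1: in-office IPs skip MFA, all other users get MFA at the front door,
# and every session idles out so a stolen laptop cannot ride an old session.
SCENARIO_1_RULES = [
    {
        "name": "Office networks - no MFA",
        "conditions": {"network": {"connection": "ZONE", "include": [OFFICE_ZONE_ID]}},
        "actions": {"signon": {
            "access": "ALLOW",
            "requireFactor": False,
            "session": {"maxSessionIdleMinutes": 120,
                        "maxSessionLifetimeMinutes": 720,
                        "usePersistentCookie": False},
        }},
    },
    {
        "name": "Remote users - MFA at the front door",
        "conditions": {"network": {"connection": "ANYWHERE"}},
        "actions": {"signon": {
            "access": "ALLOW",
            "requireFactor": True,
            "factorPromptMode": "SESSION",
            "session": {"maxSessionIdleMinutes": 120,
                        "maxSessionLifetimeMinutes": 720,
                        "usePersistentCookie": False},
        }},
    },
]


def check_rules(rules, max_idle_minutes=240):
    """Return a list of findings; an empty list means the rules match the guide."""
    findings = []
    off_network_has_mfa = False
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        net = rule.get("conditions", {}).get("network", {})
        signon = rule.get("actions", {}).get("signon", {})
        session = signon.get("session", {})
        if signon.get("access") != "ALLOW":
            continue  # DENY rules never grant a session, nothing to check
        connection = net.get("connection")
        requires_mfa = bool(signon.get("requireFactor"))
        if connection == "ANYWHERE" or (connection == "ZONE" and net.get("exclude")):
            # This rule covers users outside any named zone (the remote users).
            if requires_mfa:
                off_network_has_mfa = True
            else:
                findings.append(f"{name}: off-network sign-in allowed without MFA")
        elif connection == "ZONE" and not requires_mfa and not net.get("include"):
            findings.append(f"{name}: MFA skipped but no trusted zone is listed")
        idle = session.get("maxSessionIdleMinutes")
        if not idle or idle > max_idle_minutes:
            findings.append(f"{name}: idle timeout missing or above {max_idle_minutes} min")
        if session.get("usePersistentCookie"):
            findings.append(f"{name}: persistent cookie keeps the session after browser close")
    if not off_network_has_mfa:
        findings.append("no rule requires MFA for users outside the office zone")
    return findings


if __name__ == "__main__":
    for finding in check_rules(SCENARIO_1_RULES) or ["Scenario 1 rules look good"]:
        print(finding)
```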

Scenario 2:

Company B

  • 50 Users, 1 office
  • Startup company with a highly mobile workforce. Over half of the employees are remote
  • 2 Apps, Github & Dropbox
  • User self-service is active

Info:
Company B has been using Okta since its inception. Its employees use Okta to access Company B’s Github and Dropbox environments via SAML, but they also use Okta as a store for whichever apps they see fit thanks to user self-service. In addition to Github and Dropbox, they have added personal accounts for various websites and disparate email services to their end-user dashboards as well.

How would you configure security policies for Company B?
Since Company B is a startup and has yet to lock down which applications its employees use for official business purposes (outside of Github and Dropbox), I would recommend configuring MFA only for Dropbox and Github. These are the only applications which need to be secured from a company perspective, so it is more convenient to leave the sign-in to Okta free from MFA.

The central issue in this scenario is not really Okta security policies, but company policies themselves. Startups often use many different applications, most of which do not support sophisticated integration with Okta. Until Company B decides which services to officially support, they should just focus on putting MFA on their business critical applications and leave the rest untouched.

If you as an admin are concerned about MFA on users’ personal accounts, a better way of enforcing it is setting it up app-side. Applications like Twitter and Facebook have their own MFA. If you know your users heavily use the self-service features of Okta, a company-wide email about setting up MFA individually in these applications is a smarter move, because I know from experience that if you don’t have these applications configured with SAML and you put an MFA policy on them, end users will just navigate to the site’s regular login in order to bypass MFA.

In Conclusion

That’s it for now. Configuring security policies in Okta can only hold my attention for so long, and I’m sure any readers feel similarly. Thanks and stay tuned for more.
