RSA 2013: FBI offers lessons learned on insider threat detection

SAN FRANCISCO -- Organizations with insider threat programs spend a considerable amount of time worrying about hacking techniques and malicious code, but FBI experts told RSA Conference 2013 attendees that insider threats are not usually hackers.


According to counterintelligence presented by the Federal Bureau of Investigation's Insider Threat Program last week, employees, former employees or contractors -- those who joined the organization with no intent of wrongdoing -- pose the biggest threat.

These findings, which are based on 20 years of espionage case investigations, indicate that contrary to popular belief, when it comes to data loss and spying, the real-world insider threat is not a stereotypical hacker who covertly siphons off sensitive information on internal systems and networks.

Authorized users with a level of organizational trust, who are doing legitimate activities with malicious intent, pose the biggest threat, according to Patrick Reidy, the FBI's chief information security officer heading up the Insider Threat Program. The program was created in the aftermath of the Robert Hanssen debacle, the 2001 incident in which an American FBI agent was caught selling information and other goods to the Russians after 22 years of espionage.

Since WikiLeaks started releasing classified information, Reidy said, discussions about insider threats have intensified. How can security professionals root out potential insider threats before their organization faces fraud or a catastrophic loss of intellectual property and sensitive data?

Educate 'accidental' insiders

First, Reidy said to make sure that best practices surrounding firewalls, antivirus software, policies and other system controls are followed. About a quarter of the incidents that the FBI tracks on an annual basis stem from what Reidy called "knucklehead" problems: unintentional acts in which employees compromise systems by not following procedures, losing equipment and sensitive data, clicking on spam, inappropriate emails or Web links, or mishandling passwords and accounts.

Reidy said the FBI spends about 35% of its response time on these types of incidents. Focusing on education can help minimize these problems; he said these incidents have dropped 7% at the FBI in the past year.

Insider threats are not numerous, according to Reidy, but in terms of damages they are the most costly. Of more than 1,900 incidents reported during a 10-year period, Reidy said about 19% were malicious insider threats. Based on information from multiple, "open source" data breach reports and data loss surveys, the average cost per incident is $412 thousand, and the average loss per industry is $15 million. In several instances, damages reached more than $1 billion.

Data from cases prosecuted from 1996 to 2012, under the Industrial Espionage Act (IEA) Title 18 U.S.C., Section 1831, which requires proof of links to a foreign government, indicated an average loss of $472 million (damages claimed in court). China was involved in 71% of the cases; 29% targeted other countries.

"I believe that organizations who have good insider threat and data protection programs will be around in 10 years," said Reidy, "and those that don't -- won't."

Reidy said it's important to identify patterns along an insider threat continuum using diagnostic analysis. The FBI found that the predictive analysis it had used for years was not effective. Insiders who become threats do not behave like their peers, and many reach an identifiable tipping point, according to Reidy.

Use a multi-disciplinary approach

A good insider threat program requires more than policy compliance and cybersecurity. "It's not a technical problem," said Kate Randal, an insider threat analyst with the FBI, whose research indicated that in 90% of cases the problem cannot be detected by looking for malware. "It's a people-centric problem," she said, "and people are multi-dimensional, so what you have to do is take a multi-disciplinary approach."

The goal of a good program is to deter, detect and disrupt insider threats, Randal said. Program implementers need to identify personnel and classified information in addition to cybersecurity.

"It's important to focus on identifying your enemies, your people and your data," Randal said. That process includes asking questions like, "Who would be interested in your organization, and whom within the company would they target?" Randal said the FBI looks at a combination of cyber, contextual (i.e., financial status, travel, reports) and psychosocial information. In the enterprise, Randal said, security professionals should work with their legal departments to determine the types of information that they can legitimately collect.

According to Randal, it's critical to understand the company's assets and to identify "the crown jewels of the organization." A good place to start, she said, is to list the worst-case scenarios -- both assets and individuals -- that could really cause damage to the company. Another good question to ask, Randal recommended, is, "What are the top-five systems with sensitive data?" From there, track the user data, logs and documents on these systems. Internal FBI security logs showed that more than 80% of data movement was done by less than 2% of the workforce.

Good insider threat programs should focus mainly on deterrence, not detection, Reidy said, because by then it is often too late. The FBI decided that it couldn't possibly identify every potential insider threat. Instead, it opted to use multiple tactics to deter insider threats.

One method involved creating an environment that discouraged insider threats by "crowdsourcing" security; another is based on interacting with users. Educated users are given the tools and capabilities to encrypt their own data and to come up with their own ways to protect and classify it, which differs from the centralized policies that many organizations adopt. In this way the responsibility for information security is transferred to users, using positive social engineering to heighten awareness.

"The whole idea is creating rumble strips in the road," said Reidy, with one example being a warning screen whenever a user tries to download sensitive files onto a USB device. This, he said, lets users know, "Hey, we are watching you," and makes them answer the question, "Do you really want to do this?"

Reidy said such an effort may result in internal pushback from people who do not think the rank-and-file are capable of handling this level of responsibility. That scenario played out at the FBI, but for Reidy, it wasn't valid.

"At the bureau we have 14,000 people that come to work every day with firearms," Reidy said, "and you're telling me that they can't learn how to use a USB?"

Detection of insider threats should use data mining and behavioral-based techniques, Reidy said. Focus on diagnostic analytics and observable red flags, he said, such as changes in behavior. According to FBI research, psychosocial risk factors can range from disgruntled workers and people with high stress levels (those dealing with a divorce or financial problems), to vulnerable individuals and egotists.

Initial steps, Reidy said, may be as simple as sharing information with human resources. He recommended trying to notice, for example, if someone is printing a high volume of documents after hours on a Friday and is then fired on Monday. Base detection on users' baseline computer behavior (volume, frequency and patterns) and use strategies to lure threats out.

"Finding a needle in a haystack is simple; finding a needle in a stack of needles is hard -- everyone is the same or acting the same way," Reidy said.
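The baseline-and-deviation screening Reidy describes (volume, frequency and patterns per user, with after-hours activity as a red flag, and the observation that a tiny share of users moves most data) can be sketched as follows. This is an added illustration, not FBI code; the log format, the user names and the activity figures are all constructed, and the z-score threshold and business-hours window are assumed values.

```python
"""Per-user baseline screening over a constructed activity log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one event per line: "<ISO timestamp> <user> <action> <units>".
# Units are pages for PRINT and megabytes for USB_COPY. Not real data.
SAMPLE_LOG = """\
2013-02-04T10:12:00 alice PRINT 12
2013-02-05T11:30:00 alice PRINT 9
2013-02-06T09:05:00 alice PRINT 15
2013-02-07T16:20:00 alice PRINT 11
2013-02-08T13:45:00 alice PRINT 13
2013-02-04T14:00:00 bob PRINT 20
2013-02-06T14:00:00 bob PRINT 20
2013-02-08T14:00:00 bob PRINT 20
2013-02-05T10:00:00 carol USB_COPY 100
2013-02-07T10:00:00 carol USB_COPY 120
2013-02-08T10:00:00 carol USB_COPY 80
2013-02-06T11:00:00 dave PRINT 5
2013-02-19T10:00:00 alice PRINT 14
2013-02-20T14:00:00 bob PRINT 21
2013-02-20T14:30:00 carol USB_COPY 110
2013-02-22T21:40:00 alice PRINT 480
2013-02-22T22:05:00 alice USB_COPY 1500
"""

# Events before this date form the baseline; later events are screened against it.
BASELINE_CUTOFF = datetime(2013, 2, 18)


def parse_log(text):
    """Return a list of (timestamp, user, action, units) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, units = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(units)))
    return events


def is_after_hours(ts, start_hour=8, end_hour=18):
    """Weekend, or outside the assumed 08:00-18:00 business window."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def build_baselines(events, cutoff=BASELINE_CUTOFF):
    """Mean and population stdev of units per (user, action) from pre-cutoff events."""
    samples = defaultdict(list)
    for ts, user, action, units in events:
        if ts < cutoff:
            samples[(user, action)].append(units)
    return {key: (mean(vals), pstdev(vals)) for key, vals in samples.items()}


def screen_events(events, baselines, cutoff=BASELINE_CUTOFF, z_threshold=3.0):
    """Flag post-cutoff events whose volume deviates from the user's own baseline,
    or for which the user has no baseline at all; after-hours raises severity."""
    flagged = []
    for ts, user, action, units in events:
        if ts < cutoff:
            continue
        base = baselines.get((user, action))
        if base is None:
            reason = "no baseline for this user/action"
        else:
            mu, sigma = base
            sigma = max(sigma, 1.0)  # floor so a perfectly flat history does not flag every +1
            z = (units - mu) / sigma
            if z < z_threshold:
                continue
            reason = f"volume z-score {z:.1f} against baseline mean {mu:.1f}"
        after_hours = is_after_hours(ts)
        flagged.append({
            "user": user, "action": action, "units": units, "when": ts.isoformat(),
            "after_hours": after_hours, "severity": "high" if after_hours else "medium",
            "reason": reason,
        })
    return flagged


def top_user_share(events, top_n=1):
    """Fraction of all moved units attributable to the top_n most active users."""
    per_user = defaultdict(int)
    for _, user, _, units in events:
        per_user[user] += units
    total = sum(per_user.values())
    if total == 0:
        return 0.0
    return sum(sorted(per_user.values(), reverse=True)[:top_n]) / total


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for hit in screen_events(evts, build_baselines(evts)):
        print(hit)
    print(f"top user moved {top_user_share(evts):.1%} of all units")
```

On the constructed data only the Friday-evening print run and the USB copy with no prior history are flagged; the routine Wednesday print of 21 pages against a flat baseline of 20 is not.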

The science of insider threat detection and deterrence is nascent, according to Randal. The CERT Insider Threat Center at Carnegie Mellon University does threat modeling by industry as part of its Management and Education of the Risk of Insider Threat (MERIT) program. Cyber Insider Threat (CINDER) at DARPA is also doing work in this area and can serve as a valuable resource. Security professionals can use this research to implement or improve their insider threat programs, she said, and aid researchers by providing data on insider threat incidents.




New Groupon Analytic Features Available To All Users

Groupon has launched a new tool allowing merchants to track and analyze the performance of their daily deals, adding to their previous suite of merchant features. The new tool is called the Merchant Impact Report, and it allows you to see who’s buying your daily deal, what they think about your products or services, and calculates profitability.

Let’s take a closer look at the new Groupon analytic features.

Marketing Analytics

You can see the number of emails that have been sent out to Groupon subscribers advertising your deal right next to the number of people who have purchased the deal. See how many of those potential eyeballs have converted to real sales. You can also see your customers broken down by gender, age, and location on a map.

Customer Insights

A pie chart shows you the percentage of deal-buyers new to your business along with customers that have been enticed back to your business as a result of the daily deal. There’s customer feedback, plus the percentage of customers who would recommend your business to their friends, based on survey results, and an estimate on the percentage of customers expected to return to your business within three months.

Profit Calculator

After plugging in what it costs you to serve one Groupon customer, the profit calculator extrapolates that to estimate the cost-effectiveness of your promotion. See how much money you should expect to make.

If your business participates in daily deals, this tool provides invaluable information on your customer base. Up until now, this data has only been available to the larger companies.

“The Merchant Impact Report was created as a result of our merchants’ feedback and is designed to provide a clear, concise view into the effectiveness of their Groupon promotions,” said Amit Koren, Director of Merchant Products, Groupon. “Until today only the largest companies had access to this kind of information, and now we’re providing these powerful analytics to every local business that works with Groupon.”

All of these features can be tested in a demo Groupon has provided.

If your business has worked with Groupon, or another daily deal website, let us know about your experience in the comments, and give us your thoughts on this new tool!



You Can Use LinkedIn As a Landing Page and Facebook For Blogging

Facebook’s 1 billion users and 552 million daily visits and LinkedIn’s recent 200 million member milestone and 25 million daily visits have secured their top spot in our online professional and social networking world. They can also be powerful, resourceful ecosystems for business and professional advancement.

The current findings, research and metrics are very substantial, impressive and bear close attention.

Those of us that live and work out of our websites and blogs sometimes forget there are a lot of small businesses and professional consultants who may not be able to afford one or don’t need a full blown website.

This can be achieved using LinkedIn as a landing page and the notes feature on Facebook to blog. Both are acceptable, affordable and effective ways for startups, professional consultants, micropreneurs and solopreneurs to have a professionally branded landing page and a place to blog.

Using LinkedIn as a Landing Page

You can create a personal page as a landing page and highlight your story, services, contact information and professional activity. Or you can create a company page. Linked In has certain requirements for creating a company page, so make sure you meet the criteria first. Both options offer the ability to professionally present and market yourself, your products and services and connect them to other platforms where you engage.

LinkedIn is the professional playground for professional connections, so if you are serious about being taken seriously and meeting business decision makers, then LinkedIn is an amazing, turn-key ecosystem.

Join Groups, Start a Group, Post a Job, Look for a Job

LinkedIn is one of the most comprehensive job search and job posting sites out there today. Need employees, looking for more work, want to change jobs or find a job? It’s all on LinkedIn under Jobs.

Get the Latest News, Trends and Articles in the News Center, Tailored Just For You

LinkedIn aggregates the best daily articles and journalists from top news and information sites like CNN, Wall Street Journal, Business Insider and more. You can customize the industry sources you want to receive and then receive them daily. LinkedIn is developing into a major go to publishing machine.

Discover What Skills You Need to Succeed in the Skills & Expertise Area

Learn what you need to know from the thousands of hot, up-and-coming skills LinkedIn tracks daily. This is where you can really create your personal branding statement and fully develop your profile. Here are some great tips for optimizing your SEO on LinkedIn to boost your page and profile visibility and connectivity.

Use the Facebook Notes Feature as a Blog

This is a feature on Facebook most people don’t know about or leverage. Since Facebook is the top social engagement platform of choice, using it to post articles, write articles and share stories is another way you can optimize it and your time on it.

The notes feature works like a Microsoft Word document, so it’s easy for most people to use and allows you to include images and links to other sites. Once you create and save your article, you can easily share it on other social sites and in your email marketing. It’s really a nifty, fun tool.

LinkedIn and Facebook are top social marketing tools, which most people already use and are comfortable with. Used in tandem, they offer a no-cost or low-cost option for all of us to professionally brand ourselves and move forward with our content marketing.







10 Ways You Can Avoid Becoming An Email Robot

Now that you know how not to be a social media or content robot, let’s look at another great marketing tool that is often abused: email marketing.

I know. When you’re busy and doing everything yourself, it’s easier to slap together an email as fast as you can without bothering to customize it or really consider what would provide the most value to your customers.

But if you don’t do this, you’ll quickly see your contact list shrinking and your sales dwindling.

Never fear!

Below are 10 ways to avoid this.

Really Customize Your Email

Just a few years ago, simply putting “Dear Sally” at the top of an email was the pinnacle of customization. But now there’s no excuse for you not to go deeper with your emails.  There are plenty of tools that help you track customer behavior online, which can guide you to delivering more customized content and offers in email. While most entry-level email marketing programs don’t offer these capabilities, it may be time to graduate to one that does.

Don’t Over Send

We all have examples of companies that send emails too frequently. What do we do with those? Either ignore and delete, or unsubscribe. You don’t want that to be your company’s email. Instead, test out different schedules to figure out what works best. I recommend that my clients send one email newsletter and one to two promotional or announcement emails each month. It’s not too much, but it keeps them on the minds of their contacts.

Don’t Make It Lengthy

Like with blogs and websites, consumers want to speed read their emails and get to the good stuff quickly. If they have to scroll and scroll, they’ll lose interest. Break your content up into chunks (most templates will help with this), use headers and subheaders and add in bullet points or lists to break up content. You can also cut off the copy and include a hyperlink for people to click to keep reading on your site.

Don’t Make It Look Icky

While some people do prefer a text-only email (and you can add in a text version when creating an email), most want an HTML version rich with pictures and color. You’ll get better engagement if your email is attractive.

Write Like a Human

Because, after all, you are. There are plenty of sources that provide recommendations for writing to your audience’s reading level. If you know they’re all PhDs, fine. Use highfalutin language. But assume they’re not and write in a conversational tone that makes it easy to skim and understand.

Include Contact Info

If someone wants to email you when they get your newsletter, but you have a “do not reply” email, it gets frustrating. Include an email address, phone number and web links for your company in each email.

Make It Easy to Unsubscribe

There’s nothing more frustrating than a difficult unsubscribe process. I click the spam button for them, which is, of course bad for the company. So make sure you have a simple, one-click link for contacts to unsubscribe. Forcing them to receive your emails doesn’t do anything to nurture that customer relationship.

Create Lists

All of your contacts likely don’t need to be lumped into the same group. If you’re in retail, you can separate your list into those that buy women’s clothes, those that buy men’s clothes, those that buy kids’ clothes, and those who haven’t yet made a purchase. Or if you have a long sales cycle, you can use key behaviors (see #1) to sort contacts by the stage of the sales cycle they’re in. Then you can target your content to each list rather than mass mailing everyone the same email.

See What They Respond To

In my MailChimp account, I can see the 5 most clicked emails. If I’m smart, I’ll go into each and see what was so appealing to my contacts, then try to create similar content in subsequent emails. By paying attention to patterns, in terms of content and open times, you can better tweak future campaigns.

Keep Your Strategy in Mind

If you’re just aimlessly sending emails out because you’re supposed to, stop and consider what your goal is. Is it simply brand recognition? To increase sales through your emails? To get more subscribers? Make sure each email addresses that strategy and your goals.





Five Must-Have Travel Apps That Keep You Moving While On The Road

Traveling can be an ordeal and keeping organized away from your home or office can be a nightmare. Luckily, there are plenty of travel apps for your smartphone that have you covered. One trip to the App Store can make your life a little less complicated!

1. TripIt or TripCase (Both on iOS and Android)

You used to carry around printed reservations, but with these apps, you just forward your travel confirmation emails to them and they automatically parse the details to create your itinerary. What separates TripCase from TripIt are the free flight alerts: starting 48 hours before you depart, if your gate changes, or there’s a delay or a cancellation, TripCase lets you know. “No other free app provides anything close to this level of functionality,” says TripCase spokesman, Dave Hochman.

2. mTrip (iOS and Android)

If you’re going to one of the major cities that mTrip has made a travel guide for, it’s a no brainer download. You get maps and loads of information on points of interest, including restaurants, museums, hotels and more. And because all that is contained in the app, you save yourself roaming charges when you need directions or want to know more about the area.

Each city costs $5.99.

3. Uber (iOS and Android)

Uber says they’re everyone’s private driver. If you’re in one of the cities serviced by Uber, you can request a pickup from anywhere at any time. The nearest driver comes for you in a “sleek black car.” When it’s time to pay, Uber charges the credit card you have on file with them. No cash needed.

4. DocuSign Ink (iOS and Android)

A contract needs your signature right away and you’re on the other side of the world with just a phone. That was a problem, but now it isn’t. DocuSign Ink lets you grab documents from your email, Dropbox or elsewhere, and sign them with your finger. It’s got enterprise-grade security and it’s legally binding. More on electronic signatures in our archives.

5. Expensify (iOS and Android)

The easy way to do your expense reports. This app syncs with your credit cards and bank accounts, and allows you to scan receipts using your phone’s camera. Mileage expenses are tracked with GPS or odometer entry. At the end of it all, you’ve got a PDF expense report you can email anywhere it needs to go.

These five apps are perfect for avoiding some of the roadblocks you’re likely to encounter on your travels, and should help you get from home to away and back again. Let us know if this list helps you out! And tell us about any really great app we might have missed. Which travel apps do you swear by?






SaaSID adds new capability to its Cloud Application Manager

SaaSID has launched the second version of its cloud application manager to offer a unified format for managing users' authentication credentials.

Integrating the management of strong identity credentials, granular application access controls and intuitive reporting, the company said that Cloud Application Manager 2.0 now provides server-side authentication to prevent logon credentials from being sent to devices that might be infected.

SaaSID claims that all usage is now displayed in a dashboard that provides clear visibility of web application use throughout an organisation, while the new software simplifies administration of authentication, feature controls and password management to help CIOs monitor and audit every user interaction with web applications.

Users can also be authenticated and logged into web applications from the SaaSID server, ensuring that credentials are protected from man-in-the-middle malware that might be present on an unsecured device.

Also added is the ability for IT departments to apply their own restrictions to application features, while support is offered for existing two-factor authentication solutions, including technology from RSA, Vasco and ActivIdentity.

Ed Macnair, CEO of SaaSID, said, “The intuitive dashboard makes Cloud Application Manager's auditing capability even more powerful, by providing CIOs with full visibility of employees' web application use, through a single pane of glass.

“We are committed to helping our customers meet the evolving identity, authentication and reporting requirements of the cloud. Cloud Application Manager 2.0 increases visibility and automates security features: putting CIOs back in control of web applications and providing clear proof of governance, risk management and compliance.”



Dell SecureWorks expands incident response to offer APT and DoS protection

Dell SecureWorks has expanded its incident response services to offer assessment for advanced threats and denial-of-service attacks.

According to the company, this expansion will help organisations stay abreast of emerging threats, proactively fortify defences, continuously detect and stop cyber attacks, and recover quickly from security breaches.

The three additions are: the advanced threat preparedness assessment service, which assesses organisations' capabilities to resist, detect and respond to an attack by an advanced threat actor; the advanced threat tabletop exercises, which evaluate an organisation's ability to respond to a targeted attack and incorporate intelligence on the tactics, techniques and procedures of targeted actors; and a denial-of-service preparedness assessment.

Finally, the denial-of-service (DoS) preparedness assessment services will help organisations understand their abilities to withstand those attacks and will assess users to see if they have a tested response methodology in place. The services include capabilities reviews, tabletop exercises and DoS/DDoS stress testing under real-world conditions.

Kevin Hanes, executive director of security and risk consulting at Dell SecureWorks, said: “Companies have been increasingly seeking our incident response expertise because of our unified security capabilities. Our responders have access to intelligence before their boots even hit the ground so they can help organisations recover quickly from security breaches.”



4 Social Media Trade Show Marketing Tips

If you’re not using social media marketing to improve your trade show success, then you’re missing out on big opportunities. Follow these four social media trade show marketing tips to boost interest, create buzz and keep people interested in your business ideas.

Make as Many Connections as Possible


Social media makes it easier for you to connect with others. Easier, however, doesn’t mean “effortless.” You need to put effort into forming connections to build a hive of interconnected colleagues.

Make a professional profile for yourself on LinkedIn and create profiles for your business on:

Use these sites to branch out to other people and organizations in your industry. Don’t feel bashful about sending a friend request. They want to connect with you for the same reasons you want to connect with them.

Incorporate Social Media Into Your Blog Posts


Ideally, you already have a blog that draws in readers with compelling content. If you don’t, then you need to get on that as soon as possible.

If you have great articles, videos and infographics, people will want to share your content with others. Honestly though, they will only share your blog post if they have an easy way to do so. Include buttons that let readers share your posts immediately on G+, Facebook and Twitter.

This lets them share your ideas without exerting any effort.

Create a Buzz Before the Show


Use your social media connections to generate buzz before your trade show. The more people you can attract, the more people you get to influence with your presentation.

How do you create buzz?

Those social media connections will come in handy as will your content creation skills. Video content typically creates a lot of buzz. Exciting music, interviews and demonstrations can make your ideas more engaging. You can also mention contests and giveaways to motivate people with free stuff.

This is an essential step in the marketing process. If you don’t have an in-house video producer and director, then you should consider farming this part out to a local business that can help you. It will cost a bit of money but the potential returns are great.

Make More Connections at the Trade Show


Social media marketing can increase attendance at your next trade show exhibit, but you shouldn’t think of that as your end goal. Consider how you can use this event to build a reputation, make more connections and attract a bigger audience to your next event.

How do you make more connections at the show?

Put tablet PCs on a table and ask people to sign up for a drawing by friending you on Facebook or sharing one of your posts.

As important as social media is, you also have to use your personality to work the crowd and meet new people. Smartphone apps such as Bump make it easy to share contact info with the people you meet. Always carry business cards for people who haven’t caught on to the smartphone revolution.

What are some of the best social media marketing strategies that have gotten you to visit a trade show?




Research reveals reality of mobile application flaws

A survey of popular applications has revealed that most have SQL flaws, store sensitive details in an unencrypted format and have fragile backends.

According to IntegriCell president Aaron Turner, mobile applications have so many vulnerabilities because every one of them, particularly free applications, has a backend API, and because so many developers use SQLite to implement features without anyone checking whether the implementation is secure.

In a survey of a number of applications that had versions for Apple and Android, Turner found that 35 per cent had SQL injection flaws, while 99 per cent had unencrypted data.
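To make the pattern Turner describes concrete (string-built SQLite queries that nobody checks), the following is an added example, not code from Turner's research or from any of the surveyed apps: a toy on-device login check written the defective way beside its parameterized form, run against a constructed in-memory SQLite table.

```python
"""Added example: a local-login check backed by SQLite, written the way
the article says many mobile developers write it (SQL text built from
user input) beside the parameterized form.  The table, the users and
the malicious input are all constructed here for the demonstration."""
import sqlite3

# Constructed sample rows standing in for an app's on-device SQLite store.
# The PIN is stored in the clear only to keep the demo short; in a real
# app the credential would be hashed (the article's "unencrypted data"
# finding is exactly this kind of plaintext storage).
SAMPLE_USERS = [("alice", "1234"), ("bob", "9876")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a toy users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, pin TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pin: str) -> bool:
    """Defective pattern: user input is spliced into the SQL text, so
    anything the user types becomes part of the query grammar."""
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND pin = '{pin}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, name: str, pin: str) -> bool:
    """Hardened pattern: the SQL text is fixed and the driver binds the
    values, so input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pin = ?"
    return conn.execute(sql, (name, pin)).fetchone()[0] > 0


def demo() -> dict:
    """Run both checks with valid, wrong and malformed credentials."""
    conn = make_db()
    # A tautology in the PIN field.  In the vulnerable query this yields
    #   ... WHERE name = 'alice' AND pin = '' OR '1'='1'
    # which matches every row, so the check passes without a valid PIN.
    tautology_pin = "' OR '1'='1"
    results = {
        "good_creds_vuln": login_vulnerable(conn, "alice", "1234"),
        "good_creds_param": login_parameterized(conn, "alice", "1234"),
        "bad_pin_vuln": login_vulnerable(conn, "alice", "0000"),
        "bad_pin_param": login_parameterized(conn, "alice", "0000"),
        "tautology_vuln": login_vulnerable(conn, "alice", tautology_pin),
        "tautology_param": login_parameterized(conn, "alice", tautology_pin),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check:18s} -> {'login accepted' if passed else 'rejected'}")
```

The same fix applies to the backend side the article describes: every SQL statement the API issues on behalf of a client takes its values as bound parameters, not as text.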

Further analysis of the backends found that all of the applications assessed had a web server and patch configuration flaw that would allow an attacker to control the server, while authentication bypass was possible in 79 per cent of applications. Unencrypted data was also present in 99 per cent of application backends.

Turner told SC Magazine that the errors were significant: an exposed application would allow an attacker to collect data from the handset and, if the handset were connected to a network, all of that data too.

“I pointed the scanning tool at the application backend and did a simple scan and as they were default Linux builds, I did the configuration and all of the administrator passwords were not changed,” he said.

“This is an issue of the lack of maturity of mobile application developers who are ‘not solving stupid’. Look at the eco-system; once the backend has been attacked an attacker can use JSON to control the frontend also. There is no firewall to protect the user or application monitoring to do control, it is a complex backend and [there is] no security on either.”

Presenting this research at the RSA Conference in San Francisco last week under the title ‘Mobile applications: the vulnerability tsunami is coming’, he recommended deploying a PIM container, as although it is not very good, "it is the best we have right now".

Turner told SC Magazine that he had sought permission from the developers of the applications he assessed, initially contacting them at the end of last year, but had no permission given to independently analyse their applications. He admitted that this might have led to some false positives.



RSA 2013: Experts struggle to define offensive security, hacking back

SAN FRANCISCO -- It's hard to agree whether "hacking back" is an acceptable enterprise defense practice when no one can agree what the term means.

Offensive security is a big term, and it's compounded by the fact that the laws governing it are also vague.

Andrew Woods,
Stanford University Law School

That was perhaps the only concrete takeaway from a discussion at RSA Conference 2013 last week, during which a panel of experts -- led by Joshua Corman, Akamai Technologies Inc.'s director of security intelligence -- sought to take on the nebulous concept of offensive security, loosely defined as any effort to "turn the tables" on an attacker (or would-be attacker) by penetrating their networks or disabling their systems.

The topic, once largely theoretical, has taken on more practical undertones as of late, especially in the wake of the bombshell APT1 report by Mandiant Corp.

In the report, released just prior to the RSA Conference, Mandiant offered compelling evidence showing how a military group supported by the Chinese government has allegedly been hacking into enterprises for years and stealing intellectual property, with little, if any, repercussions.

Corman said he's noticed an increase recently in industry discussion about the acceptability of offensive security. George Kurtz, CEO of Irvine, Calif.-based active defense vendor CrowdStrike Inc., said enterprises are increasingly frustrated about their inability to stop advanced attacks, particularly those conducted by nation states.

"Most of our customers who have had a persistent and active threat over the past couple of years are tired of [being exploited and] going through forensic examinations, capturing the memory, flattening the boxes and starting over, and that frustration has manifested in this discussion of offensive security," Kurtz said. "People are saying, 'The government isn't protecting us; what can we do?'"

Yet at what point does an enterprise's effort to secure its IT infrastructure shift from defensive to offensive? Adam O'Donnell, chief architect for the cloud technology group at Columbia, Md.-based security vendor Sourcefire Inc., said an organization's efforts are no longer defensive when they involve crossing the boundaries of another organization's network to effect change.

O'Donnell expressed concern that more organizations may be considering "hacking back" against attackers. He said not only is it a bad idea for private organizations to assume authority reserved expressly for the federal government, but it's also inherently dangerous to go after malicious actors who may be associated with or aided by foreign governments.

"You're responding to an adversary with bytes when they're used to responding with bullets," O'Donnell said. "They're not operating in a world where they're simply going to compromise your host and deface your website. They're going to come back shooting. It's something to consider if you're going to punch the bully in the nose."

Christopher Hoff, senior director and chief security architect with Sunnyvale, Calif.-based Juniper Networks Inc., argued a different perspective. He offered up a hypothetical scenario involving an attacker attempting to access a victim's website, making "an authorized and expressed connection" with the intent of doing harm. Hoff asserted that, if an organization can detect that attack attempt, it should be reasonable to respond with similarly hostile packets.

"If somebody directly connects to me, and I issue a response back, whether I deliver what they were expecting or not, that's not penetrating; that's replying to a request in an authorized manner," Hoff said.

While some panelists seemed to subtly bristle at Hoff's assertion, like many in the industry, they were reluctant to counter with their own definitions of hacking back. At one point, Corman challenged the panelists to define the term for the audience, and like a hot potato they tossed the issue back and forth, with Hoff eventually proposing that it should be the process of doing harm to an attacker, above and beyond the "request response" in his example. O'Donnell said hacking back is to go after a machine that's outside one's control, and alternatively active defense is going after a machine that one doesn't own.

Part of the reason the functional parameters are so difficult to define is because the legal parameters are equally unclear, if not more so. Panelist Andrew Woods, an attorney and fellow at Stanford University Law School, said the primary U.S. law governing such activity would be the 1984 Computer Fraud and Abuse Act (CFAA).

The law, Woods said, provides criminal penalties for anyone who intentionally exceeds authorized network access. However, he added, access has been broadly defined by the courts over the years -- originally it meant physical access to a computer, but has been taken to mean that access begins and ends at the bounds of any particular network.

In terms of what's allowable under the CFAA, Woods offered up examples like blocking cyber-intruders, obfuscating them with false data and misdirecting them toward false targets. Using tools to affect an attacker's network, however, would likely be a violation of CFAA, and the law offers little to no guidance when adversaries are outside the jurisdiction of the U.S.

"Offensive security is a big term," said Woods, "and it's compounded by the fact that the laws governing it are also vague."

Kurtz said that, as significant as the criminal statutes may be, enterprise executives are often more concerned with the civil and financial implications. He said a CIO council's first question may be whether offensive security is legal, but its second question will be whether the company could be sued.

Rather than seeking to strike back at attackers directly, Kurtz offered a more measured response to attackers, a two-pronged approach that he called "block and get rid" and "watch and contain." Determined cyberattackers, he said, are like termites; in some cases it's necessary to "tent the whole house" and in others, like in the case of a targeted attack, it can be better for an organization to position itself to observe the behavior of attackers and learn what they want and why by planting false information.

"With high-end nation-state IP theft, information is gathered en masse, and someone on the other end of the keyboard has to go through it," Kurtz said. "If they don't know what's real, that drives up the cost. So you're active, but you're not breaking into something."




Social Network Advertising: Twitter, Facebook or LinkedIn? Let’s Compare!

If you want to spread your presence around via social networking, you’re probably wondering what’s worth it and what you should throw in the bin. It’s not like you have the exquisite budget of a multi-million-dollar top-hatter. You’re looking to make the smartest investment possible, and you want to make sure that you rake in a nice, fat followership. So where are your social network advertising dollars best spent?

Today, we’ll be comparing the advertising platforms of Facebook, Twitter and LinkedIn. I’ll be doing it in a pros/cons model to make it easier to read. Let’s start with Facebook.

Facebook

Just about everyone in the civilized world is on Facebook. Compare it to other social networks, and this one takes home the trophy. But is its advertising platform small-business-friendly? They seem to have it all figured out, since a large number of small businesses all over the world use the Facebook advertising platform to deliver their message to people in their vicinity.

Pros:

  • The ad creation process is simple, intuitive, and allows you plenty of flexibility.
  • You can target your ads to microscopic demographics and geographical areas. For example, you can target 18-24-year-old males living in Kiev who like snorkeling and collecting stamps. You can even target education and income levels. The possibilities are literally endless. This makes sure that your ad reaches only the customers you’re really pining for.
  • You’re able to advertise your business’ website as well as your Facebook page, allowing you to get likes that help you keep your customer base informed.
  • Ads are not very costly, often costing below $1 per like received, depending on how you set up your ad.

Cons:

  • It’s a little annoying to keep track of your ads, and they lose traction after about three days.
  • This is not a good product for businesses that don’t have consumer-centric M.O.’s.
  • It may take quite an initial investment to get someone to design and manage a page for you if you really don’t have the time or don’t know what you’re doing. You’d benefit best if you already have an established page on Facebook.
  • You might have trouble with senior citizens. According to the linked source, senior citizens are more likely to click through your ad, but are less likely to click “Like” on your page once they get to it. The drop in “Like” count compared to younger people is only around 8%. It doesn’t seem much of a difference, although that’s eight cents out of every advertising dollar wasted. If advertising to older people is worth your while (and it might be), pursue it!

LinkedIn

LinkedIn is one of those rare places where you’ll find all your B2B customers perfectly lined up in a row. This is the perfect place to hit your target if you’re a business that offers business-oriented products. There are only a few things to keep in mind:

Pros

  • LinkedIn is one beautiful golden goose. It has several business owners connected to it.
  • Your ads are easy to target, especially if you’re looking to attract people with certain titles. You can target an ad to executives.

Cons

  • The ads are very expensive. The minimum cost-per-click (CPC) bid is $2 per click. Your minimum budget is $10 a day. This means that, at the lowest rate, you’ll get 5 clicks per day. Their own page on campaign pricing seems to confess that they prefer a $3 bid, so we don’t know if you’ll even get more than 3 clicks per day out of this. Conversion had better be easy!
  • Conversions seem to be minimal. Many experiments have failed, although they weren’t offering something relevant to the audience at LinkedIn. You might not be making the safest bet with this platform.

Twitter

Twitter’s a very busy traffic junction. It’s one of the metropolitan centers of the Internet. There are two ways to advertise here:

1) The cost-per-click model that promotes a tweet you make at the top of several search results and delivers conversions.

2) The cost-per-thousand-impressions model that promotes your account on a “people to follow” list. This one delivers followers.

I’ll be using this comprehensive experiment of Twitter’s advertising as a model. Here’s the rundown:

Pros:

  • Twitter’s tweet promotion advertising really generates tons of clicks and impressions. CTR hovers at around 0.70%, which is impressive.
  • The account promotion ad model can bring a decent following. The CTR was somewhere in the ballpark of 0.20% in the sourced experiment.

Cons:

  • Tweet promotion doesn’t work at converting squat. The most conversions this experiment got was six, out of 9,235 impressions and 64 clicks. A 10 percent conversion rate against clicks doesn’t look very bad on the resume, until you realize that the other ads got zero conversion. Aside from this, you’re paying $1.50 per click, if not more.
  • Account promotion is expensive. At a particular price per thousand impressions, the experiment yielded a less-than-flattering 47 followers after 20,000 impressions. This led to a price of around $2.30 per follower.
  • Ads start to fade out at around 5 days. It’s a rather short lifespan.

The Conclusion

I’m inclined to say that Facebook takes home the trophy this time. Its advertising platform is not only great at targeting a desired audience, but it’s also more lucrative. You can get one like on Facebook for a fraction of the cost of a follower on Twitter. This is the perfect solution for a B2C business.

If you’re a B2B provider, you’re likely better off with LinkedIn. Despite the scarce conversion rate, it seems that you can eventually figure out the LinkedIn formula. It’s still a gamble, but it’s better than trying to appeal to businesses on a largely consumer-driven platform like Facebook.



File Sharing Battle: Citrix ShareFile Ups The Ante. Within App Document Editing

It seems like almost every week a new file sharing and synchronization app or service comes on the market. I LOVE IT - it’s great for us small businesses for sure.

Today, Citrix ShareFile releases a new iOS app that enables its file sharing users to edit Microsoft Office documents from within the app. It sounds simple, but as you look for the file sharing service that best meets your needs, it’s small changes and features like this that will make the difference.



Control Your Email Inbox: Stop Email Notifications From Twitter, Facebook

Social media is one of the greatest inventions of the modern world. It allows us to connect with people we lost touch with, keep up with the daily lives of people we care about but don’t see often in real life, and share content that can be truly rewarding. Not to mention the ability to find others from around the globe to chat with, which was a difficult prospect before.

Yes, social networking in particular has managed to open up our lives to the wider world in a way we never would have thought possible before the creation of the miracle known as the Internet. But it has also created a whole list of minor irritations and distractions that can build up and make life a little more stressful.

For me, the most irritating of these minor annoyances is social media notifications. Emails flooding my inbox about every little comment or activity on Facebook, Twitter and LinkedIn is a hassle. With more social networks becoming a part of life, they can now also come from Pinterest, YouTube, StumbleUpon and a dozen other sites you just don’t need to be constantly updated on.

Here’s how I handle the email craziness:

  • Use social media inboxes to get notified of social media interactions in a user-friendly, non-intrusive way (here are two tools to get productive).
  • Stop certain types of social media updates to my main inbox. All I am usually interested in learning quickly is a DM or a private message. All other types of social media updates have to go. Otherwise, I’ll have no time for work.

However, it took me ages to realize that I could stop this. All it takes is a few alterations to your settings and you are free. Or just get one of the programs made to make it even easier.

Using Settings

All social media sites have an area of your settings, sometimes in your account settings, that lets you specify what you would like to be notified of.

Facebook

In Facebook, just simply go to Account Settings through the little gear in the top right hand corner of any Facebook page. On the left hand side will be a bar with options. Select Notifications > Email. You can choose to get all notifications except those specifically unsubscribed from, important notifications about you or activity or only notifications about problems with your account, security or privacy.

You can also select what text message notifications you get (if you are subscribed to mobile use). This includes comments on your profile, friend requests/confirmations and everything else. You may also set the times you get notifications if you don’t want them at certain hours of the night or morning.


Twitter

Twitter isn’t quite so customizable, but you can still specify what you want. Just go to your account, hit the gear button on the top header, then select Settings > Email Notifications. You can choose when you get an email and who it applies to on your list. You can also choose to get an email digest weekly, daily, etc.

Using Gmail Filter

Whether you want to avoid or better organize older social media updates that get archived in your inbox (to stop them from interfering with your inbox search) or to stop the clutter from the future ones, this Gmail search command will come in handy:

  • Search: [from:noreply* OR from:do-not-reply* OR from:donotreply* OR from:notification*] This filters out most automated updates.

You can now set up a filter to send these emails to a separate folder, bypassing your inbox. Now just create a calendar reminder to check that folder once a day or a couple of times a week, depending on your workload.


Using Tools

Notify Me Not


If you want more thorough directions for changing your settings, or you want them for a different site than those above, you might want to check out Notify Me Not. They cover all the social networks, including those that are only social in a secondary way like Amazon.

Easy to follow, helpful and with a complete guide on the subject, it is the number one authority on banishing annoying emails to Hell, where they belong.

Unroll Me


Not only does this program allow you to get rid of unwanted emails, but it also rolls everything into a very simple, highly organized inbox for you. That means all of your emails are better formatted for easy sifting, reading and storage. Plus, it works for both Yahoo and Gmail, though that means it isn’t compatible with other clients. But come on, who uses them anymore?

Know of any good programs or tips for stopping annoying social network notifications?

Image source: sps




What You Need to Know About the Sequester

Small businesses contracting with the federal government will be the first to feel the effect of the sequester, the name for the across-the-board federal budget cuts that went into effect in Washington on Friday.

For example, an estimated 35 percent of suppliers to the U.S. Defense Department are small businesses, according to the U.S. Small Business Administration.

In 2011, the department awarded 20 percent of its contracts and 35 percent of subcontracts to small firms. Those small businesses benefited at the time, of course. And all of their employees and subcontractors benefited too.

However, those businesses now could have their contracts canceled or drastically reduced as the Defense Department and other federal agencies begin to make cuts.

Small businesses also face the uncertainty of not knowing when or how their companies might be affected.

Economics expert Dr. Stephen S. Fuller of George Mason University told CBS News recently that the biggest problem is so many smaller firms may be suppliers or vendors for large, prime federal contractors without even knowing it.

As a result, Fuller says these smaller firms could see sudden loss of business without warning. He estimates nearly half of a projected two million job losses resulting from the sequester could come from smaller firms.

Not all small businesses with federal contracts are waiting around for the axe to fall, however.

For example, software and high tech consulting company Geocent gets about 80 percent of its business from the Navy, the Air Force, and the U.S. Department of Veterans Affairs.

The company is working to diversify by increasing sales in the healthcare, financial, and insurance industries, Ryan Lemire, executive director at Geocent told the Associated Press.

In October, Small Business Trends founder Anita Campbell explained how the sequester might affect small businesses beyond those with federal contracts. Deep federal budget cuts could cause a ripple effect, resulting in reduced gross domestic product, unemployment, and recession.

Meanwhile, Bill Dunkelberg, chief economist for the National Federation of Independent Business, insists business owners shouldn't listen to what he calls scare tactics by political leaders.

Dunkelberg says the budget cuts will take time to implement and will be less damaging than a recent two percent increase in Social Security taxes in January.

Small businesses must make efforts to move away from government contracts if possible, should the sequester continue. Business owners should also encourage their political leaders to end the sequester in Washington, but without tax increases that could be equally damaging to growth.