
Archive for October, 2007

What you may have missed on the Security Catalyst Community Forums

The last few weeks have seen some excellent conversations continue on the SCC forums. In fact, I continue to learn and grow every time I log in and check out what people are talking about. By working together, blending experiences and insights from around the globe, we’re really able to create a wealth of knowledge. I also consistently see that those who engage grow the most - which is true in life and learning, not just our forums.

In case you missed them here are some of the hot/top topics that caught my eye in the last few days:

Job Focus and Certification Advice
A lot of us that protect information for our career hit a point where we wonder, “what can we do to improve our career?” Often, that turns to discussions of certifications and where to focus. What I like about this thread is that we explore some elements of focus, and the resulting conversation is really balanced and realistic. We always welcome new ideas and insights, and if you find that you’re in this situation, you may find some insights and inspiration here. At the same time, perhaps you have some advice that you’d like to share — if so, please come and contribute!

HIPAA Compliance Question
Sometimes we just need a little help from our friends. In this case, one of our board members is wondering if he has to include HIPAA in his list of areas to consider for an audit. The community responded quickly - including the woman who literally wrote the book on HIPAA! I’m posting it here since you might have questions about HIPAA or other regulations, or you might have some audit experience, and if you do, please join the conversation and help us all improve how we practice the protection of information.

How long until this “security measure” gets broken
One of the elements that I truly enjoy in the community is the opportunity to take a look at current trends, and new suggestions for protecting information. In this case, we’re exploring some new ideas to defeat bots when it comes to registering accounts. You can learn what’s suggested in this thread, and then why I think this link poses the “attack”: Captcha-ing the power of porn (SFW). If this does pose a viable attack, how would you then build your defenses to resist this attack? Chime in, since we would enjoy the opportunity to learn from you!

Interview questions for entry-level security position?
I *love* this question and the thread. In fact, I still need to make the time to contribute some of my own ideas. This is precisely where the community excels: we have members that are executives, consultants, coaches, mid-level, in-the-trenches and brand new. Combine all of our experiences and you’re bound to get some absolutely excellent questions and resources. So… whether you are looking to hire someone or you’re looking for a job and want to be more prepared for an interview, you should be reading and contributing to this thread. You’d be pleasantly surprised when you see the level of talent and insight available for questions like this. This thread has a lot more to come, and I hope you join us and share your insights! Easily worth the price of admission (right, there’s no charge to be part of our community — your participation is your currency!).

How to prove a 40-bit SSL certificate is not strong enough
Ever face a challenge where you know the answer, but could use some help explaining why? Yup, me too. Here’s a prime example - and if you want to figure out how to explain this to those around you, come join in. Have a different challenge? Well, then come share that, too - and we’ll be here to guide you and contribute our time, talent and experiences. All we ask in return is that you do the same!

These are just some highlights - but hopefully enough to demonstrate to you that our membership is made up of professionals that support each other. We welcome new members every day - and invite you to join us.

What does it take to be a member?
Membership is easy. Go here: http://www.securitycatalyst.org/forums/index.php
Keep in mind:
1. You have to register using your real name, and in the format of FirstName.Lastname (note the period between the first and last name. For example: Michael.Santarcangelo)

** if you do not follow the naming convention, your account will be revoked. If that happens, please re-apply using the proper naming convention.

2. Once you register, your account is reviewed by one of our moderators, and then approved. Once approved, you need to log in to activate your account.
3. Accounts that are not activated after 30 days are removed. Sometimes your schedule gets compressed and you forget to come back - no worries; in the event your account is removed, you are welcome to apply for another account.

The goals of the community are simple
1. provide a positive environment in which it’s safe to ask for help
2. create a culture where anyone can answer any question - it’s simple; share what you know
3. bring professionals together to share their passions and blend their ideas for the benefit of everyone

I invite you to join us, and I look forward to learning from you!

Posted in Security Catalyst Community

Do you know why virtual teams fail? Take 5 minutes to help some grad students understand

One of the areas I have been interested in is how teams can effectively work in a virtual environment - and in a way that protects information. I like to work virtually, and it’s the only way I can effectively support the growing team of professionals behind the Security Catalyst (we have nearly 10 people now).

I was recently contacted by a group of grad students from Johns Hopkins studying virtual teams. They wanted to pick my brain on the topic of what kills virtual teams, talk a bit of security, and then buttered me up to ask if I would produce a podcast of their results by interviewing an expert. I agreed.

Part of their approach is to conduct a brief six-question survey (this literally takes 5 minutes): http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d

By participating, you’ll be helping some grad students - and we’ll all get the results with a podcast! We only need 100 people to help - please take a few minutes and share your experiences.

Since I’m conducting the interview of their expert, if you have comments, questions or suggestions, please send them to me before Thursday at securitycatalyst@gmail.com.

Here is some additional background.

The school: Johns Hopkins University Carey Business School
• A business school situated within one of the greatest research universities in the world.
• Innovative business school curricula taught by expert faculty and prominent business leaders, based on the Hopkins model of combining theory and practice.

The class: Building Teams and Developing Teamwork
This course is designed to teach students to benchmark the qualities, characteristics, and structures that lead to high performance teams. They examine the similarities and differences among interdisciplinary work teams, multidisciplinary work teams, cross-functional work teams, and virtual teams. Models of team development and organizational culture are applied to diagnosing, consulting, and facilitating team success.

The project: Bring new knowledge to the field of work team behavior
A group of five Hopkins graduate students were charged with bringing new knowledge to the field of teaming. This group elected to research the world of virtual teaming; there is a great body of literature on what makes virtual teams successful, but little written about what causes them to fail or at least be sub-optimized. This brief, six-question survey addresses potential problems related to virtual teaming and will be used in conjunction with data gathered by conducting a series of structured interviews with subject matter experts to examine “virtual team killers.” The final product of this research will be a podcast sharing the research findings and further exploring the topic.

Please take a few minutes and share your experiences and insights: http://www.surveymonkey.com/s.aspx?sm=Z23UF52G_2bIvUD_2bSzPICoqA_3d_3d

Posted in Information Protection

Free Beta Anti-XSS Tool from Microsoft

Not long ago, Microsoft was the chief butt of security jokes in the IT world. It’s safe to say that they no longer wear the crown - in fact they’ve moved to being a company often pointed to as ‘getting it right.’ And that’s coming from someone typing this post from his Ubuntu Linux laptop.

Microsoft has always been very developer focused. One of the most important shifts they’ve made has been to focus their communication on the message that security bugs are just another kind of software defect to be eliminated. I’m especially pleased that they decided to invest effort into combating a classification of bug as serious as XSS, by developing code automation tools. While not quite a replacement for SCA software like Fortify, it does cover one very serious issue using automated techniques.

The Microsoft ACE Team blog just announced a ‘free’ tool (60-day beta) that’s worth checking out if you develop or secure .NET web apps.

“XSSDetect runs as a Visual Studio plug-in and can detect potential XSS issues in managed code. ”

If that sounds fresh and exciting to you, visit:

http://blogs.msdn.com/ace_team/archive/2007/10/22/xssdetect-public-beta-now-available.aspx

There have been a string of newer articles posted about this tool in the meanwhile, as well: http://blogs.msdn.com/ace_team/default.aspx

Posted in Information Protection

Change is Good: Part III

Products & Services



“Without change, something sleeps inside us, and seldom awakens. The sleeper must awaken.”
-Frank Herbert

By now you’re getting a sense of what we are doing. With a new interpretation of our role in the information security community, a larger team, more consistent communications and new products and services, we are providing a comprehensive resource for individuals and organizations concerned about protecting data.

It is important that you understand that the change to The Security Catalyst is not cosmetic. While we have updated our marketing, our real investment has gone into developing toolkits, web-based services, new presentations, and bundles of services so that we can deliver what you need – whether you are technically inclined or not. Our new offerings include:

  • The Information Protection Toolkit (IPT)
  • ‘Speaking About Security’ training sessions for security professionals
  • The Privacy and Awareness Toolkit
  • Keynote speeches and workshops designed to engage, empower and enable your teams
  • Catalyst Sessions - dedicated and private support that blends coaching, consulting, and facilitation with deep industry experience.

We’ve been testing our solutions over the last few months, and I am now excited to offer them with confidence – to help you improve your practice of information protection. We’re putting the final touches on our website so we can share more details with you in the coming days.
Visit our website or contact me for more information.

Posted in Information Protection

TSC Insight: Do Email Disclaimers Matter?

By Michael Santarcangelo with Patrick G. Romero

If you’re like me, you routinely ignore the email disclaimers that many messages seem to have attached to them these days. For the most part, disclaimers have been added by the company, automatically and out of the hands of the users. Some users add their own, some serious and some meant to be funny. I’d more or less accepted that some used them, while others didn’t – but paid little mind to the question – do email disclaimers matter?

During a breakfast a few weeks ago, a friend of mine shared a situation in which a business email sent to an individual was later posted to a website (by the recipient). In this case, it wasn’t really a big deal, but then he asked me if he needed to start using an email disclaimer.

It’s been a while since someone asked me if they needed a disclaimer, and my instinct was that it simply wasn’t necessary. Rather than give him a wrong answer, I promised that I’d look into it. With the help of Patrick Romero, this is what we found:

Some Background on Disclaimers
Turns out these disclaimers can be used for a whole list of things – from breach of confidentiality to transmission of viruses to employer’s liability. However, the most common disclaimers are those that claim to guarantee the privacy and confidentiality of documents. They usually look something like this:

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

With the prevalence of e-mail communication, statements like these have become more and more ubiquitous among private and public companies – the majority are automatically generated whenever a user sends out any information regardless of the content of the message.

So now that we have examined the basis for email disclaimers, let’s dig deeper and explore if they provide any value or serve any purpose.

Can e-mail disclaimers guarantee the privacy and confidentiality of documents?

Generally speaking, e-mail disclaimers are not legally enforceable.

The misconception that they are stems from a lack of knowledge that surrounds the interception of electronic communication. The relevant statute that supports this belief comes from the language of the Electronic Communications Privacy Act of 1986 (ECPA) which includes language that criminalizes the interception of electronic communications. However, ECPA defines “intercept” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” A narrow reading of the statute would insinuate that only information that has been acquired illegally can be found to be intercepted.

One of the many courts that have defined “intercept” this way is the 8th Circuit. The Court held that electronic communications that have reached their destination are ineligible for interception and, therefore, are outside the protections of the ECPA. As a result, unless an e-mail has been intercepted in transit, the ECPA will not provide legal authority for individuals seeking to prevent disclosure of a misdirected e-mail.

If you are concerned about the privacy and confidentiality of your email, we offer three basic considerations:
1. Use encryption
2. Use the “envelope within an envelope” approach
3. Write carefully, review and think before pressing send

1. Can encryption provide privacy and confidentiality for email?
I have spent a lot of time reminding people recently that “solutions follow requirements” – and I’m always hesitant to recommend a solution without understanding the requirements. However, if you are concerned about the privacy and confidentiality of your email communications, you probably need to investigate the use of encryption.

I have always enjoyed learning about and teaching encryption – and while it can be a double-edged sword, it offers the safest means of ensuring privacy of email communications. In general usage, the message is encrypted (and signed in most current applications) before being sent. In a properly constructed and managed solution, only the designated recipient has the ability to decrypt and verify the message – ensuring the confidentiality of the transmission (this is an overly simplified explanation – if you’re thinking about using email encryption, give me a call and we can talk about specific details).

Encryption solutions are available for commercial and personal use. If you’re looking at this for corporate use - please start with your requirements and then select your solution.

2. It’s all about positioning
If you’re convinced that you need to continue to use a disclaimer, then you might consider where you place it. Arguments have been posed that by placing the disclaimer at the bottom of the e-mail, the user is undermining the enforceability of the disclaimer.

Think about it - how can you comply with a disclaimer after having read the content of the e-mail? As a result, there are some who advocate (albeit annoying for those who rely on email) that the disclaimer appear at the top of the e-mail. This option is known as the “envelope within an envelope” approach. The confidential information is sent as an attachment and the text of the e-mail only contains the actual language of the disclaimer.

While this does not guarantee that the recipient will not open the attachment, it could provide some greater standing in litigation if disclosure does occur. Such evidence would be relevant in proving that the sender took reasonable measures to ensure the confidentiality of documents.

3. Stop. Think before you press send.
One of the best methods for protecting information (note: information protection doesn’t always mean encryption) is to establish and effectively communicate expectations for proper use of email (if you need some help learning how to communicate policies more effectively – pick up the phone and call, it’s what we do).

Every organization should put in place a company policy with regards to sending confidential information through e-mail. This could range from a “no forwarding” policy to restrictions on what information can and cannot be sent. Clear guidelines within an organization can provide directions for individuals to understand the proper use of e-mail and decrease disclosure of sensitive information.

In the end, some do, some don’t, and you get to choose

Currently, there is little case law or statutory interpretation that discusses the legal rights of senders vis-à-vis e-mail disclaimers. With the prevalence of internet use, it is understandable that individuals would attempt to ensure some level of privacy when sending e-mails. Unfortunately, the law today does not provide protection for the misuse of confidential information sent over the internet regardless of a written disclaimer. Companies and individuals need to determine, on their own, the risk of disclosure and how to best protect their privacy.

Posted in Information Protection

Welcome Patrick Romero to the Security Catalyst Team!

You may have noticed the new look and feel for the Security Catalyst Blog. We’re in the process of rolling out a brand new website, as well as a more focused blog and podcast. To help, I am pleased to welcome Patrick Romero to the team. He has an impressive background, has served our country well - and is passionate about information protection. Patrick is currently in law school, and will be contributing on a weekly basis.

Meet Patrick
Patrick Romero is a second-year law student at New York Law School and concentrating on issues of internet law. He graduated from Connecticut College cum laude with double majors in international relations and economics and was a member of Pi Sigma Alpha. He also attended the Arabic Language Institute at the American University in Cairo (AUC) prior to attending law school. Mr. Romero served as a Staff Sergeant in the United States Army Multi-National Security Transition Command in Baghdad, Iraq from 2004-2005. During this time, he was awarded many military medals, including the Combat Action Badge, Joint Service Commendation Badge, Iraq Campaign Medal, Armed Forces Overseas Ribbon and the U.S. Army Commendation Medal. He speaks Spanish, French and Arabic.

Posted in Information Protection

Change is Good, Part II

Communications

“You must be the change you wish to see in the world.”
-Mahatma Gandhi


In Part I of Change is Good, I gave you an overview of our developments at The Security Catalyst. This time I want to focus specifically on communications.

Our new website will be launched at the end of this month. It will offer useful resources for individuals and organizations along with information on our innovative toolkits, training and support such as the:

Information Protection Toolkit
‘Speaking About Security’ training sessions for security professionals
Catalyst Sessions for one-on-one and team support
Presentations designed to engage, empower and enable your teams
Catalyst Club - unique coaching, job-aids and the ability to practice and improve

The Security Catalyst blog and podcast will gain new energy thanks to the addition of two new team members. With their support, we are developing a production schedule which will allow me to share research, analysis and opinions with you on a more regular basis. Shortly, you will notice a new blog template. In a few weeks, you’ll notice a slight change to its location (it will be found at /blog). We all have a lot to share, and we’re looking forward to the change.

We are about to start rolling out the changes. You have already seen the new logo. Soon you will experience the new look, feel and functionality of our web-based services. We are excited to finally share these fruits of our labor.

Watch for ‘Change is Good: Part III’ next week.

Posted in Information Protection

Change is Good: Part I

Overview

Change your thoughts and you change your world.
— Norman Vincent Peale

It has been a year of change at The Security Catalyst.

First we changed our thinking about what our contribution to information protection should be. Then we changed our offerings. We invested in a solid foundation, built the infrastructure for delivery and now we’re rolling out the results. Over the next two months you will notice:

new products and toolkits
more online services
adaptable, cost-saving bundles of our offerings
a new website
enriched blogging with more analysis, research, perspectives and updates on my training for the Iron Man (specifically as it relates to information protection).
the work of new team members
Quite simply, our focus and research put us at the intersection where information becomes understanding and enables us to change the way people protect information.

Watch for ‘Change is Good: Part II’ next week.

Posted in Information Protection