
Archive for March, 2008

CIPP: Information Security

by Patrick Romero

This last lesson of the CIPP study guide was on information security. The lesson describes the systems, policies and controls within a typical, corporate environment. One of the themes espoused by the speaker was that security and privacy are not mutually exclusive concepts. One quote that stood out was that “you can have security without privacy – but you cannot have privacy without security.”

The speaker goes on to describe the six types of security controls that would help reduce risk exposure and protect information. I won’t bore you with the details but they were a pretty extensive list of technical and physical security measures.

Another part of the lesson that I found interesting was when the discussion turned to the security requirements that should be addressed in a contract when outsourcing data activities. As I have mentioned before, I am currently taking an intellectual property drafting class dealing with software licenses and agreements and the issue of liability and indemnity clauses often comes up. While most contracts tend to be reused by attorneys, it’s always a smart policy to make sure that specific clauses are present.

The speaker goes over some of the basic elements of a contract when dealing with security, such as describing the clear roles and responsibilities for the parties. Who is responsible for storing the data? How will the information be stored? What security measures will be taken to ensure confidentiality? The speaker recommends that businesses should ask for the right to conduct audits of the outsourcing entity, preferably with an independent third party. This avoids any conflicts of interest and preserves the integrity of the audit.

The larger part of the lesson deals with authentication and authorization. Authentication is the process of confirming an identity and there are several, well-known methods to authenticate the credentials of an individual. We all know the most common way to authenticate a person or information on a computer is through passwords. Others include a smart card that the military and other government agencies issue. Many of these cards contain a small electronic device.

Another concept worth mentioning is Public Key Infrastructure. While there is more to PKI than what was discussed, PKI is a very strong non-repudiation technology that can authenticate the validity of each person involved in an e-transaction. Other methods are digital signatures and Digital.

One method of authentication that has been getting coverage in the news is biometrics. Biometrics continue to gain in popularity as a useful technique to enhance security for commercial purposes as well. Currently, there are no state or federal laws that specifically govern the use of biometric information by public or private organizations. At the SoHo Loft, a posh New York hotel, guests can use their index fingerprint to open the doors to their rooms. The hotel states that it throws away the scanned fingerprints every few days. As the law now stands, their legal obligations would appear to fall under traditional privacy laws related to the protection of medical and financial information.

Authorization is the process of determining if the user, once identified, is permitted to have access to the resource. The speaker discusses the importance of role-based access in determining who can do what to which information. The concept of role-based and need-to-know access is crucial in protecting data within an organization. Other preventative measures to limit access would be to implement identity management solutions that allow for one authoritative source, single or reduced sign-on, segregation of duties, and ease of access with controls.

Since this was the last lesson of the CIPP, I have to admit that it feels a little anticlimactic. I have been studying for the exam these last couple of weeks and I definitely have a new knowledge base of the privacy sector. I never imagined that there was so much information involved and it is definitely going to be growing in our information-based economy. I hope that I didn’t bore anyone too much but at least people know what it is like to prepare for the exam to become a Privacy Professional.

Posted in Information Protection

The Honey Stick Project - Part 2 (Experiment Design and Execution)

This is the second part of our three-part guest series with Scott Wright, discussing the motivation, ideas and findings of the newly launched Honey Stick Project. — Michael

By Scott Wright

The basic concept of the project’s initial phase (called Stream 0) was to drop USB drives loaded with files that contained HTML links to files on a website. When each file was opened by double-clicking, the native application (e.g. default browser, MS Word or Adobe Acrobat) would launch and try to load a referenced file automatically. All of the links contained on each USB drive would include a unique ID number, so I could identify which device was being used when the HTTP requests were logged at the website.

There was certainly a temptation to gather the IP addresses of the hosts from which devices were being accessed, primarily to identify the organization that owned the IP address space by doing reverse DNS lookups. However, the only value I could see in doing this was to identify organizations that might benefit from security awareness training to teach their staff about these risks. While this might be a source of leads for my business, I felt that using the information in this way would probably put the organization on the defensive in any sales call I could imagine.

“Hi Mr. CSO. I’m calling to let you know that one of your staff picked up a Honey Stick and used it from within your network.” Responses I expect might range from, “Go away, you pervert! You don’t know anything about my network, so stop following my staff around.” to “So what? I have more important things to worry about, like the auditor waiting for me in the President’s office.”

Consequences, Considerations and Responsible Handling
I was also concerned about the potential worst-case consequences of the requests being made without the user’s consent (regardless of the fact that the device they were using was clearly not their own). What those consequences might be, I was not quite sure. However, if somebody were to get fired from their job because they were found to be using unauthorized devices on their employer’s networks, I did not want there to be any uncertainty about the liabilities. So, I started drafting a paper to describe the scenarios related to data collection through “Trackable Content” on devices deliberately meant to be “found” and used. This paper is now posted on the Honey Stick Website at White Paper on Privacy Considerations for Trackable Content on Mobile Storage Devices.

In the paper, I describe the basic scenarios where different types of content could be placed on Honey Sticks (both for research and for active attacks such as something I called “Stick Phishing”). I also described what I felt to be the best approaches to deploying Honey Sticks safely for legitimate purposes, as well as safeguards that individuals could use to render these initiatives ineffective. After all, the intent was to educate people on the risks around using unknown devices. The feedback from reviews of the paper was very helpful, and led me to the decision not to capture IP addresses at all, as they could be seen as being used for profiling or targeting people. The related privacy issue really depends on how you use IP addresses. So, once again I tried to steer clear of any grey areas to keep the experiment safe for everyone.

Finally, I was confident enough in the concept to start creating a file set and website that would support the experiment. In Stream 0, all the files are identical, with the exception of the parameters in the URLs that reference the website. I am keeping the exact filenames, content and websites confidential, since the experiment is ongoing, and I want to avoid having somebody in the lunatic fringe trying to skew the results.

While most of the files have meaningful filenames, and some have meaningful text links within them, the only content that is meaningful to the user is contained in two of the files. One file briefly explains the Honey Stick Project, and offers the user the chance to indicate whether they plan to: (1) discard the device, (2) keep the device, (3) redeploy the device, or (4) return the device. By clicking on a link in the file, a request gets logged with a unique URL. The other file is a plain text file called “owner_contact_info.txt”. This file contains information about how to contact me in several ways, in case the user decides to take action to return it. (Don’t laugh, it has already happened more than once…) There is also a website reference to the Honey Stick Project for more information.

Device Selection
The devices I’m using are the cheapest USB drives available; currently between 256MB and 1GB, and costing between $6 and $8 Canadian from large retailers. As you can see by visiting the “Stream 0 Results” page of the Honey Stick Project website, I’ve been leaving them in various publicly accessible locations, including coffee shops, libraries, hospitals, office buildings, hotels, recreation centers, etc. So far, I have not been putting any labels on the devices, except for some chicken scratches that mean something to me, but could easily appear to be normal wear and tear to the Finder.

It turns out that the exact location within each site can cause a difference in response rates. For quick response, I want people to pick them up and be able to get to a connected computer as soon as possible. In many retail product and service companies, it’s too easy for people to turn them in to a cashier or desk and have them sit in a “lost and found” for several weeks, or longer. Phone stalls, washrooms and elevators seem to be good for having them picked up almost immediately. So, Stream 0 is helping me learn about these subtleties. Perhaps I’ll be able to target specific types of locations that will allow me to get higher response rates in future.

Budgeting
As for budgeting, I will do 10 or 15 at a time, as I can afford it. I am accepting sponsorships on the site to allow for the purchase of more devices. It may also be possible for me to package device “loads” for indoctrinated “HSP Fellows” to distribute in their own cities, or when they are traveling.

Stay tuned for the next installment, when I discuss some of the findings so far, and what the future may hold for the Honey Stick Project.

Posted in Information Protection, Security Awareness Training
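An added example, not part of Scott Wright's post or the project's own code: one way to reduce a web server access log to the per-device facts the experiment measures (which files were opened, in what order, and the finder's stated intent) while discarding client IP addresses and user agents, as the post decides to do. The parameter names `dev`, `f` and `choice`, the `/t.gif` path and the log lines are constructed for illustration, since the real ones are kept confidential.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Combined Log Format. The client address (first field) is matched but never
# captured, so it cannot leak into the reduced data set.
LINE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" \d{3} ')

# The four choices the explanatory file offers the finder.
INTENTS = {"discard", "keep", "redeploy", "return"}

# Constructed sample log (documentation-range addresses, hypothetical URLs).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2008:09:14:02 -0400] "GET /t.gif?dev=0042&f=passwords HTTP/1.1" 200 43 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [12/Mar/2008:09:15:40 -0400] "GET /robots.txt HTTP/1.1" 404 0 "-" "crawler"',
    '203.0.113.7 - - [12/Mar/2008:09:16:11 -0400] "GET /t.gif?dev=0042&f=about HTTP/1.1" 200 43 "-" "Mozilla/4.0"',
    '192.0.2.99 - - [13/Mar/2008:17:02:55 -0400] "GET /t.gif?dev=0017&f=banking HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2008:09:17:30 -0400] "GET /t.gif?dev=0042&choice=return HTTP/1.1" 200 43 "-" "Mozilla/4.0"',
    '192.0.2.99 - - [13/Mar/2008:17:03:10 -0400] "GET /t.gif?dev=0017&f=banking HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
]


def reduce_log(lines):
    """Return {device_id: {"first_seen", "opened", "intent"}} with no IPs."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a GET request in the expected format
        when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        query = parse_qs(urlsplit(m.group(2)).query)
        dev = query.get("dev", [""])[0]
        if not dev.isdigit():
            continue  # crawlers and stray requests carry no device ID
        label = query.get("f", [None])[0]
        choice = query.get("choice", [None])[0]
        events.append((when, dev, label, choice))

    # Order by time so "opened" reflects the sequence the finder followed.
    events.sort(key=lambda e: e[0])

    devices = {}
    for when, dev, label, choice in events:
        record = devices.setdefault(dev, {
            "first_seen": when.date().isoformat(),  # day only, not the second
            "opened": [],
            "intent": None,
        })
        if label and label not in record["opened"]:
            record["opened"].append(label)  # repeat opens are counted once
        if choice in INTENTS:
            record["intent"] = choice
    return devices


if __name__ == "__main__":
    for dev, record in reduce_log(SAMPLE_LOG).items():
        print(dev, record)
```
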

Join me at the Nebraska Cyber Security Conference on April 22

With a focus on bringing new insights into the challenges business and professionals face, I am keynoting the April 22 Nebraska Cyber Security Conference in Lincoln, NE. Additional details and registration can be found here: http://www.cio.ne.gov/cybersecurity/conference/registration08.html

I will share ideas, anecdotes and strategies from Into the Breach, designed to help bring more effective results and address the challenges we face. If you are going to be there, I would enjoy the opportunity to speak with you before, during or after the event.

Tsc Keynote Strategy To Protect Information Overview

Posted in Professional Speaking

Why do corporations care (and spend money) to educate employees about protecting personal identity?

I am about to head off site for the day with a client. As a speaker that works with companies to change the way people protect information, I have met some great people. Among them is John Sileo, a fellow professional speaker and expert on identity theft. I asked John to share some insights with us about the value of organizations investing in speakers to help people learn about privacy and how to protect themselves…

By John Sileo

After all, most businesses are profit-driven and only have time and resources to concentrate on initiatives that affect their bottom line. Businesses educate their employees and even their end customers on identity theft because it positively affects the corporation’s bottom line (by lowering the costs of data theft). Here’s how organizations benefit:

Minimizing employee downtime.
Serious individual cases of identity theft can take up to 600 hours in recovery time. Because banks and creditors are generally open when employees are at work, the employees are forced to recover on company time. Even if they only spend 40 hours during work recovering, this is a huge cost to the company. Roughly 10% of households will have to recover from identity theft at least once this year.

Personal privacy leads to professional privacy.
How can corporations expect employees to care about the sensitive information they handle every day (customer data, employee records, intellectual capital) if the employees don’t first respect their own private data? As employees discover how much their identity is worth, they are far more likely to protect the data they handle at work as if it were their own. After all, they begin to understand that next time it might be their identity that is stolen from a corporation.

Corporate data breaches are expensive.
Smart corporations understand that safe data is profitable data. Just ask TJX, a company that, according to recent stories, lost somewhere in the neighborhood of 94 million customer identities (far above what they initially reported) and could spend up to $1 billion recovering from the data breach. Not only are they being sued by customers, but by credit card companies and banks whose customer data has been compromised. Add to this the costs of providing a year’s worth of credit monitoring for every affected individual (a maximum of 94 million X $10 per month X 12 months), the damage it has done to their brand (almost everyone has seen this on the news), the hit taken by their stock and the thousands of hours spent in damage control, and you can see why investing in prevention is wildly inexpensive compared to recovering from a corporate data breach. And corporate prevention begins at the personal, employee level.

Safe and happy employees are good employees.
I have found that many corporations out there truly care about the quality of their employees’ lives. In addition, many of them hire me simply because they understand that safe and happy employees are more loyal to the corporation, speak well of the company, remain longer in the organization and drive more business. These companies consider their employees’ financial health to be as vital as their physical health, and it pays off over the long run. Identity theft poses the highest risk to their workers’ financial health.

Educated customers cost less.
I often speak to the end customers of corporations (e.g., the clients of a bank, the customers of a financial planner) who improve their security dramatically even when they just follow the basic recommendations in my ID Theft Tool Box. When a bank customer knows how to prevent identity theft, they are far less likely to become a victim and therefore less likely to lose money for which the bank is ultimately responsible. When someone steals your identity and drains your bank account, the bank generally covers the cost. If your identity is never stolen in the first place, neither you nor the bank has the expense.

If you feel that your organization would benefit from increased awareness about personal and workplace privacy, learn more about bringing in a business speaker on identity theft.

John Sileo
Identity Theft Expert

Posted in Information Protection

The Honey Stick Project

This is the first in a series of three guest posts from Scott Wright. Scott approached me with the Honey Stick Project a few weeks (or months) ago - and I look forward to participating and learning from the results. As such, I have asked him to share with us the genesis of the project and help us better understand the goals. — Michael Santarcangelo

By Scott Wright
Security Views Blog

Part 1 – The Inspiration and Purpose

For the umpteenth time, I was hearing about the touchstone penetration test that was done by Secure Network Technologies, as documented in Dark Reading’s June 2006 column “Social Engineering, the USB Way”. It was almost a year after I first heard about it, and this was still one of the most compelling stories about risks from USB devices.

It was certainly a brilliantly designed test, and the results were shocking. It illustrated how easy it was to use these devices to attack an organization without even entering their doors or scanning their network. But even though it is a well-known story by now in security circles, it was but a single data point. This was just one organization, and while many Information Security bloggers, including myself, had written of it, I got the feeling that most CSOs or executives could marginalize the story as being irrelevant to their world.

So, as I sat listening to a presenter relating the Dark Reading story to the amazed attendees (“15 of the 20 devices were picked up, and all 15 were plugged in to company computers…”), I asked myself, “How hard would it be to create a similar study in the public arena that could raise the awareness of these risks on an ongoing basis?” As I followed a few hunches I realized two things:

1) It would be very risky to the public (and probably to me) to implement the same kind of study with an executable program flying around on USB devices that would probe and send data from unwitting study subjects’ computers.

2) It would probably still be possible to gather some information about what people do with these devices without violating their privacy rights, or risking damage to their computers. The amount of information might be less, but some measure of the public’s propensities might still be worthwhile.

As I thought more about the issues around doing such an experiment, I thought about what might be measurable. Then there were the ethical and privacy issues, which I will discuss in Part 2. I had become intrigued with this experiment.

I decided on simply trying to measure whether or not somebody who found a device would plug it into their computer and try to open files on it. So, I thought about how you might be able to use programs already on the user’s computer, so no new software would be required. What about using the default browser?

Proof of Concept
I then demonstrated my hypothesis in a 5 minute experiment (it would have been quicker, but I had to look up the syntax for creating a barebones HTML file!). This proved that an HTML file with an “IMG SRC” tag in the body was enough to trigger an HTTP request to a website that could be logged, as long as the computer had access to the Internet at the time the file was opened. This was too simple. I felt like James Watson discovering the DNA molecule’s double-helix!

Next, I decided that, while putting a single HTML file on each USB drive would be enough, it might not necessarily be enough to prompt the person who found the device to actually open the file. So, I decided to create a spectrum of file names that might pique the curiosity of a broad segment of the population. For example, topics such as banking, passwords, funny, confidential, teen pop idols, cool, etc.

But, if you can identify which files people actually open, and in what order, the experiment suddenly becomes much more about psychology than technology. It also started to remind me of the old decoy technique called “Honey Pots” that are used to attract network hackers and distract them long enough for an operations center to identify and thwart an attack. So, I decided to call it the Honey Stick Project.

More questions came to mind such as, “What do people go for first?”, “Will they follow links to get what they want?”, and “Will they try to locate and contact the owner, if enough information is available?”

But before I could go shopping for USB drives, I had to deal with an important aspect of the project that otherwise might cause a lot of uneasiness amongst privacy folks, and of course the subjects of the study.

… Continued in Part 2 – The Experiment Design and Execution

In the meantime, to learn more, check out: http://www.honeystickproject.com/

Posted in Information Protection, Security Catalyst Community
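An added example, not part of Scott Wright's post: a check a defender could run over HTML files on an unknown drive before anyone opens them, reporting every reference that would contact a remote host, whether fetched automatically on render (the “IMG SRC” case in the proof of concept) or only on click. The host `tracker.example`, the parameter names and the sample file content are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# (tag, attribute) pairs a viewer fetches while rendering, with no click.
AUTO_LOAD = {("img", "src"), ("script", "src"), ("iframe", "src"),
             ("frame", "src"), ("embed", "src"), ("object", "data"),
             ("link", "href"), ("body", "background"), ("input", "src")}
# Pairs that are requested only when the reader follows or submits them.
ON_CLICK = {("a", "href"), ("area", "href"), ("form", "action")}

# Constructed sample resembling a file found on an unknown drive.
SAMPLE = """<HTML><BODY>
<P>Quarterly passwords list</P>
<IMG SRC="http://tracker.example/pixel.gif?dev=0042&amp;f=3" WIDTH=1 HEIGHT=1>
<img src="logo.png">
<A HREF="https://tracker.example/choice?dev=0042&amp;c=return">Return this device</A>
</BODY></HTML>"""


class RemoteRefFinder(HTMLParser):
    """Collects references that point at a remote host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <IMG SRC=...>
        # and <img src=...> are treated alike.
        for name, value in attrs:
            if (tag, name) in AUTO_LOAD:
                trigger = "auto"
            elif (tag, name) in ON_CLICK:
                trigger = "click"
            else:
                continue
            try:
                parts = urlsplit((value or "").strip())
            except ValueError:
                continue  # malformed URL, nothing a browser could fetch
            # A host part means the reference leaves the drive; relative
            # paths such as "logo.png" have none and are skipped.
            if not parts.netloc or parts.scheme not in ("", "http", "https"):
                continue
            self.findings.append({
                "tag": tag,
                "trigger": trigger,
                "host": parts.hostname,
                # Query parameters are where a per-device ID would travel.
                "params": parse_qsl(parts.query),
            })


def scan_html(text):
    """Return the remote references found in one HTML document."""
    finder = RemoteRefFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```
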

Rethinking Privacy Policies

When is the last time you actually sat down and read a privacy policy? What about writing one?

In the last week, I have read some (painful), written and updated one (interesting) and started to consider how they drive (or not) actions around how people protect information. I think we need to reconsider our privacy policies…

Sometimes a confluence of events presents themselves to shape thinking in new and important ways:

1. Last week I updated the privacy policy for the Security Salon. In the process, I reviewed a lot of policies, checked out the “privacy policy generators” and tried to craft a policy that was fair, made sense and was technically accurate — as well as captured the essence of my intentions. To be fair, I felt the “generators” were confusing and limiting. In the end, I generated a policy and then modified it by hand. No doubt, it’ll evolve.

2. On Friday, an article on a local company (High Peaks invests $500K in software developer Apprenda) stood out to me for two reasons:

a. This is a Software as a Service (SaaS) company. They represent a growing trend that holds some important lessons and opportunities for changing the way people protect information.

b. They are a startup, and they actually have a dedicated security resource onsite as a founder - and his title is “Vice President of Security and Infrastructure.” This suggests security is top of mind.

3. This weekend, it was reported that 13 people were fired and another dozen or so — including doctors! — have been disciplined for access to Britney Spears medical records. Sadly, this activity is not new in the realm of medical records, and the reaction is not surprising.

So I wrote a privacy policy, learned about a company handling information that was founded with security engaged from the beginning and read about the results of people violating the privacy of a medical patient. They all stayed with me — and then last night, I learned why.

Last night, I approved a comment to a post I wrote over two years ago. Normally, this is a sure sign of spam. In this case, it was not spam - and better. It was the catalyst that pulled my thinking together (yes, catalysts rely on other catalysts - now you know).

The comments were focused on the privacy policy of Plaxo. Keep in mind, the post is old and the privacy policy has probably evolved. Stacy Martin has moved on and the new Plaxo Privacy Officer is Redgee Capili. All of that withstanding, here is an excerpt from the recent comment that got me thinking:

…you did NOT say that Plaxo will not read the data of their customers… It would be nice to see a policy shuch [sic] as “Plaxo will not read the data of its customers unless 1) explicit permission is granted from the customer or 2) a law enforcement agency with appropriate juristiction demands to see the data.”

This is a subtle point and an interesting question - if someone provides a service, beyond protecting the information, should they have access to the data they hold? If so, for what purposes? I even question what it means to “read” - machine or human? Is there a difference?

Same time - fascinating post popped up yesterday in the Security Catalyst Community, asking the ‘right’ way to handle ‘discovered’ PII: Handling Discovered PII. Great question!

We face a human problem. We need a new approach. Where to start? When it comes to privacy policies - I think we need to start with some active and transparent conversations about responsibility. What do you think?

Posted in Information Protection, Security Awareness Training

CIPP: Workplace Privacy

Workplace Privacy

This was a section that only a lawyer could love. This lesson focused on the privacy concerns that are encountered by human resource management and the legal framework surrounding employee screening, hiring, evaluation, and testing. While I know next to nothing about this area of law, I did pick up some valuable knowledge, such as what type of questions employers can and cannot ask.

The lesson starts by drawing a distinction between the US approach to employee privacy protection versus the European Union. Guess which one is more business friendly? It doesn’t take much to figure out that employee expectations of privacy in the United States are very limited. There have been several cases that have ruled in favor of employers and severely limited the privacy expectations of their employees. These have ranged from allowing employers to listen in on a phone conversation to giving employers access to employee’s web-based email accounts.

A large section of the lecture related to questions that can and cannot be asked during the interview process. Some of the questions were the epitome of lawyer sophistry. For example, you cannot ask an applicant whether or not they are a US citizen but you can ask them whether they are prevented from being lawfully employed in the US because of visa or immigration status. You may not ask questions about past addiction to drugs (legal or illegal) or alcoholism. However, you can ask questions about past drug use or alcoholism as long as they are not likely to elicit information about a past addiction to drugs or alcohol.

Now, one of the reasons for this legal dance that is played by human resources is a response to legislation that protects employee rights, such as the Civil Rights Act of 1964 and the Americans with Disabilities Act of 1990. Companies have to try to balance their desire to know as much as possible about an applicant in the pre-hiring phase without breaking the law. I am personally glad that such legislation is in place but sometimes I wonder whether it really does anything to protect the rights of employees.

The part of the lesson that I found most relevant related to disclosure laws. Since this is something that I know a little bit more about, I was more interested in this part of the lesson. HR has a large responsibility in the safe keeping of employee personal records. If a data breach occurs with compromised employee’s PII, the HR department will be involved in notifying them of the breach. Most states do not require a company to notify employees that are not residents of the state where the breach occurred. The lesson was correct in pointing out that business best practices would include notification of out-of-state employees. Even though an employee would not receive damages for a data breach unless specific harm arose (e.g. identity theft), a business should have a policy beyond the legal threshold of liability.

Overall, this was probably the one lesson that interested me the least but it was relevant to many privacy issues that arise in corporate environments. Most of the information was targeted for HR specialists. I am just not sure how much of the information I will be able to retain beyond the test day unless I was involved in this profession.

Posted in Information Protection

Are you following the Carnival of the Catalyst Community?

The last few weeks have seen an increase in the activity in the Security Catalyst Community. As I have shared before, I learn with each experience - and find new ideas, insights and have built some great friendships as a result. A few weeks ago, we started the “Carnival of the Security Catalyst Community” in an effort to share some of the value with others, and to promote the security bloggers and podcasters that comprise the community.

Each week, a different member of the community hosts the “Carnival” and shares the posts they found useful or interesting, as well as shedding some light on the blogs or postings of their fellow catalysts. I find this useful and engaging, and hope you do too!

This week, Kees Leune is the host, and his Carnival posting is here: http://www.leune.org/blog/kees/2008/03/carnival-of-the-security-catal.html

Previous Carnival Hosts
Tuesday, February 12 - Andy Willingham
Tuesday, February 26 - Michael Santarcangelo
Tuesday, March 4 - Martin McKeay

Upcoming Carnival Hosts
Tuesday, March 18 - Anton Chuvakin
Tuesday, March 25 - Don C. Weber
Tuesday, April 1 - Noah Campbell
Tuesday, April 8 - Didier Stevens
Tuesday, April 15 - Andrew Hay
Tuesday, April 22 - Scott Wright
Tuesday, April 29 - Allen Baranov

What Security Blogs and Podcasts are represented in this community?
You can view the full list here: http://www.securitycatalyst.org/forums/index.php?topic=28.0

We are global. We are passionate. We work together to make a difference.

Posted in Security Catalyst Community

Breach is a human problem, but people are not the problem

I’ve been researching and considering the challenge of protecting information - specifically centered on breaches - for a while now. I’ve noticed an interesting trend where the focus is turning toward human factors - with the assertion that people are the problem.

I see it differently. Regardless of whether the growing trend of breach rises to the level of epidemic or not – breach is only a symptom.

Progress comes from treating the cause, not the symptom. While the quick assessment suggests breach is a technology problem, waiting for a technology solution, this is not entirely true.
We face a human problem – where people are not the problem. The true problem is how people have been unintentionally and systematically disconnected from the consequences of their actions. This has happened for so long that they no longer accept responsibility or are held accountable. This disconnect impacts everything in the organization and needs to be properly addressed to move forward.

To solve the breach epidemic and the broader and more pressing need to protect information requires a new approach. We literally have to change the way people think about and protect information. We must adopt the Strategy to Protect Information. This strategy is shared in the book and guided to success in the Protecting Information Program (launched today). I have some video and audio of the explanation, and I’ll share it in the coming days — as well as on the April Expedition of the Campaign Across America.

It’s time for a change that makes it easier for others (and us) to do their jobs. Your thoughts?

(and if you can’t wait, send me a note or give me a call - I’ll share what I’ve discovered)

Posted in Information Protection

CIPP - Part 4 - Web Privacy Policy

Part 4: Web Privacy Policy

I guess there are more ways than I had originally thought for a company to get information from their online visitors. Part four of the IAPP exam deals with web privacy and security. The lesson goes through the list of different mechanisms that would allow a company to identify a user visiting its website.

I felt that the information presented was an excellent introduction for individuals without any technical background. It lays out the fundamental internet protocols and how different privacy challenges arise from the use of web surfing.

The part of the lesson that I found most interesting was learning about P3P. P3P stands for Platform for Privacy Preferences Project of the World Wide Web Consortium (W3C). This is a protocol which allows companies to declare on their website how they intend to use information they collect about online visitors. The lesson analyzed a sample P3P policy as an XML file and how it would appear to an end user reading a company’s privacy policy. The speaker stressed how important it was for the privacy people at a company to communicate with their IT departments to determine what PII was being collected. Only by understanding the technical aspects of how PII is collected, can privacy experts make sure that their companies are adhering to any privacy policy they set out.

P3P is a recommended industry standard that is meant to convey to the public what a company does with the information they collect. I had known that web browsers can be set by an end user to certain privacy options but seeing how it looks from the side of the server was interesting. The model given breaks the policy into a human-readable version when requested by a user. A P3P-compliant website promises to adhere to certain privacy provisions when tracking information of visitors. Critics have said that P3P is too difficult for the average person to understand and doesn’t do enough to protect privacy. Also, using P3P on such browsers as Internet Explorer only extends to cookie blocking and not other tracking mechanisms such as pixel tags or clear GIFs.

I had not heard of P3P until this lesson but some of the controls that the consortium attempts to give to end users should be applauded. Companies that chose to abide by the P3P are taking a public stand on how they treat information they collect. While end users need to be aware of privacy concerns, companies are in a better position to comply with basic privacy standards.

While the P3P is a standard for web sites to live up to, there are no laws or regulations that make it a criminal or civil offense when companies improperly use personal information. My guess is that the only recourse for a consumer would be to seek compensation by claiming unfair trade or deceptive business practices.

Overall, this lesson was one of my favorites. It taught me something new and enforced some older knowledge. As a technology enthusiast, it is always good to understand the basics and go from there. I think that the material covered is crucial for any privacy professional working in a digital environment.

Posted in Information Protection
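An added example, not from the lesson or the post: a small reader that turns the STATEMENT elements of a P3P 1.0 policy file into plain sentences and flags third-party sharing and indefinite retention, the kind of check a privacy team could run against what IT actually publishes. The sample policy is constructed, and the English wordings are paraphrases of the P3P vocabulary chosen for this example.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 XML namespace

# Paraphrased wordings for a subset of the P3P vocabulary; tokens not
# listed here are shown as-is.
PURPOSE = {
    "current": "completing the activity the data was provided for",
    "admin": "web site and system administration",
    "develop": "research and development",
    "tailoring": "one-time tailoring of the page",
    "contact": "contacting visitors for marketing",
    "telemarketing": "telephone marketing",
}
RECIPIENT = {
    "ours": "the site itself and its agents",
    "delivery": "delivery services",
    "same": "organisations following the same practices",
    "other-recipient": "organisations following different practices",
    "unrelated": "organisations whose practices are unknown",
    "public": "public forums",
}
RETENTION = {
    "no-retention": "not retained",
    "stated-purpose": "for the stated purpose only",
    "legal-requirement": "as required by law",
    "business-practices": "per the site's business practices",
    "indefinitely": "indefinitely",
}
THIRD_PARTY = {"other-recipient", "unrelated", "public"}

# Constructed sample policy.
SAMPLE_POLICY = """
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="sample" discuri="http://www.example.com/privacy.html">
  <STATEMENT>
   <PURPOSE><admin/><develop/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><contact required="opt-in"/></PURPOSE>
   <RECIPIENT><ours/><unrelated/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>
"""


def _tokens(stmt, group):
    """Child element names of PURPOSE/RECIPIENT/RETENTION, with 'required'."""
    node = stmt.find(NS + group)
    if node is None:
        return []
    return [(c.tag.split("}")[-1], c.get("required", "always")) for c in node]


def describe(policy_xml):
    """Return one dict per STATEMENT: data refs, sentence, and flags."""
    out = []
    for stmt in ET.fromstring(policy_xml.strip()).iter(NS + "STATEMENT"):
        data = [d.get("ref", "").lstrip("#") for d in stmt.iter(NS + "DATA")]
        purposes = [PURPOSE.get(t, t) + ("" if req == "always" else f" ({req})")
                    for t, req in _tokens(stmt, "PURPOSE")]
        recipients = [t for t, _ in _tokens(stmt, "RECIPIENT")]
        retention = [t for t, _ in _tokens(stmt, "RETENTION")]
        flags = []
        if THIRD_PARTY & set(recipients):
            flags.append("shared outside the site")
        if "indefinitely" in retention:
            flags.append("kept indefinitely")
        text = "Collects {} for {}; shared with {}; retention: {}.".format(
            ", ".join(data), ", ".join(purposes),
            ", ".join(RECIPIENT.get(t, t) for t in recipients),
            ", ".join(RETENTION.get(t, t) for t in retention))
        out.append({"data": data, "text": text, "flags": flags})
    return out


if __name__ == "__main__":
    for statement in describe(SAMPLE_POLICY):
        print(statement["text"], statement["flags"])
```
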
