<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/rss2enclosuresfull.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/itemcontent.css" type="text/css" media="screen"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:media="http://search.yahoo.com/mrss/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>The Security Catalyst</title>
	
	<link>http://www.securitycatalyst.com/blog</link>
	<description>changing the way people protect information</description>
	<pubDate>Mon, 24 Nov 2008 13:36:24 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.3</generator>
	<language>en</language>
		<!-- podcast_generator="podPress/8.8" -->
		<copyright>Copyright 2006-2008. The Security Catalyst. All Rights Reserved.</copyright>
		<itunes:new-feed-url>http://www.securitycatalyst.com/feed/</itunes:new-feed-url>
		<managingEditor>securitycatalyst@gmail.com (Michael J Santarcangelo, II | The Security Catalyst)</managingEditor>
		<webMaster>securitycatalyst@gmail.com (Michael J Santarcangelo, II | The Security Catalyst)</webMaster>
		<category />
		<ttl>1440</ttl>
		<itunes:keywords>security,privacy,compliance,breach,awareness,cissp,cisa,cism,speaker,confidentiality,integrity,availability</itunes:keywords>
		<itunes:subtitle>changing the way people protect information</itunes:subtitle>
		<itunes:summary>Michael Santarcangelo is a human catalyst*. As an expert who speaks on information protection -- including compliance, privacy and awareness -- Michael energizes and inspires his audiences to change how they protect information. His passion and approach gets results that change behaviors.

As a full member of the National Speakers Association, Michael is known for delivering substantial content in a way that is energetic and entertaining. Michael connects with those he works with, and helps them engage in natural and comfortable ways - he literally makes security relevant and simple to understand!</itunes:summary>
		<itunes:author>Michael J. Santarcangelo, II</itunes:author>
		


		
		<itunes:block>No</itunes:block>
		<itunes:explicit>no</itunes:explicit>
		<itunes:image href="http://www.securitycatalyst.com/blog/SecurityCatalystIcon.png" />
		<image>
			<url>http://www.securitycatalyst.com/blog/SecurityCatalystIcon.png</url>
			<title>The Security Catalyst</title>
			<link>http://www.securitycatalyst.com/blog</link>
			<width>144</width>
			<height>144</height>
		</image>
		<media:copyright>Copyright 2006-2008. The Security Catalyst. All Rights Reserved.</media:copyright><media:thumbnail url="http://www.securitycatalyst.com/blog/SecurityCatalystIcon.png" /><media:keywords>security,privacy,compliance,breach,awareness,cissp,cisa,cism,speaker,confidentiality,integrity,availability</media:keywords><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Technology</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Business/Management &amp; Marketing</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Education/Training</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">News &amp; Politics</media:category><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Society &amp; Culture</media:category><itunes:owner><itunes:email>securitycatalyst@gmail.com</itunes:email><itunes:name>Michael J. Santarcangelo, II</itunes:name></itunes:owner><itunes:category text="Technology" /><itunes:category text="Business"><itunes:category text="Management &amp; Marketing" /></itunes:category><itunes:category text="Education"><itunes:category text="Training" /></itunes:category><itunes:category text="News &amp; Politics" /><itunes:category text="Society &amp; Culture" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://wwww.securitycatalyst.com/feed/" type="application/rss+xml" /><item>
		<title>Breaches Cost Companies Customers</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/463875363/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/11/breaches-cost-companies-customers/#comments</comments>
		<pubDate>Mon, 24 Nov 2008 13:36:24 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=589</guid>
		<description><![CDATA[By Adam Dodge
There has been a lot of discussion around the value of breach statistics and breach reporting. Personally, I feel that organizations can find a lot of value by monitoring reported breaches. By studying what breaches are being reported, especially within the same industry vertical, organizations can get a feel for how common breaches [...]]]></description>
			<content:encoded><![CDATA[<p style="0in;">By Adam Dodge</p>
<p style="0in;">There has been a lot of discussion around the value of breach statistics and breach reporting. Personally, I feel that organizations can find a lot of value by monitoring reported breaches. By studying what breaches are being reported, especially within the same industry vertical, organizations can get a feel for how common breaches are among like institutions. Leadership can gain insight into whether the organization&#8217;s current security controls will help protect against commonly occurring breach patterns and discover areas of their current security programs that need improvement. Organizations can even gain a better understanding of what steps are taken by fellow institutions in response to a breach, since these common responses will most likely be expected by customers should the organization itself suffer a breach.</p>
<p style="0in;">However, the one area that breach reporting and most breach statistics fail to cover is what happens to the business after a breach. Questions remain surrounding the long term impact of data breaches on organizations in terms of increased regulatory oversight, loss of consumer confidence and difficulty attracting new business. After all, nothing makes the case for increased security quite as strongly as reductions in the bottom line and increased red tape.</p>
<p style="0in;">Fortunately, two recent studies help shed some light on what exactly happens to consumer confidence in an organization after a data breach. In April, <a title="ID Experts" href="http://www.idexpertscorp.com">ID Experts</a> and the <a title="Ponemon Institute" href="http://www.ponemon.com">Ponemon Institute</a> released a study that looked at <a href="http://www.idexpertscorp.com/breach/ponemon-study">consumer response to data breach notices</a>. (Please note for this post I am respecting the disclaimer of this study and will only use information available in the press release.) Two months later, <a title="Debix" href="http://www.debix.com">Debix</a> and <a title="Javelin Strategy &amp; Research" href="http://www.javelinstrategy.com/">Javelin Strategy &amp; Research</a> released the results of a <a href="http://www.debix.com/javelin/index.php">consumer survey surrounding data breach notifications</a> in June.</p>
<p style="0in;">The topics and titles are not the only similarities between these two studies. Even though the methodologies cited in the studies were completely different (Ponemon used responses from a survey of 1,795 adult-aged respondents throughout the US, while Javelin used an online survey of 400 data breach victims as well as in-depth interviews with two breached institutions), the numbers reported by both are shockingly similar. In fact, they are so similar that even as I write this I have a nagging feeling that somehow these might be the same report.</p>
<p style="0in;">The results of the two reports (one report?!?) show that 55% (Javelin)/57% (Ponemon) of the individuals lost trust in the organization. Even worse, 30% (Javelin)/31% (Ponemon) of individuals notified of a breach terminate their relationship with that organization. Think about that for a second. Roughly 1 out of 2 customers will lose trust in an organization while 1 out of 3 will discontinue business with the organization following a data breach.</p>
<p style="0in;">What do these numbers mean to us? Well, if you are in an organization that relies on continued customer revenue, these numbers mean a lot.</p>
<p style="0in;">These numbers are a great starting point for computing the impact of breaches beyond clean-up and notification costs. Ignoring any security ROI proof-of-impossibility magic, the simple fact that 1 out of 3 individuals ends their relationship following a breach is something that needs to be communicated to business leadership. These reports were not some academic exercise in what may happen. The reports looked at what real people did following breach notifications. <em><strong>Real people leaving real businesses can be a powerful selling point</strong></em> for professionals stressing the importance of security in their organizations.</p>
<p style="0in;">If an organization does suffer a breach, this information is ideal for helping leadership understand what is coming in the long run. Instead of simply running off guesswork, gut feelings and “truthiness”, the organization can<strong> <em>plan for an average reduction in repeat sales and use this information to develop compensating controls</em></strong> on how to cope with the loss. While the likelihood of suffering a loss of exactly 30% is low, it is a starting point to help the business weather the post-breach storm.</p>
<p style="0in;">With consumers quickly becoming aware of the importance of security, organizations have started using security as a selling point. Don&#8217;t believe me? Take a look at the <a href="https://www.bankofamerica.com">Bank of America</a>, <a href="https://www.wellsfargo.com/">Wells Fargo</a> and <a href="http://www.citibank.com">Citibank</a> web sites. See those little locks signifying “secure” access to accounts? Why would these companies bother with this unless there was a benefit?</p>
<p style="0in;">The general public is starting to gain an awareness of security in a way that did not exist a few years ago.* What this means is that if organizations start to become secure (real security not security theater), this selling point could be used to <em><strong>draw in those 30% of customers that leave competing organizations</strong></em> following a breach. How&#8217;s that for security enabling business?</p>
<p style="0in;"><em>*This excellent point was actually thought up by David Mortman over a recent dinner with Andy Willingham, Adrian Lane and myself.</em></p>
<p style="0in;">If you haven&#8217;t already, I strongly urge all of you to go read the full ID Experts/Ponemon and Debix/Javelin reports. Each report is full of great information that I didn&#8217;t touch on here, such as whether customers find breach notifications helpful, what customers expect in terms of fraud protection and how soon they expect to be notified following a breach.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/11/breaches-cost-companies-customers/feed/</wfw:commentRss>
		<feedburner:origLink>http://www.securitycatalyst.com/blog/2008/11/breaches-cost-companies-customers/</feedburner:origLink></item>
		<item>
		<title>Electronic Information Retention Policy</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/453106669/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/11/electronic-information-retention-policy/#comments</comments>
		<pubDate>Fri, 14 Nov 2008 16:46:18 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=596</guid>
		<description><![CDATA[
By Patrick Romero
The exponential growth in electronic information and the costs of managing it, particularly in litigation, has spurred renewed interest in electronic records management and document retention programs.  A sound approach to developing an electronic records management and retention program would be to base it on a core principle that electronic records have value only [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal"><strong>By Patrick Romero</strong></p>
<p class="MsoNormal">The exponential growth in electronic information and the costs of managing it, particularly in litigation, has spurred renewed interest in electronic records management and document retention programs. A sound approach to developing an electronic records management and retention program would be to base it on a core principle: electronic records have value only to the extent that they can be efficiently identified and help the enterprise meet its legal responsibilities.</p>
<p class="MsoNormal">Electronic records that cannot be readily identified or accessed, or that are kept after any legal and practical business requirement has expired, are of little to no value to an enterprise, particularly after the costs to store, retrieve and review them are considered. So, the twin goals of an electronic records management and retention program should be 1) to facilitate the efficient search for and retrieval of electronic information and 2) to retain such electronic information only so long as there is a legal or business need to keep it.</p>
<p class="MsoNormal"><strong><span>Establish a Cross-Functional Project Team</span></strong></p>
<p class="MsoNormal">The design and implementation of the program should bring together all the major players of an organization: legal, information technology, business managers, and records retention specialists. A cross-functional approach will ensure that all parties understand that it takes a team effort to comply with retention policies and to ensure that all mandates are being met.</p>
<p class="MsoNormal"><strong><span>Confirm the Legal and Business Implications for Retention</span></strong></p>
<p class="MsoNormal">The team, usually headed by the legal department, must confirm that all federal and state laws and regulations are being complied with. Changes to the Federal Rules of Civil Procedure took effect on December 1<sup>st</sup>, 2006 and dramatically impact the way that litigants handle electronic documents during the discovery process. Lawyers must be knowledgeable not only about the law but also mindful of the business implications of their retention policies.</p>
<p class="MsoNormal"><strong><span>Recommend Process for Periodic Monitoring and Updating</span></strong></p>
<p class="MsoNormal">The duty to preserve is paramount in e-discovery. The duty to preserve documents is triggered when a party reasonably anticipates that litigation will occur. Lawyers will have to make independent judgments about when that occurs based on their existing retention policies and the facts of a particular case. It is imperative that there be an established process for periodic monitoring and updating, so that the organization can show the court, if required, the steps it has in place.</p>
<p class="MsoNormal"><strong><span>Conclusion</span></strong></p>
<p class="MsoNormal">The above is just a bare-bones list of what electronic discovery laws require from counsel. The more planning and effort attorneys put into gathering information about the matter, selecting the appropriate document review and ESI vendors, and training and managing the document reviewers, the better positioned counsel will be to meet production deadlines, manage costs and avoid mistakes in the document review process.</p>
<p class="MsoNormal"><em>Patrick is a third-year law student at New York Law School, concentrating on privacy and internet law. He is currently working at the New York City Department of Investigation in the General Counsel&#8217;s office and Digital Forensic Investigative Unit. He is a Certified Information Privacy Professional and was selected as a 2008 International Association of Privacy Professionals Scholarship Recipient. Patrick is a decorated Iraq war veteran and served in the Army Reserves for eight years. He hopes to use his education and experience to bridge the gap between technology, law and information security.</em></p>
<p class="MsoNormal">Editor&#8217;s note: Patrick is currently managing law school, an internship and prepping for his CISSP (hopefully within the newly formed SCC study group). He&#8217;s going to focus on those efforts for a while, and will hopefully make a return to our pages in the spring. I really appreciate his efforts, insights and contributions, so thanks, Patrick. Now go kick some ass!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/11/electronic-information-retention-policy/feed/</wfw:commentRss>
		<feedburner:origLink>http://www.securitycatalyst.com/blog/2008/11/electronic-information-retention-policy/</feedburner:origLink></item>
		<item>
		<title>When Did My Personal Information Become Your Property?</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/451660090/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/11/when-did-my-personal-information-become-your-property/#comments</comments>
		<pubDate>Thu, 13 Nov 2008 10:12:06 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Catalyst Insights]]></category>

		<category><![CDATA[Information Protection]]></category>

		<category><![CDATA[Data]]></category>

		<category><![CDATA[human trafficking]]></category>

		<category><![CDATA[Personal Information]]></category>

		<category><![CDATA[property]]></category>

		<category><![CDATA[self]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=579</guid>
		<description><![CDATA[A colleague recently asked me this question.  It&#8217;s vital, because if my personal information belongs to someone else, then they can do whatever they want with it.  If data is property, then they can buy, sell, license, or give away my identity without my consent.  This puts me at risk, because I [...]]]></description>
			<content:encoded><![CDATA[<p>A colleague recently asked me this question.  It&#8217;s vital, because if my personal information <em>belongs</em> to someone else, then they can do whatever they want with it.  If data is property, then they can buy, sell, license, or give away my identity without my consent.  This puts me at risk, because I must rely on the good will of a third party to keep my identity secure.</p>
<p>But if personal information really were property, then I should be able to permanently sell, or &#8220;alienate,&#8221; it.  But unfortunately, I can&#8217;t sell personal information like a car. If I sell my car and the new owner paints it purple or runs it into a tree, it&#8217;s not my problem.  But we all know that if I sell my personal information and the new owner &#8220;crashes&#8221; my identity, I suffer.  Unlike all forms of property, personal information is inherently inalienable.  <strong>Unless you enter the witness protection program, you&#8217;re stuck with your identity no matter how many times you sell it, and no matter how many times it is crashed.</strong></p>
<h1>Data as Property</h1>
<p>Intellectual Property law does not generally treat personal information as property.<a name="note1" href="#footnote1"><sup>1</sup></a>  Most personal information, such as names, addresses, phone numbers, and social security numbers, consists of facts.  Facts are not copyrightable.<a name="note2" href="#footnote2"><sup>2</sup></a>  You can&#8217;t patent personal information,<a name="note3" href="#footnote3"><sup>3</sup></a> and it certainly isn&#8217;t a trade secret.<a name="note4" href="#footnote4"><sup>4</sup></a>  In short, nobody &#8220;owns&#8221; my name, including myself.  And if someone could &#8220;own&#8221; my name, it would most logically be my parents, since they created it.  But my mom can&#8217;t copyright my date of birth, and the government can&#8217;t patent my social security number.  My phone number is not an AT&amp;T trade secret, nor is it mine.</p>
<p>However, data often <em>behaves</em> like property, and so it is treated as such.  Like property, personal information has value. Entire multi-billion dollar industries thrive on the sale and exchange of personal information.  Next, like any form of property, personal information in databases can be shared, sold, licensed, stolen, or lost with remarkable efficiency.<a name="note5" href="#footnote5"><sup>5</sup></a> And unfortunately, you don&#8217;t have any constitutional right of privacy when you give your personal data to a third party.<a name="note6" href="#footnote6"><sup>6</sup></a></p>
<p>Some laws recognize that personal information has value.  For example, United States election law requires candidates to disclose the value of all in-kind campaign donations, including databases of potential voters.<a name="note7" href="#footnote7"><sup>7</sup></a>  Other federal and state statutes, such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, require corporations to account for the fair market value of assets, which may include customer data.  Even tort law says that some forms of privacy come from a trademark-like ownership of one&#8217;s name and likeness.<a name="note8" href="#footnote8"><sup>8</sup></a> And breach notification laws seem to assert that companies which collect personal information &#8220;own&#8221; it.<a name="note9" href="#footnote9"><sup>9</sup></a></p>
<h1>Data as Self</h1>
<p>But that isn&#8217;t the whole story.  Unlike every other form of property, you can&#8217;t alienate personal information (such as bank account numbers, credit scores, social security numbers, or police reports) even if a third party creates it.  Personal information is different from property, since property is presumptively alienable.</p>
<p>In the Information Age, you are not much more than &#8220;an electronic collage of bits of information, a digital person composed in the collective computer networks of the world.&#8221;<a name="note10" href="#footnote10"><sup>10</sup></a> In other words, a person may now be defined as just a few pieces of data.  This data is your <em>Data Self</em>. Your Data Self is a collection of your credit report, Facebook page, Google results, bank account numbers, archived e-mails, and an endless parade of other data.  Your Data Self is a digital alter-ego, with its own personality, dispositions, fallacies and mortality.  Your Data Self also has the power to enter contracts, grant access to your financial assets, have surgery, commit crimes, or be kidnapped.</p>
<p>When your Data Self belongs to someone else, it can be forced to act against <em>your</em> will.  If someone makes your Data Self sign a contract, you are bound by it.  If your Data Self is convicted of a crime, you can go to jail. If someone forces your Data Self to take out a loan, you must repay it.  If your Data Self has an operation, you may no longer qualify for medical insurance.  If your Data Self is abused, stolen, sold, manipulated, or forced to act against its will, you suffer the consequences. In this sense, &#8220;Identity Theft&#8221; might be more descriptively defined as &#8220;Digital Kidnapping.&#8221;  Identity Theft is when someone pretends to be you by &#8220;kidnapping&#8221; your Data Self, doing something bad, and you get blamed.</p>
<h2>Data IS Self</h2>
<p>In my view, this is a startling development.  As long as my Data Self is a third party&#8217;s possession, then they can also treat me like property.  The now popular crime of Identity Theft is the most visible consequence of this trend.  In fact, the very term <strong>&#8220;Identity Theft&#8221; epitomizes the clash between the <em>Data as Property</em> and <em>Data as Self</em> theories of personal information:  First, you have an alter-ego digital &#8220;identity&#8221; or Data Self; and second, your Data Self is subject to theft and abuse, like property</strong>.</p>
<p>Fortunately, the 13th Amendment ended slavery, and human muscle, once required for agriculture and labor, does not command the same economic premium in a post-industrial society.  Instead, a person&#8217;s economic value now lies in his access to financial assets and credit.  Our Data Selves are easy to coerce, and we are now worth more in bytes than in flesh and blood.  As long as Data Selves are digital property, new crimes similar to identity theft will continue to arise, and our society runs the sinister risk of a new form of human trafficking: A type of Digital Slavery, where third parties can own, abuse, and force Data Selves to act against their will.</p>
<p><em>Aaron Titus is the Privacy Director for the <a href="http://www.libertycoalition.net">Liberty Coalition</a>, and welcomes feedback.</em></p>
<hr />
<h3>Footnotes</h3>
<p><a name="footnote1"></a><a href="#note1">1</a>. 19 NO. 7 <em>Intell. Prop. &amp; Tech. L.J.</em> 5, 8<br />
<a name="footnote2"></a><a href="#note2">2</a>. <em>Feist Publications, Inc. v. Rural Telephone Service</em>, 499 U.S. 340, 363-64, 111 S.Ct. 1282, 1297 (1991) (Holding that an alphabetized collection of personal facts in a phone book is not copyrightable because 1. Facts are not copyrightable, and 2. The phone book lacks minimally creative selection, coordination, and arrangement. &#8220;As a statutory matter, 17 U.S.C. § 101 does not afford protection from copying to a collection of facts that are selected, coordinated, and arranged in a way that utterly lacks originality.&#8221;)<br />
<a name="footnote3"></a><a href="#note3">3</a>. 35 U.S.C.A. §§ 101-102.<br />
<a name="footnote4"></a><a href="#note4">4</a>. Facts in a database may qualify for trade secret protection under state law, but only if the information meets stringent requirements, and remains secret. 19 NO. 7 <em>Intell. Prop. &amp; Tech. L.J.</em> 5, 8.<br />
<a name="footnote5"></a><a href="#note5">5</a>. Identity Theft Resource Center, <a href="http://www.idtheftmostwanted.org/artman2/publish/lib_survey/Press_Release_-_2007_Breach_List.shtml"><em>Press Release - 2007 Breach List</em></a>; Privacy Rights Clearinghouse, <a href="http://www.privacyrights.org/ar/ChronDataBreaches.htm"><em>A Chronology of Data Breaches</em></a>.<br />
<a name="footnote6"></a><a href="#note6">6</a>. <em>United States v. Miller</em>, 425 U.S. 435, 443-44 (1976) (Holding that bank records have no fourth amendment protection, and are subject to government subpoena with no infringement of an individual&#8217;s rights).<br />
<a name="footnote7"></a><a href="#note7">7</a>. 2 U.S.C.A. § 431(8)(a).<br />
<a name="footnote8"></a><a href="#note8">8</a>. &#8220;Tort&#8221; law is common- or judge-made law that allows people to sue others for doing bad things. For example, the tort of Appropriation of Name or Likeness is when someone uses a person&#8217;s name or picture for financial gain: <em>Rest. 2d Torts</em> § 652C cmt a. (1977) (The Tort of Appropriation of Likeness gives the individual &#8220;exclusive use of his own identity, in so far as it is represented by his name or likeness, and in so far as the use may be of benefit to him or to others. Although the protection of his personal feelings against mental distress is an important factor leading to a recognition of the rule, the right created by it is in the nature of a property right, for the exercise of which an exclusive license may be given to a third person, which will entitle the licensee to maintain an action to protect it.&#8221;).<br />
<a name="footnote9"></a><a href="#note9">9</a>. <em>See, e.g.</em> Cal. Civ. Code § 1798.81.5(a).<br />
<a name="footnote10"></a><a href="#note10">10</a>. Solove, Daniel J., <em>The Digital Person</em>. New York University Press, New York. 2004. p. 2</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/11/when-did-my-personal-information-become-your-property/feed/</wfw:commentRss>
		<feedburner:origLink>http://www.securitycatalyst.com/blog/2008/11/when-did-my-personal-information-become-your-property/</feedburner:origLink></item>
		<item>
		<title>I prepare to depart Michigan with gifts for you</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/451260928/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/11/i-prepare-to-depart-michigan-with-gifts-for-you/#comments</comments>
		<pubDate>Thu, 13 Nov 2008 00:39:48 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Catalyst onTour]]></category>

		<category><![CDATA[Into the Breach]]></category>

		<category><![CDATA[Professional Speaking]]></category>

		<category><![CDATA[Security Awareness Training]]></category>

		<category><![CDATA[CSI]]></category>

		<category><![CDATA[into the breach]]></category>

		<category><![CDATA[Maryland]]></category>

		<category><![CDATA[Michigan]]></category>

		<category><![CDATA[ohio]]></category>

		<category><![CDATA[trustmark]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=587</guid>
		<description><![CDATA[
After a great week in Michigan, tonight we pack up and prepare to head to Ohio tomorrow. Friday promises to be busy and exciting – and then on Saturday, we head to Maryland (Metro DC) for a week. Which brings me to the gifts I promised:
Join a conversation, get a free copy (hardcover) of Into [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal">After a great week in Michigan, tonight we pack up and prepare to head to Ohio tomorrow. Friday promises to be busy and exciting – and then on Saturday, we head to Maryland (Metro DC) for a week. Which brings me to the gifts I promised:</p>
<h2>Join a conversation, get a free copy (hardcover) of <em>Into the Breach</em></h2>
<p class="MsoNormal">First – while in Maryland, I am attending CSI next week in support of the CompTIA Security Trustmark. It turns out that a chapter of <em>Into the Breach</em> examines how to evaluate, build and improve “third party trust” – what we need for success with our service providers and other vendors.</p>
<p class="MsoNormal">CompTIA Security Trustmark is hosting a handful of “catalyst conversations” to discuss my findings and examine how the industry handles this today, and what we can do in the future. This is not a sales pitch; rather, this is an opportunity to come together and work toward a common solution.</p>
<p class="MsoNormal">For those invited to attend, CompTIA will present you with your own copy of <em>Into the Breach</em> – which I will promptly autograph for you. Drop me an email – securitycatalyst (gmail) if you want to join us.</p>
<p class="MsoNormal">This leads me to my second offering…</p>
<h2>Not going to CSI? Do you want to?</h2>
<p class="MsoNormal">CSI was generous enough to share with me two ways for you to get involved:</p>
<p class="MsoNormal">* I can offer (I think) a free conference pass with full access – based on response. Here’s the deal – share with me the biggest challenge you face in changing how people protect information. The best answer gets a signed copy of the book and a pass to the show (I’ll hand you the book at the show).</p>
<p class="MsoNormal">* If you are already planning to attend, you can get 25% off your registration with code: <strong><span>BLOG25</span></strong></p>
<p class="MsoNormal">I will do my best to both tweet (twitter id: catalyst) from CSI and report on interesting talks/findings from the floor. I will also be taking a limited number of vendor meetings to learn more about the products and solutions that make it easier for people to protect information. Shoot me a note if there is a product you want me to check out and report back on. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/11/i-prepare-to-depart-michigan-with-gifts-for-you/feed/</wfw:commentRss>
		<feedburner:origLink>http://www.securitycatalyst.com/blog/2008/11/i-prepare-to-depart-michigan-with-gifts-for-you/</feedburner:origLink></item>
		<item>
		<title>(SCC) Catalyst Community Update for November 12, 2008</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/449670308/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/11/scc-catalyst-community-update-for-november-12-2008/#comments</comments>
		<pubDate>Tue, 11 Nov 2008 15:58:11 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Security Catalyst Community]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=585</guid>
		<description><![CDATA[
It has been an interesting two weeks – thanks to a catastrophic failure on the bulk of my web servers, caused by an unannounced dreamhost switch/migration that resulted in their setting all permissions incorrectly. It’s a long and boring story – loaded with insights for anyone involved in technology and customer service. But we’re [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal">It has been an interesting two weeks – thanks to a catastrophic failure on the bulk of my web servers, caused by an unannounced dreamhost switch/migration that resulted in their setting all permissions incorrectly. It’s a long and boring story – loaded with insights for anyone involved in technology and customer service. But we’re fixed – and I’m back.</p>
<p class="MsoNormal">The last few weeks have been pretty amazing; we have traveled the country from Upstate, NY to Kansas City…. Seattle…. And then back “East” to Detroit. We leave here on Thursday and head to Ohio for two days before heading on to the DC Metro area. CompTIA is sponsoring a book signing and give-away at the CSI show – so look for more details.</p>
<p class="MsoNormal">Last week – before the blizzards closed down sections of I-90 &#8212; we stopped on Monday at Mount Rushmore – and the entire family was taken with the effort on multiple levels. I was drawn to the history of the presidents – and will be spending more time learning about the character of these men, and the way they served themselves and their country. All very inspiring!!</p>
<p class="MsoNormal">Join the conversation. Take responsibility. Make a difference!</p>
<h2>Discussion Forum Activity</h2>
<p class="MsoNormal">I have noticed an exciting trend in the community – more and more people are coming together to “create.” The community is reaching another level (and I will be forming a team of volunteers to help improve the available tools) – and it is exciting to realize that by working together, we really <strong>can</strong> make a difference.</p>
<p class="MsoNormal">Here are three community-based efforts that you can contribute to, or learn from:</p>
<ul>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=1004.0">I&#8217;m starting an online CISSP study group (member driven)</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=1006.0">Explaining the WPA-TKIP issue to end users (TALK ABOUT TIMELY!!)</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=999.0">Red Flags (ID Theft)</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=1003.0">Starting an Incident Handling/Response Program (MUST READ!!)</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=1000.0">Security (or other) White Papers that stand out? (or that don&#8217;t suck)</a></li>
</ul>
<p class="MsoNormal">Upcoming Opportunities to Work Together or Meet in Person:</p>
<ul>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=695.0">New group added to LinkedIn: Log Analysis Professionals</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=1001.0">CSI Annual 2008 &#8212; Lunch Meetup for SCC Members</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=1005.0">Meetup at the 25th Chaos Computer Congress (Berlin)</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=1002.0">Shmoocon 2009</a></li>
</ul>
<h2>List of community bloggers and podcasters</h2>
<p class="MsoNormal">(I am working to ensure the list is accurate and separate out the blogs from the podcasts — let me know if you need to be updated/included)</p>
<p class="MsoNormal"><a href="http://www.securitycatalyst.org/forums/index.php?topic=28.0">What Security Blogs and Podcasts are represented in this community?</a> (http://www.securitycatalyst.org/forums/index.php?topic=28.0)</p>
<h2>Here are some recent blog posts from Community Members that you may have missed:</h2>
<ul>
<li> <a rel="bookmark" href="http://blog.didierstevens.com/2008/11/10/shoulder-surfing-a-malicious-pdf-author/">Shoulder Surfing a Malicious PDF Author (AN ABSOLUTE MUST READ)</a></li>
<li><a rel="bookmark" href="http://www.mckeay.net/2008/11/05/tips-for-starting-a-security-career/">Tips for starting a security career</a></li>
</ul>
<h2>About the Security Catalyst Community</h2>
<p class="MsoNormal">We are a positively focused and supportive community that unites passionate professionals to achieve three goals:</p>
<p class="MsoNormal" style="padding-left: 30px;">(1) Provide a community where it is acceptable to be vulnerable and ask for help when you need it</p>
<p class="MsoNormal" style="padding-left: 30px;">(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome - share what you have learned without fear.</p>
<p class="MsoNormal" style="padding-left: 30px;">(3) Participate in a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.</p>
<h2>Signing Up for the Security Catalyst Community</h2>
<p class="MsoNormal">Your participation is your currency (meaning there is no charge to join) - the more you contribute, the more you learn and the more valuable the community becomes to everyone (so dive in and share).</p>
<p class="MsoNormal"><strong>Registration Overview <span style="color: #ff0000;">(NOTE THE NAMING CONVENTION)</span></strong></p>
<ol>
<li>Go here: <a href="http://www.securitycatalyst.org/forums/" target="_blank">http://www.securitycatalyst.org/forums/</a></li>
<li>Select the register link</li>
<li><strong>Follow the naming standard: firstname.lastname (include the period between first and last names)</strong></li>
<li>Your account will be reviewed and approved</li>
<li>Jump in and share your thoughts!</li>
</ol>
<h2>Where is Michael - onTour Schedule &amp; Updates</h2>
<p class="MsoNormal">As we set out to journey the country, keep tabs on our schedule and opportunities to meet at <a href="http://www.catalystontour.tv">www.catalystontour.tv</a> or follow the progress of the book and speaking tour at <a href="http://www.intothebreach.com">www.intothebreach.com</a>. As always, if you are on the way (or in the city we are heading), please contact me directly so we can meet. Our RV is our home, and our home is always open to our friends.</p>
<p class="MsoNormal">I am also spending more time on twitter these days - and would love to engage in the conversation with you. You can learn more about twitter here: <a href="http://twitter.com/">http://twitter.com/</a> and “follow” and chat with me here: <a href="https://twitter.com/catalyst">https://twitter.com/catalyst</a></p>
<p class="MsoNormal"><strong>Coming Up:</strong></p>
<p class="MsoNormal">Once the RV is repaired (working on it now) and our laptops restored (also in progress), we head right back out – and amazingly, don’t really miss a beat!</p>
<ul type="disc">
<li class="MsoNormal">Week of November 10: Southern Michigan (DC Metro) and Ohio</li>
<li class="MsoNormal">Week of November 17: DC Metro – CSI Conference (look for more details) <strong>and</strong> Philadelphia, PA for a private briefing for the CSO Breakfast Club</li>
<li class="MsoNormal">Week of November 24: Albany, NY – then Hershey, PA</li>
<li class="MsoNormal">Week of December 1: Trenton, NJ</li>
<li class="MsoNormal">Week of December 8: Baltimore/Metro DC</li>
</ul>
<h2>Join The Security Catalyst LinkedIn Group</h2>
<p class="MsoNormal">For active members of the Security Catalyst Community: <a href="http://www.linkedin.com/groups?gid=27010">http://www.linkedin.com/groups?gid=27010</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/11/scc-catalyst-community-update-for-november-12-2008/feed/</wfw:commentRss>
		<feedburner:origLink>http://www.securitycatalyst.com/blog/2008/11/scc-catalyst-community-update-for-november-12-2008/</feedburner:origLink></item>
		<item>
		<title>Selective Notification</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/429483273/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/10/selective-notification/#comments</comments>
		<pubDate>Thu, 23 Oct 2008 10:05:29 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Into the Breach]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=548</guid>
		<description><![CDATA[As the Privacy Director for the Liberty Coalition, I have discovered and documented roughly 100 breaches on our website, SSNBreach.org.  There, any member of the public can search for his or her name to find out whether their personal information was exposed, under what conditions, and who&#8217;s responsible.  The vast majority of these [...]]]></description>
			<content:encoded><![CDATA[<p>As the Privacy Director for the <a href="http://www.libertycoalition.net">Liberty Coalition</a>, I have discovered and documented roughly 100 breaches on our website, <a href="https://www.ssnbreach.org">SSNBreach.org</a>.  There, any member of the public can search for his or her name to find out whether their personal information was exposed, under what conditions, and who&#8217;s responsible.  The vast majority of these breaches are unintentional.  Except for breaches by criminal ID theft rings, most breaches are due to ignorance, recklessness or plain stupidity, not maliciousness.</p>
<h2>Inside the Breach</h2>
<p>I recently announced such a breach by <a href="https://www.ssnbreach.org/release.php?g=101">East Burke High School</a> in the small North Carolina town of Connelly Springs.  In short, a staff member had placed personal information online for more than five years.  The victims included 163 teachers, bus drivers, custodians, and others who worked at East Burke High School in 2003.  The information exposed included names, social security numbers, addresses, phone numbers, job titles, e-mail addresses, and a few unlisted phone numbers.</p>
<p>I notified the school, which removed the file within 20 minutes, and also worked to clear search engine caches.  I then worked directly with the Superintendent, <a href="http://www.burke.k12.nc.us/">David Burleson</a>, who asked for my help drafting a letter to victims, which I was happy to do.  As I drafted the letter I put factual assumptions in [brackets], and for the sake of expediency omitted some of the instructions, replacing them with asterisks.  I handed him the letter and told him to review it for factual accuracy and run it by his legal counsel.  In addition to the brackets and asterisks, my draft of the letter committed the school district to do five things, including contracting with an identity theft protection company to provide free credit protection services to victims.</p>
<p>Days after I sent the letter to the school district, the Hickory Record ran a copy of <a href="http://www2.hickoryrecord.com/content/2008/sep/08/letter-east-burke-high-school-employees/">the letter as sent by the school district</a>, and I had to chuckle when I saw all of my brackets and asterisks still in the final copy.  For example, &#8220;As of now, [we don't have any evidence that anyone with bad intentions has seen your personal information].&#8221;  I also wanted their general counsel to confirm whether North Carolina allowed for credit freezes.  The final copy encourages victims to get a credit freeze, with a note to the general counsel: &#8220;[Note: Not all states allow a credit freeze].&#8221; And this omission for sake of expediency, &#8220;visit www.ftc.gov, and click on &#8220;***&#8221; for more information.&#8221;  The Hickory Record has since done some copy editing on behalf of the school district, and edited out the brackets.</p>
<h2>Therefore, What?</h2>
<p>Now in their defense, I&#8217;ve got to give the school district credit for making a good faith effort to notify their employees of the breach.  And I can&#8217;t be too critical of their failure to edit the letter, especially in a small school district with limited resources.</p>
<p>On the other hand, it turns out they <em>did</em> edit the letter.  The school district conveniently removed the promise to provide identity theft protection services to victims.  This selective editing is symptomatic of systemic problems with protecting consumer privacy:</p>
<ul>
<li><strong>The market does not value privacy</strong>.  Ensuring privacy is expensive, but the costs of violating privacy are small.  This means that there is a strong financial incentive to do as little as possible to prevent, announce, or clean up a breach.  The result is victims often don&#8217;t get all of the facts or protections they need.</li>
<li><strong>The fox is guarding the hen house</strong>.  A cruel irony of data breaches is that the responsible organization has a strong incentive to hide or skew the details.  Many breaches are under-reported or unreported, regardless of applicable law.  With <em>very</em> few exceptions, even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark.</li>
<li><strong>Privacy Naivety</strong>.  If you have ever asked customer service, &#8220;does your organization ever share my personal information with other organizations,&#8221; the answer is always (and incorrectly) &#8220;no.&#8221;  Unfortunately, consumers incorrectly assume that laws and privacy policies protect their personal information.  Employees incorrectly assume that their privacy practices are sound, while company policies often amount to little more than a privacy waiver.  An environment of naivety breeds carelessness and increases the risk of breaches.</li>
</ul>
<p>Consumers should always read breach announcements with a skeptical eye, and press the breaching organization for as much detail as possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/10/selective-notification/feed/</wfw:commentRss>
		<feedburner:origLink>http://www.securitycatalyst.com/blog/2008/10/selective-notification/</feedburner:origLink></item>
		<item>
		<title>Security Roundtable for October 11, 2008 - Social Media Ethics</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/428564142/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/10/security-roundtable-for-october-11-2008-social-media-ethics/#comments</comments>
		<pubDate>Wed, 22 Oct 2008 13:43:23 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Security Catalyst Community]]></category>

		<category><![CDATA[netcast]]></category>

		<category><![CDATA[ethics]]></category>

		<category><![CDATA[social media]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=577</guid>
		<description><![CDATA[
The world of blogging, podcasting and social media is a dynamic – and dominant – force in the way individuals share and consume information. In this fast-paced approach to sharing, we stop to consider the ethics involved.
With the help of Jennifer Leggio - social media expert, former journalist and friend of the Security Roundtable – we [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal">The world of blogging, podcasting and social media is a dynamic – and dominant – force in the way individuals share and consume information. In this fast-paced approach to sharing, we stop to consider the ethics involved.</p>
<p class="MsoNormal">With the help of Jennifer Leggio - social media expert, former journalist and friend of the Security Roundtable – we tackle the issue of ethics. During this highly informative roundtable discussion, we tackle the responsibility (and credibility) of bloggers and podcasters, and especially the individual responsibility of those consuming the information.</p>
<p class="MsoNormal">This episode is packed with ideas and comments that will get the juices flowing. If you want to continue the conversation with us – join us in the <a href="http://www.securitycatalyst.org/forums/index.php">Security Catalyst Community</a> (just pay attention to the naming standard – you must use your real name).</p>
<h2>Learn more about the participants:</h2>
<p class="MsoNormal"><strong>Jennifer Leggio</strong></p>
<p class="MsoNormal"><a href="http://blogs.zdnet.com/feeds/">http://blogs.zdnet.com/feeds/</a></p>
<p class="MsoNormal"><a href="http://mediaphyter.wordpress.com/">http://mediaphyter.wordpress.com/</a></p>
<p class="MsoNormal"><a href="http://twitter.com/mediaphyter">http://twitter.com/mediaphyter</a></p>
<p class="MsoNormal"><strong>Martin McKeay</strong></p>
<p class="MsoNormal"><a href="http://www.mckeay.net/">http://www.mckeay.net/</a></p>
<p class="MsoNormal"><a href="http://netsecpodcast.com/">http://netsecpodcast.com/</a></p>
<p class="MsoNormal"><a href="http://twitter.com/mckeay">http://twitter.com/mckeay</a></p>
<p class="MsoNormal"><strong>Michael Santarcangelo</strong></p>
<p class="MsoNormal"><a href="http://www.securitycatalyst.com/">http://www.securitycatalyst.com/</a></p>
<p class="MsoNormal"><a href="http://www.intothebreach.com/">http://www.intothebreach.com/</a> (books now available – eBook or hardcover)</p>
<p class="MsoNormal"><a href="http://twitter.com/catalyst">http://twitter.com/catalyst</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/10/security-roundtable-for-october-11-2008-social-media-ethics/feed/</wfw:commentRss>
			
<itunes:duration>40:29</itunes:duration>
		<itunes:subtitle>The world of blogging, podcasting and social media is a dynamic – and dominant – force in the way individuals share and consume information. In this ...</itunes:subtitle>
		<itunes:summary>The world of blogging, podcasting and social media is a dynamic – and dominant – force in the way individuals share and consume information. In this fast-paced approach to sharing, we stop to consider the ethics involved.
With the help of Jennifer Leggio - social media expert, former journalist and friend of the Security Roundtable – we tackle the issue of ethics. During this highly informative roundtable discussion, we tackle the responsibility (and credibility) of bloggers and podcasters, and especially the individual responsibility of those consuming the information.
This episode is packed with ideas and comments that will get the juices flowing. If you want to continue the conversation with us – join us in the Security Catalyst Community (just pay attention to the naming standard – you must use your real name).

Learn more about the participants:
Jennifer Leggio
http://blogs.zdnet.com/feeds/
http://mediaphyter.wordpress.com/
http://twitter.com/mediaphyter
Martin McKeay
http://www.mckeay.net/
http://netsecpodcast.com/
http://twitter.com/mckeay
Michael Santarcangelo
http://www.securitycatalyst.com/
http://www.intothebreach.com/ (books now available – eBook or hardcover)
http://twitter.com/catalyst

</itunes:summary>
		<itunes:keywords>Security,Catalyst,Community,netcast</itunes:keywords>
		<itunes:author>Michael J Santarcangelo, II | The Security Catalyst</itunes:author>
		<itunes:explicit>no</itunes:explicit>
		<itunes:block>No</itunes:block>
	<media:content url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/428564143/SRT-20081011.mp3" fileSize="38869658" type="audio/mpeg" /><feedburner:origLink>http://www.securitycatalyst.com/blog/2008/10/security-roundtable-for-october-11-2008-social-media-ethics/</feedburner:origLink><enclosure url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/428564143/SRT-20081011.mp3" length="38869658" type="audio/mpeg" /><feedburner:origEnclosureLink>http://www.securitycatalyst.com/blog/podpress_trac/feed/577/0/SRT-20081011.mp3</feedburner:origEnclosureLink></item>
		<item>
		<title>Catalyst Community Update for October 21, 2008</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/428072101/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/10/catalyst-community-update-for-october-21-2008/#comments</comments>
		<pubDate>Wed, 22 Oct 2008 02:04:48 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=574</guid>
		<description><![CDATA[After a great time at the Microsoft Small Business Summit, I flew home only to spend 5 hours on delay in the Newark airport. I was fine, but was missing the RV! Well, we got the RV back on Friday, loaded it up and headed out on Saturday. We arrived Sunday night in Kansas City [...]]]></description>
			<content:encoded><![CDATA[<p>After a great time at the Microsoft Small Business Summit, I flew home only to spend 5 hours on delay in the Newark airport. I was fine, but was missing the RV! Well, we got the RV back on Friday, loaded it up and headed out on Saturday. We arrived Sunday night in Kansas City - and I was honored to deliver the keynote for the Midwest Consolidated Security Forum today. It was a blast to see some old friends while making new ones, too.</p>
<p>Due to popular demand - James Costello and I will be hosting a session tomorrow on how to build an awareness program that works, based on our Pop Culture Security program (and yes, I am WAAAAY late on posting our next episode. I blame the thieves - and am almost caught up). Join us if you can! Thursday I am honored to be invited to the CCKC event - 7pm local time. It&#8217;s a busy week.</p>
<p>Next Stop? Seattle! I will be leading a session at the Secure World Seattle event &#8212; and hoping to meet many of the Security Twits and good friends in the area. Will be my first Halloween in Seattle - and we&#8217;re looking forward to it!</p>
<h2>Discussion Forum Activity</h2>
<p>Here are some recent discussions ripe for contribution or learning:</p>
<ul>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=992.0">Securing road warriors Hotspot usage</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=991.0">Snort Win32</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=990.0">OWASP EU Summit 2008</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=946.0">RSA Europe</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=989.0">Favorite Podcasts OUTSIDE of Security and Technology</a></li>
</ul>
<h2>List of community bloggers and podcasters</h2>
<p>(I am working to ensure the list is accurate and separate out the blogs from the podcasts - let me know if you need to be updated/included)</p>
<p><a href="http://www.securitycatalyst.org/forums/index.php?topic=28.0">What Security Blogs and Podcasts are represented in this community?</a> (http://www.securitycatalyst.org/forums/index.php?topic=28.0)</p>
<h2>About the Security Catalyst Community</h2>
<p>We are a positively focused and supportive community that unites passionate professionals to achieve three goals:</p>
<p>(1) Provide a community where it is acceptable to be vulnerable and ask for help when you need it</p>
<p>(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome - share what you have learned without fear.</p>
<p>(3) Participate in a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.</p>
<h2>Signing Up for the Security Catalyst Community</h2>
<p>Your participation is your currency (meaning there is no charge to join) - the more you contribute, the more you learn and the more valuable the community becomes to everyone (so dive in and share).</p>
<p><strong>Registration Overview (NOTE THE NAMING CONVENTION)</strong></p>
<ol>
<li>Go here: http://www.securitycatalyst.org/forums/</li>
<li>Select the register link</li>
<li><strong>Follow the naming standard: firstname.lastname (include the period between first and last names)</strong></li>
<li>Your account will be reviewed and approved</li>
<li>Jump in and share your thoughts!</li>
</ol>
<h2>Where is Michael - onTour Schedule &amp; Updates</h2>
<p>As we set out to journey the country, keep tabs on our schedule and opportunities to meet at <a href="http://www.catalystontour.tv">www.catalystontour.tv</a> or follow the progress of the book and speaking tour at <a href="http://www.intothebreach.com">www.intothebreach.com</a>. As always, if you are on the way (or in the city we are heading), please contact me directly so we can meet. Our RV is our home, and our home is always open to our friends.</p>
<p>I am also spending more time on twitter these days - and would love to engage in the conversation with you. You can learn more about twitter here: <a href="http://twitter.com/">http://twitter.com/</a> and &#8220;follow&#8221; and chat with me here: <a href="https://twitter.com/catalyst">https://twitter.com/catalyst</a></p>
<p><strong>Coming Up:</strong></p>
<ul type="disc">
<li>Week of October 20: Kansas City for the MCSF Keynote <a href="http://www.mcsfonline.org/">http://www.mcsfonline.org/</a></li>
<li>Week of October 27: Seattle - Secure World Seattle (look for more details coming soon)</li>
<li>Week of November 3: Portland, Oregon, Keynote for: <a href="http://www.nwsecurityconference.com">http://www.nwsecurityconference.com</a></li>
<li>Week of November 10: (transit back to East Coast, perhaps via Dallas)</li>
<li>Week of November 17: DC Metro - CSI Conference (look for more details) <strong>and</strong> Philadelphia, PA for a private briefing for the CSO Breakfast Club</li>
</ul>
<h2>Join The Security Catalyst LinkedIn Group</h2>
<p>For active members of the Security Catalyst Community</p>
<p><a href="http://www.linkedin.com/groups?gid=27010">http://www.linkedin.com/groups?gid=27010</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/10/catalyst-community-update-for-october-21-2008/feed/</wfw:commentRss>
		<feedburner:origLink>http://www.securitycatalyst.com/blog/2008/10/catalyst-community-update-for-october-21-2008/</feedburner:origLink></item>
		<item>
		<title>Vacuums and Security</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/423600404/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/10/vacuums-and-security/#comments</comments>
		<pubDate>Fri, 17 Oct 2008 10:52:48 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Information Protection]]></category>

		<category><![CDATA[change]]></category>

		<category><![CDATA[security]]></category>

		<category><![CDATA[vacuum]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=569</guid>
		<description><![CDATA[By Adam Dodge
This weekend I finally did it. I was tired of the sub-par performance. Tired of being forced to redo the same job over and over again to get it right. Just plain tired of nothing working like it should. So I broke down. I had just had enough. This weekend I bought myself [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Adam Dodge</strong></p>
<p>This weekend I finally did it. I was tired of the sub-par performance. Tired of being forced to redo the same job over and over again to get it right. Just plain tired of nothing working like it should. So I broke down. I had just had enough. This weekend I bought myself a new vacuum.</p>
<p>That&#8217;s right, yours truly is the proud owner of a fancy new vacuum cleaner and, believe me, it was well worth the purchase price. The amount of - let&#8217;s call it crud - crud that I pulled off my floor was downright sickening. Yet, it was also amazing. Here I thought that I was actually cleaning when vacuuming and all I was doing was tricking myself. Yes indeed, the vacuum was an excellent purchase. As an added bonus, I now have all these new attachments with which to play.</p>
<p>So what does all of this have to do with information security? Plenty. Anyone working in the information security field knows the pain of trying to institute necessary changes and running into the all too frequent wall called &#8220;I&#8217;ve been doing it this way for X years&#8221;. (This wall is also known as &#8220;Other organizations are doing it this way&#8221;.) Like me with my broken vacuum, people are comfortable with familiarity and often resist changing until absolutely necessary.</p>
<p>One of the tenets that gets tossed around when implementing any type of security controls is to make the process as transparent as possible to the target audience. Generally, we take this to mean that the controls should be hidden away from the end user as much as possible. However, there is a better way. Whenever possible, we need to <strong>improve security by implementing solutions that offer minimal differences</strong> in all aspects. In other words, replace the broken vacuum with a new one, not a mop.</p>
<p>However, simply because I replaced my old, broken vacuum with a shiny new one does not mean that I will be happy with the purchase. After all, if my new vacuum required complicated setup or extra operating steps (for example, constantly having to change a bag) I would be annoyed. Luckily this was not the case: two screws and an on-off switch equals a happy Adam. The same is true for any new security controls. Replacing a control with a better, yet unfamiliar, control<strong> will only lead to frustration and avoidance of the new control</strong>.</p>
<p>Of course, new additions are not always a bad thing. For example, my vacuum came with a few attachments that I did not have before. Some of these attachments, like the upholstery cleaner, are welcome additions. (Long, white haired cat plus upholstery equals a chore!) However, other attachments, such as the &#8220;electro-static duster&#8221;, are not so useful.</p>
<p>The best part is that these additional components do not affect the main operation of the vacuum. The same should hold true for any security improvements we try to implement. Optional services need to be just that, optional. While these geegaws may add value, <strong>the main focus of the control needs to be the basic functionality of the control</strong>.</p>
<p>So there it is. Frustration with a bad vacuum cleaner leads to thoughts on how best to approach replacing outdated or non-functioning security controls. My mind works in mysterious ways. What are you still doing here? Go out and start selling vacuums at your organization.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/10/vacuums-and-security/feed/</wfw:commentRss>
		<feedburner:origLink>http://www.securitycatalyst.com/blog/2008/10/vacuums-and-security/</feedburner:origLink></item>
		<item>
		<title>What’s Your Personal Unique Selling Proposition?</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/422533380/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/10/what%e2%80%99s-your-personal-unique-selling-proposition/#comments</comments>
		<pubDate>Thu, 16 Oct 2008 10:52:31 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Catalyst Insights]]></category>

		<category><![CDATA[Information Protection]]></category>

		<category><![CDATA[marketing]]></category>

		<category><![CDATA[security]]></category>

		<category><![CDATA[USP]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=571</guid>
		<description><![CDATA[
By Joe Coates
Picture this.  You get on the elevator and realize you are alone with the CEO of your organization.  He looks at you and says, “Tell me in 25 words or less what you do and why it is important to this company.”
What would you say?  Do you have an answer prepared?  Does your [...]]]></description>
			<content:encoded><![CDATA[<p><!--StartFragment--></p>
<p class="MsoNormal"><strong>By Joe Coates</strong></p>
<p class="MsoNormal">Picture this. You get on the elevator and realize you are alone with the CEO of your organization. He looks at you and says, “Tell me in 25 words or less what you do and why it is important to this company.”</p>
<p class="MsoNormal">What would you say? Do you have an answer prepared? Does your answer have words like “synergize” or “leverage” or other corporate vision-speak that means next to nothing?</p>
<p class="MsoNormal">As the current financial credit crisis spreads across the globe, it is imperative to your career that you give serious thought to crafting a Personal Unique Selling Proposition (USP) for your job.</p>
<p class="MsoNormal">So what’s a USP? The term was coined by an advertising and marketing heavyweight named Rosser Reeves in his 1961 book <span style="text-decoration: underline;">Reality In Advertising.</span> I believe the idea was best described by Dan Kennedy. He says your USP needs to communicate to your audience why they should choose you over all their other alternatives, including doing nothing. So from a Personal USP perspective, think about why your organization should choose you, above all other alternatives, to deliver the results you are expected to deliver.</p>
<p class="MsoNormal">Probably the most famous USP in recent history is Domino’s classic “Fresh, hot pizza delivered in 30 minutes or less, guaranteed.” Domino’s chose to focus on their ability to get the pizza to their customers hot and in a half hour or less. They never claimed the pizza would be any good. And thanks to that USP, they sold a lot of pizzas that were not very good. But they were hot, and they came pretty quick, and you didn’t have to go get ‘em.</p>
<p class="MsoNormal">Michael Santarcangelo’s USP for his terrific book <span style="text-decoration: underline;"><a href="http://www.intothebreach.com/" target="_blank">Into The Breach</a></span> is his approach to protecting information by educating actual living, breathing, thinking human beings on how to consciously protect information. So while the market is preaching from the gospel of “Technology Will Save You”, Michael’s approach is to say technology is necessary and useful, but ultimately not enough if the people responsible for protecting information aren’t aware of the potential effects of their actions.</p>
<p class="MsoNormal">So how can you create a personal USP? This is a great mind mapping exercise. Start by plotting out what you are responsible for, and how that impacts the organization you work in. What organizations do you directly touch? What financial impact does your work have on the organization? What would happen if your role was eliminated?</p>
<p class="MsoNormal">Take your time with this. It is well worth the effort. So much of the marketing we are exposed to on a minute by minute basis is focused on being cute and clever, not on delivering an impactful statement on what makes the product or service unique. For inspiration take a good look around at Michael’s Security Catalyst website and see how his positioning is so different from the rest of the IT security consulting marketplace. Then, for the rest of the day really ponder the ads, PowerPoint presentations (UGH!), radio spots and TV commercials and notice if any of them communicate a unique message about what they are selling. My guess is you’ll find less than 10% do. More likely less than 5%.</p>
<p class="MsoNormal">In closing, remember what Thomas Edison said: “Opportunity is missed because it is dressed in overalls and looks like work.” Do the hard work to develop your Personal USP. Then deliver on it and see the difference it makes in your career.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/10/what%e2%80%99s-your-personal-unique-selling-proposition/feed/</wfw:commentRss>
		<feedburner:origLink>http://www.securitycatalyst.com/blog/2008/10/what%e2%80%99s-your-personal-unique-selling-proposition/</feedburner:origLink></item>
		<item>
		<title>Join me in Kansas City - next Thursday (October 23, 7pm)</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/421502528/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/10/join-me-in-kansas-city-next-thursday-october-23-7pm/#comments</comments>
		<pubDate>Wed, 15 Oct 2008 12:04:23 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Catalyst onTour]]></category>

		<category><![CDATA[Professional Speaking]]></category>

		<category><![CDATA[into the breach]]></category>

		<category><![CDATA[kansas city]]></category>

		<category><![CDATA[onTour]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=567</guid>
		<description><![CDATA[While in Kansas City next week, I have been invited (Thanks Ax0n!) to the Cowtown Computer Congress - and look forward to a relaxing - and engaging evening. If you are in or near the Kansas City area, I hope you make the time to come and spend time with other passionate professionals.
More details here: http://www.h-i-r.net/2008/10/catalyst-on-tour-michael-santarcangelo.html
]]></description>
			<content:encoded><![CDATA[<p>While in Kansas City next week, I have been invited (Thanks Ax0n!) to the <a href="http://cowtowncomputercongress.org/">Cowtown Computer Congress</a> - and look forward to a relaxing - and engaging evening. If you are in or near the Kansas City area, I hope you make the time to come and spend time with other passionate professionals.</p>
<p>More details here: http://www.h-i-r.net/2008/10/catalyst-on-tour-michael-santarcangelo.html</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/10/join-me-in-kansas-city-next-thursday-october-23-7pm/feed/</wfw:commentRss>
		<feedburner:origLink>http://www.securitycatalyst.com/blog/2008/10/join-me-in-kansas-city-next-thursday-october-23-7pm/</feedburner:origLink></item>
		<item>
		<title>Announcing the Into the Breach eBook edition — with special offer (free, as in beer)</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/420916946/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/10/announcing-the-into-the-breach-ebook-edition-with-special-offer-free-as-in-beer/#comments</comments>
		<pubDate>Tue, 14 Oct 2008 21:14:33 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=565</guid>
		<description><![CDATA[Into the Breach is currently available in hardcover edition - and can be purchased directly from the intothebreach.com website, amazon.com and your favorite bookseller. Walking through the airport(s) today, I realized this is a book designed for reading on an airplane (but I digress&#8230;)
I previously announced that a Kindle version is available on amazon.com. While [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.intothebreach.com/" target="_blank">Into the Breach</a> is currently available in hardcover edition - and can be purchased directly from the <a href="http://www.intothebreach.com/" target="_blank">intothebreach.com</a> website, amazon.com and your favorite bookseller. Walking through the airport(s) today, I realized this is a book designed for reading on an airplane (but I digress&#8230;)</p>
<p>I previously announced that a Kindle version is available on amazon.com. While I am working on the audio book edition, we took a different approach with the eBook version. The content is the same, but we engaged Designs by Reese (who did a fabulous job!) to convert the words into a design that is easier to read on the screen, or to print and make notes on. By literally designing the eBook, we were able to use landscape mode, leave plenty of whitespace and choose fonts that make it easy to read and follow along.</p>
<p>I am pleased to announce the eBook version is ready to share!</p>
<p>The ordering mechanism is just about completed, so to celebrate the eBook and our relaunch of <a href="http://www.catalystontour.tv/" target="_blank">Catalyst onTour</a>, I am going to offer free copies of the Into the Breach eBook to my fellow catalysts connected to me through LinkedIn. I anticipate sending out the codes at the end of the week.</p>
<p>The book is, of course, for sale - and when you visit intothebreach.com, you will also be able to select a hand-signed edition - personalized - for you at no additional charge. But if you want to get a copy of the eBook for no charge and with no strings attached, then we need to be connected.</p>
<h2>Why LinkedIn?</h2>
<p>Why not? Seriously, though, the goal of the book is to help solve problems. Catalyst onTour is about bringing an optimistic message, proven approach and support necessary for introducing change around North America (of course, we&#8217;re happy to travel the world, too). I see LinkedIn as a viable way to build connections and improve how I am able to help others. Throughout our travels, we hope to leverage LinkedIn to meet up with friends, meet new people and keep connected.</p>
<h2>Connect with me on LinkedIn</h2>
<p>Connecting to me is easy - my public profile is here: <a href="http://www.linkedin.com/in/securitycatalyst" target="_blank">http://www.linkedin.com/in/securitycatalyst</a></p>
<p>And if you want to send an email to connect us, feel free to use my securitycatalyst at gmail address and we&#8217;ll be connected! In addition to the eBook codes (and trip update) I&#8217;ll be sharing later this week, do not hesitate to contact me if I can help you in personal or professional ways.</p>
<p>I look forward to journeying <em>Into the Breach</em> with you and changing the way people protect information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/10/announcing-the-into-the-breach-ebook-edition-with-special-offer-free-as-in-beer/feed/</wfw:commentRss>
		<feedburner:origLink>http://www.securitycatalyst.com/blog/2008/10/announcing-the-into-the-breach-ebook-edition-with-special-offer-free-as-in-beer/</feedburner:origLink></item>
		<item>
		<title>Catalyst Community Update for October 14, 2008</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/420471613/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/10/catalyst-community-update-for-october-14-2008/#comments</comments>
		<pubDate>Tue, 14 Oct 2008 11:56:18 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Security Catalyst Community]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=561</guid>
		<description><![CDATA[It is with excitement that I board an airplane this morning bound for Redmond, Washington. I am participating in the Microsoft Small Business Summit – speaking on not only the protection of information, but also how the return to fundamentals outlined in Into the Breach allows companies to improve profits and reduce spending. We all [...]]]></description>
			<content:encoded><![CDATA[<p>It is with excitement that I board an airplane this morning bound for Redmond, Washington. I am participating in the Microsoft Small Business Summit – speaking on not only the protection of information, but also how the return to fundamentals outlined in Into the Breach allows companies to improve profits and reduce spending. We all know making or saving money while improving how information is protected is essential these days – and I am excited and honored to share my research and insights with those who tune in. </p>
<p class="MsoNormal">Please make some time tomorrow (Wednesday) to join me live! </p>
<p class="MsoNormal"><a href="http://www.microsoft.com/smallbusiness/summit/" target="_blank">http://www.microsoft.com/smallbusiness/summit/</a></p>
<p class="MsoNormal">When I get back on Thursday, we load up the RV and head back out onTour – <a href="http://www.mcsfonline.org/" target="_blank">next stop, Kansas City</a>. Let’s make some time to meet up while I am there. Plans are in the works, with more details to follow soon.</p>
<h2>Discussion Forum Activity</h2>
<p class="MsoNormal">Here are some recent discussions ripe for contribution or learning:</p>
<ul>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=958.0">OPSEC for Out of Office Replies&#8230;</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=987.0">Looking for an Online Writing Course</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=986.0">Google Localisation Settings Break Link to Reader from GMail</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=602.0">How to proof a 40-bit SSL certificate is not strong enough</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=887.0">Getting SAM Database</a></li>
</ul>
<p class="MsoNormal">Upcoming Places to Meet (and interesting Off-topic conversations)</p>
<ul>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=261.0">Midwest Consolidated Security Forum</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=946.0">RSA Europe</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=985.0">Information Security Decisions 08 Nov 4 - 6, 2008</a></li>
<li><a class="nav" href="http://www.securitycatalyst.org/forums/index.php?topic=989.0">Favorite Podcasts OUTSIDE of Security and Technology</a></li>
</ul>
<h2>List of community bloggers and podcasters</h2>
<p class="MsoNormal">(I am working to ensure the list is accurate and separate out the blogs from the podcasts — let me know if you need to be updated/included)</p>
<p class="MsoNormal"><a href="http://www.securitycatalyst.org/forums/index.php?topic=28.0"><span>What Security Blogs and Podcasts are represented in this community?</span></a> (http://www.securitycatalyst.org/forums/index.php?topic=28.0)</p>
<h2>Here are some recent blog posts from Community Members that you may have missed:</h2>
<ul>
<li><a title="Permanent Link to Secure Software is Sexy" rel="bookmark" href="http://un-excogitate.org/archives/2008/10/08/secure-software-is-sexy/">Secure Software is Sexy</a></li>
<li><a title="Read entry: Chip-and-PIN Not the Answer (Again!)" href="http://treasuryinstitute.org/blog/index.php?itemid=185">Chip-and-PIN Not the Answer (Again!)</a></li>
<li><a href="http://securethink.blogspot.com/2008/10/symantecs-vision.html">Symantec&#8217;s vision&#8230;</a></li>
</ul>
<h2>About the Security Catalyst Community</h2>
<p class="MsoNormal"> We are a positively focused and supportive community that unites passionate professionals to achieve three goals:</p>
<p class="MsoNormal" style="padding-left: 30px;">(1) Provide a community where it is acceptable to be vulnerable and ask for help when you need it</p>
<p class="MsoNormal" style="padding-left: 30px;">(2) Create a community where anyone with an idea can share their approach in the pursuit of helping another. If today is your first day in security, welcome - share what you have learned without fear.</p>
<p class="MsoNormal" style="padding-left: 30px;">(3) Participate in a forum where members can share their passions, expand their thinking and find support with others who believe in making a positive difference.</p>
<h2>Signing Up for the Security Catalyst Community</h2>
<p class="MsoNormal">Your participation is your currency (meaning there is no charge to join) - the more you contribute, the more you learn and the more valuable the community becomes to everyone (so dive in and share).</p>
<p class="MsoNormal"><strong>Registration Overview (NOTE THE NAMING CONVENTION)</strong></p>
<ol>
<li>Go here: <a href="http://www.securitycatalyst.org/forums/" target="_blank">http://www.securitycatalyst.org/forums/</a></li>
<li>Select the register link</li>
<li><strong>Follow the naming standard: firstname.lastname (include the period between first and last names)</strong></li>
<li>Your account will be reviewed and approved</li>
<li>Jump in and share your thoughts!</li>
</ol>
<h2>Where is Michael - onTour Schedule &amp; Updates</h2>
<p class="MsoNormal">As we set out to journey the country, keep tabs on our schedule and opportunities to meet at <a href="http://www.catalystontour.tv"><span>www.catalystontour.tv</span></a> or follow the progress of the book and speaking tour at <a href="http://www.intothebreach.com"><span>www.intothebreach.com</span></a>. As always, if you are on the way (or in the city we are heading), please contact me directly so we can meet. Our RV is our home, and our home is always open to our friends.</p>
<p class="MsoNormal">I am also spending more time on twitter these days - and would love to engage in the conversation with you. You can learn more about twitter here: <a href="http://twitter.com/"><span>http://twitter.com/</span></a> and “follow” and chat with me here: <span><a href="https://twitter.com/catalyst">https://twitter.com/catalyst</a></span></p>
<p class="MsoNormal"><strong>Coming Up:</strong></p>
<p class="MsoNormal">Once the RV is repaired (working on it now) and our laptops restored (also in progress), we head right back out – and amazingly, don’t really miss a beat!</p>
<ul type="disc">
<li class="MsoNormal">Week of October 13: Seattle for the MSFT Small Business Summit <a href="http://www.microsoft.com/smallbusiness/summit/"><span>http://www.microsoft.com/smallbusiness/summit/</span></a></li>
<li class="MsoNormal">Week of October 20: Kansas City for the MCSF Keynote <a href="http://www.mcsfonline.org/"><span>http://www.mcsfonline.org/</span></a></li>
<li class="MsoNormal">Week of October 27: Seattle – Secure World Seattle (look for more details coming soon)</li>
<li class="MsoNormal">Week of November 3: Portland, Oregon, Keynote for: <a href="http://www.nwsecurityconference.com"><span>http://www.nwsecurityconference.com</span></a></li>
<li class="MsoNormal">Week of November 10: (transit back to East Coast, perhaps via Dallas)</li>
<li class="MsoNormal">Week of November 17: DC Metro – CSI Conference (look for more details) <strong>and</strong> Philadelphia, PA for a private briefing for the CSO Breakfast Club</li>
</ul>
<h2>Join The Security Catalyst LinkedIn Group</h2>
<p class="MsoNormal">For active members of the Security Catalyst Community</p>
<p class="MsoNormal"><a href="http://www.linkedin.com/groups?gid=27010"><span>http://www.linkedin.com/groups?gid=27010</span></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/10/catalyst-community-update-for-october-14-2008/feed/</wfw:commentRss>
		<feedburner:origLink>http://www.securitycatalyst.com/blog/2008/10/catalyst-community-update-for-october-14-2008/</feedburner:origLink></item>
		<item>
		<title>Join me at the Microsoft Small Business Summit This Wednesday</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/419830916/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/10/join-me-at-the-microsoft-small-business-summit-this-wednesday/#comments</comments>
		<pubDate>Mon, 13 Oct 2008 20:08:24 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Catalyst onTour]]></category>

		<category><![CDATA[Information Protection]]></category>

		<category><![CDATA[Into the Breach]]></category>

		<category><![CDATA[Professional Speaking]]></category>

		<category><![CDATA[catalyst]]></category>

		<category><![CDATA[into the breach]]></category>

		<category><![CDATA[microsoft]]></category>

		<category><![CDATA[SMB]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=563</guid>
		<description><![CDATA[I am honored to be a speaker on protecting information for the Microsoft Small Business Summit on Wednesday. I fly out to Redmond on Tuesday morning - and have my moments during the day on Wednesday.
You can follow along live! At this link:
http://www.microsoft.com/smallbusiness/summit/
I am a day 2 speaker - with an impressive lineup of guests:
http://www.microsoft.com/smallbusiness/summit/guests.aspx
This [...]]]></description>
			<content:encoded><![CDATA[<p>I am honored to be a speaker on protecting information for the Microsoft Small Business Summit on Wednesday. I fly out to Redmond on Tuesday morning - and have my moments during the day on Wednesday.</p>
<p>You can follow along live! At this link:</p>
<p><a href="http://www.microsoft.com/smallbusiness/summit/">http://www.microsoft.com/smallbusiness/summit/</a></p>
<p>I am a day 2 speaker - with an impressive lineup of guests:</p>
<p><a href="http://www.microsoft.com/smallbusiness/summit/guests.aspx">http://www.microsoft.com/smallbusiness/summit/guests.aspx</a></p>
<p>This is a live program, but I have been working with the producers for a few weeks now - and I am excited about the questions, thought process and opportunity to share some different thinking about what businesses need to do to protect themselves. More, we&#8217;re also going to explore how the right approach to protecting your business can actually save money and increase the opportunity for more revenue (as outlined in <em><a href="http://www.intothebreach.com/" target="_blank">Into the Breach</a></em>). To me, that&#8217;s a really cool conversation.</p>
<p>I hope you check it out. I look forward to the opportunity to continue the conversations through this blog, the podcast(s) and as we fire up the diesel and head out on the road again (Friday - next stop, Kansas City!).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/10/join-me-at-the-microsoft-small-business-summit-this-wednesday/feed/</wfw:commentRss>
		<feedburner:origLink>http://www.securitycatalyst.com/blog/2008/10/join-me-at-the-microsoft-small-business-summit-this-wednesday/</feedburner:origLink></item>
		<item>
		<title>Are you making it easier for people to do their jobs?</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/419492957/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/10/are-you-making-it-easier-for-people-to-do-their-jobs/#comments</comments>
		<pubDate>Mon, 13 Oct 2008 13:02:35 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Catalyst Insights]]></category>

		<category><![CDATA[Information Protection]]></category>

		<category><![CDATA[Into the Breach]]></category>

		<category><![CDATA[catalyst]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=559</guid>
		<description><![CDATA[If you have heard me speak publicly, you know I advocate that the role of a security professional is to make it easier for others to do their jobs - while protecting information.
To be clear, this does not diminish network security, network operations or anything of the sort. That directly supports my point: done properly, [...]]]></description>
			<content:encoded><![CDATA[<p>If you have heard me speak publicly, you know I advocate that the role of a security professional is to make it easier for others to do their jobs - while protecting information.</p>
<p>To be clear, this does not diminish network security, network operations or anything of the sort. That directly supports my point: done properly, the network operates in a way that does not impose a burden on users.</p>
<p>While at the &#8220;Apple Festival&#8221; last weekend, we took time to visit one of my favorite exhibits - a museum of working, but retired, farm equipment. Much of it is from turn of the century through the 1960s. Some of the equipment was routinely used in the act of farming and other support roles until the 1980s and 1990s.</p>
<p>I can&#8217;t explain why, but I have always been drawn to pickup trucks, tractors and flashlights. So to see a working series of tractors far older than I am is simply amazing. As a kinesthetic learner, I am immediately transported back in time - and allow myself to be fully absorbed in the moment. I love learning. Period. But I really love learning about history - and specifically how improvements shifted the way things were done.</p>
<p>That brings us back to security. I have a sense that many organizations have lost sight of what they do, what they provide. The recent break-in and burglary of our RV put us in contact with a lot of different organizations. The responses have been interesting - and illuminating. And when the emotion has had a chance to subside a bit, I&#8217;ll post a transparent account of what we learned. What I can share today is that many organizations have lost a sense of who they are, what they do and who they serve.</p>
<p>But it is not too late!</p>
<p>Last Sunday, I watched simple - yet powerful and impressive - machines in action. What struck me most was the fact that these machines were designed and used to make it easier for people (farmers, in this case) to do their jobs. They allowed them to do more with less, expand their farms, provide for more people or make more money with the resources they had. These simple machines (especially by today&#8217;s standards) were powered independently, easy to understand, use and repair. Did I mention they still work?</p>
<p>In fact, these machines were so simple that my five year old could quickly and easily understand what they were, what they did and how they worked. Can you say the same about the way information is protected in your organization?</p>
<p>The more we travel, the more I meet with people who explain their elegant laptop encryption solutions, extravagant VPNs and other measures to protect information. But when I have the opportunity to work with the people upon whom these &#8216;solutions&#8217; are inflicted, I find that the solutions were not designed and implemented with people in mind; as a result, they actually make it harder for people to do their jobs. <strong>This brings the unintended consequence of further disconnecting people from their responsibility to protect information - and ultimately creates more risk that is more difficult to assess, measure and manage.</strong></p>
<p>I wrote <strong><em><a href="http://www.intothebreach.com">Into the Breach</a></em></strong> to present a straightforward solution that any organization can use to make an immediate difference in the way people protect information. We are launching the <strong>Protecting Information Program</strong> to provide the additional guidance, insight and accountability people need to make the shift. I look forward to the opportunity to meet and support your efforts to make the change and join me in the challenge to change the way people protect information.</p>
<p>Until then, when you can, go check out some old farm equipment - and notice how it made it easier for people to do their jobs. Then ask yourself a simple question: is the solution I am working on going to make it easier for people to do their jobs?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/10/are-you-making-it-easier-for-people-to-do-their-jobs/feed/</wfw:commentRss>
		<feedburner:origLink>http://www.securitycatalyst.com/blog/2008/10/are-you-making-it-easier-for-people-to-do-their-jobs/</feedburner:origLink></item>
		<item>
		<title>Red Flag Rules:  How to make sure you are ready</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/416679994/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/10/red-flag-rules-how-to-make-sure-you-are-ready/#comments</comments>
		<pubDate>Fri, 10 Oct 2008 10:48:13 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Information Protection]]></category>

		<category><![CDATA[FTC red flag]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=556</guid>
		<description><![CDATA[By Patrick Romero, CIPP
In case you haven’t heard, starting on November 1st, 2008 the FTC will require financial institutions and creditors to develop and implement written identity theft prevention programs. The Red Flag and Address Discrepancy Under the Fair and Accurate Credit Act of 2003, also known as “Red Flag” rules, are intended to formally [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Patrick Romero, CIPP</strong></p>
<p>In case you haven’t heard, starting on November 1st, 2008 the FTC will require financial institutions and creditors to develop and implement written identity theft prevention programs. The <em><a href="http://www.ftc.gov/os/fedreg/2006/july/060718idtheftredflags.pdf">Red Flag and Address Discrepancy Under the Fair and Accurate Credit Act of 2003</a></em>, also known as the “Red Flag” rules, are intended to formally detect, prevent and mitigate identity theft.</p>
<p><strong>Are you a creditor?</strong></p>
<p>Many think that the Red Flag provisions apply mostly to banks, other financial institutions and credit card issuers. However, some of the obligations affect any entity considered to be a creditor. Federal statutes define a creditor as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” 15 U.S.C. §1691a(e), §1681a(r)(5); 16 C.F.R. §681.2(b)(4).</p>
<p>What this means is that organizations like automobile dealers, mortgage brokers, utility companies, non-bank financial services firms that provide money market accounts and institutions of higher education can also be considered creditors. As you can tell, this list is pretty extensive, and many organizations will have a rude awakening when they learn they are considered a “creditor” with no Red Flag rules in place.</p>
<p><strong>What does compliance entail?</strong></p>
<p>Fortunately, compliance with the Red Flags Rule does not have to be too difficult, since it allows for flexibility depending on the creditor’s activities and the level of identity theft risk associated with the relevant covered accounts. For example, a large health care provider will be required to develop a detailed identity-theft prevention program, whereas a small private clinic would comply based on a lower individual level of risk. An initial risk assessment will enable the creditor to identify what information must be protected and to take into account the creditor’s previous experience with issues of identity theft.</p>
<p><a href="http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr;sid=1d07bb78bccd48a1c53ba21865613921;rgn=div6;view=text;node=12:1.0.1.1.38.7;idno=12;cc=ecfr"><em>Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation</em></a>, published as an appendix to the Red Flags Rule, provides an outline for developing a Program. In a supplement to the guidance, the FTC and federal banking regulators identified 26 red flags that may be useful to incorporate into an identity-theft prevention program. Examples include:</p>
<ul>
<li>address discrepancy</li>
<li>name discrepancy on identification and insurance information</li>
<li>presentation of suspicious documents</li>
<li>personal information inconsistent with information already on file</li>
<li>unusual use or suspicious activity related to a covered account, and/or</li>
<li>notice from customers, law enforcement or others of unusual activity related to that covered account.</li>
</ul>
<p>In addition to addressing relevant red flags, an institution covered by the Red Flags Rule must &#8220;train staff, as necessary&#8221; to implement the identity-theft prevention program effectively. According to the preamble to the rule, institutions need only train &#8220;relevant staff&#8221; and only insofar as necessary to supplement other training programs.</p>
<p><strong>Expect more fines from the FTC</strong></p>
<p>The Red Flag rules are meant to protect consumer information and ensure compliance of personal data in the private sector. Organizations that do not comply face civil money penalties of up to $2,500 per violation for knowing violations of the rule that constitute a pattern or practice. Additionally, if the FTC finds violations of the rule to be “unfair and deceptive”, the FTC may also use its adjudicatory authority to issue cease and desist orders and other enforcement actions.</p>
<p>While it is hard to gauge how many organizations have been implementing the Red Flag rules, recent high profile cases of data breaches indicate that many still lack strong protections. The push by the FTC follows a general pattern that began with data-breach notification laws in over 40 states. While a little late in the race, the federal government is now using its reach to enhance state laws and give itself oversight of the issues of identity theft and medical identity theft faced by millions of Americans.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/blog/2008/10/red-flag-rules-how-to-make-sure-you-are-ready/feed/</wfw:commentRss>
		<media:content url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/416679995/060718idtheftredflags.pdf" fileSize="304674" type="application/pdf" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>changing the way people protect information</itunes:subtitle><itunes:author>Michael J. Santarcangelo, II</itunes:author><itunes:summary>Michael Santarcangelo is a human catalyst*. As an expert who speaks on information protection -- including compliance, privacy and awareness -- Michael energizes and inspires his audiences to change how they protect information. His passion and approach gets results that change behaviors. As a full member of the National Speakers Association, Michael is known for delivering substantial content in a way that is energetic and entertaining. Michael connects with those he works with, and helps them engage in natural and comfortable ways - he literally makes security relevant and simple to understand!</itunes:summary><itunes:keywords>security,privacy,compliance,breach,awareness,cissp,cisa,cism,speaker,confidentiality,integrity,availability</itunes:keywords><feedburner:origLink>http://www.securitycatalyst.com/blog/2008/10/red-flag-rules-how-to-make-sure-you-are-ready/</feedburner:origLink><enclosure url="http://feeds.feedburner.com/~r/SecurityCatalyst/~5/416679995/060718idtheftredflags.pdf" length="304674" type="application/pdf" /><feedburner:origEnclosureLink>http://www.ftc.gov/os/fedreg/2006/july/060718idtheftredflags.pdf</feedburner:origEnclosureLink></item>
		<item>
		<title>Duck and Cover: the Myth of SSL Security</title>
		<link>http://feeds.feedburner.com/~r/SecurityCatalyst/~3/415677898/</link>
		<comments>http://www.securitycatalyst.com/blog/2008/10/duck-and-cover-the-myth-of-ssl-security/#comments</comments>
		<pubDate>Thu, 09 Oct 2008 10:56:04 +0000</pubDate>
		<dc:creator>securitycatalyst@gmail.com (Michael J. Santarcangelo, II)</dc:creator>
		
		<category><![CDATA[Information Protection]]></category>

		<category><![CDATA[ssl]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=554</guid>
		<description><![CDATA[By David E. Stern, CISSP

For those born in the last 30 years, it is impossible to relate to the fear of nuclear holocaust that was so pervasive in the darkest hours of the cold war. The government embarked on an educational campaign to teach people to duck under a desk and cover their eyes upon [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By David E. Stern, CISSP</strong></p>
<p>For those born in the last 30 years, it is impossible to relate to the fear of nuclear holocaust that was so pervasive in the darkest hours of the cold war. The government embarked on an educational campaign to teach people to duck under a desk and cover their eyes upon sensing the first light of an atomic flash. Despite the fact that duck and cover wasn&#8217;t going to keep an atomic fireball at bay, it gave society a sense of hope so that they could live productively.</p>
<p>In my opinion, SSL is our generation&#8217;s &#8220;duck and cover.&#8221; We educate the masses that a site is secure if that &#8220;little lock&#8221; is present. In a virulent Internet environment rife with danger, we put our faith in SSL so that the e-commerce engine can chug along.</p>
<p>To understand the advantages of SSL, we first must explore some basic concepts of trust. When walking through an unfamiliar neighborhood on a hot day, Pat wouldn&#8217;t think twice about buying a cold drink from a seedy corner bodega. The risk associated with making a small purchase from an unfamiliar merchant is relatively small. For the opposite reason, Pat would probably not purchase an HDTV from a corner electronics store in the same neighborhood. However, if a trusted friend directed Pat to the same corner electronics store, vouching for a particular salesperson, the outcome would be much different. The store is the same, the merchandise is the same, but in the latter case, the element of trust changes the outcome.</p>
<p>The same paradigm applies to ecommerce. Consumers are expected to navigate to an abstract entity known as a website, select items that they cannot touch, and provide payment information to a machine that they cannot see. To make this work, an element of trust needed to be introduced.</p>
<p>SSL security starts with a trusted 3<sup>rd</sup> party who vouches for a website. The 3<sup>rd</sup> party uses a process whereby they validate that the website, and the Internet space that it occupies, is actually what it claims to be (more on this later). The 3<sup>rd</sup> party then uses cryptographic means to generate a &#8220;certificate&#8221; that is given to the website for presentation to its visitors. A web browser will compare the information in the certificate with the website itself to determine if there is a match. While Pat may not know the owner of the website, Pat knows that the 3<sup>rd</sup> party is trustworthy and vouches for the website. The same cryptographic mechanism can also be used to encrypt whatever information passes from the user to the website.</p>
<p>The ability to generate certificates is not restricted to trusted 3<sup>rd</sup> parties. Anyone can create a certificate and present it on their website. If a user navigates online to the equivalent of an unfamiliar, seedy corner electronics store they will be presented with a certificate and their transactions will be encrypted. But if the certificate wasn&#8217;t generated by a trusted party, then there really isn&#8217;t any security at all.</p>
<p>The problem is compounded by the loosening of the issuer&#8217;s domain verification processes. Many issuers will validate a domain based on the most basic registrar information instead of a m